16 May 2017 Cybersecurity: Vigilance required!
As the number of cyberattacks surges, the question of IT security, and beyond that of information security, is becoming crucial for enterprises, public organizations and individuals. What can be done to guard against the dangers? Several solutions exist.
March 2017. France eases into its presidential campaign. Candidates and voters unload all their thoughts online. And that’s when the controversy starts – certain candidates’ websites were allegedly hacked, or at least monitored. Two months earlier, similar rumours riled up the Internet about the American presidential election. Also in the United States, a connected teddy bear made headlines in early March when it was discovered that 800,000 user accounts had been hacked via these stuffed animals that allow parents and kids to send messages through the teddy bear using a phone app. And these messages were posted online…
All this illustrates how far hacking and malicious intent have gone on the web. To bring companies to their knees, cybercriminals have favoured distributed denial of service (DDoS) attacks, which are classified as an “advanced persistent threat.” The idea is to flood a server with a mass of meaningless requests until it can no longer keep up, so that customers can no longer reach its services. Most striking is the sheer scale of such attacks, amplified by networks of so-called “zombie” computers (botnets), which are increasingly built from connected objects because these are not sufficiently safeguarded against being taken over.
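To show why the distributed form of this attack is the hard one for defenders, here is an added Python example (not from the article or AFNOR): it parses constructed web-server access-log lines, counts requests per one-second window, and distinguishes a single noisy source, which a per-source limit catches, from a flood spread across many "zombie" sources that each stay under that limit. The thresholds and log lines are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: source IP, then the bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def log_line(ip, second):
    """Build one constructed (not real) access-log line at 10:00:0<second>."""
    return f'{ip} - - [16/May/2017:10:00:0{second} +0000] "GET / HTTP/1.1" 200 512'


# Constructed sample traffic:
#   second 0: a legitimate visitor only
#   second 1: the same visitor plus one source sending 40 requests
#   second 2: the visitor plus 30 distinct "zombie" devices, 3 requests each
LOG_LINES = [log_line("192.0.2.10", s) for s in range(3) for _ in range(5)]
LOG_LINES += [log_line("203.0.113.7", 1) for _ in range(40)]
LOG_LINES += [log_line(f"198.51.100.{i}", 2) for i in range(1, 31) for _ in range(3)]


def classify_windows(lines, window_s=1, per_source_limit=20, capacity=50):
    """Return, per time window, the totals plus two separate verdicts:
    hot_sources (single IPs above per_source_limit, handled by rate limiting)
    and distributed_flood (the rest still exceed the server's capacity)."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ip, ts = m.group(1), m.group(2)
        sec = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        buckets[sec // window_s][ip] += 1
    report = {}
    for bucket, counts in sorted(buckets.items()):
        hot = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        remaining = sum(n for ip, n in counts.items() if ip not in hot)
        report[bucket] = {
            "total": sum(counts.values()),
            "distinct_sources": len(counts),
            "hot_sources": hot,
            "distributed_flood": remaining > capacity,
        }
    return report


if __name__ == "__main__":
    for bucket, verdict in classify_windows(LOG_LINES).items():
        print(bucket, verdict)
```

In the third window no single source stands out, yet the aggregate exceeds capacity, which is exactly the case a per-IP limit cannot address and why upstream filtering or absorption capacity is needed.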
Today, increasing dangers (social engineering, internal attacks, etc.) threaten both private and public organizations through increasingly sophisticated methods. Beyond the blow to the victim’s credibility after such an attack, the cost of making the necessary repairs is exorbitant. Following a huge hack in 2015, TV5Monde had to spend over 4.5 million euros to fix the breach, plus allocate 2.5 million euros on security each year. With fewer resources at their disposal, SMEs, which are being increasingly targeted, pay a heavy toll when attacked.
François Lorek, auditor for AFNOR Certification since 2008, explains: “broader than IT security, which is confined to electronic means, information security views the problem globally with respect to the value of information, whether oral, paper or electronic. It concerns all units and especially those that are custodians of sensitive assets such as third-party data, for example health or banking data. Beyond this need for confidentiality, they also have to guarantee the availability and continuity of their systems – for example, the cloud or electronic messaging – as well as their integrity: saved data must not be able to be erased or written over.”
Information security, fuelled by the business of fear, thus involves deploying several effective measures. First of all, you have to protect your e-reputation. “It’s about planning for risks by mapping them out and using measurement and monitoring tools,” explains Sylvie Arbouy, project manager at AFNOR Standardization. An organization’s reputation is often filtered through online reviews of its goods or services. Our NF Z74-501 standard, currently being transposed into an ISO standard, makes it possible to make consumer reviews more reliable.
Considering the issues surrounding data, some people opt for a specific approach called “privacy by design,” which designs privacy into systems or practices from the very start. “Today, the smallest piece of information can contribute to setting up profiles on people, and in some cases of malicious intent, can harm them. Privacy by design ensures end-to-end security for the whole life of data storage. It’s impossible to breach users’ privacy,” explains Frédéric Solbès, project manager at AFNOR Standardization.
Good IT habits
An increasingly precise arsenal of regulations and standards covers the question of information security. Thus European regulation 2016/679 on the protection of personal data, published in June 2016, will come into effect in mid-2018. It focuses on information security to guarantee the confidentiality and integrity of data and to guard against leaks. “The European eIDAS regulation, in effect since July 2016, focuses on digital identity and the security of electronic transactions,” adds Benoît Pellan, digital product manager for AFNOR Certification. “The ANSSI (French National Cybersecurity Agency) will be in charge of certifying the services that issue digital signature certificates and electronic stamps, following an audit. We’re also going to audit the primary hosts of health data that were certified.”
In this area, the voluntary standard ISO/IEC 27001 deals specifically with information security. It makes it possible to get the ball rolling on a management initiative for this type of security, adapted to the risks of each enterprise. This is a way for everyone to realize how important it is to respect the security measures in order to protect themselves and their organization – just as the rules of the road do for drivers. Respecting the principles of this voluntary standard guarantees good “IT habits.” Whether the role is held by a chief information officer (CIO) or an information system security manager (ISSM), security managers are no longer on their own: the information security policy and investments are led by management with the goal of ensuring long-term viability. François Lorek goes even further: “The complementary ISO/IEC 20000-1 standard provides service providers with guidelines for ensuring IT security and the continuity of services delivered. Orange Business Services and BNP Paribas (with its BP²I unit), among others, have obtained a certification showing they properly apply this voluntary standard,” the auditor explains.
Labels and standards
Organizations that obtain ISO 27001 certification based on the voluntary standard get a lot out of it, including enterprises such as Iron Mountain, Orange Tunisia, or recently the Bourse de Tunis. There are also other standards, such as SecNumCloud (in French), developed by ANSSI and audited by AFNOR Certification. “It targets cloud hosts and has extremely stringent security standards. The ANSSI certification issued following an audit is a prerequisite for getting the French-German label ESCloud, which covers all of Europe. 2017 will be the first year for certifications following two SecNumCloud audits which we conducted in 2016,” explains Benoît Pellan.
For its part, AFNOR Standardization has developed a new guide (in French) that introduces the main benefits of voluntary standards for protecting personal data, under the leadership of Frédéric Solbès’s commission. Another useful guide, 10 Keys for Information Security, republished in January 2017 by AFNOR Publishing (in French), helpfully lays out the requirements of a security management system. “This practical guide explains the requirements of the ISO/IEC 27001 standard, presents updates to the 2013 version and includes 32 technical fact sheets,” explains Claude Pinet, author of the guide, who also had a role in developing a self-assessment tool (in French) on this subject in the BiVi line from AFNOR Publishing. This standard is also the subject of training offered by AFNOR Competencies (in French), designed and led by Vincent Iacolare: “The main goal is to make participants aware of the importance of security. However, this shouldn’t squelch good performance, and any progress in this direction needs to be made intelligently,” the expert trainer explains.
Also on the AFNOR Competencies curriculum is the brand-new Auditing Digital Confidence (in French), a course planned along with the AFAI (French Audit and IT Consulting Association). The first session will begin at the end of April. As Jean-Yves Oberlé, one of the facilitators, explains, “The training, which will be divided up into six modules, will deal with digital culture. It will lay the foundation for understanding this environment and raise awareness about digital risk, as well as related practices, including agile projects or applications.” In an increasingly interconnected world, where dependence on IT is increasing and human factors play a key role, everyone needs to get involved in an assertive preventive approach, which has become indispensable. Your security depends on it.
3 QUESTIONS FOR HENRI HEUZE, HEAD OF INFORMATION SECURITY FOR IRON MOUNTAIN
Your enterprise, which specializes in document management and storage, got AFAQ ISO 27001 certification (March 2016). What was the reason for this move?
Considering our business is document storage, it was natural for us to implement an information security management system. Other units in the group had already been certified abroad, which strengthened their credibility among customers and attracted new ones. So it lets us stand out from the competition. We are the first company in this field to be certified within France. Thanks to the audit, employees got a better grasp of how useful processes are (access control, traceability, etc.). Indeed, we can have extremely strict processes and oversight, but if people don’t understand them, they can accidentally be corrupted. Employee awareness reduces this risk.
What sort of changes have you made?
A first round of improvements made it possible to prepare for the certification audit (analysis of current situation, risk inventory, risk handling, etc.). An internal audit followed to measure the maturity of the management system and the IT system. After certification, we did a second round with a new risk handling plan. In January 2017, we began a new phase: the scope of the certification should increase from 4 to 8 sites among the 13 in France. AFNOR Certification conducted an audit on this subject, and we’re awaiting the results.
What do you get out of this certification?
A better understanding of the group’s policy, which functions on the basis of the ISO/IEC 27001 standard, among others. It also makes it easier to participate in calls for bids, and even to make a stronger argument to clinch deals. Customer confidence has increased. When customers visit or audit us, we can respond in an appropriate way and even welcome them with great interest. In addition, being certified has allowed us to attract employees with new talents and skills. This has given customers, government, staff, the group and shareholders all a greater visibility of the quality of our service.
Extra training with AFNOR UK
In 2016 the United Kingdom launched its second strategic plan for cybersecurity, with a 1.9 million pound budget. In this country, which is very involved in this field, the British Standards Institution (BSI, equivalent to AFNOR) published standard PAS 555 in May 2013, which aims to structure the governance and management of risks related to cybersecurity by pinpointing best practices. “PAS 555 focuses on the results of the strategy chosen, which it evaluates,” says Carolyn Jarvis, manager at AFNOR UK. “As for the ISO/IEC 27001 standard, it points to the means to put into place. These two tools are therefore complementary. AFNOR UK began PAS 555 training, and it is being rolled out internationally. It targets international auditors so they can then lead the training in their own country.”