Why not change the paradigm and favor a dual approach, combining both cyber insurance with that of anticipation and knowledge of risks upstream?
With the constant and continuous growth of cyberattacks, the question of the survival of the most fragile companies becomes more pressing. The attack surface has become so large, in particular because of new ways of working, shadow IT, or quite simply the lack of resources allocated to IT security, that it seems essential, before it is too late, to define or refine genuine security strategies.
Among the priorities identified, in particular with the explosion of ransomware, the choice of appropriate insurance quickly appears on the agenda of management, especially in large groups. However, this is the subject of debate, in particular because of the rising costs and the prerequisites set by insurers, which are increasingly complex according to the latest CESIN barometer.
So why not change the paradigm and favor a dual approach, combining both insurance with that of anticipation and knowledge of risks upstream? In summary: anticipate to act sustainably in addition to “dressing” immediately…
Train each employee in cybersecurity, the first bulwark against cyber threats
In 2021, 70% of CESIN member companies deployed cyber risk awareness modules for teleworking and 40% carried out attack simulations. These figures are up sharply compared to 2020.
Since 2020, the worst scenarios imagined by cybersecurity analysts have occurred. As cybercrime becomes more professional and more powerful every day, the challenge is more than ever to train cyber experts, including with the aim of getting everyone to protect themselves individually. This is all the more true since a recent phishing simulation campaign revealed that almost 1 in 5 users had clicked on the simulated malicious link and downloaded the associated (test) malware.
Faced with these risks, the health crisis has revealed many delays in individual practices in the work environment and also in preparation for a crisis. When lockdown policies and 100% telework were implemented, many companies were not ready for this change in working methods, nor to regulate the use of the new tools and applications linked to them.
And this is where we were able to measure the extent of the shadow IT phenomenon. In 2021, a study by NinjaRMM pointed out that 41% of European teleworkers surveyed violated basic security rules, sometimes without knowing it, by using additional machines and applications to carry out their work.
This fragility of IT security policies is even today reinforced by the lack of knowledge of attackers' techniques and their increasingly sophisticated targeting methods. Ransomware, DDoS (distributed denial of service) attacks, CEO fraud or even phishing: attacks have become much more diversified, with each user considered a potential gateway into the company's networks.
Faced with this observation, building a cybersecurity culture is essential to ensure that no one remains ignorant of current risks. Admittedly, raising awareness of cybersecurity through pedagogy and training modules is a first pillar, but it only achieves that objective if it is recurrent and kept up to date in the face of changing threats. In addition to this education phase, small simulation programs are useful because, as Buddha said, "The realization lies in the practice".
The preponderant role of business management and educational prescribers
Because insuring against risks is not enough and can neither limit nor reduce the risk of cyberattacks, the generalization of knowledge of cyber risks is essential and must be taken in hand, no longer by CIOs alone but by company management.
Employees themselves must be engaged in rolling out awareness programs that meet their needs, in taking stock of their knowledge, and in taking part in comprehensive vulnerability audits carried out by experts. Because the human factor must no longer be a weakness but become a strength in the company's defense against cyber threats.
Schools also have a role to play, since they train the minds of tomorrow. Would it be incoherent to see cybersecurity awareness and introductory courses emerge alongside the commonly studied sciences? In addition to training the younger generations, this can also be a vector of transformation through the transmission of knowledge within the family.
And finally, it can be a source of vocations, while the cybersecurity sector is still struggling to recruit. For all these reasons, demystifying what cybersecurity is, for all audiences, is more necessary than ever.
The virtuous circle of raising awareness
Of course, the younger generations will soon have a "cyber awareness" and will be able to convince the rest of the population of the challenges and opportunities that cybersecurity represents.
On the institutional side, numerous initiatives and bodies, such as Cybermalveillance.gouv and ANSSI in France, the UN Security Council and the European cybersecurity agency (ENISA), play a leading role in alerting and raising awareness of new cyber risks.
In its new IT hygiene guide, ANSSI also places awareness and training at the top of the ten priorities that companies should take into account. In such a context, it is a safe bet that the generalization of cybersecurity awareness in French companies will soon lead to a drop in their insurance premiums.