CESIN (the Club of Information and Digital Security Experts) has just published the fourth edition of its annual barometer, conducted with OpinionWay among 174 of its members, 84% of whom are CISOs (Chief Information Security Officers) of large French companies. This annual study helps to better define the perception and reality of cybersecurity and its issues within CESIN member companies.
The most common cyberattacks and their impacts
Over the last twelve months, although the number of attacks is tending to stabilise, 80% of the companies surveyed were the victims of at least one cyberattack, and the consequences for the business (production stoppages, unavailable websites, revenue loss…) are greater than in 2017.
Each year, companies face five kinds of cyberattack on average.
Among the attacks suffered, phishing is the most frequent, with 73% of companies affected, followed by “Fake President” fraud, which affected 50% of respondents; ransomware and malware infection come in third place.
Among cyber risks, shadow IT is the most frequently encountered: 64% of the CISOs surveyed consider it a threat that must be addressed. The deployment and use of non-approved, often free, applications can escape the control of the information systems department.
Cloud and IoT: the impact of digital transformation on information systems security
For 98% of companies, digital transformation has a real impact on the security of information systems and data and widens the attack surface, particularly through the extensive use of the cloud: 87% of companies use it, and 52% of those store their data in public clouds.
Cloud use represents a significant risk because of the lack of control over how the hosting provider handles the company’s data (by its administrators or others), over the subcontracting chain the hosting provider uses, and over data that is not deleted. For 89% of CISOs, these issues call for security tools complementary to those offered by the service provider in order to protect data stored in the cloud.
As for IoT (the Internet of Things), the race for innovation and the increasingly common use of connected objects are giving rise to new cybersecurity threats, notably because of security flaws in these devices.
Cyber resilience still to be developed
To address these cyber risks, CISOs deploy many technical solutions.
However, despite all these solutions, CISOs are less confident than last year in their company’s capacity to cope with these cyber risks, and fewer than one in two believe their company is prepared to handle a large-scale cyberattack. Yet only 12% have implemented a genuine cyber resilience programme; 33% have one in progress and 34% are planning to implement one.
Three essentially human issues for the future of cybersecurity
- User awareness
According to 61% of the CISOs surveyed, the main issue for the future of cybersecurity is training users and raising their awareness of cybersecurity. According to the respondents, “even if employees are aware, they are still not involved enough and do not necessarily follow the recommendations. Significant education work remains.”
- Cybersecurity governance
For 60% of respondents, cybersecurity governance needs to be placed at the right level. Although GDPR compliance has made companies aware of data protection issues, confidence in the executive committee’s ability to take cybersecurity issues into account remains uneven across business sectors.
- Human resources
The shortage of information systems security profiles, observed by 91% of CISOs, is a real challenge for companies, while 50% of these companies plan to increase the workforce allocated to cybersecurity.