Hygiene measures recommended by the ANSSI to reduce the risk of cyber attacks
When the containment measures related to the COVID-19 health crisis were put in place, many information systems departments (ISDs) broke into a cold sweat over meeting business continuity requirements in several areas.
Wherever possible, they had to roll out teleworking for employees on a massive scale and in a very short period of time, often without having all the resources to do so under the best conditions. Setting up telework properly often means giving a larger number of employees than usual access to the heart of the company’s Information System, with the risks and potential security breaches that this entails. This is all the more true when attackers seize the opportunity to multiply hacking attempts while the employees responsible for protecting the company from these attacks are themselves partially unavailable.
Fortunately, the French National Agency for the Security of Information Systems (ANSSI) issued, in quieter times, a “Computer Hygiene Guide” that puts good practices in this area into perspective. Some of its recommendations resonate all the more forcefully at the moment. Let’s recall a few that seem key.
First, expanding remote access to the company IS through teleworking means a growing number of users of IT mobility services, who are not necessarily aware of good security practices. It is worth recalling that a significant proportion of “successful” IT attacks involve the human element in one way or another, and therefore mainly involve employees of the victim company who very often acted “without meaning any harm” or “inadvertently”, but in disregard of certain basic rules. It is therefore essential to train and inform users, new mobile users in particular, in order to limit the vulnerability of the IS.
Next, both the administrators of the company’s IT network and the business line managers need a clear view of who is authorized to access the company’s system(s): not everyone needs access to all of the company’s applications or data. Privileged accounts and access rights should be reviewed on a regular basis to ensure that access to sensitive items is controlled. Authorization and authentication procedures should be in place to help contain problems, facilitate monitoring, and make it easier to detect potential breaches or attacks.
Finally, a few safeguards seem essential to secure information that is the property of the company, one of the major risks being its leakage. This fight is fought on several fronts at once: limiting the ways of “getting information out” (banning removable media, limiting the sending of e-mails to external accounts, etc.), but also securing connections to the company network by implementing VPNs that comply with the latest security standards.
Because this crisis has accelerated the adoption of telework, it is likely to be a long-term phenomenon in organisations where it is possible. It is therefore never too late to lay sound foundations so that the risk does not outweigh the opportunity.