Companies in cyber danger: Take-Aways from the Corporate Event #BlackAlps17
Protecting data and becoming aware of increasingly subtle methods of social manipulation: these are the current cybersecurity challenges facing companies. That's what emerged from the dedicated event for businesses organized by Innovaud, Y-PARC and Alp ICT during the specialist conference, BlackAlps, held for the seventh year running in Yverdon-les-Bains on November 15 and 16, 2017.
Business leaders, IT security managers from major groups, recruiters... on November 15, a packed and heterogeneous room sought to understand the current challenges facing companies in terms of cybersecurity. Mathieu Simonin, senior analyst at MELANI, the federal cybersecurity watchdog, reminded the audience that "there is a whole range of attacks out there today, some of them highly technical, some of them low-tech. Cybercrime is now a profession in its own right, organized by groups with well-honed methods."
Two issues stand out from the various expert presentations. First, data.
100% safety is impossible
"The biggest issue in a security breach or intrusion today is data," explains Cristian Zamfir, head of Cyberhaven, a company developing a data protection solution for use in the event of an attack. A dream solution, but the process behind it is an "internal secret". And it's no panacea, according to Andy Yen, founder of the encrypted messaging service ProtonMail, who believes that "100% security is impossible" - a starting point that he believes all companies should take on board. Company size is no protection, as the recently revealed Uber hack proves. "We decided to encrypt our data with a key we don't possess", explains Andy Yen. Another solution is to speed up the detection of an attack. "In 2016, it took 146 days on average for a Swiss company to realize it had been the victim of a security incident," recalls Paul Such, head of Hacknowledge, which develops solutions known as Managed Detection Response, or MDR. This tool enables companies to differentiate more quickly between a simple incident and an alert that merits in-depth treatment. "An average company generates 150 to 200 incidents a month, but only 3 to 5 are real alerts", says the specialist, who estimates that MDR technologies will account for 20% of the cybersecurity market within three years. The other piece of advice is obviously to identify critical data and grant access rights only to certain company users. The risk of tarnishing one's reputation after a data loss is considerable. With the implementation of the European Data Protection Regulation, this issue can no longer be considered secondary; it is now decisive. In the future, "consumers will choose companies capable of protecting their data", argues Andy Yen.
Preventing social engineering
Another challenge is the rise of human manipulation. "The social risk is very high today", says Marc Barbezat, Chief Security Officer of the State of Vaud. "Whether it's following a link or providing them with information, criminals will try to manipulate you into carrying out an action contrary to your interests," explains Mathieu Simonin of MELANI. This is social engineering, which consists in exploiting a flaw that cannot be programmed: the human being. "We're seeing a lot of attacks on companies that basically involve very little technological research. Hacking a human being is much simpler than investing millions in malware", adds the expert. The situations are manifold: a so-called bank calling a company to tell them that 'due to an update in the e-banking system, a test payment has to be made abroad', a hacked e-mail account retrieving invoices from suppliers and sending them back slightly modified to divert the payments made... "Don't underestimate the attacker. Hackers have become very skilful in this area", says Mathieu Simonin. In this field, it's essential to understand - and the constant number of attacks in French-speaking Switzerland proves it - that "it's not just other people who get hurt".
The first step is to train your teams to understand and identify these risks. Money transfer procedures also need to be very clear, but this is the case for all areas of the company. "We have strict guidelines for all our teams, internally and externally", explains Andy Yen, who was interviewed on the subject - and who also points out that the now traditional phishing scam remains one of the most widespread and effective methods. Proof that the culture of cybersecurity still has a long way to go beyond specialist circles.