
Cyberattacks: how to prepare? How to react?

Published on June 9, 2022

In the context of current international tensions, France is the target of numerous cyberattacks. Their consequences can be disastrous for businesses, ranging from paralysis of activities to theft of sensitive data. Cyberattacks are a source of stress that complicates the decision-making of IT managers and limits its impact. Anticipation therefore becomes a necessity. How do you prepare to face a crisis? How do you react properly once it is there?

How to manage a crisis following a cyber attack

"There are two types of organizations: those that have already been victims of a cyberattack and those that will soon be," says Guillaume Poupard, Director General of the French National Agency for Information Systems Security (ANSSI).

A cyber crisis can be tackled in one of two ways: either you deal with it when it happens, with all the risks that emergency measures entail, or you anticipate it. Unfortunately, the cybersecurity watchdog highlights the lack of foresight on the part of businesses. That is why ANSSI is urging them to put preventive measures in place. The agency has identified five priority measures to be implemented in the short term to prepare for any eventuality.

1. Strengthen authentication procedures

The most sensitive accounts, those of the company's information system (IS) administrators and those of the most exposed individuals (management, senior executives, etc.), must be strengthened. ANSSI recommends implementing strong authentication based on two identification factors (2FA).

For example, to access the network, a strong password is combined with a hardware device (smart card, USB token, magnetic card, etc.). At the very least, a code received by SMS can serve as the second means of identification.

This two-factor authentication system has already been available to banks since 2019.

2. Increase network monitoring

In the event of a cyberattack, reaction time becomes crucial. Preparation is therefore essential to be able to react as quickly as possible when the time comes. That is why ANSSI recommends setting up permanent, global network monitoring, so that any compromise can be identified and dealt with as quickly as possible. In the absence of global monitoring, ANSSI recommends "centralizing logs from the most sensitive points of the information system", such as VPN entry points, virtual desktops, domain controllers and hypervisors.

IT security managers will need to investigate any anomaly that might otherwise be ignored, such as abnormal connections to domain controllers and any alert raised by antivirus and EDR (endpoint detection and response) solutions.
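The two paragraphs above describe what to do with centralized logs once they exist: look for connections to domain controllers that deviate from the expected baseline, and never let a security-product alert go uninvestigated. The script below is an added example, not code from the article or from ANSSI. Its log line format, host names (`dc01`, `dc02`, `fs02`, `ws17`), account names, the admin subnet `10.10.5.0/24` and the business-hours window are all constructed assumptions; a real deployment would read the same kind of records from the log collector and adapt the baseline to its own environment.

```python
"""Triage of centralized logs: flag domain-controller logons that deviate from
an expected baseline, plus every antivirus/EDR alert.

Added example, not from ANSSI or the original article. The log format, host
names, subnet and baseline below are constructed assumptions.
"""
import ipaddress
from datetime import datetime

# Constructed baseline (assumption): which hosts are domain controllers, which
# accounts may log on to them, from which subnet, and during which hours.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}
ADMIN_SUBNET = ipaddress.ip_network("10.10.5.0/24")
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59, local time

# Constructed sample log lines, one record per line in the form:
#   <ISO timestamp> <host> <event> user=<account> src=<ip>
SAMPLE_LOGS = """\
2022-06-08T09:12:03 dc01 logon user=adm-alice src=10.10.5.14
2022-06-08T09:40:51 fs02 logon user=jdoe src=10.10.7.22
2022-06-08T23:05:17 dc02 logon user=adm-bob src=10.10.5.20
2022-06-08T10:02:44 dc01 logon user=jdoe src=10.10.7.22
2022-06-08T11:30:00 dc01 logon user=adm-alice src=192.168.44.9
2022-06-08T11:31:10 ws17 edr_alert user=jdoe src=10.10.7.40
"""


def parse_line(line):
    """Split one record into its fields; key=value pairs become a dict."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "event": event,
        "user": fields.get("user", ""),
        "src": fields.get("src", ""),
    }


def anomalies_for(entry):
    """Return the list of reasons this record deserves investigation."""
    reasons = []
    # Any alert from a security product is investigated, whatever the host.
    if entry["event"] in ("edr_alert", "av_alert"):
        reasons.append("security-product alert")
    # Domain controllers get the strict baseline: who, from where, and when.
    if entry["host"] in DOMAIN_CONTROLLERS and entry["event"] == "logon":
        if entry["user"] not in ADMIN_ACCOUNTS:
            reasons.append("non-admin account on domain controller")
        if ipaddress.ip_address(entry["src"]) not in ADMIN_SUBNET:
            reasons.append("logon from outside admin subnet")
        if entry["time"].hour not in BUSINESS_HOURS:
            reasons.append("logon outside business hours")
    return reasons


def triage(log_text):
    """Return [(raw line, [reasons]), ...] for every record that is anomalous."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = anomalies_for(parse_line(line))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOGS):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the first two lines are silent (an authorized admin during the day, and an ordinary file server logon), while the late-night admin logon, the non-admin account on `dc01`, the admin logon from an unexpected network and the EDR alert are each listed with the reason they matched. The point is that the baseline makes "abnormal" concrete enough to automate, so that a person reviews a short list instead of scrolling through raw logs.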

3. Back up data and applications offline

Carry out "regular back-ups of all the company's data, including those on file servers, infrastructure servers and business applications", insists ANSSI.

To protect backups against ransomware, they should be kept disconnected from the network so that they cannot be encrypted along with the rest of the information system. Priority should be given to cold storage solutions (hard drives and magnetic tapes).

Restores should be carried out regularly to verify the integrity of the backups and to avoid errors when a real restoration is needed.
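A restore test only proves something if the restored files are compared against what was backed up. The script below is an added example, not code from the article or from ANSSI: it builds a backup of a constructed sample directory together with a SHA-256 manifest, restores the archive into a scratch directory, and checks every file against the manifest, reporting anything missing or altered. The file names and contents are constructed; in practice the archive would come from the offline medium and the manifest would be stored with it.

```python
"""Restore test for offline backups: back up a directory with a SHA-256
manifest, restore it into a scratch directory and verify every file.

Added example, not from the article or ANSSI. The sample files, their
contents and the directory layout are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data set standing in for a file server share.
SAMPLE_FILES = {
    "finance/ledger-2022.csv": b"date,amount\n2022-06-01,1200\n",
    "hr/contracts/readme.txt": b"contract templates\n",
    "app/config.ini": b"[db]\nhost=db01\n",
}


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def populate(src_dir, files=SAMPLE_FILES):
    """Write the constructed sample files under src_dir."""
    for rel, content in files.items():
        target = Path(src_dir) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir and record the hash of every regular file."""
    manifest = {}
    src = Path(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive; use the 'data' filter where Python provides it so
    that entries cannot escape restore_dir via absolute paths or '..'."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(restore_dir), **kwargs)


def verify(restore_dir, manifest):
    """Compare restored files against the manifest; returns a report dict."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        path = Path(restore_dir) / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_test(tamper=None):
    """End to end: populate, back up, restore, verify. If `tamper` names a
    file, that restored file is overwritten first to show the check catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        out = Path(work) / "restored"
        archive = Path(work) / "backup.tar.gz"
        manifest_path = Path(work) / "backup.manifest.json"
        populate(src)
        make_backup(src, archive, manifest_path)
        restore(archive, out)
        if tamper:
            (out / tamper).write_bytes(b"corrupted")
        # Re-read the manifest from disk, as a real restore test would.
        return verify(out, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print("clean restore:", restore_test())
    print("tampered restore:", restore_test(tamper="app/config.ini"))
```

The manifest is written separately from the archive on purpose: if the medium holding the archive is damaged or altered, the hashes recorded at backup time are what expose it. Running the test on a schedule, against the real offline media, is what turns "we have backups" into "we know we can restore".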

4. Identify critical services

In the event of an attack, security actions must be prioritized. This requires having first drawn up an inventory of the company's digital services and ranked them according to how critical they are for the company's business continuity.

ANSSI also asks that dependencies on service providers be taken into account.
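Ranking services by criticality is only half the job: a service can only be restored once what it depends on is back, and a critical service makes its dependencies critical too, including those run by an external provider. The script below is an added example, not code from the article or from ANSSI. It takes a constructed inventory (service names, criticality levels 1 to 4 and dependencies are all assumptions), propagates criticality down the dependency chains, produces a recovery order that restores dependencies first and the most critical chains earliest, and lists which services are exposed to each external provider.

```python
"""Prioritize recovery from an inventory of digital services that records each
service's criticality for business continuity and its dependencies, including
external service providers.

Added example, not from the article or ANSSI. The inventory is constructed
and the criticality scale (1 = most critical, 4 = least) is an assumption.
"""
from collections import defaultdict

# Constructed inventory. "depends_on" names other entries; "provider" marks a
# service delivered by an external provider.
INVENTORY = {
    "order-management": {"criticality": 1, "depends_on": ["erp-db", "auth", "payment-gw"]},
    "erp-db":           {"criticality": 1, "depends_on": ["storage"]},
    "auth":             {"criticality": 1, "depends_on": ["directory"]},
    "directory":        {"criticality": 1, "depends_on": []},
    "storage":          {"criticality": 2, "depends_on": []},
    "payment-gw":       {"criticality": 2, "depends_on": [], "provider": "bank-psp"},
    "email":            {"criticality": 3, "depends_on": ["auth", "mail-saas"]},
    "mail-saas":        {"criticality": 3, "depends_on": [], "provider": "mail-vendor"},
    "intranet-wiki":    {"criticality": 4, "depends_on": ["auth"]},
}


def effective_criticality(inventory):
    """A dependency inherits the highest criticality of anything built on it:
    if order-management is level 1, the storage behind its database is too."""
    eff = {name: svc["criticality"] for name, svc in inventory.items()}
    changed = True
    while changed:
        changed = False
        for name, svc in inventory.items():
            for dep in svc["depends_on"]:
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def recovery_order(inventory):
    """Dependencies first; among services that are ready, the most critical
    (then alphabetical) goes next. Raises ValueError on unknown dependencies
    or a dependency cycle, both of which mean the inventory needs fixing."""
    for name, svc in inventory.items():
        for dep in svc["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown service {dep}")
    eff = effective_criticality(inventory)
    remaining = dict(inventory)
    done = []
    while remaining:
        ready = [n for n, s in remaining.items()
                 if all(d in done for d in s["depends_on"])]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        ready.sort(key=lambda n: (eff[n], n))
        done.append(ready[0])
        del remaining[ready[0]]
    return done


def external_dependencies(inventory):
    """For each external provider, every service whose recovery depends,
    directly or transitively, on that provider being available."""
    dependents = defaultdict(set)
    for name, svc in inventory.items():
        for dep in svc["depends_on"]:
            dependents[dep].add(name)
    result = {}
    for name, svc in inventory.items():
        provider = svc.get("provider")
        if not provider:
            continue
        affected, stack = set(), [name]
        while stack:
            current = stack.pop()
            if current in affected:
                continue
            affected.add(current)
            stack.extend(dependents[current])
        result.setdefault(provider, set()).update(affected)
    return {provider: sorted(names) for provider, names in result.items()}


if __name__ == "__main__":
    print("recovery order:", recovery_order(INVENTORY))
    print("exposure to providers:", external_dependencies(INVENTORY))
```

With the sample inventory, `storage` and `payment-gw` are entered as level 2 but come out as level 1 because `order-management` cannot run without them, so they are restored before anything rated lower; and the provider view shows that both the order flow and the payment gateway itself hinge on the external payment provider, which is exactly the kind of dependency a crisis plan needs to know about in advance.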

5. Prepare crisis management for cyberattacks

A cyberattack can destabilize the functioning of the company. Support functions such as telephony and messaging, but also business applications, are often the first to be put out of service. The company then has to operate in degraded mode, sometimes even reverting to paper and pencil.

Depending on its severity, a cyberattack causes an interruption of activity that ranges from partial to, in the most serious cases, total.

The company will have to set up a crisis unit and define a response plan aimed at implementing a business continuity plan (BCP) or a disaster recovery plan (DRP). This will enable the company to operate in degraded mode and restore systems and data as quickly as possible to return to a normal situation.

Our expert

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]
