By - May 02, 2016
E. C. New working modes and workspace virtualization inevitably impose freer access to corporate information systems. In the past, enterprises provided their employees with Windows-based PCs that they owned and configured to protect confidential data; in any case, nomadic computers were rare and used only by itinerant personnel.
But today half of all employees use their personal laptop, tablet and above all their smartphone for professional purposes. They log onto their employer’s intranet using devices that also serve their private life: messaging, voice calls, contacts, banking information, photos, videos and lots more. Organizations are unable to clearly delimit their own data from their employees’ private content (which in fact they have no legal right to see). This leaves them two choices: either exploit specialist cybersecurity skills and means to impose secure systems and usages, or open their information systems to personal devices (“BYOD”: Bring Your Own Device). This second choice incurs serious risks, as confirmed by France’s national agency for information system security (ANSSI).
Moreover, other factors make data protection complex: the very large number of users, the multiplicity of mobile operating systems (Windows, Android, Apple iOS, etc.) and of cloud-hosted applications, industrial systems networking (Supervisory Control And Data Acquisition systems - SCADA), and the emergence of connected objects (Internet of Things).
E. C. Cybercriminals, often highly organized, have discovered that stealing confidential or sensitive data can be very lucrative. Their attacks on mobiles are increasingly sophisticated, targeted and varied, including remote surveillance of employees via their cellphone cameras, phishing emails to steal bank details, access codes and passwords, ransom attacks that maliciously encrypt files and demand a payment to decrypt them, and theft of enterprise customers’ personal data. Recently some large groups have been victims of the “fake boss scam”, in which a hacker pirates the SIM card of a director’s phone, then calls the Finance Director and orders him to make (in total secrecy) a very large bank transfer to an account abroad. While mobility can boost efficiency and service quality, it does expose enterprises to cyberattacks which can be very costly, not least in terms of damage to their image. Yet a recent KPMG study found that although business directors are aware of this issue, only half of them are undertaking serious cybersecurity actions.
E. C. Cybersecurity is founded on anticipation, protection and awareness. In France, in application of France’s Military Programming Act of 2013, the ANSSI has defined twelve sectors of critical importance and identified 218 public and private “vitally important operators” needing priority protection against cyberattacks. These enterprises managing sensitive infrastructures (telecoms, energy, transport, etc.) are now under the obligation to create a cybersecurity unit, to analyze their risks and define a security plan. They are also forbidden to connect certain critical systems to the Internet.
The most vulnerable businesses are the small ones for whom the most reliable solution is to equip employees with restricted-use phones. In addition to technical protection systems, it is important to make employees aware of the risks and to impose good practices. Senior management and all their staff must understand the sensitive nature of enterprise data in today’s hyper-competitive markets and their individual responsibility to protect the company’s assets.
* PwC worldwide study: "The Global State of Information Security Survey 2016"