
Cybersecurity of startups and VSEs

Last updated: 15 March

High needs, low means and an urgent context: 5 tips to get started on cybersecurity at low cost


As technology evolves rapidly, cyber threats become more and more present. Companies need to protect themselves against a range of threats (intrusions, data theft, ransomware, viruses, phishing and other social engineering techniques) while complying with the European regulation on the protection of personal data (GDPR).




None of this is easy when you are a small organisation, or newly established on the market.


So how do you meet this pressing need for IT security, in an urgent context, when the means are limited?



Here are a few tips to start securing your activities when you are a small company:


1- Impose security rules in your company


Imposing basic security rules is the essential first step in securing your organisation.


A- Create a strong password policy.


To protect access to the various online user accounts, impose a strong password policy on your employees.

  • Change all default credentials on the information system (software and hardware alike)

  • Impose a minimum number of characters (ideally between 15 and 20)

  • Impose the use of special characters (&, !, ?, *, $)

  • Prohibit the use of words from the dictionary or personal information in passwords ('mydaughtersname14' is thus prohibited!)

  • Impose the use of a unique password for each online service requiring authentication

  • Renew passwords regularly, at least once a year (more often for sensitive services), and immediately whenever a compromise is suspected

  • Require strict handling (no sharing of passwords, no passwords written down or stored in clear text).

  • Require the use of a password vault (e.g. Keeper Password Manager, or Dashlane) to store passwords securely (and not have to write them down anywhere) and to facilitate the implementation of this strong password policy.
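The rules above, implemented as a small checker that an onboarding script or a vault import could call. This is an added example, not code from the original article or from CyberSecura: the word lists and the personal-information inputs are constructed for the demonstration, and the leet-speak normalisation is our own addition so that "P@ssw0rd" is still caught as the dictionary word "password". Reuse across services and password age are not checked here, because only the password vault can see them.

```python
"""Password policy checker for the rules listed above (added example)."""
import string

# Constructed, deliberately tiny word lists for the demonstration. A real
# deployment loads a full dictionary / cracking wordlist and a vendor
# default-password list from disk.
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "dragon", "company", "secret"}
DEFAULT_CREDENTIALS = {"admin", "password", "1234", "12345678", "root", "changeme"}

# Common substitutions, undone before the word checks so that "P@ssw0rd" is
# still recognised as the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def _normalise(text):
    return text.lower().translate(LEET_MAP)


def check_password(password, personal_info=(), min_length=15):
    """Return the list of policy violations; an empty list means compliant.

    personal_info: strings the user must never embed (first names, birth year,
    town, company name...), normally pulled from the HR record.
    """
    violations = []
    if len(password) < min_length:
        violations.append("too_short")
    if not any(c in string.punctuation for c in password):
        violations.append("no_special_char")
    norm = _normalise(password)
    if password.lower() in DEFAULT_CREDENTIALS or norm in DEFAULT_CREDENTIALS:
        violations.append("default_credential")
    if any(word in norm for word in DICTIONARY_WORDS):
        violations.append("dictionary_word")
    if any(len(item) >= 3 and _normalise(str(item)) in norm for item in personal_info):
        violations.append("personal_info")
    return violations


def is_compliant(password, personal_info=()):
    return not check_password(password, personal_info)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2024!", "Tr7$kq9!mWz2#pLx4"):
        print(candidate, "->", check_password(candidate, personal_info=("Alice", "1987", "Lyon")))
```

The violation codes are returned as a list rather than a single yes/no so that the user is told every rule the candidate breaks at once, instead of fixing them one retry at a time.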


B- Separate professional and personal use


As company director, you can require that professional equipment be used for professional tasks. This separation of uses is essential to stop attacks that target your employees in their private life from reaching your company. Employees should therefore work on equipment dedicated to professional use (mobile phone, computer, e-mail account, etc.). The separation also limits the scope and consequences of a cyber attack: if your professional equipment is also your personal equipment, you risk seeing all your data, personal and professional, compromised in a single incident.


Moreover, when employees work on equipment owned by the organisation, you can impose security rules, settings and software that you could not impose on personal equipment.



C- Control access


Another fundamental rule of corporate security is to control access to data, especially sensitive data. Many companies handle large volumes of personal data, sometimes sensitive, on a daily basis and are legally obliged to ensure its security. When a new employee arrives, give him or her only the access needed for the job. This avoids carelessness or clumsiness that could lead to a data leak, and it also protects sensitive data against espionage or any other deliberate malicious act, which can perfectly well come from inside.


This principle of access control also involves creating user accounts with restricted privileges. Standard user accounts are used for everyday work (e-mail, web browsing, office documents), and administrator accounts only for configuring devices and software and installing applications. This also limits the consequences of an incident: if you click a malicious link while working from a restricted user account, the attacker gains at most what that account can do, and not the configuration and administration functions of your equipment. If you click the same link from an administrator account with full privileges, the attacker can install malicious software, alter the settings and security configuration of your equipment, and so on.


If an employee leaves, revoke their access to the company's information system without delay.
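A minimal joiner/leaver model and the access review a practitioner would run on top of it, as an added example (not the article's own code). The roles, rights and staff list are constructed for the demonstration; in a real company the role baseline comes from the ISSP and the staff list from HR. The review flags the three things the text warns about: rights beyond what the role needs, administrator rights on a day-to-day account, and a leaver whose access was never revoked.

```python
"""Least-privilege provisioning and a periodic access review (added example)."""
from dataclasses import dataclass, field

# Constructed role baseline: the *only* rights a person in that role needs.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "accountant": {"erp:read", "erp:write", "bank:read"},
    "support": {"crm:read", "ticket:write"},
}
# Rights reserved for a separate administrator account, never for the
# day-to-day account used for mail and web browsing.
ADMIN_RIGHTS = {"admin:users", "admin:config", "admin:install"}


@dataclass
class Account:
    user: str
    role: str
    rights: set = field(default_factory=set)
    enabled: bool = True


def provision(user, role):
    """Joiner: grant the role baseline, nothing more."""
    return Account(user, role, set(ROLE_BASELINE[role]))


def offboard(account):
    """Leaver: disable the account and strip every right the same day."""
    account.enabled = False
    account.rights.clear()


def review_access(accounts, current_staff):
    """Compare live accounts against the role baseline and the HR roster.

    current_staff: usernames still employed (the HR source of truth).
    Returns a sorted list of (user, finding) tuples; empty means the
    accounts match the policy.
    """
    findings = []
    for acc in accounts:
        baseline = ROLE_BASELINE.get(acc.role, set())
        if acc.user not in current_staff and (acc.enabled or acc.rights):
            findings.append((acc.user, "leaver_still_has_access"))
        for right in sorted(acc.rights & ADMIN_RIGHTS):
            findings.append((acc.user, f"admin_right_on_daily_account:{right}"))
        for right in sorted(acc.rights - baseline - ADMIN_RIGHTS):
            findings.append((acc.user, f"excess_right:{right}"))
    return sorted(findings)


def demo():
    """Constructed scenario: one clean account, one that drifted, one leaver."""
    alice = provision("alice", "developer")
    bob = provision("bob", "accountant")
    bob.rights.add("admin:config")   # granted "just this once" for a printer setup
    bob.rights.add("git:write")      # left over from a previous project
    carol = provision("carol", "support")
    accounts = [alice, bob, carol]
    staff = {"alice", "bob"}         # carol has left, but nobody offboarded her
    before = review_access(accounts, staff)
    offboard(carol)
    after = review_access(accounts, staff)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before offboarding:", before)
    print("after offboarding: ", after)
```

Running the review on a schedule, and on every HR departure notice, is what turns "revoke their access" from a good intention into a verifiable control.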



D- Impose regular backups


Backing up your data regularly is necessary to limit the losses caused by a cyber attack or a data leak. Decide the backup frequency for each type of data you process, and the backup media you will use. Data can be backed up daily, weekly, monthly or annually, and not all data needs the same frequency or the same medium. Backups can go to physical media (external disks, USB sticks) or to online storage (secure external servers, cloud storage). Each medium carries its own risk: physical media such as USB sticks can be lost or stolen, and a cloud account can be compromised.


Take these risks into account when choosing your backup media, and keep more than one backup, on different media, of your most sensitive or business-critical data.

For backups held in the cloud, and especially when sensitive and/or confidential data is involved, encrypt the data beforehand, and keep the encryption key somewhere other than with the backup, so that unauthorised access to the storage does not expose the data.


This rule matters because it ensures that, in the event of an attack, not all data is lost or inaccessible, provided that restoring from the backups is tested regularly: a backup that has never been restored is only a hope.
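An added example (not the article's or CyberSecura's code) of the two checks that make a backup worth having: a manifest of file hashes written at backup time and re-checked after a trial restore, and a retention schedule that decides which daily, weekly and monthly copies to keep. The directory contents, labels and retention counts are constructed for the demonstration; encryption before upload is left to a dedicated tool such as GnuPG and is not reproduced here.

```python
"""Backup manifest, trial restore and retention schedule (added example)."""
import hashlib
import tarfile
import tempfile
from collections import defaultdict
from datetime import date, timedelta
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, label):
    """Archive src_dir as dest_dir/<label>.tar.gz; return (archive, manifest).

    The manifest maps relative path -> SHA-256. Store it apart from the archive
    and from the cloud copy: whoever can alter the backup must not be able to
    alter the checksums that would reveal it.
    """
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    archive = dest_dir / f"{label}.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(str(path), arcname=rel)
    return archive, manifest


def verify_restore(archive, manifest):
    """Trial-restore into scratch space and re-hash every file.

    Returns the paths that are missing or whose content differs from the
    manifest; an empty list means the backup really can be restored.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects '../' entries (3.12+ / backports)
            except TypeError:
                tar.extractall(scratch)  # interpreter without the filter argument
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_of(restored) != expected:
                problems.append(rel)
    return problems


def select_retained(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention: keep every backup of the last `daily`
    days, the newest of each of the last `weekly` ISO weeks and the newest of
    each of the last `monthly` months. Anything not returned may be pruned."""
    dates = sorted(set(backup_dates))
    keep = {d for d in dates if 0 <= (today - d).days < daily}
    by_week, by_month = defaultdict(list), defaultdict(list)
    for d in dates:
        by_week[tuple(d.isocalendar())[:2]].append(d)
        by_month[(d.year, d.month)].append(d)
    for i in range(weekly):
        week = tuple((today - timedelta(weeks=i)).isocalendar())[:2]
        if by_week.get(week):
            keep.add(max(by_week[week]))
    year, month = today.year, today.month
    for _ in range(monthly):
        if by_month.get((year, month)):
            keep.add(max(by_month[(year, month)]))
        year, month = (year, month - 1) if month > 1 else (year - 1, 12)
    return sorted(keep)


def demo():
    """Constructed data set: back it up, test the restore, detect a mismatch,
    and pick which of a month of daily backups to keep."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        (Path(src) / "customers.csv").write_text("id,name\n1,Alice\n")
        (Path(src) / "invoices").mkdir()
        (Path(src) / "invoices" / "2024-03.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        archive, manifest = make_backup(src, dest, "daily-2024-03-31")
        clean = verify_restore(archive, manifest)
        # A restored file whose content no longer matches what was recorded at
        # backup time (the effect of silent corruption or tampering).
        corrupted = verify_restore(archive, dict(manifest, **{"customers.csv": "0" * 64}))
    march = [date(2024, 3, 1) + timedelta(days=i) for i in range(31)]
    retained = select_retained(march, date(2024, 3, 31), daily=3, weekly=2, monthly=1)
    return {"files": sorted(manifest), "clean": clean, "corrupted": corrupted, "retained": retained}


if __name__ == "__main__":
    print(demo())
```

With the demo's counts (3 daily, 2 weekly, 1 monthly) a month of daily backups collapses to four copies: 29, 30 and 31 March, plus 24 March as the previous week's representative; the monthly slot is satisfied by 31 March itself.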


All these security rules can be written down in an ISSP (Information Systems Security Policy). An ISSP is an internal document describing the general measures the company takes with regard to IT security.

Very often, companies only think of drafting an ISSP after they have been the victim of a cyber attack. Drafting it beforehand limits both the likelihood and the consequences of an attack by imposing a framework and security practices. The document also tells everyone what to do in the event of a security incident.




2- Install security software solutions


Installing security software is not a miracle recipe, but it is a crucial step. Software alone is not everything, and attackers can always look for vulnerabilities in the security software itself, yet it offers a first bulwark against cyber threats.



Here are some of the tools that are essential:

  • A firewall (software or hardware) filters network traffic according to the security policy defined beforehand: it analyses and controls the flows passing through it, allows or blocks them by rule, and alerts when a flow looks suspicious or does not meet the requirements of the policy (ISSP).

  • An anti-virus detects and blocks viruses and other malware before they can install themselves on a workstation.

  • An anti-spam filter, once active on the mailbox, quarantines unwanted and risky messages (spam) and thus stops many phishing attempts before they reach the user.


Beyond protection, security software is also very effective at detecting incidents or anomalies as early as possible. Cyber attacks often go undetected for months or even years; some organisations only realise they have been attacked when they discover they have been spied on for several years.


Even if a software solution cannot guarantee 100% protection against all cyber attacks, it can nevertheless limit the main risks and give you early warning of suspected attacks or malfunctions.




3- Make your employees aware of the various phishing or social engineering techniques


Phishing is a malicious technique that lures the user into handing over personal information (account logins, passwords or banking details). It most often arrives by e-mail.

Have you ever received an e-mail from the tax authorities telling you that they owe you a large sum of money? Probably yes. That e-mail is phishing. Users who click the link to claim the refund are redirected to a landing page built by the attackers, which asks for personal information (username and password, the IBAN of the account to be refunded, card numbers to pay the 3 euro delivery fee for the gift you have "won", and so on). Everything typed into that page goes straight to the attacker, who can reuse it to break into your accounts, steal and/or resell your data and, in the worst cases, impersonate you.



Social engineering is psychological manipulation for the purpose of fraud. A well-known example is the "president scam" (CEO fraud): the company's financial director is contacted by the "group director", who demands an immediate transfer to a given bank account, for example in connection with the signing of a large contract. The victim is put under pressure, given no time to think or to answer, and the stressed financial director complies, believing he or she is talking to a legitimate person. By the time he or she stops to think, makes enquiries and reaches the supposed caller through another channel, the attack is over and thousands of euros are gone. The countermeasure is a rule rather than a reflex: any unusual or urgent transfer request is confirmed with the requester on a known telephone number and validated by a second person.


It is essential to train employees on phishing and social engineering techniques so that they can recognise these attempts and react appropriately if the situation arises.

Social engineering and phishing attacks often use human emotions (fear, anger, excitement, impatience, injustice) and aim to put the victim in a state of stress and haste, so that they are not able to think straight. It is essential that your employees are able to recognise these phishing and social engineering techniques, so as not to put your company at risk.
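A heuristic triage of the tax-refund e-mail described above, as an added example (not the article's or CyberSecura's code) of the kind of check an anti-spam filter or a security-aware mailbox script applies. The two sample messages, the indicator names and the pressure-phrase list are constructed for the demonstration; the sender domains and the 198.51.100.23 address are documentation-style values, not real infrastructure. The header parsing is deliberately simple and only handles one address per header.

```python
"""Heuristic phishing triage for one incoming e-mail (added example)."""
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Pressure and lure phrases of the kind the text describes (constructed list;
# a real filter carries a much longer, localised one).
PRESSURE_PHRASES = ("immediately", "urgent", "within 24 hours", "as soon as possible",
                    "will be suspended", "refund", "you have won")
ADDR_RE = re.compile(r'^\s*(?:"([^"]*)"|([^<]*?))\s*<([^<>\s]+)>\s*$')
EMAIL_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def split_address(header_value):
    """('display name', 'user@domain') from a From / Reply-To header value."""
    m = ADDR_RE.match(header_value or "")
    if m:
        return (m.group(1) or m.group(2) or "").strip(), m.group(3).lower()
    return "", (header_value or "").strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def host_of(url):
    """Lower-cased hostname of a URL (scheme optional); '' if none."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_email(raw):
    """Return the phishing indicators found in one RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = split_address(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name that itself shows an address at another domain.
    m = EMAIL_IN_NAME_RE.search(from_name)
    if m and m.group(1).lower() != from_domain:
        findings.append("display_name_spoofs_address")

    # 2. Replies silently routed to a domain other than the sender's.
    _, reply_addr = split_address(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply_to_domain_mismatch")

    body = msg.get_payload()
    if isinstance(body, list):            # multipart: first part only (demo simplification)
        body = body[0].get_payload()

    # 3. Links whose visible text names one site but point elsewhere, to a bare
    #    IP address, or to a domain unrelated to the sender.
    for href, text in LINK_RE.findall(body):
        href_host, text = host_of(href), TAG_RE.sub("", text).strip()
        text_host = host_of(text) if URL_LIKE_RE.fullmatch(text) else ""
        if text_host and href_host and text_host != href_host:
            findings.append("link_text_mismatch")
        if is_ip(href_host):
            findings.append("link_to_ip_address")
        elif href_host and from_domain and href_host != from_domain \
                and not href_host.endswith("." + from_domain):
            findings.append("link_outside_sender_domain")   # weak signal on its own

    # 4. Pressure language in subject and body: the stress-and-haste lever.
    plain = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    if sum(phrase in plain for phrase in PRESSURE_PHRASES) >= 2:
        findings.append("pressure_language")
    return findings


def is_suspicious(raw, threshold=2):
    """Two or more independent indicators: quarantine and ask a human to look."""
    return len(analyse_email(raw)) >= threshold


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: "Direction des Finances Publiques <noreply@dgfip.finances.gouv.fr>" <refund@dgfip-remboursement.com>
Reply-To: support@mail-refund-center.ru
Subject: Tax refund notification
Content-Type: text/html; charset=utf-8

<p>You are entitled to a tax refund of 487,20 EUR. Claim it immediately;
the refund expires within 24 hours.</p>
<p><a href="http://198.51.100.23/refund">https://www.impots.gouv.fr/refund</a></p>
"""

LEGITIMATE_SAMPLE = """\
From: "Alice Martin" <alice@example-startup.fr>
Subject: Minutes from Monday's meeting
Content-Type: text/html; charset=utf-8

<p>Hi all, the minutes are on the wiki:
<a href="https://wiki.example-startup.fr/minutes">https://wiki.example-startup.fr/minutes</a></p>
"""

if __name__ == "__main__":
    print("phishing  :", analyse_email(PHISHING_SAMPLE))
    print("legitimate:", analyse_email(LEGITIMATE_SAMPLE))
```

No single indicator is proof: legitimate newsletters link outside the sender's domain all the time, which is why that one is only counted, and why the decision rests on several independent signals rather than on any one of them. The same list of indicators is a useful teaching aid for the awareness sessions the text recommends.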




4- For small digital companies and start-ups: call on professionals to work on the cybersecurity by design of your product/solution/application


Indeed, this is one of the aspects most often neglected by small companies developing digital products. Very often focused on the development of their product, many forget that one day, these solutions will come to market, and that they will represent a real risk for their users if cybersecurity has not been taken into account.

The principle of security by design, which the GDPR echoes through its requirement of data protection by design and by default (Article 25), consists in taking cybersecurity into account from the very start of the product. This not only yields a product with a reliable and secure architecture, it also saves time, money and energy during development. Addressing security only at the end of development is counterproductive: if a security problem is found, large parts have to be redone, with a considerable loss of resources.



Moreover, the cybersecurity of digital products and applications is now a real business argument. Customers and users of digital solutions are now widely aware of the cyber risks to them and their personal data. Guaranteeing a product with a reliable and secure architecture is therefore a real competitive advantage.

But beyond user demand, investors and other business angels, well aware of the economic and societal issues linked to the use of digital technology, also demand proof of security and protection of personal data in the development of a digital product or application.


Cybersecurity by design thus becomes an indisputable competitive advantage and a key success factor for your company, as well as an essential argument to reassure users, customers and investors that your product will last on the market.





5- Take advantage of regional and national grants to initiate cybersecurity in your organisation

At the national and regional levels, numerous financial aids and subsidies are granted to smaller companies.

The France Relance plan in particular was first announced by the President of the Republic, Emmanuel Macron, in July 2020. Its aim was to help the French economy, slowed by the health crisis, recover by investing in the most promising areas. The plan included a cybersecurity component led by ANSSI (the French national agency for information systems security). It was aimed at administrations, local authorities, health establishments and public bodies wishing to assess the state of their cybersecurity and the actions to deploy, or to carry out a digitalisation project that needs securing. These offers were subsidised by the state (between 70% and 100%) and were an opportunity not to be missed to start securing your activity.


Note : information concerning the France Relance plan was valid at the time of publication of this article. The France Relance plan is now closed.


For companies, the regions also offer this kind of financial grant. The Auvergne-Rhône-Alpes region, for example, recently launched 4 Ambition Region programmes, one of which concerns cybersecurity for VSEs and SMEs. This programme is particularly interesting for smaller companies that lack the financial resources for a service provider but still have significant needs: the grant gives them access to expert consultants while keeping costs under control. These subsidies generally go to the smallest companies (young companies with few employees), to raise their awareness of cybersecurity and to support them through this first, difficult and yet crucial step. It would be a shame to miss out on this aid if you are eligible.



The other regions of France probably offer the same kind of subsidies: don't hesitate to contact your CCI, your CPME (i.e. SME confederation in France) or other business groups or associations: they will be able to direct you.





To conclude


These tips reduce the risk of cyber attacks and limit the consequences when they do occur. Unfortunately, good practices alone are not enough against determined attackers. If you are not an IT security specialist, seek professional help. Cybersecurity must not be relegated to second place: the budget allocated to IT must include security, to give yourself the best chance of withstanding attacks.





Our (almost entirely) free resources:

  • CyberSecura offers you a free one-hour flash diagnosis: estimate the state of your application security (start-ups, VSEs), the state of your GDPR compliance (start-ups, VSEs and SMEs), the state of your network infrastructure security (SMEs) or your security governance (SMEs).

  • CyberSecura also speaks, free of charge, to your business network on these cybersecurity and personal data protection issues.

