Now firmly entrenched in the digital era, companies and administrations in France have become aware that cybersecurity is henceforth a strategic concern. It is now obvious that security is a general concern and that cyberattacks do not only happen to other people. The multiplicity of uses (smartphones, tablets, etc.), social networks, cloud computing, and IT consumerization are a clear call not only to heads of IT services, but also to company management on the need to lead an effective cybersecurity policy to counter threats.
We surveyed 150 decision-makers of French organizations regarding cybersecurity, seeking to shed light on the main thrust of their thinking on the matter. How do they assess the current threat level? What are the key elements of their security strategy? What are the budgetary trends? Do they get support? What projects are they planning for the immediate future?
Nowadays, the increase in threats is an unavoidable reality and these threats are increasingly persistent and stealthy. Fifty-six percent of cybersecurity decision-makers consider that the attacks are also growing in intensity; only 6% of them consider that attacks are weakening. Whilst opportunism remains the major modus operandi of hackers, certain attacks are precisely targeted (e.g. Sony, Areva, New York Stock Exchange, etc.). Whilst groups like Anonymous claiming to act for militant and political reasons are behind these threats, they are not the only hackers. Increasingly, attacks are being launched by criminal organizations which have become professionals and whose motives are none other than the financial gain derived from the stolen data through the resale of professional secrets and strategic information.
Today, the IT department of a company or a government department must contend both with the variety of mobile platforms, not all of which are at the same level of safety, and with the supported use of social networks by staff members through BYOD (Bring Your Own Device), by which staff members use their personal devices for professional purposes. What is more, mobility and cloud services pose a risk to access control infrastructure. Given this diversification, heads of IT (DSI, RSSI) must be flexible and adaptable. But most importantly, they must maintain vigilance in terms of security. The era of a tactical or partial approach to security has come and gone. Clearly, security must now be strategic. The deployment of technical solutions alone is no longer sufficient; henceforth, there must be clearly defined governance, including risk management in particular.
A company’s security strategy is influenced by external factors and the annual budget the company allocates to security. Fifty-three percent of decision-makers identified legislation and regulation as being among the most important elements. Companies are legally bound to offer secure access and data storage. If a security problem arises, the head of the company, the head of IT and the employee concerned could bear the resulting civil and criminal liability. The importance of public action on cybersecurity is strongly highlighted by company heads, not forgetting the efforts of professional regulatory bodies. Digital transformation and the threat looming over industrial networks are other highly influential factors affecting the security strategies of companies.
As to investment, three-quarters of the companies stated that they had increased their cybersecurity budget between 2013 and 2014. The survey shows that budgetary pressure carries less weight in investment decisions concerning cybersecurity, unlike in other IT sectors, where this element is fundamental. Given the prospect of increasingly intense attacks, more robust defences must be erected to counter such attacks effectively. The digital transformation of companies makes this one of the major critical investments.
With the diversification of uses and the multiplicity of threats, companies might feel abandoned to their own devices. Is this true? Not really. Our survey shows that 86% of companies obtain support to devise and implement their security strategy and that private service providers do 69% of this work. The high rate of sub-contracting in this market is due mainly to the chronic lack of cybersecurity skills. This is a major constraint, especially as the domain is hugely complex and subject to constant and rapid change. The fact that 17% of French companies are supported by governmental institutions is a clear sign that government is an unavoidable stakeholder in the market given its involvement in cybersecurity, particularly by issuing regulations and certifications.
Lastly, from the strategic planning perspective, it appears that several security projects are unquestionably important to companies. Although data protection and risk management, both of which are fundamental to security, remain the principal tasks envisaged, decision-makers also seek to emphasise identity management alongside major projects such as SIEM and SOC installation.
A burning issue in 2015, cybersecurity supplements and enhances physical security measures. Until quite recently, it was a fledgling issue, but now it has become a strategic concern. It has financial implications: in 73% of the companies surveyed, cybersecurity has required budget increases. From a legal standpoint, companies must adjust to the use of new technology by staff and the consequent risk-taking in light of attacks. From a marketing standpoint, cybersecurity is a key influence in the image portrayed and the degree of trust felt, through the level of security the company offers its customers and partners. To conclude on a resolutely optimistic note, it is obvious that French companies, particularly vital businesses, are at the vanguard of cybersecurity today in Europe.