
Cybersecurity: everyone’s business!

Talk about ramping up the digital revolution! A leading business newspaper headline stated two years ago that “lockdown had broken down the last remaining barriers of the digital world”[1]. The number of remote consultations had soared. E-commerce sites had never been so busy… How about two years later? Has this trend become part of everyone’s practices and reflexes? It turns out that we have never used digital tools and platforms in such a massive manner.

According to Statista, approximately 319.6 billion emails were sent and received daily in 2021. That number is expected to exceed 376.4 billion by 2025. The global e-commerce market will reach $5.4 trillion in revenue by the end of 2022, up from $4.5 trillion in 2021.

From real estate to retail, including the restaurant, finance and education industries, the digitalization of our activities may have put us several years ahead. Collaborative work tools, digitization of processes, the development of supplier interfaces, online sales… The advantages for companies and institutions in facing current and future challenges are undeniable.

This major development of our digital world comes with a significant risk to our systems. We are still lagging behind in terms of protecting our organizations, and we are not addressing this risk to the extent that we should. And yet, the numbers are there: in 2021, half of the major companies declared to the Anssi that they had been victims of successful cyber attacks[2].

The health crisis has created fertile ground for cyber attacks, and companies are now paying particular attention to cybersecurity, especially since the Russian-Ukrainian conflict brought the risks to the forefront in 2022. In the last few months in France, the health sector has been targeted, with hackers demanding a ransom of more than one million euros from a hospital after stealing social security numbers and bank account details that they otherwise threatened to divulge.

These incidents remind us of the risks to which all our organizations are exposed, and the press carries the news: ransomware, data theft, etc. The increasing number of malicious acts, which are becoming more and more sophisticated, must prompt us to deal with this risk in the same way as we deal with the fire safety of our premises or the safety of our employees during an emergency.

In fact, it is people that should be repositioned in our systems: 95% of cybersecurity incidents are the result of human error[3]. It is our behavior (employees, subcontractors on our sites, suppliers connected to our interfaces, etc.) that is at fault, often through everyday actions: weak passwords or the installation of unapproved software on a professional PC. All these actions are possible weaknesses. We need our organizations to take appropriate measures: diagnosis, action plan, training and implementation based on reference standards (ISO 27001, IEC 62443, Ebios, ISO 26262), and follow-up of these measures.

It is a matter of bringing our organizations up to speed, in the face of a risk that is considered virtually unavoidable and for which the cost and consequences in terms of loss of operations and trust can be drastic. We need to implement good digital practices.

First of all: training our employees. At Bureau Veritas, we regularly raise awareness about phishing among all our employees in France and around the world, and we offer them training on the best practices to apply in their daily work. We believe that cybersecurity is everyone’s business.

Our EHSR and IT managers are at the heart of this system; they must be the driving force behind these initiatives and ensure that our organization is efficient in terms of its digital security. Here again, we must raise our standards to the highest level. Even if this does not guarantee 100% prevention of an attack, the measures in place can greatly limit its impact.

We experienced this at Bureau Veritas in late 2021. The preventive measures we took enabled us to contain the cyber attack we suffered in a matter of weeks. This was achieved through the impressive mobilization of our teams. Nowadays, that attack allows us to address our customers with even more relevance and empathy when we present our cybersecurity services. Business continuity plan, crisis management, internal and external communication, fine-tuning of our IT systems to continue our operations in a timely manner…

Based on our in-house experience and the services we provide to our customers, we are convinced that protection against cybercrime concerns all the parties involved in a company and must be treated as a day-to-day threat. The consequences can be drastic at all levels: several weeks of downtime for the companies involved, loss of revenue or trust from customers and employees…

All cybersecurity systems must now form “the immune system of companies”: their survival is at stake, without sounding alarmist. We cannot continue to think of cybersecurity as an afterthought. The role it has played in recent years is, on the contrary, establishing it as a key element. In our mission as a Business to Business to Society service company, we develop solutions to contribute to the resilience of companies in the face of cyber issues.

[1] Les Echos – May 2020 – Laurent Solly

[2] Anssi 2021 activity report

[3] IBM 2021 Report
