ETIs in the face of cyber risk: playing the cyber proximity game
Often with little or no protection against cyber risks, intermediate-sized enterprises (aka ETIs) have become prime targets for cybercriminals. Their digital hygiene and their ‘protective measures’ are indeed priorities, but in practice, it is not always easy for them to find their way around. One of the keys is to mobilise the local IT ecosystem. To understand this, let us hear from Mouhédine Habache, Head of the Conix Security Engineering Center Team.
A recent French Senate report on the subject, entitled “La cybersécurité des entreprises – Prévenir et guérir : quels remèdes contre les cyber virus ?” (Corporate cybersecurity – Prevention and cure: what remedies against cyber viruses?), notes that “smaller companies think they are safe. This is an illusion, sometimes a deadly one: a company can close down after a cyberattack. The indirect costs are sometimes revealed with a long latency period.”
According to the authors of the document (Senators Sébastien Meurant and Rémi Cardon), when large organisations strengthen their cyber defences, cybercriminals turn to their suppliers, subcontractors, or customers, who are often smaller and more vulnerable companies.
Insufficient digital hygiene
The vulnerability is multifaceted. “In cybersecurity, employees remain the weakest link—even a Trojan horse—as they perceive cyber protection as an additional burden,” they lament, before noting that a siloed organisation with minimal collaboration and communication reduces the effectiveness of a cyber corporate culture.
“The fight against cyber viruses requires constant digital hygiene and constant ‘protective measures’ on the part of everyone.” However, “increasing the budget allocated to tools is not a sufficient response to the growing number of increasingly sophisticated threats.”
In addition, the global shortage of cybersecurity experts reinforces the skills gap in this area for ETIs.
Since 2020, the IT consulting and services company CONIX has been supporting these companies with a cybersecurity approach adapted to their business model.
“We help them improve their cyber defence capability by offering them a tailor-made cyber action plan,” says Mouhédine Habache, Head of the Conix Security Engineering Center Team.
His team of 15 cyber engineers specialises in technical expertise on architectures and solutions. They intervene both in preventive mode (to secure companies’ IT ecosystems, including hardware, infrastructure, and networks) and in remediation mode (to rebuild their information systems after an incident).
“The method, based on a variation of the ‘France Relance’ recovery plan, consists of a tailor-made offer that will enable them to know their security status at a given moment,” Habache explains. “Our aim is to make small organisations aware of the importance of taking stock of their cybersecurity before the damage is done.”
Over the past two years, his team has carried out around twenty projects of this type throughout France. And the conclusion is clear: “Almost 100% of the missions carried out show that small structures do not have a security approach at all; and if they do, it is incomplete due to a lack of expertise,” Habache notes.
Similarly, their perception of the cyber threat is sometimes unclear: “ETIs do not always fully appreciate the value of securing their assets and data and do not budget for cyber actions,” he continues.
“They don’t know exactly how to map their cyber risks to insure them and they don’t plan to secure their business tools.”
Another finding is that cyber insurance coverage is sometimes inadequate for the client’s needs and business ecosystem, or that the client fails to meet the compliance clauses of the contract by not adopting the basic resilience practices it sets out.
But the biggest challenge, in his view, remains the document management policy: “Few ETIs really master the basic document processes or the operating procedures,” he notes. “Formalising the document management system according to ISO 9001 and ISO 27001 quality standards is essential to define the security to be implemented in an organisation and to control it over time.”
Once the inventory and the action plan have been drawn up, Mr Habache recommends that ETIs introduce cyber-resilient monitoring and maintenance. To help them in this process, he recommends local expertise.
First of all, geographical proximity: “The ETI thus benefits from a rapid and effective prevention and reaction solution […]. There are small local cyber structures that can help them in their security approach, from the implementation of the action to the remediation plan and from monitoring to maintenance.”
Then, human proximity: “The goal is to have easy access to information, to regional experts, and to players evolving in the same local economic ecosystem, who know each other and can thus provide advice, consultancy, and services better adapted to the needs of ETIs,” continues Habache. “We must not forget that cybersecurity is first and foremost human, before being technological. Use this proximity to be more resilient!”
In a context of cyberwarfare marked by the Russian-Ukrainian conflict, are ETIs more exposed than ever to cyberattacks? And what does the expert recommend in the face of these new threats?
“Regardless of the geopolitical context, the economic situation, or other factors, these risks are neither new nor current: they have existed for years, but they are evolving. Therefore, organisations—large or small—must constantly maintain a high and evolving level of security throughout the life cycle of their information system,” he replies.
In his view, the war could be an awareness-raising lever for those who currently have no cyber-resilient approach in place, due to lack of resources or pure ignorance.
“They need to be aware of the risks they face and maintain the highest possible level of cybersecurity, because anything can happen at any time to any structure,” he concludes.