SMEs are currently a favorite target of cyber-attackers. Why? Unlike major companies, SMEs rarely have an IT department or a process to train employees and prevent digital invasions. As a result, specific cybersecurity training can be a real advantage for company safety.
According to the last CESIN (Club des Experts de la Sécurité de l'Information et du Numérique), 80% of companies have had to deal with cybersecurity issues over the past 12 months. If you take into account the fact that it costs on average €800,000 to recover from a cyberattack, investing in preventive training can be a cost-effective solution.
A company-wide issue
Every employee generally has a computer, internet access and access to the company's network. This makes for many potential open doors through which cyber-criminals can infiltrate a company. "A simple USB key can be configured in a specific manner and left lying around. It will quickly be picked up by a curious user who inserts the USB key in their computer and enables a virus to be downloaded. That's all it takes to hack a company's IT system and access valuable data," explains Yannick Chatelain, an expert on online marketing, hacking and cybercrime who is also a researcher and professor at Grenoble Ecole de Management.
Another dangerous attack is the "director rip-off". Once a cybercriminal obtains a key password, he or she can build on the company's organizational structure and combine well-placed phone calls and the use of said password to implement fraudulent actions such as wire transfers. "In some cases, an untrained accountant or financial director can even find themselves accused of collaborating with the cybercriminal!" underlines Yannick.
The danger of curiosity
Ransomware is a virus that is loaded onto an IT system and blocks a company's access to its own data. "In 2012, McAfee already counted 120,000 samples of this type of virus. A key to unlock encrypted data is offered in exchange for payment of a ransom, often by SMS. Here curiosity is really a killer because unknowledgeable employees will often click on the link sent by hackers. Once that happens, the timebomb is just waiting to go off!" adds Yannick.
Phishing and scamming are other common tactics that rely on progressively acquiring information about a company. Hackers use personalized communications to achieve an objective such as installing a backdoor in an IT system in order to collect banking data or learn sensitive information in order to blackmail a company.
"Cybercriminals are overflowing with creativity when it comes to finding new ways to trick their victims. The best solution to fight off cybercriminals is to set up safety nets through processes such as training to ensure employees know how to use their email accounts in a safe manner. Whereas a major company's IT department will control each user's level of access, SMEs oftentimes don't even have a firewall," concludes Yannick.
A certificate to manage cybersecurity
Grenoble Ecole de Management via EMSI signed a partnership agreement with EPITA, a school with expertise in cybersecurity training. The two schools agreed to develop new training programs in their fields of expertise. Their first collaboration takes form with a new professional certification program on the topic of managing information security and risks. The certificate is designed to prepare managers to face future cybercrime issues. The first certification will start in September 2017 on the Paris campus. The program will cover policies and methods to help anticipate risks and take protective measures to secure a company's data. EPITA will provide cutting-edge expertise as the school is a partner to the state security services with SecNumedu certification by ANSSI (French National Agency for the Security of Information Systems) and CTI accreditation.
This training program will take place between September 2017 and March 2018 on our Paris campus. The program will include 52 days of training over seven months. Classes will be taught by cybersecurity experts and will build on case studies. To apply, participants should have a master's degree or equivalent in science, sales or management as well as five years' work experience. The TOEIC or equivalent is also required.