How to better support VSEs and SMEs in managing cyber risks (article in Les Echos)

An article by Stanislas de Goriainoff, CTO of Sewan Groupe

Hackers did not wait for the conflict between Russia and Ukraine to break out, but the exposure of the various threats from the East, whether real or imagined, has given our economy a wake-up call. Moreover, while security levels are already at their highest in a good number of large companies, against the backdrop of an upsurge in attacks observed since the pandemic, some companies remain much less well armed. This is particularly true of very small businesses (VSEs) and SMEs, which are still not very mature on the subject. [1] Indeed, while their managers seem to be well aware of the cyber risks that weigh on their activity, many tend at the same time to overestimate their current level of protection...

Inform well, without alarming.

To have any hope of engaging them on this anxiety-provoking subject, and of convincing them to make the necessary investments and sacrifices, the priority is quite logically to inform them, with pedagogy and pragmatism. While the majority of VSEs and SMEs unfortunately wait until they have been the victim of a cyber attack before taking action, the challenge is to deploy prevention efforts while avoiding overly alarmist discourse. Let's face it, SMEs will not be more targeted as a result of the European conflict. When they are targeted, the attacks are most often automated, and the motive is more likely to be criminal than political: extortion of funds or data. In fact, and logically, the ransoms demanded are always proportionate to the victim's capacity to pay, since the hackers' interest is above all to make sure that the ransom can actually be paid. Creating an overly anxious climate contributes, in my opinion, to an erroneous perception of what is at stake in cybersecurity, and is in fact detrimental to good behaviour and good investments.


Prioritise the data to be protected.

Because, indeed, what data are we talking about? First of all, once our VSEs and SMEs have been convinced of the benefits of implementing cybersecurity, they must be guided in identifying, selecting and prioritising the data to be defended. This requires specific audits and an often (very) long process of recovering this data, spread between individual computers and the cloud, between present or past employees, etc. The rise of teleworking in the wake of the COVID crisis has also brought this subject to the fore. Speeches have multiplied over the last two years to evangelise the minimum protection to be put in place: encryption of data flows (firewall/VPN), encryption of disks, redundant data backups, access limitations and controls for each workstation, etc. Protecting this type of company is all the more important as the digital developments to come are colossal and will have a strong impact on the office of tomorrow.


Improving the security experience.

One thing is certain: complicating the life of the hacker also complicates the life of the user, and in fact taints, slightly, the user's online experience. Now that the precious "UX" has become a central factor of competitiveness on the web, it is easy to understand that complex passwords, the multiplication of identifiers or codes received by SMS, to name but a few, appear to be unthinkable obstacles for administrators. Beyond the education that we must provide on this point, it is also up to us to imagine and invent a cybersecurity system that can preserve a quality browsing or purchasing experience.



[1] Ifop