How to Assess the Credibility of a Security Certification?

To prove their dependability, IT solutions may obtain a security certification. This is a significant advantage in the IT market, especially in an era where cybersecurity is a key concern for organisations. But how can one assess the credibility of a security certification when certifications are issued by different countries?

What is a Security Certification?

Security certification of IT solutions and software involves evaluating the product against specific cybersecurity standards. These standards vary depending on the industry and on the regulations in force in the issuing country. Certifications from different countries may therefore not meet the same cybersecurity requirements, which is why it is important to analyse the criteria that establish the credibility of a cybersecurity certification.

Criteria for determining credibility

The Cyber Power of the Nation

A nation’s cyber power plays a role in its international influence. It encompasses the ability to utilize digital technologies and cyberspace to achieve national and international goals through government strategies, defensive operations, and resource mobilization. Various global indices help in determining a nation’s level of cyber power.

The Harvard Belfer Center’s NCPI Index

The National Cyber Power Index (NCPI) from the Belfer Center is a measure of nations’ cyber power. This index uses qualitative and quantitative data models to assess the capabilities and objectives of states. It includes 29 indicators, divided into two categories:

  • Intent indicators

Intent indicators reflect a country’s priorities and motivations in terms of cybersecurity. In other words, they show how the country plans to use its cyber capabilities, in line with its strategic and political objectives. These range from defence, espionage and information control to influencing the definition of cyberspace norms and offensive operations.

  • Capability indicators

Capability indicators assess a country’s technical capabilities and cyber resources, regardless of how it chooses to use them. This includes technical expertise, infrastructure, available tools and technologies, and qualified human resources in cybersecurity.

The 2022 NCPI Report Findings

In the NCPI 2022 report, the authors assessed the cyber power of 30 countries around the world. In the top 10 are the United States, China, Russia, the United Kingdom and France in 9th position. Germany and the Netherlands are lower down the ranking.

France achieves a capability score of around 40 for the objective of “influence in defining cyberspace norms”, putting it in 4th place. In terms of intention score, France is in the top 4 of nations most involved in the defence objective.

The International Institute for Strategic Studies (IISS) Assessment

IISS has also developed a methodology for determining a nation’s cyber capabilities and how these contribute to its power. The institute classifies these capabilities into 7 distinct categories:

  1. Strategy and doctrine
  2. Governance, command and control
  3. Core cyber-intelligence capability
  4. Cyber empowerment and dependence
  5. Cyber security and resilience
  6. Global leadership in cyberspace affairs
  7. Offensive cyber capability

In its report “Cyber Capabilities and National Power: A Net Assessment”, published in 2021, the IISS analyses France’s position in these areas. It states that “In many respects, France leads the EU in cybersecurity and resilience planning.”

France’s transparency on cybersecurity

France is also considered more transparent on the issue of cyber security. The report states that the country “maintains a clear separation between defensive and offensive cyber operations”. ANSSI (Agence nationale de la sécurité des systèmes d’information) is thus exclusively dedicated to defensive operations and is not part of the intelligence community, unlike the National Security Agency (NSA) in the United States or the Government Communications Headquarters (GCHQ) in the United Kingdom. “This distinction is important to some in France, based on the assumption that the objectives and remit of an intelligence agency, including its disposition towards secrecy, may interfere with some of the objectives and practices necessary for civilian sector cybersecurity, including the need for greater transparency regarding cybersecurity breaches.”

A nation’s cyber power is therefore one of the essential criteria to take into account when assessing the credibility of a security certification issued by that country: a high ranking reflects high standards and real capacity in cybersecurity. Another decisive criterion is the national certification scheme.

The national certification scheme

Common Criteria (CC), standardised as ISO/IEC 15408, is the international reference standard for evaluating the security of IT products and systems. The evaluation covers the product’s security functions as well as the developer’s organisation and processes, and assigns one of seven Evaluation Assurance Levels (EAL1 to EAL7).

These criteria are demanding and require organisations to commit significant resources. In practice, mainly large companies or groups can afford CC certification. This barrier runs counter to the aim of building a trusted digital ecosystem that brings together organisations of all sizes, from multinationals to smaller businesses.

To make certification more accessible, France and Germany, drawing on their experience as certifying countries, have created national certification schemes focused on the technical evaluation of products: the CSPN (Certification de Sécurité de Premier Niveau) in France and the BSZ (Beschleunigte Sicherheitszertifizierung) in Germany.

These schemes have made it possible to extend certification to a wider range of IT solutions, boosting their visibility while guaranteeing their high level of security. Indeed, the credibility of these national certification schemes rests above all on that of the issuing country.

The nation’s experience in issuing certification

Figure: Number of CC certifications issued in 2022 by country (Common Criteria Statistics Reports 2022)

The nation’s experience in issuing certifications is a major factor in the credibility of its certification scheme. And for good reason: the number of certified products demonstrates expertise and a particular commitment to cybersecurity.

In 2022, according to the Common Criteria Statistics report, France, via ANSSI, is the world leader in the number of Common Criteria certifications issued, with 74 certified products. Over the last 5 years, France is the second country to have issued the most certifications, just behind the United States.

To sum up, the credibility of a security certification rests on three main criteria:

  • The cyber power of the nation issuing the certification
  • The country’s commitment to developing a trusted digital system, through its national certification scheme
  • The nation’s experience in certification

France, one of the most credible cyber powers

France appears to be one of the most credible and experienced cyber powers, both because of its position in the various “cyber power” indices and because of its experience in evaluating IT products.

ANSSI-certified solutions offer significant security guarantees and greater confidence.

Tixeo, the only secure video conferencing solution certified and qualified by ANSSI

Thanks to its sovereign end-to-end encryption technology and secure on-premise videoconferencing offering, Tixeo has been certified and qualified by ANSSI since 2017.

With three ANSSI security certificates received in six years, the company demonstrates continuity in its commitment to security: a level of cyber requirements that goes beyond the purely “marketing” aspect of certification.

Cyberspace: European companies faced with international cyber espionage

Cyber espionage attacks by state or para-state entities are on the increase, targeting European companies. They mainly target organisations that are essential to a country’s functioning or economy.


Consequences of geopolitical instabilities

An upsurge in state and para-state attacks

Since the war in Ukraine, conflicts in cyberspace have intensified and the range of cyber attackers has diversified. More and more state actors use conventional cybercrime methods, such as ransomware, against private or public organisations, which makes attributing these activities increasingly difficult. The techniques used are also more sophisticated, better resourced and more damaging. The fight against cyber espionage was accordingly made one of ANSSI‘s main missions for 2022. Cyber espionage can persist in information systems for months before an organisation notices it.

In 2022, 150 state cyber attacks were recorded, 77% of which involved espionage operations. In 2023, the share had already risen to 83% of all state cyber attacks before the year was over.

Mainly of Chinese or Russian origin, these state and para-state espionage attacks pursue different objectives, depending on the case:

  • the collection of confidential data,
  • computer or physical sabotage of a critical infrastructure
  • or political destabilisation.

Sensitive sectors particularly targeted by cyber espionage

Government organisations, businesses, public authorities and research institutes are among the prime targets of cyber espionage. It is from these organisations that cyber attackers can gather sensitive data linked to a nation’s economic, industrial or scientific activity. This can start by hacking into employees’ e-mail accounts to retrieve confidential information.

ANSSI recently stated that several cyber espionage attacks, targeting French companies in particular, had been carried out by APT28 (also known as Fancy Bear), a group close to the Russian military intelligence services. The attackers are said to have exploited several security flaws to gain access to Outlook e-mail accounts between March 2022 and June 2023.

What are the consequences of cyber espionage?

Financial impact on businesses

Cyber espionage has a significant economic impact on companies. The intrusion is generally discovered several months after it began and is often publicised, which damages the organisation’s image and erodes the confidence of its customers and partners. Industrial espionage can also lead to lost markets and the theft of the organisation’s intellectual property. Together, these factors can destabilise a company financially.

Damage to national interests

Moreover, spying on companies operating in critical sectors can pursue interests other than financial ones. For example, when it comes to infrastructures linked to the energy, ICT or health sectors, cyber espionage contributes to the destabilisation of a country in economic, social and even security terms.

Against a backdrop of war and the threat of terrorism, state agencies target strategic sectors. In 2023 it emerged that Mirage, a cyber threat actor attributed to China, had infiltrated the networks of the German Federal Agency for Cartography and Geodesy in December 2021. Although the type of information compromised is not yet known, the case shows that such intrusions can deeply compromise a system and persist over time.

 

Strengthening European cyber security is more essential than ever

With the NIS2 Directive and the DORA Regulation, Europe is preparing to strengthen the cyber security of its most sensitive organisations, particularly against cyber espionage.

State cyber attacks also fall within the scope of national cyber defence. Military cyber defence actors are mobilising to defend the information systems of critical organisations and prevent public or private bodies from being paralysed. Similarly, the DGSI contributes to cyber defence by detecting and identifying foreign state cyber interference as early as possible.

The 2024 Olympic Games: a favourable context for destabilising companies

On the eve of the 2024 Olympic Games in Paris, the authorities are already warning of an “unprecedented level of risk of cyber attacks“, which could also target businesses, again with the aim of destabilising the host country.

Organisations in all essential and critical sectors need to prepare for a potential cyber crisis. Technical protection measures are expected, in particular to protect confidential communications and data, but it is also advisable to step up in-house training in good cybersecurity practices: employees and managers are generally the first point of entry into a company’s information system in a cyber espionage campaign.


Finance: how to prepare for the application of DORA regulations?

Complementing the NIS2 directive, the DORA (Digital Operational Resilience Act) regulation adds another layer of cybersecurity to the financial sector. To protect their assets and the economic interests of European nations, financial institutions must strengthen their digital operational resilience.

The financial sector is heavily affected by cyber threats

Cyber attacks on the increase

Large-scale cyber attacks target financial sector infrastructures, and cyber risk now represents a major risk to financial stability. In its Financial System Risk Assessment published in June 2023, the Banque de France notes that “the financial system remains exposed to a very high level of risk from cyber attacks“. This is due to the geopolitical context and also to artificial intelligence, which opens the way to highly sophisticated attacks that are harder to counter.

The very rapid digitisation of companies in the finance sector also explains this massive exposure to cyber risk. While the digitisation of banking services began very early on, information systems were not secured as quickly. In addition, employees of banking organisations make greater use of mobile devices and are more exposed to the risk of cyber attacks.

DORA complements NIS2 for cybersecurity

Because of the many risks and challenges involved, the European Union has classified the banking sector as highly critical under the NIS2 directive. Organisations will therefore need to strengthen their cybersecurity and train their decision-makers. DORA goes further for financial entities, requiring them to manage their ICT risk more rigorously and become more resilient and agile.

Key points of the DORA regulations

Which organisations are concerned?

DORA applies to most organisations operating in the financial sector, such as:

  • Credit institutions,
  • Investment firms, payment institutions and electronic money institutions,
  • Management companies,
  • Insurance and reinsurance undertakings,
  • Insurance and reinsurance intermediaries.

Objective: strengthen digital operational resilience

Better mapping and management of cyber risks

Like the “all-risks approach” in the NIS2 directive, the DORA regulation aims to improve risk awareness in the financial sector. Financial institutions must take into account the risks inherent in their operations. The regulation therefore calls for these risks to be identified and their level of impact on the organisation to be quantified, both internally and externally. In this way, organisations will have better visibility of the measures to be put in place and will be more agile.

Risk management also helps to reassure the company’s ecosystem. This is the case for customers, whose assets and personal data must be fully protected.


ICT service providers covered by the regulations

Today’s banks and financial institutions are dependent on information and communication technologies. If they are not sufficiently secure, these technologies expose the sensitive data they transmit.

Under DORA, financial entities must be resilient to operational disruptions linked to these technologies. They are responsible for identifying and classifying ICT-related risks and for developing incident management processes.

Moreover, supervisory authorities will verify compliance with the ICT risk-management requirements, and sanctions may be imposed in the event of non-compliance.

Choose ANSSI-qualified service providers

The French National Cybersecurity Agency (ANSSI) identifies highly secure products and service providers through its Security Visa, which helps organisations in sensitive sectors such as finance assess the reliability of communications solutions.

In the event of a cybersecurity incident, teams need to be able to continue exchanging information in a highly secure environment. This will guarantee business continuity and ensure operational resilience.

ANSSI has published a guide to the operational and strategic management of a cyber crisis.

ANSSI security approval: a guarantee of reliability

For over 5 years, Tixeo has been the only secure videoconferencing solution in France to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.

When will the DORA regulation come into force?

The DORA Regulation entered into force in the European Union on 16 January 2023, so preparation is already under way. It applies from 17 January 2025; as an EU regulation it is directly applicable in all Member States and requires no national transposition.

“Cyber stress test” campaigns in the pipeline

The banking system regularly undergoes stress tests linked to social and economic conditions. Soon it may also have to undergo cyber stress tests: the ECB (European Central Bank) has announced plans to test the cyber resilience of financial institutions from 2024. Increasing cyber threats, teleworking and the use of the cloud are raising the severity of cyber attacks and motivated this initiative.

A good way for organisations in the finance sector to put their DORA preparations to the test.



OES and OIV: what is the impact of the NIS2 directive?

With the forthcoming application of the NIS2 Directive in Europe, operators of essential services (OES) and operators of vital importance (OIV) are preparing for new obligations to strengthen their cybersecurity.

A new name for essential service operator (OES)

The creation of essential entities (EE) and important entities (IE)

The main aim of this revision of the NIS1 Directive is to maximise the security of the networks and information systems of sensitive European organisations. One change is the end of the term OES (operator of essential services), which referred to operators of services whose disruption would have a major impact on the functioning of the economy or society.

The NIS2 Directive does away with the term “essential service operator” in favour of two categories of entity:

  • Essential Entities (EE), which would mainly include large companies in sectors classified as highly critical.
  • Important Entities (IE), which would mainly concern medium-sized organisations in sectors classified as highly critical and organisations in critical sectors.

“Digital Service Providers” fall into these categories. It should be noted that there has been no change to the designation OIV (operator of vital importance). These are covered by NIS2.

Obligations for essential entities, important entities and OIV

Use ANSSI-certified security solutions

The security measures recommended by NIS2 include “the use of secure voice, video and text communications and secure emergency communication systems within the entity, as required”. For OIV, the use of security solutions certified by the ANSSI, thanks to its Security Visa, is even becoming compulsory. In the event of a crisis, operators of vital importance need to react quickly and demonstrate resilience. Secure communications solutions are therefore essential. They enable employees to carry on working. Various technologies, such as end-to-end encryption, guarantee data protection.

Security Visa from ANSSI: a guarantee of reliability

The ANSSI Security Visa makes it easy to identify the most reliable cybersecurity solutions. These solutions have been checked and assessed by approved laboratories.

For over 5 years, Tixeo has been the only French secure videoconferencing solution to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.

Protecting network architecture

The NIS2 directive recommends segmenting networks and controlling remote access. This applies in particular to on-premise security solutions, which must be able to operate in an isolated network; the organisation also needs to understand their full impact on its network architecture.

The benefits of secure on-premise videoconferencing

TixeoServer is Tixeo’s secure on-premise videoconferencing solution, certified and qualified by the ANSSI. Security is part of every step from its design to its deployment. For example, only one network port needs to be opened for installation, in order to limit the impact on the organisation’s information system security policy.

Use secure subcontractors and service providers

Supply-chain actors, whether subcontractors or service providers, are covered by the NIS2 Directive. They generally have access to their customers’ infrastructure and therefore represent a security risk: a breach of their infrastructure would impact the network security of the essential or important entities they work for.


The NIS2 directive: what changes for European businesses and administrations?

These European-wide cybersecurity regulations are unprecedented. There are many requirements to ensure that European organisations can demonstrate a common high level of IT security. Companies will have to comply, and quickly. Here are the main changes in the new NIS2 directive.

NIS2 directive: extending the scope of NIS1

In 2016, the Network and Information Security (NIS) Directive was adopted by the European Parliament and the Council of the European Union. Its main objective was to raise the level of cybersecurity of major organisations in a small number of high-risk sectors (energy, transport, banking, financial market infrastructures, health, drinking water supply and digital infrastructure). In France, this represented around a hundred players.

With the intensification of cyber threats in a tense geopolitical context, more and more companies and institutions are exposed to the risk of IT incidents. That’s why the EU published NIS2, an extension of the NIS1 directive, at the end of 2022. The aim is to broaden the scope of the sectors concerned and to strengthen cybersecurity requirements.

The new directive employs an “all-risks approach”. In other words, it requires a wide range of organisations to better protect their networks and information systems, through a combination of multiple cyber strategies. These include:

  • Risk analysis,
  • incident handling,
  • business continuity,
  • supply chain security,
  • and the use of secure emergency communication systems within the organisation.


Virtually all sectors affected

NIS2 will now affect thousands of entities across 18 business sectors. All private or public entities with at least 50 employees or an annual turnover above €10 million are affected. These include digital companies and certain public authorities, which have been particularly targeted by cyber attacks in recent months. The sectors are classified in two categories: highly critical sectors and critical sectors.

Sectors classified as highly critical include:

  • energy
  • transport
  • banking
  • financial market infrastructures
  • health
  • drinking water
  • waste water
  • digital infrastructure
  • ICT service management
  • public administration
  • space


The sectors considered critical are:

  • postal and shipping services
  • waste management
  • manufacture, production and distribution of chemical products
  • production, processing and distribution of foodstuffs
  • manufacturing
  • digital suppliers
  • research

Two new entity categories (EE and IE)

The other new feature of NIS2 is the classification of entities into two distinct categories: essential entities (EE) and important entities (IE). This classification is based on the level of criticality, the number of employees and the global turnover of the companies concerned. A large company employs at least 250 people and/or has an annual turnover of at least €50 million. A medium-sized company employs at least 50 people and/or has an annual turnover of more than €10 million.

Thus, essential entities would mainly include large companies in sectors classified as highly critical. Important entities would mainly concern large and medium-sized organisations in sectors classified as critical and medium-sized organisations classified in highly critical sectors. This distinction will make it possible to tailor requirements and penalties for organisations in proportion to their resources and the stakes involved in protecting their data.

It should be noted that in certain sectors, the high level of criticality may justify designation as an essential entity, regardless of the size of the organisation. This is particularly the case for entities identified as critical at national level by the CER Directive.

Tougher penalties

Lastly, the NIS2 directive also strengthens the penalty system. An organisation that fails to put in place appropriate risk management measures or to notify a security incident quickly enough risks a fine proportional to its turnover and level of criticality: essential entities face fines of at least €10 million or 2% of their worldwide annual turnover, whichever is higher, and important entities at least €7 million or 1.4% of turnover.

EU Member States are also able to require entities to carry out audits or inspections. If necessary, they can issue warnings and instructions.

Focus on two new obligations for organisations

Reporting security incidents

With NIS2, when a significant cyber security incident occurs, organisations must send an early warning to the competent authority (ANSSI in France) within 24 hours, followed by a fuller incident notification within 72 hours and a final report within one month. The practical arrangements will be set when the directive is transposed into national law, but all the organisations affected by NIS2 will have to get organised in order to react quickly. The aim is to improve the responsiveness of the authorities in the event of an incident and to trace cyber attacks more accurately.

Cybersecurity training for executives, managers and employees

In-house training is a key point in this new directive, and is encouraging massive awareness of the subject of cybersecurity.

Indeed, the main challenge of NIS2 is to force the implementation of technical measures, but also and above all operational and organisational measures. The entire organisation must be mobilised for its cybersecurity, not just the IT department. That’s why the directive requires cybersecurity training for members of management bodies, who must approve the cybersecurity risk-management measures and oversee their implementation. What’s more, the directors representing the organisation can be held liable if they fail to comply with the directive’s obligations.

With a view to extending cybersecurity to all functions, the NIS2 directive could redefine the role of the DPO (Data Protection Officer) by giving him or her tasks relating to the application of this directive. These new tasks will be consistent with those required to comply with the General Data Protection Regulation (GDPR). It’s a way of looking at cybersecurity as a legal risk, and no longer as the preserve of CISOs.

When will organisations have to comply?

Member States have until 17 October 2024 to transpose the directive into national law, and its obligations apply to the companies and administrations concerned from 18 October 2024. Organisations should nevertheless start preparing for these new cybersecurity standards now by raising their level of security, so as to counter the growing number of cyber threats.

How do you prepare for the NIS2 directive?  

As of now, organizations affected by the NIS2 Directive can be assisted by experts to assess the security level of their information system and receive recommendations.

As a trusted service provider, certified and qualified by ANSSI, Tixeo supports operators of essential services and operators of vital importance in their NIS2 compliance. The use of secure communication systems is one of the recommendations to ensure business continuity in the event of a crisis. Protecting online communications is therefore a guarantee of cyber resilience for organisations.

How do you raise employee awareness of cybersecurity?

Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.

Economic and political risks

Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.

The hackers’ objectives may be:

  • To steal money from an individual or a company
  • Capture a company’s customers
  • Damage the reputation of a company or a political player/party
  • Conduct industrial, political or military espionage

An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if they are to become aware of them and react accordingly.


Cybersecurity awareness campaigns:

Schedule regular training sessions

Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise them in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.

Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.

It may be a good idea to conclude each training session with a practical summary document. This will serve as a memo for the employee. On the fun side, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.


Using gamification

Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.

Calling on key players

For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. These may be organisations specialising in IT security, university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.

Strengthening internal communication

Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.

For example, spearphishing attacks are currently on the increase and are affecting more and more organisations. This type of cyber attack specifically targets a company employee with access to sensitive information. It generally relies on impersonation and strong social engineering. The hacker’s aim is to send an e-mail that is consistent with the activity of the targeted person or company, encouraging them to click on a malicious link or open an infected attachment. In this way, the employee’s data can be compromised. The success rate of spearphishing is high and worrying. This type of information should be communicated to employees by e-mail, via a corporate social network or in an internal repository. These communications can be accompanied by a number of practical steps that can be taken to avoid being caught out.

Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of situations (e.g. “I clicked on the wrong link, what should I do?”). On these sheets, employees will find the contact details of the support service and a few simple actions to take while they wait for help. They are particularly recommended for teleworkers, who are more isolated when it comes to security issues.

Carry out test campaigns

Finally, there’s nothing like a (fake) cyber attack to raise awareness of cybersecurity. Cyber security test campaigns involve the whole company and have a dual objective: they show employees that attacks can affect them, and they measure their level of vigilance. Generally, phishing campaigns are organised, since this type of e-mail attack is still the most common. At the end of these test campaigns, and depending on the results, additional training modules will have to be offered to employees.
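To turn the results of such a test campaign into a decision about which professions need follow-up training, a simple per-group scoring helps. The script below is an added example, not code from the article or from Tixeo: it aggregates constructed sample results from a hypothetical phishing simulation (who clicked, who entered credentials on the simulated page, who reported the e-mail) by profession and flags groups whose click rate is too high or whose report rate is too low. The thresholds (10% maximum click rate, 50% minimum report rate) and the sample data are assumptions made for the example.

```python
"""Score a phishing-simulation campaign per profession to decide where
follow-up training is needed. Added example; not the original article's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Result:
    """One employee's behaviour in the simulated phishing e-mail."""
    employee_id: str
    profession: str
    clicked: bool      # followed the link in the simulated e-mail
    submitted: bool    # entered credentials on the simulated landing page
    reported: bool     # reported the e-mail to the support/security team


# Constructed sample data for a hypothetical campaign (not real results).
SAMPLE_RESULTS: List[Result] = [
    Result("e01", "accounting", clicked=True,  submitted=True,  reported=False),
    Result("e02", "accounting", clicked=True,  submitted=False, reported=False),
    Result("e03", "accounting", clicked=False, submitted=False, reported=True),
    Result("e04", "accounting", clicked=False, submitted=False, reported=False),
    Result("e05", "developers", clicked=False, submitted=False, reported=True),
    Result("e06", "developers", clicked=False, submitted=False, reported=True),
    Result("e07", "developers", clicked=False, submitted=False, reported=False),
    Result("e08", "sales",      clicked=True,  submitted=False, reported=False),
    Result("e09", "sales",      clicked=False, submitted=False, reported=True),
    Result("e10", "sales",      clicked=False, submitted=False, reported=False),
]


@dataclass
class GroupStats:
    """Counters for one profession; rates are derived from them."""
    total: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def rate(self, count: int) -> float:
        return count / self.total if self.total else 0.0

    @property
    def click_rate(self) -> float:
        return self.rate(self.clicked)

    @property
    def report_rate(self) -> float:
        return self.rate(self.reported)


def aggregate(results: List[Result]) -> Dict[str, GroupStats]:
    """Count clicks, credential submissions and reports per profession."""
    stats: Dict[str, GroupStats] = defaultdict(GroupStats)
    for r in results:
        g = stats[r.profession]
        g.total += 1
        g.clicked += int(r.clicked)
        g.submitted += int(r.submitted)
        g.reported += int(r.reported)
    return dict(stats)


def groups_needing_training(stats: Dict[str, GroupStats],
                            max_click_rate: float = 0.10,
                            min_report_rate: float = 0.50) -> Dict[str, List[str]]:
    """Flag professions that should get an additional training module.
    Thresholds are assumptions for this example, not figures from the article."""
    flagged: Dict[str, List[str]] = {}
    for profession, g in sorted(stats.items()):
        reasons = []
        if g.click_rate > max_click_rate:
            reasons.append(f"click rate {g.click_rate:.0%} > {max_click_rate:.0%}")
        if g.submitted:
            reasons.append(f"{g.submitted} credential submission(s)")
        if g.report_rate < min_report_rate:
            reasons.append(f"report rate {g.report_rate:.0%} < {min_report_rate:.0%}")
        if reasons:
            flagged[profession] = reasons
    return flagged


if __name__ == "__main__":
    for profession, reasons in groups_needing_training(aggregate(SAMPLE_RESULTS)).items():
        print(f"{profession}: " + "; ".join(reasons))
```

With the sample data, accounting and sales are flagged while developers are not: the report rate matters as much as the click rate, because a group that does not click but also never reports gives the support team no early warning of a real campaign.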

3 essential precautions for raising awareness of cyber security

Leveraging a diversity of actions

Freeing up time for training is not always easy, and many employees drag their feet when it comes to cybersecurity training. The key is therefore to diversify your training courses so that the subject is tackled from different angles, with concrete, practical information. And don’t forget the educational and fun aspects!

Tailoring awareness-raising campaigns to specific professions

It is important for employees to learn techniques to protect themselves, but also, and above all, to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.

Stepping up training for teleworkers

While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.
