
Over the last 12 months, 43% of organisations in France have fallen victim to a successful cyber attack, according to the economic research company Asterès. What are businesses currently doing to address cyber risk? Analysis by David Ofer, President of the French Cybersecurity Federation.

What is the current extent of cyber risks?

A number of studies show a phenomenon on the rise. The number of financially motivated attacks notified to the French national information security agency (ANSSI) in 2023 was 30% higher than in 2022. This escalation has also been observed by the Paris Public Prosecutor’s cyber criminality unit.

“Pirates are a step ahead of governments and businesses.”

Whatever the figures being produced from different quarters, one thing is certain: in a world where everything is connected, cyber risk is everywhere. Digital’s invasion of our daily lives, both personal and professional, has opened up a vast playing field to a new generation of criminals ready to exploit weaknesses in information systems to paralyse organisations and steal identities in the hunt for modern society’s new Holy Grail – data. Individuals, businesses, nonprofits, institutions, local authorities – none are safe from these cyberspace pirates.

Is artificial intelligence likely to redraw the battle lines of this new war?

Algorithms equip those involved in prevention and protection to better understand and identify attack sources and areas of weakness. They are a valuable ally in data protection and attack detection. AI is used by numerous sensitive services, including the army and police, to improve their data analysis. But it is equally useful to the criminal fraternity, enabling them to make their attacks more sophisticated, for example, using the deepfakes we hear so much about in the media.

Is it true that criminals are a step ahead of defence and counter response methods?

The race against time between an increasingly professionalised threat and a defence that is still mobilising is indeed rather one-sided. The pirates, because they are invested – literally – in cyber, have moved ahead of governments and businesses that have long viewed cybersecurity as a cost centre. The myth of the hooded hacker working alone at the back of their garage is now further removed from reality than ever! Cyber attacks are now orchestrated by criminal organisations at international level. They are increasingly sophisticated, with precisely established targets and serious consequences for national security and economies.

Which activity sectors are most under threat?

The health sector is one of the worst affected by recent attacks. The reason is that it performs services that are vital for individuals and holds extremely detailed, and therefore highly lucrative, personal data. Other sectors that, if paralysed, would affect the way society functions are also in the attackers’ crosshairs: regional and local authorities, energy, telecommunications and transportation in particular. The risk is currently strongly focused on supply chains. Market globalisation and the proliferation of subcontracting have clearly left supply chains exposed. In the United States, these are subject to repeated attacks. And French supply chains are now being affected as well.

What is the French Cybersecurity Federation’s place and role in the digital security ecosystem?

Various stakeholders in France are currently invested in the cyber issue. ANSSI deals specifically with so-called Operators of Vital Importance (OVIs), major groups, and large regional and local authorities. The cybermalveillance.gouv website was created to inform and to process (with limited financial resources) reports from the public and from business. But for small businesses, SMEs, and smaller local authorities, which are extremely numerous in France, the messages are diluted, often leaving business leaders and elected officials powerless in the face of information they feel detached from. There are a multitude of cybersecurity issues that need to be communicated better: regional networks for small businesses and SMEs; training for young people; cross-industry links; access to controlled cyberspace; etc. This is the space we wanted to inhabit with the French Cybersecurity Federation, created four years ago at the behest of elected officials to bring together digital security specialists, businesses, local authorities and chambers of commerce. Our ambition is to unify efforts to inform, prevent, and protect the economy, through an independent community approach completely separate from any commercial interest. Unlike the various clubs and associations that have invested in the ecosystem in order to defend private interests, we sell no products or services, and we follow a strict public interest and public utility policy.

How much have businesses done in terms of prevention?

Again, there is a wide gap between the major groups, which can deploy greater resources, and the mass of small businesses and SMEs, which have no idea who to approach, what steps to take or what systems to implement.

“More than 60% of SMEs have no one responsible for cybersecurity.”

In 2023, the Federation carried out a survey, which showed that more than 60% of SMEs don’t have anyone with specific responsibility for cybersecurity, and only 25% have taken out related insurance. We urgently need to strip the subject of cybersecurity of its technical baggage in order to reach out to business in simple and understandable terms. The fight against cyber criminality is entirely dependent on money. The acceleration in digital advances is not being matched by an increase in security spending. Today, because they do not fully understand the subject, small businesses and SMEs are not inclined to allocate adequate budgets to protective measures.

We often hear about a mismatch between the corporate need for technical skills and the talent available…

I honestly think that things are more complex than that and that the issue of resources cannot simply be reduced to this gap between supply and demand. Cyber training courses have come a long way in recent years. But there is a paradoxical situation. On one hand, some courses are failing to fill their places. On the other, companies are not offering enough dedicated digital security roles, and they also have a tendency to demand hyperqualified masters-level candidates when their needs lie, in part, elsewhere. Once again, we must not reduce cybersecurity issues to their technical dimension. With a view to broadening the spectrum of profiles and supporting these companies, the French Cybersecurity Federation recently created the profession of cyber assistant.

What does it involve?

The role of cyber assistants is to make contact with users within the business, communicate with them about computer hygiene rules, and check that people understand and are applying security policies. The aim is to shrink attack surfaces, reduce risk, and report critical points back to the departments concerned. At the same time, we created a training course for this profession of cyber assistant, with 400 to 600 hours of learning open to young people with high school diplomas and to people changing careers.

Is the current legal arsenal sufficient to prevent and control risk?

Yes, it is largely sufficient in providing a framework in the area of security [see box]. Given the scale of the challenges, the regulatory response is not the most urgent factor. Essential services must be ring-fenced to protect and consolidate the prevention and protection ecosystem, to regulate responsibilities across the entire cyber value chain, to develop insurance products, and perhaps most importantly, to raise awareness and provide training at every level. The task is colossal. Lastly, we should remember that the GDPR has a cyber component, which if it were properly applied, would save companies a lot of trouble.

 


A robust legal arsenal

The 1988 Loi Godfrain penalises unauthorised access – or attempted access – to automated data processing systems (ADPS). In recent years, numerous laws have been created in response to each situation. The Digital Operational Resilience Act (DORA) introduced by the European Union strengthened cybersecurity in financial services. The Network and Information Security (NIS 2) directive, which was transposed into French law in 2024, will enable ANSSI to enhance cybersecurity for thousands of systems in a number of activity sectors that will be regulated from now on.

 

10/07/2024