In a Cyber Campus report titled “SME Mission Report and Cybersecurity”, we can read three very (too?) general recommendations. It would be difficult to disagree with these three points:
- Create a ready-to-use cyber prevention campaign and awareness kit.
- Create a national cyber risk prevention market for SMEs.
- Make diagnostic devices more readable. This report cites “MyCyberHelp”, a project still in beta mode and supported by ANSSI.
Reducing Cyber Risks: Pragmatic Responses
How can we move from this common-sense advice to an operational action plan? To reduce the risks that cybercriminals pose to their activities and, sometimes, to the survival of their company, an SME/ETI manager must make three decisions: accept that there is no zero risk in cybersecurity, vaccinate themselves against key risks and move to a “managed services approach”.
Vaccines against cyber risks
As already discussed on my website, I have identified three essential vaccines to protect against cyber risks. Remember: a vaccine does not guarantee that you will not get a disease, but it reduces its impact.
Vaccine 1: infrastructure, immediate move to public clouds
It is by far the most effective vaccine, but also the most controversial. There is not a single SME/ETI that is capable of effectively protecting its infrastructure “on premises”. The main industrial players in the public cloud know how to do this very well. All SMEs, ETIs, hospitals, city councils, departments, etc. must accept this reality and immediately and definitively renounce the management of private IT centers. This first vaccine frees SMEs/ETIs from the heavy burden of managing the security of their infrastructure, but does not resolve the challenges associated with protecting uses and data.
Vaccine 2: zero trust
This approach, as the name suggests, assumes that there is no a priori trust. A person’s identity, the object used for access, the networks used, the applications accessed… all these components can and should be secured. The range of zero trust solutions is endless. The hardest thing for an SME/ETI is to navigate it and make choices. It is an essential “multidose” vaccine, but complex to implement.
Vaccine 3: encryption
Data encryption tools such as AES-256 guarantee remarkable data protection. The percentage of SMEs/ETIs that currently encrypt their data is low. The good news is that widespread data encryption is natively available in large public clouds.
The encryption keys offered by these providers are sufficient for the vast majority of SMEs/ETIs. In very specific cases, the company may provide its own encryption key. It is a simple, effective and accessible vaccine for all SMEs/ETIs.
SMEs/ETIs will never have enough human resources to take care of their complete cyber risk protection internally, 24/7. To protect yourself effectively, the right approach is to turn to serious players who offer cyber protection solutions in the form of shared managed services. The costs of these managed services are often considered by managers to be very high. However, this is the price to pay to be well protected.
Yes, effective protection against cyber risks is possible in 2024
By combining these two approaches (managed services + vaccines), SMEs/ETIs can acquire, from 2024, good protection against cyber risks. These are operational and lasting responses. It is a simple, strong and pragmatic message that national bodies responsible for combating cybercrime must insist on, day and night.