Cybersecurity in times of crisis

The Infortive Community's Transition CIOs have published their cybersecurity recommendations in the event of a crisis. This content will be useful for CIOs, General Managers and Business Managers who want to carry out a quick check of current practices in their company. Absolute security does not exist, and no response is ever definitive.
These recommendations cover the following topics:
- Crisis governance is fundamental, and relies on predefined responsibilities, communication tools and procedures to ensure a sincere and coherent message.
- A response team needs to be set up to react very quickly, even if this means shutting down access, systems, servers and workstations to secure the essentials until a more precise diagnosis can be made.
- Security and redundancy of critical resources must also be planned in advance.
- Users must be given clear, practical instructions on the most common threats (phishing, attempted impersonation...), and experience shows that training people is the best protection.
- IT Departments have a number of technical tools at their disposal (VPN, virtual workstations, multi-factor authentication, etc.) to secure access, and will have to step up user support, even if this means diverting resources from projects that have become less of a priority.
- Numerous resources (notably governmental) exist on these subjects, and consulting them before any crisis is essential. Feedback and pertinent recommendations are available on risks that have unfortunately become commonplace (ransomware, for example).
We look forward to hearing from you and welcome your comments and suggestions at contact@infortive.com
The challenges of cybersecurity in times of crisis
Objectives
- Strike the best possible balance between protection needs and business continuity.
- Find the best possible balance between technical resources, the desired level of protection and the necessary investment.
General principles - There is no such thing as absolute security
- Adopt a continuous improvement approach based on the concept of maturity level, which consists of assessing current maturity (as-is), setting new objectives (to-be), and defining an action plan (programs/projects and priorities) to improve cybersecurity practices.
- Identify, categorize and focus efforts on the most sensitive, critical operations, services, processes, data and systems.
- Monitor and control new types of cyber-attack, and carry out regular operational security tests.
- Integrate the human dimension ("human firewall") into the technological arsenal ("firewall") to develop active, reasoned and understood participation by users in protecting the company's strategic assets.
- Accept that there is no such thing as absolute security, move away from fear marketing, develop a new appetite for risk, free up employees' creativity to innovate and anticipate rapidly changing threats, markets and customer needs.
- Take steps to detect suspicious access attempts, e.g. from unusual sites.
Expected benefits
- Ensure IS security and business continuity.
- Limit the negative impact of a cyber attack.
Crisis governance - Crisis management

Crisis unit
When setting up the crisis unit, define:
→ Its mandate
→ Roles and responsibilities
→ How it works (when it is called in, frequency of meetings, etc.)
→ Its reporting line to the Codir (executive committee).
Remind members of the crisis unit of, or introduce them to:
→ Challenges
→ Types of risks and incidents
→ The main indicators to track
→ The communication plan.
Ensure that insurance policies cover telecommuting access, and if not, review and update them.
Risk and incident management process
Define and document in detail a process for managing risks (e.g. email phishing) and incidents. In particular, the incident management process must show a link with risk management.
Train all stakeholders in its usefulness and use.
Communication plan
If you haven't already done so, draw up a communication plan:
→ Audience
→ Message types
→ Message detail levels
→ Distribution channels
→ Periodicity.
Speak coherently and truthfully:
→ Say what you know and what you don't know, as positively as possible
→ Acknowledge responsibilities and any errors of assessment made
→ Explain possible solutions and options for getting out of the situation
→ Answer questions clearly, with empathy and in a reliable manner, not sacrificing the quality of information to the need for speed.
Favor rapid, recurring and direct communication (e.g. SMS), in addition to the usual channels.
Internal communications remain fundamental, but they must be supplemented by communications to public authorities (e.g. ANSSI, ARS) by:
→ Informing them of internal security strategy, before incidents or threats are identified
→ Maintaining ongoing relations with them to, for example, keep abreast of other attacks perpetrated against other companies
→ Informing them of attacks, incidents or threats that have occurred in your company.
Critical skills management
Secure technical skills and ensure redundancy of critical and external skills (e.g. subcontractors) to:
→ Carry out work on the infrastructure (network engineers, telecom security, system architecture, application experts...)
→ Set up rotations by skill (retaining the people who hold high privileges)
→ Organize access to the right information at the right time.
Project reassessment
Ensure that current projects include the cybersecurity dimension.
Recommendations for users

- Activate multi-factor authentication immediately.
- Deactivate all accounts of staff who are no longer with the company.
- Monitor connections and connection times daily. This must, however, be approved in advance by employee representatives through an agreement.
Data and document protection
- Protect against theft, store and lock documents and computers.
- Take all necessary steps to ensure that confidential data is not accessible to unauthorized third parties.
- Do not move confidential data between business and home PCs, USB drives or disks.
Protection of nominative/personal access rights
- Never divulge access rights, authentication data or confidential information to anyone (line manager, IT team, other users).
- Follow password renewal guidelines.
- Respect procedures in the face of ongoing fraud attempts (a proven increase in CEO fraud attempts; no change of bank account, support service request or supplier account change without thorough verification, etc.) and warn customers, which can also be an opportunity to renew contacts.
- Do not use or attempt to use a third party's account, and refrain from accessing or attempting to access IT resources or services without explicit authorization, at the risk of incurring liability.
Protecting IT resources and services
- Respect and protect the hardware and software provided.
- Respect the security measures put in place by IT managers, and comply with their decisions.
- Distinguish between professional and personal use: do not install software.
→ Unless expressly authorized by the company, no personal use on professional equipment,
→ If possible, avoid professional use on personal hardware, except through virtual desktops (e.g. Citrix...) or online suites such as Office 365 or Google.
- Systematically use the VPN provided by the company to access applications hosted within the company.
- Report any potential malfunctions or safety incidents immediately as part of the risk and incident management process.
Protection from Internet services
→ Be very vigilant about phishing and train users to identify it.
→ Check the sender and reply e-mail addresses. Some telltale signs: spelling mistakes, incomprehensible strings of letters and numbers, inconsistency between the display name and the actual e-mail address (mailto), etc.,
→ Check that the links in the e-mail are genuine,
→ Hover your mouse over the links and check that they point to the site address advertised in the message,
→ Don't open e-mails from people you don't know
→ Avoid connecting to suspicious sites, avoid downloading software.
→ Avoid storing, transferring or sharing data on external sites; use only sites whose security has been checked beforehand.
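The sender and link checks listed above can be automated for first-line triage. The following Python is an added example, not part of the Infortive paper; it applies three of the checks (display name vs actual address, Reply-To vs From, link text vs link target) to a constructed sample message whose domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every domain in it is a placeholder.
SAMPLE = """\
From: IT Support corp-example.com <x7q9k2@mail-example.net>
Reply-To: helpdesk@other-example.org
Subject: Urgent: confirm your password
Content-Type: text/html

<p>Go to <a href="http://corp-example-login.net/verify">https://corp-example.com/portal</a> now.</p>
"""

# Simple anchor matcher (href, then visible text); enough for plain HTML mail.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def phishing_indicators(raw):
    """Return the telltale signs found in one raw e-mail message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # 1. Display name shows a domain that the real sender address does not use.
    for token in name.split():
        if "." in token.strip(".,") and token.lower() != _domain(addr):
            findings.append(f"display name mentions {token} but sender is {_domain(addr)}")
    # 2. Replies are diverted to a different domain than the apparent sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To goes to {_domain(reply)}, not {_domain(addr)}")
    # 3. The "hover" check: link text shows one site, href points to another.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "://" not in text and not text.lower().startswith("www."):
            continue  # visible text is not a URL, nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but points to {real}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

A hit on any of the three checks is a reason to report the message through the incident process, not proof of phishing on its own.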
Recommendations for the IT department
Recommendations by job type
Physical corporate workstations with VPN:
→ Ensure that the update policy for antivirus, Windows patches, utilities, applications and passwords is properly applied,
→ If this is not possible, identify a Plan B (e.g. a return to the site to update the most critical workstations),
→ Factor workstation and function criticality into Plan B (payments, ERP...), and adapt the level of security for the most critical ones (risk-based governance).
Physical corporate workstations without VPN:
→ Adapt the policy for administering workstations via Active Directory to enable updates over the Internet if the lockdown is prolonged.
Corporate virtual workstations (Citrix, etc.) on BYOD devices or Chromebooks:
→ Take advantage of this virtualization possibility if it is deployed on the most critical workstations/functions.
BYOD workstations that access Internet or mobile applications:
→ Activate 2-factor authentication wherever possible, with a code on the cell phone (in liaison with the HR department regarding the use of personal mobiles for critical functions),
→ Critical applications: encrypted access mandatory (https, VPN...); if this is not possible, fall back to a corporate workstation for access,
→ Non-critical applications: tolerances possible.
Service desk and user support
Quantitatively and qualitatively strengthen the service desk and user support to cope with the difficulties inherent in the sudden development of teleworking.
Implement ongoing awareness-raising initiatives for users (e.g. intranet safety events, etc.).
For multi-site companies, set up local security correspondents at a site or group of sites, to support users locally.
Thematic recommendations
Cyber attacks
Redouble your vigilance, as this is a prime time for attacks.
Check in real time that there are no attacks underway on servers or on the various system layers (BIOS, OS, virtualization, databases, utilities, applications, etc.).
Define in advance, and enforce, emergency actions in the event of intrusion, e.g. isolation and shutdown in the case of a cryptolocker (ransomware).
Backup
More than ever, check and secure backups (OS, configurations, network equipment; backups must be kept off-line, so that the entire configuration can be restored). Beware: in the event of a crypto-virus, backups going back several months may already be corrupted.
Security Operations Center (SOC)
Organize the management of alerts from SOCs, where they exist, by priority level, and study the introduction of on-call arrangements if they are not already in force.
Infrastructure, Network and API
- If there are several trust zones within the organization, it may be useful to have different teleworking solutions for each zone. Depending on the results to be achieved, inter-zone gateways can be used to easily authorize or prohibit access usually authorized on a "normal" workstation.
- Manage throughputs by arbitrating priorities (heavy downloads at night, staggered hours for VPNs, etc.) according to the criticality of operations.
- Check that there are enough simultaneous VPN accesses.
- Accelerate the virtualization of workstations to avoid the use of personal hardware as much as possible. In these times of crisis, possibly provide teleworking employees with a professional workstation.
- Verify and maintain security and functional patch levels for all infrastructure elements (systems, networks, security, etc.).
- Check API-related vulnerabilities: select which interfaces are exposed (not all are candidates in times of crisis), do not share all data (close certain silos), and review access by people (employees, service providers, customers, etc.) and by third-party infrastructures.
- Verify infrastructure suppliers' maintenance and support levels.
Special features for certain business sectors
- Respect the key rules published on esante.gouv.fr (organization, awareness, incident management).
- Report security incidents via the Ministry of Solidarity and Health's information systems security incident reporting system.
- Contact the Ministry's ACSS support unit for healthcare structures when your organization is faced with a cybersecurity incident caused by ransomware.
Useful links
https://www.cybermalveillance.gouv.fr/cybermenaces/
Thanks
We would like to thank the members of the Infortive community who contributed to the writing of this white paper, as well as Michel Raimondo (Transition CIO).
Infortive, France's first community of CIOs in Transition
Created and run by CIOs in Transition, Infortive brings together Transition Managers who are experts in the transformation of companies, CIOs and Information Systems. The CIO profession remains difficult to grasp, as it is cross-functional, technological and managerial, and must integrate rapid and permanent change. CIOs are in the best position to challenge each other and open up new horizons. As part of Infortive's Interim program, the CIO on assignment will benefit from "mirror" coaching (by one or more of his or her peers).
We run a CIO Transition Academy
A lively community of enthusiastic Transition CIOs, Infortive CIOs meet regularly to share their experiences and the results of constant monitoring, discuss best practices and help each other with specific cases. As part of our ongoing skills enhancement program, we organize training workshops and case studies, and set up committees to identify the best feedback (while respecting confidentiality).
"Only CIOs can challenge CIOs."
You have access to a multitude of specialists
When you call on Infortive, you benefit from the experience and collective intelligence of Transition CIOs with decades of experience and a wide range of skills. It is also the guarantee of a "support" CIO who will provide tailor-made assistance to the Transition CIO on assignment. Beyond the simple logistics of the mission, nothing is left to chance: choice of architectures, selection of software solutions, management... Infortive provides support tailored to the challenges of your transformation.
We look for innovation that brings you value
Infortive's greatest concern is to create value for its customers. Beyond simply improving methods, we focus on researching and proposing innovations that will make all the difference (taking advantage of a carve-out to move away from fixed ERP, reviewing architecture to systematize APIs...).
An offer based on operational efficiency
Our pragmatic offering covers all stages of a transformation project: upstream, a flash audit to give management a 360° view of how to improve the IT system and IT department performance; a full range of Interim assignments, whether for interims, transformations, turnarounds, crisis management, mergers and demergers. Infortive also supports existing IT Departments in structuring their teams and recruiting for key positions (production manager, architect, PMO, etc.).