Cybersecurity and Decision Makers - Marie De Freminville - E-Book

Description

Cyber security is a key issue affecting the confidence of Internet users and the sustainability of businesses. It is also a national issue with regards to economic development and resilience. As a concern, cyber risks are not only in the hands of IT security managers, but of everyone, and non-executive directors and managing directors may be held to account in relation to shareholders, customers, suppliers, employees, banks and public authorities. The implementation of a cybersecurity system, including processes, devices and training, is essential to protect a company against theft of strategic and personal data, sabotage and fraud. Cybersecurity and Decision Makers presents a comprehensive overview of cybercrime and best practice to confidently adapt to the digital world; covering areas such as risk mapping, compliance with the General Data Protection Regulation, cyber culture, ethics and crisis management. It is intended for anyone concerned about the protection of their data, as well as decision makers in any organization.


Page count: 268

Publication year: 2020




Table of Contents

Cover

Foreword

Preface

Introduction

1 An Increasingly Vulnerable World

1.1. The context

1.2. Cybercrime

1.3. The cybersecurity market

1.4. Cyber incidents

1.5. Examples of particularly exposed sectors of activity

1.6. Responsibilities of officers and directors

2 Corporate Governance and Digital Responsibility

2.1. Corporate governance and stakeholders

2.2. The shareholders

2.3. The board of directors

2.4. Customers and suppliers

2.5. Operational management

3 Risk Mapping

3.1. Cyber-risks

3.2. The context

3.3. Vulnerabilities

3.4. Legal risks

3.5. The objectives of risk mapping

3.6. The different methods of risk analysis

3.7. Risk assessment (identify)

3.8. Protecting

3.9. Detecting

3.10. Reacting

3.11. Restoring

3.12. Decentralized mapping

3.13. Insurance

3.14. Non-compliance risks and ethics

4 Regulations

4.1. The context

4.2. The different international regulations (data protection)

4.3. Cybersecurity regulations, the NIS Directive

4.4. Sectoral regulations

4.5. The General Data Protection Regulation (GDPR)

4.6. Consequences for the company and the board of directors

5 Best Practices of the Board of Directors

5.1. Digital skills

5.2. Situational awareness

5.3. Internal governance

5.4. Data protection

5.5. Choosing your service providers

5.6. The budget

5.7. Cyberculture

5.8. The dashboard for officers and directors

6 Resilience and Crisis Management

6.1. How to ensure resilience?

6.2. Definition of a CERT

6.3. Definition of a SOC

6.4. The role of ENISA

6.5. The business continuity plan

6.6. Crisis management

6.7. Crisis simulation

Conclusion: The Digital Committee

Appendices

Appendix 1: Cybersecurity Dashboard

Appendix 2: Ensuring Cybersecurity in Practice and on a Daily Basis

Appendix 3: Tools to Identify, Protect, Detect, Train, React and Restore

Glossary

References

Index

End User License Agreement

List of Tables

Chapter 1

Table 3.1. 2017 World Economic Forum Risk Framework

List of Illustrations

Chapter 1

Figure 1.1. The impact of digital transformation on the security of information ...

Figure 1.2. History (source: Starboard Advisory)

Figure 1.3. The five different types of attacks that companies face each year (s...

Figure 1.4. Still a very high rate of companies affected by cyber-attacks (sourc...

Chapter 2

Figure 2.1. The four missions of the board of directors (source: Starboard Advis...

Figure 2.2. Civil and criminal liability of executives (source: Starboard Adviso...

Figure 2.3. Background: CISOs are not very confident in the ability of their COM...

Figure 2.4. Cyber-risk governance (source: Starboard Advisory)

Chapter 3

Figure 3.1. History: the greater impact of cyber-attacks on the business of targ...

Figure 3.2. Cyber-risk: a business risk (source: Naval Group)

Figure 3.3. The interconnectivity of IT domains (source: Naval Group). For a col...

Figure 3.4. Security breaches, the most striking feature of IoTs (source: accord...

Figure 3.5. Companies are increasingly subscribing to cyber insurance (source: a...

Chapter 4

Figure 4.1. Complying with the GDPR (source: Starboard Advisory). For a color ve...

Chapter 5

Figure 5.1. Employees who are aware of cybersecurity, but who are not very invol...

Figure 5.2. Most companies store at least some of their data in a cloud… most of...

Figure 5.3. Companies deploy more than a dozen cybersecurity solutions on averag...

Figure 5.4. Human intervention remains necessary in the eyes of CISOs (source: a...

Figure 5.5. To secure data stored in a public cloud, the CISO does not only use ...

Chapter 6

Figure 6.1. Preparing for a major cyber-attack: less than one in two companies f...

Figure 6.2. Cyber resilience (source: Starboard Advisory)

Cybersecurity and Decision Makers

Data Security and Digital Trust

Marie de Fréminville

First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK

www.iste.co.uk

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

www.wiley.com

© ISTE Ltd 2020

The rights of Marie de Fréminville to be identified as the author of this work have been asserted by her in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2019956830

British Library Cataloguing-in-Publication Data

A CIP record for this book is available from the British Library

ISBN 978-1-78630-519-0

Foreword

Directors and executives are now at the heart of cybersecurity issues. This is my conviction; this is my experience gained by launching one of the first cybersecurity companies in 2005 and by meeting many executives. This is my conviction as the director of a defense company that is particularly exposed to these risks, as well as active in the development of new protection strategies.

Let us make this expertise a driving force for differentiating our companies and France as a safe place to do business. This is where this book written by Marie de Fréminville takes on its full importance.

It brings together five years of work and exchanges between experts and leaders, between the State and industrial actors who forge our conviction that the issue of cybersecurity can no longer remain confined to the circles of geeks, but that it has become a real issue of economic resilience.

The issue is obviously much broader, and corporate governance must address it in all its dimensions: economic resilience, vulnerability of extended business strategies, customer protection, human issues, infrastructure development, insurance policy, crisis management, etc.

The general management and its board of directors must not only be aware of this, but must also each act according to its own responsibility, in order to set up the necessary organizations, risk governance, as well as the company’s protection systems. It is this “call to consciences” that must resonate with the reader, who must then find appropriate solutions: this book will provide you with possible solutions and will enlighten you on the risks to be taken into account to inform your decisions.

As they say in the shift changeover: now it’s up to you to take care of it…

Hervé GUILLOU, President and Chief Executive Officer, Naval Group

Preface

The organization of round tables with HEC Gouvernance and workshops with the Swiss Women Directors’ Circle (Cercle Suisse des Administratrices) was the starting point of this book for decision makers: managers and directors of companies, public organizations, foundations or associations.

The protection of the company’s strategic data and information systems is the responsibility of the directors and executives, as well as the company’s decision makers, within the operational and functional departments, inside and outside the company.

The comments of the various speakers at these round tables have been included in this book.

In October 2016, “Understanding and preventing cyber-risks: a priority”:

– Hervé Guillou, President and Chief Executive Officer of Naval Group;

– Alain Juillet, Director of Intelligence at the DGSE, Senior Manager for Economic Intelligence at the SGDSN and President of the CDSE (Club des directeurs de sécurité et de sûreté des entreprises);

– Guillaume Poupard, Director General of ANSSI (Agence nationale de la sécurité des systèmes d’information);

– Alain Bouillé, President of CESIN (Club des experts de la sécurité de l’information et du numérique);

– Alexandre Montay, Secretary General of METI (Mouvement des entreprises de taille intermédiaire).

In June 2017, “Cyber-risk: a subject to govern”:

– Yves Bigot, General Manager of TV5 Monde;

– Brigitte Bouquot, President of AMRAE (Association pour le management des risques et des assurances de l’entreprise);

– Frédérick Douzet, Professor of Universities at the IFG (French Institute of Geopolitics) of the University of Paris 8 and Castex Chair in Cyberstrategy;

– Solange Ghernaouti, Professor of Information Security at UNIL (université de Lausanne) and Director of the Swiss Cyber Security Advisory and Research Group;

– Philippe Gaillard, Director of Technical and Cyber-risks at Axa France;

– Alain Robic, Partner Enterprise Risks and Services at Deloitte – Information Systems Security.

In December 2018, “Cybercrime and personal data protection: what good practices for the board of directors and managers?”:

– Isabelle Falque-Pierrotin, President of the CNIL (Commission nationale de l’informatique et des libertés) since 2011, elected in 2017 in Hong Kong, President of the World Conference of Data Protection and Privacy Commissioners;

– Philippe Castagnac, President of the Management Board of Mazars, an international, integrated and independent organization specializing in audit, advice and accounting, tax and legal services;

– Annick Rimlinger, Executive Director of the CDSE (Club des directeurs de sécurité et sûreté des entreprises), founding member of Cercle K2 and member of the board of directors of Hack Academy;

– Éliane Rouyer, independent director, President of the Audit Committee and member of the Compensation Committee of Legrand, independent director of Vigéo Eiris.

I would like to thank all these speakers for their contributions and support, as well as Marc Triboulet (my teammate from HEC Gouvernance, with whom this round table cycle was initiated).

The training I developed within the Airbus group for directors and managers of subsidiaries, the work carried out for these conferences, as well as the exchanges during these round tables, have been supplemented by research work carried out over the past five years, participation in working groups (Switzerland’s cybersecurity strategy, for example), support for several start-ups in the field of cybersecurity, the implementation of training, speeches given at the university of HEC Paris and Swiss management universities and at companies or service providers, the implementation of risk mapping, the definition and deployment of measures to improve compliance with the GDPR (General Data Protection Regulation), not to mention the implementation of cyber programs through companies, associations, foundations and public bodies.

Marie DE FRÉMINVILLE, December 2019

Introduction: Financial and Cyber Performance

Why not assess the cyber performance of companies in the same way as their financial and non-financial performance (governance and CSR – corporate social responsibility)?

Why not certify the cyber performance of companies in the same way as their financial performance via auditors, whose intervention is mandatory for companies of a certain size?

Despite some progress, the vast majority of shareholders, and therefore the board of directors and management, are primarily interested in the company’s financial performance.

However, the digital age is introducing upheavals in the company and in its ecosystem. Indeed, the “all-digital” concerns all stakeholders, administration, public services and national and international infrastructures, defense and intelligence services.

We have reached a stage of non-return, which offers important opportunities, but which is also a source of fragility and major risks, particularly because cyber threat actors are becoming more professional and have significant resources to defraud, spy and sabotage.

The risks for companies are systemic: shareholders are financially exposed and directors, in charge of defining their strategy and ensuring their sustainability, are legally exposed if they do not inform themselves about the quality of data security and information system protection and if they do not ensure that an organization, procedures and tools for a high level of cybersecurity are in place.

There is no such thing as zero risk, but a board of directors would be deemed negligent if no action were taken in the field of the company’s cybersecurity and if attacks then had significant consequences for its proper functioning, profitability and reputation.

Financial performance should therefore no longer be the only priority. Financial performance and cyber performance should now be the two priorities of corporate governance bodies.

Should we therefore reinvent the governance body designated by the national actions, namely its competences, its functioning, its agenda and its partners?

For 50 years, we have been wading through a technological tsunami:

– 1970: mainframe;

– 1980: PC (Personal Computer) and client/server;

– 1990: Internet and e-commerce;

– 2000–2010: mobile and cloud;

– 2010–2020: Internet of Things and artificial intelligence;

– 2020–2030: quantum computing and blockchain.

The digital world is borderless and immaterial, and the threats are invisible.

Digital and related new technologies are transforming the way companies operate and business models.

The main cyber-risks are risks of malfunctioning of the industrial or commercial process, financial risks, as well as risks of loss of considerable confidential information (strategic information, personal information) which affect different sectors: hospitals, autonomous cars, banks, telecom operators, energy, etc., with potential human consequences.

According to a study conducted in the United States by the National Archives and Records Administration in 2018, 93% of companies that lost their data for 10 or more days declared bankruptcy in the year of the disaster and half (50%) filed for bankruptcy immediately after the attack.

The question is not “when will we be attacked?” but “what can we do to protect the company as much as possible, what can we do in the event of an attack, what can we do to restore systems as quickly as possible?”

Cyber-risk is an integral part of companies and also of personal organizations (everyone is concerned individually and as a member of an organization). It is not just a technical risk.

People are the weakest (and strongest) link in the entire security chain.

This book does not deal with tools (hardware, software, servers, architecture), but with organizations, processes and behaviors, without which the company cannot improve its performance, security, incident or crisis management, and resilience.

It is about companies exercising their digital responsibility and maintaining or improving the trust of their stakeholders: customers, suppliers, partners and investors.

Only 30 years ago, I experienced the arrival of personal computers (computers and word processing existed, but were not deployed in companies), the digitization of financial operations (accounting, cost accounting, banking relations and cash management, tax returns, reporting tools, accounting and management consolidation, financial relations with customers and suppliers), as well as the digitization of human resources management (payroll, social declarations, recruitment, training), internal and external communication, particularly with the arrival of social networks, production (connected factories and extended companies), marketing and sales of course, and logistics.

All company functions are now concerned, as well as the relations with all stakeholders: customers, suppliers, service providers, subcontractors, shareholders (individual investors, investment funds), board of directors, auditors, employees, subsidiaries, proxy advisers (governance advisers who publicly comment on the proposals made by companies for their general meetings).

Companies are completely digitalized: their data, operations, accounts, processes are intangible; their internal and external communications, their products are connected.

Organizations and work habits have changed, skills have evolved, tools have been transformed, the classification of documents and people has sometimes (often?) fallen into oblivion.

Companies have been able to internationalize, thanks to the ultra-fast means of communication. We talk to the company across the street as well as to those in the United States or China: only the time difference is incompressible.

Companies share their data with their customers, suppliers, employees, shareholders, subsidiaries, etc. The digital environment provides companies with opportunities to create new businesses, new products and services and new customers, in order to optimize their organizations, reduce their costs, improve their internal and external processes, with their suppliers, service providers, subcontractors, investors, customers, depending on the business sector in which they operate.

Companies are judged on their financial performance: their accounts, their results, their balance sheet, their cash position, their share price, their growth and earnings potential, their non-financial performance (their governance and their social and environmental performance), but…

What about their cyber performance? Data governance, data security: integrity, confidentiality and accessibility, protection of the personal data they collect, use and archive, protection of computer systems that allow the exchange, storage and modification of these data.

A company may be financially successful, but a failure of its IT system or digital security can seriously affect its ability to sell or produce, to pay its suppliers, to exchange with its subcontractors and thus degrade its financial results, its reputation and the confidence of shareholders and stakeholders.

Cyber-risks are not the prerogative of a handful of specialists in the company but affect overall governance. In addition to the regulatory obligations regarding data security, it is a matter of protecting the company against the risk of loss of value, linked, for example, to the dissemination of confidential information.

“All connected, all committed, all responsible” is the slogan communicated by Guillaume Poupard, ANSSI’s Director General, at FIC 2019¹, from top to bottom and from bottom to top of private or public organizations: the board of directors, the executive committee and all the teams.

The trade war between major powers receives more media attention than cyberwarfare, which is a weapon widely used by States, terrorist and criminal organizations, or corporations (spying). In addition, data collection is at the heart of the digital economy of the 21st Century, built around data valorization. This economy is currently dominated by the American and Chinese Internet giants. Finally, cybercriminals exploit the many vulnerabilities of digital tools, as well as the human vulnerabilities generated by organizations that have not adapted, processes that have not been updated and collaborators who have not been trained.

There are cyberdeaths among the victims. Cyber-silence is a barrier to awareness. Finally, there are too many executives and directors burying their heads in the sand.

¹ 11th edition of the International Cybersecurity Forum (FIC).

1 An Increasingly Vulnerable World

1.1. The context

1.1.1. Technological disruptions and globalization

Technological disruptions are mostly digital in nature: automated knowledge, networks of connected objects, advanced robotics, 3D printing, cloud computing (85% of companies store data in a cloud; this practice is becoming more commonplace), mobile Internet, autonomous vehicles.

Until 2011, digital risks, or cyber-risks, did not appear in the World Economic Forum’s major risk ranking.

According to the 2019 World Economic Forum study, technology will play a fundamental role in the risk landscape over the next decade, including data theft (personal data, data from companies, public organizations and governments), identity theft and cyber-attacks, as well as deadly “bugs”, as shown by the Boeing 737 MAX crashes. According to the Washington Post, several flaws were discovered in the software of the aircraft’s flight system. The preliminary investigation report on the Ethiopian Airlines crash clearly blames this accident on a failure of the MCAS stall protection system, which had already been identified in the Lion Air accident five months earlier. Not only was the information sent by the probes incorrect, but it was not possible for the pilots to take control of the aircraft.

This accident shows the risks of technological or digital failures, as well as the need to have them tested and certified by independent authorities. It also shows that digital accidents are not necessarily the result of attacks, but of human failures (programming, man–machine link, processes, organization): tools often make convenient scapegoats.

Cyberspace consists of computer equipment (computers, networks, connected objects, servers, printers, routers, etc.), software, applications, information systems and all information exchanged or stored via digital tools. It is the development of connections and flows that make security issues major issues, whether for States, companies or citizens.

Figure 1.1. The impact of digital transformation on the security of information systems in all companies (source: according to CESIN). For a color version of this figure, see www.iste.co.uk/defreminville/cybersecurity.zip

A number of technical black spots are at the root of data leaks:

– the totally decentralized structure of the Internet, based on a multitude of different networks (at the beginning of June “Swisscom’s data passed through China”; the customers of the Dutch operator KDN, as well as those of the French operators Bouygues and Numéricable, were also affected, according to the newspaper Le Temps on June 12, 2019);

– the architecture of IP addresses and domain names;

– the “backdoors” of the equipment;

– irregularities in the design of telecom operators’ services;

– insufficient cryptographic tools for software and equipment.

1.1.2. Data at the heart of industrial productivity

With Industry 4.0 technologies – ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), 3D printing, the extended enterprise – with digital marketing technologies – websites, cookies, tag management – or with connected products and security cameras, data has been put at the heart of activities. Many data are collected and recorded in computer systems and software by different departments, without the company having detailed knowledge of all data flows or a map of them.

Understanding the geography of flows and mastering data is a fundamental strategic challenge for the competitiveness of companies, as well as for our defense capability.

Reliable information and the verification of digital identities are critical for companies, users and IT service providers.

1.1.3. Cyberspace, an area without boundaries

Hackers are difficult to identify, and there is a real asymmetry between attackers, who have many effective weapons despite few resources, and targets, who have much greater resources but cannot guarantee a perfect defense.

Cybersecurity is about the security and digital sovereignty of every State, every company and every citizen. It is of major political, economic and social importance and must therefore be addressed from different angles: educational, legal and regulatory, social, technical, military, organizational, individual and collective (national and international).

The consequences of some attacks can be critical: for example, the attack on the SWIFT interbank network between April and May 2016, which led to fraudulent misappropriations of several tens of millions of dollars in Bangladesh, or the denial of service attack of October 21, 2016 on Dyn servers (a service that allows the users of a dynamic IP address to access a domain name), which paralyzed part of the Internet network in the United States for several hours and seriously disrupted the economic activities concerned.

1.1.4. IT resources

Comprehensive knowledge of IT tools (hardware, software, network) is a structural challenge for companies: the way they have developed and managed their IT infrastructures in recent decades – fragmentary, in silos, at a time when risks were low – makes it more difficult for them to supervise them globally, which is essential for effective cybersecurity management.

1.2. Cybercrime

1.2.1. The concept of cybercrime

In short, cybercrime refers to criminal acts committed in the context of new technologies; the term computer fraud is also used. Cybercrime includes, among other things, the illegal acquisition of private, personal or sensitive information, and more broadly all crimes whose preparation or execution involves electronic data processing systems, such as sabotage, espionage and data interception.

Cyberspace offers criminal opportunities: digital services and infrastructures are a gateway to malicious intent. Any connected equipment is hackable; it is necessary to ensure continuity between physical security and cybersecurity.

As for computer attacks, or cyber-attacks, every week, new cases are revealed by the press, on all continents, in all sectors of activity (industry, banking, hospitals, hotels, online sales, etc.), for all types of companies: from start-ups to large listed groups, any other entities such as associations, foundations, town halls, public administrations and infrastructures, or even connected objects (surveillance cameras, pacemakers, children’s toys). And the press only reveals the tip of the iceberg. There is a veil of silence on the part of companies, which is understandable: none of them want to divulge their difficulties and especially not their cyber weaknesses.

Computer instabilities or intrusions are made possible both by the increasing integration of new technologies into all aspects of our lives (mobility, home automation, purchasing, travel, banking, etc.) and into the lives of companies (sales, production, communication, security, financial operations, administration, customer relations, suppliers, employees, investors, banks, etc.) and encouraged by the digitization of public services, as well as by the increasing sophistication of computer attacks.

Although information systems are increasingly protected, allowing more attacks to be blocked (in number and percentage), the number of intrusions was stable in 2018 compared to 2017, according to an Accenture study.

As the graph in Figure 1.2 illustrates, computer attacks are not a new phenomenon; they started more than 30 years ago, with the birth of computer networks and then the Internet.

They have then intensified due to the increase in vulnerabilities related to the digitization of economic operations, the opening up of computer networks, data exchanges, mobility, the development of applications and connected objects, and the widespread networking of computers.

Figure 1.2. History (source: Starboard Advisory)

It should be noted that hardware and software are sometimes deliberately sold with “backdoors”, which allow software developers or hardware manufacturers to monitor, or even take control of, the software’s activities or the computer itself. It is like a house builder selling you a house while keeping the key to a hidden door.

These backdoors make it possible to carry out maintenance operations efficiently or to disable the software in the event of disagreement with its customer (non-payment of license).

They can also be installed by hackers to copy or destroy valuable data (IDs, passwords, social security numbers, bank details, means of payment, confidential information) or take control of a computer and use it to carry out malicious actions (computer viruses, denial of service, ransom demands, etc.).

Attackers organize and specialize: some open the door to allow others to break in and take the data or organize financial fraud. The service provided (opening the door) is sold at auction on the darknet.

Finally, on this backdoor issue, States have different opinions. Russia has legislated to provide publishers with a way to access encrypted communications. The member states of the Five Eyes alliance (intelligence services of the United States, Australia, New Zealand, the United Kingdom and Canada) also wish to impose the introduction of software vulnerabilities.

The main and official objective is to be able to decipher certain communications that could be linked to terrorist activities and to share information between intelligence services. It also allows State spying, access to trade secrets and the infringement of individual freedoms. The risk is that these vulnerabilities may be exploited by malicious people.

Digital trust therefore depends on the ability of companies to protect systems and data, as well as on the protection of the entire ecosystem, including digital strategies put in place by governments and the work undertaken by information system security agencies to ensure the protection of equipment, applications, networks and software.

1.2.2. Five types of threats

The National Cybersecurity Agency of France (ANSSI) identified five major cyber threat trends observed in France and Europe in 2018.

Some sectors of activity, considered unlikely targets, are now being targeted. This is the case, for example, for the agri-food sector, which means that no company is immune, according to Guillaume Poupard, ANSSI’s Director General.

During the night of April 10–11, 2019, Fleury Michon (a mid-sized, family-owned and independent company specializing in the preparation of deli meats, ready meals and fresh surimi) was hit by a computer virus. To avoid its spread, all systems were disconnected. The plants, as well as the logistics unit, were shut down on April 11. After analysis, appropriate security measures were deployed to allow the activity to restart on April 15.

The unit dedicated to culinary aids was relaunched the morning of April 16. “Our customers’ orders have been delivered again since this morning. The impacts, which are currently being quantified, will be limited and covered by insurance taken out for this purpose”, the company stated in a press release dated April 15, 2019.

1.2.2.1. Cyber espionage

Cyber espionage is the highest risk for organizations, according to ANSSI.

The attacks are highly targeted and technically sophisticated and increasingly target critical sectors of activity and specific critical national infrastructure, such as defense, health or research.

Guillaume Poupard mentioned, during his speech at the French Institute of Directors on April 17: “ten to twenty very serious cases per year. We don’t talk about it, but these attacks exist. Their silence creates a perception bias!”

The best way to access confidential information today is through a computer attack. Victims discover the attacks sometimes by chance, sometimes through third parties, sometimes thanks to ANSSI. Sometimes victims discover the attack five years later; the managers then realize that all their emails could be read. The average time to discover an attack is about 100 days; it has decreased, but it remains significant. Meanwhile, the pirates are taking action.

Cyber espionage is gradually eroding the value of companies and even destabilizing some of them: it is large-scale economic spying using cyber infiltration techniques to steal the most valuable assets (strategic files, business proposals, managers’ email boxes, etc.). Eighty percent of the value of Fortune 500 companies is made up of industrial property and other intangible assets, and cyber espionage is a perfect way to access them.

TeamViewer, one of the world’s leading suppliers of software for the remote control of computers and servers, was the victim of user account hijackings, reported by many customers as originating from Chinese IP addresses, and was reportedly infected with Winnti malware in late 2016. The German steel producer ThyssenKrupp and the pharmaceutical giant Bayer, which acknowledged a hacking attack in 2018, were also affected, with the Winnti malware program again deployed.

1.2.2.2. Indirect attacks