The increase in telecommuting induced by containment accentuates the awareness of a trend that is not new: the increase in cybersecurity risks in the world of industry, particularly in R&I (Research and Innovation) services. However, the protection of R&I intellectual assets against cyber attacks is not so obvious, due to the often outward-looking nature of R&I activities (it is not open-organization.com that will say otherwise).
So is it feasible to reconcile collaboration and protection of sensitive information, openness, and cybersecurity? Let’s draw inspiration from the approach of General Olivier Kempf, a Fellow Presans specialist in cybersecurity and cyber strategy, to better understand this challenge.
1. Three levels of cybersecurity
Cybersecurity, Olivier Kempf tells us, is a state to be achieved in a conflictual world where the security of some leads to the insecurity of others. The relative notion, security never exists 100%. Rather, in this field, it is more appropriate to aim for the absence of defects in a device, within a given system. Aiming for “zero defects” in reality always implies a choice of resource allocation:
a decision is not about choosing one’s strengths, it is about choosing one’s weaknesses.
1.1. Cyber protection
Cyber protection is the first level of cybersecurity. It involves awareness-raising campaigns, preferably organized by an ISSM (information systems security officer), antivirus software, architectures, mapping, and data backup methods. All these efforts are aimed at establishing a passive protection infrastructure.
The second level is the cyber defense: the protection infrastructure is up and running, now it’s a matter of placing probes to detect technical or behavioral anomalies. We are moving from passive cyber-protection to something much more active.
Cyber resilience is the third level of cybersecurity and revolves around crisis management. Cybersecurity crises must first be managed in the present. They must also be used to achieve post-crisis cybersecurity reinforcement. A bit like a person’s health is made more robust by antibodies that appear in response to a disease. Cyber-resilience is organized around a continuity plan, which itself must be tested.
2. Three types of cyber attacks
Cybersecurity is a topic because of the existence of cyberattacks. The mass of these attacks consists of espionage, often undetected by its victims. In the case of R&I functions, it is the main threat to be kept in mind (it also concerns the other functions of the company). Nevertheless, let’s review the three types of attacks.
Espionage accounts for 80% of cyber-aggression activity targeting intellectual assets: intellectual property, patents, know-how, industrial secrets. The R&I function is in fact the first target of this type of attack.
Sabotage attacks are aimed at crippling or destroying industrial assets. They may be accompanied by a ransom demand, but they may also have a terrorist objective.
We live in a world of information warfare. Cybersubversion aims to weaken the institutions of society by spreading messages that are harmful to them in a targeted manner. In the corporate world, subversion aims to propagate harmful information and degrade the corporate image.
3. Three levers of cybersecurity
3.1. Technical tools
Technical tools include hardware and software. They tend to be abundant within R&I departments. However, the more tools there are, the more difficult they become to secure. In addition, the security tools themselves must be secured. It is possible, for example, to use artificial intelligence for cybersecurity, but in this case, artificial intelligence must also be secured. Cybersecurity requires recursive (or “meta”) thinking.
3.2. The human
The human factor is the second lever of cybersecurity. It is essential to master it in order to reconcile openness and security within an ecosystem. It is the right processes that enable collaboration between start-ups and large organizations that are neither too paranoid nor too carefree.
3.3. The data
The last level is the data level and touches the heart of the digital transformation. From a cybersecurity point of view, it is a question of mapping and becoming aware of the richness of an organization’s data on the one hand, and securing the systems that produce this data on the other.
Our quick overview provides some pointers to begin structuring the R&I function cybersecurity strategy. To move forward in this reflection, it is necessary to map the targets and defenses, and then make choices to harden the targets that carry the company’s future added value. It is also necessary, as we show in another article, to become a little… paranoid.