This is the fundamental question we have been asking ourselves for months, in the face of the many successful attacks in every economic sector and every country (especially countries with developed economies). Awareness and accountability for all business users, traceability of the operations of administrators and users for the authorities, advanced protection against malware, application security audits, protection and monitoring of databases, enhanced security for data and applications in the cloud, and so on.
These are just some of the information security (SI) areas a security plan has to cover. Not to mention the urgent need to strengthen the capacity of CISOs, RSSIs, internal auditors and the other heads of operational security: reinforcing equipment, means of control, supervisory capacity and ongoing security analysis, and recruiting, training and motivating data analysts. Finally, RSSIs must be empowered to apply strict penalties, both internally, to a business unit that does not respect, for example, the company's PSSI (information systems security policy), and externally, to subcontractors (service providers, outsourcers, call centres; ah, the call centres, with their young employees of high "external mobility" and their access to the most sensitive customer information...).
All this requires strong, energetic and sustained involvement from the company's general management.
Recently a good friend, CIO of a major French services company with more than 10 billion euros in sales and more than a billion of it online, told me, before the shock of the Gemalto affair (a shock for engineers like us, for whom Gemalto, formerly Gemplus, was a benchmark in data security), that in a well-known association of CIOs of large French companies, few participants had heard of the Target case of early 2014: a hack and theft of the personal data of more than 100 million US citizens, which cost the company's CEO his position!
Astonishing! We are in 2015, Internet use is exploding everywhere and for everyone (social networks, e-commerce, e-banking), and "eat or be eaten" is more than ever the rule for conventional companies, yet some CIOs of fine, large French companies are unaware of an event that made the headlines in both the IT and the general press? Have they heard of the hacking, cyber-sabotage and data theft that hit Sony Pictures recently, or Gemalto right now? Only recently did this same French association launch an IS security chapter! Better late than never, but still...
Even France 2, in its 8 p.m. news broadcast urbi et orbi, regularly talks about cyber security... and RTL recently even interviewed the president of CESIN, the leading professional association for RSSIs, which, like CLUSIF and CRIP, tries to unite, inform and educate the IT departments of businesses and governments about the dangers of the Internet. Information systems security managers are therefore expected to impose measures, put procedures in place, apply controls and, where appropriate, penalties on internal or external actors who do not respect the security requirements; but concretely, in France today, they do not have the political support and financial means to establish a genuine preventive and curative approach to security.
After each event, each one more or less sinister-sounding, more or less destructive, the conclusion is the same: lack of awareness, lax enforcement of security policies, lack of controls, and so on.
The problem therefore lies in the awareness of CIOs, not all of whom take the measure of the risk; consequently they do not allocate the necessary financial resources, and they do not relay to their general management and corporate officers that the latter are legally and criminally liable in the event of a claim.
Fortunately, since the new military programming law (LPM), companies designated as operators of vital importance (OIV) have been obliged to report incidents to the National Agency for Information Systems Security (ANSSI), so that it can cross-check them against other attacks, intervene to reinforce defences and, at the same time, inform the general public and businesses about security events and the hacking of economic actors.
We live in a culture of lax security on these subjects, coupled with a deficit of awareness of the dangers and risks facing users, whether in business or in private life. Dangers and risks that can strike at any moment of life: identity theft, hacked bank accounts, or an espionage campaign against a company that can cause lasting damage. A field made for lawyers!