This article follows on from the FIC Observatory breakfast of 6 April 2016 on raising awareness. This breakfast, coordinated by Gérard Pesch, organiser of the Security Film Festival, brought together Gil Delille, director of information systems security for the Crédit Agricole Group, Jean-François Escolier, managing director of Getzem Secure, Laurent Huberson, journalist, and Jean-Paul Mazoyer, president of the CIGREF Cybersecurity Circle.
Initially confined for nearly 15 years to a somewhat closed – or at least limited – community of technicians and engineers specialising in IT, cybersecurity has gained much greater visibility over the last 4 years. TV news programmes, documentary reports, the printed press, radio, Hollywood films, series and mainstream video games… all that was needed was for Cyril Hanouna to conduct a live spoofing of Nabilla in ‘Touche Pas à Mon Poste’ to ensure that nobody in French society could claim never to have heard of the subject. Now seen as a major issue (thanks to Edward Snowden, Sony or TV5 Monde, depending on whom you ask, along with the important awareness-raising work carried out by industry professionals, led by information systems security managers, ISSMs), the theme appears to have reached the 3 target groups that allow this collective awareness to emerge: companies or administrations themselves, particularly at General Management level, employees and the general public. Despite this improvement, there is still work to be done, regrettably for intrinsic reasons.
Overcoming the language barrier
The first of these reasons can be found in the internal workings of companies. IT security was (is?) seen by IT managers as merely a cost, with no ROI. As Jean-Pierre Mazoyer, president of the CIGREF Cybersecurity Circle, explained, the challenge lies both in involving IT managers in the issue and in having ISSMs develop a comprehensive approach to IT risks. This includes using the IT procurement policy as a lever for ‘security by design’ or, at least, ensuring that security is an integral part of the acquisition criteria for IT solutions. However, this approach is not enough. Breaking down the silos between IT management, security/safety departments, business-line management, administrative and legal departments and General Management remains a challenge, and this is nothing new. This decompartmentalisation comes up against a major barrier: that of language. It is therefore important to adopt an empathetic approach to build bridges between these worlds and, especially, to involve top management. With few exceptions, the subject is indeed not yet perceived by the CAC 40 companies as an overall challenge meriting the involvement of their Executive Committee. Proof of this, according to Jean-Pierre Mazoyer, is the fact that organising cyber crisis exercises at General Management level still seems unthinkable. It is therefore a question of relying on individual levers, for example the personal responsibility of corporate officers in this area, or, indirectly, appealing to the shareholders.
One percent of an IT department’s budget is devoted to 80% of its problems
The second reason is that security is only effective if it is transparent to users and integrated into everyday use. The flip side of this is that employees come to regard their company as very well secured, and therefore invulnerable. “We are so well secured internally that I send all my personal e-mails to my professional mailbox, just to be sure,” explained one employee of a large company to his ISSM, who was surprised at the number of security incidents detected on this individual’s workstation. This anecdote, reported by Jean-François Escolier, managing director of Getzem, illustrates how far there is to go in moving from raising awareness to having all employees implement best practices. According to the latest study by CIGREF, the ISS budget represents around 6% of an IT department’s overall budget. Of this share, the percentage devoted to awareness-raising activities is around 16%. Companies thus spend less than 1% of their IT budget on an issue in which 80% of their problems are concentrated…
A positive, or even fun message
An effective awareness-raising campaign involves four things: a clear vision of the target audiences, an effective message, a suitable dissemination channel, and indicators for assessing its ROI, in particular for high-level managers. Still, quantifying the ‘human’ factor is inherently difficult. It is therefore necessary to be creative: evaluating the incident reports spontaneously provided to the security department, tracking classic incidents (the click rate on simulated phishing campaigns) or using anonymised declarative questionnaires to obtain a true statistical measurement. As for the message, we know that when dealing with security-related topics, the tone has to be positive and even fun, since scaremongering is often counterproductive. In taking this approach, it is nevertheless important to guard against the Hanouna effect: light and entertaining, but failing to get any message across because it has become meaningless. From this perspective, interactivity is essential, and this is Cyril Hanouna’s real strength: he anchors his show in the lives of its viewers through live interaction via Twitter. Within companies, it is therefore essential to make a link with the employees’ day-to-day lives through a ‘story learning’ process, which is much more effective than simply raising awareness. In this respect, serious games are a much more effective option, even if they take up an employee’s time, time so precious that HR managers monitor whether or not it is being used to good effect. It is therefore important that the project involve not only HR, but also top management, who are, indeed, an ideal target for attackers. As emphasised by Gil Delille, president of the Skills Forum, if an attack is sophisticated and very well orchestrated, it will succeed in any case. The equation therefore remains difficult to solve.
The success of the Hackacademy
The first real communication operation for the general public was conducted by CIGREF with the support of institutional players and financial contributions from 30 major French companies. The purpose of the Hackacademy video clips was indeed to appeal to public opinion and thus, ultimately, reach the majority of the employees of these major companies. From this point of view, the project was a resounding success, with over a million views on Internet platforms and strong take-up within the major companies. The impact on the general public is nevertheless lower, with just a few appearances on Arte and LCP and ongoing discussions with France Télévision. This difficulty in addressing the general public reflects the persistent problem the mass media encounter in dealing with themes related to cybersecurity. As explained by Laurent Huberson, journalist and editor in chief of “Investigations” on D8, the mass media are primarily seeking unifying topics for TV programmes, ones that attract the largest possible viewing audience during a time slot that is usually highly competitive. It is therefore essential to understand the mechanisms that govern the choice of a broadcast topic. The thought process of any editor in chief can be summarised in three questions: is the theme new? Is it out of the ordinary? Does it have a consequence? It is clear that, for a long time, cybersecurity remained associated with B2B concerns, sometimes with geopolitical issues, and was thus very far from the daily preoccupations of the general public. However, over the last 5 years, spurred on by news stories and the attackers’ creativity, the theme has also emerged in everyday life: credit card scams, smartphone security, Internet reliability, the phishing campaign with bogus e-mails from the French Public Treasury, car thefts without forced entry, etc. With 20% of interviewees saying, for example, that they have fallen victim to bank scams, cybersecurity has become a unifying subject.
Moreover, the mysterious and, rightly or wrongly, spectacular character often associated with computer attacks is obviously very attractive to the media.
A difficult subject for a TV crew to bring to the screen
A dual constraint persists nevertheless: cybersecurity remains a complex subject of a technical nature, difficult to explain to the general public and, above all, difficult for a television production team to bring to the screen! Its handling is therefore often limited to the most spectacular effects, without any work being done on verification, sourcing, education and putting everything into perspective, even though these are absolutely necessary for the general public to process the information. The way the hacking of TV5 Monde last year was handled illustrates this difficulty, as emphasised by Laurent Huberson. For the first time in contemporary French history, the programmes of an international TV channel were cut off by a cyber attack. Yet, despite its importance, and although it received media coverage, the event was not handled as befitted its degree of severity and has never really been explained. The corollary to this is another risk: hasty media coverage and excessive dumbing down can leave room for all kinds of conspiracy theories and accentuate the air of mystery. This is what is known as the alien effect. Thus, cybersecurity professionals must, above all, extend their popularising and educational efforts to the journalists themselves, in the hope of reaching the general public.