Cybersecurity in 2023: what strategy should you adopt?

The French National Cybersecurity Agency (ANSSI) identified 831 proven intrusions in 2022. That’s more than 2 successful cyberattacks each day.

As companies across all industries become more digitalized, opportunities for cybercriminals have risen sharply.

Whether you're a freelancer or a manager at an SME, what risks could your business be exposed to? What cybersecurity strategy should you adopt to protect your company? In this article, you’ll get up to speed on the cybersecurity risks for freelancers, micro-enterprises, and SMEs. On top of that, you’ll get some expert advice from our cybersecurity director, Ayoub El Aassal.

Cyberattacks only happen to other companies, right? Unfortunately not. Even if the overall number of attacks observed in 2022 was slightly lower than in 2021, "the threat remains high" according to the ANSSI. And this also concerns micro-enterprises and SMEs.

Here are some figures to put that in context:

• 45% of companies were affected by a successful cyberattack in 2022 (CESIN barometer)
• 60% of these attacks had a direct impact on the company's activity. For 24% of affected companies, the attacks resulted in business disruptions over a significant period of time. For 14% of companies, data was compromised and their brand image suffered due to the media impact, while websites became unavailable for 13% (CESIN barometer).
• 14% of impacted companies spent more than €50,000 on relaunching their activity after the cyberattack, and 6% spent up to €100,000.

Even if the majority of attacks targeting micro-enterprises and SMEs are opportunistic - exploiting minor vulnerabilities - they can certainly lead to more significant incidents. You should, therefore, take these risks very seriously to ensure the long-term security of your business.

Before launching a security strategy, you'll need to assess your business's vulnerability to attacks. So ask yourself, who would try to attack us, and what do we need to protect ourselves?

These answers will determine your specific security needs. If your vulnerability is minimal - your online presence consists of a website and a few social media profiles, for example - then your main threat will likely come from automated bots that scan webpages for weaknesses. If your business surpasses a high revenue threshold or handles sensitive information, you may be targeted by attackers with more resources and skills.

Your cybersecurity strategy will take shape according to the kind of attackers that could target you, and the resources at your disposal to deter them. Once your strategy is well defined, you’ll be ready to roll it out.

What measures should you take?

Two-factor authentication (2FA) is a security method that requires two separate forms of identification to access your data. This typically combines something you know, such as a password, with something you have, like an app or a physical security key.

A username and password combination is a basic one-factor authentification method. Because it relies on memory alone, it’s not a secure way to log in.

You have several methods at your disposal to set up two-factor authentication, including:

• Sending a one-time code via SMS (which is usually time-limited).
• Using an identity authentication app.
• Sending a login notification to another device.
• Using face, voice, or fingerprint recognition.
• Using a security key or cryptographic key (e.g. Yubikey).

A password manager allows you to generate complex passwords; it stores them for you so that you can log in to your applications securely. Two of the most popular password managers are Dashlane and 1Password.

Password managers automatically detect legitimate websites by pre-filling the authentication fields. Although a human can be fooled by a malicious site - one that looks and feels like Gmail, for example - a password manager won’t fill in your password if the site isn’t authentic. You’ll be alerted and you can steer clear.

And what about the password management feature included in some web browsers, like Google Chrome and Safari? Our cybersecurity director shares his thoughts:

Storing all your passwords in a single password manager increases the security threat in the event of a breach. Again, it's all about evaluating the risk. Are you more concerned about your passwords being guessed? Or your password manager getting hacked? Every company has a different approach, according to its own circumstances and industry.

How vulnerable are you?

Most SMEs have an online presence - the key asset being their website - and they will usually offer their products and services online, too. With a network (infrastructure, tools, etc.) that stores customer and business data, your vulnerability to cyberattacks increases. 

What measures should you take?

To begin with, the recommendations outlined for self-employed professionals and freelancers also apply to your small business. Ask for two-factor authentication to be set up on software that your employees are using on a daily basis. And make sure that all employees are using a password manager.

• Less than 50 employees

If your business has an online presence, you'll be exposed to the internet’s common threats. Before implementing security measures, you should take an inventory of your assets and assess the risk for each. After, you can launch actions to reduce the vulnerability of each asset.

What measures should you take?

1. Set up a WAF on every website

A WAF (web application firewall) secures an app server by filtering out any malicious requests coming from the internet. This firewall protects your company against simple and generic attacks that are often carried out by scripts and bots.

2. Limit the impact if an asset is compromised

Go through each asset in your digital inventory and ask yourself: How do I protect my business if this is compromised? For example, if an attacker targets a specific PC, you need to stop them from gaining access to your whole network. Make sure you've installed antivirus software and, if the attacker gets past it, shut down the shared network as an emergency solution. It’s equally important to use unique admin and user passwords across all your servers and devices. 

There are plenty of cost-effective measures you can take - based on your risk assessment - to significantly reduce the threat posed by cyberattacks.

What is ransomware? Malicious software that locks down a company’s data and demands a ransom to regain access to it.

The two best practices listed above will guarantee a basic, yet strong, layer of security for your micro-enterprise or SME.

• More than 50 employees

Once you have more than 50 people on your team, it's essential to hire a dedicated cybersecurity expert. They'll be able to:

1. Model the risks more accurately

With their specialist knowledge of how different attackers operate, your cybersecurity manager can help you identify vulnerabilities and preventative measures. If the immediate threat is ransomware, should you start by making backups? Segmenting networks? Or by installing threat detection software, such as EDR (endpoint detection and response)? All of these measures are sound, but the order in which they are implemented is crucial - and your cybersecurity expert will know where to start. They can make the difference between a system-wide breach and containing an attack to just one single device.

2. Neutralize system-wide threats with new systems and procedures

You don't want an employee to jeopardize your business by mishandling sensitive data. To make sure this doesn’t happen, the cybersecurity manager will set up various procedures and approval systems (whether automatic or manual). For example, a sole developer shouldn’t be able to modify important code without the relevant permissions. An effective review or approval system will cater for this, while ensuring agility and flexibility are not impacted.

• More than 150 employees

Beyond 150 people, it's unlikely that everyone in the company will know each other. It's therefore essential to use an identity and access management solution. These platforms grant access to company apps via a single and secure login, through which every employee must identify themselves. At Qonto, we use OneLogin. Another popular platform is Okta.

• More than 200–250 Employees

At this stage, a company should have enough safeguards in place to consider a serious investment in detection technology. These solutions allow you to track any actions taking place within a centralized system. For example, if someone modifies a crucial component of a system, it's important to know who made this change. By centralizing these incidents in a SIEM (security information and event management), you can instantly detect any unusual behavior.

As we've explored, it's impossible to ignore cybersecurity risks in 2023. Every company needs to get up to speed on the potential threats and develop a solid cybersecurity strategy. In fact, your future success depends on it. Now that you’re equipped with the know-how, we hope you feel inspired to take action.