
Electronic archiving: a little-known aspect of cybersecurity

The world is changing and cyberattacks are now part of daily life. Among the electronic tools available to protect against them, electronic archiving ranks highly.


Cybersecurity breaches have almost become the norm and regularly make the headlines. Although private individuals are often affected, companies also pay a heavy price. In its annual report on cybersecurity (The Global State of Information Security Survey), the auditing and consultancy firm PwC reminds us that more than 4,500 incidents affecting French companies are identified each year. This equates to more than 12 incidents per day (not including unreported incidents).


2 trillion euros lost by 2020

The firm also stresses that barely more than one company in three states that it has confidence in its capacity to identify the sources of cyberattacks. To this must be added the major financial impact of these cyberattacks and the associated operational risks. For France, the losses suffered this year are up by 50% compared to 2017 and are estimated at an average of 2.25 million euros for French firms. The global estimates are certainly no more reassuring: according to a study by the World Economic Forum, cyberattacks could generate economic losses of up to 2 trillion euros by 2020. The corporate environment is increasingly exposed to cyber threats, and network-based attacks are also on the rise. As proof that institutions are also targeted (and not only banks, e-commerce giants and social networks), in early December cyberattacks hit several institutional websites, including those of the Urssaf, the Ministry of Justice, Paris-Sud University, the University of Lorraine and the Franco-American foundation. The method used was the distributed denial of service attack (DDoS), which involves creating a traffic overload through simultaneous connections to the same website in order to crash it and thereby make it inaccessible. And that’s not all: the Ministry of Foreign Affairs suffered an intrusion with the massive theft of data belonging to tens of thousands of citizens, and the websites of several major groups (Carrefour, Total, EDF, Orange, La Française des Jeux, TF1 and BFM.TV) and that of the national police force are now being targeted by certain “hacktivists”.


Ransomware: charging you to decrypt your data

Although in some cases the hackers are trying to paralyse the activities of the State and of major French companies, with ransomware the objective is clearly a financial one. It was thought to be dormant, but with intrusions identified at Boeing, the city of Atlanta and the emergency department of Baltimore hospital, it appears that ransomware is still active. It is also effective: on average, affected companies paid 38,900 euros worldwide and 31,500 euros in France. France has certainly not been spared, as shown by the recent study from Vanson Bourne. “Although in 53% of cases the most successful attack enabled the attackers to encrypt files, this had no impact on the organisation because it had backups to replace the corrupted data or because it was able to decrypt the files”, the study explained. Nevertheless, the fact remains that 7% of the victims were unable to find a solution to recover their data and 3% preferred to pay the ransom to be able to decrypt it.


Today, security does not begin and end at the company’s walls

Previously, cyberthreats were rarely considered when an organisation performed a risk assessment. Today, at a time when we are witnessing an explosion in the volume of digital data and transactions, the risk of cyberattacks has increased significantly. Additionally, thanks to the cloud, this data can be accessed from anywhere in the world. The task of ensuring security for transactions and critical data therefore no longer begins and ends at the company’s walls. PwC also estimates that 70% of organisations have defined or are in the process of defining a preventive strategy. Proof that cybersecurity is no longer an issue taken lightly by companies.


An EAS offers an extra line of defence

Ultimately, it is the whole of the company’s knowledge, but also its “information assets” in the wider sense, which are under threat: documents concerning techniques or know-how, business processes and procedures, but also management documents constituting proof of administrative matters to be produced during inspections, and finally contractual documents between clients, suppliers and partners, which together comprise the items needing to be produced in the event of business disputes or litigation in order for the company to defend its rights. Such documents must be protected not only from cyber threats but also from internal malpractice or errors. All too often, these documents are stored within the organisation and backed up on unsecured servers or hard disks which are almost freely accessible to employees and relatively easy to compromise. However, European legislation is perfectly clear on this particular point. The company’s management documents are subject to archiving obligations and are only legally admissible during administrative inspections or litigation proceedings if they are archived under conditions guaranteeing and maintaining their integrity. It is therefore necessary to ensure that they cannot be deliberately or accidentally modified for the whole period covered by the storage obligations.


Using a certified service provider

To face these risks, which are not only financial but also operational, all of these documents must therefore be kept safe, and the best possible place for this is undoubtedly an EAS (Electronic Archiving System), on condition, however, that a certified service or certified service provider is used. Trusted service providers exist in this field, possessing ad hoc certifications and fully trained teams. A number of essential authorisations, standards, certifications and qualifications exist. These include ISO 27001 certification (for information security management systems), NF 461 for compliance with Afnor standard NF Z42-013 and ISO 14641-1 (concerning electronic archiving systems with evidential value), the France Cybersécurité label, eIDAS qualifications and HDS certification (for personal health-related data). Ensuring suitable protection requires compliance with these standards, but also a set of specific skills (which must be regularly upgraded, on a half-yearly basis as a minimum, as cyber threats are evolving quickly) and financial, technical and human resources which are not always available in all organisations. Outsourcing these tasks to a service provider specialising in electronic archiving can therefore clearly help companies, as this service provider focuses all of its resources on the matter.


An ability to face all scenarios

Electronic archiving offers an excellent solution for limiting the damage caused by cyberattacks. Organisations which suddenly no longer have access to archived documents are exposed to administrative risks, in that they can no longer defend themselves during inspections, but also to legal risks in litigation cases, which can have serious direct or indirect financial consequences and lead to the managers incurring criminal liability. This is all the more true as the hackers’ motivations and techniques are fast changing and varied. Some attacks, for example, are designed to steal an important document so that it cannot be used during a litigation case, to spy on a competitor by gaining access to sensitive business documents, or to hinder business activities by preventing the victim from demonstrating its compliance or know-how, or even by tarnishing its image by publishing fake documents.


It is virtually impossible to delete, add or steal documents stored in an electronic archiving system meeting the applicable standards. These systems guarantee the security and integrity of documents over the long term by using advanced cryptographic procedures, and their tools and processes are also the subject of highly detailed periodic audits by external service providers approved for this purpose by the authorities.

A greater role for protection

The role of the service provider in the archiving process is to protect the organisation’s information and strategic assets, including from abuse (whether intentional or otherwise) by staff. By having a certified service provider handle the archiving of these documents, organisations are able to guarantee that their evidential value is maintained. Additionally, they cannot be suspected of having manipulated this information, and they avoid all the inconveniences caused by IT system breaches and technological obsolescence, while keeping pace with changes in the law and in standards. Finally, only authorised employees have access to the stored data, major actions are subject to validation at several levels, and all interventions are recorded and traced in logs whose security and integrity are fully guaranteed.
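The integrity guarantees described above (documents that cannot be altered, deleted or added unnoticed, and a tamper-evident journal of deposits) rest on a simple cryptographic idea that this added example illustrates: every archived document gets a SHA-256 fingerprint, and each deposit entry is chained to the previous one by hashing. This is illustrative code written for this page, not the software of any archiving provider or of the NF Z42-013 standard; the document store and the sample documents are constructed.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample deposits (document id, content); not real company data.
SAMPLE_DOCS: List[Tuple[str, bytes]] = [
    ("contract-2018-001", b"Supply contract, signed 2018-03-01"),
    ("invoice-2018-117", b"Invoice 117, 12 450.00 EUR"),
    ("procedure-qa-07", b"QA procedure rev. 7"),
]
GENESIS = "0" * 64  # link value before the first journal entry


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a document's bytes: its archive fingerprint."""
    return hashlib.sha256(data).hexdigest()


def entry_link(entry: Dict[str, str]) -> str:
    """Hash of an entry's body (id, fingerprint, previous link) in canonical form."""
    body = {k: entry[k] for k in ("doc_id", "doc_hash", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_journal(docs: List[Tuple[str, bytes]]) -> List[Dict[str, str]]:
    """Hash-chained deposit journal: each entry commits to the one before it."""
    journal: List[Dict[str, str]] = []
    prev = GENESIS
    for doc_id, data in docs:
        entry = {"doc_id": doc_id, "doc_hash": fingerprint(data), "prev": prev}
        entry["link"] = entry_link(entry)
        journal.append(entry)
        prev = entry["link"]
    return journal


def verify_archive(journal: List[Dict[str, str]], store: Dict[str, bytes]) -> List[str]:
    """Return the problems found; an empty list means journal and store are intact."""
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(journal):
        # A rewritten entry breaks its own link; a recomputed link breaks the next entry's prev.
        if entry["prev"] != prev or entry["link"] != entry_link(entry):
            problems.append(f"journal entry {i} broken chain")
        prev = entry["link"]
        data = store.get(entry["doc_id"])
        if data is None:
            problems.append(f"{entry['doc_id']} missing from store")
        elif fingerprint(data) != entry["doc_hash"]:
            problems.append(f"{entry['doc_id']} content altered")
    # Documents present in the store but never deposited through the journal.
    for doc_id in sorted(set(store) - {e["doc_id"] for e in journal}):
        problems.append(f"{doc_id} added without journal entry")
    return problems
```

A real EAS additionally timestamps and signs the chain with a trusted service so that the journal itself cannot be silently rebuilt; that step is outside this example.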


In short: electronic archiving has today become a major “cyber” component for organisations.