The essential role of employees in companies’ information security – economieMatin


Businesses of all types and sizes have been suffering from an upsurge in cyber attacks for several months. This phenomenon results in particular from the generalization of remote work and the increase in the number of collaborative tools to which employees have access. Although they can have a considerably negative impact for companies as well as for their partners, these incidents can be avoided and their consequences reduced.

Indeed, certain preventive practices to be put in place with employees, correlated with efficient cybersecurity solutions, can help reduce the number and impact of breaches of corporate information security.

Sending documents as email attachments is now a particularly widespread practice, both between employees of the same company and with external recipients. However, these documents can contain sensitive or confidential information which must not end up on the screens of malicious people. The senders of these documents do not always understand the danger that sending them can represent, nor the risks linked to a breach of the confidentiality of electronic correspondence. In addition, electronic messaging remains one of the main vectors for the dissemination of threats and for intrusion or interception strategies (spreading viruses, phishing, etc.).

Raising awareness and continuously training employees to remain vigilant about shared data is an essential step: what information is sensitive or confidential, what the risks are if this information is intercepted, what liabilities are incurred, and which tools and best practices to use to ensure secure sharing.

The use of a strong password, for example, as well as keeping Internet use partitioned between professional and personal activity, are concepts which may seem obvious but which nevertheless need to be recalled frequently. Logging off and running recommended updates are not optional, and disabling security software – anti-virus, firewall – should be avoided under all circumstances. Some companies set up simulated cyberattacks – fake phishing messages, fake “hacked” USB keys – which make it possible to analyze the reaction of employees and to hold a refresher session on best practices if necessary.

While the company has a moral but also a legal obligation to provide the appropriate equipment to guarantee the security of its customers’ data, it must understand that its mission also includes adopting protocols that ensure the proper use of these tools by all of its employees, so that the protections really reach their maximum potential.

It is therefore crucial to involve employees in the collective effort against cyber attacks in order to minimize the risks: risks for the companies themselves, but also for their customers. Because in the event of an attack, it is the head of the company that suffered the wrongdoing who may be held to account. Article 34 of the General Data Protection Regulation indicates that when a personal data breach is likely to give rise to a high risk for the rights and freedoms of a natural person, the controller must communicate the personal data breach to the data subject as soon as possible. The controller must then be able to demonstrate that its liability is not engaged, proving to the authorities that it had indeed, prior to the attack, used all the necessary means to limit the risks: information system security, employee training, but also that it had ensured the proper functioning of its protection strategy, in material and human terms.

If the company shows breaches in the security of the information it processes, its manager incurs civil and criminal penalties of up to five years’ imprisonment and a fine of 300,000 euros (Penal Code, art. 226-16). In 2019, the Council of State confirmed the CNIL fine of 200,000 euros imposed on a large optical chain (1) for the proven absence of measures to organize and protect its information system. In the current context, employee involvement is no longer an option but a commitment from all the players in the company, including managers, who now know that this does not only happen to others and that they will not be able to invoke victim status as their sole defense.

(1) https://www.legalis.net/actualite/optical-center-le-conseil-detat-confirme-mais-reduit-la-sanction/