It is high time for companies to become cyber-resilient!

By GS Mag 08/06/2021

EBRC (European Business Reliance Center), a Luxembourg-based company with offices in major French cities through its subsidiary Digora, has been hammering away at this leitmotiv for over 20 years. Any organisation that can recover quickly from a serious incident will have every chance of surviving in a world that has become increasingly virtual. But few organisations have such a comprehensive approach. How can you apply cyber-resilience to your company and why choose EBRC? Yves Reding, CEO, and Philippe Dann, Head of Risk & Business Advisory, provide the answers.

Some European companies have been hit hard by the pandemic. How can EBRC help them to recover?

Yves Reding: EBRC's mission is relatively easy to understand. Of the four letters in our name, the first and third are the most important. “E” stands for European because we position ourselves as a European company. The European Union, with its associated countries (EEA), is one of the largest trading areas in the world, with over 500 million citizens; it has its own values, but it is not a digital powerhouse. The major digital players are mainly American and Chinese, and Europe is lagging behind. Europe has missed the first wave of digitalisation. It must become a world leader in the second wave, which will be a real tsunami, that of Artificial Intelligence. It is becoming urgent to capitalise massively on the know-how of our engineers and computer scientists and to set them working on ambitious projects, such as the GAIA-X initiative. Our ambition is to work with others to build this digital Europe. It is a matter of security and European sovereignty!

“R” stands for Reliance because our entire business model is based on trust in digital. We position ourselves as a centre of excellence focused on the protection and management of sensitive information. We are increasingly moving towards a virtual world, and the current COVID crisis has precipitated this evolution. For our economies, data has become the new “black gold”, the fuel for growth. Data is becoming increasingly critical, both in terms of confidentiality and high availability. To ensure maximum protection for our customers, we offer them a complete chain of trusted services, starting with our Data Centers. Our Data Centers are Tier IV certified and have not had a single second of downtime since the year 2000! Every day we ensure that all our other offerings are modelled on this same level of quality, whether that is business continuity, risk management, managed services, cloud services or consulting. We set the bar very high, which is why we have implemented a continuous improvement process based on international best practices. EBRC has numerous certifications, including ISO 22301 (business continuity), ISO 27001 (information security), ISO/IEC 20000 (IT service management), PCI DSS (payment security), ISO 9001 (quality), and more.

You put a lot of emphasis on cyber-resilience. What is it exactly? Why do you think it has become an absolute priority for all companies that want to survive in the post-COVID world?

Y.R.: Since its inception, EBRC has always made Cyber-Resilience its core strategy. Digital transformation allows for greater agility, but it also brings with it many and varied cyber threats that need to be addressed. We have always advocated a realistic and pragmatic approach based on the assumption that all businesses will suffer attacks, whether physical or virtual. We believe that Cyber-Resilience must be integrated into the very DNA of all businesses if they are to survive. They must be able to withstand any shock, even if it is totally unpredictable, and come out stronger.

From the outset, we considered a whole series of disaster scenarios, including a pandemic with a border closure. Unfortunately, the facts proved us right with the appearance of COVID in our lives in early 2020. Many companies were not prepared to switch safely to telework and found themselves in a bind.

What are the main lessons to be learned from the current health crisis?

Y.R.: There are two. Companies now know what resilience means. During this health crisis, the word has been used so much that it has become almost meaningless. Twenty years ago, we were among the first to talk about it. Before, the “R” in EBRC stood for “Resilience”. Unfortunately, at the time, we were practically preaching to the choir!

In March 2020, in the midst of the pandemic, the worst-case scenario would have been for the digital infrastructure to fall, a scenario which many economic players have not yet taken into account. Tomorrow's virus, which could undermine the entire global economy, could well be virtual. Many people are talking about the probable appearance of a huge digital “virus” or pandemic that will reach our societies and could affect our vital systems such as health, telecommunications, water distribution, electricity, heating or transport. We have already seen the beginnings of what awaits us in the months or years to come with the "SolarWinds" cyber-attack perpetrated last year. It was incredibly sophisticated and is a rehearsal for the attacks that await us in the near future. It is believed to have affected at least nine federal agencies in the United States as well as large and prestigious tech companies. 17,000 organisations have been infected by the malware.

Simply protecting your data is no longer enough. We need to change our paradigm, take a preventive approach, foresee all potential situations, including the most unlikely ones, and consider that they will come to pass one day or another. Cyber-Resilience goes beyond protection; it is necessary to consider that the attack has succeeded and it is therefore a matter of managing the crisis, restoring and surviving. Our role is precisely to support companies in their approach towards achieving greater Cyber-Resilience.

What are the processes that every company must implement to guarantee the security of its data and the continuity of its business?

Philippe Dann: Cyber-Resilience is a global approach based on 3 main pillars: Information Security (ISO 27001), Business Continuity (ISO 22301), and Risk Management (ISO 31000). Firstly, the aim of security is to protect the company's assets, such as data, for example. Then, it is necessary to integrate the issues linked to the organisation's activities: map its processes, understand its business needs in terms of continuity and security, and ensure that the partners and stakeholders in its ecosystem have the same degree of robustness. Finally, the organisation must have a risk-aware approach, which involves identifying vulnerabilities and responding with appropriate risk management processes. All of this is essential for any company that wants to be cyber-resilient.

It is also important to be prepared for a crisis. To this end, we recommend that incident management exercises be held at regular intervals. They will help answer the following questions: What actions should be taken in the event of a cyber-attack? Is there a good connection between management decisions and those taken by operational staff? Of course, it is often the case that the incident that will most directly threaten the organisation is one that was not expected. However, the more the organisation prepares itself, defines roles and responsibilities and trains its teams to deal with eventualities, the better equipped it will be to respond to incidents, however unexpected they may be.

Every organisation must be aware of the fact that Cyber-Resilience is more than just another project. It is a real mindset that needs to be instilled from the top. The “tone” must come from the “top” and be taken up at all levels of the hierarchy. This ability to have the right reflexes will ensure that an attack does not turn into a disaster for the entire organisation.

How do you differentiate yourself in the support you provide to your customers?

Ph.D.: The originality of our approach! It lies in the fact that we ourselves have all the certifications relating to the standards we recommend to our customers. Regular audits of our activities by the certification authorities allow us to continue to improve. We rely on proven methodologies and standards such as ISO 27001 for the security of sensitive information and ISO 22301 for business continuity.

It's no coincidence that we operate in sectors as diverse as health, finance and the electricity trade. Our ability to listen, our understanding of the different business lines and our feedback make all the difference. Our customers value our own experience. We are not just theorists of security and continuity; we provide them with appropriate, effective and pragmatic answers.