The ANSSI published its threat overview on 11 March, highlighting two main risks: threats linked to the use of AI, attacks on hypervisors, the software used by cloud service providers to manage their customers, and attacks on the supply chain.
A growing proportion of companies' value comes from their data, reputation and intellectual property.
It is therefore essential to identify and locate these assets, map the associated risks and assess the potential financial impact if the risks materialise. This enables decision-makers to make informed cyber protection investment decisions.
Decision-makers are ultimately responsible for cyber risk, and regulatory constraints are increasing.
Cyber risk management requires a documented process that includes a BCP, identified players and drills.
The cast includes :
- Incident response teams: Internal or external SOC. The ANSSI has set up regional CSIRTs to deal with requests for cyber assistance from medium-sized organisations.
- Cyber insurers, who have experience of their customers' claims.
- Lawyers, particularly for reporting issues, which can be delicate and restrictive, especially in an international context. For example: declarations to the CNIL, ANSSI and foreign authorities.
- Provide lawyers with a media service to communicate with the people concerned.
It should be noted that the Senate began examining the law transposing NIS 2 at the beginning of March. Already transposed in Italy and Belgium, there will be no over-transposition in France. It is advisable to wait for the ANSSI requirements framework before demonstrating compliance.