When French broadcaster TV5Monde suffered a cyber attack in April, 11 channels were temporarily taken off air and the company’s social media accounts were hijacked. At the time, it was believed that CyberCaliphate – a group supporting Islamic State – was responsible, but it has since been claimed that Russia’s state-sponsored APT28 group was in fact behind the incident.
Whoever was responsible, the company is still feeling the effects three months later.
Yves Bigot, the network’s director general, was quoted by France Info last week as saying that TV5Monde still can’t reconnect to the Internet and won’t be able to do so until French agency ANSSI (L’Agence nationale de la sécurité des systèmes d’information) has completed its investigation into the incident and the broadcaster has built a new, more secure system. For the company’s 400 employees, he said, it is like being castaways in the TV series Lost.
“We are still living without Wi-Fi, without being able to use Skype or scan a document, because we still cannot reconnect to the Internet. We have to wait for the national agency for the security of information services to finish its analyses and for us to build the new broadcast architecture that gives us maximum protection. This means that we are working a bit as if we were the castaways of ‘Lost’.”
The cost of the attack is estimated to be between €4,3 and €4,5 million in 2015, and €11 million over the next three years – a total of more than €15 million. It’s a huge sum, but M. Bigot says he hopes TV5Monde will be in the 10% of organisations that manage to survive such incidents.
As cyber attacks continue to escalate, the financial impact of security incidents is something all European organisations should prepare for. Others may not suffer as much as TV5Monde, but the costs are still high: IBM and Ponemon Institute’s Cost of Data Breach Study – France put the average total cost of a data breach at €3,12 million for French organisations.
The best way for European organisations to ensure their security – and protect themselves from unexpected costs – is to implement an information security management system (ISMS), as set out in the international best-practice standard ISO 27001.
An ISO 27001-compliant ISMS provides a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts – as well as allowing you to meet legal and regulatory obligations.
An ISO 27001-compliant ISMS will also help organisations meet the requirements of the EU General Data Protection Act (GDPR), which is expected to be implemented later this year and come into force in 2017.
ISO 27001 implementation resources
IT Governance has led hundreds of ISO 27001 implementation projects around the world. Our ISO 27001 Packaged Solutions provide fixed-price implementation resources and implementation guidance for all European organisations.
The ISO 27001 Get A Lot Of Help package is by far the most popular, combining a comprehensive mix of core ISO 27001 standards and implementation guidance with key implementation tools, attendance at our Live Online masterclasses, and our unique Mentor and Coach service – all at a fixed price.