The editorial staff of Le Monde Informatique takes you back to its Cybermatinée Sécurité 2021 cycle during the summer. Back today to the Hauts de France stage, with in particular the testimonies of Frédérick Meyer, CISO of Auchan Retail, Jérôme Pellois, CISO of La Redoute, and also Nicolas Bourgeois, DPO of Mobivia.
On May 5, you were able to attend the Cybermatinée Sécurité webconference during the stage in the Hauts de France region. Do you want to relive the event or access it for the first time? No problem, find the full replay of this show for free at this address. This program was produced in partnership with Afcdp, Cesin and Clusif as well as locally with Clusir Nord de France and DSI Gun. Among the feedback, we offered you that of Frédérick Meyer, RSSI of Auchan Retail and member of Cesin, Jérôme Pellois, RSSI of La Redoute, and Nicolas Bourgeois, DPO of Mobivia and member of AFCDP. Without forgetting Joseph Graceffa, president of the Clusir Nord de France, as well as Benoît Salingue, member of the office of DSI Gun. For his part, Saad El Aboudi, Deputy CEO of Diskyver, spoke to present this cyber start-up specializing in securing VoIP communications. This Cybermatinée Sécurité was produced with the support of Netskope, VMware, Darktrace, Veeam, Trend Micro and Rubrik.
Within Auchan, a central organization is responsible for delivering security services to the various entities of the company, in which referents steer resources and projects. This is precisely the case of Frédérick Meyer, CISO of the retail branch, the group’s largest. “Auchan’s IT strategy is cloud first and on the corporate entity we no longer have an on-premise datacenter but only cloud infrastructure, not only IaaS but also SaaS”, explained Frédéric Meyer. To accompany the movement, IT security has kept in step by adapting to this strategic choice. “We don’t necessarily have a bias, it’s not because we work with a cloud provider that we will choose 100% of our cybersecurity solutions from them”, specifies Frédéric Meyer.
“We call on external resources because it’s complicated to find and recruit security skills,” explained Frédéric Meyer, CISO of Auchan Retail and member of Cesin. (credit: LMI)
Cloud security, an evolution not a revolution for Auchan
The distribution giant turns out, like other large groups, to be particularly exposed in cyber terms, including the e-commerce part, which continues to grow. “We are subject to attacks and security incidents and ransomware,” continues Frédéric Meyer. To fight and remedy this, Auchan relies in particular on cloud security posture management (CSPM) tooling, notably to control access. “It’s not because we are in the cloud that we are revolutionizing security, it may not be very innovative and disruptive, but we are very attached to identity and access management”, indicates the CISO, who is also a member of Cesin. On the question of where to draw the line between security for cloud and for legacy environments, what counts above all are the hygiene, configuration and patch management rules put in place, whatever the environment. “To protect the cloud and the on-premise, these are not necessarily the same tools, they must be combined to address one or the other of these environments”.
Find the free replay of Cybermatinée Sécurité Hauts de France
With 2,000 employees and nearly 750 million euros in turnover, the La Redoute group is a major player in e-commerce in France. After having shifted its business model from paper (catalogues) and telephone sales to an almost entirely online channel, the company has accompanied its digital momentum with a cybersecurity strategy. “We are putting in place a defense and surveillance strategy,” said Jérôme Pellois, RSSI of La Redoute. “We have to equip ourselves but also equip ourselves with teams capable of knowing what is happening and reacting”.
Jérôme Pellois, CISO of La Redoute, speaks at the Cybermatinée Sécurité Hauts de France 2021 of Le Monde Informatique, broadcast on May 5, 2021. (credit: LMI)
As part of its web activities, La Redoute has relied on the Google Cloud infrastructure and in particular, from a cyber point of view, on the tools of the American giant: “[…] anti-DDoS Cloud Armor from Google to stop Internet attacks and also monitor sites with an anti-bot”, explains Jérôme Pellois. A tool that fits perfectly into the anti-fraud effort deployed by the group to ensure that only real customers or visitors browse its website. As such, an anti-fraud system developed in-house by La Redoute’s internal teams has been designed with end-to-end customer monitoring to flag whether customer behavior is unusual, such as using several bank cards or having an order delivered to an unusual place. Fraud scoring is thus used to enable La Redoute to check the legitimacy of a customer journey and/or an order.
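To make the fraud-scoring idea concrete, here is an added example (not La Redoute’s system, whose rules and weights are not described on the page) that scores each order against the customer’s prior journey: several distinct cards, a first delivery to a new country, a high amount and repeated payment retries each add to the score, and orders above a threshold are routed to review rather than rejected outright. The rule weights, thresholds, the `Order` fields and the sample journey are all assumptions constructed for the example.

```python
"""Rule-based fraud scoring over a customer journey (added example, illustrative rules)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: str
    customer_id: str
    card_fingerprint: str   # hashed card token, never the raw PAN
    delivery_country: str
    amount_eur: float
    payment_attempts: int = 1


@dataclass
class CustomerHistory:
    """What we already know about a customer before the current order."""
    cards: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    orders: int = 0


# Weights and thresholds are assumptions for this example, not real values.
RULE_WEIGHTS = {
    "many_cards": 40,
    "new_delivery_country": 25,
    "high_amount": 20,
    "payment_retries": 15,
}
MAX_CARDS_OK = 2
HIGH_AMOUNT_EUR = 500.0
REVIEW_THRESHOLD = 50


def score_order(order, history):
    """Return (score, triggered_rules) for one order given the customer's history."""
    reasons = []
    cards_after = history.cards | {order.card_fingerprint}
    if len(cards_after) > MAX_CARDS_OK:
        reasons.append("many_cards")
    # A first-ever order has no baseline, so the "new country" rule only fires later.
    if history.orders > 0 and order.delivery_country not in history.countries:
        reasons.append("new_delivery_country")
    if order.amount_eur >= HIGH_AMOUNT_EUR:
        reasons.append("high_amount")
    if order.payment_attempts > 2:
        reasons.append("payment_retries")
    score = sum(RULE_WEIGHTS[r] for r in reasons)
    return score, reasons


def run_journey(orders):
    """Score orders in sequence, updating per-customer history as we go.

    Returns {order_id: (decision, score, reasons)}.
    """
    histories = defaultdict(CustomerHistory)
    decisions = {}
    for o in orders:
        h = histories[o.customer_id]
        score, reasons = score_order(o, h)
        decision = "review" if score >= REVIEW_THRESHOLD else "accept"
        decisions[o.order_id] = (decision, score, reasons)
        # Update history only after scoring so the current order cannot vouch for itself.
        h.cards.add(o.card_fingerprint)
        h.countries.add(o.delivery_country)
        h.orders += 1
    return decisions


# Constructed sample journey: customer c42 behaves normally, then a suspicious order.
SAMPLE_ORDERS = [
    Order("o1", "c42", "card_a", "FR", 79.90),
    Order("o2", "c42", "card_a", "FR", 120.00),
    Order("o3", "c42", "card_b", "FR", 45.00),
    Order("o4", "c42", "card_c", "RO", 899.00, payment_attempts=4),
    Order("o5", "c7", "card_z", "BE", 650.00),
]

if __name__ == "__main__":
    for oid, (decision, score, reasons) in run_journey(SAMPLE_ORDERS).items():
        print(f"{oid}: {decision} score={score} reasons={reasons}")
```

The design point worth noting is that history is updated only after an order is scored, so a third card or a new delivery country is judged against what the customer did before, not against the order under suspicion; a review decision also keeps a human in the loop rather than blocking a possibly legitimate customer.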
Not deciding what action to take in the heat of the moment
Having been confronted with several cyber crises, ranging from intrusions to extract data from a commercial site to attacks such as ransomware or data theft via malicious connections to IT systems, the CISO of the Mobivia group, Nicolas Bourgeois, has learned some lessons. “What is important to initiate is not the day of the attack but before, to identify which stakeholders are required to intervene and their role depending on what may happen”. And the security director continued: “it’s not in the heat of the moment to decide what measures to take right away”.
Even if it is not an obligation, it is better to warn users when illegitimate connections are made without their knowledge using credentials stolen in social-network hacks, for example, advises Nicolas Bourgeois. (credit: LMI)
Also as DPO, Nicolas Bourgeois recounts having drawn on his crisis experiences to apply the lessons learned in terms of personal data. “With the GDPR, notification obligations must be taken to inform the persons concerned,” says Nicolas Bourgeois. “We have mandatory notifications in some cases, not all the time”. In a scenario where no such obligation exists, the company still has an interest in taking the lead and informing the people concerned, adapting to the circumstances. “Even if it’s not an obligation, it’s better to warn them,” advises Nicolas Bourgeois. And Mobivia’s RSSI/DPO illustrates his point with a case where username and password pairs recovered from social-network hacks were used by hackers to test them in order to connect, without the users’ knowledge, to legitimate sites. “The risk is limited, but as the hackers used data to access illegitimately, we took the lead in informing the users concerned of these connection attempts”, explains Nicolas Bourgeois.
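The case Nicolas Bourgeois describes, leaked credential pairs replayed against a legitimate site, is usually visible in the authentication log as one source trying many different accounts in a short time. The added example below (not Mobivia’s tooling; the one-line-per-attempt log format and the sample lines are constructed assumptions) flags such sources with a sliding time window and then separates the accounts that were actually accessed from those that were only attempted, which is exactly the split a DPO needs when deciding who to notify and with what wording.

```python
"""Spotting credential-stuffing in an auth log and listing whom to notify (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse the assumed format: '<ISO ts> ip=<addr> user=<name> result=OK|FAIL'."""
    ts_s, ip_s, user_s, result_s = line.split()
    return {
        "ts": datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip_s.split("=", 1)[1],
        "user": user_s.split("=", 1)[1],
        "result": result_s.split("=", 1)[1],
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that hit at least `min_users` distinct accounts within `window`.

    Returns {ip: {"attempted": set_of_users, "succeeded": set_of_users}}.
    Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in events[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged[ip] = {
                    "attempted": {e["user"] for e in events},
                    "succeeded": {e["user"] for e in events if e["result"] == "OK"},
                }
                break
    return flagged


def users_to_notify(flagged):
    """Return (accounts actually accessed, accounts only attempted) across flagged IPs."""
    accessed, attempted = set(), set()
    for info in flagged.values():
        accessed |= info["succeeded"]
        attempted |= info["attempted"] - info["succeeded"]
    return accessed, attempted - accessed


# Constructed sample log: one source cycles through six accounts in three minutes,
# one normal user mistypes a password once and then logs in.
SAMPLE_LOG = [
    "2021-05-05T10:00:01Z ip=198.51.100.23 user=alice result=FAIL",
    "2021-05-05T10:00:20Z ip=198.51.100.23 user=bob result=FAIL",
    "2021-05-05T10:00:41Z ip=198.51.100.23 user=carol result=FAIL",
    "2021-05-05T10:01:05Z ip=198.51.100.23 user=dave result=FAIL",
    "2021-05-05T10:01:30Z ip=198.51.100.23 user=erin result=OK",
    "2021-05-05T10:02:55Z ip=198.51.100.23 user=frank result=FAIL",
    "2021-05-05T10:03:10Z ip=203.0.113.9 user=alice result=FAIL",
    "2021-05-05T10:03:25Z ip=203.0.113.9 user=alice result=OK",
]

if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    accessed, attempted_only = users_to_notify(hits)
    print("flagged sources:", sorted(hits))
    print("accounts accessed (notify, force password reset):", sorted(accessed))
    print("accounts only attempted (inform of the attempt):", sorted(attempted_only))
```

Users whose account was actually entered need a password reset and a clear notice; users whose account was merely tried can be told their credentials appear in a leak and be invited to change them, which matches the “warn them even if it is not an obligation” stance above.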
Joseph Graceffa, president of the Clusir Nord de France, at the Cybermatinée Sécurité, recalled how the members of the club adapted by mobilizing over videoconference, which, as for DSI Gun, was far from being in its DNA. (credit: LMI)
During the Hauts de France Cybermatinée Sécurité, the Clusir Nord de France and DSI Gun clubs had the opportunity to give their perspective on the past health crisis and its associated cyber impacts. “We have seen an explosion of phishing attacks among our members, which has been a reality for all companies,” said Joseph Graceffa, president of the Clusir Nord de France. “Bring your own device has brought its share of good but above all bad surprises, which have not necessarily been anticipated in all security policies”. Will this crisis serve as a trigger in terms of cyber recruitment? “Companies have lost resources because they were unable to attract good profiles. But not one CISO has seen his resources frozen or has not been listened to,” assures Joseph Graceffa.
“For IT decision makers, the period has been very stressful and many actions have been put in place to better clarify the level of risk. The main teachings are human and technical, and we don’t know if we are being attacked, it’s a major fear of our members. The ability to surround yourself with the right profiles for which cyber is the day-to-day business is what we can put in place to counter this threat”.