Guaranteeing information system security through enhanced cybersecurity at Bolloré Logistics and among its partners and customers
The digitalization of the supply chain has evolved, leading to a rapid transformation of Bolloré Logistics’ environment while generating a wealth of opportunities and risks. Like other companies, Bolloré Logistics is increasingly vulnerable to the following risks:
• reputational damage or reduced turnover due to a data breach;
• systems risks due to unauthorized access or control of a system;
• system vulnerability inherent to cloud data storage and cloud computing.
According to a study conducted in 2019 by CESIN (an association of information and digital security experts), eight in ten companies claim to have been badly affected by cyber attacks that seek out sensitive company data or personal information (e.g. bank data, login details, etc.) in order to use or sell it for profit. The CESIN study underlines the severe consequences of these attacks on company activity (production stoppage, significant unavailability, loss of turnover, etc.). Phishing and ransomware are well-known examples of malicious acts that harm private individuals and companies.
The information system security policy is overseen by the Information Systems Department, organized by the Bolloré Transport & Logistics division and managed by the Chief Information Security Officer. It was updated in 2019 and therefore applies to all business units, including Bolloré Logistics.
This policy underpins the information system strategies as well as the charters for information system users and administrators. The information system security management system aims to:
• prevent by minimizing exposure to risk through suitable measures;
• react effectively to incidents and crises;
• check the proper application of measures and compliance to ensure the continuous improvement of information security.

The information system security management system (ISMS) used in the Group is based on the ISO 27001:2013 standard, which manages security in all of its subsidiaries worldwide. It is also based on a delegation and responsibility model with the use of the LISO (Local Information Security Officer) network.

In its transport and logistics organization activities, Bolloré Logistics exchanges data with its external partners, such as transport and data suppliers and customers. Thus, the company’s policy covers cyber resilience issues in order to:
• implement security measures to respond to cyber risks identified by General Management;
• guarantee the service provided to customers of the Information Systems Department to meet the expectations of Bolloré Logistics’ end customers;
• ensure the security of data processed on behalf of customers;
• ensure the security of information system users’ personal data;
• comply with the contractual and regulatory requirements in terms of information security.
Thus, a comprehensive system is in place combined with specific documents and procedures, such as the access control, server security, application-based security plan, backup, audit and physical security strategies. A master plan with a three-year road map is periodically monitored by the company’s General Management. The ISO 27001:2013 certification process is underway with the aim of achieving certification by late 2021.
The IT System Department uses EGERIE solutions to manage risk. In 2019, Bolloré Transport & Logistics set up a Security Operations Center to help the company and its subsidiaries better respond to current risks and develop resilience and expertise on these sensitive information security breach topics. Specific Bolloré Logistics issues in this area are analyzed and taken on board in a specific cybersecurity approach.
In May 2020, following a major cybersecurity incident at one of the Bolloré Transport & Logistics subsidiaries in Africa, General Management accelerated the road map with the mass deployment of a reinforced process across the whole of the scope’s information system.

To bolster its malicious activity detection capacity, Bolloré Logistics is equipped with anti-virus software with EDR (Endpoint Detection and Response), which helps to protect the company via emerging threat detection technology on endpoints (computers and servers); it carries out behavioral analyses and triggers an appropriate automatic response. Any attack is therefore analyzed station by station with an overview across the base. The EDR monitoring is paired with an NDR (Network Detection and Response) system to enhance the protection of networks used by the company and correlate the information with the analysis of computer and server activity to block cyber attacks.

For maximum protection of its assets (IP addresses, brands, domain names, etc.), Bolloré Logistics also calls on an external Cyber Threat Intelligence (CTI) firm to closely monitor its online exposure and trigger warnings to ensure the prompt roll-out of adequate action to defend the company against intruders.

Since 2016, an audit has also been conducted on each of the applications drawn up by the company and in the relevant countries in the network in order to test the exposure of these computer programs online before their inclusion in our information system. Each of the periodic internal intrusion tests is accompanied by an action plan to ensure compliance. The assessment of the company’s monthly exposure analysis compared with other lines of business highlights the sound management of this risk by the dedicated teams in the network’s 109 countries.

For awareness-raising, Bolloré Transport & Logistics calls on Terranova’s solutions.
Two information security e-learning courses were rolled out in 2020 to employees in the various business units, including Bolloré Logistics, via the internal training platform. The first module, ‘Phishing’, explains to employees what phishing is, with two main objectives: understanding what phishing is and identifying threats to information security, and recognizing and identifying the components of a phishing email and website. The second module, ‘Passwords’, is an e-learning course which helps employees to understand the importance of passwords and teaches them to create a strong password that is relatively easy to remember. At the end of October 2020, 74% of Bolloré Logistics employees were thus educated on information security breaches.