In his youth, Dominic Villeneuve was a hacker for several years. The arrest and imprisonment of other hackers he knew gave him pause. In his early 20s, he decided to change sides. Today he uses his knowledge and skills to counter cyberattacks. As director of security and infrastructures at UV Insurance, his mission is to protect the insurer’s infrastructures and the continuity of its services.
“We have to change our methods!”
During his presentation at the Cybersecurity Forum, Villeneuve painted a troubling picture of the situation and the risks that companies face in 2019 and 2020.
“The speed at which attacks evolve is incredible,” he says. Our policies and top managers weigh us down. Hackers and groups move much faster than we do. We have to keep pace. What they want is our information and our money, and we have to be able to react accordingly.”
Villeneuve says that when it comes to protecting companies from cyberattacks, it takes way too long for decisions to come from above. “We can’t just sit back and wait two or three months, or six weeks to put something in place,” he says. “When an attack happens, starting the very next day we can see attacks hitting our firewalls. It’s extremely quick.”
Keeping pace with hackers
We have to constantly adapt our methods in order to respond effectively to external and internal hacking attempts, he urges. This is what UV Insurance did following the wake-up call triggered by the recent cyberattacks which hit the industry.
The insurer appointed Villeneuve as security manager. He first performed internal analyses, then produced an action plan, made recommendations, ranked steps in order of priority and informed top management, employees and the board of directors of the risks. He pulled out all stops to face this threat head on.
Raising executives’ awareness
Convincing top management of the seriousness of potential cyberattacks, and of the need to invest major resources and means in prevention and security can be a daunting task.
“To reach this goal, we need to quantify and demonstrate the reality of cyber threats. It’s not always obvious. It’s a question of repercussions and risks,” Villeneuve explains.
At UV Insurance, awareness raising was easy because CEO Christian Mercier was already very receptive to security concerns. In many companies the task is more challenging. Villeneuve says that current events should serve as an example and a reference to convince top managers to prioritize security.
Recent news about the financial world justifies the efforts and proactive measures, he continues, adding that the media has the strongest impact on top management’s vision.
“Look at what’s happening around us. We don’t want it to be our turn. We have to prepare and learn from what we see around us. Cyberattacks and communication of the impact on other financial industry players has helped us spread the message,” he explains.
Conveying information to top management
Top management needs to be informed of cases of theft of personal information or cyberattacks in the sector, Villeneuve adds, along with the security statistics of the business and hacking attempts against it.
“This information must escalate up to top management to raise their awareness of the problem,” Dominic Villeneuve explains. “When you are the victim of a hacking attempt, when people try to deceive you, the executives need to know about it. Every month, at UV Insurance, I report to top management on our successes, sometimes more difficult challenges, and the campaigns we did internally. A colleague tells the board about our activities.”
As a result, UV Insurance has seen a change in the attitude of its Board of Directors, which now says it is very attuned to security matters.
All the same, Villeneuve is dismayed that in the industry some solid action plans designed to respond to data security breaches and cyberattacks never progress beyond the planning stage. “This was not the case at UV Insurance, but in some companies it’s very difficult to execute plans because of costs, deployment efforts and insufficient resources,” he says.
