Important trends in corporate security
21.06.2022

In our previous blog post, we described some principles for building a new comprehensive approach to corporate security.

In this article we continue with this topic: we give a brief overview of some information security trends and advice on how top managers can eliminate the ongoing risks.

1)    Comply with regulations

We are now witnessing plenty of different regulations coming into force throughout the world. Their adoption means that more and more requirements are being introduced, which organizations are obliged or recommended to comply with. These regulations should have a positive impact because, although they directly concern technical aspects, they also bear on management- and marketing-related issues.
The first issue is financial loss. Failure to comply with a regulator's requirements results in financial penalties. For example, when its rules are violated, GDPR imposes a turnover-based penalty, which motivates many companies not to neglect spending on information security technologies.
The second issue concerns the organization's image: if a company isn't interested in ensuring its clients' security, it should be ready for its audience to shift to more privacy-driven competitors. In addition, the stricter the rules for gathering and processing users' information are, the less information is gathered, which reduces the amount of data at risk of being exposed. Promotion of such security acts will also raise users' awareness and competence in the information security sphere.
The next trend worth mentioning is the filing of shareholder derivative claims related to cybersecurity incidents. The T-Mobile case of November 2021 is illustrative. A shareholder derivative lawsuit was filed against T-Mobile USA's board of directors, who were accused of inefficient monitoring of, and action upon, obvious red flags. The general idea of this trend is that shareholders point to the personal responsibility of CEOs, blaming them for being unprepared for cyber incidents.
So, what should directors keep in mind? Obviously, it's quite difficult to be a professional in information security if you haven't studied relevant subjects at university and don't have relevant work experience. Nevertheless, as a chief officer, you have to set up the business processes related to information security properly. The most fundamental principles are the following: be up to date and expand your knowledge of the subject; educate and motivate employees; hire real professionals and use advanced software; plan and justify investments in information security. For a more detailed explanation of how to strengthen a company's security system, you may refer to the previous article in our blog.

2)    Passwords

Now let's have a look at some negative tendencies that exist in information security all around the globe. In the current circumstances, when more and more attacks of various kinds take place, people tend to focus on numerous complicated issues. Because of this, attention is often distracted from some basic principles, and some even consider them "outdated". For example, protecting passwords is still of great importance, yet many people ignore this basic aspect of information security. This is illustrated by a recent survey conducted by NordPass experts, who analyzed leaked passwords belonging to the accounts of various managers and heads of organizations. From this information we can draw some conclusions. It can be stated that many top managers seem not to care about security at all. Among the most popular passwords were the following names, numbers, mythical creatures and words: "Tiffany", "Charlie", "Michael", "dragon", "monkey", "123456", "111111", "info", "qwerty", "password". As top managers usually have access to the most critical data, their passwords should be far stronger. This example shows that the information security awareness of many CEOs isn't high enough, which undoubtedly poses serious risks for companies.

3)    There is no absolute guarantee of safety

Try to build and appropriately use a comprehensive security system, stay up to date and well informed about information security threats, and try to reduce your "digital trail". Recent times have seen plenty of information security incidents, and it is becoming more and more obvious that there is simply no single universal solution that guarantees total confidentiality. Everyone should clearly understand that users' data is always at risk, at least to some extent. Recently, an incident involving DuckDuckGo was revealed. DuckDuckGo positions itself as a super-protected browser. However, it was found that the iOS and Android versions of the browser do not block at least two trackers, LinkedIn and Bing, under a private agreement between DuckDuckGo and Microsoft that had been kept secret; non-disclosure is a prerequisite of the contract.

4)     Email 

Email is still considered the riskiest channel for data loss, accounting for 65% of data losses. For example, according to research by Tessian and the Ponemon Institute, nearly 60% of organizations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%). According to some assessments, 90% of cyber-attacks start with phishing. In any case, it's impossible to ignore this everlasting threat.

5)    Investments in the information security infrastructure

When it comes to security, the necessity of investment is indisputable. Investments should be reasonable, of course, but they are still extremely important. To plan an effective investment program, it's crucial to obtain the full picture of what is actually happening in the organization's security system and what the ongoing risks are.
In our previous article we argued that it's very important to raise awareness of security-related issues among employees and managers. This may be achieved through continuous education: theoretical lectures, practical tasks with case studies, and training. Still, there is one more aspect to this issue. Let's shift attention to the links between companies' executives and information security officers. It is becoming more important to maintain and tighten contacts between these employees. If executives continuously receive reports, comments and so on that describe and explain the risks and the methods that can help eliminate them, there is a chance that executives' literacy in information security will grow steadily. The most probable outcome is that the required amount of money is invested. This is an important step, because many companies don't allocate enough funds for information security; these sums often don't exceed 10% of overall investment. However, the use of special protective software, as well as educational practices, is of high importance nowadays.

6)    Last but not least: insider threat

This risk is also often undervalued. Many companies report that there are plenty of risks related to insiders' actions that aren't addressed properly. For instance, according to CyberEdge Group, many companies believe that they are poorly prepared to deal with the insider threat. In the list of preparedness for different threats, insider-related risks were ranked number 9 out of 12. What's more, in the list of the most dangerous risks in the same report, the insider threat was ranked 10 out of 12. Still, human error or malicious behavior is one of the biggest threats. Even when an external attack takes place, it often requires an insider to take part in the violation. According to a Ponemon Institute report, 56% of insider incidents were caused by employee or contractor negligence, and 26% by a malicious insider. The average annual cost per incident for the three types of incidents, including employee or contractor negligence, criminal & malicious insider, and credential thief, amounts to $15,378,635. [2022 Cost of Insider Threats Global Report, Ponemon Institute]
Neglecting the measures required to prevent insider-related risks may have far-reaching consequences. The incident in fact starts not at the point when the intruder takes some specific action (for example, in order to steal information), but at the time when he or she gets access to some critical data. Let's also examine another kind of situation, in which the insider acts not out of malice but makes a mistake through negligence. This situation is even more widespread, but that doesn't mean it's necessarily less hazardous. In this case, once more, the incident doesn't start when the insider decides to take some action. In both cases, the incident's starting point was access to some critical data, because even if a person plans a targeted malicious action, if he or she doesn't have access to the data and isn't able to transmit it in any illegal way, the risk is eliminated at the earliest stage.
Thus, the most effective way to deal with insider-related risks is to use specialized software. For example, a SIEM system helps to control access and compliance with information security policies. A DCAP system classifies data, lets users distinguish which data in the overall document flow has to be protected, and sets rules defining which users or groups of users have access to specific data. And a DLP system ensures that a secure data perimeter is set up, which in turn prevents leaks of confidential and crucial data.

© 2025 SearchInform LTD All rights reserved.