Damage from information leakage
The amount of damage from information leaks is difficult to estimate in hard terms. In addition to direct losses, the damage includes reputational costs, loss of customers and sales markets, and the cost of replacing software and retraining employees. The benefit received by those who commissioned the theft is not always comparable to the costs incurred by the injured company.
Types of threats
Those who may find themselves in the camp of thieves of other people's information include not only public figures, such as hackers or groups specializing in breaking into other people's correspondence, for example Humpty Dumpty. Yes, the loud effect of personal letters of deputy prime ministers or other public figures appearing in the open press makes an impression and often entails really large damage. But theft of data by means of competitive intelligence is much more dangerous for business, and for citizens the greater danger is the appearance in the public domain of databases containing car numbers, medical histories, real estate records or recordings of telephone conversations. Despite measures to protect personal information, the activities of Roskomnadzor and the introduction of the latest protection systems, the level of risk does not decrease.
Damage to government organizations
Government structures find themselves in the same risk zone as commercial ones. They are threatened not by competitors but by the following groups of persons:
- organizations directly interested in the theft of state secrets, important information, know-how and other information that can be used for commercial purposes;
- hackers making a name for themselves on high-profile scandals with hacking of protected systems and data leakage;
- foreign intelligence and terrorist organizations.
The abundance of risks forces government agencies to take protection more seriously than commercial organizations can afford to. The damage caused entails not only financial losses for the budget but also direct threats to the safety of citizens. Sometimes the incidents are less dangerous than they are public. In January 2017, for example, a new episode of the Sherlock series was leaked from the protected resources of Channel One. The situation demonstrated critical flaws in the information security system of the largest Russian TV channel, related to the possibility of stealing content protected by agreements on compliance with licensing requirements. It would seem to be an insignificant event, but it makes it possible to imagine the risks associated with external penetration into databases and the substitution of information in the most important programs. The content was in a secure database with practically no access from network connections, and it was most likely stolen through the actions of insiders rather than abstract hackers; however, the very fact of the theft speaks of the negligence of the services responsible for protecting the perimeter.
The channel commented on the situation, noting that it was due to the actions of one of its employees, who "violated strict security protocols by committing criminal negligence in the performance of official duties." The damage in this case was both reputational, since it undermined partners' confidence in the channel and its systems for protecting commercial information, and direct: audit, checks, software updates. Similarly, the inadvertent distribution of data on 17 thousand insured persons by the FIU in the summer of 2017 gave the protection systems of state organizations a bad reputation. The damage consisted not only in the moral harm caused to these persons but also in the need to improve control over data that could be inadvertently transmitted through e-mail channels.
Direct damage to businesses
It is curious that companies that professionally deal with information security are not protected from leaks either. In April 2017, several key market players received an email inviting them to purchase a competitor's client list. A flaw in the company's relations with its own staff led to a possible reduction in its client base: customers cannot trust developers who cannot protect their own resources. In addition to the client base, the anonymous well-wisher made the personal data of all employees of the competing company, including their mobile phone numbers, available to everyone. The most obvious form of direct damage here could be employees' claims for compensation for moral harm caused by the leak of their personal data. In addition to such claims, the category of direct damage includes:
- claims of counterparties related to the dissemination of information containing their trade secrets;
- fines from regulators of activity, for example, Roskomnadzor or the Central Bank;
- information ransom costs: hackers who have stolen important data often offer to return it for a fee;
- the cost of restoring destroyed information security systems or software updates;
- theft of cryptocurrencies.
For example, in 2017 one blockchain start-up incurred the largest direct damage from cybersecurity crimes, in the amount of $31 million. Hackers broke into the Tether wallet and obtained data on all transactions related to the issue of the currency. Many similar situations are probably simply not reported in the press; according to experts, up to 15% of electronic tokens fall prey to hackers. Equifax, the credit bureau, incurred the largest security rebuilding spending in 2017. Hackers managed to steal the personal files of 145 million people, roughly half of the US population. The cost of rebuilding the system and compensating for damage was about $90 million. American law strictly regulates the set of measures to be taken in case of loss of important information, among them:
- notification of victims;
- creation of call centers and hot lines, services for communication with investors;
- communicating with the press and conducting PR campaigns to mitigate the consequences;
- participation in the judicial investigation.
The average damage to a large company that loses the personal information of individuals on a significant scale is about $4 million. Losses include legal costs, information support, and lost profit per account.
Indirect damage to commercial organizations
Indirect damage can take different forms. It is not calculated directly from the aggregate amount of losses and expenses for the restoration of violated rights, but is formed by:
- loss of clients who move to more secure banks or law firms. The Cost of a Data Breach study, conducted by the American Ponemon Institute, reports that more than 59% of clients of organizations affected by the activities of hackers or insiders are ready to switch to another service provider;
- loss of markets captured by competitors who have set themselves the goal of destroying the counterparty;
- the costs of developing a new product or technology whose data, together with the know-how, was captured by competitors;
- falling capitalization of a company, reducing the value of its shares or bonds;
- decrease in brand attractiveness;
- increase in advertising and PR costs;
- raider attacks based on the confidential information obtained, which can lead to a complete loss of the business.
Such damage from leakage of confidential data is very difficult to calculate at the time it is inflicted; it can accumulate like a snowball over several years.
Damage to individuals
Individuals in Russia are less likely to suffer from data breach crime than in the United States because credit card data and insurance policies are less prevalent on the Web. In the United States, obtaining such information becomes a means of enrichment. Thus, in 2017, Scott Management, a participant in a popular television show, took possession of the personal data of more than 200 people and used it to obtain $2 million in loans. After being caught, the offender was sentenced to 17 years in prison.
A significant risk for Americans is also the appearance in the public domain of their health insurance card numbers, with which loans and paid medical services can be obtained at someone else's expense. One such card is worth only $1 on the black market, but its loss can cause much more harm. Russian citizens do not suffer in this way; for them the greatest risk remains the moral harm of confidential data getting onto the Network, for example photographs taken during plastic surgery or negotiations with undesirable persons.
Features of damage to banks
Information security standards for commercial banks suggest that the most serious risks of loss lie in the area of insider activity. The regulatory documents developed by the Central Bank offer measures and methods to combat possible leaks of bank secrecy. For credit institutions, the potential damage from information security crimes lies in two dimensions:
- loss of personal data, customer information or transactions;
- direct theft of funds from the accounts of banks and their clients.
In the first case, there are known situations where unscrupulous client managers carried client databases off to other credit institutions, completely depriving the bank of the opportunity to profit from its work. In the second case, there is practically no public information about penetration of bank account systems, since its disclosure could damage the reputation of the banking institution. Data on no more than 8-10 cases of confidential information leakage per year appear on the Internet.
Situations like the one at Channel One can be prevented with modern DLP solutions, which block the copying or redirection of important information through external data transmission channels. In addition, regular and unannounced checks of workstations and network storage are required, scanning file systems in order to detect confidential information that is not stored where security policies require it to be.
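As an added illustration of the file-system check described above (this is example code written for this page, not code from the original article or from any DLP product): a small Python scanner that walks a directory tree, looks for payment card numbers (validated with the Luhn checksum so that ordinary 16-digit identifiers are not reported) and a classification marker, and flags any hit that is stored outside an approved location. The directory layout, the approved "secure" folder, the marker strings and the sample file contents are all constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# 13-19 digit runs, optionally separated by spaces or hyphens (card-number shape)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed classification markers a policy might require on sensitive documents
MARKERS = ("CONFIDENTIAL", "КОНФИДЕНЦИАЛЬНО")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) hits found in one file's text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Report a masked form only; the scanner must not re-leak the data
            hits.append(("card_number", digits[:6] + "..." + digits[-4:]))
    for marker in MARKERS:
        if marker in text:
            hits.append(("marker", marker))
    return hits


def scan_tree(root: Path, approved_dirs: list) -> list:
    """Scan every file under root; flag sensitive files outside approved_dirs."""
    approved = [root / d for d in approved_dirs]
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue                # unreadable file: skip, do not crash the sweep
        hits = find_sensitive(text)
        if not hits:
            continue
        in_place = any(a in path.parents for a in approved)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "hits": hits,
            "misplaced": not in_place,
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one approved store and one public share."""
    (root / "secure" / "cards").mkdir(parents=True)
    (root / "secure" / "cards" / "ledger.txt").write_text(
        "card 4111 1111 1111 1111 approved\n")
    (root / "public" / "share").mkdir(parents=True)
    (root / "public" / "share" / "notes.txt").write_text(
        "CONFIDENTIAL: client list attached\ncard 4111-1111-1111-1111\n")
    # 16 digits but fails Luhn: an order id, should not be reported
    (root / "public" / "share" / "orders.txt").write_text(
        "order 1234567890123456 shipped\n")
    (root / "public" / "readme.txt").write_text("nothing sensitive here\n")


def demo() -> list:
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root, ["secure"])


if __name__ == "__main__":
    for f in demo():
        status = "MISPLACED" if f["misplaced"] else "in place"
        print(f"{f['path']}: {status} {f['hits']}")
```

In a real sweep the approved locations and markers come from the organization's data classification policy, and the findings feed the incident process rather than a print statement; the point of the Luhn check and the masking is that a detection tool should neither drown operators in false positives nor copy the sensitive values it finds into its own output.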
In addition to software methods of combating leaks, systematic work with personnel and timely identification of insiders are required. The search for security gaps should take all modern technologies into account; every new technology that could be used to organize leaks of confidential data must be audited and controlled.
Professional protection against information leaks involves daily monitoring of systems and organizational measures to reduce the amount of damage, for example working with the press. Information risks can be forestalled at different levels. Until Russian legislation develops a system of mandatory measures to be taken in the event of a leak, the amount of damage will remain less than in a similar situation for Western companies, also because the average cost of legal proceedings in the country is still lower than in the United States.