Business information security
Information security is becoming an essential component of running a business successfully. Cybersecurity experts at Cybersecurity Ventures reported that hacker attacks occurred every 14 seconds in 2019. Sberbank predicted that the cumulative global losses of companies from information risks will reach $2.5 trillion. The actions of insiders carry just as much risk. At the same time, company management is not always able to fully assess the risks and build a strategy of actions that can minimize threats.
Experts conclude that threats to business information security are becoming more significant. In 2019 alone, the number of cases involving social engineering methods increased by 6%. Cyber fraudsters attack Russian companies 1.6 times more often than the global average. This may be because domestic business pays less attention to assessing threats and protecting against them. Organizations in the financial sector are at the greatest risk: SAP CIS reports that 1-2 banks are attacked monthly and that the average damage from an attack is $2 million. But since personal data is the most popular commodity on the black information market, organizations that serve the retail public also need to think about their security: mobile operators, transport and travel companies.
Large companies are attacked dozens of times a day, while cyber fraudsters constantly scan the information security perimeter, monitor vulnerabilities and test new malicious software. If the company itself spends significant budgets on protection against information security threats, then its suppliers and contractors, small firms that carry out individual orders, become more vulnerable and, along with their data, lose customer information. Insider risks are equally serious if the organization does not use a restricted access system and does not build a multi-layered defense.
For an ordinary company, whose information has no significant independent value for fraudsters, the greatest threats are:
- malware of various kinds (ransomware, network worms). Ransomware poses the greatest threat: a ransom is demanded for the return of data that includes not only trade secrets but also operational data;
- spam, which makes it difficult to process external correspondence and clogs information flows;
- actions of insiders who steal or modify data;
- phishing attacks associated with spoofing site addresses;
- corporate espionage commissioned by competitors;
- network attacks;
- DDoS attacks causing denial of service;
- theft of equipment and mobile devices containing confidential information;
- targeted attacks;
- sabotage by employees.
Insider threats, intentional and unintentional, can also be classified:
- vulnerabilities in software or in the hardware part of the system that were missed because of employee incompetence;
- accidental information leaks;
- intentional leaks, whether bought by competitors or by intermediaries on the stolen-data market, or committed out of revenge;
- data leaks associated with the exchange of confidential information via mobile devices;
- loss of mobile devices or computers;
- information leakage from service providers and other counterparties.
Information of the following types is most often stolen:
- publicly available internal operational information;
- personal data of clients;
- customer database of the company;
- closed financial information, management reporting;
- intellectual property;
- marketing research, research about competitors;
- payment information, data on bank transactions.
A separate risk is the virtualization environment. Companies are moving to the cloud to save on storage and business applications. Service providers are not always able to provide the required level of information protection, especially for personal data, where the regulator's requirements must be met.
It is difficult to calculate the actual damage to a business from information security threats. It can only be estimated from the available figures together with analysis of the hidden part of the problem, since most companies try to conceal data on incidents in order to avoid reputational costs. Experts believe that in one year business loses an amount from attacks comparable to the cost of implementing the entire Digital Economy project over six years (1.5 trillion rubles in 2019 alone, according to estimates). The damage takes several forms:
- actual: money missing from accounts, sums paid to extortionists who infected the system with ransomware, and losses from the suspension of business processes. Fines paid to the state and damages awarded to clients in lawsuits won over the company's loss of valuable information become a separate expense item;
- calculated: the lost profit from the leak of valuable information, estimated from the company's financial indicators, plus the amounts spent on a hasty upgrade of the information security system;
- reputational: the company loses markets and customers, and its share price falls once its careless behavior and insufficient protection of important data become known.
Damage may surface only after a long time, for example when know-how stolen by an insider turns up in the hands of competitors years later.
Company management takes an ambivalent position on business information security: sometimes threats are overestimated, sometimes underestimated.
Kaspersky Lab gives the following figures:
- 41% of companies consider protecting data from targeted attacks a top priority;
- 91% underestimate the risks of using malware;
- most businesses consider anti-virus software the only protection they need;
- internal threats, insiders cause leaks in 87% of cases.
The lack of a clear understanding of one's own threat model leads either to overspending on security budgets, when funds go to the latest software, or to underestimating the necessary funding, and the damage that follows is the result of unprofessional management decisions.
The chosen methods of ensuring the information security of a business depend on the threat model. In banks and other financial sector organizations, information on customer deposits and accounts is most at risk. From mobile operators, hackers want clients' personal data or call records. In industry, the attackers' goal may be to seize control of an enterprise's information system and halt it.
The list of protection methods depends on various factors:
- the level of protected information;
- recommendations of regulators;
- available time, financial, human resources.
The basis for building a business information security strategy is often not a real-world threat model but the way managers themselves imagine the risks, based on the press, analytical reports, or the influence of IT staff.
The priorities are:
- data protection against targeted attacks on confidential company information - 41%;
- data protection against leaks regardless of their characteristics - 34%;
- prevention of DDoS attacks (regardless of business model) - 29%;
- building a system of protection against computer failures - 23%;
- return on investment in IT infrastructure - 20%;
- making a decision on further financing of IT infrastructure.
A separate issue, unrelated to management priorities from the business point of view but important for deciding on a system of protective measures, is compliance with regulators' requirements on the protection of state or bank secrets and personal data.
Measures and methods of ensuring information security of business
Surveys show how Russian business builds its information security systems. Rarely does anyone consider it necessary to apply the full range of software, technical and organizational measures, even when regulators prescribe them. Most often, substitute hardware and software are used with a promise to install the required ones as soon as possible.
Most enterprises build a system of priorities based on the business model and available financial resources. Among the main ones:
- anti-virus protection and other protection against malware on computers;
- control over software updates, elimination of security gaps identified in new versions, purchase of certified software;
- network architecture management, allocation and protection of critical areas;
- control over the use of removable media;
- ensuring the safe use of mobile devices;
- control over the security of cloud services;
- external security audit;
- implementation of systems for monitoring the health of elements of the IT system;
- control over leaks and installation of DLP systems;
- information and incident management, installation of SIEM systems;
- use of means of cryptographic protection;
- IT lifecycle management systems (PC Lifecycle Management);
- mobile device management (MDM) systems.
Security solutions are often developed by companies without relying on the regulators' requirements that recommend measures for protecting personal data. They are driven by business needs and budgets, and even the risk of audits does not force businesses to apply the entire recommended system of measures. Perhaps this is what invites frequent attacks by hackers who understand the vulnerabilities of most business information security systems. For banks, the heightened danger of cyber attacks creates the need to develop their own security systems in accordance with international standards and the requirements of the regulator - the Central Bank.
A separate task is to unite the interests of individual businesses in the fight against global threats, since no single company can fight cyber terrorism on its own. Large corporations create associations within which they exchange experience and technologies for responding to cyber attacks. The same happens within the state project GosSOPKA, where the owners of critical information infrastructure objects respond jointly to cyber attacks. Such collaboration further reduces the risk of damage from hackers.