Protecting confidential and personal data from insiders and external attacks is the primary task of a company's information security department. Threats to information grow more serious as attackers' technical capabilities grow, so corporate services must be ready to assess and prevent new threats. How coherent the resulting protection system is depends on how carefully it is designed and implemented.
Types of threats
Corporate systems are exposed to a wide range of information security threats, from data theft by employees to external interference aimed at disabling the protection tools themselves. This pushes enterprises to build their own threat model based on business objectives and the characteristics of their systems. For a small business, corporate security is no less relevant, given the trend toward digitalization and the gradual move of business activity into virtual space.
You have to protect:
- payment for goods and services via the Internet;
- remote connections;
- IP telephony;
- cloud storage;
- virtual servers.
The central task of the information security department is to build such a corporate security system for an enterprise that could cope with the most common types of threats:
- malware (Trojan horses, ransomware, and programs designed to break into the network and steal information);
- spyware and adware;
- DDoS attacks;
- website defacement (replacement of the site's main page);
- social engineering that tricks employees into putting company resources at risk.
The threat model should consider risks from both external sources and insiders. Insiders are responsible for the majority of information leaks and for much of the intentional or unintentional infection of the network with malware.
Companies lose significant funds in the following cases:
- disclosing confidential information to competitors resulting in the loss of markets or customers;
- loss of personal data leading to fines from regulators;
- damages from lawsuits;
- direct theft of assets or funds from electronic accounts and cards, cryptocurrency and other electronic assets;
- image loss.
Today, Russian companies are most often attacked by hacker groups from Russia. Check Point researchers reported that attacks on the resources of Russian companies occur twice as often as the world average: a Russian company is attacked 893 times a week on average, against 465 in global statistics. Alongside password theft, hijacking company information systems for cryptocurrency mining is becoming a popular form of attack.
Attacks from Russian sources account for 39% of the total; attacks on Russian businesses and banks from American sources account for 30%. In 86% of cases the source of infection in the information network was e-mail that was not properly protected. It is notable that in Russia malware is more often packaged as .exe files, whereas worldwide most infections come from .doc files. This suggests that staff at Russian companies continue to download and install cracked and infected programs on corporate computers. Almost 13% of infections of Russian information systems in 2019 involved the XMRig cryptominer, which mines the Monero cryptocurrency. Another 12% of incidents were attributed to the AgentTesla password stealer, which captures victims' keystrokes.
Negligence in handling clients' personal data is an extremely serious risk for banks and financial market organizations. Leaks, mostly the result of insider actions, happen all the time, leading to customer churn and significant loss of profit.
Results of the audit of the corporate security system of the enterprise by the regulator
When assessing risks, one cannot economize on corporate information security. The invested funds do not always pay off in full, and an additional risk is the incompetence of IT departments that insist on their own indispensability and push the company into spending significant resources on software and hardware it does not need to buy.
Funds should be spent systematically and purposefully on solving information security problems:
- confidentiality: protection against leakage threats;
- integrity: absence of intentional or unintentional damage or distortion;
- availability: information resources must be accessible to the company's users and customers whenever they are needed.
Recommendations for building secure systems can be found in the guidance documents of the FSTEC of Russia, which also give guidance on selecting certified and effective software products.
Ways to solve the problem of protection
The features of a corporate information security system are determined by the structure of the business and its branches. Often the network of a company, bank or large public organization uses technical means not only from different manufacturers but also from different generations. This makes the information system hard to manage, and the cost of administering it exceeds the benefit of the invested funds.
It is also necessary to take into account the heterogeneity of a typical corporate information system in terms of network architecture: it is formed from a variety of local and distributed networks.
Regulations and actions of regulators
Information with a high degree of confidentiality is protected by regulatory legal acts of varying significance. The main laws in force in this area are "On information", "On the protection of personal data", "On commercial secrets" and "On objects of critical information infrastructure". Certain issues of the circulation of commercial secrets and liability for their unlawful disclosure are addressed in the Civil and Criminal Codes.
A separate group of normative acts governing corporate security consists of the recommendations and orders of the regulators, the FSB of Russia and the FSTEC of Russia. For banks, the rules for building networks and security systems are developed by the Central Bank of the Russian Federation. These documents show the direction in which a company's information network should develop and help build its architecture for maximum efficiency. GOST standards and Rosstandart regulations also apply in this area.
Regulators demand to build a safety concept based on the following principles:
- use of licensed certified hardware and software purchased under official contracts with the provision of distributions and technical support;
- verification of information objects for compliance with regulatory security requirements;
- preparation of organizational documents with an indication of the list of software tools allowed for use and a ban on the installation of programs not mentioned in them;
- timely updating of operating systems;
- application and updating of recommended anti-virus programs;
- development of differentiated access systems, assignment of confidentiality labels to users and resources;
- creation of an identification and authentication system;
- control over the work of technical support and outsourcing companies that can provoke information leakage;
- development of procedures for backing up software and restoring it after infection.
If these recommendations are fully implemented, they will protect the network from most security threats. To protect files in databases and outgoing traffic, it is advisable to use encryption with cryptographic protection tools certified by the FSB of the Russian Federation.
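As an added example (not from the original page and not from any regulator's guidance), the following Python script shows one way to implement the label-based differentiated access mentioned in the list above: users and resources carry confidentiality labels, a read is allowed only when the user's clearance dominates the resource's label ("no read up"), and a write is allowed only into a resource whose label dominates the user's ("no write down"). The levels, compartments, user names, resource names and the audit list are constructed for illustration and are not part of the page.

```python
"""Label-based access decisions (Bell-LaPadula style) with an audit trail.
Added example; all levels, compartments, users and resources are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Label:
    """Confidentiality label: a linear level plus a set of need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of the other's compartments.
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object's label must dominate the subject's, so a user
    cleared for SECRET cannot copy what they have read into an INTERNAL document."""
    return obj.dominates(subject)


# Constructed sample data (assumption: names and labels are illustrative only).
USERS = {
    "analyst": Label(Level.SECRET, frozenset({"FINANCE"})),
    "clerk": Label(Level.INTERNAL),
    "contractor": Label(Level.CONFIDENTIAL, frozenset({"HR"})),
}
RESOURCES = {
    "press-release.txt": Label(Level.PUBLIC),
    "payroll.xlsx": Label(Level.CONFIDENTIAL, frozenset({"HR", "FINANCE"})),
    "merger-plan.docx": Label(Level.SECRET, frozenset({"FINANCE"})),
}

# (user, action, resource, allowed) records; constructed in-memory stand-in for a real log sink.
AUDIT: List[Tuple[str, str, str, bool]] = []


def check(user: str, action: str, resource: str) -> bool:
    """Decide an access request and record it; unknown users, resources or actions are denied."""
    subject = USERS.get(user)
    obj = RESOURCES.get(resource)
    if subject is None or obj is None:
        AUDIT.append((user, action, resource, False))   # fail closed
        return False
    if action == "read":
        allowed = can_read(subject, obj)
    elif action == "write":
        allowed = can_write(subject, obj)
    else:
        allowed = False
    AUDIT.append((user, action, resource, allowed))
    return allowed


def denied_requests() -> List[Tuple[str, str, str, bool]]:
    """Entries the security service would want to review."""
    return [entry for entry in AUDIT if not entry[3]]


if __name__ == "__main__":
    for u, a, r in [("analyst", "read", "merger-plan.docx"),
                    ("analyst", "write", "press-release.txt"),
                    ("clerk", "read", "payroll.xlsx"),
                    ("contractor", "read", "payroll.xlsx"),
                    ("clerk", "write", "merger-plan.docx")]:
        print(f"{u:10} {a:5} {r:20} -> {'ALLOW' if check(u, a, r) else 'DENY'}")
    print(f"{len(denied_requests())} denied request(s) for review")
```

Run directly, it prints a decision for each constructed request. Note that the contractor is refused payroll.xlsx even though the level matches, because the HR-only clearance lacks the FINANCE compartment, and that the pure rule lets the clerk write into the SECRET document without being able to read it; many practical deployments tighten can_write to require equal labels so that users only write at their own level. The denied_requests list is the kind of record that would be forwarded to a SIEM or the security service.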
Organizational, software and hardware tools
When building the system, an integrated approach is needed that takes into account the compatibility of software and hardware and builds them according to a single plan. With a "patchwork" approach, some characteristics are often improved at the expense of others, and system resources, staff and budget are insufficient to keep all nodes and modules working, updated and supported at the same time.
The choice of software and hardware for a unified corporate security system is individual to each company, whereas organizational measures are much the same for almost all market participants that are personal data operators or work with highly valuable confidential information.
The regulator instructs the operator of personal data to create a coherent system of organizational measures in which they are hierarchically subordinate to each other. There are two documents at the top level:
1. The information security policy or strategy, containing all the parameters that determine how the system works: how resources are ranked by degree of confidentiality, how unauthorized access is prevented, how access levels are determined, and the rules for using resources.
2. The personal data processing policy, which describes the purposes and methods of processing and the rights of users. This document is made publicly available and posted on the company's website; failure to do so may result in remarks, fines or orders during regulator inspections.
At a lower level of regulation of the corporate security system of the enterprise, it is necessary to prepare and approve:
- policy of working with paper media;
- list of confidential information;
- the procedure for working with removable media;
- the procedure for obtaining access to the Internet and e-mail and their use;
- the procedure for determining the degree of user access to data and the rules for changing it.
In addition to documents, procedural measures are needed to protect confidential information: installing electronic locks, introducing physical access control, and defining rules for training users. Alongside these tasks, technical and software protection measures are introduced.
Software and hardware information security
In its guidance documents, FSTEC defines requirements for the composition of the software needed to ensure the company's security:
- firewalls that restrict movement from one protected segment to another;
- anti-virus tools that detect new security threats;
- trusted boot tools;
- intrusion detection tools;
- means of cryptographic protection.
In addition to these, businesses often implement:
- network health monitoring systems;
- vulnerability scanning systems;
- SIEM systems that detect information security incidents and report them to the security service;
- DLP systems that prevent data leaks from the protected information perimeter and restrict access to highly confidential resources.
Implementing these solutions makes it possible to build corporate security at a comfortable level, without overloading IS resources and personnel, while providing the highest achievable degree of security.