Information security of economic activity
Information threats to the security of economic activity become more noticeable every year. Because technical tooling has become so simple, even a schoolchild can mount an attack on the information system of a small company.
Information security threats
The globalization of the information space and the development of new types of cyber weapons have led to Russian economic entities becoming targets for international corporations and foreign states. Some cyber attacks are carried out by hacker groups working for the governments and defense ministries of other countries. China has been particularly successful in this regard: its cyberattack professionals target Russian and foreign support systems, databases and cloud storage.
When analyzing a hypothetical or practical model of the threats relevant to the information system of a particular enterprise, the following are treated as separate units of protection and optimization:
- incoming and outgoing information flows;
- security management methods;
- elements of the information network architecture.
Traditionally, threats are divided into internal and external. Internal (insider) threats are often associated with the activity of the company's competitors. External threats are random or targeted and are associated with the place the enterprise occupies in the general economic and information infrastructure of the country.
Companies must understand that the constant increase in the level of threats creates the need to defend themselves in all directions. A feature of recent years has been the use of IoT devices in information attacks: every coffee maker or refrigerator connected to the Internet becomes a potential source of DDoS traffic.
To implement an effective information security system for economic activity, it is necessary to create a unified database that stores all information about the information security incidents that have occurred, the methods and techniques used to counter them, and the opinions of specialists on threat analysis. When creating such a knowledge base, you need to rely on the concept of information and economic security, which implies a state of commercial, financial, industrial and any other business activity in an enterprise in which causing economic damage to it is impossible or difficult. The threat model depends on the type of business, the sector of the economy, personnel policy and the resources used.
This category of risks is taken into account by all companies when building a business information security system. The HR and security services of the enterprise build a multi-level defense system, introducing differentiated access models, two-factor authentication and technical controls. But, as practice shows, not all risks are taken into account.
Potential threat sources are:
- lower- and middle-level employees who cause leaks and failures unintentionally, through carelessness or ignorance of the basic rules of information security;
- employees who intrude into the information security perimeter in order to substitute information and steal resources;
- employees who supply data to competitors, or customers' personal information to operators on the black market for information services;
- senior executives interested in transferring the most valuable information resources to competitors;
- IT or security personnel who not only have unrestricted access to data but can also conceal their actions.
When drawing up your own strategy for implementing the organization's information security system, you should take into account all the features of the enterprise's personnel structure and pay attention to preventive actions, education and training of employees.
Insider threats of a technical nature
Since USB drives have become the most significant vector for data theft by employees, their use at the enterprise must be excluded except in directly regulated cases, for example, for retrieving information from remote sensors. Such use must be strictly regulated, and the drives must be checked by antivirus software, which prevents infection of the system with malware.
Low employee awareness of information security issues creates risks for the company when e-mail is used. Employees:
- share one company mail account, which makes it impossible to control the sending of confidential information to third parties and to find out who exactly leaked it;
- use personal mailboxes for corporate negotiations, increasing the risk of data interception and reducing the degree of control;
- open attachments that may contain malware;
- respond to phishing emails, exposing passwords, logins and other confidential information.
Email filtering software can help you avoid most risks of infection or spam, and connecting only part of your employees' PCs to the Internet will reduce the risk of data leakage through external email channels.
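The phishing risk described above (and again under criminal liability below, where phishing is defined as mail sent from addresses similar to ones the recipient knows) can be partly caught at the filtering stage. The following added example, which is not code from the original article, scans constructed mail-log lines and flags senders whose domain is a lookalike of a trusted partner domain (either a one- or two-character typosquat or a Cyrillic-homoglyph substitution) and senders using personal webmail for corporate correspondence. The trusted and webmail domain lists are assumptions for the demonstration.

```python
"""Flag lookalike and personal-webmail senders in a mail log (added example)."""
from __future__ import annotations

import re

# Assumed allow-list of partner domains the company corresponds with (constructed).
TRUSTED_DOMAINS = {"corp-bank.ru", "example-partner.ru"}
# Public webmail providers whose use for corporate mail the article discourages.
WEBMAIL_DOMAINS = {"mail.ru", "gmail.com", "yandex.ru"}
# Cyrillic letters that render identically to Latin ones (small constructed map).
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                            "с": "c", "х": "x", "у": "y", "і": "i"})
FROM_RE = re.compile(r"from=<([^>]+)>")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance to a trusted domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lowercase and fold known Cyrillic homoglyphs to their Latin look-alikes."""
    return domain.lower().translate(HOMOGLYPHS)


def classify_sender(address: str) -> str:
    """Return one of: trusted, personal-webmail, homoglyph-lookalike,
    typosquat-lookalike, external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in WEBMAIL_DOMAINS:
        return "personal-webmail"
    folded = normalize_domain(domain)
    if folded != domain and folded in TRUSTED_DOMAINS:
        return "homoglyph-lookalike"      # looks trusted only because of Cyrillic letters
    if any(1 <= levenshtein(folded, t) <= 2 for t in TRUSTED_DOMAINS):
        return "typosquat-lookalike"      # one or two edits away from a trusted domain
    return "external"


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Extract the sender from each log line and classify it."""
    results = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            results.append((m.group(1), classify_sender(m.group(1))))
    return results


# Constructed sample log lines; "corp-bаnk.ru" below contains a Cyrillic "а".
SAMPLE_LOG = [
    "2024-05-01T10:00:01 from=<ivanov@corp-bank.ru> to=<buh@company.local> subject=invoice",
    "2024-05-01T10:02:14 from=<petrov@corp-bаnk.ru> to=<buh@company.local> subject=urgent",
    "2024-05-01T10:05:30 from=<support@corp-bamk.ru> to=<ceo@company.local> subject=login",
    "2024-05-01T10:07:45 from=<sidorov@mail.ru> to=<sales@company.local> subject=contract",
    "2024-05-01T10:09:00 from=<news@unrelated.org> to=<all@company.local> subject=digest",
]

if __name__ == "__main__":
    for sender, label in scan_log(SAMPLE_LOG):
        print(f"{label:22} {sender}")
```

The homoglyph table is deliberately small; a production filter would use the full Unicode confusables list and also check the display name against the address, but the two checks shown (character folding plus edit distance against an allow-list) are the core of most lookalike-sender detectors.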
Although external threats to business information security materialize in practice much less often than insider threats, managers and executives often consider them more serious and spend significant resources on protecting the system from external attacks. Hacker attacks, external intrusions and virus threats really are dangerous, but installing modern protection tools reduces the probability of their occurrence to almost zero.
Classification of threats by type
If we move away from classifying the information security risks of economic activity by source and instead typify them from a technical point of view, we can identify the following types of threats:
- unauthorized access to data, leading to its leakage, substitution, blocking or destruction;
- substitution of information (logs, entries in monitoring journals), leading to the loss of information about the real culprits of information security incidents;
- the introduction of logic bombs into software code that are triggered when certain conditions are met or after a certain period of time and partially or completely disable the information infrastructure;
- development and introduction of malicious programs into the system: viruses, ransomware, Trojans;
- negligence in the development of software products, their timely updating or technical support, leading to software and hardware failures, downtime and denials of service;
- changes to data packets and electronic documents associated with forgery of an electronic digital signature (EDS);
- theft of information with masking actions in the system, for example, using someone else's identifiers;
- interception of data by connecting to communication channels; sometimes this requires only an antenna located at a distance;
- denial of service caused by DDoS attacks or other violations of the system's availability for external users.
A number of the listed risks, according to the current legislation, are related to administrative offenses and criminal offenses and are prosecuted by law.
Responsibility for violation of information security of economic activity
Most companies try to apply only disciplinary measures when employees violate information security rules, regardless of whether the violation was intentional. The most severe reaction a company typically takes is dismissing the offender. This is because enterprises try to hide information about leaks and other incidents, fearing damage to their business reputation. Appeals to law enforcement agencies or to the courts are extremely rare, even when the enterprise has suffered significant economic damage.
Violations prosecuted by means of state coercion are divided into three groups:
- violations related to the processing of personal data. These often entail administrative liability; the most serious is the storage of Russian citizens' personal data on servers located in another state;
- computer crimes committed in the field of information technology;
- information technology fraud, such as theft of other people's money committed by deception or abuse of trust.
Criminal liability is governed by Art. 272-274 of the Criminal Code of the Russian Federation, and the following violations most often fall under these articles:
- breaking into Internet sites (hacking), sometimes accompanied by a "deface" (changing the content of the site, for example, posting information compromising or defaming the company on the main page);
- theft of bank card data (carding) for subsequent enrichment. Both private and corporate cards may be affected. Phishing is often used to steal the data: sending letters from addresses similar to those known to the recipient;
- cracking, or defeating software protection systems for subsequent distribution without a license;
- illegal acquisition and use of someone else's credentials for Internet accounts;
- nuking, or DoS (Denial of Service) attacks: actions that cause denial of service by a remote computer connected to the Internet;
- spam: mass unauthorized distribution of electronic messages of an advertising or other nature, or "cluttering" an e-mail address (or addresses) with a multitude of messages;
- reading someone else's e-mail.
If information related to state secrets is threatened, in some situations the crime is qualified as an attempt of high treason.
Computer technologies are often used to steal confidential information, and in this case criminal liability may arise for disclosing commercial secrets. Most often in judicial practice, Art. 183 of the Criminal Code of the Russian Federation is used to prosecute persons who disclosed banking secrets. This is because, by law, banks may not hide information about information security incidents from the regulator, the Central Bank of the Russian Federation, so the employees involved have to be held accountable.
Information security measures
Having identified the objects and sources of threats and chosen the measures to be implemented to protect data and bring perpetrators to justice, it is necessary to proceed to the development and implementation of an information security strategy. Its task is to make the most efficient use of the company's resources, minimize losses, downtime and leaks, and comply with the requirements for protecting business reputation. Most specialists in the information security of economic activity are familiar with the complex of administrative, organizational, software and technical measures that need to be implemented; an external contractor is required only in difficult cases.
When choosing software protection tools, it is necessary to be guided by the recommendations of the FSTEC, which suggest choosing the best available software products designed to protect personal data. One should proceed from the principle of conserving resources, protecting only critical business processes from the information security risks of economic activity.
The required minimum includes:
- improvement of the user authentication system;
- organization of a data traffic protection system inside and outside the information perimeter of the company, installation of DLP systems;
- adoption of a set of organizational measures to minimize all categories of insider risks.
These measures against information security threats do not require significant financial resources, yet they can almost completely eliminate the main threats. At the same time, the software solutions operating on individual components of the system architecture, on different servers and in different security sectors must be unified. At the boundaries between sectors of the information system with different levels of protection, firewalls must be installed. Auditing unstructured data and removing duplicate and obsolete information helps optimize the use of information resources. Resources containing confidential information must be stored at the company's own facilities, not in the cloud.
The combination of these measures will help ensure information security in a small company or shopping mall. For companies in the financial sector, additional protection measures are developed by the Central Bank of the Russian Federation. All decisions must be constantly audited for applicability and effectiveness, with timely changes made to the strategy.
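The audit of unstructured data mentioned above (finding duplicate and obsolete files before deciding what to keep on company premises) is easy to script. The following added example, which is not code from the original article, walks a directory tree, groups files by SHA-256 digest to find exact duplicates and lists files whose modification time is older than a retention threshold. The sample file tree, its contents and the one-year threshold are constructed for the demonstration; the function returns its findings so they can be fed into a review rather than deleted automatically.

```python
"""Audit a directory for duplicate and obsolete files (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_directory(root: Path, obsolete_days: int = 365, now: float | None = None) -> dict:
    """Return exact-duplicate groups (by digest) and files untouched for obsolete_days."""
    now = time.time() if now is None else now
    by_digest: dict[str, list[str]] = {}
    obsolete: list[str] = []
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            total += 1
            by_digest.setdefault(file_digest(path), []).append(rel)
            if now - path.stat().st_mtime > obsolete_days * DAY:
                obsolete.append(rel)
    duplicates = {d: sorted(p) for d, p in by_digest.items() if len(p) > 1}
    return {"files": total, "duplicates": duplicates, "obsolete": sorted(obsolete)}


def build_sample_tree(root: Path, now: float) -> None:
    """Create a constructed file tree: one duplicated contract, one stale report."""
    samples = {  # relative path -> (content, age in days)
        "contracts/supply-2024.docx": (b"contract body v3", 30),
        "backup/supply-2024 (copy).docx": (b"contract body v3", 700),  # exact duplicate, old
        "reports/q1.txt": (b"quarterly report", 10),
        "reports/2019-summary.txt": (b"very old summary", 1100),      # obsolete, unique
    }
    for rel, (content, age_days) in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))


def demo(obsolete_days: int = 365) -> dict:
    """Build the sample tree in a temporary directory and audit it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, now)
        return audit_directory(root, obsolete_days=obsolete_days, now=now)


if __name__ == "__main__":
    result = demo()
    print(f"files scanned: {result['files']}")
    for digest, paths in result["duplicates"].items():
        print(f"duplicate group {digest[:12]}: {paths}")
    print("obsolete:", result["obsolete"])
```

Hashing alone finds only byte-identical copies; near-duplicates (the same contract saved as .docx and .pdf) need content extraction and fuzzy matching, which is what commercial DLP and data-classification tools add on top of this basic pass.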