Unintentional threats to information security
Information security (IS) is a key factor in ensuring the quality of an organization's business processes. A realized information security threat can halt operations and cause significant damage. Unintentional threats to information security, which arise without any expressed will to cause harm, are sometimes the most dangerous.
Typology of threats
An information security threat is understood as an intentional or unintentional action that negatively affects an information system or the data stored in it and against which professionally organized protection is required. The main criterion for classifying a threat as accidental, that is, not based on self-interested goals, is the randomness of its occurrence. Behind such an action there is no intent to harm the protected information or to organize its leakage or destruction.
The following groups of information threats, against which protection is required, are distinguished:
- natural disasters;
- failures and malfunctions of technical means;
- software errors;
- errors of service personnel.
Each group of threats to information and to its individual properties has its own probability of realization and its own amount of damage. Assessing these parameters makes it possible to develop an optimal mechanism for protecting information.
Natural disasters and accidents - natural hazards
Floods, earthquakes and fires can completely destroy equipment and storage media. Storing data on a remote server and backing it up partially mitigates these threats and helps ensure data protection.
When building a protection system against this type of information security threat, it should be borne in mind that damage from natural disasters is not always covered by insurance companies. There is a known case in which a company was denied reimbursement for the cost of equipment and information destroyed by torrential rains, because the rains were recognized not as a natural disaster but as an extraordinary natural event.
Accidents and similar man-made threats to information security can destroy equipment and information just as effectively as natural disasters; protection against them is the task of the security and engineering services. Fires from ignited wiring and flooding of equipment due to a water supply failure are common causes of information loss. When information is placed on third-party cloud servers and personal control over the premises in which the servers storing the information are located is impossible, the provider must be required to guarantee that the equipment is protected from man-made threats.
Failures and malfunctions of technical means
This group of information security threats can cause significant damage, but rarely causes the complete loss of information. More often it is the availability property of information that suffers. Protection against these threats requires a high level of technical expertise.
Failures and malfunctions can occur:
- on servers and workstations;
- in power supply systems;
- in peripheral devices;
- on communication lines.
Timely preventive maintenance of the equipment and software monitoring of the performance of system elements will help to avoid this risk of information loss.
Errors in coding or in developing automation tools can lead to information being lost or unavailable for some time. These errors are referred to as vulnerabilities: unfortunate characteristics of a program or information system whose existence makes the emergence of a threat of information loss possible.
Hackers, when realizing external information security threats, often use such vulnerabilities to penetrate an information system that does not have an adequate level of information protection.
Software errors are divided into the following groups:
- systemic, arising from incorrect drafting or implementation of the technical specifications for software development;
- algorithmic, in which developers have misinterpreted and incorrectly implemented the algorithms on which the software is based;
- programming, arising when the software code is written;
- technological, arising in the process of preparing the software documentation or translating it, if the software is of foreign origin.
The occurrence of such errors leading to the loss of information is often associated with the use of new software that has not been tested in practice and is not certified by the FSTEC RF.
Errors of users and system administrators - threats of a subjective nature
This is the most common type of information security threat. Such errors occur in more than 50% of cases.
Causes of such threats to information security:
- psychophysical. Due to fatigue, illness, nervous excitement or reduced performance, users may use the software incorrectly;
- objective. They are caused by imperfect data presentation models; a lack of regulations, a regulatory framework or instructions; low qualification of personnel; obsolescence or low quality of hardware and software; and inconvenience in operating them;
- subjective. Errors caused by the carelessness, laziness or irresponsibility of employees;
- systemic. This category includes choosing the wrong architecture for the information system and installing unnecessary or conflicting programs that hinder the operation of the IS.
Examples of subjective errors, most often made by users:
- accidental damage to equipment;
- accidental deletion of files or folders containing work information or system information;
- accidentally changing the operating mode of programs or applications;
- accidental damage to media;
- accidental disk formatting;
- failure to disconnect the workstation from the network, leading to its breakdown;
- infecting a computer or system with viruses;
- accidental disabling of antivirus;
- entering erroneous data;
- the use of virus-infected storage media to save information from the system;
- use of personal mobile devices for work purposes;
- sending confidential information to the wrong address;
- installation and use of programs not provided for by the operating procedures;
- loss or careless transfer of the means of ensuring differentiated access (passwords, electronic devices such as tokens);
- ignoring the requirements of working regulations.
Countering such errors must be accompanied by mandatory backup of information, since they can lead to its modification, distortion or complete destruction.
Among the response measures:
- installation of software products that provide "foolproofing" (protection against operator error);
- installation of information security incident monitoring systems (SIEM and DLP systems);
- implementation of the differentiated access model;
- maximum limitation of privileges;
- user training and staff development;
- creation of a legal and regulatory framework regulating user actions;
- using only licensed software and its timely updating;
- maintaining logs for recording user actions.
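The measures above (logging user actions, SIEM-style incident monitoring, limiting privileges and tightly controlling installed software) can be illustrated with a small set of detection rules run over an action log. The following is an added example and not code from the original article; the log format, the field names, the approved-software list and the thresholds are all assumptions made for the illustration. It flags three of the user errors listed earlier: accidental mass deletion of files, accidental disabling of antivirus, and installation of programs not provided for by the operating procedures.

```python
"""Toy monitoring rules over a user-action log (added example, not from the article).

The log format ("timestamp user action detail"), the action names and the
approved-software list are assumptions; a real SIEM would ingest its own formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one record per line, fields separated by spaces.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice delete /share/projects/report_v1.docx
2024-03-01T09:00:02 alice delete /share/projects/report_v2.docx
2024-03-01T09:00:03 alice delete /share/projects/budget.xlsx
2024-03-01T09:00:04 alice delete /share/projects/plan.pptx
2024-03-01T09:00:05 alice delete /share/projects/notes.txt
2024-03-01T09:15:00 bob service_stop antivirus
2024-03-01T09:20:00 bob install torrent-client
2024-03-01T10:00:00 carol install office-suite
2024-03-01T11:00:00 carol delete /home/carol/tmp.txt
"""

APPROVED_SOFTWARE = {"office-suite", "pdf-reader"}   # assumed list from operating procedures
PROTECTION_SERVICES = {"antivirus"}                  # services whose stop is always reported
BULK_DELETE_THRESHOLD = 5                            # deletions by one user ...
BULK_DELETE_WINDOW = timedelta(minutes=1)            # ... within this window is suspicious


def parse_log(text):
    """Split the assumed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return events


def find_bulk_deletions(events, threshold=BULK_DELETE_THRESHOLD, window=BULK_DELETE_WINDOW):
    """Flag users who delete at least `threshold` objects inside any `window`-long span.

    A single deletion is normal work; a burst of them is the 'accidental deletion of
    files or folders' error and is worth an analyst's attention before backups age out.
    """
    stamps_by_user = defaultdict(list)
    for e in events:
        if e["action"] == "delete":
            stamps_by_user[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "count": end - start + 1,
                                 "first": stamps[start], "last": stamps[end]})
                break                            # one finding per user is enough
    return findings


def find_protection_disabled(events, services=PROTECTION_SERVICES):
    """Report every stop of a protection service (e.g. accidental antivirus disabling)."""
    return [(e["user"], e["detail"]) for e in events
            if e["action"] == "service_stop" and e["detail"] in services]


def find_unapproved_installs(events, approved=APPROVED_SOFTWARE):
    """Report installations of programs not on the approved list."""
    return [(e["user"], e["detail"]) for e in events
            if e["action"] == "install" and e["detail"] not in approved]


def analyze(text):
    """Run all rules over a log text and return the findings grouped by rule."""
    events = parse_log(text)
    return {
        "bulk_deletions": find_bulk_deletions(events),
        "protection_disabled": find_protection_disabled(events),
        "unapproved_installs": find_unapproved_installs(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the constructed log the rules report alice's burst of five deletions, bob stopping the antivirus service and bob installing an unlisted program; carol's single deletion and approved installation produce nothing. The thresholds are deliberately simple; in practice they would be tuned per role, and the same events would also be the trigger for restoring from the backups the previous paragraph requires.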
Fulfilling these conditions will provide protection against threats of data loss, preserve the information and improve the overall security of the information system.
The accidental nature of the violation will not make it possible to bring the guilty employee to financial or criminal liability for disclosing commercial secrets, but carelessness or negligence will be grounds for disciplinary action. Setting up a system of control over the actions of personnel by the security service and the HR department will reduce the risk of unintentional threats to information security being realized.