The main aspects of information security
Corporate security is not a new phenomenon. What has only recently come to be called by this term has existed since the beginning of trade. Each merchant tried to protect his professional secrets from competitors so as not to lose profits.
Modern realities of corporate security of the company
In fact, modern corporate security is not much different from the old one. Only the realities in which businessmen must conduct their business are changing. Any company wants to be reliably protected not only from external threats, but also from internal ones. This problem is solved by specialists in corporate and information security. They are faced with the task of carrying out a whole range of measures that include almost all areas of the company's life:
- protection of trade secrets;
- internal work with employees;
- internal counterintelligence;
- official investigations;
- economic security;
- technical and physical protection.
If there is a problem with even one of these points, there will be trouble. Not so long ago, a scandal erupted in the UK: hard drives with data from clinic patients, which were supposed to be destroyed, suddenly appeared on eBay auctions.
The hospitals handed over the discarded disks to a contractor company, which in turn used the services of a private individual. The enterprising Englishman, instead of conscientiously fulfilling his duty to destroy the media, put the data disks up for sale.
In this case, two points can be called "weak links": internal work with employees and technical protection. Let's figure out why. An overly long chain of intermediaries led to the leak: the customer was not even aware of who was directly involved in the destruction of the disks and whose actions needed to be monitored. In addition, the very fact that the hospitals transferred disks with unprotected personal data of patients to third parties is a technical omission on the part of employees.
A responsible approach to ensuring corporate information security would help to avoid this situation. Let's figure out what needs to be done in order to get a really working information protection system at the output.
Three tricky steps
Before starting to build an effective information security system, it is necessary to thoroughly analyze the data storage and processing system already existing at the enterprise. There are three main steps to take for this:
1. Identification of critical information.
2. Identification of weaknesses in corporate security.
3. Assessment of the possibilities of protecting this information.
All these actions can be performed either by your own employees, or by ordering an audit of the company's information security from specialists. The advantages of the first method are lower cost and, importantly, the lack of access to corporate data for third parties. However, if the organization does not have good full-time security auditors, then it is best to resort to the help of third-party companies - the result will be more reliable. This will help avoid the most common mistakes in information security.
"The most common mistake is underestimation and overestimation of the threats to the business," said Alexander Doronin, an expert in the field of economic security and the author of "Business Intelligence". "In the first case, there are holes in the security system of the enterprise, which for the organization results in direct damage from leakage of confidential information, corporate fraud and outright theft of whatever comes to hand.
When threats are overestimated, the security system not only places a heavy burden on the enterprise's budget, but also unreasonably complicates the performance of the duties assigned to them. This threatens the loss of possible profits and loss of competitiveness."
Identification of critical information. At this stage, the company identifies the documents and data whose security is of great importance to it and whose leakage would cause huge losses. Most often this is information constituting a commercial secret, but not only that.
For example, after the adoption of the new edition of the federal law "On Personal Data", all information collected by the organization about its employees and clients also needs protection. A series of last year's leaks from Megafon, online stores and Russian Railways, as well as fines received by the perpetrators of these incidents are the best evidence of the need to protect such information.
It is important to remember that third-party audit specialists cannot independently compile a list of all documents that need to be protected. The auditor's work should be carried out in conjunction with an employee of the company who is well aware of the peculiarities of document flow.
Identification of weaknesses in corporate security. This task is performed directly by the specialists conducting the audit. The choice of a scheme for building information security depends on the results of this work.
When identifying gaps in information security and, as a result, in corporate security, not only technical means are evaluated. Very important points are whether employees' rights of access to particular information are differentiated and whether there is an agreement on non-disclosure of corporate information. It is also important to assess the loyalty of employees to management and the relationships in the team - all this is the responsibility of the HR department.
A recent example of a situation where a staffer took advantage of his position to steal information was the theft of information from a startup called Mocality (an online business information database) by Google's Kenyan office. Google was forced to make an official apology to the victims, and the head of the representative office, through whose fault the incident occurred, was removed from his post.
Assessment of information security capabilities. This is the final stage of the audit, during which, based on the analysis carried out, a list of specific measures that must be taken to protect the corporate secrets of the company is drawn up. Recommendations can be both technical and organizational.
In addition, at this stage, the financial capabilities of the company to protect information are analyzed, since many information security tools may be too expensive for the enterprise. And some of these measures are simply not advisable for small businesses. A special need for a DLP system arises if an organization uses 50 or more computers.
The installation of a DLP system is always preceded by a technical audit. After ordering a 30-day free trial, the customer is consulted by SearchInform engineers who assess the company's IT infrastructure and determine how much capacity is required to install the program.
Information security is just one of many (albeit the most important) ways to ensure corporate security. A set of measures is needed - technical and organizational.
The technical solutions for protecting corporate secrets include the installation of a DLP (Data Leak Prevention) system. This suite of software tools monitors all information flows in an organization - from e-mail to programs that use encryption algorithms (for example, Skype) or the HTTPS protocol. All removable media, corporate computers and laptops are also under control.
An important feature of DLP systems is their autonomy. The company does not need to maintain an entire department that would deal with information security. Just a few specialists are enough.
The latest research by SearchInform, a leading player in the Russian information security market, showed that DLP systems are not very popular in Russia and the CIS countries. Only slightly more than half of organizations (58%) plan to install comprehensive protection soon. Others do not consider it necessary to implement it, or believe that partial protection is sufficient. However, information security will only be at the optimal level when comprehensive protection is provided.
DLP systems do more than provide reliable protection of secrets. Their functions are much broader: with the right approach, you can get information about the mood of employees in the team and track the movement of key documents and incoming and outgoing messages. As a result, DLP systems are also an effective aid in such important corporate security activities as internal counterintelligence or official investigations.
However, technical data security and tracking employee actions alone are not enough. Organizational arrangements, work with employees, development of internal documentation are also important.
"The corporate security system must be comprehensive, otherwise it will be like in a joke: a security guard strictly checks the company's employees' passes at the checkpoint, and twenty meters from the checkpoint there is a hole through which anyone can enter the firm," says Alexander Doronin, sharing his experience.
Organizational work includes informing the staff about the presence of information security systems in the organization, about the need to keep commercial secrets and about the possible consequences of their disclosure, both for the company and for the employee himself. Creating a supportive work environment is another key element of organizational action. Corporate security is impossible if employees regard one another with distrust. Such a "cold war" will significantly slow down business processes. Therefore, it is worth recalling once again the important role of the HR department.
As for the development of internal documentation, the responsibilities of employees, as well as their rights of access to certain documents, should be clearly spelled out. Each department must carry out its assigned tasks - no more, but no less.
We must not forget about such seemingly elementary things as the work of the security service. Physical protection of employees in the workplace is also an important part of corporate security.
Only by achieving such two-sided protection, technical and organizational, without exaggerating or underestimating the threats, is it possible to create reliable corporate protection for the company.