Information Security Management
In modern conditions, when the constantly growing scale of cyber threats may become one of the most critical risks to the global economy, building an information security management system at an enterprise cannot be left to security personnel and IT departments alone. All employees must be aware of the current risks and be able to respond to them promptly and competently.
Basic principles of information security systems management
The creation of an information security management system begins with the development of an up-to-date threat model. The regulator will require this document if the company is an operator of personal data; even where it is not required, preparing it systematizes the work of managing data protection processes and helps avoid unreasonable spending on software and equipment that are not needed in specific situations.
According to experts, by the first half of 2020 information security threats ranked by importance as follows:
- targeted attacks. They are aimed at companies and corporations where most employees work remotely, at production management systems (ACS) of organizations that store data in the cloud, and at banks that make wide use of mobile applications for managing accounts and deposits. Traffic can be intercepted and mobile applications may have undeclared capabilities, so remote data exchange should be made as secure as possible;
- espionage, competitive intelligence and the use of hacker technologies. Their relevance grows when a significant part of the resources that keep the information security system running is handed over to remote specialists. If the company has not set up a control process, threat monitoring systems with automatic responses, or DLP systems, company data can become easy prey for intruders;
- fraud. With the move of employee activity from the office to coworking spaces or home, interest in entertainment, gaming resources and ways to make quick money grows, and the HR department cannot suppress this. Such portals are often infected with malware, so an employee risks not only losing personal funds to fraud or phishing but also infecting the company's information system with viruses if one device is used for both work and play;
- malicious mailings. In early 2020, exploiting the growing public panic over the coronavirus pandemic, attackers created new email campaigns. Users are sent messages with attached PDF files; in some cases this is malicious software that encrypts data on the computer. The subject line reads "Tips on how not to get sick with coronavirus", and the addresses of real companies are placed in the copy to distract attention. Under a similar pretext, phishers send out HawkEye spyware on behalf of UNICEF. Attackers can also attach the Netwire Trojan, which collects data about the system and the computer, downloads and launches files, takes screenshots, controls the keyboard and mouse, and steals logins, passwords and bank card details.
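The mailing described above combines three observable traits: a topical lure in the subject, real third-party organizations in the Cc header, and a risky attachment. The following triage heuristic is an added example (not code from the original article) that scores a raw message on those traits; the sample message and all addresses in it are constructed.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample message that mirrors the lure described in the text.
# Addresses and the attachment body are invented, not a real capture.
SAMPLE_EML = b"""From: info@unicef-lookalike.example
To: employee@corp.example
Cc: press@real-company.example, contact@another-firm.example
Subject: Tips on how not to get sick with coronavirus
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached guidance.
--b1
Content-Type: application/pdf; name="tips.pdf"
Content-Disposition: attachment; filename="tips.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK
--b1--
"""

LURE_KEYWORDS = ("coronavirus", "covid", "pandemic")
RISKY_EXTENSIONS = (".pdf", ".exe", ".js", ".vbs", ".scr", ".doc", ".docm")


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per suspicious trait found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = (msg["subject"] or "").lower()
    if any(k in subject for k in LURE_KEYWORDS):
        reasons.append("topical lure in subject")
    # Several unrelated organisations in Cc matches the "real companies in copy" trick.
    cc_addrs = [addr for _, addr in getaddresses(msg.get_all("cc", []))]
    if len({addr.rsplit("@", 1)[-1].lower() for addr in cc_addrs}) >= 2:
        reasons.append("multiple unrelated organisations in Cc")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment {name!r} of risky type")
    return len(reasons), reasons


if __name__ == "__main__":
    print(score_message(SAMPLE_EML))
```

A score of 2 or more is a reasonable threshold for routing the message to the security team rather than the user's inbox.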
Taking into account the named threats, all business processes of the company are built so that they contain elements of the information security system. In modern conditions some security elements should take priority over business interests because threats are scaling, so the main tasks of building an information security management process are:
- updating data protection policies that shift the focus of information systems security management towards remote access control;
- revision of the risk management system taking into account changes in legislation and the structure of the economy for the medium and long term;
- modification of the organizational structure of the company, taking into account the transfer of employees to remote work, strengthening the role of security services and IT departments.
Implementing this strategy proactively and accelerating the setup of processes that raise the level of information security will yield competitive advantages.
Practical forms of information security management
Information security management in an enterprise should occur at two levels:
- in the office;
- on remote access.
Businesses now increasingly use the remote work model and cloud technologies. Product creation processes are managed remotely: the materials sit on a remote resource, and specialists connect to them from different parts of the world. This makes it necessary to make work over a remote connection as secure as possible.
The first stage of the new information security management model is the creation of a division or a working group responsible for developing a strategy for dealing with the risks arising from the exchange of data with remote employees.
The tasks of the cyber defense management division include:
- restructuring of the information system in such a way as to ensure the security of remote connections, to create a guaranteed secure work process;
- training employees in the basics of safe work with equipment and data;
- updating and reconfiguring the software responsible for monitoring cyber threats;
- development and approval of new regulations for work in the information system;
- control over the compliance of the new security model with the requirements of the regulator and current legislation;
- monitoring new threats, ensuring an adequate response to them;
- introduction of modern information security standards, for example, ISO 27001, their adaptation to a remote model for organizing business processes, obtaining certification for a new configuration;
- creation of an information resource on the corporate website dedicated exclusively to information security issues. Employees need to be informed about new threats and risks, modernized phishing mailings and malware. A feedback mechanism must be created on the resource.
When choosing technical and software solutions related to ensuring a new data protection model that does not interfere with the normal course of business processes, the emphasis should be on:
- programs that allow you to launch processes and applications in a dedicated environment;
- VPN technologies;
- complication of traffic routing;
- two-factor authentication of employees, using hardware tokens where possible;
- widespread use of cryptographic protection tools.
The security service can use the reduction in the total number of cybersecurity incidents, data leaks, and malware infections as criteria for evaluating both the process and the result of its activities. Within the unit, one of the network specialists should be assigned the duty of monitoring the actions of remote employees and answering their questions.
What an office worker should know about cybersecurity
Employee training is an important task for the company; its implementation protects against 80-90% of threats and risks. A simple memo sent out to office workers will make their behavior when working with equipment and data more conscious.
Key information security rules to train staff:
- separate personal and work information spaces as much as possible: do not use a work computer for personal purposes, recreational web surfing, or downloading questionable programs;
- it is necessary to constantly update knowledge about current risks and threats by accessing the company's resource dedicated to this problem;
- know which IT department employees to contact in an emergency, for example when a device is infected with ransomware, and through which communication channel that contact takes place;
- it is necessary to limit the use of instant messengers on corporate mobile devices for employee interaction. The list of allowed instant messengers must be specified in the regulatory documents;
- it is necessary to follow the safety rules at home, timely updating passwords on all devices and services used for corporate purposes;
- you need to completely exclude work in public Wi-Fi networks;
- it is necessary to discuss the issues of computer security of a corporate network with the utmost caution in professional forums.
Educating employees about these rules will help make their work more efficient, and computer security management will cease to be the task of only specialized services, becoming a common goal of the entire organization.