To help companies protect data and increase resilience to both external and internal threats, residents and startups of the Innopolis SEZ involved in IT developments in the field of cybersecurity have prepared tips for ensuring data security. They were brought together by Yana Mikhailova, head of the Resident Development Sector.
The number of cyber attacks is growing rapidly worldwide: in 2021 it increased by 40%, and in Russia specifically by 54% (according to Check Point). Current events in the world, which have shaken stability, make us think about information security not only for state corporations, but also for private companies from various industries.
Mass media, government resources, educational companies, research projects, medical organizations and companies in other areas are being attacked.
Confidential company data, which is valuable not only to the company itself but also to external parties, faces the greatest threat from cyber attacks. In 2021 alone, the consequences of data leaks caused $9 trillion in damage to the global economy (data from the DMIB MFA).
Here are 7 steps to help companies build a comprehensive approach and systematic work to protect confidential data.
Allocate resources to data protection
Effective data protection work begins with the knowledge that such threats exist and that data needs to be protected.
As Sergei Vakhonin, Head of DLP at Cyberprotect, notes, the handling of confidential data today is often perceived solely in the context of the requirements of the law on the protection of personal data, losing sight of the fact that, with total digitalization, almost all data within a company has real value and the leakage of much of it will have negative consequences for the business.
The risks that companies are exposed to in the event of leaks range from administrative to criminal liability. Financial losses and loss of reputation are the most serious risks and can jeopardize the continued existence of a business.
According to the observations of Ilya Petrov, director of the Innostage own products promotion department, reputational risks provoke an outflow of customers, a drop in the value of shares, direct financial losses, loss of positions in the competitive race, and even, for example, the loss of experience and know-how.
In case of high-profile leaks, regulators can initiate unscheduled compliance checks, which are fraught with fines and, in extreme cases, the suspension of the organization’s activities until the discrepancies are corrected.
Financial and reputational losses are not always proportional to the scale of the incident itself. Yaroslav Kargalev, COO of Group-IB in the Innopolis SEZ, notes that the damage will depend on the type of business activity, the nature of the stolen information, possible options for using data by fraudsters, and other factors.
In the event that the victim company is small and operates in a highly competitive market, the consequences of attacks can lead to a business stoppage and closure.
Analyze threats and risks
To select effective data protection solutions, it is necessary to analyze the threats that a company may be exposed to.
According to experts from Cyberprotect, InfoWatch and Innostage, the common causes of attacks include employee errors and misunderstanding of which data may be transferred to third parties and which may not, weaknesses in systems, insufficient security of the IT infrastructure, lack of control over the places and channels through which protected data is transferred, and the unscrupulous attitude of data operators to protecting it.
Increasingly, “hybrid” attacks as a result of collusion between an external and internal intruder are becoming the causes of leaks. Against the backdrop of the development of communications and a massive transition to remote work, it has become easier for attackers to find vulnerable points in the infrastructure and persuade employees of various organizations to commit crimes, Innostage experts noted.
In the current reality, the types of attacks are rapidly changing and becoming more complex, so you need to return to the analysis of possible risks and threats regularly.
An illustrative example with new challenges is ransomware attacks, which pose great threats to business.
As an expert from Group-IB notes, ransomware now steals all the data it can reach before encrypting workstations, and only after that encrypts the devices.
Previously, small and medium-sized businesses with a developed IT service that had backups could restore their infrastructure relatively quickly, but now the victim has an additional problem: if it refuses to pay, the stolen data will be published on the Internet. To do this, cybercriminals create special web platforms where they arrange auctions among themselves to sell stolen data.
Develop a data policy and restrict access to information
It’s not a good idea to store all work data and customer bases on Google Drive and make it available to all employees. However, this situation is typical for most small and medium-sized businesses, and especially for start-ups. According to InfoWatch, a resident of the Innopolis SEZ, the vast majority of leaks in Russia (79%) are caused by employees.
In most cases they are committed intentionally, and much less often through negligence, ignorance, carelessness and other unintentional actions, Innostage reported.
An important question to ask at this stage is: “Which employees and departments need access to which information?” Anton Bochkarev, information security expert, director and founder of the Third Party startup, advises that it is imperative to delimit access to information within the company and define the policy for working with data, because this does not require large investments.
When developing a data policy, it is important to focus on the goals of the company, determine the places, information processing facilities and owners of information systems that process data, as well as appoint those responsible for ensuring data security.
Ilya Petrov from Innostage emphasizes that a detailed legal study of internal documentation is important, which will regulate the procedure for processing and storing data, restrict access, appoint those responsible and establish liability for violation of these rules.
Implement technical data protection solutions
There are various IT solutions: from simple password protection of documents to complex multifunctional professional options. And in each individual company, services are selected according to the tasks, scale and specifics of the business.
As Cyberprotect explains, it is possible to protect data with basic technical means, starting with access control and simple password protection of documents. In some situations it makes sense to go down the path of data depersonalization.
However, this is not easy and will require the creation of special information systems that process personal data in an anonymized form.
A counterbalance to basic technical means of protection and organizational measures will always be the human factor, which will bypass all levels of protection. In such cases, specialized data loss prevention (DLP) solutions come to the rescue.
Such tools control all the main channels through which confidential data can be transmitted, and instantly block unauthorized transmission attempts.
The most effective method of protecting data from leaks is depersonalization of information, according to experts from Innostage. To do this, you need to change the data processing process in such a way that the resulting array of information is not personal data and is of no value to an attacker, for example, by storing data “in parts” – in different tables and databases.
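The “in parts” storage described above, as an added example (not code from Innostage or from this article): identifying fields and business fields are written to two separate SQLite databases linked only by a keyed token. The table names, fields, key and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample records: (name, phone, email, plan, monthly_spend).
CUSTOMERS = [
    ("Anna Ivanova", "+7 900 000-00-01", "anna@example.com", "premium", 12500),
    ("Oleg Petrov", "+7 900 000-00-02", "oleg@example.com", "basic", 300),
]

def token_for(key: bytes, email: str) -> str:
    """Keyed pseudonym: cannot be recomputed from the e-mail without the key."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:32]

def split_store(records, key: bytes):
    """Write identifying fields and business fields to two separate databases."""
    identity = sqlite3.connect(":memory:")  # stands in for the restricted store
    business = sqlite3.connect(":memory:")  # stands in for the working database
    identity.execute(
        "CREATE TABLE person (token TEXT PRIMARY KEY, name TEXT, phone TEXT, email TEXT)")
    business.execute(
        "CREATE TABLE account (token TEXT PRIMARY KEY, plan TEXT, spend INTEGER)")
    for name, phone, email, plan, spend in records:
        tok = token_for(key, email)
        identity.execute("INSERT INTO person VALUES (?, ?, ?, ?)", (tok, name, phone, email))
        business.execute("INSERT INTO account VALUES (?, ?, ?)", (tok, plan, spend))
    identity.commit()
    business.commit()
    return identity, business

def leaked_identifiers(conn, records):
    """Return the identifying values that appear in a full dump of one database."""
    dump = "\n".join(conn.iterdump())
    identifiers = {value for rec in records for value in rec[:3]}
    return sorted(v for v in identifiers if v in dump)

def reidentify(identity, business, token):
    """Authorised lookup: only possible with read access to both stores."""
    person = identity.execute(
        "SELECT name, phone, email FROM person WHERE token = ?", (token,)).fetchone()
    account = business.execute(
        "SELECT plan, spend FROM account WHERE token = ?", (token,)).fetchone()
    return None if person is None or account is None else person + account

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: kept outside both databases
    ident, biz = split_store(CUSTOMERS, key)
    print("identifiers in business dump:", leaked_identifiers(biz, CUSTOMERS))
    print("identifiers in identity dump:", leaked_identifiers(ident, CUSTOMERS))
    print(reidentify(ident, biz, token_for(key, "anna@example.com")))
```

The split only reduces the value of a stolen copy if the identity store and the key sit in a different segment, under different access rights, from the working database.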
If this cannot be implemented in a company, a suitable solution would be the centralization of personal data processing, their localization in separate protected segments with control (or a complete ban) on the dissemination of information outside this segment.
An example of such a practice is the organization of a terminal farm for employees to access the personal data system with a ban on copying information to the employee’s device. This allows you to provide better control and security of information, as well as save money on protecting each individual working computer.
The loss of personal data is not always a targeted leak. Attackers can encrypt all information.
Third Party experts advise that with the advent of a developed technical infrastructure, it is worth moving away from local storage of personal data. There were cases when the loss of customer contact data (and mail archive) was an extremely painful consequence of a ransomware attack. A popular solution on the market is a cloud with end-to-end encryption and backup.
Conduct information work with employees
Deliberate leaking of data by employees is a common cause of leaks. But, unfortunately, most companies do not pay enough attention to information work with personnel.
Experts from Innostage emphasize that it is important for companies to communicate the current data security rules to employees, discuss liability in case of violations, and conduct training activities on safe data handling and protection against external threats.
Workers with access to data must understand that they may encounter intruders and, in the event of an attack, must be prepared to respond appropriately.
According to Yaroslav Kargalev, the desire to earn extra money by selling confidential data to competitors or fraudsters is a frequent motive for employee violations.
So, for example, many have personally encountered telephone fraud and calls from “representatives” of the bank. The main source of leakage of this personal data is insiders in financial institutions.
Today there is a whole underground market for leaked and stolen data. Fraudsters are actively looking for insiders within companies of interest to them. As reported in Innostage, the monetization of stolen data often becomes the motivation of attackers, both internal and external.
The data is of interest to hacker groups, competitors, or just ordinary scammers, so it is in demand on the dark web and is well monetized.
Set up control and conduct test checks
After developing the data processing process and implementing technical solutions, the expert from Innostage recommends setting up controls for specific data processing locations, leak channels and users.
It is also important to periodically run test mailings and calls and to train colleagues to be attentive to suspicious letters and calls, so that they do not become victims of phishing and social engineering attacks in general, advises Anton Bochkarev from the Third Party company.
Be prepared for threats and remediation
It is important not only to equip the company with technical solutions, train employees and be fully prepared for attacks, but also think through scenarios and possible actions to eliminate the consequences in advance.
Group-IB experts recommend that each organization develop an action plan that will allow it to respond to an incident in a regular manner, and not plunge the IT service, the information security service and the company’s management into a state of chaos.
By implementing such procedures, the business will be able to deal with the incident as quickly and efficiently as possible and minimize the damage from the leak. In the event of a data breach or theft incident, how well the company prepared to eliminate or mitigate the consequences plays an important role.
The worst thing is when a company tries to hide the fact of a leak or shift the responsibility to others.
One of the key tools for mitigating the consequences of leaks is to constantly monitor hacker underground forums, dark web communities and instant messengers in order to detect threats such as the sale of company personal data.
Such a mechanism will allow the company to learn about the leak before competitors, the press, the public and customers do, and to prepare and take measures to inform the parties involved.
Choosing between two evils, it is much better to find out about the leak on your own, and not from the media. It is also important to initiate a timely investigation of data leaks, which will help not only find the source, but also prevent future compromises.
The business threat landscape is constantly changing and new forms of attack are emerging. An integrated approach, several levels of protection, monitoring and regular analysis of possible threats will ensure the stability of the company and data security.
Mikhail Smirnov, Head of the Expert Analytical Center of InfoWatch Group, recalled that the security and proper handling of confidential data, including personal data, is not only a responsibility before the law, but also a matter of business sustainability, as well as a socially significant task of protecting privacy and preventing fraud and digital identity theft.