
Investments in Information Security: It’s All about Budgets and Staff

06 March 2020 08:43, UTC
Yuri Pakhomov

Cybercrime is growing year by year: attacks on the finances, information and reputation of companies are becoming widespread, and attackers are getting more inventive. What are the most effective ways of protecting information under these conditions? This question was debated at the conference “Challenges of Digital Transformation” held in February in Moscow, Russia.

The discussion covered three main issues: the relations of information security departments with other departments and employees, the budget, and the relations of security officers with regulators. Regulation in Russia is very specific, so that experience is of little use in other countries. The more interesting topics concern relations with employees and with corporate financiers.

It’s all about the money

Cybersecurity issues in Russia were far from a priority; as always, profit is king. Businesspeople see no reason to think about it, and when something bad does happen, they take it as proof that investing or not investing in cybersecurity can't protect the business from losses anyway. So, how do you convince a business to support information security?

As practice has shown, the most effective argument is the use of metrics: the language of numbers, specific amounts of prevented financial losses. How many attacks were made last year, and what proportion was prevented? If the figure was 93%, then next year the security department should commit to increasing it to 98%.

That commitment is subject to sufficient investment in the necessary software and employee training. What was the proportion of false alarms raised by the security system? They can be prevented if the business invests in upgrading obsolete systems. How much revenue did the company lose from the outflow of customers who were frightened by news of incidents? And what about thefts of the customer base, which was resold to competitors? Such cases make it possible to estimate the financial losses from cyberattacks, and thus to justify budgets: spending on security reduces losses.

Each employee should work on information security

The analysis of incidents in recent years shows that the human factor is the weak link in data protection. An attack on a company's information assets can begin with taking control of any device belonging to any department.

Here are the numbers. More than 70% of complex attacks begin with a phishing email, and on receiving it the employee inadvertently clicks the link in the text. The share of employees who take such unreasonable actions is 30% of the staff. The average time from the start of an attack to the compromise of the first computer is less than half a minute. Having gained control over one device, attackers use it as an access point to the administration of the entire data system. 49% of malware is installed via email. Access is not a problem if employees use short and easy passwords. The study showed that every 7th employee succumbs to the tricks of social engineering. The most vulnerable were legal services, followed by accounting staff and the secretariat.

The experts agree that today, the long-known British standard is more than relevant: each employee must be responsible for ensuring the information security of the organization. What does this mean in practice?

First, to perform their tasks, IS departments can no longer be stand-alone units. Their task is to establish horizontal interactions with all departments, speaking with staff in a language they understand: using examples, showing how attackers work, what damage this can cause to the business, what losses the company or its competitors have faced, etc. Clarity is the basis of knowledge. The rules for an employee are simple: do not open links in letters from strangers and unknown companies, regularly change access passwords at the workplace, know the signs of suspicious websites, and protect information on personal smartphones.

Second, it is necessary to do practical exercises with people. Information security experts who understand the meaning of each rule can take the initiative, motivate, and offer training content tailored to the company's specifics. It is necessary to maintain high motivation for people to follow the rules of information hygiene. One of the most effective methods is to carry out exercises from time to time, sending test phishing emails to employees or cracking their passwords.

And finally, the last principle is the continuous updating of IS training programs. Today, new types of cyberattacks appear weekly, and information security specialists need to get the latest information from their professional community and prepare personnel to protect themselves from new types of threats.

The following case illustrates the requirements for the quality and thoroughness of information security training.

The accounting employees of the company were trained in information security and passed all the tests. After that, the IS specialists sent phishing emails to these accountants. The women were congratulated on March 8 and offered a link to receive a 30% discount in an online store. The IS service installed a counter that recorded every attempt to follow the link from the letter. It was a surprise when the number of clicks on the link turned out to be almost 20 times the number of accounting employees! It turned out that when the link didn't open, the accountants forwarded the letters to their friends to check whether it would work for them. After the results of this “phishing test”, the employees have probably become the most IS-aware accountants in Russia.
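The click counter in the story above only gave a raw total, which is why the result was confusing. The following is an added example, not code from the article or the company it describes, showing how a phishing-simulation click log can be analysed so that the metric a security team reports is the share of recipients who clicked, with forwarded links surfaced separately. It assumes each recipient got a unique token in their link, that clicks are logged as `timestamp,token,client_ip`, and that the corporate LAN uses the `10.0.` prefix; the log lines are constructed.

```python
from collections import Counter

# Constructed sample click log (not from the article). Each employee received
# a link carrying a unique token; each line is timestamp,token,client_ip.
SAMPLE_LOG = """\
2020-03-06T09:01:12,acct-001,10.0.1.21
2020-03-06T09:01:40,acct-002,10.0.1.22
2020-03-06T09:02:05,acct-001,10.0.1.21
2020-03-06T09:03:11,acct-001,203.0.113.7
2020-03-06T09:04:30,acct-003,10.0.1.23
2020-03-06T09:05:02,acct-001,198.51.100.9
"""

# Tokens issued to the five simulated recipients (constructed).
RECIPIENTS = {"acct-001", "acct-002", "acct-003", "acct-004", "acct-005"}
INTERNAL_PREFIX = "10.0."  # assumption: the corporate LAN address range


def parse_log(text):
    """Return (token, client_ip) pairs from the comma-separated click log."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, token, ip = line.split(",")
        rows.append((token, ip))
    return rows


def analyse(rows, recipients, internal_prefix=INTERNAL_PREFIX):
    """Separate the raw click volume (what a simple counter reports) from
    the two figures worth reporting: the share of recipients who clicked
    at least once, and tokens seen from outside the LAN, which indicates
    the letter was forwarded beyond the people it was sent to."""
    clicks_per_token = Counter(token for token, _ in rows)
    clicked = {t for t in clicks_per_token if t in recipients}
    forwarded = {t for t, ip in rows if not ip.startswith(internal_prefix)}
    return {
        "total_clicks": sum(clicks_per_token.values()),
        "click_rate": round(len(clicked) / len(recipients), 2),
        "forwarded_tokens": sorted(forwarded),
    }


if __name__ == "__main__":
    print(analyse(parse_log(SAMPLE_LOG), RECIPIENTS))
```

On the sample data the counter alone would report six clicks, while only three of five recipients actually clicked and one link was clicked from two external addresses.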

Image: IT-world.ru