''It was less told about growth of the security budget in Volga Federal Okrug than in Russia in general''
The expert’s column on the state of affairs in information leaks and corporate fraud in Volga companies
What's the state of affairs in leaks and corporate fraud in Russian companies? How much worse the situation in Volga Federal Okrug does look in general? Is the number of information security incidents because of human error really growing? Director of the representative office of SearchInform in Volga Federal Okrug Tatiana Latushkina answers these and other questions in her column deliberately written for Realnoe Vremya.
Every year we do research of the state of information security in Russian companies. We focus not on external threats but those concentrated inside companies. And it's a huge variety of possible risks: information leaks, corporate fraud, kickbacks as well as simply lack of attention of a person, negligence, narrow-mindedness and susceptibility to influence of external plotters.
To understand the situation, we asked how the number of information security incidents because of human error had changed, and 16% of the respondents claimed there had been growth. This indicates that companies are increasing their awareness of threats – incidents started to be detected more often, and this is certainly a positive trend. It's more notable in some sectors. For instance, in retailing, oil and gas industry and finance.
It's not accidental – information security risks in these sectors are simply huge: a chain of offices, complicated business processes. But, most importantly, there is what to steal. Fortunately, the same companies are better protected in terms of information security: they implement not only available and habitual tools but also such specific as DLP and SIEM systems (specialised programmes detecting leaks and information security events).
But, unfortunately, it was less told about growth of the security budget in Volga Federal Okrug than in Russia in general (21% against 30%). 14% even cut these costs. Mainly banks install and implement DLP and SIEM systems under regulators' pressure (the Russian Central Bank's requirement). Others do it not out of fear of fines – they aren't so afraid of being punished by regulators. Though legislation has terrifying articles, there aren't tried and tested legal precedents.
For instance, there is a well-known law on personal data and a big number of news that passport and credit card data are leaked at every turn, but the Federal Service for Supervision of Communications, Information Technology and Mass Media doesn't impose a fine for it.
Image can't be ignored
In such a situation, what catches my eye is that companies started to assume responsibility for information leak more often. This year, we've seen a significant rise, and Russian indicators will soon level with EU countries and the USA. 31% of surveyed representatives of Volga Federal Okrug companies said they notified victims about the leak. This suggests that companies can't ignore reputational risks any more. But only 2% of the surveyed communicate information to the mass media. But not all at once.
The image issue is very interesting in general. As it turned out from the research, companies are seriously concerned about losing reputation. A one-fifth of the surveyed told they ensured that their employees didn't spread negative rumours about the company, the staff's loyalty also mattered to approximately the same percentage of the surveyed. 24% of the surveyed said they assessed the damage done to the image from incidents.
But, of course, direct financial losses mattered more. 43% of the surveyed said that unproductivity, employees' fraud, information leaks brought to financial loss in the organisation. Key problems are use of companies' resources by employees for personal purposes (43% of replies), industrial spying and work in favour of opponents (23%), attempts of kickbacks (18%).
Information leaks, as a rule, are loyal supporters of such incidents. Information about clients and deals was missing in a third of cases, technical information was lost less (28% of replies). Information about partners (17%) ranks third, internal accounting (4%) is fourth. So commercial information leaked from Volga companies more than in half of cases.
Violators and punishment
If we try to feature a violator's portrait, it will often be an ordinary employee. 76% of the participants of the survey communicated. A big number of them are supply managers (28% of replies), accountants and economists (22%), executives' assistants and secretaries (18%). That's to say, those who are closer to resources and information.
Employers don't want to forgive violators: they dismiss in a third of cases, they impose a fine in 28% of cases. Only 6% of cases go to court – they don't want to draw attention, fairly thinking that money loves silence. This is why these rare cases of legal actions often speak about gross violation and an employer's great desire to punish the employee. Bosses more often just give up on the violator, of course.
But they try not to file actions against violators not because of specifics of legal procedures: it takes a lot of energy to win a case against even the evilest employee-violator, while the benefit is not always obvious. Though our practice has enough cases where courts take data from special software into account and defend the employer.
To prevent incidents, employers prefer to control e-mail, external devices and phone talks of their employees (27,22 and 16% of replies respectively). Greater attention is paid to those who spread negative comments about the company, who are disloyal or sabotage work. These negative signs of behaviour scored 20% of replies on average. This is also an interesting trend. For an employer, it's just important not just have a chance to fix information leak at the right time. It's important to understand who he works with, employees' personal problems, which can be dangerous for the business and the staff – drug addiction, sharing extremist beliefs, disloyalty to the company.