Business information security


Information security is the set of measures you take to protect your confidential data, developments, ideas, technologies and, ultimately, the company's money. Small companies often neglect it because the founders or hired managers are sure that "there is nothing to steal from us". This happens because information security is an extremely broad concept: its many aspects are hard to fit into one frame, and they are not perceived as parts of a single problem. The main misconception is that information security is hugely expensive. In fact, the quality of an IT infrastructure can be improved significantly just by following a few simple rules. Let's look at the threats that exist and what to do to avoid severe consequences and extraordinary expenses.

Types of information security

Information security includes maintaining the confidentiality of data, building a hierarchy of access to information, ensuring that software runs without interruption (including backing up critical data), and controlling bank accounts and other financial instruments. Each piece of information should be accessible only to the employees whose duties require it (the principle of least privilege). For example, only employees of the purchasing department need information about suppliers, and they have no need to know the names and financial details of buyers. This limits the damage a single account can do: a dismissed employee who had access to every database, not only the data for their own role, can sell them to competitors. The "we are one team" attitude falls apart after the first serious incident, and the business is lucky if the losses are minor. In practice, the main weak point in information security is the human factor. It is important to build a hierarchy of data access and not deviate from its rules.
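The access hierarchy described above, including what should happen when an employee changes department or leaves, as an added example that is not part of the original article. The role names, data categories and employee name are constructed; in a real company the same checks are enforced in the database, file server or application, not in a script.

```python
"""Deny-by-default access hierarchy with clean transfer and offboarding.

Added example for this article, not code from the original page. The departments,
data categories and employee names are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed policy: each role sees only the categories its work requires.
# Purchasing needs suppliers; sales needs buyers; only finance sees buyers'
# payment details. Anything not listed here is denied.
ROLE_ACCESS = {
    "purchasing": {"suppliers"},
    "sales": {"buyers"},
    "finance": {"buyers", "buyer_payment_details"},
}


@dataclass
class Directory:
    """Who holds which roles. Every change is logged so it can be audited later."""
    roles: dict = field(default_factory=dict)   # username -> set of role names
    audit: list = field(default_factory=list)

    def hire(self, user: str, role: str) -> None:
        if role not in ROLE_ACCESS:
            raise ValueError(f"unknown role {role!r}")
        self.roles.setdefault(user, set()).add(role)
        self.audit.append(("hire", user, role))

    def transfer(self, user: str, new_role: str) -> None:
        """Move to another department: old roles are dropped, not accumulated.
        Letting roles pile up (privilege creep) is how one person ends up seeing everything."""
        if new_role not in ROLE_ACCESS:
            raise ValueError(f"unknown role {new_role!r}")
        self.roles[user] = {new_role}
        self.audit.append(("transfer", user, new_role))

    def offboard(self, user: str) -> None:
        """Leaver: remove every role the same day, so the account is useless even if
        a shared password was not changed yet. Badges and tokens need the same treatment."""
        self.roles.pop(user, None)
        self.audit.append(("offboard", user, None))

    def can_read(self, user: str, category: str) -> bool:
        """Deny by default: unknown user, unknown category or missing grant all give False."""
        return any(category in ROLE_ACCESS[r] for r in self.roles.get(user, set()))

    def reachable(self, user: str) -> set:
        """Everything a user can currently see; useful for periodic access reviews."""
        return set().union(*(ROLE_ACCESS[r] for r in self.roles.get(user, set())))


def walkthrough() -> dict:
    """Constructed scenario: an employee starts in purchasing, moves to finance, then leaves.
    Returns (can see suppliers, can see buyer payment details) at each stage."""
    d = Directory()
    d.hire("anna", "purchasing")
    seen = {"purchasing": (d.can_read("anna", "suppliers"),
                           d.can_read("anna", "buyer_payment_details"))}
    d.transfer("anna", "finance")
    seen["finance"] = (d.can_read("anna", "suppliers"),
                       d.can_read("anna", "buyer_payment_details"))
    d.offboard("anna")
    seen["offboarded"] = (d.can_read("anna", "suppliers"),
                          d.can_read("anna", "buyer_payment_details"))
    return seen


if __name__ == "__main__":
    for stage, (suppliers, payments) in walkthrough().items():
        print(f"{stage:11} suppliers={suppliers} buyer_payment_details={payments}")
```

The point of `transfer` replacing the role set rather than adding to it is the one the article makes: rights should follow the current job, not the career history, and `offboard` removes everything at once so a leaver's account is harmless even before every shared password has been rotated.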
When an employee transfers to another position within the company or leaves, change the passwords they knew (and passwords must be strong to begin with), disable or re-scope their accounts, and revoke their electronic keys (access badges and tokens). It is also important to run training to improve computer literacy, because the human factor is not only resentment or malicious intent; it is also inattention, a poor understanding of the processes, curiosity and overwork.

So one of the main types of attack on business, phishing, is usually not virtuoso hacking or sophisticated malware but a trick played on the emotions of insufficiently trained employees. Phishing is a message (e-mail, messenger, SMS) that impersonates a trusted party and leads the victim to an almost exact copy of a real site in order to capture personal data: bank card details, passwords to the company's CMS, or social network accounts. An absent-minded user responds to the emotional appeal to urgently share card details or a password, because the phishing page threatens to delete or send something somewhere, and in the end the company loses access, money and reputation. According to IT Support specialists, phishing will move into the "private sector": attackers will hunt for personal data on social networks. This trend can already be observed in the field: in their experience, phishing attacks on enterprises are decreasing, while everyone has heard about the case of Russian football player Artyom Dzyuba, who was blackmailed for a huge sum over a home video stolen from a personal device.
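The "almost exact copy of a specific site" usually starts with a link whose domain merely resembles the real one. The following is an added example, not code from the original article, that flags such look-alike links in a message. The trusted domain list, the character-substitution table, the sample message and the edit-distance threshold are constructed assumptions; a production filter would use a public-suffix list and a far larger homoglyph table.

```python
"""Spot links to look-alike copies of trusted sites in a message.

Added example for this article, not code from the original page. TRUSTED,
HOMOGLYPHS and SAMPLE_MESSAGE are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed: the domains the company and its bank really use.
TRUSTED = {"example-bank.com", "mycompany.com"}

# A few character swaps that look alike in an address bar or an e-mail font.
# Applied to both sides before comparing, so "examp1e-bank" matches "example-bank".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable(host: str) -> str:
    """The part someone actually registered: the last two labels.
    Assumption: no two-label public suffixes such as co.uk appear in TRUSTED."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Collapse look-alike characters and hyphens so visual twins compare equal."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two typos away from a trusted name is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted' for our own domains, 'lookalike' for an imitation, 'unknown' otherwise."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    label = reg.split(".")[0]
    for trusted in TRUSTED:
        tlabel = trusted.split(".")[0]
        if trusted in host:  # trusted name buried in a longer hostname someone else owns
            return "lookalike"
        if normalize(label) == normalize(tlabel):  # same name, other TLD or homoglyphs
            return "lookalike"
        if levenshtein(label, tlabel) <= 2:  # typosquat; lower the bound for short names
            return "lookalike"
    return "unknown"


def scan_message(text: str) -> list:
    """Return (url, verdict) for every link in the text that is not one of ours."""
    return [(url, classify(url)) for url in URL_RE.findall(text) if classify(url) != "trusted"]


# Constructed sample: the urgent tone plus a look-alike link is the usual pattern.
SAMPLE_MESSAGE = """Dear customer, your account will be blocked within 24 hours.
Confirm your card details now: http://examp1e-bank.com/verify
Read our policy: https://www.example-bank.com/policy
Support portal: https://example-bank.com.secure-login.net/help
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:9} {url}")
```

The third link in the sample is the case that fools people most often: the real domain is visibly present, but it is only a subdomain of `secure-login.net`, which is what the browser actually connects to. Checking the registrable part of the hostname, not whether the trusted name appears somewhere in the URL, is what catches it.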

Types of information security threats

Information security threats can be external or internal. Internal threats are neglect of rules and regulations, a missing or ignored hierarchy of access to data (for example, ordinary employees should not have administrator rights), employee negligence or an irresponsible attitude to work. This also includes practices that seem elementary in theory, such as a manager giving bank card details and a PIN code to an employee (because "we are one team" and "it's faster and easier"), or sharing a single electronic key to the office workspace. Employees should know that they have no right to change these rules, pass keys or credentials to third parties, and so on.

External threats are the consequences of political events (for example, seizure of equipment), natural disasters, incidents in office buildings, and cyberattacks: ransomware, DDoS attacks, phishing and so on. Developing a hierarchy and rules for access to equipment and information helps here too: for example, limit user rights on workstations so that employees cannot install software. Much malware needs administrator rights to install itself persistently or to tamper with the system, so running under a limited account contains the damage even when the malicious file arrived over the local network or from the Internet. It is not a complete defence, though: code running under the user's account can still encrypt or steal everything that user can read and write. In addition, installing anti-virus software and applying OS updates regularly will help protect the business from external threats.

All critical data must have backups, the backups must be checked regularly by actually restoring them, and they must be kept on dedicated storage that ordinary users (and therefore malware running under their accounts) cannot overwrite, not in shared folders. Another very simple tip is to set strong, unique passwords on peripheral and network equipment. This is a very common mistake by administrators: gateways and IP telephony devices are dangerous precisely because they are often left with factory default passwords such as qwerty or 12345.
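"Backups must be checked regularly" means more than confirming the archive file exists: the check that matters is a trial restore compared against known-good hashes, plus a freshness limit so a backup job that silently stopped months ago is noticed. The following is an added example, not the article's or any product's code; the sample files, the 7-day freshness limit and the fixed timestamps are constructed assumptions.

```python
"""Backup with an integrity manifest, verified by a trial restore.

Added example for this article; not code from the original page. The sample
files, paths, timestamps and the 7-day freshness limit are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path, now: Optional[float] = None) -> dict:
    """Archive every file under `source` and record its SHA-256 beside the archive."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                files[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    manifest = {"created": now if now is not None else time.time(), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, max_age_days: float = 7, now: Optional[float] = None) -> list:
    """Trial-restore `archive` into scratch space and compare each file with the manifest.
    Returns a list of problems; an empty list means the backup is fresh and restores cleanly."""
    problems = []
    manifest = json.loads(manifest_path(archive).read_text())
    age_days = ((now if now is not None else time.time()) - manifest["created"]) / 86400
    if age_days > max_age_days:
        problems.append(f"stale: last backup is {age_days:.1f} days old")
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # 'data' filter (3.12+, backported) refuses absolute paths and traversal
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, OSError, EOFError) as exc:
            return problems + [f"archive unreadable: {exc}"]
        root = Path(scratch)
        for rel, expected in manifest["files"].items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> tuple:
    """Build a tiny backup, verify it, then check a stale copy and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "crm"
        (src / "contracts").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Constructed Ltd\n")  # constructed data
        (src / "contracts" / "2024-001.txt").write_text("constructed sample contract\n")
        archive = work / "crm-backup.tar.gz"
        t0 = 1_700_000_000.0  # fixed "now" so the freshness check is deterministic
        make_backup(src, archive, now=t0)
        good = verify_backup(archive, now=t0 + 86400)          # one day later: fine
        stale = verify_backup(archive, now=t0 + 30 * 86400)    # a month later: flagged
        # Simulate a backup job that died halfway: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        broken = verify_backup(archive, now=t0 + 86400)
    return good, stale, broken


if __name__ == "__main__":
    for name, result in zip(("good", "stale", "broken"), demo()):
        print(name, result or "OK")
```

Run the verification from a schedule on a machine other than the one that wrote the backup, so that a single compromised workstation cannot both destroy the data and suppress the alarm. The manifest also belongs on write-once or append-only storage; a backup that ransomware can overwrite is not a backup.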

Let's summarize:

- Create a hierarchy of access to all data
- Configure correct backups of critical data
- Install anti-virus software and update it regularly
- Install operating system updates
- Introduce regulations on access to information for different employees
- Do not share electronic keys or bank card details with third parties, and forbid your employees from doing so
- Use the recommendations of experienced users and of those who have already faced a similar problem
- Monitor the performance indicators of the equipment (processor utilization, amount of RAM used, etc.)
- Set up remote monitoring of employee actions at workstations

If you haven't found a way to protect your information, contact IT Support specialists: we will be happy to help you.