Study: internal threats in large companies were more dangerous than viruses

Large companies do not like to talk about their failures in the field of security, as this undermines their reputation. Therefore, in Russia, where there are no laws on the disclosure of incidents, there are very few statistics on this issue. And if there are no statistics, you may get the feeling that there are no problems.

However, a new study by Positive Technologies shows that this is not so: in 2013, noticeable incidents in the field of information security occurred in all large companies whose managers were interviewed during the study. And in more than half of the companies, incidents led to significant problems, including financial losses.

It is worth noting that earlier the Positive Technologies research center published mainly technical studies, including statistics on penetration tests and analysis of application vulnerabilities. But do potential threats turn into real losses? To answer this question, experts decided to conduct a survey among representatives of key industries to find out how companies themselves assess threats and the state of their security.

The survey was conducted in April-May 2014 among the leaders of 63 largest organizations in Russia. The questionnaire was attended by representatives of the banking (42%), telecommunications (17%), fuel and energy (13%), transport (4%) industries, as well as government organizations and departments (12%).

More than 80% of the organizations studied are included in the Russian top 100 in terms of capitalization (RIA Rating, 2013). Approximately half of the companies have an extremely extensive network infrastructure and number over 50 thousand nodes.

As it turned out, in 58% of companies information security incidents led to significant problems: violations of the IT infrastructure (31%), financial losses (15%) and reputation costs (12%). The most critical incidents were in the banking sector, in the media and transport companies.



The most common incidents were DoS attacks, which affected 23% of companies, as well as attacks on external web applications (21%). The percentage of incidents related to internal causes turned out to be rather high: a violation of the rules of IP operation (16%) and abuses by employees (14%). Thus, internal threats turned out to be more widespread than such a classic “horror story” as malware infection (14%).

As the sources of the main threats, company executives primarily mention cybercrime (31%). In the second and third places are abuses of IP administrators (23%) and company employees (17%). Suppliers and partners consider 11% of respondents a possible threat: this is not enough, given the trend towards an increase in outsourcing. Threats to information security from intelligence agencies indicated 9% of respondents.

The main problems that hinder the provision of security at the proper level are the lack of information security specialists (37%) and the imperfection of the regulatory framework (26%).



When organizing security, most large companies are guided by state regulations that are binding on them, but the role of experts is high: 55% of managers surveyed rely on the opinion of their own security experts - this is more than the number of those who believe in industry or international standards. The greatest “weight” of the expertise of its own specialists is in the telecommunications industry and in media companies.

Many participants in the study also noted that not only timely response to incidents within the company, but also interaction with external incident response groups such as CERT (33%) and timely information on vulnerabilities (42%) is important for ensuring security. Most of those who have not yet established such cooperation have reported that they plan to do this in the future.

You can familiarize yourself with the full text of the study on the website of the research center:
www.ptsecurity.ru/lab/analytics We

also remind you that on Wednesday October 8 at 14:30Positive Technologies holds a press conference for IT bloggers and journalists, which will present new research data (for example, vulnerability statistics of popular CMS), as well as new company products to protect applications. To find out the details of the program, as well as to accredit to the event, you can write to pr @ ptsecurity.com . Remember to write which media or blog you represent.