
Study: internal threats in large companies turned out to be more dangerous than viruses

Large companies do not like to talk about their security failures, because doing so undermines their reputation. Therefore, in Russia, where there are no laws on the disclosure of incidents, there are very few statistics on this issue. And if there are no statistics, it may seem that there are no problems.

However, a new study by Positive Technologies shows that this is not the case: in 2013, noticeable information security incidents occurred in all of the large companies whose leaders were interviewed during the study. And in more than half of the companies, the incidents led to significant problems, including financial losses.

It should be noted that the Positive Technologies Research Center previously published mainly technical studies, including penetration test statistics and application vulnerability analysis. But do potential threats turn into real losses? To answer this question, the experts decided to conduct a survey among representatives of key industries in order to find out how companies themselves evaluate the threats and the state of their security.

The survey was conducted in April-May 2014 among the leaders of the 63 largest organizations in Russia. Representatives of banking (42%), telecommunications (17%), fuel and energy (13%), transport (4%) industries, as well as government organizations and departments (12%) participated in the survey.

More than 80% of the organizations studied are in the Russian top 100 in terms of capitalization (RIA Rating, 2013). Approximately half of the companies have a very extensive network infrastructure and have over 50 thousand nodes.

As it turned out, in 58% of the companies, information security incidents led to significant problems: disruptions of the IT infrastructure (31%), financial losses (15%) and reputational costs (12%). The most critical incidents were in the banking sector and in media and transport companies.

The most common incidents were DoS attacks, to which 23% of companies were exposed, as well as attacks on external web applications (21%). The percentage of incidents related to internal causes, namely violation of the rules of IP operation (16%) and abuse by employees (14%), turned out to be quite high. Thus, internal threats turned out to be more common than such a classic “horror story” as a malware infection (14%).

As the main source of threats, corporate executives name cybercrime first (31%). In second and third place are abuses by IP administrators (23%) and by company employees (17%). Suppliers and partners are considered a possible threat by 11% of respondents: this is not much, given the tendency to expand outsourcing. 9% of respondents indicated threats to information security from special services.

The main problems that impede the provision of security at the proper level are the lack of information security specialists (37%) and the imperfection of the regulatory framework (26%).

When organizing security, most large companies are guided by mandatory state regulations, but the role of experts is also high: 55% of executives surveyed rely on the opinion of their own security specialists, more than the number of those who trust industry or international standards. The expertise of in-house specialists carries the greatest "weight" in the telecommunications industry and in media companies.

Many research participants also noted that security depends not only on timely response to incidents within a company, but also on interaction with external incident response teams such as CERT (33%) and on receiving timely information about vulnerabilities (42%). Most of those who have not yet established such cooperation said they plan to do so in the future.

You can view the full text of the study on the website of the research center:
www.ptsecurity.ru/lab/analytics

We also remind you that on Wednesday, October 8, at 14:30, Positive Technologies will hold a press conference for IT bloggers and journalists, which will present new research data (for example, vulnerability statistics of popular CMS), as well as new company products to protect applications. You can find out the details of the program, as well as be accredited to the event, by writing to pr@ptsecurity.com. Do not forget to write what kind of media or blog you represent.

Source: https://habr.com/ru/post/239379/

