Every third official stores citizens' data in unprotected mail

Brother

30% of civil servants ignore information security rules.

According to a study by Angara Security, 30% of regional officials use personal e-mail addresses for citizens' requests. Vedomosti got acquainted with the results of the study. According to the publication, this practice increases the risk of personal data leaks, since personal mailboxes are often not protected in the same way as corporate systems.

In addition, the study found that 60% of regional sites use the insecure HTTP protocol, which makes confidential information, including passwords, available for interception. Experts emphasize that the use of corporate emails that work through the secure HTTPS protocol significantly increases security.

It was also noted that in 10% of cases, online resources are inaccessible to users and do not contain information about technical work, which makes it more difficult for citizens to receive information and services.

According to the study, officials who used personal email for official communication mostly indicated addresses in the Russian domain zone, such as @Mail.ru or @yandex.ru, while no addresses were found in international domains.

Cybersecurity experts believe that the use of personal mail for official communication violates the law on personal data, since citizens are not informed that their data will be transferred to commercial mail services. "In the case of using a personal mailbox by employees of state institutions, all citizens' requests, which in any case contain personal data (PD), are processed not only by the employees themselves and state systems, but also by commercial ones that ensure the mailbox's operation," the expert explains. "[...] on foreign resources. In this case, we can also talk about unauthorized cross-border transfer of personal data through the servers of these mail services."

It also increases the likelihood of phishing attacks, when attackers can send messages to officials under the guise of a "resident of the region" asking for help. Then they can develop the attack depending on the victim's access rights. Given the practice of using the same passwords in different systems, sometimes compromising a personal device can give attackers access to the corporate network of the department. Then the attacker will have access to all correspondence, and he can also receive messages to it, restoring access to various sites and services (via the "forgot password" function).

In addition, an official's personal email connected to a mobile phone via two-factor authentication may be vulnerable to attacks. The phone number is easy to find out from data leaks, and re-issuing a SIM card on the black market costs about 10,000 rubles, which increases security risks.

The study was conducted on November 20-25, 2023, based on an analysis of 2,000 email addresses published on 400 websites of government organizations in more than 80 regions of Russia, including the governments of constituent entities of the Russian Federation, economic departments, ministries of health and education.
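The two measurable findings above (personal webmail addresses published on government sites, and sites served over plain HTTP) are the kind of thing an organization can audit for itself. The following Python script is an added example and not part of the original post or of the Angara Security study; it extracts e-mail addresses from constructed sample HTML for two hypothetical agency pages, flags addresses in consumer webmail domains (the study names mail.ru and yandex.ru; the rest of the list is an assumption), and flags pages whose URL uses plain HTTP.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (hypothetical domains, not real agencies): URL -> HTML body.
SAMPLE_PAGES = {
    "http://example-region.gov.test/contacts": """
        <p>Reception: secretary@example-region.gov.test</p>
        <p>Deputy head: ivanov_ii@mail.ru</p>
        <p>Press office: press@yandex.ru</p>
    """,
    "https://example-ministry.gov.test/feedback": """
        <a href="mailto:info@example-ministry.gov.test">Write to us</a>
        <a href="mailto:petrov.pp@gmail.com">Analyst</a>
    """,
}

# Assumed list of consumer webmail domains: mail.ru and yandex.ru come from the
# study; the others are common providers added here for illustration.
PERSONAL_MAIL_DOMAINS = {
    "mail.ru", "bk.ru", "list.ru", "inbox.ru",
    "yandex.ru", "ya.ru", "gmail.com", "outlook.com",
}

# Simple address pattern; good enough for published contact pages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(html):
    """Return the unique, lower-cased addresses found in an HTML body."""
    return sorted({m.lower() for m in EMAIL_RE.findall(html)})


def classify_email(addr):
    """'personal' if the domain is a consumer webmail provider, else 'organizational'."""
    domain = addr.rsplit("@", 1)[1]
    return "personal" if domain in PERSONAL_MAIL_DOMAINS else "organizational"


def audit(pages):
    """Per page: whether it is served over plain HTTP, and which addresses are personal."""
    report = {}
    for url, html in pages.items():
        emails = extract_emails(html)
        report[url] = {
            "plain_http": urlparse(url).scheme == "http",
            "personal_emails": [e for e in emails if classify_email(e) == "personal"],
            "organizational_emails": [e for e in emails if classify_email(e) == "organizational"],
        }
    return report


def summarize(report):
    """Aggregate figures comparable to the ones the study reports."""
    total = sum(len(r["personal_emails"]) + len(r["organizational_emails"]) for r in report.values())
    personal = sum(len(r["personal_emails"]) for r in report.values())
    http_sites = sum(1 for r in report.values() if r["plain_http"])
    return {
        "sites": len(report),
        "http_sites": http_sites,
        "addresses": total,
        "personal_share": personal / total if total else 0.0,
    }


if __name__ == "__main__":
    rep = audit(SAMPLE_PAGES)
    for url, r in rep.items():
        print(url, "PLAIN HTTP" if r["plain_http"] else "https", "personal:", r["personal_emails"])
    print(summarize(rep))
```

On real pages the HTML would come from a fetch of each site's contact page; the rest of the logic is unchanged. A plain-HTTP flag here only says the published URL is not HTTPS; whether the site redirects to HTTPS, or sets HSTS, is a separate check against the live server.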