How is business cyber defense being built today


2022 has significantly changed the approach to cybersecurity for many Russian companies. Risks have increased in the information space, and the departure of foreign solutions has forced many companies to quickly look for a replacement.

The following statistics illustrate the main cybersecurity threats to the Russian information space:
  • the total number of cyberattacks in Russia in 2022 was 911,000, double the previous year's figure, according to Rostelecom-Solar;
  • Russian Deputy Foreign Minister Oleg Syromolotov announced at the end of December 2022 that the number of cyber attacks has increased by 80%.

Although the number of attacks on government agencies and structures tripled in 2022, entrepreneurs also failed to avoid the increased attention of hackers. Over the past year, cybersecurity has turned for many companies from a budget expense item into one of their priority tasks.

Alexander Sanin
Commercial Director of Avanpost Company

The basis has changed, and now it should be clear and obvious to everyone that almost any element of the IT infrastructure, security systems, and other components, if they depend on a manufacturer operating in an unfriendly country, cannot be 100% secure. The notorious import substitution and the now fashionable "digital sovereignty" are now not just slogans on paper, but also real steps in the real strategic documents of many companies. Yes, it is difficult, yes, it is long, but the risks are unacceptable if you do nothing.

What cybersecurity threats do businesses face?

The cybersecurity systems of Russian companies are now subject to more prolonged cyberattacks than a year ago. In July 2022, for example, an expert reported a 150-fold increase in attack duration. Not only have duration and intensity increased, but so has the overall level of complexity.

The current threats that Russian businesses have to address in their cybersecurity goals are as follows:
  • DDoS attacks, for which the forecast is already a disappointing 300% growth in the near future. They are no longer just a threat to websites, as attackers actively target services embedded in companies' IT systems;
  • targeted attacks, which require serious preparation, for example finding out employees' email addresses and then creating and sending phishing emails;
  • all kinds of malware, including encrypting malware (ransomware), that gets onto employees' computers both through phishing links and in other ways;
  • data leaks, which are not always caused by cyberattacks. Often, employees are behind them, having ignored security measures or sold valuable information to a third party.

In the Cyber Media news section, large-scale examples of what cybersecurity is for appear almost daily:
  1. In just a week, three banks were attacked at once: Rosbank, Ural Bank for Reconstruction and Development and Uralsib. The websites and banking applications of all three were eventually unavailable to users for some time.
  2. The case of the leak of customer data of the company "Sportmaster" is being prepared for consideration in the Moscow court.
  3. The attack on the information services of the Federal Customs Service affected the work of information operators that provide services to foreign economic entities.

A year ago, the motives of some hacker groups underwent a major change. Profiting from a cyberattack ceased to be the leading motivation, and other goals emerged that have to be taken into account when building cyber defenses.

Philip Schirov
Director of the Altap service for working in 1C via the Internet

A year ago, the main goal of professional cyber attacks was to make a profit. For example, hacking for the purpose of selling data. Over the past year, the number of attacks with an ideological goal has increased: to make business in Russia experience difficulties. If you look at the work of large services in the spring and summer of last year, many companies could not provide services at the proper level. The attacker did not receive any financial benefits, but in this way showed his ideological position.

Who is at the forefront of the attack

The media gets information about attacks on large companies with a pool of thousands of customers. It may seem that the basic rules of cybersecurity are also relevant for them. 42% of representatives of large and medium-sized companies, as well as the public sector, who took part in the study, recognized the need for changes in their cybersecurity principles by the end of 2022. However, they are not the only ones under attack.

Small and medium-sized businesses also face risks, sometimes even large ones, given that they lack the resources and budgets for information and computer security that the giants have.

Anton Kuznetsov
Leading Information Security Engineer at R-Vision

Along with large companies, small organizations are increasingly becoming victims of hacker attacks. A striking example of this is the Dharma cryptographic attack, which has affected a number of small and medium-sized businesses in various fields of activity over the past few months. Attackers who managed to break into the network of such organizations blocked access to critical user data by encrypting existing files: 1C and MS SQL databases, which usually store information about customers, partners, accounting and other sensitive information. Also, in some cases, important documents of companies in the doc, docx, xls, xlsx, pdf, etc. formats, including financial statements and contracts, were encrypted.

Victim companies learned about the attack when a message popped up on users' computers that data could be recovered using the decryption key. The attackers are ready to transfer the key itself in exchange for a ransom in cryptocurrency equivalent to amounts from 3,000 to 5,000 US dollars. However, there were no cases of providing decryption tools after Dharma operators received a ransom.

In all recorded cases, Dharma attacked organizations by penetrating from the Internet through publicly accessible servers using the Remote Desktop Protocol (RDP).

For small companies without budgets for complex and large-scale cybersecurity technologies, measures to protect their infrastructure are equally important. Failure to install and update antivirus software in a timely manner, lack of attention to passwords, localization of the software used, and other security measures, as well as lack of employee training can be costly. An increasing number of Russian business representatives are coming to this conclusion.

Maxim Mezhenkov
Company Founder

As a business, we use services and cooperate with other businesses and do not know where they keep their data. Even if they say that they are a Russian company with a Russian infrastructure, they can only be one on paper. If the lights are cut off with a big switch tomorrow, these businesses will suffer, and we will suffer - all those who trusted them to process some of their data. And then there is such a risk: if someone large collapses, who has some of the servers not in Russia, but in Germany, for example, then a huge number of smaller companies will suffer along with it.

Many small companies also had to get acquainted with the concept of cybersecurity due to the emergence of an ideological component in the hacker movement. After all, from the point of view of making a profit, small businesses usually do not arouse increased interest among cybercriminals.

Dmitry Pudov
CEO of NGR Softlab

High-profile attacks and leaks show us that even large companies that are systematically engaged in information security can be successfully attacked. Small companies, on the one hand, are of less interest to attackers, on the other — last year showed that the risks for all Russian organizations have increased significantly. For example, such a phenomenon as hacktivism does not take into account the prospects for monetizing a successful attack. The very fact of hacking or disabling a number of services of almost any company is enough.

Speak the same language as your business

Previously, the cybersecurity industry in Russia often faced misunderstanding on the part of business owners. It could not have been otherwise, because information security tools are expensive for a company, and in-house information security specialists have to be paid a considerable salary by market standards. That salary has grown significantly over the year, following the growth in demand for such specialists. According to the Superjob service, the average salary of an information security specialist is 140 thousand rubles. As of January 2023, there was a shortage of information security specialists in Moscow.

Computer security, if it is organized according to all the rules, still remains a significant item of expenditure in the budget of companies. However, the situation in cyberspace has changed the attitude of many business representatives to these costs.

Grigory Revenko
Director of the Center of Expertise at R-Vision

Many companies have finally come to the realization that ensuring cybersecurity is not just a "tick" for compliance with regulatory requirements, but an essential tool for continuing the effective operation of the organization. And today it is no longer necessary to convince anyone of the need to use certain information security solutions, rather, in the current conditions, their reliability, efficiency and the possibility of an integrated approach to protecting against existing and potential threats are of critical importance.

It is too early to say that security specialists are now completely "on the same page" with business owners. But in many companies both sides are taking important steps to understand each other's challenges and opportunities. The current state of information systems cybersecurity encourages this movement toward each other to continue.

Kirill Ugolev
Head of the TEGRUS Information Security Division

While it is probably premature to talk about a conversation in one language, the process of business maturation to information security tasks is taking place. More and more companies are starting to look at the situation around them, and information security issues are now receiving more attention than, for example, a couple of years ago. Plus, the regulator began to require the creation of information security units with a representative at the level of the company's deputy management in government organizations or companies with critical infrastructure. All these measures, one way or another, create prerequisites for the fact that problems with information security will be voiced and heard, and companies will begin to increase their strength in this area.

Government regulation

For companies that have not yet learned from their own experience what cybersecurity is and what consequences neglecting it can lead to, the state is a reminder of the seriousness of the situation as it tightens legislation. The year 2022 set a kind of record for the number of changes in this area.

One of the most high-profile changes for all areas of cybersecurity was Decree No. 250, which establishes the personal responsibility of a manager for security incidents that occurred in his organization. Starting from March 1 of this year, Roskomnadzor must be notified when data is transferred across borders.

Some of the changes in information and cybersecurity have not yet been introduced, but their implementation is announced for the near future. Thus, the State Duma will soon begin considering a draft law on the introduction of turnover penalties for data leakage in case of repeated violation. If it is adopted, their size can grow up to 500 million rubles. The Cyber Media portal asked experts whether to expect changes in the attitude of businesses to cyber defense under the threat of such penalties.

Olga Karpova
Head of Information Security Department at RooX

Of course, an increase in the fine will logically join the pool of factors that motivate companies to develop information security systems.

However, this development has a competitor for the budget — cyber insurance. So far, the demand is low, but it is growing. According to one survey, in 2022, 6% of Russian companies insured cyber risks and 21% planned to use such a service.

However, some experts note that fines should not be expected to have a dramatic effect in solving cybersecurity problems. In any case, the resources of Russian business are limited and none of the companies can "jump over their heads" if they have already taken all the necessary and possible measures taking into account their resources.

Dmitry Mazanov
Representative of Arbitroom company

Tougher penalties for data breaches may force companies to take cybersecurity more seriously and allocate a budget to improve it. However, it should be borne in mind that fines are only one aspect of cybersecurity and cannot guarantee full protection. Companies should also invest in staff training and technology infrastructure improvements, as well as collaborate with qualified cybersecurity service providers.


Over the past year, the security of computer systems and networks has become part of the development strategy of many Russian companies. The necessary measures had to be taken in a hurry, even for those who had not previously paid due attention to this issue.

The nature of the threats faced by information security specialists has changed. Some companies fall victim not to profit-seeking hackers, but to so-called hacktivists, who seek to do harm for ideological reasons. In this sense, even small companies that were previously left alone have come under fire.

Business owners and information security specialists have not yet reached a perfect understanding. However, the growth of cyber threats has significantly simplified their interaction and the achievement of security goals.

Business representatives who do not want to pay enough attention to the issue are strongly reminded of this need by the state. The process of tightening legislation in this area continues, which further motivates companies to strengthen their cyber defense.