Maxim Ruban, head of information security at the eXpress corporate communications platform, commented for RIA Novosti on IT infrastructure security and personal data protection. We publish the full version of the comment.
The likelihood of a leak depends on the size of a company's information infrastructure and its investment in information security. Often, cybercriminals are especially interested in large amounts of data in organizations in the financial sector, the military industry, e-commerce, and large IT companies.
Most often, leaks are associated with unintentional actions of the users themselves and vulnerabilities in the information structure of organizations that may arise due to the negligence of IT and IS departments personnel. There are two main types of leaks: through "holes in the infrastructure, the second - through users and phishing attacks.
With regard to personal data, any legal entity that becomes the operator of the processing of personal data must determine the purpose of data processing and ensure the separate storage of various categories of personal data, including those incompatible with each other in terms of processing purposes. The most important thing is that personal data does not “lie” in one place. At a minimum, they should be stored in different databases and, if possible, encrypted.
Everyone should follow the recommendations of Roskomnadzor. To do this, it is necessary to implement a process for collecting, organizing and storing personal data, and then ensure their protection. Of course, it will take time to change approaches to ensuring the security of personal data. First of all, it is necessary to determine the order of processing and assign responsibility to the staff. The second stage is to provide for a number of organizational, organizational and technical measures to increase the level of infrastructure security.
It is necessary to conduct training for employees on an ongoing basis, to direct efforts to improve literacy in matters of information security. In parallel, it is worth considering the introduction of a confidential data leakage control system (DLP - a system that allows you to determine the flow of information and information depending on certain keys). It is necessary to minimize the list of personal data collected and processed by the company, because the volume of data is growing, and the approach to protecting them remains the same. It is also important to review measures to protect personal data depending on their array. This is an important point, because it is not the leak itself that is terrible, but the damage that can be caused if attackers use this data. Personal data must be destroyed after the purposes of their processing are achieved.
Another option to prevent leaks is to use secure corporate communications. All information is stored in encrypted form. If an attacker decides to hack the database, then it will take tens of years to decrypt it, and therefore his interest in hacking is lost, and he switches his attention to easier "extraction". Using Russian corporate messengers has its advantage also due to the fact that the data is stored on the territory of the Russian Federation, which is a prerequisite for the processing of personal data.
Sometimes users themselves do not understand for what purposes they provide personal data. They either do not receive this information from the personal data operator, or do not pay due attention to it. On the part of the user, the most important thing is to store authentication data in a secure place and to change passwords periodically, not to use the same passwords for different types of services.
Read the original publication in E-xecutive
