Lev Matveev, founder and chairman of SearchInform, reveals the main “pain points” in the information security protection of small and medium-sized businesses, explains, how to eliminate them and shares illustrative cases of information security (IS) incidents.
Today, the amount of digital data is growing steadily. At the same time, the information is often more valuable than physical assets and therefore becomes a subject of interest for intruders. To protect your company, it seems like you don’t need much: an onboard IS specialist, advanced protective software and the hardware required. But, if it’s so simple, why is the number of data breaches and cases of corporate fraud increasing year after year? I see several reasons for this:
- For small and medium-sized businesses it’s often too expensive to purchase the protective software and equipment required. Even large companies do not always allocate sufficient budgets for information security issues, and for SMBs, the situation is much more complicated. Paying a one-time fee of several hundred thousand dirhams for software, and equipment and hiring a specialist on staff is an impossible task for SMEs.
- There is a shortage of information security specialists on the market. According to SearchInform statistics, 1/3 of companies’ executives admitted this problem.
- Information security is much more skewed towards protection against external threats – viruses, hackers, and DDOS attacks. Internal risks are underestimated, although there are convincing statistics, revealing, that in 2022, more than 72% of companies in the UAE experienced information security incidents due to their employees’ actions.
How to ensure protection against data leaks without having an in-house Information Security Department?
To make information security more accessible to all organizations, regardless of size or revenue, we at SearchInform launched the internal threat protection outsourcing service in 2019. We take on all the tasks – from software installation and configuration to providing a professional IS analyst who monitors the situation in the client company, provides reports and prevents IS incidents.
Our service enables to:
- Ensure protection against data leaks;
- Detect cases of fraud, document forgery, etc.;
- Monitor employees’ activities;
- Detect cases of third-party employment and work for market competitors;
- Comply with regulatory requirements;
and much more.
I’ll focus on the most common incidents that our outsourcing analytical experts detect in customers’ companies, often during the first month of service usage.
More than 90% of companies face data leaks, one of the most dangerous types of data-related incidents. The most frequently leaked types of data are customer databases, technical information (e.g. drawings) or know-how, followed by accounting and financial documents. Clients’ and customers’ personal data is one of the most sensitive types of data leaked.
Case: the information security analyst detected an attempt to send a passport scan to an external email account. He prevented the operation of document sending and investigated the incident. It turned out that the hotel employee had an acquaintance who bought passport scans and IDs to confirm identity on online casino resources, carsharing services, etc. The employee intended to send passport scans in order to receive a monetary reward.
Inefficient use of working time and idleness
It’s easy to calculate how much a company loses if its employees spend 60% of their paid working hours on social media. Are you ready for such expenditures? In addition, the idleness of individual employees affects the entire team’s morale.
Employees have the right to search for jobs, but if they do so, the employer should be aware of it to either retain the employee by offering him/her new terms and conditions or to prepare for the employee’s replacement. If dismissal is unavoidable, the employee’s access rights to confidential data should be reconfigured to prevent information leaks.
Document forgery, corporate fraud and theft
Overall, in 86% of companies, fraud attempts were detected. Kickbacks, bribery and document forgery are also widely spread. Our analysts identify not only cases of data falsification in documents (e.g., suppliers’ quotations), but also cases of executives’ signatures forgery. Unfortunately, it is not very difficult to forge documents today – most intruders use Photoshop for this purpose. As a result, companies suffer financial losses and, in some cases, experience reputational damage.
Case: A manufacturing enterprise was losing $97,000 to $120,000 per month as a result of pipe theft. The company executives requested an investigation. Our outsourcing IS analyst revealed the fraud scheme by obtaining duplicate waybills: one for 3, and the other for 4 pipes. 4 pipes were transported through the VCC, one was unloaded along the road, and only 3 pipes were delivered to the client.
Violations of access rights distribution
Such incidents are detected in most companies. Improper data storage and misconfiguration of access rights are among the most serious incidents. If employees outside of the financial department have access to financial documents, sooner or later, the data leak will occur.
Side companies and third-party employment
Employees moonlight during paid working hours; they often use insider data to work for market competitors or to start their own businesses to compete with their employers.
As a result, on average 70% of clients continue to work with us after a free trial month.
When communicating with potential customers, I make a simple argument: information security is an investment that pays back many times over. In most companies, the cost of InfoSec outsourcing will not just be recouped, the customer will get a benefit, due to the identification and elimination of fraudulent schemes, business pain points such as employees’ side companies, work for market competitors, third-party employment and staff idleness.
– Partner Content