Thirsty for pressure: Why office workers don't think about cybersecurity
The level of in-house security at Russian companies does not meet the requirements of the time, according to a survey conducted by MTS Link and Superjob. Every fifth employee of Russian offices has never received training or briefings on information security. At the same time, corporate data leaks often occur not because of large-scale hacker attacks, but because of insufficient vigilance on the part of users, experts warn. What an office employee should know, and how often staff should be trained, in this Izvestia report.
How often trainings are held
10% of Russian companies have never held information security trainings, and last year such briefings and courses were organized in only half of them. This follows from research by Webinar Technologies (the MTS Link brand), a developer of ecosystem services for business communications, and the job search portal Superjob, which surveyed representatives of 1,000 companies.
Often corporate data leaks occur not because of large-scale hacker attacks, but because of insufficient vigilance of users, recalled Oleg Pashukevich, director of the Meetings business unit of MTS Link.
"Cybercriminals are very inventive: new methods of social engineering appear literally every week," he said. "Modern technologies, such as artificial intelligence and deepfakes, are being used. That's why it's critical to regularly educate staff about the risks."
He also noted that companies with remote or hybrid working arrangements are particularly vulnerable in this respect.
According to a survey of office staff, also conducted as part of the study, only 36% had received data protection training within the last six months. One in five said they had never had such corporate training. A further 7% of respondents recalled taking training more than a year ago, and 3% more than two years ago.
Cyber defense of a company is not only the task of dedicated specialists, but also the responsibility of all employees, said Anatoly Stoyanovsky, Director of Digital Transformation and Technological Innovations at the Skolkovo School of Management.
"If you lose your laptop or phone used for work, your company is at risk," he said. "You received a phone call from someone who introduced themselves as a member of the special services (without providing supporting documents) and you have given sensitive information to intruders. Alas, with today's voice and image spoofing technology, you often can't be sure that you're talking to a real colleague and not a hacker."
He also reminded that one of the serious problems of our time is the spoofing of corporate services.
"As soon as all employees receive a fake letter allegedly from the company's management with a demand to urgently go to a supposedly corporate website (fake in fact, but looking like a real one) and enter their work password, quite a few employees can do it without thinking, thus passing their password to attackers," the expert stated.
Any company in any industry can become a target for a cyberattack, but this issue is especially sensitive for organizations that accumulate the personal data of a large number of people, such as in medicine, banking and retail, warned Yulia Chernoutsyan, General Director of IT provider MightyCall.
"Lack of regular trainings can weaken staff's vigilance against phishing links or the risk of data leakage," she said. "The consequences of such recklessness are serious: leaking commercial information can cause financial damage and undermine customer confidence. And when it comes to violating legislation on personal data protection, there are possible legal problems and large fines, which, depending on the volume of the leak, can exceed tens of millions of rubles."
In many attacks aimed at legal entities, the "weak link" is the person who, through ignorance or gullibility, can become an accomplice of the attackers, SafeTech Lab CEO Alexander Sanin is also certain.
"We have been observing the growth of fraudulent schemes with an attack on the end user for several years now," he said. "And it is very important that the user is well aware of the mechanisms of such frauds and what to do and what not to do. And this applies not only to schemes aimed at citizens. Recall at least the attacks against legal entities last year and the year before, when fake calls and messages from alleged company management encouraged company chief accountants to transfer millions to the accounts of attackers."
Pavel Teplov, Innovation Director of Mercator Holding, stated that "a good old sysadmin will not solve all the problems if the staff and management of the company are deprived of these skills."
"Systems are becoming more and more complex, and their proper functioning rests on the shoulders of not only narrow specialists," he said. "A lot depends on the level of training of all users, especially key users, and their ability to understand current risks and mitigation strategies."
The basic rules of cybersecurity are intuitively obvious (don't tell anyone your passwords or the transaction confirmation codes that arrive by SMS, don't leave an unlocked computer in someone else's room, don't trust suspicious emails), but it's easy to confuse the average person when it comes to digital services, said Anatoly Stoyanovsky.
"This is due to the fact that for thousands of years we have learned to control physical space and security in it, while digital technologies are relatively new, require a different understanding of things, and therefore people tend to distort common sense in suspicious situations," he said. "An equally important aspect is that in the digital world, the boundary between our personal and work, office space is blurred. From the same smartphone, people can manage a personal bank account, communicate with friends, as well as do some work transactions. Your social network password may be the same as your work password, and then hacking it becomes a company problem."
What an office employee should know
First of all, an employee should understand what types of fraud and attacks are used by attackers, what social engineering and phishing are, how they should treat their passwords and why they need two-factor authentication, Alexander Sanin said.
"And most importantly, it is necessary to understand what the consequences will be if an employee fails to comply with the regulations and the attack is successful," he said, adding that trainings should be held at least once a year.
The same frequency was recommended by Tatiana Shumailova, an expert in Kaspersky's Security Awareness digital literacy area. She noted that the use of weak passwords remains one of the main problems. Last year, the Kaspersky Digital Footprint Intelligence team analyzed 193 million passwords found in the public domain on darknet resources and found that fraudsters could guess almost half of them in less than a minute.
"And in general, it's important for corporate users to be vigilant: double-check information, be critical of unusual requests, especially if they are pressed for urgency," she said. "Don't click on links or download files if something in the message is suspicious. Employees need to know what to do if they make a mistake or notice any suspicious activity on their computer or smartphone."
Office workers need to know basic information security rules, including creating complex passwords, recognizing phishing emails and suspicious links, as well as rules for working with generative artificial intelligence systems, which also increase the risks of confidential data leakage, Yulia Chernoutsyan added. She recommended holding cybersecurity trainings at least once a quarter, given the speed at which new technologies and types of threats are emerging.
Employees should know the list of actions they should perform in the event of a possible attack, said Alexander Bleznekov, head of information security strategy development at IT integrator Telecom Exchange.
"And it is important to obligatorily conduct practical trainings, for example, to carry out phishing mailings, to consolidate theoretical knowledge. Employees should reflexively distinguish attacks of this type, understand which resources should not be accessed, and immediately respond," he said.
Tatiana Shumailova noted that the training program and the list of required topics should be selected depending on the risk profile of the employee: whether they work as an operator or handle personal data, and whether they have administrator rights on their work PC.
"If they are, for example, employees from the IT department or development, specialized trainings should be organized for them," she said.
Alexander Bleznekov added that the more information resources an employee has access to, the more serious the consequences for the company can become.
"For example, if the administrator opened a malicious file and his authorization data was leaked, further down the chain the attacker can gain access to the domain controller, reset account passwords, gain access to critical resources and encrypt, delete or download confidential information," he gave as an example.
Alexander Sokolov, Head of Security Awareness at Solar Group of Companies, called for attention to be paid to the training of all employees, regardless of their position. In the training itself, theory and practice should be combined.
"From the theoretical basics, it is important to have at least knowledge in the following topics: 'Password Policy', 'Mobile Device Security', 'Safe Internet Search', 'How to Protect Social Networks', 'Social Engineering Methods and Phishing Attacks', 'Security of Confidential Data', 'Basic Security Rules for Remote Work'," he listed.
The expert said that companies need to conduct not only theoretical trainings, but also practical training to counter the various socio-technical methods of attackers, in particular by sending mailings that imitate phishing emails.
"It's this kind of training that reduces the risk of a cyber incident caused by a company employee," he said. "If we don't use something in our practice, the skill is lost. Therefore, cyber literacy training should be approached in a cyclical and continuous manner. The frequency should be as follows: phishing emails once every 1.5 months or so."
At the same time, according to him, simulated phishing should be targeted at specific groups of users (with the mailings to different groups separated in time), rather than one identical email sent to all company employees at once.
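The schedule the experts describe (each group receives one simulated phishing email roughly every 1.5 months, groups mailed at different times rather than all at once, results used to decide who needs a refresher) can be planned and tracked with a small script. This is an added illustration, not code from any of the companies quoted; the group names, the 45-day cycle, the 10% click-rate threshold and the sample results are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

CYCLE_DAYS = 45  # assumption: "once every 1.5 months or so"
GROUPS = ["finance", "hr", "it", "sales"]  # constructed groups

def plan_campaigns(start, groups, cycles, cycle_days=CYCLE_DAYS):
    """Return a list of (send_date, group) so that every group gets one
    simulated phishing email per cycle and the groups are spread across
    the cycle instead of all being mailed on the same day."""
    if not groups:
        return []
    gap = cycle_days // len(groups)  # days between consecutive groups
    schedule = []
    for c in range(cycles):
        cycle_start = start + timedelta(days=c * cycle_days)
        for i, group in enumerate(groups):
            schedule.append((cycle_start + timedelta(days=i * gap), group))
    return schedule

def summarize(results):
    """results: iterable of (group, outcome), outcome in
    {'clicked', 'reported', 'ignored'}. Returns per-group rates."""
    counts = defaultdict(lambda: {"clicked": 0, "reported": 0, "ignored": 0})
    for group, outcome in results:
        counts[group][outcome] += 1
    summary = {}
    for group, c in counts.items():
        total = sum(c.values())
        summary[group] = {
            "n": total,
            "click_rate": c["clicked"] / total,
            "report_rate": c["reported"] / total,
        }
    return summary

def needs_refresher(summary, max_click_rate=0.10):
    """Groups whose click rate exceeds the threshold get extra training."""
    return sorted(g for g, s in summary.items() if s["click_rate"] > max_click_rate)

# Constructed sample outcomes from one cycle (not real data).
SAMPLE_RESULTS = [
    ("finance", "clicked"), ("finance", "reported"), ("finance", "ignored"), ("finance", "reported"),
    ("it", "reported"), ("it", "reported"), ("it", "ignored"),
    ("sales", "clicked"), ("sales", "clicked"), ("sales", "ignored"), ("sales", "reported"),
]

if __name__ == "__main__":
    for send_date, group in plan_campaigns(date(2025, 1, 6), GROUPS, cycles=2):
        print(send_date, group)
    print(needs_refresher(summarize(SAMPLE_RESULTS)))
```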