Regional Workshop on Capacity Building in Public Policy Issues of Internet Use for Business Development in Asia and the Pacific. 18-20 October 2006 Bangkok, Thailand Mr. Evgeniy Moiseev, Advisor to International Union of Economists, Russian Federation



  1. Regional Workshop on Capacity Building in Public Policy Issues of Internet Use for Business Development in Asia and the Pacific. 18-20 October 2006 Bangkok, Thailand Mr. Evgeniy Moiseev, Advisor to International Union of Economists, Russian Federation

  2. Information Security and Protection of the Information of Small and Medium Enterprises in Russian Federation

  3. Introduction • In 2005 the number of SMEs in Russia increased by 26 thousand and reached 960 thousand entities. • Russian companies continue to embrace the internet, enjoying the benefits of broadband connections. • Security awareness in the Russian business community has never been better. For example, 90% of companies have anti-virus software in place and more than half of businesses believe that security is a high priority to their senior management or board.

  4. However, the gap between the companies that are focused on information security and those that are not is widening. Spyware, instant messaging, identity theft, Voice over IP telephony, and even MP3 players pose new security threats for businesses. Roughly half of businesses, while they may have anti-virus protection, typically lack basic security disciplines and may be over-confident about the effectiveness of their security controls.

  5. Evaluating the risks, educating staff about them and implementing appropriate technical controls are all vital for success in tomorrow’s security landscape. • On August 15th 2006 the Russian Government signed a Decree on licensing the technical defense of confidential information.

  6. IT systems in general, and the internet in particular, are increasingly important to business operations • Nearly every Russian business in big industrial centers makes use of the internet; 97% have an internet connection and 80% of these are broadband. • About 50% of companies have a web-site, with 70% of these being externally hosted. • Dependence on IT continues to grow; only one in six small companies could operate their business without IT.

  7. IT systems in general, and the internet in particular, are increasingly important to business operations • Three-quarters of Russian businesses rate security as a high or very high priority to their senior management or board of directors. • The main drivers for information security expenditure remain confidentiality, integrity and availability.

  8. The priority given to security has translated into action • The number of companies with a formal security policy is increasing. • The average Russian company now spends 3-4% of its IT budget on information security. • 90% of businesses have anti-virus software. • 96% of companies filter incoming e-mail for unsolicited messages (spam). • But nearly half of Russian businesses that are confident have identified all significant security breaches in the last year.

  9. The improved controls appear to be having an effect. After big rises since the mid-1990s, the number of companies affected by security incidents appears to have stabilized. The cost, however, remains considerable. • 30% of Russian companies had a security incident in the last year, down from 45% two years ago. • Large businesses are more likely to have security incidents, tend to have more of them and their breaches tend to be more expensive.

  10. Security-aware culture • More than half of businesses spend less than 1% of their IT budget on information security. • Only 15% of companies have carried out a security risk assessment in the last year. • Only 1 in 10 companies has security-qualified staff. • The majority of Russian small businesses have an overall security policy, though most of them use the internet. • *60% of companies fail to check the background of their staff. • 80% of organizations do nothing to educate their staff about their security responsibilities.

  11. Security threat for the future • 80% of Russian businesses are not protected against spyware. • 60% of transactional web-sites do not encrypt the transactions that pass over the internet. • Roughly 80% of companies that allow staff to connect via public wireless do not encrypt the transmissions. • 80% of firms have taken no steps to protect themselves against the threat posed by removable media devices (e.g. USB tokens). • 2 in 3 companies that allow instant messaging (ICQ, MSN etc.) have no controls in place over its use. • Only half of the companies that have implemented Voice over IP telephony evaluated the security risks before doing so.

  12. Attitudes to information security • The larger the business, the greater the reliance. • Companies that are heavily dependent on their IT are likely to assign a high priority to information security as those that are not. However, 10% of heavily dependent businesses do not see security as a priority. • Information security is most likely to be on the board’s agenda in financial services companies.

  13. Security Education • *The higher the priority that information security is to senior management, the more likely the company is to educate its staff. • **Traditionally Russian companies to whom security is not a priority at all, always carry out background checks.

  14. Security skills and expertise • The number of qualified security professionals in Russia, as in other countries, while rising, remains low compared to the total number of businesses. • Many small businesses cannot afford to hire full-time security professionals, and so lack the in-house knowledge to deal with today’s security issues.

  15. Investment in security • Investment in security is a very delicate issue: benefits are often invisible and, however much is spent, there is no guarantee of safety. • A significant number of Russian businesses are still not spending very much on information security. • Businesses whose worst incident involved staff misuse are the most likely to spend on security, averaging less than 8% of their IT budget.

  16. Investment in security • Now the majority of businessmen in Russia think it is important to invest in information security to enable business opportunities and improve efficiency. • Different business sectors tend to have different priorities depending on their specifics (intellectual property, customer information).

  17. Viruses and malicious software • Almost every Russian company irrespective of size installs anti-virus software on its computers. • The internet gateway remains the most popular place to install the software. Increasingly personal firewalls installed on individual PCs now include some intrusion detection capability. • Interestingly, companies with intrusion detection or prevention reported more virus infections than those without.

  18. Network and web-site security • At least half of Russian companies have a web-site. 60% of these web-sites are externally hosted. • Firewalls are still the main defense for web-sites.

  19. Emerging technologies • Removable media devices are becoming smaller, more common and more powerful. MP3 players, USB data keys, digital cameras and portable hard discs all pose a potential security threat, since staff could download confidential data onto them and then remove it from the organization. • 50% of Russian companies allow Instant Messaging across the internet (e.g. through AOL, MSN Messenger, ICQ or Yahoo! Messenger). • The most common step taken against this threat is to tell staff not to use such devices, followed by changing PC configuration to prevent use of USB devices and encrypting confidential data.

  20. Incidents of security breaches • Large companies are most likely to suffer security incidents. Why? • Firstly, they have more staff, so internal misuse increases. • Secondly, their size and typical presence on the internet make them a more attractive target for external attackers. • Despite having a higher risk profile, large firms appear better equipped to repel attacks.

  21. Types of security incidents • Infection by viruses and malicious software • Human factor • Unauthorized access by outsiders • Computer theft and fraud • Systems failure and data corruption

  22. Impact of breaches • Business disruption • Incident response costs • Direct financial loss • Damage to reputation • Total cost of incidents
