About 60% of information leaks and 85% of hacks in corporate computer networks are related to unaccounted-for digital assets.
According to Bi. Zone, the main reason for hacking and data leaks in Russian companies is digital assets unaccounted for during inventory. Most often, security services forget about public cloud storage like Google Drive, DropBox and files in them. This allows attackers to penetrate the networks of organizations and gain access to confidential information. Digital assets often remain unaccounted for due to the high speed of business digitalization: local security services do not have time to keep track of new software.
Bi.Zone specialists obtained this information by analyzing the data of more than 200 Russian and foreign companies.
“Let's say the company had an information system (IS) A. Then it is changed to an information system B. At the same time, no one disposes of the first IS, it remains. It may still have access to the Internet. As system A stops even being updated, the risk of intruders penetrating through it increases because they may use the vulnerability that the company forgot to close with the appropriate update”, said Andrey Konusov, CEO of Avanpost.
According to him, there is also a risk that an employee of the company who has not worked in it for a long time could give access to the old system to cybercriminals.
During the inventory of digital assets, the company should take into account all its files and services, including those that are stored or work on the Internet. If anything is missed, there is a risk of leaks or compromise of the network. According to Alexei Parfentiev, head of analytics at SerchInform, unaccounted assets are essentially an open door for intruders to access sensitive data.
Digital assets often remain unaccounted for during the inventory due to the fact that local IT and information security services do not keep up with the high speed of business digitalization.
Rostelecom-Solar noted that often the reasons for the discussed violations are a lack of resources and neglect of information security requirements for the sake of convenience.