Experts: personal data will be the main target of cybercriminals in the foreseeable future.
- When: 04 July 2019
Personal data is attracting more and more attention from attackers and is one of the main targets for cyberattacks, experts concluded at the seminar “152-FZ: Expectations and Reality” held by Linxdatacenter. Consequently, professional information security solutions for personal data are no longer an option but a necessity. It is reasonable to outsource such projects to a third party that is legally and technically competent in this field. This guarantees 100% compliance with the requirements of the law, protects personal data at a proper level and makes it possible to ensure a high-speed IT system with the business processes linked to it.
Individuals’ personal data is attracting more and more attention from attackers and is becoming one of the main targets of cyberattacks in the modern digital world. Experts came to this conclusion at the seminar “152-FZ: Expectations and Reality”, devoted to a wide range of issues of safe operations with personal data.
Boris Merkulov, cloud solution and information security engineer at Linxdatacenter, says that any form of personal data, be it a scanned passport, IIAN or TIN, can easily be used by criminals, for example to process electronic signatures in the certification center. He also noted: “Access to such a signature will further allow them to establish and close a limited liability company, sign payment documents and apply to banks for loans on behalf of the person whose data has been stolen. When looking closer at the history of the latest major data leaks in the world, the focus on PD will be obvious. Professional solutions in the field of information security that ensure compliance with the requirements of laws on personal data are no longer an option but a necessity.”
Natalia Neverovskaya, partner of the law firm Unicomigal, agrees with him. “Not long ago, mostly foreign companies contacted us about issues concerning PD; today there is a flurry of such requests from literally everyone, from serious business players to theaters, museums, libraries and medical clinics. New formats of provided services and the penetration of digital tools in areas focused on the final consumer (trade, banks, insurance) have seriously expanded both the volume of PD used by modern economies and the list of data types that fall under this definition. Today, PD means any individual’s personal information that makes it possible to identify the person: a phone number, an IP address, a nickname on various Internet sources. All of that is PD.”
Thus, any company and organization is an operator of data and therefore has certain duties and restrictions defined by law.
Olga Ermakova, Senior Legal Counsel and Compliance Specialist of Linxdatacenter, mentioned the importance of complying with all phases of the PD protection project. The most important stage is the audit, since its results reveal the current situation with PD processing in the organization, outline the architecture of the future solution and assign the roles of the employees responsible for the project. For example, it is at the audit stage that a project manager needs to be appointed who will be responsible for data processing as well as further contacts with Roskomnadzor.
The second important stage is the awareness of the continuity of the tasks related to work on PD in the structure of the company's business processes. Any changes in business processes, state structures, legislation updates and law enforcement practice oblige the company to update all regulations, processes, architecture, models of current threats, etc.
The participants of the seminar noted the need to bring the requirements of the Russian 152-FZ and the European GDPR to a common denominator, as well as the role of staff training in the PD protection processes. The law gives a certain freedom: each operator independently decides what data to store, in what way and how long to store it, how to destroy it, etc. Internal policies of organizations in the field of data protection should not only be developed, but also communicated to employees. “After the business process audit, obtaining a conclusion, modeling threats and determining the necessary level of PD protection, the creation of the statement of work, technical project and directional documentation begins. The introduction of the PD protection system today is implemented on the basis of this set of project documentation only and according to the specified sequence of actions,” emphasizes Olga Ermakova.
Experts agreed that it is reasonable to outsource PD protection projects to a contractor whose competences combine the necessary level of legal and technical expertise. “Such an approach will require more time, money and will not provide a large selection of suitable performers, but it guarantees 100% compliance with the requirements of the law, protects PD of individuals at the proper level, and also guarantees an understanding of all the subtleties of processing personal data in relation to the tasks of a particular business,” says Olga Ermakova.
A local information protection system on virtual machines consumes a lot of computing resources, slows them down and increases the load on the network. Transferring PD processing to the cloud of an external service provider allows you to ensure a high speed of the IT system and the business processes linked to it while meeting all requirements related to information security. This is ensured by an agentless approach to implementing a complex of information security measures in clouds: antiviruses, scanners and other tools gain access to IT system resources without installing an agent program on the same server, which increases the speed of scanning virtual machines, ports, network nodes and more.
Clouds also provide the ability to scale any IT resources in order to provide the necessary level of data protection upon request, depending on the requirements of the company. For example, VMware virtualization tools used as part of Linxdatacenter cloud services allow you to emulate the IT components of your IT infrastructure, including NSX Edge Gateway type software switches, to guarantee complete security for all connections.
The seminar was organized by Linxdatacenter, an international expert in high-tech solutions for data storage, cloud services and telecommunications, with the information support of the Russo-British Chamber of Commerce and the Finnish-Russian Chamber of Commerce in Moscow.