Information security: how to protect critical data, minimize risks, and keep your business running smoothly

How to build an IS system, protect data, reduce risks, and ensure stable company operations without losses.

  • Principles and goals of information security protection
  • Information Security Goals and Principles
  • CIA triad: the basic model of data protection
  • Which data actually need protection

Cyber incidents cost CIS businesses about 80 billion rubles in just a few months. These losses are made up not of abstract threats, but of very concrete issues: process stoppages, regulatory fines, data loss, and failed contracts. We explain how to build information security protection: which data requires priority protection, which threats pose the greatest risk, and how to step by step create an information security system that reduces losses and supports operational continuity.

Principles and goals of information security protection

In the first five months of 2025, the total losses of CIS companies from cyberattacks exceeded 80 billion rubles According to the CIS Ministry of Internal Affairs, which is 20-25% above last year's level. This is not about hypothetical risks, but direct losses: _downtime, regulatory fines, loss of customer data, and contract failures._ Information security (IS) in such a situation, it is not a set of separate IT tools, but a risk management system for data and digital processes.

Antivirus software and a firewall solve only part of the problem. The key question is which data is critical to the company's operations and what the consequences would be if it were lost, altered, or unavailable. Information security goals and principles The main goal of information security- protection of business assets, first and foremost data. According to GOST, information security is the state of protection of information and infrastructure in which its key properties are preserved.

An effective system is built not around individual technologies, but around a process: - risk assessment; - asset prioritization; - implementation of technical, organizational, and legal measures; - regular monitoring and updates. This approach allows organizations to _invest in protection deliberately_ - where the potential damage is greatest.

CIA triad: the basic model of data protection All information security measures rest on 3 fundamental principles of information: 1. Confidentiality- means that each document or file in the system is opened only by the employees who need it for their work. Violations lead to leaks, fines, legal risks, and revenue loss. 2. Integrity- guarantees data integrity and correctness. For business, this means reliable reporting and stable system operation.

Integrity breaches lead to wrong decisions and process failures. 3. Availability- ensures access to information and services at the right time. DDoS attacks and infrastructure outages hit this principle directly, causing downtime, supply disruptions, and customer churn.

Discuss your challenge with an architect

Which data actually need protection Protecting every information asset without exception is _economically impractical._ Priority should be given to the assets whose loss would cause the greatest damage. - Personal data.Are governed Federal Law GDPR. Leaks lead to large fines, audits, and loss of customer trust. - Key commercial information.Customer databases, technologies, development plans, R&D results.

Losing them effectively means handing competitors your investments, time, and market advantages. - Critical operational information. 1C databases, ERP and MES systems, internal policies.

If this data becomes unavailable or damaged, business processes stop and significant financial losses follow. Financial and accounting reporting.Distortion or unauthorized disclosure of information can lead to regulatory claims, account freezes, and loss of trust from partners. According to analysts, in 2024 the CIS information security solutions market grew by 30%,reaching a volume of about 593 billion rubles.This reflects a practical business approach: investments in information security are seen as a way to reduce the likelihood of major losses, shorten recovery time after incidents, and ensure stable operation of critical systems.

Which threats are truly dangerous for business

  1. More than 40% of cyberattacks often begin with compromised corporate accounts.

  2. This means the attack usually starts not with a server breach, but with access that already exists inside the company.

  3. To build an effective defense system, you need to understand which threats are relevant to the business and how they are carried out.

  4. They are usually divided into _internal and external_ threats, but in practice most incidents are mixed: an external attacker exploits an internal weakness - a person, a process, or a configuration.

Internal threats: risks of legitimate access

Internal threats are associated with users who already have authorized access to corporate systems: employees, contractors, temporary staff, or former workers. The main challenge is that at an early stage, insider actions are practically indistinguishable from normal work activity. Below are common forms of internal threats. 1.

Intentional actions.Intentional actions by employees aimed at harming the company: copying and passing data to competitors; sabotaging systems or deleting information; installing malware for later access or extortion. 2.

Careless actions. Unintentional mistakes that create an entry point for an attack: opening a link in a phishing email; sending confidential files to the wrong recipients; using simple or repeated passwords; losing work devices without protection.

External threats: targeted attacks and outside pressure

External threats come from cybercriminal groups, competitors, and specialized attack teams. In recent years, they have become more targeted and less visible. - Phishing and social engineering.This is not about mass mailings, but targeted attacks. Hackers use information about the organization and employees to make emails or calls look believable.

The goal is to obtain credentials or trigger the needed action. - Malware and ransomware. Such attacks often combine data theft with later encryption. Even backups do not always solve the problem if the data has already been copied and is being used for extortion. DDoS attacks.Aimed at service disruption and unavailability.

Critical for companies with online sales, service platforms, and external customer portals. Supply chain attack. Attackers target contractors and software or service providers. Through updates, integrations, or technical access, malicious code enters the customer's infrastructure directly, making it harder to identify the source of the attack.

Key technologies and information security tools

Information security solutions directly affect operational continuity, regulatory compliance, and risk manageability. Practice shows that basic tools such as antivirus software and a firewall are not enough, especially amid the growth of phishing and targeted attacks, including those using automated and AI tools. Organizational measures: risk management and human behavior Organizational measures define how employees work with information and what happens during an incident.

They set the rules and reduce the risk of incidents caused by staff. Policies and procedures- information handling standards must be formalized: the information security policy, procedures for handling confidential data, and incident response scenarios. These documents are used for staff training, access control, and incident review.

If policies are not applied in practice, they do not affect the level of risk. - Employee training- regular employee training reduces the risk of phishing and credential compromise. Short formats work best: analysis of real attacks, reminders about mistakes, and test phishing campaigns.

Training should be practical and aimed first of all at new employees and users with elevated privileges. Access management- access on a need-to-know basis: an employee gets only the rights needed for current tasks. This reduces damage from mistakes or misuse and makes control easier. - Recovery planning- recovery and business continuity instructions help reduce downtime and losses in the event of a failure or attack.

It is important not only to have a plan, but also to test it regularly. Important!Organizational measures also include _protecting meeting rooms, executive offices, and areas for confidential discussions_ (acoustic and visual protection). This reduces the risk of information leakage outside digital channels. In other words, information security covers both the IT environment and physical processes within the company.

Technical and software tools: practical implementation of protection The technical layer consists of tools that automatically prevent attacks, detect incidents, and help respond to them. In practice, not a single system but a combination of solutions is effective. The table shows the key categories of tools, their examples, and the business problems they solve.

Tool categoryExamplesWhat problem they solve
Physical securityAccess control to premises, surveillance system, premises security,
protecting servers from overheating.
Protect against theft of servers, computers, and flash drives,
blocking unauthorized access to key areas.
Perimeter and network protectionFirewalls, network intrusion detection and prevention systems (IDS/IPS),
security gateways.
Monitor and filter inbound and outbound network traffic,
block attempts at unauthorized external access.
Endpoint protection (devices)Next-generation antivirus (NGAV), centralized configuration and protection
company phones (MDM), EDR solutions.
Protect employees' computers, laptops, and smartphones from malware,
monitor their status and compliance with security policies.
Data and content protectionData loss prevention (DLP) solutions, encryption,
cryptographic tools.
Prevent leaks of confidential data (customer databases, know-how),
protect information in transit and at rest, even if it is stolen.
Monitoring and analysisSIEM systems, incident response systems (SOAR),
integrated platforms for cyber investigations (XDR).
Collect data from different security systems and detect anomalies
and help quickly investigate incidents.

Step-by-step plan for building an information security system

An information security system is an ongoing process that evolves with the business, the IT landscape, and threats. Below are the steps that will help you build protection deliberately rather than piecemeal.

Discuss your challenge with an architect

1. Asset inventory and assessment Determine which data and systems are truly important for the company. For each asset, answer three questions: - what happens if the data is stolen; - what happens if it is altered; - what happens if it becomes unavailable for an hour, a day, or a week. This way, you will not spend your budget protecting everything indiscriminately, but will focus on what the company's operations really depend on: customer databases, critical know-how, financial systems. 2.

Risk analysis and attack scenarios After identifying assets, you need to understand which threats are real for them. Conduct a technical _infrastructure audit__(vulnerabilities, settings, access rights)_ and modeling possible attacks. Consider threats from a practical angle: - who might be interested in this data; - through which entry points an attack may happen (employees, public services, contractors); what damage the business would suffer in the event of a successful attack.

The result is not a generic list of threats, but prioritized risks with clear scenarios. This list helps you choose protective measures with justification and explain to management why specific investments are needed. 3. Policies and procedures Define the rules that govern security in the company. The minimum set includes: an information security policy; rules for handling confidential data; an incident response plan.

Documents should be concise, specific, and known to every employee. If policies exist only for reporting purposes, they do not reduce risk or help in a crisis. 4. Implementing technical controls Choose technical solutions only after you understand your assets and threats. Otherwise, you risk buying tools that do not address real problems.

It is important not just to deploy the solutions (we listed them earlier in the table), but to connect them so you get a complete picture and detect incidents faster. 5. Training and working with staff Most attacks begin with employee actions, so training is a mandatory part of the system. Short practical formats work best: analysis of real attacks, reminders about common mistakes, and test phishing campaigns. 6.

Monitoring, response, and improvement. Security requires constant oversight. Set up event monitoring and regularly check how the security measures work: - conduct internal policy compliance reviews; - periodically commission penetration testing; - rehearse incident scenarios according to a preprepared plan. Each audit or incident provides information for improvement.

After that, the cycle starts again with a review of assets and risks. Who is usually involved in implementation? Most often, several teams work on the information security system at once: an in-house specialist or security team responsible for day-to-day operations; integrator or a vendor that implements and configures technical solutions; - external auditors or consultants for independent assessment and strategy; - a lawyer ensuring compliance with legal requirements.

This distribution reduces the burden on the business and improves decision quality. Common mistakes In practice, businesses regularly miss several important points: they do not disable access for former employees; they do not control privileged and service accounts; they ignore non-digital leakage channels (paper, meeting rooms, printers); they make backups but do not test recovery. If these gaps are not fixed, the company may face a breach or data leak.

Svyaznoy case study: protecting high-load online services

Situation: "Svyaznoy" operates an ecosystem of public online services: an e-commerce store, financial products, operator selection services, and additional digital services. The company's websites receive about 15 millionusers, and online sales turnover exceeds 22 billion rubles. This level of traffic and visibility makes services a constant target for attacks, from automated bots to attempts to exploit vulnerabilities and disrupt availability.

For business, the consequences of any incident are always twofold: immediate financial losses and long-term reputational damage.

The company was looking for a solution that: - protects against common web attacks; - detects new and nonstandard attack scenarios, not just signatures; - blocks bots and fraudulent activity; - does not reduce site performance under heavy load; - allows protection for new services to be connected quickly without complex fine-tuning. _The key requirement_ was that protection must work automatically and scale with the business. Solution:the partner team implemented _a comprehensive information security protection system_, including a specialized web application firewall (WAF) with event correlation and behavioral analysis support.

This approach makes it possible to detect complex and previously unknown attacks instead of relying only on signature-based filtering. As a resultalready during testing, the system: detected and blocked more than 100 attack attempts; identified exploitation of critical vulnerabilities, including SQL injection and Shellshock; recorded credential stuffing and attempts to upload malicious code; operated without noticeable impact on service speed or stability.

What other companies should consider The experience of Svyaznoy shows that for businesses with public, high-load web services, application-layer protection is a basic element of information security. When choosing a WAF, it is important to assess not only the list of supported attacks, but also: - the ability to detect anomalous behavior; - resilience under heavy load; - ease of scaling for new services.

A specialized WAF is becoming a critical tool for protecting revenue, customer data, and online business continuity, especially as attacks on web applications continue to grow.

Discuss your challenge with an architect

Discuss the article: Information security: how to protect...

Send via: