71% of Russian companies state that they have encountered various difficulties in implementing the requirements of 187-FZ "On the Security of Critical Information Infrastructure of the Russian Federation" (CII). This was revealed during a joint study by K2 Cybersecurity and Anti-Malware.ru. In addition, difficulties in complying with the requirements of the law forced 44% of respondents to significantly increase security costs.

More than 14% of organizations have increased their cybersecurity budget tenfold. This was primarily because the amount of work was underestimated owing to insufficiently in-depth audits, and because the amount of work grew owing to the technical features of the infrastructure. Some companies do not have a complete understanding of the legal requirements, which further increases the number of security tools they need.

CII entities include enterprises whose disruption can lead to the failure of transport infrastructure, communication networks, or public services, or to harm to people's life and health. The main goal of 187-FZ is to protect the IT systems of government agencies, banks, industry, medical institutions and other companies from cyberattacks. Although the law was adopted in 2018, 35% of respondents are still at the start of project implementation. Only 7% of companies have fully completed it.

The largest share of respondents (27%) named the selection and purchase of domestic software and equipment as the main difficulty, citing its high cost and shortage. Almost half of those surveyed (48%) are confident that Russian products will meet the requirements of the law, while 31% are not satisfied with what the market offers. At the same time, 21% of organizations (one in five) admit that they will not have time to switch to Russian products at significant CII facilities by 2025, as required by Decree 166.

Other difficulties that companies mentioned include understanding the law itself (13%), organizing processes (8%), and audit and categorization (8%).

"The Decree of the President of the Russian Federation No. 250 of 01.05.2022 "On Additional Measures to Ensure Information Security of the Russian Federation", which specified specific responsible persons, largely prompted organizations to begin systematic work on implementing the requirements of 187-FZ. The FSTEC of Russia has been conducting systematic explanatory work since 2017, designed to make it easier for CII entities to understand the law and bring their activities into compliance with its requirements. We constantly organize internal and external events, and make targeted mailings. At the moment, organizations are actively sending us documents with lists and information about CII facilities. We predict further activation of CII entities to comply with the requirements of the law," says Valentin P. Danilushkin, Head of the Department of the FSTEC of Russia for the Central Federal District.

"According to the schedules, the critical information infrastructure of T Plus is gradually switching to Russian solutions, in accordance with the requirements of 187-FZ. We believe that, due to the constantly increasing number of attacks, the requirements of the law seem justified. They are aimed at creating not only paper, but also practical information security. The adoption of the law and bylaws (in particular, Decrees 166 and 250) allowed Customers to demand compliance with information security requirements from suppliers in the proposed solutions," says Tatyana Zaitseva, Director of Information Security at T Plus.

"Despite the serious difficulties faced by businesses, the situation with CII security is positive. According to the study, 90% of CII entities have begun implementing the law. We are talking about tens of thousands of organizations. According to our experience, a large number of enterprises still use foreign solutions in the infrastructure of significant protection facilities, including security tools. At the same time, we see a trend that Russian vendors have now received a large growth driver in connection with the vacated product niches, as well as support from the state. Companies are developing their products, while using advanced technologies available on the market," said Andrey Zaikin, Business Development Director of K2 Cybersecurity.

"We see a significant change in the approaches of regulators towards practical, effective cybersecurity, including from the point of view of implementing specific approaches at enterprises: from the responsibility of management to the processes of assessing and confirming the level of security," comments Mikhail Kader, Solutions Architect for Information Security at Positive Technologies.
