Database keys: only a third of companies have data protection solutions.

Only a third of Russian companies use data protection solutions, cybersecurity companies told Izvestia. At the same time, businesses prefer to limit themselves to basic solutions, approaching the situation formally and not feeling much interest in specialized software. Moreover, the management core does not always understand and realize the importance of the recommendations of the information security teams, trying to save money. About which industries require specialized solutions and what they are — in the material of Izvestia.

How data is protected

Software solutions for data protection are used by only 35% of Russian organizations, according to a study by the Garda group of companies. Experts point out that Russian businesses rely on leak protection and access control, but underestimate highly specialized database protection solutions.

Among the security methods used, the most common are products of the DLP (Data Leak Prevention, data leakage protection) and DAG/DCAP (Data Access Governance and Data-Centric Audit and Protection, a data-focused protection methodology) classes.

"But DBF class solutions (Data Base Firewall, database protection) are used much less frequently, which is due, among other things, to a low level of awareness about such technologies, despite their high efficiency and potential," the study notes.

The "bottleneck" remains the weak synchronization between the company's management core and information security teams, the authors of the study note.

Alexey Kozlov, a leading analyst at the information security monitoring department at Spikatel, confirmed that businesses use basic information security solutions more often and do not use highly specialized ones.

"This is due to the desire to cover the most obvious risks — leaks, viruses, external attacks, and so on — and formally comply with regulatory requirements: the law on personal data, on the security of critical information infrastructure, and so on," he said. — As a result, business is often limited to basic information security solutions such as antiviruses, DLP and firewalls, without reaching more narrow and effective tools.

Hijacking Track: Scammers Use Telegram's New Feature to Steal Channels

What should resource administrators be afraid of?

According to the expert, this is due to a lack of knowledge, resources and a focus only on visible risks, while attacks at the data level remain out of sight.

"Basic solutions are easy to justify to management, while highly specialized ones require deeper immersion in architecture and business processes,— said Alexey Kozlov. — As a result, data protection holes will form, and businesses risk leaks that will simply be impossible to detect and investigate in time. Companies often think about highly specialized solutions only after serious incidents within the organization.

Denis Polyansky, Director of Customer Security at Selectel, noted that various studies confirm that a significant proportion of Russian businesses leave protection at a basic level.

"The main reasons for this problem are the lack of a unified strategy and KPIs for security in companies and, as a result, the weak alignment of business goals and information security units," he said. — This is mainly due to the fact that when building information security, companies are formally guided by the requirements of the documents.

For example, there is no obligation to use DLP in the requirements for personal data, so companies follow this logic: if something is not required in the documentation, it is not used. Staff shortages, targeted competencies within teams, and budget constraints also have an impact.

Where specialized solutions are needed

The experts surveyed note that businesses should use solutions such as database firewalls (DBF) and Database Activity Monitoring (DAM) more often. They help to track and block suspicious requests and actions inside databases.

— Solutions for data access control and information-focused auditing (Data-Centric Audit and Protection, DCAP), tokenization (replacing real data with aliases), Format-Preserving Encryption (FPE) and data security Management in clouds (Data Security Posture Management, DSPM) are also often underestimated.), — said Alexey Kozlov. — These technologies are rarely used, but at the same time greatly reduce the risk of leaks and increase the level of protection of sensitive data.

There are industries with special data protection specifics where universal solutions may be ineffective, Denis Polyansky noted.

— They require an integrated approach that takes into account the specifics of the application. Such industries include, for example, the fuel and energy complex. Specialized protocols are widely used here, the high cost of downtime, and overregulation. At the same time, almost a third of Russian cyber groups are targeting the fuel and energy sector.: 41% of attacks in 2025 are industrial espionage," he said.

Specialized solutions are also needed in the financial sector and E-com: there is a large list of Russian and international requirements, critical processes (calculations, digital ruble, large amounts of critical customer data, etc.). Special protection is also needed in telecom, where signal networks are used and huge subscriber bases are collected. And the widespread availability of communication services makes it attractive to carry out attacks on supply chains through telecom operators.

— Therefore, it is important to note that specialized tools cover what universal ones do not see: industry protocols, insiders, high regulation, critical RTOS (the time range of acceptable system downtime due to an emergency failure. — Ed.), — he said. — Narrow solutions are needed where the cost of error is high: energy, transport, finance, healthcare, telecom and large e-commerce platforms.

Find out by voice: a database of biometric data of scammers will appear in Russia

The measure is aimed at protecting citizens from telephone criminals.

And Alexey Makarkin, director of DataSpace Cloud products, noted that companies that outsource protection should still independently control their level of protection.

— For example, a cloud provider protects the cloud, and the client is responsible for the security of their virtual infrastructure in the cloud. If a company hosting its data in the cloud does not at least ensure micro-segmentation within its infrastructure, the principle of minimum privileges at all levels, does not set up continuous monitoring, and does not take inventory of all its IT assets, no amount of solidity in relation to threats to the information security of a cloud provider will help," he said.

Pavel Kuznetsov, Director of Strategic Alliances and Government Relations at the Garda Group of Companies, however, believes that the "shake-up of the last few years" and the efforts of the state regulating data protection have produced a positive result.

— There are practically no "twos" left in terms of organizing protection, but most of all there are "good guys" and "threes," he said. — Ensuring the protection of information is a process, a competition between armor and projectile. And it is fundamentally wrong to assume that by installing security tools on the network, recruiting staff and creating a process model, you can relax and forget about the problem.

Dmitry Markov, CEO of VisionLabs, noted that the interest of companies in specialized solutions is still growing, especially from the financial sector.

Companies should change their approach when security is sacrificed to the speed of development of digital services, Pavel Kuznetsov believes. For example, use masking when transferring test suites to development teams, for example, systems using AI methods. If an incident occurs and masked data leaks, responding to the incident will become easier and cheaper: you will only have to technically eliminate the leak channel, take appropriate countermeasures and not waste time working with the company's reputation.