
In January and February 2025, Roskomnadzor recorded 19 personal data leaks, highlighting systemic gaps in corporate security practices. According to a 2025 CNews report, 38% of Russian companies have never trained employees on information security protocols [1]. This oversight persists even though 81% of organizations identify training as the most effective countermeasure against breaches [2].
Training Deficits and Human Factor Risks
The absence of structured security education correlates with 68% of leaks originating from human error, as reported by Rostelecom [3]. Only 16% of employees receive regular infosec instruction, while 41% have never participated in any training session, per hh.ru and StaffCop surveys [4]. Executives show particularly low engagement: 25% of senior managers handling sensitive data lack formal security guidance [5].
Recent phishing campaigns demonstrate the consequences: 37% of attacks leverage compromised credentials, with a 10% employee click-through rate on malicious links [6]. Retail and IT sectors show higher compliance (15-20% training rates), while hospitality lags at 2% [7].
Policy Enforcement and Technical Vulnerabilities
Corporate governance failures exacerbate risks: 58% of companies neglect to revoke system access after employment ends, and 56% of staff have never signed NDAs [8]. Technical audits reveal widespread misconfigurations:

| System Type | Vulnerability | Prevalence |
|---|---|---|
| macOS | Default 4-character passwords | 65% |
| Linux | Missing GRUB bootloader passwords | 61% |
| Windows | Disabled LAPS | 29% |

Cloud environments show similar gaps: 99% of resources grant excessive permissions, per Palo Alto Unit 42 [9].
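Two of the Linux findings in the table above (a GRUB bootloader with no password, and a weak minimum password length) can be checked from configuration text alone. The following is an added example, not code from any of the cited audits; it reads configuration contents as strings so it runs offline, and the sample GRUB and pwquality contents, the `REQUIRED_MINLEN` policy value and the placeholder hash are constructed assumptions.

```python
"""Audit GRUB and pwquality configuration text for two common Linux gaps.

Added example (not from the cited audits). Inputs are config file *contents*,
so the checks run offline; sample contents below are constructed.
"""
import re

# libpwquality applies minlen=8 when the option is absent.
PWQUALITY_DEFAULT_MINLEN = 8
# Hypothetical policy threshold assumed for this example.
REQUIRED_MINLEN = 12

# GRUB password protection requires both a superuser list and a password entry
# (plain 'password' or hashed 'password_pbkdf2').
_SUPERUSERS = re.compile(r'^\s*set\s+superusers\s*=', re.M)
_PASSWORD = re.compile(r'^\s*password(_pbkdf2)?\s+\S+\s+\S+', re.M)


def grub_has_password(grub_cfg: str) -> bool:
    """True if the config defines superusers and at least one password entry."""
    return bool(_SUPERUSERS.search(grub_cfg) and _PASSWORD.search(grub_cfg))


def pwquality_minlen(pwquality_conf: str) -> int:
    """Effective minlen: comments are ignored and the last setting wins."""
    minlen = PWQUALITY_DEFAULT_MINLEN
    for raw in pwquality_conf.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip trailing/whole-line comments
        m = re.match(r'minlen\s*=\s*(\d+)$', line)
        if m:
            minlen = int(m.group(1))
    return minlen


def audit(grub_cfg: str, pwquality_conf: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if not grub_has_password(grub_cfg):
        findings.append("GRUB: no superusers/password set; boot entries can be edited unprotected")
    minlen = pwquality_minlen(pwquality_conf)
    if minlen < REQUIRED_MINLEN:
        findings.append(f"pwquality: minlen={minlen} is below the required {REQUIRED_MINLEN}")
    return findings


# Constructed sample inputs (no real hosts, placeholder hash).
GRUB_WEAK = """\
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1
}
"""
GRUB_HARDENED = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
set timeout=5
"""
PWQ_WEAK = "# minlen = 14   <- commented out, so the default of 8 applies\ndcredit = -1\n"
PWQ_STRONG = "minlen = 8\nminlen = 14\nminclass = 3\n"

if __name__ == "__main__":
    for name, grub, pwq in (("weak host", GRUB_WEAK, PWQ_WEAK),
                            ("hardened host", GRUB_HARDENED, PWQ_STRONG)):
        print(name, audit(grub, pwq) or ["OK"])
```

On a real host the inputs would be the contents of `/boot/grub/grub.cfg` (or the `/etc/grub.d/40_custom` fragment that feeds it) and `/etc/security/pwquality.conf`; the commented-out `minlen` in the weak sample is deliberate, since a policy that exists only in a comment is a common way this check silently fails.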
Remediation Strategies
Andrey Timoshenko, a cloud security specialist, advocates centralized protection systems during mergers [10]. Key measures include:
- Quarterly phishing simulations with AI-generated content (Angara Security)
- Automated access revocation workflows (SKB Kontur)
- EDR/NTA deployment for real-time threat detection (Solar 4RAYS)
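The access-revocation measure above comes down to a reconciliation: every enabled account should map to a current employee. The following is an added example of that reconciliation and is not SKB Kontur's or any vendor's tooling; the record shapes, the `GRACE_DAYS` setting and the sample roster and accounts are constructed assumptions.

```python
"""Reconcile an HR roster against an account directory to find access that
should already have been revoked. Added example; data shapes and sample
records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Days after the termination date before a still-enabled account is flagged.
GRACE_DAYS = 0


@dataclass(frozen=True)
class Employee:
    user_id: str
    terminated_on: Optional[date]   # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool


def find_stale_access(roster: List[Employee], accounts: List[Account],
                      today: date) -> Tuple[List[Account], List[Account]]:
    """Return (accounts to disable, orphan accounts with no HR record)."""
    by_id = {e.user_id: e for e in roster}
    to_disable, orphans = [], []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already revoked
        emp = by_id.get(acct.user_id)
        if emp is None:
            orphans.append(acct)              # no owner in HR: needs an owner or removal
        elif emp.terminated_on is not None and \
                emp.terminated_on + timedelta(days=GRACE_DAYS) < today:
            to_disable.append(acct)           # left, grace period over, still enabled
    return to_disable, orphans


# Constructed sample data.
TODAY = date(2025, 3, 1)
ROSTER = [
    Employee("u1001", None),
    Employee("u1002", date(2025, 1, 15)),     # left six weeks ago
    Employee("u1003", date(2025, 3, 1)),      # last working day is today
]
ACCOUNTS = [
    Account("u1001", "vpn", True),
    Account("u1002", "vpn", True),            # should have been disabled
    Account("u1002", "crm", False),           # already revoked
    Account("u1003", "crm", True),            # still within last day, not flagged
    Account("svc_old", "db", True),           # no HR owner at all
]


def revocation_report(roster=ROSTER, accounts=ACCOUNTS, today=TODAY) -> dict:
    """Sorted 'user@system' strings, ready for a ticket or an automated disable job."""
    to_disable, orphans = find_stale_access(roster, accounts, today)
    return {"disable": sorted(f"{a.user_id}@{a.system}" for a in to_disable),
            "orphans": sorted(f"{a.user_id}@{a.system}" for a in orphans)}


if __name__ == "__main__":
    print(revocation_report())
```

Orphans are reported separately rather than disabled outright because a service account with no HR owner usually needs an owner assigned, not an unplanned outage; the employee whose last day is today is left alone until the grace period has passed.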
Regulatory pressure may force change: draft laws propose fines of up to ₽500M for leaks, which would apply to the 75% of firms currently non-compliant with Russia's personal data law [11].
Conclusion
The 2025 data underscores a critical disconnect between recognized best practices and their implementation. While attack surfaces expand with remote work and AI-driven threats, foundational controls such as employee training and access management remain neglected. Organizations that prioritize these areas reduce breach risk by 43%, according to InfoWatch [12].
References
1. “38% of Russian companies never train employees on infosec,” CNews, 2025. [Online]. Available: https://cnews.ru
2. “Training as primary leak prevention,” InfoWatch, 2025. [Online]. Available: https://infowatch.com
3. “Human error causes 68% of leaks,” Rostelecom Security Report, 2025.
4. “Employee training statistics,” hh.ru & StaffCop, 2024.
5. “Executive training gaps,” InfoWatch, 2025.
6. “Phishing click rates drop to 10%,” Angara Security, 2023.
7. “Sectoral training compliance,” TAdviser, 2025.
8. “Post-employment access risks,” SKB Kontur, 2024.
9. “Cloud permission overreach,” Palo Alto Unit 42, 2022.
10. A. Timoshenko, “Merger security challenges,” Cloud Security Journal, 2024.
11. “Draft data leak fines,” Kiberprotekt, 2024.
12. “Training reduces breaches by 43%,” InfoWatch Annual Report, 2025.