Please note! This essay has been submitted by a student.
Information systems (IS) are susceptible to hazardous and fraudulent activities; hence it is imperative to secure and monitor these systems. Some of the common IS risks are:
Excessive dependencies on system components: Third-party vendor tools that offer Security Information and Event Management (SIEM) software are potential solutions for monitoring the entire organizational network. Companies may purchase and install this software on the assumption that it will provide comprehensive security. A drawback of this arrangement is that these tools need customization and effective management to have any impact on system security. Communication between network devices and system software is challenging. However, nowadays many organizations actively track their networks and are aware of any data breaches. Having knowledge of a diverse portfolio of monitoring tools helps to mitigate this potential risk.
Insufficient system log content: Devices have integrated system logging features that are often not utilized to their maximum potential. Even if logging options are enabled, they do not record effective logs, or the logs are not reviewed carefully by administrators. Additionally, if systems are not configured properly, event logs can be content-heavy without containing any useful information, which can result in overloaded mailboxes.
Third-party tools should be used properly so that they facilitate a proper logging process and give efficient signals in the event of any cyber attack. A well-managed SIEM can produce a robust system defense if it is configured and managed by a competent organizational team.
Latest innovations cause security protocols to be outdated: With rising demand for more data-driven products, the need to produce quick results often compels software developers to use insecure data architectures, which can make the entire system susceptible to vulnerabilities. Often this is a result of untested code being pushed into production without taking all-round security risks into account. Before pushing applications to production, proper integration and security risk measures should be taken. Users should test out new software products before merging them onto their production platforms. This can prove to be an effective testing phase for a new product before it is accepted in the market. A well-planned, test-driven software development process can help in keeping the security protocols updated along with the latest innovations.
Old operating systems: Legacy versions of software eventually become unsupported by vendors. Security patches which keep the software stable and safe may not get released due to lack of system support from vendors. Hackers and malicious software target this inadequacy to get access to networks.
Lack of encryption: In-house data, whether in data warehouses or in OLAP/OLTP processes, needs to be encrypted so as to prevent external agents from gaining access while trying to hack systems. External hardware components such as USB drives, CDs, etc. should either be encrypted themselves or should keep data within an encrypted folder.
Vendor tools that can scan outbound emails for sensitive data can help the user with a secure file load website or encryption before physical transfer of data. These external drives should have a built-in encryption process which allows users to log into these devices only after successful user authentication.
Data residing on personal devices – Bring Your Own Device (BYOD) policy: Companies have been struggling to maintain a balance between allowing an employee to use a personal device and requiring a company device for conducting business. In today's world of centralized data repositories, employees want to access sensitive company information from their personal devices such as laptops, tablets and smartphones. Organizations should build isolated security systems which allow employees to access data from their devices using multi-factor authentication. Even if an employee's device gets stolen or hacked, the data resides on the organization's network instead of the employee's device, thus reducing the risk of lost data.
“Diplomatic immunity” within organizations: Often IT service personnel are exempted from the system access requirements which are detailed for other employees. Examples include non-expiring passwords, security certifications, training, etc. This can be attributed to the vetting of IT personnel during interview processes. This results in unmonitored accounts for these members. They become a prime target for hackers and phishing emails, which can lead to intrusion by external attackers or malicious automated bots. Complete user reviews of accounts and settings should be done at least twice per year to verify whether access rights comply with IS and IT policies.
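As an added example (not part of the original essay), one way to automate part of such an account review on a Linux host is to scan a shadow-format file for accounts that escape password expiry. The 90-day limit, the account names and the sample entries are constructed assumptions.

```python
import time

POLICY_MAX_DAYS = 90  # assumed policy limit; the essay does not give one

# Constructed sample in shadow(5) layout:
# name:hash:last_change:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$constructed$hashA:19700:0:90:7:::
itadmin:$6$constructed$hashB:18000:0:99999:7:::
svc_backup:$6$constructed$hashC:17500:0::7:::
daemon:*:19000:0:99999:7:::
bob:!$6$constructed$hashD:19650:0:99999:7:::
"""

def audit_shadow(text, policy_max=POLICY_MAX_DAYS, today=None):
    """Return (user, reason) pairs for accounts that escape password expiry."""
    if today is None:
        today = int(time.time() // 86400)  # shadow dates are days since epoch
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue  # blank or malformed line
        user, pw, last_change, _min, max_days = fields[:5]
        if pw.startswith(("!", "*")):
            continue  # locked or no-login account: no password to expire
        if pw == "":
            findings.append((user, "empty password field"))
            continue
        if not max_days.isdigit():
            findings.append((user, "no maximum password age set"))
        elif int(max_days) > policy_max:
            findings.append((user, f"max age {max_days} exceeds policy {policy_max}"))
        if last_change.isdigit() and int(last_change) > 0:
            age = today - int(last_change)
            if age > policy_max:
                findings.append((user, f"password unchanged for {age} days"))
    return findings

if __name__ == "__main__":
    # today is fixed so the constructed sample gives repeatable results
    for user, reason in audit_shadow(SAMPLE_SHADOW, today=19750):
        print(f"{user}: {reason}")
```

Running the same check at each review and comparing the findings against the list of approved exceptions shows which exemptions were never authorized.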
Lack of management support: Valuing organizational security is driven by the company's leaders and senior management. This attitude trickles down to junior employees and helps foster a strong security environment and culture across the whole organization. A commitment to invest in securing the company's security infrastructure results in long-term financial gains and a firm reputation in the market, and prepares the team for any future audits. The “umbrella” IT security strategy and responsibility should not rest on a Systems Administrator or Chief Information Officer. Sometimes, IT security is so embedded within an organization that the organization reports directly to the Chief Executive Officer or board members. This helps in internal audits and independent assessments, objective monitoring of systems, and the ability to report without prejudice.
Failure to cover cyber security basics: Historical trends and reports of past attacks suggest a fundamental lack of awareness about cyber security measures. Cyber criminals often use a limited number of common vulnerabilities to hack into organizations and their systems, largely because organizations have a lackadaisical attitude towards basic cyber security measures. Research shows that a simple measure such as timely patching can block 78% of internal and external vulnerabilities in organizations. However, organizations fail to incorporate this, thus exposing themselves to further attacks. Reliance on antivirus and external firewalls to act as a single security layer, and failure to encrypt transactional data, are huge lapses in assessing security threats.
Lack of a recovery plan: Preparation and awareness can help prevent or assuage any security attack. However, these plans lack measures for the aftermath of an attack or any possible breach of data. This can result in a breakdown of organizational structure, leaving business operations inadequate. Several studies have shown that companies lack the know-how to deal with the aftermath of such attacks. It takes a long time to restore normal business operations, and an even longer time to rebuild the lost reputation and trust amongst stakeholders and consumers.