Acquisition and Procurement in the Cybersecurity Industry - Essay Example

Summary
The paper "Acquisition and Procurement in the Cybersecurity Industry" underlines that companies and organizations in the cybersecurity industry should ensure operational risk management and best practices are implemented for lower vulnerabilities…

Extract of sample "Acquisition and Procurement in the Cybersecurity Industry"

Acquisition and Procurement in the Cybersecurity Industry

Introduction to Cybersecurity

Cybersecurity refers to the technologies, practices and processes that are designed to safeguard computers, programs, networks and data from any form of attack, unauthorized access and damage. In the technological world, buyers want to get hold of cybersecurity products and services because of the rate at which cybercrime is growing. The days in which people could communicate and do business online without having to worry about attacks are long gone. In the modern day, code has been weaponised and can be used to commit crime. Cybersecurity emerged because of the faceless criminals that have come to exist.

Benefit of the Cybersecurity Industry to Society

In the last decade technology has advanced rapidly, and most things in modern society are digitized. As a result of digitization, cyber risk is now considered a high-profile issue in society, with increasing fear of hack attacks and of security failures that could damage the economy globally. Through the Internet of Things, society is connected at all times. An example of digitization is the healthcare system: if this system is compromised, confidential patient information may be leaked. It is therefore very important to maintain network security so as to prevent dangerous and abusive criminal activity in society at large.

Sources of demand for cybersecurity products and services

Businesses, individuals, governments and industries rely more and more on computer systems, which means that the number of computer systems at risk is growing. Some of the sources that increase the demand for cybersecurity products and services are consumer devices, financial systems, large corporations, automobiles, utilities and industrial equipment, and medical systems, among others.

Financial institutions like commercial banks and the U.S. Securities and Exchange Commission are prone to attacks from cybercriminals whose main aim is to manipulate markets for their own illegal gain. Applications and websites that require users to enter their financial information, that is, bank account information and credit card numbers, are also hacking targets for cybercriminals, as they offer probable financial gain from making purchases or transferring money, or the information acquired can be sold on the black market.

In the automobile industry, vehicles are increasingly being digitized, with door locks, anti-lock brakes and advanced driver-assistance systems. In addition, connected cars communicate with cell phone networks and on-board consumer devices through Wi-Fi and Bluetooth. All these modifications to automobiles have increased security risks. These risks include eavesdropping through the car's on-board microphones and, in extreme cases, remote hijacking by hackers.

Computer systems oversee functions at a number of utilities, which include nuclear power plants, the coordination of telecommunications and the power grid. It does not matter whether the computer systems controlling utilities and industries are connected to the internet or not; they are still vulnerable to attack. In 2014, 79 hacking incidents at companies dealing with energy were reported by a division of the Department of Homeland Security.

Operational Risks Overview

Operational risks can be defined as the risks in an organisation that can hinder the performance of everyday activities. This can involve the management of an organisation's systems, people and processes to reach its ultimate business performance.

Types of risks and vulnerabilities

Upon purchasing cybersecurity-related services and products, a buyer's organization could be exposed to vulnerabilities and risks. These risks and attacks can enter an organization through hardware, software, data centres and telecommunication systems.

Hardware and software attacks

With the increased diffusion of technology in our society, it is important that hardware and software alike are thoroughly analysed before electronic appliances or devices are purchased or acquired. Failure to evaluate the hardware components of a purchased cybersecurity product could lead to serious repercussions. Examples of vulnerabilities that could be introduced into an organization are:

The creation of backdoors for the purpose of placing malware on systems, among other purposes. Backdoors can also be created via memory and RFID (radio-frequency identification) chips. Invasive operations that tamper with and modify hardware can also be carried out. Acquiring access to protected memory through eavesdropping, without opening other hardware, is also a form of vulnerability that can occur in an organization. Others are altering the normal behaviour of a system by introducing faults, and the use of counterfeit products.

Data centre security attack

A data centre can be described as a facility composed of networked computers and storage that organisations and businesses use to store, organize, process and disseminate substantial amounts of data. Data centres can include network firewalls, switches and routers, servers, physical racks and the cabling used to interconnect IT equipment.

Some of the risks that can infiltrate an organization's data centre include access to the system by unauthorized personnel; by accessing the system, the cybercriminal is able to manipulate the data. Firewalls acquired from different manufacturers can be prone to attacks, that is, the backups and the files exchanged between users are not well encrypted, thus allowing hackers to take control of the organization.

Sources of operational risks

In the cybersecurity industry, the organizations that supply cybersecurity products and services have to meet certain standards to ensure their products cannot be infiltrated by attacks that would affect their buyers' organizations. There are a number of risks in these cybersecurity supply companies which, when not mitigated, result in vulnerabilities in their products. These operational risks are grouped into four classes, and each class has a number of sources of risk. The four classes are external events, actions of people, failed internal processes, and system and technological failures.

Under the four classes there are a number of operational risks. Actions of people refers to problems caused by actions taken or not taken by a person in a given situation. Inadvertent actions are those associated with individuals within the organization; they are usually unintentional and are taken without harmful or malicious intent. These actions may involve an error, omission or mistake by an individual. Inadvertent actions can affect the quality of the service or product by making it more susceptible to attacks, and in this way the risk can extend to the buyers. This risk transfer can make the organization that bought the service or product prone to cybercrime.

Another source of operational risk for a cyber service or product is inaction, which refers to failure to act in a specific situation. An individual can fail to act because they lack the proper skills, guidance and knowledge. The lack of a qualified person to perform an action can also lead to inaction. This risk is also likely to transfer to the buyer's organization.

Failed internal processes are associated with internal processes failing to perform as intended. One of the sources of risk under this class is process controls, characterized by the failure of a process due to inefficient controls on its operation. This risk arises where there is a failure to periodically review the end-to-end operation of the system and make changes when necessary.

Supporting processes are operational risks under failed internal processes. These occur when an organization fails to support the processes necessary to deliver appropriate resources. Elements like lack of adequate funding, lack of proper training and development, and inadequate staffing contribute to this risk.

Under systems and technology failure, a risk can occur when there is unexpected or abnormal functioning of technology assets. These assets include systems, software and hardware. When software is incompatible and not well tested, the expected product or service may not function as required. Hardware failures may also arise when the hardware is not of the right capacity, does not perform as expected, or is obsolete.

The above sources of operational risk in a company supplying cybersecurity products and services are most likely to transfer to a buyer's organization when not mitigated, since they cascade into the organization's inability to deliver services. The risk transfer can have major negative impacts on the buyer's organization. These impacts include backdoors and espionage, whereby a compromised system gives cybercriminals the ability to alter and spy on the organization's data. As a result of the backdoors, corporate espionage can be committed through selling the organization's data on the dark web. Private information of the organization as well as its employees may be compromised.

Product liability

In April of 2014, legislation was introduced which would see cybersecurity companies protected when they suffer cyber-attacks. The legislation is known as the National Cybersecurity Protection Advancement Act. It was introduced by Rep. Michael McCaul, chair of the Homeland Security Committee. The legislation has still not been passed.

In the cybersecurity industry, organizations value their privacy, and for this reason they do not feel free to share their information with the federal government. The doctrine is meant to deal with liability for damages that arise from a lack of proper cybersecurity measures.

Upon purchasing or installing cybersecurity services or products, an organization needs to be ready for any form of data breach. When the confidentiality, availability and integrity of an organization's information are compromised, there are definitely negative impacts. The most important asset that a company will lose is its reputation. After a data breach there is no official ownership, so the responsibility is spread among the administrators of the company. Due to the unavoidable scrutiny from regulators and customers, the reputation of the company is the most impacted.

A Governance Framework and Standards

COBIT®: AI5 Procure IT Resources

IT resources, including services, software, hardware and people, need to be procured. Procurement procedures, the setting up of contract arrangements, the selection of suppliers and the acquisition itself need to be well defined and enforced. By following all the right procedures in acquiring cybersecurity services and products, organizations ensure that resources are acquired in a timely manner and are cost effective. By doing so, risks are mitigated.

ITIL Supplier Management SD4

The supplier management process includes handling all contracts and suppliers that are vital in supporting the business as a whole, in this instance in the cybersecurity industry. The more a supplier contributes to the value of the business, the more effort management should put into that supplier. Suppliers are mainly third parties to an organization; they may also be services which a client receives. To ensure that products and services provided to the organization by the supplier are up to standard, management ought to get value for its money.

ISO/IEC 27002 Section 15: Supplier Relationship Management

15.1 Establish security agreements with suppliers

There should be agreements, in the form of procedures and policies, so that the organization's information is protected. The organization's information is accessible to external suppliers and outsourced cybersecurity providers; the information is therefore protected by means of agreements and contracts.

15.2 Manage supplier security and service delivery

Service delivery by both internal and external suppliers should be closely monitored and audited against the agreements and contracts.

Conclusion

Companies and organizations in the cybersecurity industry should ensure operational risk management and best practices are implemented to lower vulnerabilities. Both the buyer and the supplier are responsible for risks in their organizations pertaining to cybersecurity-related products and services. For organizations in this industry to mitigate risks, it is important that the risk transfer problem is dealt with.


Cite this document
(Acquisition and Procurement in the Cybersecurity Industry Essay Example | Topics and Well Written Essays - 1750 words, n.d.)
Acquisition and Procurement in the Cybersecurity Industry Essay Example | Topics and Well Written Essays - 1750 words. https://studentshare.org/information-technology/2096596-acquisition-and-procurement-in-the-cybersecurity-industry
