Risk Management: Information Security Management - Example

Summary
The paper "Risk Management: Information Security Management" is a great example of a management report.  An emerging risk factor for most businesses is the threat of information breach.  Almost all businesses have an online platform and a computerized system of storing information (business data)…
Extract of sample "Risk Management: Information Security Management"

Risk Management: Information Security Management
Name:
Institution:

Introduction

An emerging risk factor for most businesses is the threat of information breach[Har12]. Almost all businesses have an online platform and a computerized system of storing information (business data). Due to technological advancements, organizations moved from the old data/information storage techniques, which were primarily based on paper databases, to computer-based storage systems/databases such as floppy discs, CDs, Digital Versatile Discs (DVDs) and hard drives. More recently, cloud computing has created a virtual space (online platform) in which organizations can store and retrieve data[IBM14]. These technologies have greatly benefited many businesses globally. Some of the notable advantages of computer-based storage technologies include easier access to information as well as increased connectivity and data sharing among individuals in an organization[Doy00]. However, these gains have come at a cost, key among them being the increased risk of information loss through theft. This is referred to as an information security breach[Her101]. Urs E. Gattiker describes an information security breach as circumstances where the stated organizational policy or legal requirements regarding information security have been contravened[Gat04]. He points out that every incident suggesting that the Confidentiality, Integrity, Availability and User Accountability, Authentication and Audit (CIA-UAA) of information has been inappropriately changed can be considered a security incident/breach. This report seeks to analyze the safety concerns facing businesses with regard to their data. Businesses in all industries handle a lot of information on a daily basis. Some of this information, such as client details, employees' details and business strategy, is very sensitive and needs to be handled appropriately.
However, the fact that access to this information cannot be limited to one individual in a large organization means confidential/sensitive material risks being leaked to competitors or the general public. Moreover, even if access is limited to one individual (which is highly unrealistic in a large organization), the threat/risk of theft through hacking is still very significant. Consequently, there is a need to examine these concerns. The report highlights the current global state of data security. Information theft trends will be highlighted, as well as the methods used to carry out these security breaches. The methods and measures used to mitigate and manage this risk, and the difficulties faced in the management and mitigation efforts, will also be discussed. Due to financial and time constraints, the report relies heavily on secondary data from reports and publications by experts in the field.

Issue identification and literature review

Global information security statistics and trends

A 2013 report on the global cost of data breach by the Ponemon Institute (the data was collected in 2012) points out that between 2,300 and 99,000 records were stolen per incident of security breach in 2013[Pon13]. The report covered 277 companies in 16 industries across nine countries. The total number of incidences reported averaged 23,647[Pon13]. Some of the key findings in the report include the following. Australia and the United States of America (USA) had the largest number of breaches resulting in the greatest data loss or exposure. Italian companies had the least exposure per incident. German and American companies suffered the most financially per breach, for both normal breaches and malicious breaches. On average, the financial loss per malicious breach in Germany and America was $214 and $277 per compromised record, while the averages for breaches in general were $199 and $188 respectively[Pon13].
On average, German companies lost $4.8 million while American companies lost $5.4 million[Pon13]. Indian and Brazilian companies were at the opposite end of the spectrum, with losses from malicious attacks averaging only $71 and $46 respectively[Pon13]. This gave companies in the two countries an average of $42 and $58 per incident and $1.1 million and $1.3 million respectively[Pon13]. Australian, German and Japanese companies were the most at risk from malicious attacks among all nine countries under observation[Pon13]. On the other hand, breaches in Brazil and India were more likely to be caused by human error and system glitches respectively[Pon13]. Australia and France had the highest loss of customers following an information security breach[Pon13]. German and Australian companies spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.2 million, respectively)[Pon13]. Organizations in India and Brazil spent the least on detection and escalation, at $359,406 and $358,478 respectively[Pon13]. American and British companies received the greatest reduction in data breach costs from having a strong security posture, an incident response plan and a CISO appointment. The US and France received the greatest cost reduction from the engagement of consultants to support data breach remediation[Pon13].

How information security is compromised

Unauthorised access by outsiders

These types of attack are commonly referred to as hacking[Pri14]. In Britain, cyber attacks have been on an increasing trend, especially among large organizations[Pri14]. Almost 25% of the large companies surveyed were hacked, compared to only 12% of the small companies[Pri14]. Other forms of unauthorised access are customer impersonation and identity fraud/theft, both of which have been on the rise[Pri14].

Computer theft and fraud

This consists of the physical theft of computer equipment.
Attackers employ this method for the equipment, the information stored on the hard drives, or both[Pri14]. For large organizations, there was a small decrease of 5% in the physical theft of computer equipment by staff but an increase of 7% in physical theft by outsiders[Pri14].

Deliberate sabotage by staff of systems or data

Some employees may deliberately sabotage a company's data system for various personal reasons. Such incidences are very rare; however, the impact of such an event can be severe, especially when the culprit has a high degree of clearance/access to the company files. Nevertheless, 5% of the PWC survey respondents were affected in 2014 compared to 6% in the previous year[Pri14]. However, the 4% increase in the total number of such breaches identified raises an alarming point, indicating that deliberate sabotage by staff, when it occurs, is moving towards becoming a repeated offence[Pri14]. 7% of the affected respondents suffered several times a day in the past year[Pri14].

Infection by viruses and malicious software

This remains one of the most common types of attack globally[Pri14]. Technological advancements such as smartphones have opened up new avenues for attack[Pri14]. PWC points out that in Britain, the majority of detected attempts to exploit vulnerabilities on PCs and servers targeted 'Oracle Java', followed by the 'Windows components' category, including vulnerable Windows OS files that do not apply to Internet Explorer and Microsoft Office[Pri14].

Impact of information breach

An information security breach is a critical issue in modern cyber-based business due to the financial toll it takes on businesses. The financial costs of information security come in two categories. The first is referred to as direct financial costs[Cal12].
These costs can be readily expressed in monetary terms and include loss of assets, regulatory fines and compensation payments to individuals whose sensitive information was under the care of the organization[Cal12]. For instance, a company in Wales spent over £250,000 on incident response and recovery to clear a virus that had gone undetected for several months[Pri14]. In general, among small businesses, the average time spent responding to incidents is 12-24 days, up from 6-12 days in 2013[Pri14]. The average cost of this time also rose to £3,000-£9,000, compared to £2,000-£5,000 the previous year[Pri14]. Moreover, a further £9,000-£17,000 on average is spent on responding to incidents (up from £500-£1,500 in 2013)[Pri14]. In large organizations, the average number of days was 45-85, up from 25-45 days[Pri14]. Large organizations incurred £12,000-£34,000 in time costs, compared to £6,000-£13,000 in 2013, and £80,000-£135,000 in cash costs (up from £35,000-£60,000 in 2013) on average[Pri14]. The second category of costs is referred to as indirect costs. Although the impact of indirect financial costs cannot be readily expressed in monetary terms, the long-term financial impact is still significant. The indirect costs include the following.

Business disruption

Data security breaches may disrupt operations for extended periods, depending on the severity of the attack[ECC09]. For instance, in Britain, severe attacks disabled companies for between 7-10 days for small businesses and 5-8 days for large organizations, and an average of 1-2 days for both in 2012[Pri14].

Damage to reputation

The PWC Information Security Breaches Survey 2014 concedes that reputation loss is hard to quantify[Pri14]. Moreover, large organizations in Britain were able to keep knowledge of the incidences internal in 70% of cases[Pri14].
Nonetheless, the report estimates that reputation damage averaged £1,600-£8,000 for small businesses and £50,000-£180,000 for large organizations[Pri14].

Managing the risk issue

One way of managing the risk of information breach is by educating the workforce on proper information technology safety techniques, which can form the basis of the company's information technology code. Such a code has several aspects[Eur12]. First of all, management has to train all staff in the proper ways of handling company data. The workforce must not only be able to handle the data system appropriately but must also be in a position to reasonably notice when the system is not working correctly or has been compromised. This would involve some basic training on aspects such as data handling, computer viruses and networking systems, especially for employees who have access to very sensitive material. As part of the training, employees should be warned and trained against the dangers of plugging their personal devices into the company's system. Secondly, the IT code should have a clear structure with regard to information access and reporting. A clear structure regarding access ensures that access to the most sensitive information is limited to a few individuals. Such measures would ease the monitoring of the data as well as simplify investigations in case of a breach. A clear structure with regard to reporting any abnormalities ensures that the response measures are timely. Apart from the highlighted measures concerning personnel, the software and hardware employed by the company have to be appropriate. The company should install systems that detect, prevent and deactivate any form of attack or intrusion. Systems such as firewalls and antivirus should be installed to protect the software, while security measures such as CCTV cameras and alarm systems should be employed to protect the hardware.
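The access and reporting structure described in this section can be made concrete. The following is an added example, not code from the original report: a default-deny check in which each record carries a sensitivity label and each employee a clearance, every decision is written to an audit log, and employees who accumulate repeated denials are listed for escalation so that reporting of abnormalities is timely. All names, labels, the label ordering and the sample requests are constructed for the illustration.

```python
"""Added example (not part of the original report): a minimal access
structure with audit logging and escalation of repeated denials."""
from collections import Counter
from dataclasses import dataclass, field

# Ordered sensitivity labels; a higher index is more sensitive (constructed).
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class AuditEvent:
    user: str
    record: str
    label: str
    allowed: bool


@dataclass
class AccessControl:
    clearance: dict            # user -> highest label they may read
    labels: dict               # record id -> sensitivity label
    audit: list = field(default_factory=list)

    def check(self, user, record):
        """Allow a read only if the user's clearance dominates the record's
        label. Unknown users or records are denied (default deny). Every
        decision, allowed or not, is appended to the audit log."""
        label = self.labels.get(record)
        user_level = self.clearance.get(user)
        allowed = (label is not None and user_level is not None
                   and RANK[user_level] >= RANK[label])
        self.audit.append(AuditEvent(user, record, label or "unknown", allowed))
        return allowed

    def denied_counts(self):
        """Number of denied requests per user, taken from the audit log."""
        return Counter(e.user for e in self.audit if not e.allowed)

    def escalations(self, threshold=3):
        """Users with at least `threshold` denials: the abnormalities that
        should be reported promptly rather than left in the log."""
        return sorted(u for u, n in self.denied_counts().items() if n >= threshold)


def demo():
    """Run a constructed batch of requests and return the controller and results."""
    ac = AccessControl(
        clearance={"alice": "restricted", "bob": "internal", "carol": "confidential"},
        labels={"client-list": "confidential", "strategy-2014": "restricted",
                "newsletter": "public", "payroll": "restricted"},
    )
    # Constructed sample requests; "mallory" is not a known user.
    requests = [("alice", "strategy-2014"), ("bob", "newsletter"),
                ("bob", "client-list"), ("bob", "payroll"), ("bob", "strategy-2014"),
                ("carol", "client-list"), ("carol", "payroll"), ("mallory", "client-list")]
    results = {f"{u}:{r}": ac.check(u, r) for u, r in requests}
    return ac, results


if __name__ == "__main__":
    ac, results = demo()
    for key, ok in results.items():
        print(f"{key:24s} {'ALLOW' if ok else 'DENY'}")
    print("escalate:", ac.escalations())
```

The audit log is what makes the later investigation the text mentions possible; the escalation list is the reporting path, and the threshold is the point at which a pattern of denials becomes an incident rather than a mistake.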
Risk of risk management

There are two major loopholes in the risk management technique advanced above. First of all, the fact that it is heavily dependent on human input weakens it in several ways. First, the employees might be resistant to the changes. Lack of motivation or a bad attitude towards the new rules and regulations could undermine its implementation. Moreover, some of the concepts may be too technical for some individuals, meaning they would struggle to grasp all the information. That being said, even employees who have grasped these would struggle to detect any breach by hackers due to the vast difference in expertise and information technology knowledge between the two. Secondly, the viruses and tools used to penetrate secured data keep changing on a continuous basis. New and better programs are continuously being developed by hackers. Therefore, the financial constraint of continuous updates to the prevailing safety features could hinder the effective implementation of the IT code.

Recommendations

To counter the two limitations, the company should adopt the following recommendations. The employees should be made active participants in the entire formulation and implementation process. This would keep them from feeling that the whole idea was something imposed on them. Consequently, the probability of any resistance would be greatly diminished. Moreover, there should be a qualified and equipped IT department with a chief information security officer (CISO) responsible for the maintenance and protection of all data[Wyl03]. Essentially, their job would be to detect any anomalies the other employees could have missed or lacked the capacity to notice. Secondly, the company should employ software that is easy to upgrade. In most cases, off-the-shelf software is cheaper to upgrade, despite the fact that it may be more vulnerable to attackers when compared with tailor-made programmes.
However, some of the software that comes with reputable brands like Apple has a good record on security. A heavy initial investment in such software and hardware could save the company millions in terms of upgrading costs and data loss in the long run.

References

Har12: Harkins, 2012, p. 1
IBM14: IBM, 2014
Doy00: Doyle, 2000, p. 77
Her101: Herold, 2010, p. 98
Gat04: Gattiker, 2004, p. 292
Pon13: Ponemon Institute, 2013, pp. 2, 3
Pri14: PricewaterhouseCoopers, 2014, pp. 12, 13, 14, 15, 16, 17, 18
Cal12: Calder & Watkins, 2012, p. 13
ECC09: EC-Council, 2009, p. 5
Eur12: Gutwirth, et al., 2012
Wyl03: Wylder, 2003, p. 36
Risk Management: Information Security Management Report. https://studentshare.org/management/2070780-risk-management-and-risk-of-risk-management-of-an-existing-issue
