External:
This means that damage has come from outside the organisation. It may still originate with an unhappy employee, but it may also come from someone looking for self-gain or satisfaction, or even from a competitor company. These threats may include, but are not limited to, virus attacks, phishing and identity theft, forging data, hacking, theft and industrial espionage.
Access causing damage:
If someone gains unauthorised access to your systems or network, the way in which they achieve this may cause damage to data or restrict system and network resources. There are several ways in which this could be achieved.
Viruses: A computer virus is defined as a software programme which is capable of replicating itself or causing harm to files or other programmes. The effect of the virus may simply be a nuisance, such as opening or closing the CD drive or swapping keyboard keys, for example changing the ‘@’ key to the ‘!’ key. It may reproduce itself and spread from application to application to prevent detection and removal. A virus may also copy, alter or delete data contained on the hard drive.
Trojans: This is a type of malware which appears to perform a desirable function for the user, but actually allows unauthorised access to the system or network. Trojans may be used for key logging (recording keystrokes entered, such as system or network passwords or even bank details), for remote attacks where the compromised system is used to perform the actual attack on the system or network, and to help with denial of service attacks.
Worms: A worm moves through the system changing or overwriting pieces of code and does not need to attach itself to an existing programme. It has the least potential to cause severe damage of the three examples provided above.
Access without causing damage:
Access may be gained to your systems or network while causing very little or no damage, such as looking at data and passwords to your systems and network. In this case it may be a while before the infiltration is noticed; it may only be noticed when your organisation realises there is a problem with competitors or customers. There are several ways in which this could be achieved.
Phishing: This is done via emails which impersonate a legitimate business to try to persuade or trick users into providing personal or company details such as PIN numbers, passwords and credit card details. It is a type of social engineering.
Piggybacking: There are two types of this. The first is where a legitimate user's credentials are used and an unauthorised person follows the legitimate person into the building or system; the second is where a normal communication carries a hidden harmful application.
Threats related to e-commerce: An organisation that relies heavily on e-commerce to conduct business may stop completely on the loss of its IT systems, whereas a traditional business may still be able to function somewhat. I have outlined several threats below that may relate to your e-commerce system.
Website defacement:
This is an attack where the visuals of the website have been changed. Someone who does this is termed a ‘cracker’. Usually this is not done for financial gain; however, customers may be forwarded to a ‘spoofed’ site where they proceed to conduct business. This is bad for your organisation as income may be lost while the website is recovered. A loss of business may also occur, as the goodwill and trust of potential or existing customers may be lost.
Control of access to data via third party suppliers:
Organisations that need to share data with a third party to enhance the services they offer may create security issues for the commercial security of the organisation and the personal security of customers. For example, eBay allows private retailers to set up an ‘eBay shop’, acting as a go-between for the customer and the private retailer. The issue is that personal information about the customer, such as the address the private retailer requires to send the goods, is given to the private retailer. This allows the retailer to collect customer details, which increases their customer base and potentially allows them to set up shop alone. This could result in a loss of revenue and business for your organisation.
Denial of service attacks:
This is where a system or network resource is made unavailable to the intended user by flooding it with an extreme number of communication requests. If the server cannot handle the number of requests being made, the website goes down due to server overload. The result of such an attack is loss of service and revenue, as customers cannot interact with the e-commerce services provided by your business.
Counterfeit goods: These are imitation products offered for sale that may not be immediately distinguishable from the genuine version. This puts your products at risk, as the counterfeit goods may be unsafe for use, and it is a form of fraud, which is an illegal act.
Software:
Software produced by your organisation, or software that is used by your organisation, may be counterfeit; this puts you at risk of legal ramifications. The incentive for the fraudster is that the counterfeit software is cheap to produce and can be sold for the same high price as the original. It may also result in a competitor organisation gaining an edge over your own. A fine may be incurred if your company is found to be using counterfeit software, and a loss of business is likely if software you produce is available elsewhere at a cheaper price.
Distribution mechanism:
There are many ways in which counterfeit goods may be distributed, such as over the internet on a peer-based file sharing system, at car boot sales for physical items such as data CDs, or on online auction sites. The result of distributing counterfeit goods is that it directly reduces the income of the creator of the goods, and the recipient of the goods, which may be your company, is in an illegal position where a fine may be imposed.
Organisational impact: To summarise, security threats could impact your organisation in several ways outlined below.
Loss of service:
This stops the customer from interacting with your business and may reduce the amount of custom you receive as they may lose trust in your services. The result of this is a loss of income and revenue.
Loss of business:
If essential data that is integral to the services of your business is lost, deleted or corrupted then your business will again lose custom, revenue and income.
Loss of income:
If your business starts to lose income then the end result may be that you have to lay off employees or that the business itself may become bankrupt and cease to provide a service.
Increased costs:
This is likely to affect the customer in that they will have to pay more than they did for the same service, and the reputation of the business will diminish as the business may seem greedy for demanding more money.
Poor image:
A poor image will reduce the amount of custom that your business receives; this in turn will result in less income for your business.
All of the above impacts on your organisation may ultimately result in your business having to close down. This highlights the need for your business to employ serious security measures and possibly to invest money into the installation and maintenance of preventative measures against potential security threats.
Importance of Information security: Information security is important because much of the value customers place on your business is the information your business holds, or the service that information allows you to provide, which benefits the customer in some way. Your information may also give you a competitive advantage over rival companies.
Confidentiality: The Data Protection Act 1998 outlines how personal data held by organisations should be handled. It limits the data an organisation should hold to what is needed for its immediate purpose for that data, and attempts to stop organisations from holding excessive amounts of data for which they have no immediate purpose. There are several things you must consider regarding this, such as: who can see the information, who can update the information, how long the information is to be stored for, how often the information must be reviewed for correctness, what information can be stored and what systems are available to store the information. Reviewing who can access the data, what information is stored and whether the information is still correct is imperative to manage the information in a confidential manner.
Data integrity: This refers to whether the information stored is correct and how reliable that information is. This is important as storing incorrect or out-of-date information can cause an individual distress and could even lead to legal action against your organisation. It is also important for your business purposes; for example, if you need to get in touch with a client to discuss their insurance and the phone number you have for them is wrong, you may lose the client or negatively affect the service you provide for them.
Data completeness: This is whether the information you store has all the required parts to be useful; there is no point storing someone's phone number if the last 3 digits are missing, as that information is then useless. Data completeness is an important aspect of data integrity.
Access to data: What data can be accessed, by whom and when governs the availability of data. It is important to review who can access that data within your organisation, as someone may no longer need access to it. The Freedom of Information Act 2000 gives citizens the right of access to any data that is held about them by an organisation. A written request would legally force your organisation to state whether you hold any information about that person, what the information is, and to provide a copy of all the information on that person to that person. Access to data can be managed by different user rights and levels of password access.
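The confidentiality, completeness and access-rights points above can be turned into routine checks a data owner runs over the records held. The following is an added example, not code from the original report: it reviews constructed customer records for field-level access rights per role, for phone numbers that are missing digits, and for records held beyond a retention period. The roles, the field rights, the retention period and the UK phone pattern are assumptions made for illustration.

```python
"""Data-stewardship review over constructed customer records (added example).
Checks: which fields a role may see, whether a record is complete, and
whether it has been held longer than the assumed retention period."""
from datetime import date
import re

# Assumed policy: which roles may read which fields (least privilege).
FIELD_RIGHTS = {
    "name": {"sales", "support", "finance"},
    "phone": {"sales", "support"},
    "card_last4": {"finance"},
}
RETENTION_DAYS = 365                  # assumed retention period
UK_PHONE = re.compile(r"^0\d{10}$")   # assumed: 11-digit UK national number
TODAY = date(2024, 6, 1)              # fixed review date for the sample

def visible_fields(record, role):
    """Return only the fields this role is entitled to see."""
    return {k: v for k, v in record.items() if role in FIELD_RIGHTS.get(k, set())}

def completeness_issues(record):
    """Flag fields that are present but unusable, e.g. a truncated phone number."""
    issues = []
    if not UK_PHONE.match(record.get("phone", "")):
        issues.append("phone incomplete or malformed")
    if not record.get("name"):
        issues.append("name missing")
    return issues

def retention_exceeded(record, today):
    """True when the record has been held longer than RETENTION_DAYS."""
    return (today - record["collected"]).days > RETENTION_DAYS

def review(records, today):
    """Map record id -> list of findings the data owner should act on."""
    findings = {}
    for rec in records:
        f = completeness_issues(rec)
        if retention_exceeded(rec, today):
            f.append("retention period exceeded")
        if f:
            findings[rec["id"]] = f
    return findings

# Constructed sample records (not real customer data).
RECORDS = [
    {"id": 1, "name": "A. Example", "phone": "01234567890",
     "card_last4": "1234", "collected": date(2024, 3, 1)},
    {"id": 2, "name": "B. Example", "phone": "01234567",
     "card_last4": "5678", "collected": date(2023, 1, 1)},
]
```

Running `review(RECORDS, TODAY)` flags record 2 for its truncated phone number and for exceeding the retention period, while `visible_fields` shows that the finance role never sees the phone number and the support role never sees the card digits.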