Despite the fact that efficiency in organizations has greatly improved over time, thanks to technological innovations, it is obvious that a lot has to be done to guarantee the safety of important information stored by these organizations. The use of the Internet to carry out numerous business transactions requires that a considerable amount of time is spent developing systems that can withstand security threats.
A major concern for organizations is the safety of the massive data that has to be stored for future use. The information kept will usually vary from one organization to another. Where personal information is involved, extra care must be taken to safeguard the image of the concerned persons.
Apart from examining the challenges faced by organizations due to the increased use of information and communication technology systems, this paper also demonstrates the need for organizations to take full advantage of the developments in the information security industry to improve business operations.
In writing this paper, various books, articles and other web documents have been consulted. The views of different authors on the topic of information system programs are considered to show why it is very important that organizations do not take information security threats lightly. Also among the references used is a white paper looking at control systems that can be useful in securing an organization’s operations.
There is a great deal that can be said about the subject of information security. This paper, however, looks mainly at why the study of information security is important and how organizations can use information security programs to their advantage. There is a discussion on attacks organizations are exposed to and options available to mitigate their impacts.
According to Grama (2010), information security refers to the very essential act of protecting information. Information plays a major role in the functions of any organization and as such, how it is kept, whether in electronic or paper form, is important.
With recent technological advancements in the information and communication technology sector, electronic storage of information has become popular and today, it is almost unusual to find an organization that does not utilize technology in its operations. A characteristic of most organizations is to store huge chunks of information that are later used to carry out business operations.
Among others, organizations will keep employee records, customer and supplier details, as well as data regarding contracts entered into with service providers (Grama, 2010). This list is by no means exhaustive and the type of information captured and stored will largely depend on the type of business an organization is involved in. Obviously, any loss or interference with the saved data can lead an organization into serious trouble.
The exchange of information between organizations through the use of public facilities such as the Internet is also a very common occurrence (Grama, 2010). Activities of hackers, however, jeopardize the smooth progress of such operations. Hackers will engage in illegal acts either for fun or to get even with a competitor. According to Barman (2001), the Internet presents attackers within and outside the organization with electronic channels to access private information. Grama (2010) also explains that security breaches can be accidental or intentional. An employee in an organization may unintentionally delete important files while an external attacker with ill motives could cripple the operations within the organization by sending virus attacks to computer systems.
There is no doubt that this open nature of the Internet has greatly increased the need for effective security systems (Barman, 2001). Looking at what is at stake, organizations cannot take the subject of information security for granted. The thought of having important company information at the disposal of a stranger, for example, is scary enough to motivate one to take appropriate actions. According to Goertzel (2009), the existence of numerous loopholes has made it easy to plan attacks on information systems.
Egan (2004) also points out that it is imperative for business executives to fully understand information security in order to do electronic business productively.
Being such a delicate concern, therefore, information security is a subject that must be treated with maximum importance. Besides making sure that properly formulated guidelines on security are in place, all staff must adhere to the stipulated regulations.
Background and History of Information Security
According to Shostack & Stewart (2008), information security has its beginnings in the U.S. military, which has been recognized as a great influence in the technology sector. Given that military networks always store very sensitive information, they are a sure target for intruders. They further argue that even though information security is as old as information recording itself, it is the coming of computers that has caused increased interest in the subject of computer security.
The existence of hackers is another development that has aroused a serious need for better information security systems. Shostack & Stewart (2008) consider a hacker to be someone who is quite skilled at stretching a security system to its limits but usually without ill intentions.
Internal crimes within organizations have also led business owners to discover that the implementation of security systems is a must. It is possible for employees to steal information from one another and later use it wrongfully. Without a secure system, a disgruntled employee leaving the organization may gain access to company secrets that can later be used to harm the organization’s reputation.
Reports by the media have shown that security threats are on the rise with data either being lost or landing in the wrong hands (Grama, 2010). If not checked, this crooked behavior can make an organization lose its credibility, especially when dealing with sensitive clients. Dissatisfied customers worried about the safety of their personal data could end up cutting business links with the affected organizations and creating new ones with competitors. Grama (2010) also uses a code used by Julius Caesar to share secrets to show that the art of securing information has been around for ages, although it came to the limelight only in the recent past with the introduction of computer systems.
Development of Information Security
The information security industry has grown thanks to the vulnerable nature of information systems. The many challenges faced when using these systems have made organizations realize that they have to do much more to supply customers with quality services that cannot be compromised by intruders. From the early days, safeguarding secrets has been a great concern for individuals, organizations and even state governments.
The development of the information security industry can also be attributed to the fact that many organizations desire to take full advantage of the opportunities presented by technological innovations.
Benefits of Information Security
There are several benefits of information security with business being the major beneficiary. The way people carry out business operations has undergone radical transformations as a result of the current trend in the development of security systems. Organizations are now able to take advantage of the major technological advancements to create a presence all over the world and it is now possible for many people to do business using virtual offices.
Vacca (2009) has observed that for any business to remain firm and relevant in whatever industry, it must seek to establish a very secure organization. Besides seeing a drastic reduction in the cost of doing business, a secure infrastructure will also enable organizations to use the existing technologies to improve business operations without any fears. The fact that an organization is secure can also be used as an effective means to market (Vacca, 2009).
Another benefit of having a secure program for information security is the possibility of being able to share information with others quite easily. This cannot be possible in an environment that lacks a secure system. With many organizations now turning to the use of flexible work environments so as to maintain competitive employees, establishing a secure information security system will definitely be a welcome move.
According to Oram & Viega (2009), effective security can be useful in getting rid of separations that for a long time existed between technology and other areas of business operations.
Another noticeable benefit of using effective information security programs is seen in e-commerce. Because of the advancements in technology, the world is now a global village and this has, in a big way, eliminated the hurdles of carrying out business across borders. The existence of a security system will certainly build consumer confidence in doing business online and strengthen these business ties. Luckily, a number of tools are already in the market and can guarantee the success of doing online business amidst all the challenges that exist.
According to Egan (2004), the evolution of electronic commerce has also introduced new approaches to doing business. Their success, however, depends so much on the existence of reliable information security programs. Secure systems will help to win the confidence of customers.
Application of Information Security
Information security can be applied in almost any field ranging from managing people to improving business operations. Its use is becoming indispensable given that organizations are in pursuit of ways that enable them to compete with other players offering similar products in the market.
In buildings, for example, the use of security surveillance systems is popular and has contributed greatly in helping to capture and store a wide range of information regarding movements in and out as well as within the buildings. This is a phenomenon that can be extended to offices, eliminating the need for supervisors to keep running after employees for fear that they may not perform as expected of them. Security personnel at designated points can monitor all areas within the office to see where everyone is and what they are doing at any moment in time. Any questionable behavior can be quickly detected and if necessary, appropriate remedial measures can be taken.
Employee logging systems are also common in many organizations. Even though some have been subjected to abuse, most systems will enable the management to easily know who was present and who was not on any given day.
Access control systems can also be used to monitor how people enter and leave the office and at what times. Using varying identification means, anyone getting into the office will have their details captured and stored in the system for future reference. The captured information can later be used in case any unwelcome incidents within the organization are detected.
Basic Principles and Concepts of Information Technology
Information security principles include confidentiality, integrity, availability, authenticity and non-repudiation, the last of which refers to the fact that once a contract has been entered into, there must never be any alterations to conditions previously agreed on in the contract. Even though information security professionals are concerned more with the first three (Northcutt, 2009), the last two are equally important. A study done at the University of Miami MSC (2006) also shows that confidentiality, integrity and availability, commonly referred to by security professionals as CIA, are given greater importance compared to the other two. Many other authors also share a similar opinion. Thoughts about these principles should always be the focus whenever there is a need to procure a new business solution.
With the rising rate of cybercrimes, customers want to be certain that service providers will treat information about them as highly confidential and make sure that it does not leak out to unauthorized persons. Information such as a customer’s credit card details should never be exposed to strangers.
It is also very important that business operators keep their word whenever they have agreed to offer services to their clients. This will satisfy the requirement of non-repudiation. Information supplied to customers about products must be authentic and no changes whatsoever should be entertained in the process of transacting after an agreement has been reached between the parties involved. Businesses should also make sure that what the customers expect is readily available for them at any time. Customers should never be frustrated by interruptions (Northcutt, 2009). An information system that is not there when one badly needs to make use of it is as good as not having one at all (MSC, 2006).
According to Purcell (2007), security controls are measures that are taken to protect information systems from attacks that target the three main principles: confidentiality, integrity and availability. Purcell further shows that security controls can be classified in two ways. The first classification gives three sub-divisions of these controls: administrative, logical and physical. The second places emphasis on what security actually does.
While administrative controls define regulations to control employee behavior whenever they are dealing with sensitive data within the organization, logical controls provide a means of ensuring that needs of confidentiality, integrity and availability of information are met. Finally, physical controls are put in place to help stop any unauthorized access to vital company data.
The study by Pfleeger & Pfleeger (2003) provides helpful defenses that can be used by network engineers to strengthen the security of networks under their watch. Encryption, for example, which is the act of putting information in a scrambled format so that only the intended recipients can read it, can be a useful tactic for dealing with attacks on confidentiality and integrity. According to Fry, Nystrom & Nystrom (2009), security vendors will commonly advocate for security intrusion prevention rather than detection, though this decision must be backed by factors such as organizational goals, availability of the necessary tools and the structure of the existing network.
Information Security Continuity in Business
The desire by organizations to keep profiting from the use of information systems must be supported by the existence of reliable disaster recovery plans. Though it is good to secure equipment used to store information, more valuable to any organization is the security of data at its disposal. While damage or loss of equipment can easily be resolved by acquiring new ones, this is not the case when it comes to information. The disappearance of important data can really mess up an organization’s operations.
This explains why many companies dealing with information security systems are now present. The core business of these companies is to help organizations deal with the fear of losing vital information. At the center of their operations is data recovery, and business operators are prepared to go to any lengths to source these services.
Laws and Regulations in Information Security
Breaches of information security can result in serious consequences both for service providers and consumers. One of the risks involved is the destruction of an organization’s reputation. Once an organization’s image has been ruined, customers will be lost to competitors and restoring their confidence will be an uphill task for the organization.
For this reason, efforts are being made by state governments to reinforce consumer protection laws. According to Grama (2010), these endeavors are supplemented by several other federal agencies. If addressed with the seriousness it deserves, this will leave organizations with no option but to implement the best information security programs that will enable them to offer maximum security for any consumer information at their disposal. Lack of strict control procedures, on the other hand, will escalate the negative impacts of security breaches. It will encourage poor practice by organizations concerned more about making a profit than giving quality services to consumers, and hence expose consumers’ secrets to strangers.
Companies that have implemented information security programs have done it under the influence of either internal or external factors. While some may do it to comply with state regulations on consumer protection, others simply react to past security incidents experienced. Still, other organizations depend on the existence of executives in the organization who know the important role played by information security programs (Vladimirov, Gavrilenko & Michajlowski, 2010).
Though very critical, the use of information security is, on the other hand, considered to be a nuisance by some. Many users are impatient with security systems and feel like their time is being wasted. All they want is to get to work as fast as they can and get things done (Vacca, 2009). Apparently, the more complex a security system is, the greater the inconvenience felt. The common application of secure authentication, for example, only serves to yield resentment from the users who see this as nothing more than a distraction getting in the way of productivity.
Egan (2004) observed that the information security industry is still evolving and it is not possible to get solutions that provide total security for an organization’s business operations. There is still so much work that needs to be done to ensure that tools exist to address most challenges.
According to Jatinder, Gupta & Sharma (2008), the complexity of auditing functions for information security programs requires an in-depth understanding of an organization’s operations. Information about the stakeholders in the organization, how an organization carries out business and who the competitors are forms part of the critical information that can be helpful in doing the audit.
For a very long time though, the study of information security programs has been greatly ignored, with many claiming that it is uninteresting. According to Que (2001), this is bound to change given that malicious activities of hackers are on the rise. A very sad discovery is that many information systems professionals are ignorant about the importance of having a proper information security strategy. They seem to be happy with the fact that they are able to do their work and have completely forgotten that it is crucial to continue with research on information security systems.
For organizations to keep benefiting from technological advances, therefore, work has to be done to popularize the need for secure information systems. It is an issue that should dominate business development strategy discussions and state governments should stop at nothing to see to it that organizations strictly adhere to stated rules and regulations.
Conclusion & Recommendations
Considering the fact that information technology is now contributing greatly to the success of organizations, it is very important that time is taken to review systems that are used to store data. Without proper security systems, information can end up in the wrong hands and this can even lead to the collapse of an organization. Equally at risk are customers who may suffer serious consequences of poor information system programs.
Organizations must, therefore, wake up to the fact that to use information technology to advance business there is much more that must be done.
References
Barman, S. (2001). Writing Information Security Policies. U.S: New Riders Publishing.
Egan, M. (2004). The Executive Guide to Information Security: Threats, Challenges, and Solutions. New York: Addison-Wesley Professional.
Fry, C., Nystrom, M. & Nystrom, M. (2009). Security Monitoring. U.S: O’Reilly Media, Inc.
Goertzel, K. M. (2009). Introduction to Software Security. Web.
Grama, J. L. (2010). Legal Issues in Information Security. Ontario: Jones & Bartlett Learning.
Gupta, J. N. D. & Sharma, S. K. (2008). Handbook of Research on Information Security and Assurance. Hershey: IGI Global.
Miller School of Medicine (MSM). (2006). Confidentiality, Integrity, Availability (CIA). Web.
Northcutt, S. (2009). Security Laboratory. Web.
Oram, A. & Viega, J. (2009). Beautiful Security. U.S: O’Reilly Media, Inc.
Pfleeger, S. L. & Pfleeger, C. P. (2003). Security in Networks. Web.
Purcell, J. (2007). Security Control Types and Operational Security. Web.
Que. (2001). Maximum Security, Third Edition. U.K: Que.
Shostack, A. & Stewart, A. (2008). The New School of Information Security. New York: Addison-Wesley Professional.
Vacca, J. (2009). Computer and Information Security Handbook. Maryland Heights: Morgan Kaufmann.
Vladimirov, A., Gavrilenko, K. & Michajlowski, A. (2010). Assessing Information Security: Strategies, tactics, logic and framework. Cambridgeshire: IT Governance Ltd.