The development of information management technologies have been hailed as a valuable milestone in terms of enhancing effective and efficient business management. Several benefits have been accrued from the applications of modern information managemt technologies. These include enhancement managemt of business information, increase in the speed of business transactions, reduction of the risk of human errors among others. Regardless of these benefits, information technologies pose new threat to business managers. Most of these challenges are concerned with security risks that such technologies expose organization. Additionally, the threat of IT is compounded by the evolution of internet which is perceived as the ultimate platform to conduct e-commerce. It is imperative to state the IT exposes organization to different security risk, depending on the nature of the business the organization is involved in (Borodzicz 2005). For a financial service company the use of IT is especially risky due to a number of reasons. There enormous amounts of financial transactions, most of which are strictly confidential. The use of internet based financial services exposes the firm to the risk of infiltration by hackers and other malicious programs. This makes the company financial databases vulnerable to security attacks. This essay analyses the comparison and differences between three major security risks that IT security manager within financial service organizations face. This includes the threat to unauthorized access through spying, hacking virus attacks and infiltration by malicious programs. Despite the variations of effects of each of these, the security of the company’s databases is significantly compromised. Other risk involved includes poor assessment to security needs. This exposes the company to the risk of developing inappropriate security strategies. Additionally, mangers face the risk posed by human errors and accidents. Additionally, the essay proposes suggestions on counter measures to mitigate these risks.
The management of modern businesses faces many challenges, the threat of security being one of these challenges. As such, modern management has becoming more complicated. These complications are brought about by a number of factors, which include natural calamities, man made hazards, uncertainties, the nature of the business the organization is engaged in as well as unpredictability of future events. As a result modern businesses are increasingly being exposed to risks (Borodzicz 2005). This is especially true for organizations that use information technology. One of the characteristic natures of information technology is the infinite possibilities that exist within IT networks. In this case, firms that utilize IT are exposed to numerous risks. Due to the infinite possibilities presented by business IT, it is becoming almost impossible to counter IT based security threats. So complex are security threats that some of the world most technological savvy firms have also suffered security attacked within their It networks. These include the Spanish police, Sony among many other global brands. If these risks are not managed efficiently, not only will the IT firms suffer but also will the entire IT industry.
Most IT security managers realize the need to establish control system within their IT systems. To ensure that these controls are safeguarded against security threats, IT managers ensure that their IT networks are insulated from external interference. Such insulation is vital as it enables such systems evade external s security risks, it is imperative to assert that such system needs different control to avert internet security threats. Regardless of such vulnerability, it is imperative to note that IT managers have insulated their networks from external attacks by isolating access to internets and internet. However, there is an increasing need to expand IT control systems to accommodate the internet. This is because internet is emerging as one of the latest platform to conducted business. In this regard, the most crucial IT based security risks within a financial services company are analyzed. The financial service organizations are hoses due to the enormous risks posed by the use of IT based financial management systems.
Financial service industry has experienced growth for the last few years, thanks to information technology. Most of the financial organizations have developed IT tools that enable them handle transactions efficiently and effectively. Since financial service organizations handle enormous amounts of money, IT security is one of the crucial investments that financial firms have to make. Traditionally financial firms had only internal networks and thus considered themselves averse to security threats. However, the expanding roles of IT in modern business means that financial service companies have to expand the roles of IT to allow external use. This makes financial service companies vulnerable to increasing security risks.
Other than the open up of system controls to external use, there are other factors which make security of financial service company to be top priority. These include the fact that financial service company handles lost of confidential information on financial transactions. Most of this information is sensitive and thus needs to be strictly protected from unauthorized access. Additionally information is a valuable asset for any financial service organization. One of the success factors financial service businesses is the ability to protect that integrity of confidential financial information. As much as financial service companies rely on IT for improved business efficiency, human resource does most of the daily operations. As it is commonly known human beings are prone to accident of unintentional errors. In this case, such errors and accident expose the company to security threats. Furthermore, while modern IT allows firms to operate in the virtual world natural calamities do pose as security risks. In addition to these, a financial service firm may be exposed to security risk associated with poor assessment of security needs. This leads failed information security management systems, which leads to severe breach of information security. Combined, all these factors make financial service companies increasingly vulnerable to security threats.
One of the most dangerous security risks that a security manager within a financial service organization faces is unauthorized access to confidential information. There are a number of vulnerabilities which expose a financial service firm to unauthorized access to confidential information. While most of these vulnerabilities are categories as technological, others are just due to human weaknesses.
Technological vulnerabilities include attacks by viruses, malware, spywares and other unwanted programs. The most common is attack by viruses. Viruses are common since there at least 15 new viruses discovered each day. This multiplies the number of already existing viruses significantly. Despite the fact that IT security managers install the latest IT security programs and firewalls, financial service companies are still at the risk of virus attacks, because viruses evolve with the ability to navigate security installations. Viruses are also spread involuntarily and unintentionally. This implies that viruses spread through a network without any specific individual directing them. The dangers of virus attacks are vital. Most of the viruses are known to attack databases corrupting them and thus rendering the data unusable. As such a financial service company may find it impossible to access client financial data. In case there was no backup the firm losses all the data. This has severe business and legal consequences (FLSmidth Automation 2009).
While viruses are spread unintentionally, hacking is intentional unauthorized access into a privately owned database. Hackers gain unauthorized access into databases by circumventing security controls from a remote location. Hacker targets specific IT networks with specific actions in mind. For a financial service company, hackers’ primary target would be to either gain access into a specific financial account or instigate unauthorized transfer of funds. In this case hacking is one of the biggest security vulnerability that security managers within financial firms face (FLSmidth Automation 2009). Additionally, it is possible for ignorant or malicious employee to misplace confidential information. When his happens, unauthorized people have an increased chance of accessing that information. Human resource personnel might also fall victim to the cunningness of malicious fraudsters and reveals vital information. Fraudster may assume false identity and access a company database through phishing, the use of spyware or through social engineering (ISO 2007).
Other than unauthorized access to confidential information, a security manager in a financial service company also faces the risk of human errors and accidents. Human errors refer to vulnerabilities of It network as a result of ignorance’s caused by either lack of knowledge, or mere recklessness. For instance, a financial service firm employee may download applications such as music players, games, among others. These applications may overload an IT system and thus reduce the speed of some of the basic system functionalities such as security checks. When this happens hackers may utilize such security vulnerabilities to gain unauthorized access to financial systems. In some of the cases, it is possible for these unwanted applications to crash programs. When this happens, the security of financial information is significantly compromised. Additionally, a financial service firm may not have strict rules on the use of portable storage devices with in the organizations. As such, employees within a financial security firm may innocently use such storage devices such as USB sticks, CDs, iPods, iPad among others (ISO 2007). These hardware components may be infected with a malware or other suspicious programs that might copy confidential data. Access into secured databases also requires the use of security passes such as passwords. While such passwords are highly personalized they have also been a great cause of concern to IT security managers. Due to recklessness employees may store their passwords poorly with the risk of exposure to unwanted parties. Additionally, employees may also store confidential data in unsecured location such as their personal storage devices. When this happens the security of confidential information is greatly compromised.
The risks of human errors and accidents, as well as unauthorized access involve the combination of both human effort and technological input. The use of USB devices, CDs and other data storages technologies has an indirect effect on data security within a financial service organization. Such technologies threaten data security when an element of human error or accident is involved (ISO 2007). Employees within a financial service organization may store financial data in unauthorized devices due to ignorance. Such information is at the risk of access by unwanted persons. Similarly, malicious programs such as spyware, viruses as well as malware may attack a financial service firms’ database through indirect human effort. Security managers within financial security firm recognize that while most of these programs are spread unintentionally, they nevertheless involve human effort. Malicious programs are usually embedded inside popular downloads such as games. Employee may unintentionally infect the company’s database when they download such applications. However, unlike security risk associated with human errors and accidents, the risk of unauthorized access seems to have more severe consequences. Hackers, unlike malicious programs target systems with the intensions of causing extensive damage on the business aspects (FLSmidth Automation 2009; ISO 2007).
Financial service organizations are also exposed to security risk associated with poor assessment of security needs and priorities. These types of risk are multi faceted and also have a variety of causes. Poor assessment of a company information security needs may be caused by incompetence, ignorance on the part of information security assessors, poor methods used in the study of information security needs as well as lack of clear guidelines on the companies information security needs. Indeed the causes are inexhaustible. As indeed mentioned herein poor assessment of security needs is multi faceted. A company may conduct piecemeal assessment; that which only focuses on certain security aspects, while ignoring others. In regards to a financial service institution, this may involve only assessing the risk of external attacks while ignoring internal threats. Additionally, the company security assessors may be poorly informed about the latest security threats. Poor security assessment may also involve the use of inappropriate assessment methods which generates incorrect findings (Brock 1999).
A number of occurrences are likely to emanate from poor assessment of a company’s security needs. One of the most likely occurrences is poor integration of security measures into the entire system. This is likely to lead to partial or absolute failure of the new security systems, thus not meeting the company’s security needs. Additionally, architectural weaknesses within the company’s information security framework are likely to be realized. This may result from installation of outdated security measures, thus exposing the systems to the risk of multiple attacks. Poor security needs assessment also results to designing of poor security response mechanisms, within and without the system. This might lead to delayed response to security threats. For effective implementation, it is usually necessary to train the human resource on the new security procedures. Poor assessment leads to poor training of both users and administrators (Brock 1999). While this is the biggest vulnerability emanating from poor security need assessment, it leads to inadequate maintenance of a company’s control system. As mentioned earlier, one of the causes of poor assessment of a company’s security needs is the human ignorance and technical incompetence. Such weaknesses in expertise lead to poor development of ineffective security strategies. One of the riskiest areas affected is the development of security permissions. The results will be poor permissions which will expose a system to the vulnerabilities such as copying of passwords and user IDs as well as adding of unauthorized but trusted remote servers among by hackers other risks (ISO 2007).
Similar to the risk associated with human errors and accidents, the risk associated with poor assessment of security needs and priorities largely emanates from human weaknesses and recklessness. These two types of risk may also involve the misappropriations of knowledge or authority. Additionally, like the risk associated with human errors and accidents as well as poor assessment of security needs and priorities makes the financial service company database vulnerable to unauthorized access (Scarfone, Souppaya, Cody and Orebaugh 2008). However, unlike the other two types of risk, the risk associated with poor assessment of a company’s security needs and priorities emanates from lack of technical expertise. Additionally, unlike the other two types of risks, this type of risk is not as a result of malicious intent. Furthermore, poor assessment of security needs is not as a result on unwanted activities such as hacking or unwanted programs such as malwares viruses among others. It emanates from poor systems designs (ISO 2007).
There are other risks which security managers within financial service institutions faces. However, a number of mitigating factors seem relevant if the ones mentioned above are to be minimized. For instance, the risk of poor assessment of security needs and priorities can be addressed through the adoption of cost effective, practical approaches that enable security managers to identify the real security threats. To effectively assess and identify the real security threats, it is vital for security assessors to incorporate information from numerous sources from within the company. These sources include management reports, annual security audit reports, the company’s business plan as well as seeking information from middle and lower level managers. Additionally, it is imperative to note that security risks changes with time. As a result it is important to conducted longitudinal studies on a company’s security needs for an extended period of time before any suggestions are made. Incorporation of every departmental input is important. As such, security managers need to identify an individual from each department. These individuals act as the departments’ security assessment coordinators. While all these activities are ongoing it is crucial to hold regular inter departmental meetings which brainstorm the ongoing security assessment. Through these meeting, the company’s security needs will be identified. Additionally Within these meetings the available security controls will be identified and their weaknesses highlighted. Existing controls will also be compared with the existing mandatory security requirements. This will allow the security assessors to identify the security risk and vulnerabilities. All these efforts need to be coordinated by information security experts (Scarfone, Souppaya, Cody and Orebaugh 2008).
Proper assessment of security needs enable a financial service company to also develop a mechanism for dealing with other types of security risks. This implies that a financial service company will be able to address risks involving unauthorized access. Having done a proper assessment of security needs, it becomes possible to develop the most appropriate security strategies (Peltier 2005). The financial services company is exposed to spywares, viruses, malwares and attacks by other malicious programs as well as hackers. Proper assessment will enable security managers to identify the most effective Firewalls for specific company needs. The most effective Firewalls will enable the company to utilize both the internet as well as the intranet by filtering different malicious programs as well as hackers without jamming financial database (Scarfone, Souppaya, Cody and Orebaugh 2008).
Securing the company’s database from viruses may not be effective through the use of Firewalls since viruses easily spread through a database evading existing security measures. In this sense it becomes necessary to install appropriate Anti Virus programs. An Anti Virus program enables the information system to filter viruses especially in networks accessed by many people. Anti Viruses also enable the company protect its system from malicious programs spread by portable devices. Most importantly after assessing the company’s security needs, security managers are most likely to understand the need to establish secured backup systems immune to any security threat. Secured backup enables a financial service firm not only to recover damaged data, but also to secure security-intensive data (FLSmidth Automation 2009).
As mentioned elsewhere within the essay, security installations can only be effective to the extent that they filter attacks spread through the system. There exists other security needs, difficult to control through security installations. Such threats emanate from unrestricted use of external data storage technologies. In this case, a security manager within the financial service organization needs to develop other mechanisms to deal with such a menace. As such, a strict policy on use of private data seems relevant. This will minimize the chances of introduction by malicious programs through the use of external data technologies such as USB sticks (Peltier 2005). Additionally, this kind of policy eliminates the chances of transfer of data through external devices for malicious intent. Additionally, security mangers can impose strict regulations on the types of applications that can be used on a company’s computer networks. This reduces the chances of introducing malicious programs through download of unauthorized applications. It is imperative to note that such policies are only effective depending on the discipline of employees as well as there being strict monitoring criteria. Since it is practically impossible to monitor the use of external devices by every employee, security mangers need to disable all ports for external devices (ISO 2007). This will practically render employees data storage devices unusable on the company’s computer network.
It is imperative for security manager within a financial service organization to realize that due to the nature of its business, the firm is highly vulnerable to security attacks. The threats to security for a financial service firm have moved from the traditional banks robberies to cyber crime. This phenomenon is compounded by the incorporation of internet as a platform to conduct e-business. The combination of internet and other financial information management technologies makes the firm susceptible to external security threats. It is also imperative for security manager to understand that security threats evolve with time. In this regard, no single security strategy makes the company immune to cyber crime and other types of security threats. In this regard, continuous assessment of the company security needs seems relevant. As stipulated earlier, poor assessment of security needs exposes the company to multiple security risks. In this regards, assessment of a company’s security needs should be moderated by qualified security experts. Result of such assessment need to be compared with the emerging security threats within the financial service industry. The development of an effective security strategy allows the firm to incorporate appropriate Firewalls and Anti Viruses. While these effectively enable; the company to mitigate the effects of such security threats, they do not guarantee absolute protection. In this regard, this security measures need to be reinforced with an information back up plan. This allows the firm to access lost data. Additionally, some malicious programs slow system speed significantly. A systems back up allows the firm to access data during downtime. Combined, these measures significantly reduce malignant security risks.
Borodzicz, E., 2005. Risk, Crisis and Security Management. New York: Wiley
Brock, J., 1999. Information security risk assessment. Web.
FLSmidth Automation. 2009. Security risk assessment. Web.
ISO. Top information security risk for 2007. Web.
Peltier, T., 2005. Information security risk analysis. Oxon: Auerbach Publications
Scarfone, K., Souppaya, M., Cody, A. and Orebaugh, A., 2008. Technical guide to information security testing and assessment.