Introduction
Information systems are exposed to many types of threats that can lead to data breaches, data loss, and financial losses. The damage to an information system can range from a small breach to the complete destruction of the system, and the effect of a given threat varies considerably with the type of data stored or stolen. Currently, many organizations struggle to understand which threats their information systems face and how to mitigate them before actual damage is done. To improve that understanding, it is important to analyze the weaknesses of the information system so that system engineers can draw up a plan to mitigate these challenges.
A Comprehensive Outline of the Threats and Mitigation Plan
The first threat to a company's information system is phishing and social engineering. Social engineering and phishing have become the most common ways for attackers to gain a foothold in a network and spread malware. Although the threat originates outside the organization, it succeeds only because employees can be deceived: an attacker poses as a trusted party and tricks the employee into revealing credentials or clicking a link that leads to a page harvesting personal information or delivering malware (Obotivere & Nwaezeigwe, 2020). Email filtering and antivirus software mitigate part of the risk by quarantining messages and attachments that match known indicators, but they cannot catch every new lure. The most effective mitigation is therefore security awareness training: the company should teach employees how attackers gain entry and how to recognize suspicious messages, such as a sender domain that does not match the displayed name, a link whose visible text differs from its destination, or an urgent demand to act. Because some employees will still be caught, the training should be paired with multi-factor authentication so that a stolen password alone does not grant access.
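The checks described above, as an added example rather than code from the cited paper: a small Python function that applies the same heuristics an email gateway or a trained employee would use to a raw message. The corporate domain `example.com`, the urgency word list, and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain for this example.
COMPANY_DOMAIN = "example.com"
URGENCY_WORDS = ("urgent", "immediately", "locked", "expire", "verify now")

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address header value ('' if it has none)."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: mail.example.com -> example.com.
    Good enough here; production code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like phishing.
    An empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))

    # 1. Display name drops the company name, but the sending domain is foreign.
    if COMPANY_DOMAIN.split(".")[0] in display_name.lower() and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name impersonates {COMPANY_DOMAIN} but sender domain is {from_dom}")

    # 2./3. Replies or bounces are steered to a domain other than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # 4. Link text shows one domain while the href leads somewhere else.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in HREF_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = URL_RE.search(text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but href goes to {href_host}")

    # 5. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency language")

    return findings


# Constructed sample: a credential-harvesting lure impersonating the IT desk.
PHISH_SAMPLE = """\
From: Example Corp IT Support <helpdesk@example-support.net>
Reply-To: helpdesk@mail-verify.xyz
Return-Path: <bounce@mail-verify.xyz>
To: alice@example.com
Subject: Urgent: your password expires today
Content-Type: text/html

<p>Your account will be locked. Verify now:
<a href="http://example.com.login-check.xyz/reset">https://sso.example.com/reset</a></p>
"""

# Constructed sample: a genuine internal notice.
LEGIT_SAMPLE = """\
From: Example Corp IT Support <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<p>Details: <a href="https://intranet.example.com/maintenance">https://intranet.example.com/maintenance</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample))
```

None of these checks is proof on its own; a gateway scores them together and also verifies SPF, DKIM, and DMARC, which this example does not do. The value for awareness training is that each finding maps to something an employee can see in the message.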
Data sharing outside the company is another threat to the information system. Sharing confidential data such as intellectual property, personally identifiable information, or material safeguarded by data protection law with third parties can expose an organization to a data breach. The exposure usually results from carelessness on the part of employees rather than malice. For example, pressing "reply all" instead of replying to one person on a thread sends the information to an unintended audience (Obotivere & Nwaezeigwe, 2020). Training rarely eliminates these threats because they are human errors to which everyone is prone. Data Loss Prevention (DLP) tools, however, let an organization classify and track sensitive data and restrict its transfer by email or internet services to the intended recipients, typically by inspecting outbound content for classification markings and patterns such as card or identity numbers and checking the recipient list against the domains allowed to receive it. Solutions such as Endpoint Protector can additionally apply different permissions and security policies according to an employee's department. A DLP rule is only as good as its data classification: pattern matching alone produces false positives, so rules should be tuned and high-value data should be labeled at creation.
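The two DLP checks named above, as an added Python example that is not code from the paper or from any DLP product: content inspection (card numbers validated with the Luhn checksum so that order numbers are not flagged, plus a CONFIDENTIAL marking) combined with a recipient check that catches the "reply all" case of one external address on an otherwise internal thread. The internal domain, the `.example` vendor domain, and the message body are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Domains allowed to receive sensitive content (assumption for the example).
INTERNAL_DOMAINS = {"example.com"}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from invoice or order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Digit runs that look like card numbers and pass Luhn, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits in any log or alert."""
    return "*" * (len(digits) - 4) + digits[-4:]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def check_outbound(recipients: list[str], subject: str, body: str) -> Verdict:
    """Block the message only when sensitive content meets an external recipient.
    Sensitive content to internal recipients is allowed but still reported."""
    reasons = []
    cards = find_card_numbers(body)
    marked = bool(MARKING_RE.search(subject)) or bool(MARKING_RE.search(body))
    external = [r for r in recipients if domain_of(r) not in INTERNAL_DOMAINS]
    if cards:
        reasons.append("payment card number(s): " + ", ".join(mask(c) for c in cards))
    if marked:
        reasons.append("message is marked CONFIDENTIAL")
    if (cards or marked) and external:
        reasons.append("sensitive content addressed outside the company: " + ", ".join(external))
        return Verdict(False, reasons)
    return Verdict(True, reasons)


# Constructed thread body: one real (test) card number and one order number
# that has the same shape but fails Luhn.
THREAD_BODY = """\
CONFIDENTIAL - Q3 pricing review
Carol, please refund order 1234 5678 9012 3456 to the customer's card
4111 1111 1111 1111 before Friday.
"""

if __name__ == "__main__":
    # The 'reply all' mistake: a vendor contact is still on the thread.
    reply_all = ["finance@example.com", "carol@example.com", "dave@vendor.example"]
    print(check_outbound(reply_all, "Re: Q3 pricing review", THREAD_BODY))
    print(check_outbound(["carol@example.com"], "Re: Q3 pricing review", THREAD_BODY))
```

In practice the recipient policy would also hold a per-partner allowlist (a law firm that may receive contracts but not card data), and the alert would go to the sender first so that the genuine false positive can be released without a help-desk ticket.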
Information systems also face a growing threat from the use of unauthorized third-party applications and internet services in the workplace. Because these applications are installed or adopted without the IT department's knowledge, they are hard to detect, a practice known as shadow IT. Employees install file-sharing and social media applications without realizing the vulnerabilities they introduce into the system (Wang et al., 2021). To mitigate this challenge, the company needs a policy that prohibits employees from installing unapproved applications on their workstations or using workstations to log into personal social media accounts. A policy alone does not stop installations, so it must be enforced technically: ordinary users should not hold local administrator rights, application allowlisting should block unapproved executables, and web proxy logs should be reviewed for traffic to unsanctioned services so that IT can find the shadow IT it cannot otherwise see.
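The log review mentioned above, as an added example that is not from the cited paper: a Python script that parses constructed proxy log lines, ignores approved hosts, matches the rest against a watchlist of file-sharing, social media, and messaging services by domain suffix, and aggregates requests and bytes per user. The log line format, the approved-host set, and the watchlist are assumptions for the example; a real deployment would read the proxy's own format and a category feed.

```python
import re
from collections import defaultdict

# Hosts the company has sanctioned (assumption for the example).
APPROVED_HOSTS = {"sharepoint.example.com", "mail.example.com", "teams.example.com"}

# Unsanctioned services of interest, matched by domain suffix.
WATCHLIST = {
    "dropbox.com": "file sharing",
    "wetransfer.com": "file sharing",
    "drive.google.com": "file sharing",
    "facebook.com": "social media",
    "web.whatsapp.com": "messaging",
}

# Constructed log format (assumption): timestamp user src_ip method host[:port] bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::\d+)? (?P<bytes>\d+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.0.1.12 CONNECT sharepoint.example.com:443 48213
2024-03-04T09:13:44Z bob 10.0.1.31 CONNECT content.dropbox.com:443 9120345
2024-03-04T09:13:59Z bob 10.0.1.31 CONNECT www.dropbox.com:443 20311
2024-03-04T09:20:17Z carol 10.0.1.40 CONNECT web.whatsapp.com:443 310221
2024-03-04T09:21:03Z carol 10.0.1.40 CONNECT wetransfer.com:443 2250000
2024-03-04T09:25:30Z alice 10.0.1.12 GET mail.example.com:80 1200
2024-03-04T09:31:12Z dave 10.0.1.55 CONNECT www.facebook.com:443 5400
this line is malformed and must be skipped
"""


def classify(host: str):
    """Return (service, category) for an unsanctioned watchlisted host, else None."""
    host = host.lower()
    if host in APPROVED_HOSTS:
        return None
    for suffix, category in WATCHLIST.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, category
    return None


def shadow_it_report(log_text: str):
    """Aggregate watchlist hits per user and service.
    Returns (report, skipped_lines); report[user][service] holds
    category, request count and bytes sent, so the largest uploads stand out."""
    report = defaultdict(
        lambda: defaultdict(lambda: {"category": "", "requests": 0, "bytes": 0})
    )
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # never silently drop unparseable lines
            continue
        hit = classify(m["host"])
        if not hit:
            continue
        service, category = hit
        entry = report[m["user"]][service]
        entry["category"] = category
        entry["requests"] += 1
        entry["bytes"] += int(m["bytes"])
    return {user: dict(services) for user, services in report.items()}, skipped


if __name__ == "__main__":
    report, skipped = shadow_it_report(SAMPLE_LOG)
    for user, services in sorted(report.items()):
        for service, stats in sorted(services.items(), key=lambda kv: -kv[1]["bytes"]):
            print(f"{user:8} {service:20} {stats['category']:13} "
                  f"{stats['requests']:3} req {stats['bytes']:>10} bytes")
    print(f"{skipped} unparseable line(s)")
```

Bytes sent matters more than request count: a handful of multi-megabyte CONNECTs to a file-sharing host is the pattern that indicates data leaving the company, which is where the conversation with the employee and the proxy block rule should start.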
The use of unauthorized devices is another way a company's data is stolen or breached. Many data protection policies focus on transfers outside the established channels, such as over the Internet, but fail to consider portable devices. USB storage has long been a focus of data protection strategies because such a device is easy to use, easy to lose, and convenient for smuggling data out of the company. Lost USB devices have led to major data breaches such as the infamous Heathrow Airport incident, in which a USB stick lost by an employee, containing over 1,000 confidential files with highly sensitive personal and security information, was found on the street. To mitigate this risk, employees should use only company-issued USB drives or portable disks, those devices should be encrypted so that a lost one exposes nothing, and endpoint policy should block unknown removable media from being mounted at all. Additionally, no employee should take the company's USB drives or hard disks off the premises or bring personal devices to work.
Continuity Planning
The advancement of technology has made cybersecurity a major concern for business continuity planning. In the Business Continuity Institute's Horizon Scan 2016 report, participants ranked cyberattacks and data breaches as their number one threat concern. There is therefore no doubt that companies must include both in their continuity plans alongside traditional threats to operations (Thomas et al., 2021). Cybersecurity deserves special mention in a continuity plan because even a minor data breach can have a devastating impact on the company, its partners, and its customers. The first concern is backups of valuable information, kept in a secure location separate from production systems and restored periodically to confirm that they work. Secondly, the IT department must consider remote work security: as the work environment changes and more employees work from home, the likelihood of data breach or loss increases (Thomas et al., 2021). Another concern is communication channels, which must be clear and free from external interference so that the response team can coordinate even when corporate email is compromised. Lastly, it is important to consider lateral movement, the spread of an attacker from the first compromised system to others on the network. Part of business continuity is resolving incidents as quickly as possible; the faster the IT team can contain an intrusion, the faster business can get back to normal.
Ethical Considerations of Data Breach
The first consideration is the privacy, security, and trust that customers place in the company when they share their personal information. Security systems ultimately rest on the moral principles and practices of the people who build and operate them, as codified in the standards of the profession. Security threats therefore bring to light questions of responsible decision-making, fraud and misuse, copyright, trade secrets, and sabotage. Threats to information create an ethical obligation for a company to protect consumer data and trade secrets, and expose it to liability for the loss of customer and company data.
References
Obotivere, B., & Nwaezeigwe, A. (2020). Cyber Security Threats on the Internet and Possible Solutions. IJARCCE, 9(9), 92-97.
Thomas, C., Fraga-Lamas, P., & Fernández-Caramés, T. (2021). Computer Security Threats. Books on Demand.
Wang, Y., Xi, J., & Cheng, T. (2021). The Overview of Database Security Threats' Solutions: Traditional and Machine Learning. Journal of Information Security, 12(1), 34-55.