Wednesday, May 6, 2020

Companies Focused On Mitigation Of Risks - Myassignmenthelp.Com

Question: Discuss About The Companies Focused On Mitigation Of Risks?

Answer:

Introduction

As the computer industry has evolved, so have the security measures used to safeguard data. First came computer security, which limited ordinary users' access to the level they needed to perform their tasks. Information security followed once users had personal computers and began innovating. The third term, cyber security, was coined with the arrival of the digital era. Today the focus is cyber resilience, which ensures that cyber security is driven from the top of the organization using a top-down approach. Under this strategy, cyber security is not solely the task of the Information Technology (IT) department.

Because cybercrime is increasing, companies ought to embed resilience into their business models through their governance and management processes. The aim is to protect information within business processes such as product development, which not only minimizes risk but also increases efficiency. Research carried out by Telstra shows that Australian companies are recognizing the significance of involving all stakeholders in cyber security (Telstra Cyber Security Report 2017, 2017). The same research found that the IT department was held responsible for the security breaches experienced in 2015 and 2016; however, blame has shifted towards top-level managers, with the proportion attributing responsibility to them rising from 19 percent in 2015 to 61 percent in 2016 (Telstra Cyber Security Report 2017, 2017). Executive involvement in cyber security initiatives is also rising.

Methodology

The research drew on secondary data retrieved from the internet. One source was the Telstra Cyber Security Report, which presents findings from research carried out by Frost & Sullivan.
Telstra's online surveys received 360 responses, 42 percent of them from Australia. Telstra also used data gathered from its own security products and partners. Most results came from large organizations with more than five hundred employees globally (Telstra Cyber Security Report 2017, 2017). The research focused on the information technology sector, the public sector, and manufacturing and logistics. The other secondary sources did not contain original research findings.

Threats

Threats can be categorized in various ways. First, cybercrime, where the aim is to acquire financial rewards directly or indirectly. Second, hacktivism, where attackers are motivated by a belief or cause. Third, cyber espionage, which aims to gain a strategic or economic advantage. Fourth, business continuity events such as natural disasters and the consequences of human error (Cyber Resilience Best Practices, n.d.). The nature of a threat varies with the form of the crime and the tools used: the forms include manipulation, blackmail and theft, while the tools include malware, spyware, ransomware and compromised devices (Telstra Cyber Security Report 2017, 2017). Some of these, ransomware in particular, are sold as a service by criminal groups (Cybersecurity: Threats, Challenges, Opportunities, 2016).

Ransomware denies the victim access to a device or its data until a ransom is paid. The most common form is cryptoware, such as CryptoLocker, which encrypts files and demands payment for the key to unlock them. Another variant, Ranscam, has the extortionists claim the files are encrypted when in reality they have been deleted (Cybersecurity: Threats, Challenges, Opportunities, 2016). In either case the ransom should not be paid: a company with backups can restore its files without paying, and with Ranscam there is nothing left to decrypt.
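The two ransomware behaviours above leave different traces that a detective control can pick up: cryptoware rewrites many files in a short burst with high-entropy (encrypted) content, whereas a Ranscam-style attack deletes files and drops a note claiming they are encrypted. The following Python script is an added illustration, not code from this page or from the cited reports; it classifies processes from a constructed file-system audit log using those two signals. The event format, the process names, the file contents and the tuning thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed file-system audit events for the example (not from the cited reports):
# (timestamp in seconds, process, action, path, bytes written).
# backup.exe writes ordinary text; svchost_fake.exe rewrites documents with
# high-entropy data under a new extension; ranscam.exe deletes files and drops a note.
EVENTS = [
    (0, "backup.exe", "write", r"D:\docs\q1.txt", b"Quarterly report: revenue up 4% on the prior quarter."),
    (30, "backup.exe", "write", r"D:\docs\q2.txt", b"Quarterly report: revenue flat versus the prior quarter."),
    (60, "svchost_fake.exe", "write", r"D:\docs\invoice1.pdf.locked", bytes(range(256))),
    (61, "svchost_fake.exe", "write", r"D:\docs\invoice2.pdf.locked", bytes(range(255, -1, -1))),
    (62, "svchost_fake.exe", "write", r"D:\docs\contract.docx.locked", bytes((i * 37) % 256 for i in range(256))),
    (63, "svchost_fake.exe", "write", r"D:\docs\payroll.xlsx.locked", bytes((i * 59 + 11) % 256 for i in range(256))),
    (64, "svchost_fake.exe", "write", r"D:\docs\README_DECRYPT.txt", b"Your files are encrypted. Pay 1 BTC to decrypt."),
    (90, "ranscam.exe", "delete", r"E:\share\a.doc", b""),
    (90, "ranscam.exe", "delete", r"E:\share\b.doc", b""),
    (91, "ranscam.exe", "delete", r"E:\share\c.doc", b""),
    (91, "ranscam.exe", "write", r"E:\share\PAY_NOW.txt", b"Your files are encrypted. Pay or lose them."),
]

BURST_WINDOW = 10     # seconds; assumed tuning value
BURST_THRESHOLD = 3   # qualifying events inside one window; assumed tuning value
HIGH_ENTROPY = 7.5    # bits per byte; encrypted or compressed data sits close to 8.0
NOTE_MARKERS = ("encrypted", "decrypt", "pay")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def looks_like_ransom_note(path: str, content: bytes) -> bool:
    text = content.decode("utf-8", errors="ignore").lower()
    return path.lower().endswith(".txt") and any(m in text for m in NOTE_MARKERS)


def classify_processes(events):
    """Map each process to a verdict based on bursts of encryption-like writes or deletions."""
    per_proc = defaultdict(lambda: {"enc": [], "del": [], "note": False})
    for ts, proc, action, path, content in events:
        rec = per_proc[proc]
        if action == "delete":
            rec["del"].append(ts)
        elif action == "write":
            if looks_like_ransom_note(path, content):
                rec["note"] = True
            elif shannon_entropy(content) >= HIGH_ENTROPY:
                rec["enc"].append(ts)
    verdicts = {}
    for proc, rec in per_proc.items():
        if max_in_window(rec["enc"], BURST_WINDOW) >= BURST_THRESHOLD:
            verdicts[proc] = "cryptoware: burst of high-entropy rewrites"
        elif max_in_window(rec["del"], BURST_WINDOW) >= BURST_THRESHOLD and rec["note"]:
            verdicts[proc] = "ranscam-style: files deleted, note claims encryption; paying cannot recover them"
        else:
            verdicts[proc] = "benign"
    return verdicts


if __name__ == "__main__":
    for proc, verdict in classify_processes(EVENTS).items():
        print(f"{proc:20s} {verdict}")
```

A real sensor would sample only the first few kilobytes of each write rather than carry whole file contents, and would tune the window and threshold to the host's normal write rate; the point the example makes is that the Ranscam case is recognisable before any ransom decision, because deletions with a note and no encrypted writes mean there is nothing a key could restore.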
Even so, companies choose to pay when the ransom is lower than the cost of restoring from backup and resuming normal operation. In some cases the files are not recovered after payment, because the data has been sold to third parties or had already been deleted. As noted above, these attacks are common in Australia. In 2016, 24 percent of companies experienced such an attack, and recovery took up to five hours (Telstra Cyber Security Report 2017, 2017). Vendor research found that across the Asian region ransomware is the most downloaded attack tool, because it is so readily available on the internet. Only 40 percent of the Australian companies surveyed avoided such an attack, and of those that paid the ransom, 33 percent failed to recover their files. Some companies pay to protect their reputation.

Another threat is the botnet. A bot is an internet-connected device, such as a webcam, that has been compromised and is controlled remotely by the attacker; a collection of bots makes up a botnet. A large botnet can carry out a distributed denial of service attack, such as the one on the Australian Bureau of Statistics eCensus website in 2016 (Cybersecurity: Threats, Challenges, Opportunities, 2016). A denial of service attack floods a website with requests until it can no longer serve legitimate users; in a distributed denial of service attack the flood comes from many devices at once (Cybersecurity: Threats, Challenges, Opportunities, 2016).

Phishing is an attack in which an email posing as a trusted message lures the user into clicking a malicious link or opening an attachment, either to harvest information or to download and execute malware. A typical example is a fake shopping invoice that asks for credit card details. Spear phishing targets a particular member of an organization, using research conducted mainly through social media.
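The phishing and spear phishing attacks described above share a few technical tells that a mail gateway or analyst script can check before a user ever sees the message: a sender domain that resembles a trusted one after common character substitutions, a Reply-To that diverts responses elsewhere, a display name borrowing an executive's name on a foreign address, and link text that names one domain while the href points to another. The Python below is an added example, not code from this page or from the cited reports; the trusted domains, executive list, scoring rule and the three sample messages are constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed data for the example: domains the (hypothetical) organization trusts,
# and the executives who are the obvious whaling targets.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}
EXECUTIVES = {"ceo@example-corp.com": "Jane Doe", "cfo@example-corp.com": "John Roe"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)

# Constructed sample messages: one legitimate, one invoice phish, one whaling attempt.
SAMPLES = {
    "legit": (
        "From: Accounts <accounts@bank-example.com>\r\n"
        "To: alice@example-corp.com\r\n"
        "Subject: Your statement\r\n"
        "Content-Type: text/html\r\n\r\n"
        '<p>View it at <a href="https://bank-example.com/statements">bank-example.com</a></p>'
    ),
    "invoice_phish": (
        "From: Accounts <billing@bank-exarnple.com>\r\n"
        "To: alice@example-corp.com\r\n"
        "Reply-To: collect@mail-drop.example\r\n"
        "Subject: Invoice overdue\r\n"
        "Content-Type: text/html\r\n\r\n"
        '<p>Pay at <a href="http://bank-example.com.payments-verify.example/login">bank-example.com</a></p>'
    ),
    "whaling": (
        "From: Jane Doe <jane.doe@examp1e-corp.com>\r\n"
        "To: cfo@example-corp.com\r\n"
        "Subject: Urgent wire\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<p>Please wire the attached invoice today and keep this confidential.</p>"
    ),
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize(domain: str) -> str:
    """Undo common substitutions used to build lookalike domains (rn->m, vv->w, digits for letters)."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("0135", "olse"))


def is_lookalike(domain: str) -> bool:
    """True if an untrusted domain matches or closely resembles a trusted one after normalization."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    norm = normalize(domain)
    return any(norm == t or SequenceMatcher(None, norm, t).ratio() >= 0.85 for t in TRUSTED_DOMAINS)


def link_mismatches(html: str):
    """(shown_domain, real_domain) pairs where the anchor text names one domain but the href goes elsewhere."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        m_href = DOMAIN_RE.search(href)
        m_text = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if m_href and m_text and m_href.group(1).lower() != m_text.group(1).lower():
            out.append((m_text.group(1).lower(), m_href.group(1).lower()))
    return out


def triage(raw: str) -> dict:
    """Collect indicators for one raw RFC 5322 message and rate it clean / phishing / whaling."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_dom = domain_of(from_addr)
    indicators = []
    if is_lookalike(from_dom):
        indicators.append(f"sender domain {from_dom} resembles a trusted domain")
    if reply_to and domain_of(reply_to) != from_dom:
        indicators.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")
    for exec_addr, exec_name in EXECUTIVES.items():   # display-name spoofing of a known executive
        if display.strip().lower() == exec_name.lower() and from_addr.lower() != exec_addr:
            indicators.append(f"display name impersonates {exec_name}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="ignore")
    for shown, real in link_mismatches(body):
        indicators.append(f"link text shows {shown} but points to {real}")
    targeted = to_addr.lower() in EXECUTIVES
    verdict = "clean" if not indicators else ("whaling" if targeted else "phishing")
    return {"verdict": verdict, "targeted_executive": targeted, "indicators": indicators}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The recipient check is what turns the same indicators into a whaling verdict: a spear phish aimed at the CFO deserves faster escalation than the same lure sent to a shared mailbox, which is the distinction the text draws between spear phishing and whaling.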
A related term, whaling, refers to a phishing attack aimed at a senior executive (Telstra Cyber Security Report 2017, 2017). Collectively, these attacks are classed as social engineering (Cyber Resilience Best Practices, n.d.).

Adoption of security protocols

The findings show that most companies use a variety of security measures, such as access controls, and follow guidelines from the Australian Prudential Regulation Authority and the Australian Cyber Security Centre (Telstra Cyber Security Report 2017, 2017). Audits are commonly conducted and inform the formulation of cyber security policies. The number of board briefings on cyber security held each month has also increased; these briefings review the effectiveness and efficiency of the security measures in use, which shows that many companies now involve top management in cyber security initiatives.

However, there are vital security measures that most companies do not implement. The majority of Australian companies do not conduct cyber drills (Telstra Cyber Security Report 2017, 2017), even though drills are how response and continuity plans are tested before a real attack occurs. Most companies also do not adopt the Payment Card Industry Data Security Standard (PCI DSS), which organizations that accept card payments are required to meet in order to prevent breaches of cardholder data; this was attributed to lack of awareness, outsourcing of the payment function, and the fact that few peers comply. Finally, a small percentage of companies did not verify the authenticity of information provided by their vendors.

Framework

Cyber resilience exists to ensure that the company can continue to meet its objectives, so the measures employed must be aligned with those objectives.
The framework outlined here comes from Cyber Resilience Best Practices and is based on the ITIL service management lifecycle (Cyber Resilience Best Practices, n.d.). ITIL was developed in 1989 and has continued to deliver effective IT services, but the framework can also be used by companies that do not use ITIL for IT service management. Its elements are clear ownership of and responsibility for cyber resilience by the board, and tailored training for employees. As a result, the company's critical assets and key threats are identified and communicated, and the company is able to assess its cyber resilience strategy.

A company must also employ a balance of control measures. Preventive controls stop the incidents that lead to attacks; detective controls indicate when such incidents occur; corrective controls respond to and correct them. The right balance depends on the company's need to deliver services, maintain customer convenience and mitigate risk. The design and implementation of these controls follows the management system the company uses, for example the ITIL cycle of strategy, design, transition, operation and continual improvement (Cyber Resilience Best Practices, n.d.).

The first stage is strategy. Here the company's objectives are clearly defined and understood so that everything that follows is based on them. The critical assets, that is the information, systems and services essential to stakeholders, are identified, and the threats and risks those assets face are outlined. The second stage is design, carried out on the basis of the strategy. The appropriate controls, training and procedures are selected.
The levels of authority of different personnel are also defined, so everyone knows who is empowered to do what (Cyber Resilience Best Practices, n.d.). The third stage is transition, where the operation of the controls is tested. Detection is established here: through testing, the company learns to recognize when an asset has been altered, whether by accident or by malicious action, and whether the source is internal or external. The fourth stage is operation, where the controls are run (Cyber Resilience Best Practices, n.d.). It involves continual testing of the controls and of the company's readiness to respond to an attack, contain its effects and restore service within the required time. The last stage is continual improvement, where the strategy evolves as technology evolves, and the whole process is reviewed after each attack so as to learn from it.

Recommendations

To achieve cyber resilience, a company must identify the types of information it holds and decide which need protecting according to their importance. Every company holds sensitive information that must remain confidential, such as commercial agreements; for other information, integrity matters most. Companies should therefore not aim to protect all information with the same level of security measures, and some trade-offs will have to be made. Decision-making should involve all stakeholders, not only the IT department. Ownership of information assets should sit with the departments that rely on them most heavily; for example, the security measures for customers' personal information are best identified by the sales and marketing department (Cyber Resilience Best Practices, n.d.). Cyber resilience requires the active participation of other departments.
The board must be involved to oversee this transition. In addition, the risk management process must be aligned with the control measures implemented in the cyber resilience practices (Cyber Resilience Best Practices, n.d.). Effective cyber resilience also involves external stakeholders such as customers, suppliers and partners. For example, implementing controls requires the procurement department to help determine the cyber resilience requirements placed on different suppliers, and the handling of client information requires the cooperation of the sales and marketing department, especially when that information is shared with suppliers.

Cyber resilience can also be advanced by sharing information between organizations. Companies can unite to share information about common security threats and attacks (Cyber Resilience Best Practices, n.d.), which helps those not yet affected to update their security measures and shows how such incidents can be detected and remedied. Such a forum can also offer businesses training on current technology for handling cybercrime. Government can contribute by formulating standardized policies that must be met to enhance security.

Cyber resilience depends on people, processes and technology. The company must train employees, suppliers, partners and customers to create awareness, so that security is maintained for all types of information. In designing and implementing controls, the company's culture must be considered (Cyber Resilience Best Practices, n.d.), because an organization's processes may be governed by clearly set rules or by loose guidance, and the designs chosen should not impair the company's performance. As for technology, the technology and security measures used should cut across departments and stakeholders.
To maintain resilience, the company should not only deploy detection and response technologies but also invest in cyber drills; strategies that are never tested are bound to fail. Testing matters because, during an incident, the organization must divert some resources to dealing with the threat while keeping the rest focused on delivering products and services as before, so its continuity plans are vital in case of an attack. If the company handles credit or debit card information, it must comply with the PCI security standards (Telstra Cyber Security Report 2017, 2017).

Conclusion

In conclusion, the policies and frameworks adopted must meet the company's requirements and be aligned with its objectives. As noted above, sensitive information is shared between a business and its partners, which makes it necessary to include all stakeholders in cyber resilience practices to achieve efficiency and effectiveness. Companies need to work with government to create policies that enhance cyber resilience. Finally, the company should revise its business practices to keep pace with technological advances and cyber resilience practices.

References

Cyber Resilience Best Practices. (n.d.). [ebook] pp. 4-19. Available at: https://www.tsoshop.co.uk/gempdf/RESILIA_Cyber_Resilience_Best_Practices.pdf [Accessed 9 Sep. 2017].

Cybersecurity: Threats, Challenges, Opportunities. (2016). Australian Cyber Security, management.

Telstra Cyber Security Report 2017. (2017). Telstra Corporation Limited, pp. 4-30.
