Task 1: Identify the types of security risks within an organisation and how they can be prevented.
For this first task, I will be examining some of the potential risks which can be found in an organisation and a solution for how each can be prevented. Under the subheadings below, I will explain five different security risks and then offer a way to prevent each of them from arising.
Security risks and preventions
Outdated Software and hardware:
Let’s begin with the risks of outdated software. This is one of the security risks within an organisation that could cause dire consequences. Outdated software encompasses everything from outdated antivirus software to old operating systems and anything in between. Having outdated software makes an organisation prone to numerous problems, spanning from cybercrime to system failure. An example of a problem an organisation may face with outdated antivirus software is that it would not be able to defend against more recent threats; this leaves the organisation open to the latest threats, which could cause a breach of the organisation’s information, deletion, alteration, software damage and so on. Having other outdated programs can be just as much of a problem: very much like antivirus software, other software which has not been kept up to date will miss out on patches to the program. This is a potential risk, especially if the software keeps sensitive information for the organisation. These are serious threats, and from the risk of outdated software the organisation is most likely going to face dire consequences.
Preventions:
After having a look into the risk of outdated software, we can now have a look into the preventions of this risk arising in the organisation. First of all, a way to prevent or minimise the most recent threats is to make sure that the organisation keeps its antivirus up to date. I have explained the consequences of not doing this, which makes it a mandatory thing to do to keep secure. Whenever an update is available it should be installed, keeping the user up to date with all of the most recent threats. Now we will have a look at updating other software. This carries the same concept: it is important to make sure you have the latest version of the software, to ensure all of the patches are there and to decrease the likelihood of being attacked in any way. This is more centred around software which carries sensitive information.
Damage to Hardware:
Next, we will have a look at ‘damage to hardware’. This is looking at damage in some way to the organisation’s digital system. There are many ways something like this could occur, and it can end up being one of the most devastating things for an organisation to go through, mostly because of the replacement costs. An example of damage to hardware would be something like a building fire. If the building where the organisation is set up were to have a fire, there is no possible way to get back what is burnt; fires can cause tremendous amounts of damage to the system, possibly even destroying it all. If information is saved only onto the machines and not on a backup somewhere, such as an external drive or server, the company has lost all of its data too, adding to the devastation. It could take years to recover from an event like this, if the organisation is able to recover at all; it is possible for them to go out of business from spending on replacing damaged items in the system. A less tragic risk when it comes down to damage to hardware is something like spilling liquid over a machine. This could potentially damage the hardware, and carelessness from staff could cause the company to pay for anything from a new keyboard to a new computer, depending on the spill. This can be a minor setback, but it is possible this could happen again, so it is important that the organisation makes sure it doesn’t.
Preventions:
Now let’s begin to have a look into the preventions of damage to hardware. Even though it is not always possible to save hardware in certain events, it is always possible to save data. As I was explaining, in the case of a fire it is very unlikely that hardware is going to be saved, but the data which the company keeps can be saved onto an external source, either an external drive or an external server, meaning the information can be preserved. If a fire could be caused by staff members, it is important that they are taught beforehand about health and safety in the working environment, an example being disposing of cigarettes in the correct manner. All this is going to make this situation much better. Similar rules apply to staff spilling liquid over equipment in the workplace. Staff should be taught about health and safety in the workplace, making sure drinks have lids on and are placed away from the computer.
Cyberattacks:
Now on to the third risk. Cyberattacks are a very serious matter which an organisation must be aware of. Cyberattacks generally target small to medium sized businesses as they are more vulnerable than bigger ones; because of this, it is likely that the attacker will be attempting to find information related to bank details, or anything related to money within the organisation. On other occasions, the attacker may just want to cause harm to the organisation by sharing its personal information. This can be done in numerous ways by the attacker, usually taking advantage of the staff’s lack of understanding of security, but it can also take advantage of non-secure systems. Cyberattacks are known to be able to do a lot of damage to an organisation, usually damaging its reputation by exposing customers’ personal information and stealing bank details. The organisation will be held responsible if this were to happen, and will be punished with either a fine or being forced to close. Even if they were to carry on, it is unlikely that any customers will go to an organisation which has been prone to cyberattacks.
Preventions:
The next preventions we will be talking about are for cyberattacks. As I have explained, this is a very serious matter for an organisation. There are many ways this can be minimised, but it is very difficult to prevent entirely. For organisations, it is always important to deal with these types of risks, and there is one way that all of the staff can help keep the system secure from cyberattacks: making sure that all staff have strong passwords when logging into the site. On top of this, it is very important to keep changing the password, to ensure that no one is able to guess it. Another way to help minimise threats like these is to keep things secure and updated; I have already touched a little on this earlier, but it is a very useful thing to do, as it does not give attackers easy access to a system. Finally, another way to help with this matter is to hire an expert in the field. The good thing about this is that the organisation has someone who will keep them safe from external threats, and as they are an expert, it is likely that this will drastically improve how safe and secure things are.
Unauthorised access to a system:
The fourth risk which we will be talking about is unauthorised access to a system. This encompasses everything from unauthorised staff entering a forbidden system to an external threat accessing the system; both are risk factors for an organisation. To give you an idea, let’s say a certain unauthorised staff member accesses the system, for example a janitor. The system should only be accessed by certain staff members who are qualified within the role. If it is possible for the staff member to access the system, they could view confidential information about other staff members, the organisation or even customers. Being unauthorised to see this information, it is a possibility that the staff member may expose or alter it, which could be for the staff member’s own benefit, e.g. payment information. This is likely to cause problems for the organisation, especially if the information is exposed or altered.
The same goes for external entities. The difference between internal and external entities is that this type of threat is more likely going to come from an outside attacker than an inside one. What I mean by this is that someone who works in the company isn’t as likely to risk their job to harm the organisation, but from outside it is more likely going to be a targeted attack towards the company.
Someone outside accessing personal information could use this to jeopardise the organisation by exposing information, selling it on to other people, or changing or deleting it. If word gets out, the effects of a breach like this are most likely going to hurt the reputation of the organisation, most likely forcing them to pay large fees, or in the worst-case scenario it is possible for the organisation to be shut down.
Preventions:
Next, we will have a look at preventions for unauthorised access to a system. People being able to access information when not authorised can be very dangerous for an organisation. So if one of the staff members who is not authorised to access a system tries to do so, a way this can be prevented is to make sure that something like two-step authentication is added. This means that the staff member needs to get past two steps to gain access, meaning the likelihood of them accessing the information is going to be dismal, keeping the organisation a safer place. This could also go well with CCTV, as it is good to know who tried to access the system; overall this could be added to keep an eye on the staff who don’t have these certain roles in the organisation. When it comes down to external entities accessing personal information, it is more of a likelihood they are here to attack to get something more out of it, usually bank details. To prevent this, or make it more unlikely to happen, an organisation could always make sure that its online security is strong by installing good security software within the organisation, and maybe hiring someone who is a specialist in the field to keep information secure, boosting the understanding of security in the organisation. With people like this, it makes it much harder for an information breach to occur.
Staff related risks:
To conclude this task, we will now have a look at staff related risks. One of the biggest risks comes with human error. Staff in an organisation are probably the most likely to cause risks. This could be forgetfulness, e.g. forgetting to log out of their system, and the possible consequence of this could be someone walking into the room and easily accessing personal information about the organisation. When the attacker gets the information it is possible for them to leak it, which is likely going to damage the company’s reputation. Another possible risk with staff could be uninformed staff. The problem which could occur with this is a lack of understanding of security procedures within the organisation. Not knowing about the procedures is likely to cause extreme security risks, for example sharing personal information via email, opening questionable webpages, opening questionable emails, using weak login passwords etc. Organisations with uninformed staff are prone to many possible dangers to their security, e.g. leaked personal information, hacking, phishing etc. Finally, one more risk which may occur when it comes down to staff in an organisation would be trust. Sometimes in an organisation, problems may occur with trust for employees doing certain jobs in the workplace. On some occasions, it is very possible that some staff can’t be trusted with their job, especially if they are handling sensitive information about the company. If they are not a trustworthy member of the company it is possible for them to alter, delete or share the information. This is another possible way to jeopardise the organisation.
Preventions:
Now we will begin to look at the ways to prevent the staff related risks which I have explained. Going back to the first staff related risk, ‘forgetfulness’, a way to prevent, or at least minimise, the security risk is to make sure that there is punishment for staff members if they make mistakes. Also, staff should work together, as this is more likely going to stop them from making a mistake, since there are more people around them to call them out if they are about to cause an issue; and if they do, it is always good to punish them so the mistake does not happen twice. The next thing would be lack of understanding. This is one of the bigger risks out there, as if the staff do not know the procedures which are in place, or do something because of a lack of understanding, this could destroy a company. The best way this can be prevented is to train staff. The staff must be trained in security to ensure that they know what to do and what not to do; knowing the basic information is likely to save the organisation from danger. Informed staff make the best staff, meaning that they won’t make mistakes like opening a risky email. Finally, when it comes down to trust in the staff in the organisation, it is important to keep an eye on them, usually using something like CCTV. Knowing what a staff member is up to at all times can help tell whether they are up to something or not, seeing who committed the act can help decide who will be punished for it, and the fear of a CCTV camera is most likely going to scare them out of doing it anyway.
Task 2: Describe the organisational security procedures that can be found within a business.
For this task, we are going to have a look at certain organisational security procedures. The security procedures which we are going to be looking at can be found within an organisation, and they help with keeping the business secure.
What is a security procedure?
The simple definition of a security procedure would be a set of ‘rules’ or ‘tasks’ which must be followed by the staff to ensure the safety of the organisation. Procedures within an organisation are a great thing too, as they help lower the chances of risks occurring, keeping business data and personal information secure. This can also help with keeping physical systems secure. In organisations there are usually numerous security procedures to follow, usually displayed in a list, making sure that staff follow them at all costs, with punishment if they don’t abide by the procedure. The fear of punishment is likely going to make them follow the procedures that the organisation has created.
Now that we have explained what a security procedure is, we can have a look at the types of security procedures which could be found within an organisation.