The current assignment deals with the security issues faced by Vet Services, which has a chain of veterinary clinics all around Central London. The case study indicates that the clinics, with the assistance of their support staff and doctors, have been able to run sophisticated healthcare treatment for pets using a range of services and procedures. The company has ensured that it follows the gold standards developed by the Royal College of Veterinary Surgeons, which has led to business expansion as well as a steady increase in customers. Despite enjoying a good level of success, the company has been constantly concerned about its security practices and procedures. The sudden increase in the number of security threats has forced the company to look for expert advice to develop strategies that will enable it to handle those threats. Malware and spam have been a constant worry for the company and have led to a loss of production. The lack of a strong database server is adding to its concerns and increasing the cost to the company. The company's business partners and alliances have shown constant concern over the security issues.
This report focuses on highlighting the increasing security threats that are affecting companies worldwide, and Vet Services in particular. The researcher will use weighted factor analysis and the risk score to analyse the risks faced by the company. The annual loss expectancy of the company's main assets will also be illustrated in this report. Based on the overall analysis, the author will propose control strategies that are appropriate for Vet Services.
2. Security Threats
A security threat, in simple terms, can be defined as any threat to which security is vulnerable. However, Haletky (2009) advocated that a security threat in the computer world has a deeper meaning behind it. According to the definition given by technopedia (2015), any threat that can potentially cause serious damage or harm to a computer system is a threat. A security threat can mean any issue that might or might not happen but that can still have a serious impact on systems and networks. On the other hand, a security threat has also been defined as any confrontation or incident that jeopardises security. Kennedy (2015) advocated that precautions are taken to ensure strong action against theft or espionage, among others. He lists various types of security threats:
1. Terrorism - This type of security threat is similar to guerrilla warfare and is created to inflict disruption, fear and confusion. Governments and countries have taken action to counter this security threat. For instance, President Obama of the USA has allotted a fund of $5 billion for battling global terrorism.
2. Biological threat - This is another form of security threat that mainly affects countries rather than specific organisations. In this security threat, improvised biological weapons and arms are used to create fear and disruption. The end result of these threats is often new forms of epidemics that need the development of effective drugs and medicines.
3. Nuclear security threats - This security threat is often directed against a nation or is a threat to global security that can lead to war. Countries have been stockpiling nuclear weapons to prevent nuclear war on their respective nations.
4. Transportation - This form of security is highly important for avoiding other types of security threats. The sneaking in of illegal arms, weapons and people can be avoided by protecting transportation systems worldwide.
5. Cyberspace - With more companies and countries becoming integrated through network systems, they are becoming vulnerable to cyber threats and terrorism, which affect the infrastructure and power facilities of the companies.
It is important for companies to distinguish between threats, risks and vulnerabilities. Vet Services has been encountering both security risks and threats, and this indicates its vulnerability to cyber attacks. Vaseashta, Susmann and Braman (2014) state that the security threats that affect cyberspace and its security are breaches of the confidentiality, availability and integrity of the information that is available in cyberspace. They indicate that, in order to determine the type of threat facing an organisation, it is important to understand whether it is a risk, a threat or a vulnerability. They state that risk can be considered as the probability that a compromise might occur, and this requires companies to determine the mitigation factors to handle the risks. Threat, on the other hand, is defined as the factors or activities that compromise the integrity and confidentiality of assets via a vulnerability. Vulnerability, in simple terms, is a weakness in the system which a company might or might not be aware of. Vulnerability creates the presence of risk in an organisation, and that opens the scope for threats in the organisational cyberspace. Barnes (2002) states that it is important for companies to be capable of analysing risks and threats. He indicated that a threat is a combination of risk and vulnerability. This supports the opinion of Vaseashta, Susmann and Braman (2014) given earlier. Barnes defines risk and threat in a very simple manner by taking a very simple example. He indicated that any force coming towards a target is a threat; however, if barriers and measures are applied to avoid any contact with the threat and to weaken it, the same will be considered as the risk. Weaknesses in the system are the vulnerabilities of the system. This means that there are weaknesses and drawbacks in the implementation of the hardware or the software which allow unauthorised access.
Risk on the other hand is the potential loss against the measured vulnerability.
3. Various types of security threats faced by the organisation
According to the report of Securitas (2014), their survey is among the top industry standards for determining the various threats and risks affecting companies worldwide. According to their study, the top security threats include cyber security (internet and intranet security), business continuity planning, workplace violence, employee screening, environmental and social privacy concerns, property crimes, general employee theft, crisis management, identity theft and unethical business conduct. According to their report, cyber and communication insecurity is the top threat among all organisations. According to Darmanin (2009), every company realises the importance of security, which includes security for the infrastructure, employees and finances as a top priority. However, since every organisation today relies on computers and information technology, security is becoming a concern in the field. The lifeline of a company today is its network, which everyone associated with the company needs in order to work. Some of the top security threats are:
Darmanin (2009) states that spam is the biggest enemy of all email users. Signing up for an email account today has become a reason for useless email to fill the inbox with messages, promotions and schemes, among others. Most companies have indicated that at times 94% of their email accounts are filled with spam mail. This is a growing problem which is also being encountered by Vet Services, which is losing productive hours from management staff who are trying to get rid of the spam. He indicated that spam does not mean only unnecessary emails; it can be harmful as well. There are spammers who send links in their messages which, once clicked, take the user to a spyware download or to malware files on their system. As suggested by Al-Hamami and al-Saadoo (2014), unsolicited emails that have not been requested or required by the recipient are spam. Spam can contain harmless marketing data or malicious virus code that can lead to data loss. When these emails clog up the inboxes in a company, they cost the company millions of dollars in wasted bandwidth. Spam causes a serious loss of organisational and performance effectiveness, as has been the case at Vet Services. There is a loss of network capacity, as well as malware threats that are linked to the spam threat. Spam is a threat which is increasing the cost to people as well as companies (Majzner, 2008).
Malware threats include threats from malicious software such as spyware, worms and Trojans that enter the system without the user being aware. Once a system is affected, the malware extends its reach to the executable files on the entire connected network, creating an information technology epidemic in the company. Some malware disrupts the system, while other malware is used for financial gain. Malware threats have the ability to gather the details of users through the system, and the same has been observed in the case of Vet Services, where the clients are concerned about the weak database of the company as well as the lack of strong privacy and security procedures (Darmanin, 2009). Hoffman (2007) states that malware is the most common security threat affecting computers worldwide today. This is the reason why most casual users of the internet also have strong antivirus software installed on their systems. This has been an issue for Vet Services, which clearly has not installed good antivirus software on its systems consistently, nor has it taken action to monitor the effectiveness of that software. Contrary to what many researchers have reported, Vet Services, despite having the antivirus software, failed to install it on all the workstations. The author suggests that it is important for companies to have a strong understanding of malware threats. This is the reason why the ever-growing malware threat in the world of cyber and IT requires techniques that are effective in detecting malware (Rieck, Stewin and Seifert, 2013). Baratz (2004) states that it is important to remember that, apart from viruses, there is another big threat for computer users in the form of malware. This threat has the ability to hijack the user's system and browser and make them very slow, leading to a loss of productive time. This has been the issue affecting Vet Services in terms of the loss of productive hours.
3.3 Network monitoring and database server
As seen in the case of Vet Services, the company lacks monitoring of its network and has a weak database server. It is important for an organisation to have all its servers, networks and workstations working seamlessly together. A weak database server can crash at any time, which affects the workstations and leads to a lack of productivity as people are unable to perform their daily jobs. In case of network failure, the organisation as a whole suffers due to the loss of production. Constant monitoring and a strong database server are important for an organisation (Darmanin, 2009). Solomon (2011) states that companies need to have a strong database management system, as it will require strong authentication from people before they can access the system, and this area has been a vulnerability of Vet Services. The case study on Vet Services has highlighted the lack of a strong database management system in the company. The database management system is extremely important as it helps the company to manage its data efficiently, and it allows the users of the system and database to perform multiple tasks effortlessly.
3.4 Absence of strong antivirus software implementation
Woods and Guliani (2005) state that antivirus software is very important in a company, as it helps in integrating the email servers in an effective manner, apart from making them capable of avoiding or blocking unwanted emails that might have been compromised with a virus. This has been the case with Vet Services, which has failed to implement an updated antivirus system consistently in the organisation. There is software that has the ability to work as both antispam and antivirus at the same time. Viruses and malware are the most common causes of problems in computers, and this can be due to the lack or absence of such software in a company. Vet Services has overlooked this area for many years and has been encountering issues with malware and spam for a long time. The absence of a strong antivirus system has left the IT systems of the company prone to viruses that affect the computers' health by making them run slowly, and that might even prevent the systems from booting up. The lack of such a system has increased the concerns of the company's partners, as they fear the theft of personal data. Since a virus can move from one machine to another, inconsistency in implementation increases the risk of getting infected. There is also scope for people or scammers to use the details and send unauthorised messages outside the organisation (Csum.edu, 2015). In simple terms, antivirus software acts as a gatekeeper at the computer system gateway. It makes the computer capable of avoiding incoming risks and threats and even warns the users of possible system threats. Today's companies have converted their manual workstations into IT-enabled desks, and this has opened the scope for virus attackers and many potential threats.
3.5 Privacy and Data protection
Many clients of Vet Services are concerned about the ongoing privacy issues in the company, and they find that there is a lack of standard procedures in the company as well. People are able to gain unauthorised access, and this can lead to an increased threat of loss of valuable data. According to recent studies, more than half of the companies worldwide do not follow standard data protection policies. Policies and procedures help with risk management in companies. Cyber threats and security issues have gained so much attention that companies today are failing to focus on simple things such as processes, procedures and policy. When an organisation places information security under the IT department of the company, it tends to lose focus on the security aspect (Ashford, 2015). Irrespective of the size of the company, be it large or small, data protection is extremely critical on the data basis to avoid the data theft that has already affected many companies on purpose or intentionally. Vet Services deals with many clients and customers, and this security threat increases the risk to them because their information is stored in the systems of the company. There are instances in which business competitors have been able to gain access to the confidential information of their rival companies due to the absence of robust data protection policies in those companies. A company dealing with customers and businesses has to be concerned, as it can be held liable for any security breach, and this clearly indicates the need for strong data protection policies and procedures in an organisation (Bridge Capital Solutions Corp, 2015).
4. Risk analysis
Peltier (2005) has highlighted that risk assessment is the second phase in the risk management life cycle. He indicated that companies use risk assessment to determine the threats that exist and that can affect the assets and increase the risk of associated threats to the company. He indicated that risk assessment helps in the identification of threats and lets the organisation determine the control measures and countermeasures depending on the threat priority. It is important for an organisation to reduce the risk to a manageable level, if not to zero. Yoe (2012) has cited the definition of risk assessment given by the Federal government: risk assessment is about the identification of risk in different phases, namely risk identification, risk characterisation, exposure assessment and risk solutions. Risk analysis is a method or technique that helps companies to assess and identify the factors that can create problems for the success and achievement of certain goals. There are many techniques and methods available to an organisation for analysing the risk and the impact level. Some of the techniques are discussed below:
Weighted factor analysis
Weighted factor analysis is a formula that companies use to perform the risk analysis.
Criterion 100 100
Malware 75 45
Spam 0.8 0.5
Risk score can be defined "to be equal to one if the Impact Score is equal to one". The risk score is one of the main elements for a company in its credit report. It is a very important tool that helps companies to assess the risk of becoming insolvent over a period of one year. Every company has different methods for assessing its level of risk. The risk of most non-limited companies is called the U score. The risk score can also be calculated based on the probability of the risk and the impact of the risk. It is calculated using the following formula:
Risk score= Impact* probability= 40/75= 0.53
5. Annual Loss Expectancy of the main asset
Endorf (2007) states that ALE, or the annual loss expectancy, is the "project economic loss (in the respective currency) that a company is expecting to lose by operating a network or computer system for a period of one year". This figure comprises the losses associated with all the assets, be they tangible or intangible. So, in simple terms, annual loss expectancy is the yearly expected financial loss to an asset due to a single threat. The formula is:
Single loss expectancy * Annualised rate of occurrence = Annual loss expectancy for one threat.
Here the single loss expectancy is the financial figure that has been assigned to an asset based on the identified threat. It can be calculated as:
Asset value * Exposure factor = Single loss expectancy.
Annual loss expectancy is the monetary loss the company expects from the risk to an asset over a period of one year. It is defined as ALE = SLE * ARO. This analysis can be used by the company for conducting a cost-benefit analysis.
Single Loss Expectancy = Asset Value x Exposure Factor
Asset value (Database) = £80000 + £ 40000
Exposure factor= 40%
SLE= $120000* 40%= £ 48000
ALE = $32000 * 40%= £ 19200
This is the annual expectancy rate for Vet Services for the first year. However, the company has indicated that it will invest £ 32000 in the maintenance of the system for the following three consecutive years. So this will be able to cover the loss that occurred during the first year, by maintaining the database and increasing the spending on its maintenance to avoid future occurrences of the threats.
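The SLE and ALE formulas above, extended to a small risk register with a cost-benefit check for controls (an added example, not part of the original essay). The database row uses the essay's asset value and exposure factor; its annualised rate of occurrence of 0.4 is an assumption, chosen because it reproduces the £19,200 figure, and every other risk, control and cost is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # GBP
    exposure_factor: float  # fraction of the asset value lost per incident
    aro: float              # annualised rate of occurrence (incidents per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # GBP per year
    # threat name -> fraction of incidents the control is assumed to prevent
    aro_reduction: dict = field(default_factory=dict)

    def __post_init__(self):
        if any(not 0.0 <= f <= 1.0 for f in self.aro_reduction.values()):
            raise ValueError("ARO reduction must be between 0 and 1")


def total_ale(risks) -> float:
    return round(sum(r.ale for r in risks), 2)


def net_benefit(control, risks) -> float:
    """(ALE before control - ALE after control) - annual cost of the control."""
    saved = sum(r.ale * control.aro_reduction.get(r.threat, 0.0) for r in risks)
    return round(saved - control.annual_cost, 2)


def rank_controls(controls, risks):
    """Controls ordered from the highest net annual benefit to the lowest."""
    scored = [(c.name, net_benefit(c, risks)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


RISKS = [
    # Essay figures: value 80000 + 40000, exposure factor 40%. ARO is assumed.
    Risk("Database", "database failure", 120000, 0.40, 0.4),
    # Constructed rows, not taken from the case study.
    Risk("Workstations", "malware", 50000, 0.30, 2.0),
    Risk("Staff email", "spam", 20000, 0.05, 12.0),
]

CONTROLS = [  # constructed costs and effectiveness figures
    Control("Antivirus on every workstation", 6000, {"malware": 0.80}),
    Control("Spam filtering gateway", 4000, {"spam": 0.90, "malware": 0.25}),
]

if __name__ == "__main__":
    for r in sorted(RISKS, key=lambda r: r.ale, reverse=True):
        print(f"{r.asset:<13} {r.threat:<17} SLE £{r.sle:>9,.2f}  ALE £{r.ale:>9,.2f}")
    print(f"Total ALE: £{total_ale(RISKS):,.2f}")
    for name, benefit in rank_controls(CONTROLS, RISKS):
        print(f"{name:<32} net annual benefit £{benefit:>9,.2f}")
```

A control with a negative net benefit costs more per year than the loss it is expected to prevent, which is the cost-benefit test the ALE figure is meant to support.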
6. Control Strategies for Vet Services
A control strategy attempts to avoid and prevent attacks on the assets of the company via its vulnerabilities. There are various types of risk control strategy, namely risk avoidance, transference, mitigation and acceptance. Considering the case of Vet Services, the company needs to opt for a risk avoidance strategy.
Risk avoidance is the removal or elimination of all the risks and threats that have a negative impact on the assets of a company, as in the case of Vet Services, in contrast to risk management, which aims at controlling the damage and financial impact of threats. Compared to risk management, risk avoidance is a better strategy that helps companies to avoid compromising situations completely. While it is rarely possible to eliminate all risk, developing a risk avoidance strategy can help in deflecting the impact of threats as far as possible. It will avoid costly as well as disruptive impacts on the operations and activities of the company. A risk avoidance strategy helps in minimising the vulnerabilities that can pose or open the scope for threat or risk. It focuses on implementing strong policies and procedures, apart from training the employees and implementing the best technological solutions and systems in the company. Vet Services is in need of a strong risk avoidance strategy, as it will help the company to update all its technological systems, apart from standardising its procedures and getting the staff aligned with the goal of the company (SearchCompliance, 2015). Risk avoidance is known for being the most effective risk management strategy, as it aims at avoiding the activities that can pose a threat to the company and lead to a potential loss. However, it is important for the company to remember that it might not be effective in every aspect or function of the company. Toma (2012) advocates that risk avoidance helps in the elimination of the activities or factors that may result in loss for the company. The author recommends the risk avoidance strategy as it is the easiest strategy for the company to adopt and administer. Adopting the risk avoidance strategy is also beneficial for the company from the financial perspective, as well as for the people associated with the company.
Compared to other strategies of risk control and management, risk avoidance is completely damage proof, in that none of the parties gets affected from the dominate control. There are instances in which the occurrence of risk has opened a platform for new opportunities for companies, but using risk avoidance might prevent companies from getting these opportunities.
Reymann (2008) states that many companies have been trying to implement various risk management and control strategies to allocate their resources effectively to troubleshoot the security threats that are affecting their revenue generation. Real-time notification of security threats is a risk avoidance strategy that notifies companies about any threat needing immediate attention, so that they are able to take action to tackle the vulnerabilities that might have given space to the threat and prevent the same from happening in the future. Using the risk avoidance strategy will allow the IT department in the company to reduce the security threats and protect the assets, people, partners and technological systems in a cost-effective manner.
The researcher suggests that, apart from adopting the risk avoidance strategy, the company needs to adopt a culture of continuous risk assessment and management, as it will allow the company to integrate all the units of the business to work and communicate together to create a culture of compliance, and to increase the effectiveness of the technology and the efforts of the management. The company should adopt a business paradigm that makes employees accountable for their actions and duties. Employees, when accountable, will be in a better position to avoid risk based on the organisational policies as well as external regulations. The company will be able to constantly monitor the effective use of technology and resources through this strategy.
The constantly changing and uncertain business environment has a major impact on the manner in which a company operates in the market. Risks and threats are the main cause of concern in companies today, and it is imperative for companies to increase their focus on identifying these risks and managing them effectively before they start hampering the business and the market value of the company. Vet Services has been able to spread its business and sustain its growth; however, the failure to manage and monitor risk has increased people's concerns about the company. They are questioning the policies and the information security in the company. The company needs to invest in risk protection and control strategies and in software such as antimalware and antivirus to avoid any further damage from the same risks that it has been encountering for the past few years.