
Running head: SECURITY OF INFORMATION IN COMMERCIAL AND BUSINESS ORGANIZATIONS

Security of Information in Commercial and Business Organizations


Content

Introduction
1. Security protection of information assets
2. Information assets at potential risk in business and commercial organizations
3. Potential threat overview
4. Implications of the threats
5. Countermeasures overview
Conclusion and analysis
References

Introduction

With the recent advancements in Internet technologies, information security has become a vital concern for commercial and business organizations. Information security comprises a variety of methods, techniques and approaches aimed at protecting the organization's most valuable asset: its information. The factors that can affect an organization's information may be either external or internal. For this reason, organizations define a set of rules and regulations to manage information across the different channels within the organization. Information security is also understood as a well-developed mechanism for providing information only to authorized people, that is, to people who will not misuse the data and cause harm to other people or organizations. Organizations traditionally hold information that is extremely sensitive for their business. Unauthorized access to this information may lead to illicit use of the personal or financial information of employees, of customers, or of the organization as a whole.

1. Security protection of information assets

Information security is achieved by providing integrity, availability, confidentiality, authenticity and non-repudiation of information within the organization.

Integrity means that information cannot be modified or manipulated in an unauthorized way. The main goal of information integrity is to prevent malicious use of the information before it is received by an authorized user. Integrity policies are usually based on noninterference. The flow of information should be controlled at all sources of information, and encryption is one of the possible approaches to controlling the use of information. Information integrity rests on three core attributes: accuracy, consistency and reliability. Adopting information integrity mechanisms helps to secure a competitive advantage for the organization and better relationships with customers, partners and employees. Even though it is very difficult to give an organization complete assurance of information integrity, integrity policies are supported by ensuring accuracy, consistency and reliability.

Reliability is provided when the completeness of information is achieved; information is considered complete once all of its constituents are present. Reliable information is information whose origin is known and whose history can be traced. Such information is useful to users if it is up to date and relevant for the organization in question. Unreliable information creates no value and may damage the organization's good name. Consistency is achieved when multiple instances of the same information, occurring within a certain time frame and in a specific environment, agree with one another and in the relation of one constituent part to another. The information is subject to a set of constraints and is considered consistent when it satisfies these constraints within the organization's information model. Accurate information can be defined as information that comes from a trustworthy source and provides correct data. Reliable, accurate and consistent information together guarantee information integrity.

Business and commercial organizations hold a variety of information serving different purposes. The main idea of availability is to ensure that information can be accessed by authorized parties whenever it is needed. Information can be protected by encryption technology and kept from unauthorized users; however, its availability can still run into unpredictable trouble. Availability of information is usually impaired during natural disasters. Natural disasters, ranging from severe to barely noticeable to human beings, along with human errors within the system, can affect the availability of data even when all other components of information security are in place. All of the organization's efforts should be aimed at eliminating losses resulting from the unavailability of data due to a natural or human factor. Natural disasters can be so severe that they lead to long-term recovery of the information. Human errors, on the other hand, are frequent events within the organization's system. The organization should develop a specialized technology able to monitor the defects that occur in the system and restore access to the authorized users.

One of the most important attributes of information security is confidentiality. For some business and commercial organizations it is the highest obligation to protect the personal and financial information of their customers. Moreover, the information may include medical or insurance records that belong to wholly private information and cannot be disclosed. Confidentiality means that only authorized users may have access to this information. Once it is read, copied or used by unauthorized users, the company suffers a loss of confidentiality.

Authentication is the assurance that the individual who has accessed the information is the right person. Authentication should provide the means to identify any abuse of the system by unauthorized users. Business and commercial organizations generally build their systems so that a login and password are required to enter the system. However, passwords cannot guarantee the highest level of information security. For this reason, individuals are required to use complex passwords and change them regularly. In some organizations a fingerprint is a necessary element for identifying the person and granting access. The main objective of authentication is to determine whether a certain individual is an authorized user who is allowed to carry out a certain kind of activity. Nowadays organizations prefer to use highly efficient token-based authentication. Every token is characterized by a secret cryptographic key which is used to establish the token's identity by means of a challenge-response handshake (Sandhu & Samarati, 1996).

Last but not least is the non-repudiation attribute of an information security policy. The system should record which individuals have entered the system before they perform a certain kind of activity. Once an individual has performed an activity, he should not be able to deny it later. If the system supports this attribute, non-repudiation is provided and the level of information security becomes stronger. Non-repudiation refers to the ability to provide cryptographic digital signatures ensuring that a particular message has been signed by the holder of the signature's personal key.

2. Information assets at potential risk in business and commercial organizations

The human asset is the most important one for business and commercial organizations. However, there is a wide range of vulnerabilities resulting from multiple threats. For this reason, it is extremely important to evaluate people with respect to the information system. Individuals may be exposed to certain vulnerabilities because of human negligence, fear induced by an order from an authority, and insufficient knowledge of the information security system. The most common source of human vulnerability is people's natural tendency to be useful or helpful. Sometimes people do not realize how much harm they can cause themselves by sharing their passwords with colleagues. This makes it very difficult to deploy new technologies and protect the organization's assets.

One example of an organization's assets is intangible assets. They comprise all kinds of information that cannot be counted: trademarks, licenses, research or survey data, contracts or agreements. It is said that poor characterization of information system assets results in frequent security breaches. In the modern business world, activity against the intellectual property of organizations is constantly growing. Copyrights or trademarks make up the competitive advantage of any business or commercial organization. Organizations should think out of the box in order to manage the security system properly. Hackers usually strive to disclose business plans or survey reports, often for the business goals of competitors. Intangible risks are considered in different industry sectors and are more common among financial institutions. The illegal activity associated with intangible assets can be explained by the huge value of these assets, which make up almost half of market value (Booth, 2008). Thus, even though intangible assets cannot be touched, they may hold the highest value for a company. Unfortunately, the ever-increasing computer crime of today has shown that no company can be confident in the security of its information assets. The well-known hi-tech crime is committed by professional criminals who are ultimately interested in the financial gain from their activities. Therefore, more and more organizations are concerned about this tendency in the business industry.

Another kind of information asset is physical assets, including hardware, software, operating systems, and printed materials. Improper use of these assets may lead to information disclosure, which increases the level of potential vulnerability. Inadequate controls and a lack of security measures may result in the loss of sensitive and critical information. Without security procedures and policies, organizations may face considerable losses in their business. For the purpose of protecting data and software, information security measures are introduced to protect information against the malicious intent of unauthorized users. A wide range of software tools installed on computers has been developed to enhance security control within the information system. They include, but are not limited to, antivirus programs, intrusion detection systems, and firewalls.
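Section 1 above describes two cryptographic mechanisms in one sentence each: token-based authentication as a challenge-response handshake over a secret key, and non-repudiation as a digital signature made with the signer's personal key. The Go program below is an added illustration written for this page; it is not code from the paper or from any of the cited sources. It puts the two mechanisms side by side and goes one step beyond the text by showing why the first cannot deliver the second: the server that verifies an HMAC response holds the same secret as the token and can compute an identical response, whereas a signature can be checked with the public key alone. The type and function names (Token, NewChallenge, VerifyResponse, GenerateSigningKey and so on), the sample secret and the sample message are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// --- Token-based authentication: challenge-response over a shared secret ---

// Token models an authentication token holding a secret key that the server also
// knows. The secret itself is never transmitted; only MACs over server-chosen
// challenges are.
type Token struct {
	secret []byte
}

// NewChallenge is the server side of the handshake: a fresh random nonce per login
// attempt, so a captured response is useless against any later challenge.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond is the token side: HMAC-SHA256(secret, challenge).
func (t Token) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, t.secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// VerifyResponse is the server side: recompute the MAC with the server's copy of
// the secret and compare in constant time.
func VerifyResponse(secret, challenge, response []byte) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return hmac.Equal(mac.Sum(nil), response)
}

// ServerCanForgeMAC demonstrates the non-repudiation gap: whoever verifies a MAC
// can also produce one, so a valid response does not prove which party made it.
func ServerCanForgeMAC(secret, challenge []byte) bool {
	forged := Token{secret: secret}.Respond(challenge)
	return VerifyResponse(secret, challenge, forged)
}

// --- Non-repudiation: a digital signature under a personal private key ---

// GenerateSigningKey returns the holder's private key and the public key that
// anyone may use to verify, but not to sign.
func GenerateSigningKey() (ed25519.PrivateKey, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, pub, nil
}

// SignMessage produces a signature that only the private-key holder can create.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage checks the signature with the public key only; a verifier that
// cannot forge is what binds the message to its signer.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample secret; a real token would hold a randomly generated key.
	secret := []byte("constructed-example-token-secret")
	tok := Token{secret: secret}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	resp := tok.Respond(challenge)
	fmt.Println("challenge-response accepted:", VerifyResponse(secret, challenge, resp))
	later, _ := NewChallenge()
	fmt.Println("old response replayed against new challenge:", VerifyResponse(secret, later, resp))
	fmt.Println("server could have produced the same response:", ServerCanForgeMAC(secret, challenge))

	priv, pub, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("Approve order 1234 (constructed sample message)")
	sig := SignMessage(priv, msg)
	fmt.Println("signature valid:", VerifyMessage(pub, msg, sig))
	fmt.Println("signature valid on altered message:", VerifyMessage(pub, []byte("Approve order 9999"), sig))
	fmt.Println("signature (prefix):", hex.EncodeToString(sig)[:16])
}
```

The design point is the split between the two halves: a MAC response proves possession of the shared secret to the party that shares it, which is all a login handshake needs, while the signature can be verified by a third party who never held any secret, which is what makes later denial implausible.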
With the help of these software tools, well known to almost every computer user, organizations may increase their efficiency. On the other hand, the security of both tangible and intangible assets may be provided through regular access control practices, such as passwords, encryption technologies, and others.

3. Potential threat overview

Undoubtedly every information system has at some point faced an infection resulting from virus activity. Viruses are particular mechanisms aimed at infecting other files, destroying their content or even deleting all files stored on the hard drive. According to the destructive power of computer viruses, they are divided into three categories: worms, Trojan horses and logic bombs. Worms are classified as very small viruses developed to destroy or change information in a number of possible ways; usually one destructive worm can destroy all the information on the hard drive. Trojan horses are specially designed programs which are usually hidden in another program or piece of software. Trojan horses can be received by email and easily installed along with other programs, posing an inevitable threat to the information used by a program. Logic bombs may cause the maximum destruction. These viruses do not launch automatically; they are programmed to start working once the established time or date occurs. Logic bombs are not always viruses; they can be simple programs or scripts. More importantly, antivirus software cannot reliably recognize this kind of potential threat to the organization's information system.

Nowadays people are well aware of the concept of social engineering. Almost every organization has either faced social engineering attacks or at least reported attempts to divulge confidential information. The common patterns of social engineering are aimed at breaking an organization's security systems and disclosing sensitive information. The widely accepted form of social engineering is sending scams in order to obtain the password of an authorized user. Once trust is gained, access to the system is obtained. Therefore, it is highly recommended to inform employees of the potential security threat posed by social engineering. Almost half of security professionals have been involved in social engineering schemes, which are especially costly to large organizations (Writers Group, 2011). The frequency of social engineering attacks is closely associated with employees' awareness of the organization's security policies. There are two possible approaches to social engineering: technology-based and human-based. The technology-based approach is artful and aims to obtain confidential information, such as a login and password. The most common way is a pop-up requiring the user to re-submit the password and login in order to continue using the computer system. The human-based approach relies on the fact that human beings tend to provide assistance without suspecting a potential security breach. For example, a person pretending to be a supervisor may call and ask for his forgotten password to be retrieved. An ordinary employee may provide it automatically without checking personal details.

Taking into consideration the current state of the business environment, business and commercial organizations need to be extremely careful in providing information security. Any form of security breach can cost an organization its reputation or goodwill. Business organizations are oriented toward a group of customers, who are the main source of the organization's financial gains. It is evident that when dealing with customers, organizations store their credit card information or social security numbers.

Information security weaknesses are another part of the threat to organizations. It is widely said that the general weakness of an information security system lies in weak passwords. Organizations should build their systems so that complex passwords are required, composed of upper- and lower-case characters, digits or underscores. It is recommended to assess the risks of disclosing sensitive information and identify appropriate solutions. Moreover, business and commercial organizations need to constantly monitor vulnerabilities within the system and address them immediately with the help of a well-developed, up-to-date security plan. Without security requirements imposed on employees, organizations cannot guarantee a proper level of security. Throughout the world, organizations emphasize the physical weaknesses of information security systems due to a number of factors. In order to enhance physical security measures, it is necessary to review the organization's structure and introduce camera placement, interior physical security controls, motion sensors and others.

4. Implications of the threats

It is widely understood that a significant amount of work must be done in the area of information security before organizations stop encountering security breaches. Identifying security threats can be challenging for any kind of organization. Due to the unpredictable growth of new technologies, many threats have already been encountered by dozens of organizations. Threats can be divided into several categories; the biggest are software attacks, human failures, vandalism, intellectual property, natural threats and others.

The explosion of social network sites has led to increased vulnerability in terms of hackers' attacks and disclosure of personal data. The collection of users' information such as email addresses and personal details can be a significant target for scammers and credit card fraudsters (Willard, 2007). Users also face such dangers as cyberstalking and cyberbullying. Cyberstalking is an activity in a social network aimed at tormenting other individuals. The most frequent cyberstalking activities are the transmission of threats, false accusations, and damaged data. Cyberbullying is another form of causing harm by sending or posting harmful information. This activity is meant to damage the reputation of other individuals or interfere with the relationships of the targeted users, students in particular. Privacy advocates insist on legislation in order to stop the use of Internet data without permission. However, legislation cannot pursue every unauthorized use of personal information and can generate many other issues. On the other hand, self-regulation is preferable to entrepreneurs, who are encouraged to promote their systems with fair privacy policies. Nowadays users are provided with sophisticated tools to control their information over the Internet. Taking into consideration that personal and financial information is not protected well enough on the Internet, privacy and security issues have become a significant barrier to business development.

Nowadays organizations should understand that information security is their highest priority. It is the responsibility not only of managers but of whole companies, as they need to adopt up-to-date features in order to enhance their security measures. It is necessary to mention that many security breaches are still not identified, because hackers apply the most sophisticated techniques to penetrate the system. Many business and commercial organizations even refuse to invest in information security management. It is evident that a sufficient budget is required to support the security measures. For this reason, it is recommended to establish a comprehensive information security program containing policies, guidelines and requirements aimed at the secure delivery of information. There is a set of elements that can be included in this information security program, namely employees' awareness of security issues, a reporting mechanism able to present existing and newly occurring breaches, and business continuity plans. Moreover, the information security program should be reviewed on a regular basis in order to enhance its efficiency. Implementation of information security activities should be coordinated by a particular assigned person whose responsibilities are clearly determined and documented (Locke, 2009).

5. Countermeasures overview

The warning signs of the multiple security attacks that have occurred in business and commercial organizations prove the necessity of carrying out an information security policy. Although disclosure of financial or confidential information is considered an illegal activity, intruders still strive to destroy someone's business irrespective of the penalty they may receive afterwards. The development of a security culture is necessary to promote innovative information security practices. As a result, it is necessary to suggest some countermeasures. Given that organizational information systems face security incidents, vulnerabilities and risks, organizations need to measure the economic effect of countermeasures. These countermeasures can be divided into several categories: technical, human and physical.

Human security countermeasures refer to the security policy, rules and regulations adopted by an organization and required to be followed by its employees. The first requirement of human countermeasures is to establish which information is critical, sensitive and confidential and to manage it in accordance with the adopted rules. For example, it is forbidden to leave confidential information on the desk. Due to human negligence or excessive trust, business and commercial organizations may suffer considerable financial losses or the loss of a good reputation. Research into the most common attacks carried out at different times by professional hackers has revealed that very often they do not need to look for innovative methods of intrusion into the system when the target is a human being. With the appearance of the first security breaches, organizations started to put great emphasis on technical countermeasures, developing efficient security management systems. The human elements within the developed information security system were ignored, and those very elements have been used by hackers. Hackers continue to exploit people for their own purposes, as the weakest factor in any information security system is the human (Mann, 2010). Organizations should learn how to inform their employees about the information security policy and be able to identify the strengths and weaknesses of the current situation. Moreover, IT managers can report the effective results of previous practices in order to identify the existing gaps in other areas.

It is absolutely evident that people are the central challenge for business and commercial organizations within the information security system. They are extremely vulnerable to hackers' attacks, and thus they need to go through training courses before receiving access to sensitive information.

Hackers may distract employees' attention with attractive elements in order to capture the necessary information (Mann, 2010). It is worth mentioning that deep knowledge of human psychology can have an influential impact on the information security system. This does not refer to a lack of human intelligence or knowledge; sometimes people can be drawn into unauthorized activity without being aware of its content. Human aspects of the information security system are significant, and they should be assessed each time an organization endeavors to evaluate its security measures.

Broadly speaking, information can be disclosed at different stages, whether during packaging, distribution or delivery. For this reason, physical protection measures should be adopted in order to ensure the highest level of security at each stage of processing. Here the human factor should also be involved, since without employees' awareness of physical security measures the effect will remain unnoticeable. One may agree that physical measures are the already well-known anti-virus software, firewalls, encryption technologies, and risk detection systems. Human countermeasures along with physical ones will be able to eliminate the total number of potential vulnerabilities. The most common recommendations are to update the operating system version for security purposes, not to install software from unknown sources, and always to keep antivirus software turned on. On the other hand, personnel countermeasures are necessary so that staff understand the security measures and study the security rules established by the organization (IPA, 2012). Employees need to perceive themselves as part of the organization they work for. Therefore, their own security should be considered in the context of the organization's security.

Conclusion and analysis

To conclude, one should admit that the above-mentioned information security policies can enhance security and privacy within business and commercial organizations, but they will not be able to provide complete protection. Companies continue trying to improve their business by adopting all possible applications while involving experienced and talented programmers to achieve the highest level of security. This ongoing process of threat elimination should be constantly managed by organizations, governmental institutions and even educational establishments. The research conducted has shown that all assets, namely human and physical, are under constant threat. The knowledge and experience of hackers should not be underestimated, as the goals they pursue may cause inevitable harm not only to an organization but to the country in general. The defined countermeasures can be really helpful for organizations if they are used in the most efficient manner. It has been found that the human factor is the most vulnerable one for organizations, hence the need to raise people's awareness of potential attacks and their consequences. The research was conducted to bring a new understanding of the information security system and its potential capabilities. The future development of business and commercial organizations depends upon people's responsibility for promoting and encouraging safe and helpful activity.

Bibliography

Booth, G. (2008). More than reputations at risk. London: Jardine Lloyd Thompson.

IPA. (2012). Guide for first-time information security countermeasures. Information Security Promotion Agency.

Locke, G. (2009). Information security. National Institute of Standards and Technology.

Mann, I. (2010). Hacking the human: Social engineering techniques and security countermeasures. Gower.

Sandhu, R., & Samarati, P. (1996). Authentication, access control, and audit. ACM Computing Surveys, 28(1).

Takemura, T., Osajima, M., & Kawano, M. (2008). Empirical analysis on information security countermeasures of Japanese Internet service providers. Research Center of Socionetwork Strategies.

Willard. (2007). Cyberbullying legislation and school policies: Where are the boundaries of the schoolhouse gate in the new virtual world?

Writers Group. (2000). Practices for securing critical information assets. Critical Infrastructure Assurance Office.

Writers Group. (2011). The risk of social engineering on information security: A survey of IT professionals. Dimensional Research.

