Information security is the protection of data from tampering, disclosure and unauthorised access by parties who should not have it. It is vital in today's world, for individuals and organisations alike, as more and more of our sensitive information moves online.
The sensitive information in question varies by industry and company: banking details, addresses, usernames and passwords, shipping details and many others. In the wrong hands, this information can be used for fraud or other unethical gain.
Cyber security professionals are an emerging part of the workforce, leading the way in securing information and data and helping to keep our ever-increasing connectivity safe and sustainable. These professionals bring broad know-how in maintaining the integrity of networks, systems, devices and software.
Cyber and Organisational threats and their forms
A cyber threat is any risk posed to a network or device with the intent to disrupt operations, availability or the information it holds. It comes in many forms and is often used as leverage against an individual or organisation for a financial ransom.
Organisations sit at a particularly high threat level, as they often have large amounts of money at stake, or hold information that could grant access to it, such as customer banking details.
Organisations are prime targets for cyber attacks, and threats come in many shapes and forms for them. Three examples include:
- Malware attacks – Malicious software that steals, corrupts or destroys information. Ransomware, the variant most often aimed at organisations, encrypts data or locks systems and demands a payment, usually in virtual currency, to restore access.
- Data breaches – Intentional breaches and leaks of sensitive information that should only be used or accessed by a limited, select group of individuals.
- Denial of service – Making a system, website or network unavailable, typically by overloading it with traffic.
Key Risks
1. Relationships, risks, and strategies
However well information is secured, a sufficiently skilled and motivated attacker can usually find a way in. At the same time, there is a point at which usability suffers if too many protections are in place. Organisations therefore need to define their risk appetite and decide how much protection their sensitive information warrants. Risk management is an essential part of information security: protection can never be fully bulletproof, and the data still needs to be accessed for day-to-day operations.
Within organisations, data, networks, users and applications are tightly interwoven, which demands consistent, well-defined security measures to maintain stability.
Data often needs to be used or accessed for day-to-day operations. Typically it is stored and accessed through a network, where users reach it in person or through applications and software. Access to data therefore needs to vary from employee to employee, and must be completely inaccessible to any party outside the organisation unless authorised. For example, an insurance company needs to access customer information daily, whether to renew a policy, lodge a claim or review payments. This sensitive information can reveal a customer's banking details, address and contact details, more than enough for a cyber criminal to exploit. Each department only requires the information necessary to its role, so access is granted in the network to each department's PCs accordingly. This is the principle of least privilege, and it reduces the likelihood of information unrelated to a department being distributed, accidentally or intentionally.
Identity and Access Management (IAM) systems enforce these permissions and restrictions across the network.
2. Physical security
Information and cyber security are not limited to virtual or logical controls; they also cover the physical infrastructure that stores, displays and transports data.
Not every act of cyber crime involves holding data to ransom; it can also mean disrupting operations or denying service. Devices and networks can be breached or disrupted in many ways at the physical level: data cables, wireless access points (WAPs) and essentially any physically accessible device can be tampered with.
A basic example of an organisation's physical infrastructure would include PCs connected via data cables to a switch, with the switch connected to a server and/or router. WAPs are often installed throughout the premises to offer wireless access to the internet.
Even this basic setup has inherent weaknesses. Data cables are easy to cut, disconnecting multiple devices at once. Unused but enabled ports on switches can allow an unauthorised device to join the network, and physical access to the switch itself can allow it to be reconfigured. Routers and WAPs can be breached wirelessly, often trivially when the default password from the user manual has never been changed, and can also be flooded with traffic. Although exploiting these weaknesses takes knowledge and effort, they are realistic threats. Disgruntled employees, competitors and cyber criminals are among the most likely culprits. Basic countermeasures are to disable unused switch ports, keep network equipment in locked rooms or cabinets, and change default credentials before a device goes into service.
To mitigate these threats, an organisation can take several steps. These include:
- Using trusted, licensed anti-malware protection, kept up to date
- Encrypting sensitive data in transit and at rest, and storing passwords only as salted hashes produced by a purpose-built password hashing function (never in a form that can be decrypted)
- Limiting access to information to the employees who need it for their role (through an Identity and Access Management system).
3. Identity and Access Management (IAM)
IAM systems control who can access which resources and, in many cases, when those resources can be accessed. They typically work through two processes in sequence: authentication, then authorisation. Authentication proves the user is who they claim to be, typically through a unique username and password, increasingly strengthened with a second factor.
Once authentication succeeds, authorisation determines which of the requested resources the user is permitted to access, and grants only those. A well-known example is Microsoft's Active Directory, which assigns permissions to users and groups within a network.
In the lock-and-key analogy, the user is given a key to a door. Of three doors, they need access to only one. Using the key to open the lock is authentication; once the door is open, being allowed into that particular room (the resource) is authorisation.
IAM systems are extremely important today because, in most cases, not every employee needs access to every resource, and granting everyone total access is neither secure nor confidential. An IAM system also reduces the likelihood of external parties, such as competitors or attackers, gaining access to protected resources and information.
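The two-step flow described above, and the department-by-department least-privilege access in the insurance example earlier on this page, can be shown in a few lines of code. The block below is an added example, not code from InConsult or from any real IAM product such as Active Directory. The departments, resources, permissions and working hours it uses are assumed for illustration. It stores passwords only as salted scrypt hashes (the point made in the mitigation list above), compares them in constant time, and answers the same way for an unknown username as for a wrong password so that an attacker cannot enumerate accounts.

```python
"""Toy identity and access management (IAM) flow: authenticate a user
against a salted password hash, then authorise the request by role.
Added example, not code from InConsult or any real IAM product; the
departments, resources and hours below are assumed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed least-privilege policy for the insurance example: each department
# sees only the resources its own work needs.
ROLE_PERMISSIONS: Dict[str, Dict[str, set]] = {
    "claims":   {"policies": {"read"}, "claims": {"read", "write"}},
    "payments": {"policies": {"read"}, "payments": {"read", "write"}},
    "sales":    {"policies": {"read", "write"}},
}

# Assumed hours (24h clock) during which each role may operate; this is the
# "when" control the text mentions.
ROLE_HOURS: Dict[str, range] = {
    "claims": range(7, 20),
    "payments": range(9, 17),
    "sales": range(0, 24),
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard password hashing function. The directory stores
    # only this hash, so a stolen store cannot be "decrypted" back to passwords.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


class Directory:
    """Stand-in for a directory service such as Active Directory."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._users[username] = User(username, role, salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> Optional[User]:
        """Step 1: prove the caller is the user they claim to be."""
        user = self._users.get(username)
        if user is None:
            # Hash anyway so an unknown username takes as long as a wrong password
            # and timing does not reveal which usernames exist.
            _hash_password(password, os.urandom(16))
            return None
        candidate = _hash_password(password, user.salt)
        # Constant-time comparison: a plain == would leak how many bytes matched.
        return user if hmac.compare_digest(candidate, user.pw_hash) else None

    def authorise(self, user: User, resource: str, action: str,
                  hour: Optional[int] = None) -> Optional[str]:
        """Step 2: return None if the action is allowed, else the reason it is not."""
        if hour is not None and hour not in ROLE_HOURS[user.role]:
            return f"role {user.role!r} may not work at {hour:02d}:00"
        if action not in ROLE_PERMISSIONS[user.role].get(resource, set()):
            return f"role {user.role!r} may not {action} {resource}"
        return None


def access(directory: Directory, username: str, password: str,
           resource: str, action: str, hour: Optional[int] = None) -> str:
    """Run both steps in order and report the outcome."""
    user = directory.authenticate(username, password)
    if user is None:
        # Same message for a bad username and a bad password.
        return "denied: authentication failed"
    reason = directory.authorise(user, resource, action, hour)
    if reason is not None:
        return "denied: " + reason
    return f"granted: {username} may {action} {resource}"


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("alice", "correct horse battery staple", "claims")
    directory.add_user("bob", "Tr0ub4dor&3", "payments")
    print(access(directory, "alice", "correct horse battery staple", "claims", "write"))
    print(access(directory, "alice", "correct horse battery staple", "payments", "read"))
    print(access(directory, "bob", "Tr0ub4dor&3", "payments", "write", hour=3))
    print(access(directory, "mallory", "guess", "policies", "read"))
```

Alice from claims can write claims but is refused even read access to payments, and Bob from payments is refused outside his role's hours; that refusal is the least-privilege boundary the insurance example describes. In a real deployment the user store and policy live in the directory service rather than in code, and the password step would normally be backed by a second factor.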
Takeaways
Cyber security is more important than ever. Every organisation must have appropriate systems in place to identify, evaluate and manage the risk. Any compromise of data or of the confidentiality of information will have significant compliance, financial and reputational consequences. Remember, cyber security is only as strong as its weakest link.
How we can help
InConsult is committed to helping organisations better understand the benefits of internal audit. We have extensive experience in internal auditing, risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.
If you would like to know more about our internal auditing services, contact us to discuss your needs.