Security of Information in Business Organisations - Essay Example

Running Head: SECURING BUSINESS INFORMATION Securing Business Information Client Inserts His/her Name Client Inserts Grade Course Client Inserts Tutor’s Name TABLE OF CONTENTS INTRODUCTION 3 INFORMATION ASSETS AT RISK 5 Storage Facilities (Computers)/Technical Mishaps 5 Human Errors 5 Physical Information 5 THREATS TO INFORMATION 6 Threats Analysis 8 Natural Threats 8 Malicious Programs 8 Human Errors and Malice 9 DEFINITION OF TERMS 11 Confidentiality 11 Non-Repudiation of Data 11 Availability of Information 12 Authenticity of Information 12 COUNTER MEASURES TO PROTECT AND BETTER MANAGE THE THREAT TO SECURITY ASSETS 13 Foundation Principles 13 Awareness 13 Responsibility 14 Response 15 Social Principles 15 Ethics and Democracy 15 Security Lifecycle Principles 15 Risk Assessment 15 Security Design and Implementation 16 Security Management 16 Reassessment 17 CONCLUSION 17 REFERENCES 20 INTRODUCTION Securing business information may be defined as a process of protecting any form of information that is vital to one’s business interests and business’s wellbeing (Cisco Systems Inc., 2012). However, Cisco Systems Inc. (2012) states that protecting business information is slowly turning a difficult subject for many entrepreneurs due to the emergence of many loopholes which increase with the changing technology. But, anyhow, technological availability means ease of operation of any business which every entrepreneur (Dhillon, 2003) delights at. For this reason, various entrepreneurs and other business affiliates devise alternatives in form of methodical strategies (Herath & Rao, 2009) to delicately try to protect vital business information amidst the threat the major threat aforementioned. But loopholes for leaking of business information into unintended audience constitutes complex intertwined counterparts including the technology itself (Dhillon 2003), mismanagement of data and distrust between the management and the workers from a major viewpoint among others (Ardichvili & Page, 2003). From a business operation point of view, all these are important business assets. Therefore, while most businessmen solely use the information and technology (IT) departments of their businesses to protect business information, the method alone has been widely rendered insufficient by many business researchers (Herath & Rao, 2009). Anyhow, mishandling of data by internal data handlers for a company is also a threat to the integrity of information for use within the company (The Chartered Institute for IT, 2012). Proper data handling ensures that the necessary information for different uses is kept as original, accessible and valid as possible. For coherence in a typical company, however, managers only give out the information necessary for daily operations of a company to specific users at different levels within accompany (Finch & Furnell, 2003; Gupta, 2009). When employees are not exactly well informed about various procedures, errors are possible as well as lack of reassurance to the employees. The result is non-motivated employees (Gupta, 2009), a condition that may impact negatively to the company in terms of development. That aside, the concept of information security is interpreted according to the specific purpose(s) for which protecting information by a particular businessman becomes a primary concern (Gupta, 2009). Similarly, the risks thereof differ (Garoupa, 2000; Alberts & Dorofee, 2003). Garoupa (2000); Alberts and Dorofee (2003); and Calder (2005) find it important for business managers to calculate the risk factors so as to locate a safe threshold to define the measures to take to restrict business information. Anyhow, unrestricted business information puts at risk not only the business itself, but also its various assets including employees (Alberts & Dorofee, 2003). Hard as it is, securing business information is a long and continuous process that is achieved through various levels including conduction of various assessments and researches, analyses, suggestions, implementations and monitoring (Herath & Rao, 2009). Given the difficulty explained above, in this context, this study focuses on various threats to business information leakage, threats to various assets, risks thereof, decisions and procedures to restrict information and up to which levels and the kinds of measures to adopt for this quest. The major purpose is to give an analysis of different forms of threats and risks in general and suggestions to solve problems of business information insecurity (Torkzadeh, 2006). INFORMATION ASSETS AT RISK Storage Facilities (Computers)/Technical Mishaps Storage facilities such as computers and the contained data are at a great risk if improperly managed. Databases carrying vital information such as individual employee’s performance records, the company performance records and other operational information are examples. Keeping backup storages of similar data and reassessing the functionality, reliability and life cycles of storage facilities becomes important. Too, protection against hackers and viruses are added suggestions a manager may put into use (Post, 2007). Human Errors In the business context, employees are fundamental assets for any company. Their personal information in the company must be kept confidential to them and to the company (Alberts & Dorofee, 2003). Such information may include performance and background records; profiles; and the salaries accorded to them (Kassner, 2010). Actually, not even fellow employees should access their say website accounts. If proper security initiatives are not put in place, in this regard, the employees have tendency to feel insecure and thus non-motivated. From another dimension, employees may also worsen off in terms of motivational requirements if the information access limits are too severe. Under such conditions, employees may feel dishonoured and less involved in the running of the business. Similarly, the quality of the information for which they are accorded access must be up to date. This is to ensure they are kept reassured about their careers (Alberts & Dorofee, 2003). Physical Information The physical information at risk includes hard copies of information (Alberts & Dorofee, 2003). These may be information printed on papers in the current time or information printed in the past and stored in files (Kassner, 2010). Threats to such information constitute of human error and natural threats. Human threats may include misplacement of information, malicious alteration of information, confiscation and/or destruction of information (Alberts & Dorofee, 2003). Often, malicious employees may smuggle vital business information out of a firm which may be very dangerous to the firm in question (Alberts & Dorofee, 2003). Similarly, accidents may occur where wrong information is stored at the expense of the appropriate one, or information becomes physically destroyed. Sometimes vital information may be exposed to unintended audience just by a simple mistake like throwing copies to dustbins and leaving them undestroyed (Alberts & Dorofee, 2003). Natural threats to information include natural disasters which are rather unpredictable. Examples are fires that may lead to complete destruction of not only physical information but also storage facilities, buildings and other properties (Alberts & Dorofee, 2003). Earthquakes, lightning and floods, though at a lower rate, may be other lines of natural destroyers of information (Herath & Rao, 2009). THREATS TO INFORMATION It is in line with any company management’s efforts to keep business information as safe as possible (Herath & Rao, 2009). But often, tendencies for management to turn porous either voluntarily or involuntarily are evident especially with the current era of numerous private and mobile pellet electronics, and multicultural workforce that make it hard to control protection of information (Dimensional Research, 2012). According to Dimensional Research, these are rather visible threats that complement improperly managed IT departments that are specialized in management of a company’s management information. For thoroughness in the study of threats and assets at risk, the analyses below have been done. Threats Analysis Natural Threats Natural threats involve natural processes such as poor data storage facilities and their collapse. Many management strategists take IT specialties as the initial and the main data storage and protection tool (Herath & Rao, 2009). However, according to Herath and Rao, various studies have indicated insufficiency of IT whereby, unknown to incompetent management, the assets used are corruptible and/or subject to indefinite failure. Information security managers mainly use computer based database management. However, it is not entirely safe to conclude that electronic devices never fail. They are indeed surrounded by many threats. It is not imaginable for example, the failure in the production when vital information needed for daily running of a business disappears at a time when it is needed most (Danton, 2004). Well, damages to the storage devices can occur indefinitely. It is often a wise thought for the management to ensure backup soft and hard copy documentation of information prevails as a major precaution (Herath & Rao, 2009). Natural disasters such as fires, earthquakes among other natural calamities are known to destroy not only information, but also other properties when they occur. It is thus important for managers to ensure more than one storage stations for vital information where possible. Malicious Programs Malicious programs such as computer viruses are a threat to databases that are singly handled by the use of computers (Finch & Furnell, 2003; International Chamber of Commerce [ICC], 2003). They have the ability to interfere with the integrity, authenticity and availability of data. In most cases, data stricken by viruses becomes unreliable and irretrievable. Similarly, data occurring only in soft form may be involuntarily altered by deleting and addition of information. Others malicious online threats include Trojan Horses, malwares Human Errors and Malice Human errors in the management of information may be largely attributed to integrity indices of data handlers (Finch & Furnell, 2003). Various company managers have mistakenly isolated information safety roles. That is, information security is rendered a role of a particular person rather than the whole working fraternity. Alarmingly, even the business managers relegate the role of securing information to the ‘responsible’ personnel – in most cases, the IT sector (Herath &Rao, 2009). However, the competence of the data handlers does not always match the care needed to handle particular information. Among the data handlers in the IT, malicious thoughts are generally prevalent and some rather responsible workers may leak, alter or misplace vital information (Intel.com, 2012). This happens whenever businesses lack policies and guidelines (Intel.com, 2012) to control the process of managing business information. The entire workforce governing information dynamics need to be motivated (Chan, Woon & Kankanhalli, 2005). According to Chan, Woon and Kankanhalli (2005), it is often important to measure the reactions of the employees. The manager can simply control malicious breaching of information by conducting working community study to determine the significance of the data handling personnel. Ideally, when a person is bestowed an exclusive role of ensuring business information safety, sense of control may mislead that particular person (Hintzbergen & Smulders, 2010). In other words, such a person may develop possessive motives and therefore become loose in his or her task over time (Hamill, 2005; Hintzbergen & Smulders, 2010). Company managers thus need to engage the whole working fraternity into business privacy policies while underpinning the spirit of integrity and loyalty to workers (Chan, Woon & Kankanhalli, 2005). This is in recognition that attempts to keep information safe through a single IT sector at the expense of creating an atmosphere governed by ethics and integrity of employees does not exactly become successful. This is in the path towards establishing a new operational ethical culture (Hamill, 2005) of the company in question. The mobility of workers (Bennet & Regan, 2004) who often carry with them portable private electronic devices like mobile phones that have the capacity carry large amounts of information is another threat. Similarly, access to various personal e-mail accounts, social networks and telecommuting render the business information prone to external leakages and personalization (Bennet & Regan, 2004). But, equally, the presence of such alternatives has eased the management of business through improvement of communication among others (Intel Press, 2012). Therefore, business managers must learn to work with these technological utilities. As reiterated above, the final resort is to establish a business culture of spontaneous privacy motives among all the employees while granting them necessary access to information. This is for the fact that even the persons who have the role to control information fluxes say under IT sector of the management are a threat in these terms and therefore guarantee for maximum security remains minimal (Zhdanov, 2006). As aforementioned, online information hackers form a major external threat that faces major businesses in the world today (Kassner, 2010). But this depends on the ease of access offered to them by data protecting mechanisms in a particular company. When vital information may thus leak into the outside without the management’s knowledge, highly sophisticated methods of protection of business information must be ensured (Zhdanov, 2009). Hackers are interested vital information of the company in question such as competitive strategies, budget of the company, departments and alignment or workers among other vital strategic entrepreneurial information. Leaking of such information may put the company in question at a great downfall risk. Managers must therefore keep pace with the technology in all dimensions. DEFINITION OF TERMS Confidentiality This a virtue that renders a particular information a personal property that should not at any cost be share with unintended audience (Alberts & Dorofee, 2003). The information thus is confidential and can only be perused by its target audience. For a company, confidentiality may refer to the company executives or any other person of specific target (Straub & Goodman, 2008). Non-Repudiation of Data Non-repudiation is a business virtue that insists vital information should not be let loose (Straub & Goodman, 2008). The intension is to maintain interest in incessantly valuing of business information at different levels across different times (Straub & Goodman, 2008). Major concerns while restricting business information from extraneous access have been based on the uncertainty on how the end user – in this case, the final receiver of information – will possibly use the information (Finch & Furnell, 2003; Herath & Rao, 2009). Once the information reaches unintended hands, it becomes very hard to control (Herath & Rao, 2009) its usage as well. The final resort therefore has remained to use all means to restrict outflow and breach of vital information. It has been noted that most of end users of ill-attained information tend to use the information maliciously which could turn dangerous to the running of a particular business (U.S. Postal Inspection Service [USPIS], 2012). Malware and Trojan horses, insiders risks and hackers of private information are examples of malicious motives (The Chartered Institute for IT, 2012). Availability of Information For availability of information, the manager must correctly determine and ensure levels of access of different kinds of information (Straub & Goodman, 2008). Generally, whether information is highly private, if it is needed for the daily operation of business at particular level must be availed (Supica, 2003). Another dimension for this is the storage; information must be kept in a safe way and where it can be easily retrieved for use when need arises (Straub & Goodman, 2008). While underpinning the role of protecting business information, Whitman and Mattord (2012) warn that improperly secured companies, in this context, have seen many of their original business ideas and creative inventions stolen and the copyright changed. Similarly, of late, hackers maliciously distort images of companies’ profiles on their websites and/or social networks (Intel Press, 2012). Access to private information of any category of members of staff by unintended audience has been treated as a vice even between employees. Safety of information against breach by internal handlers covers storage methods – so as to keep information as original, accessible and valid as possible. Authenticity of Information This is the capacity of the information to remain unaltered and thus valid for as long time as possible (Straub & Goodman, 2008). Threats against validity of information may be natural or human. Therefore, the storage facilities and methods must be of high quality while the data handlers must be qualified and persons of utmost integrity (Supica, 2003). For coherence in a typical company, however, managers only give out the information necessary for daily operations of a company to specific users at different levels within a company. However, the role to determine the limits of use remains a hard subject. Therefore, as Ardichvili and Page (2003) suggest, the manager must generate trust within the working fraternity (Tan & Wei, 2003; Symatec, 2012). A good relation must be established if the required integrity of the employees is thus sought for (Alberts & Dorofee, 2003). COUNTER MEASURES TO PROTECT AND BETTER MANAGE THE THREAT TO SECURITY ASSETS To counter the threats to security assets effectively, ICC (2003) provides the following guidelines for company managers. Foundation Principles Awareness There is a need to readily appreciate that business information cannot sufficiently be controlled by the IT departments alone. However, setting business information policy of the firm should be the first step (ICC, 2003). Efforts to raise awareness of the prevailing business information security policy to all stakeholders including but not limited to the entire workforce, business advisors and the suppliers is a key step (Chan, Woon & Kankanhalli, 2005). The immediate urge is to empower the stakeholders with a rich background and the necessity of keeping information as private and confidential as possible so that they collectively appreciate confidentiality of information in the business context and the effects of breaching business information. The process includes ensuring that a company’s personnel are well educated in terms of security (IT Governance Institute, 2006). Responsibility The management should establish a team of specialists say a board which to which all the cases of breach of business information will be addressed. This will not be meant to interfere with the security department but closely work together. All the stakeholders must be aware of their responsibilities in this context. Still, the management must set aside sufficient resources demanded for ensuring sound information security undertakings are in progress (ICC, 2003). Response Any cases of breaching of information should be addressed keenly and dealt with accordingly (Danton, 2004). Such cases should open a warning and resources (ICC, 2003) must be assembled in advance to remedy the situation. Necessary measures including penalties need to be explicitly included in the business information security policy (Danton, 2004). Social Principles Ethics and Democracy The responses to all stakeholders including the consumers must be equal (Danton, 2004). However, the information security policy must be in line with the current legislative policies. Therefore defining thresholds beyond which information may be rendered breached is important (ICC, 2003). Expectations of the public that might affect the security of business information (especially production information) should be addressed by the management. Management decisions that may agitate the public attention and subsequent questioning that may lead to uncalled for leak of vital business information should well be analysed before their implementation (Danton, 2004). Security Lifecycle Principles Risk Assessment Generally, any breach of the above discussed business information surmounts to various risks (Zhdanov, 2006). For a competent manager, it is necessary to identify the vital business assets that may be adversely affected by any kind of misguided information alteration and misappropriation (ICC, 2003; Zhdanov, 2006). Similarly, it is important to determine in advance the number of possible threats to those assets in case vital business information at different levels is at which edge, alteration and misappropriation are possible (Zhdanov, 2006). According to ICC (2003), it is also important to perform cost-benefit analysis of the proposed information security undertakings (Torkzadeh, 2006) and in the long run determine the acceptable levels of risk to the company. The implication thereof is that one will be able to decide on the feasible security levels and allocate required resources with credibility. Security Design and Implementation The emergent security plan must cover all the identified assets and provide reasonable and equitable solutions (ICC. 2009). The idea is that when all the identified loopholes are catered for, it is possible to question any kind of breach to information at which juncture, necessary responses are properly imposed (IT Governance Institute, 2006). The plan must then be communicated to all stakeholders of concern to prepare them in advance in the overall process of protecting the identified assets at risk. Having done that, every offender can be questioned about his or her accounts in a certain way (Calder, 2005). Security Management With proper allocation of resources for the information security plan and upon completion of implementation, procedures to maintain high efficiency and efficacy of the security plan must be established with utmost clarity. These procedures are for: controlling physical, system and applications access; monitoring the operation of policies, procedures and practices thereof; backing up data and maintaining and updating software and infrastructure; and preventing the introduction of malicious codes and viruses (ICC, 2003). Rich background information about these procedures must be the first main focus of a serious entrepreneur. That is why high education and respective skills of one’s security panellists are important to seek first (Kassner, 2010). Reassessment Success of a security plan however crafted is not readily guaranteed (Zhdanov, 2006). Often, even in the most sophisticated security strategies of different companies globally, information breach loopholes do occur unsuspected (ICC, 2003). That is why after all the above stages are successfully in action, performance analysis of the security plan must be conducted. This generally referred to as audit. Audit must be conducted periodically partly to determine cost-benefit implications (Zhdanov, 2006) of the employed information security plan and partly to identify possible technical hitches that are involved in the functionality index of the plan (Torkzadeh, 2006; Zhdanov, 2006). The results of various audits are analysed critically whereof responses to the realized loopholes and/or technical hitches are made (ICC, 2003; Zhdanov, 2006). The issues leading to any of identified problems should be solved immediately. Rather, resources for such purposes must be allocated in advance for ‘special operational programs’ (Torkzadeh, 2006). CONCLUSION In the current era of global economic perspectives, security to business information has remained the first focus of different entrepreneurs. However, threats to breach of business information have increased. While most entrepreneurs have maintained a culture of solely depending on the IT specialists under IT departments of different companies for information security systems, various researchers conclude that the technology alone cannot service the process of protecting vital business information wholly. This is due to the widening of threat sphere what with the growing and ever changing technology. Threats include natural ones – that is natural processes that lead to failure of data storage assets such as computers, and malicious computer programs such as extraneous codes and viruses and human induced ones which include malicious employees that carry unwarranted information on their electronic assets, emails and social websites. The assets facing these threats have been classified into computers and databases of vital information that are subject to improper management of security systems, hackers and other malicious programs such as computer viruses. To counter these threats, a comprehensive security plan must be formulated and implemented. The idea is to establish new business information security policy that will be known to all stakeholders. However, this is rather a long process that occurs in specific stages as follows: establishing of foundation principles that include awareness to stakeholders, responsibility and responses; social principles that cover ethics and democracy assurance; and security lifecycle principles that include risk analysis to establish the acceptable risk a particular company is willing to take, security design and implementation where all the stakeholders are informed, security management that involves staffing and maintaining functionality, and reassessment that involves conduction of periodical audits to measure the performance of the new security plan. Audits are also meant to measure cost-benefit implications of the new security plan. REFERENCES Alberts, C. & Dorofee, A. (2003). Managing Information Security Risks. Boston: Pearson Education, Inc. pp. 12-87. Ardichvili, A. & Page, V. (2003). Motivation and Barriers to Participation in Virtual Knowledge-Sharing Communities of Practice. Journal of Knowledge Management 7(1), pp16-36. Bennet, C.J. & Regan, P.M. (2004). Editorial: Surveillance and Mobilities. Surveillance & Society 1(4), pp.2-11. Calder, A. (2005). A Business Guide to Information Security: How to protect your Company’s Assets, Reduce Risks and Understand Law. Great Britain: Creative Printing and Design. Pp.1-124. Chan, M., Woon, I. & Kankanhalli, A. (2005). Perceptions of information security at the workplace: linking information security climate to compliant behaviour. Journal of Information Privacy and Security, 1(3), pp13-26. Cisco Systems Inc. (2012). Securing Your Business Information—Strategies for Outsourcing Security Measures. Retrieved on September 17, 2012 from http://www.cisco.com/warp/public/cc/so/neso/sqso/mnsqss/prodlit/sosfm_ov.pdf Danton, G. (2004). Information Warfare and Human Rights Law. UK: Academic Conferences Limited. pp.13-42. Dhillon, G. (2003). Data and Information Security. Journal of Database Management, 14(2), pp.1-5. Dimensional Research. (2012). The Impact of Mobile Devices on Information Security: A Survey of IT Professionals. Dimensional Research. pp. 1-7. Finch, J., & Furnell, S. (2003). Assessing IT security culture: system administrator and end user perspectives. A Paper Presented at Proceedings of ISOneWorld 2003 Conference and Convention, Las Vegas, Nevada, USA. pp. 3-19. Garoupa, N. (2000). Corporate criminal law and organization incentives: a managerial Perspective. Managerial and Decision Economics, 21, pp.5-21. Gupta, J.N.D. (2009). Handbook of Research on Information Security and Assurance. Pennsylvania: IGI Global Snippet. pp.4-49. Hamill, J.T. (2005). Evaluating information assurance strategies. Decision Support Systems, 39, pp.11-31. Herath, T. & Rao, H.R. (2009). Encouraging information security behaviours in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47, pp.154-65. Hintzbergen, J. & Smulders, A. (2010). Foundations of Information Security. (2nd ed.). Zaltbommel: Van Haren Publishing. Information Systems Audit and Control Association (ISACA). (2009). An Introduction to the Business Model for Information Security. US: ISACA. pp.5-22. Intel Press. (2012). Securing Business Information. Retrieved on September 17, 2012 from http://www.intel.com/intelpress/sum_book5.htm Intel.com. 2012. Securing Business Information. Retrieved on September 17, 2012 from http://click.intel.com/Securing_Business_Information-P897.aspx International Chamber of Commerce (ICC). (2003). Information Security Assurance for Executives. Paris, France: International Chamber of Commerce. pp.2-39. IT Governance Institute. (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management. (2nd ed.). USA: IT Governance Institute. pp.7-36. Kassner, M. (2010). Five tips for securing company data. Retrieved on September 17, 2012 from http://www.techrepublic.com/blog/five-apps/five-tips-for-securing-company-data/392 Post, G.V. (2007). Evaluating Information Security Tradeoffs: Restricting Access can Interfere with User Tasks. Computers & Security 26(3). pp.1-9. Straub, D.W. & Goodman, S. (eds.). (2008). Information Security: Policy, Processes and Practices. (Vol. 11.) Armonk, NY: M.E. Sharpe. pp.66-111. Supica, Z. (2003). Securing Business Information: Strategies to Protect the Enterprise and Its Network. Retrieved on September 17, 2012 from http://www.net-security.org/review.php?id=83 Symatec. (2012). Secure Information. Retrieved on September 17, 2012 from http://www.symantec.com/solutions/midsize/solutiondetail.jsp?solfid=mb_sol_secure_inf o&solid=secure Tan, B.C.Y. & Wei, K.K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23, pp.3-14. The Chartered Institute for IT. (2012). Securing Information Systems. Retrieved on September 17, 2012 from http://www.bcs.org/content/ConWebDoc/25649 Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16 (3). pp.65-83. U.S. Postal Inspection Service. (2012). Business Checklist for Securing Personal Information. Retrieved on September 17, 2012 from https://postalinspectors.uspis.gov/radDocs/BusChecklist.html Whitman, M.E. & Mattord, H.J. (2012). Principles of Information Security. (4th ed.). Boston: Course Technology, Cengage Learning. pp.1-240. Zhdanov, D. (2006). The Role of Performance Incentives in Compliance with Information Security Policies. A Paper Presented At Conference On Information Systems And Technology, Pittsburgh. pp. 4-21. Read More