IT Security Risks and Cyber Security

Today’s company risks are at an all-time high. Keeping up with them is an overwhelming mission for small and mid-sized companies and even for large enterprises. We have to stay on top of things in order to protect our assets. Information security is a topic that you’ll want to place at the top of your project plans. Having a strong plan to protect your organization from cyber-attacks is fundamental, and so is a recovery plan to help you deal with the aftermath of a potential security breach. These plans can also become leverage for your company: investors think highly of managers who are prepared to deal with every imaginable scenario the company might experience.

Cyber criminals use fewer than a dozen vulnerabilities to hack into organizations and their systems, because they don’t need more. Over 48 percent of attacks exploit the top 10 common vulnerabilities. Basic infrastructure practices such as timely software patches and properly functioning encryption are some of the easiest protections, yet many companies fail at these simple practices. Many companies also lack even a simple cyber security policy. A policy that identifies risks related to cyber security, establishes cyber security governance, develops procedures and oversight processes, protects company networks and information, and identifies and addresses risks associated with remote access to client information and funds transfer requests covers just some of the items that should be included in your cyber security policy.

Confusing compliance with cyber security is also a big problem for companies. Ensuring compliance with company rules is not the equivalent of protecting the company against cyber-attacks. Compliance is about rules and regulations, whereas security protection is the set of actionable controls that you put in place. There is a gray area that often gets lost in translation: "we passed compliance audits, so we are protected." This is not always the case. Minimum guidelines from compliance practices do assist with protection, but they are not the full actionable plan against cyber breaches.

We have to be aware of all risks and always be asking ourselves what the risk is and how we should protect against it. Security is everyone’s responsibility, from the newest employee up to the CEO, at all times. We live in a new world of technology and we must protect ourselves. I will leave you with the list below of common risks and threats (not all of them) that any company should consider and plan for.

Michael Johnson

Want to hear more about cyber security? Register now at https://www.businesssanitysummit.com/

Threats

Below is a list of threats. It is not a definitive list, but it gives you some ideas.

- Access to the network by unauthorized persons
- Bomb attack
- Bomb threat
- Breach of contractual relations
- Breach of legislation
- Compromising confidential information
- Concealing user identity
- Damage caused by a third party
- Damages resulting from penetration testing
- Destruction of records
- Disaster (human caused)
- Disaster (natural)
- Disclosure of information
- Disclosure of passwords
- Eavesdropping
- Embezzlement
- Errors in maintenance
- Failure of communication links
- Falsification of records
- Fire
- Flood
- Fraud
- Industrial espionage
- Information leakage
- Interruption of business processes
- Loss of electricity
- Loss of support services
- Malfunction of equipment
- Malicious code
- Misuse of information systems
- Misuse of audit tools
- Pollution
- Social engineering
- Software errors
- Strike
- Terrorist attacks
- Theft
- Thunderstroke
- Unintentional change of data in an information system
- Unauthorized access to the information system
- Unauthorized changes of records
- Unauthorized installation of software
- Unauthorized physical access
- Unauthorized use of copyright material
- Unauthorized use of software
- User error
- Vandalism

Vulnerabilities

- Complicated user interface
- Default passwords not changed
- Disposal of storage media without deleting data
- Equipment sensitivity to changes in voltage
- Equipment sensitivity to moisture and contaminants
- Equipment sensitivity to temperature
- Inadequate cabling security
- Inadequate capacity management
- Inadequate change management
- Inadequate classification of information
- Inadequate control of physical access
- Inadequate maintenance
- Inadequate network management
- Inadequate or irregular backup
- Inadequate password management
- Inadequate physical protection
- Inadequate protection of cryptographic keys
- Inadequate replacement of older equipment
- Inadequate security awareness
- Inadequate segregation of duties
- Inadequate segregation of operational and testing facilities
- Inadequate supervision of employees
- Inadequate supervision of vendors
- Inadequate training of employees
- Incomplete specification for software development
- Insufficient software testing
- Lack of access control policy
- Lack of clean desk and clear screen policy
- Lack of control over the input and output data
- Lack of internal documentation
- Lack of or poor implementation of internal audit
- Lack of policy for the use of cryptography
- Lack of procedure for removing access rights upon termination of employment
- Lack of protection for mobile equipment
- Lack of redundancy
- Lack of systems for identification and authentication
- Lack of validation of the processed data
- Location vulnerable to flooding
- Poor selection of test data
- Single copy
- Too much power in one person
- Uncontrolled copying of data
- Uncontrolled download from the Internet
- Uncontrolled use of information systems
- Undocumented software
- Unmotivated employees
- Unprotected public network connections
- User rights are not reviewed regularly
