The following text is my 2nd week’s assignment in the course I am currently taking on Coursera.org, “Cybersecurity and its Ten Domains”.
The assignment was to describe “What is the role of cyber security in an organization?” in over 100 words. Although I tried to keep the text short, I couldn’t summarize it any further, so the final word count was 868. To answer the question we were expected 1. to recognize the importance of cyber security in our increasingly computer-driven world and 2. to explain the technology principles of detection/protection and access control. It was also mandatory to use examples to do that. In plain terms, I set out to explain why cyber security is important and how to implement it. My answer was based on the numerous reading materials we had to study, but also on all the cyber security TED and other talks I have watched on YouTube.
Cyber Security in the corporate world of today
The importance of cyber security in our modern era and the standard ways of implementing it in organizations and companies.
Our society, businesses and organizations are becoming ever more intertwined with online technology. Much of the data that used to be kept on paper is now stored exclusively in electronic form so that it can be accessed faster, more easily and from remote locations. Records of customer data, emails, telephone numbers, and financial and accounting information are also stored electronically. Educational institutions keep their teaching material in digital form, and even the laws of the state are stored digitally. Another example of how dependent organizations are on the internet are human rights groups and journalists who rely on encryption tools for their communications. Their exclusive use of digital technology to store and send sensitive information makes cyber security a top priority for these groups.
The role of cyber security in an organization is vital for protecting its data and for ensuring that its services and projects keep running without obstacles or delays. Modern organizations depend almost exclusively on computer systems for storing data, contacting customers and performing tasks such as research, marketing and strategic planning. The financial success of an organization, as well as the achievement of its goals, depends on the health of its computer systems. It is vital that these systems remain free from intrusions by third parties attempting to gain unauthorized access. Failure to secure them may lead to loss of data, loss of competitive information (such as trade secrets or unpublished original work), loss of employees’ and customers’ private data, and ultimately to a complete loss of public trust in the integrity of the organization. An example of a company that went bankrupt as a result of a hack is the Dutch certificate authority DigiNotar in 2011. DigiNotar was in the business of issuing and selling digital certificates, but a security breach allowed attackers to issue fraudulent certificates in its name; one rogue certificate for Google domains was used to intercept the traffic of hundreds of thousands of Gmail users, most of them in Iran. Browsers and operating systems revoked trust in DigiNotar’s certificates, the company never recovered from the breach, lost the trust of its customers, and went bankrupt within weeks.
Cyber security is implemented through access control and guided by the CIA principles. Access control is the procedure of deciding who is allowed access to information and to what extent they may read, alter or use it; the default should be that nobody has access until it is explicitly granted. Access control also encompasses control of entry to physical facilities. A good way to understand the basics of logical access control is to study how forum software works. In a forum, the administrator creates various groups and assigns each group specific rights on specific forums, then assigns users to the groups. The administrator can also grant special privileges to individual users, who then gain access to restricted forums even though their groups would not allow it. Some groups may be authorized to post announcements, while others can only reply to posts. In some forums only the moderators’ group can edit or delete posts and whole threads.
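The forum model described above, written out as a small deny-by-default access control module. This is an added example for this post, not code from the course or from any forum software; the forum names, group names, user names and the five actions are constructed for the illustration. It shows group (role) permissions per forum, user-to-group assignment, per-user special grants that override group membership, and an access-review helper that lists who can currently perform a given action, which is the check an administrator should run when applying least privilege.

```python
"""Role-based access control in the style of forum software (added example).

Deny by default: a user may perform an action on a forum only if a group they
belong to allows it there, or they hold a direct grant for it. Unknown users,
unknown forums and unlisted actions are all denied.
"""
from dataclasses import dataclass, field

# Actions a forum supports. Names are illustrative, chosen for this example.
VIEW, REPLY, POST, EDIT, DELETE = "view", "reply", "post", "edit", "delete"


@dataclass
class Group:
    """A role: maps each forum name to the set of actions the role may perform there."""
    name: str
    permissions: dict = field(default_factory=dict)

    def allow(self, forum, *actions):
        self.permissions.setdefault(forum, set()).update(actions)

    def allows(self, forum, action):
        return action in self.permissions.get(forum, set())


class AccessControl:
    """Access decisions combining group membership and per-user grants."""

    def __init__(self):
        self.groups = {}        # group name -> Group
        self.memberships = {}   # user -> set of group names
        self.grants = {}        # user -> {forum: set of actions}

    def create_group(self, name):
        group = Group(name)
        self.groups[name] = group
        return group

    def add_user(self, user, *group_names):
        for name in group_names:
            if name not in self.groups:
                raise KeyError(f"unknown group {name!r}")  # fail closed on typos
        self.memberships.setdefault(user, set()).update(group_names)

    def grant(self, user, forum, *actions):
        """Special privilege for one user on one forum, independent of groups."""
        self.grants.setdefault(user, {}).setdefault(forum, set()).update(actions)

    def is_allowed(self, user, forum, action):
        if action in self.grants.get(user, {}).get(forum, set()):
            return True
        for name in self.memberships.get(user, set()):
            if self.groups[name].allows(forum, action):
                return True
        return False  # nothing matched: denied

    def users_with(self, forum, action):
        """Access review: every user who can perform `action` on `forum` right now."""
        users = set(self.memberships) | set(self.grants)
        return {u for u in users if self.is_allowed(u, forum, action)}


def build_example_forum():
    """Constructed sample configuration: members, moderators and one special grant."""
    ac = AccessControl()
    members = ac.create_group("members")
    members.allow("general", VIEW, REPLY, POST)
    members.allow("announcements", VIEW, REPLY)  # members may reply, not post
    moderators = ac.create_group("moderators")
    moderators.allow("general", VIEW, REPLY, POST, EDIT, DELETE)
    moderators.allow("announcements", VIEW, REPLY, POST, EDIT, DELETE)
    moderators.allow("staff", VIEW, REPLY, POST)
    ac.add_user("alice", "members")
    ac.add_user("bob", "members", "moderators")
    ac.add_user("carol", "members")
    ac.grant("carol", "staff", VIEW)  # ordinary member allowed to read the staff forum
    return ac


if __name__ == "__main__":
    ac = build_example_forum()
    checks = [("alice", "announcements", POST), ("bob", "general", DELETE),
              ("carol", "staff", VIEW), ("carol", "staff", POST),
              ("mallory", "general", VIEW)]
    for user, forum, action in checks:
        verdict = "allowed" if ac.is_allowed(user, forum, action) else "denied"
        print(f"{user:8} {action:7} on {forum:14}: {verdict}")
    print("can delete in general:", sorted(ac.users_with("general", DELETE)))
```

The review helper matters as much as the decision function: privileges accumulate over time, and listing who can delete in a forum (or who can read the staff forum) is how you notice a grant that should have been revoked.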
The CIA principles stand for Confidentiality, Integrity and Availability and refer to the three qualities of the data we are protecting. The data needs to be kept confidential (no unauthorized access or spying), it needs to retain its integrity (no alteration, manipulation or destruction of the data) and it needs to remain available whenever it is needed (no DDoS attacks or ransomware; ransomware actually endangers both the integrity and the availability of the data, since it modifies the files and makes them unusable). Of course there are many more ways to endanger the CIA qualities of data; the above are only a few indicative examples.
The British Standard on Information Security Management (BS 7799, the basis of ISO/IEC 27001) suggests the following steps for planning an Information Security Management System (ISMS): asset identification, risk assessment and risk treatment. Here is an example of how we could apply these steps in an organization that works to protect the culture and heritage of abandoned villages. This organization manages a museum of folk art:
- Asset identification: The assets of such an organization are the physical antique items on display, together with the photographs, historical data and electronic inventories of those items. The museum’s website and its email inbox are also assets. This museum keeps its financial records on paper.
- Risk Assessment: A physical breach could result in the theft of the antique items and of the financial records. A digital breach could result in spying on the email correspondence with partners, experts or customers, in the museum’s computers being enrolled in a botnet, in the theft of sensitive customer data, or in ransomware making the electronic inventories unavailable.
- Risk Treatment: To reduce the physical risk we should install an alarm system, hire guards to protect the physical assets and keep the financial records in a locked cabinet or safe. The operating system and all software on the museum’s computers should be kept continuously up to date so that no known vulnerabilities remain unpatched. Access to those computers should be granted only to the staff who need it, each with their own account, and the electronic inventories should be backed up regularly to offline storage so that they can be restored after ransomware or hardware failure. Finally, the staff should be trained not to use the computers in ways that put them at risk: for example, never plugging unknown USB sticks into a computer, and learning how to recognize scam or fraudulent emails.