Corporate IT Cybersecurity Risks
The protection of organizational information encompasses a great deal more than just implementing firewalls, antiviruses, and technology platforms with the expectation that nothing will happen. Currently, consumer and societal pressure are forcing companies to adopt a proactive approach to identify and protect vital resources, which are data, information technology, and critical business processes. Today’s businesses depend on the internet to perform certain e-commerce and logistical tasks. Intrusion in these areas may generate a loss of reputation, regulatory consequences, customer backlash, and financial losses.
Businesses need to keep in mind that the purpose of information systems and the consequent data residing in these systems is to support and manage business processes that align with organizational goals and missions. Data, therefore, is a fundamental element that gravitates toward the organization and its mission and contributes to the capabilities of the business to manage company operations. What this means is that in today’s business environment, a lack of data or the inability to use data will hinder a company’s ability to conduct business.
Carnegie Mellon University’s Software Engineering Institute uses a methodology called OCTAVE for evaluation and defines risk as the possibility to suffer losses or damages. A threat is a component of risk including a human or non-human exploited vulnerability that generates an unexpected, unknown, and unauthorized action that causes a modification, exploitation, or loss of information. The results of such an attack can have negative financial impact across the board.
Furthermore, in the development or implementation of software, businesses need to consider vulnerability as an element in the management of risk. This can occur when software deficiencies occur within the code of a program. The deficiency is considered a bug, an error, or a failure in the software that produces a result that is not expected or accounted for. These bugs may be exploited by hackers. Therefore, companies that implement software systems need to review possible vulnerabilities by running continuous testing, specifically in mission-critical sections of the systems.
The process of risk management involves certain activities including identification of assets, an analysis of possible risks that the identified assets are vulnerable to, selection and implementation of mitigation or management controls, and continual improvement of all security measures. In the corporate environment, not all information assets have the same value; therefore, each asset is classified depending on the characteristics of the data security needs, including the confidentiality and availability of the data. Businesses need to implement enterprise security risk management by hiring personnel directly or outsourcing with expert companies in the field that can manage and secure critical assets.
Not all risks faced by organizations are due to security breaches. There are different categories of risks such as preventable risks, strategic risks, and external risks. Some threats can include natural disasters. Other risks can be caused by simple involuntary human error including programming errors, lack of planning, and opening files infected with viruses or other threats. Some breaches, however, are intentional. These include identity theft, unauthorized access to information, hacks, and others. Organizations must determine the impact that they face when exposed to these risks and plan accordingly based on such impact.
To successfully operate and remain competitive in the highly-connected cyberworld, all businesses, regardless of size, must advance toward a higher level of security. Businesses need to invest in defending all processes involving sensitive information that has the potential to cause damages if lost, manipulated, or exploited. The investment should include training to protect data at all levels of business. Furthermore, such a defense should be proactive and continual as hackers will improve their tactics and techniques.