29 Sep 2022


Information Security Trends in Business

Format: APA

Academic level: College

Paper type: Article

Words: 2189

Pages: 8


Introduction 

Today, the internet and other information technologies play a critical role in business. Businesses rely on these technologies for such functions as production and communication. While the role that information technology plays cannot be disputed, it is difficult to ignore the threats and risks to which businesses are being exposed as a result of information technology. Cyber-attacks are becoming more common as more and more businesses embrace information technology. While those behind these attacks leverage various vulnerabilities, a new trend where they exploit employees and other insiders is emerging. This trend is the subject of this paper. The paper begins with a summary of an article that explores the trend in detail. Next, the paper analyzes other articles that explore the same issue before outlining the impact of cyber-attacks on businesses. In concluding, the paper identifies some of the most effective measures that firms can adopt as they seek to secure their information systems.

Article Reference 

Solms, R., & Nierkerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Summary 

The article by Solms and Nierkerk addresses a wide range of issues concerning the challenges that businesses face in their quest to secure their systems against attacks. However, information and cyber security are the main focus of this article. In the article, the authors note that cyber security is undergoing significant changes that set it apart from information security. They note that in previous years, hackers and other unscrupulous individuals mostly targeted the infrastructure that businesses relied on for their digital functions. For example, hackers could exploit vulnerabilities in a company’s network to steal information. While Solms and Nierkerk note that hackers are still focusing their efforts on infrastructure, they are changing their tactics. These scholars note that the employees of organizations are becoming part of the cyber-attack weaponry, unwittingly or deliberately. In a clear effort to show how employees are being used to conduct cyber-attacks, Solms and Nierkerk provide a number of examples. These examples include cyber-bullying, the increasing adoption of home automation and digital media. To understand the new threats that firms face, it is important to examine one of these examples in detail. Suppose that an employee uses digital media extensively and has failed to implement proper security measures to safeguard against attacks. Hackers can target such an employee and gain access to the systems, networks and information of the employee’s organization. In essence, through their article, Solms and Nierkerk caution that cyber-attacks could become more prevalent and devastating as hackers exploit employees and leverage weaknesses in the information technology systems that organizations have built.


Results 

For this research project, a number of articles that echo the issues that Solms and Nierkerk address in their article were reviewed. For the most part, these articles magnify the warnings that Solms and Nierkerk issue. They caution businesses to understand that their employees could be used to carry out attacks that can have devastating impacts. Mario Silic and Andrea Back (2013) are among the scholars who share the sentiments that Solms and Nierkerk express. It is true that the article by Silic and Back is extensive and broad in its scope. However, these scholars give special focus to how hackers can use employees to perpetrate attacks. They note that “although organizations sometimes focus more on vulnerability to external attacks than to internal ones, recent industry research… suggests that >75% of the cost of security failures result from insider activity” (p. 279). Here, Silic and Back essentially identify employees and other actors with whom businesses are intimately involved as some of the parties who expose the businesses to the threat of cyber-attacks. To make their point clearer, these authors cite research findings which have shown that businesses are reporting more security breaches. It is fair to blame some of these breaches on employee negligence, improper conduct or complicity. While it is true that the article by Silic and Back is largely similar to the one that Solms and Nierkerk authored, there are some notable differences. Among these differences is the fact that Silic and Back acknowledge that there are many different and complex sources of vulnerabilities. On the other hand, Solms and Nierkerk identify employee involvement as among the issues that set the stage for cyber-attacks to occur.

Silic and Back are not lone voices in their agreement with Solms and Nierkerk that insiders are becoming a key component of cyber-attack perpetration. They are joined by Fredrik Karlsson, Karin Hedstrom and Goran Goldkuhl (2017). In their article, this trio observes that “most information security breaches are a consequence of employees who violate information security policies” (p. 267). Through this statement, Karlsson and his colleagues basically assign blame to employees for security breaches. They echo the warning that the other scholars issue regarding the threat that employees and other insiders pose to the integrity of information security systems. Claire Laybats and Luke Tredinnick added their voice to the discussion on the influence that insiders have on information and cyber-security. In an editorial appearing in the Business Information Review journal, Laybats and Tredinnick analyze the techniques and tricks that hackers use. They note that while hackers use complex tools and procedures to breach security, they rely largely on mistakes that employees make. These scholars offer the example of employees who use weak usernames and passwords. With this example, Laybats and Tredinnick show that simple violations of information security policies could provide hackers with the opportunity they need to conduct attacks.

There is no doubt that the scholarly community is concerned about the cyber threats and attacks that businesses are exposed to. Agata McCormac et al. (2017) highlight these threats in their article. They warn that many firms have failed to adequately prepare or train their employees to ensure cyber and information security. Furthermore, the scholars indicate that there are some employees whose personalities make them perfect candidates for hackers who wish to gain access into an organization’s systems and networks. Basically, McCormac and her team note that employees are increasingly being exploited by hackers. Overall, it is evident that there is agreement within the academic community that insiders are among the greatest threats to information security and integrity. The various scholars whose works have been discussed note that when they fail to adhere to established policies and protocol regarding information security, employees make it possible for hackers to breach security.

Discussion 

The discussion above has focused on the literature regarding the impact of insiders on information and cyber-security. This discussion has set the stage for a look at the impact of insider involvement and the measures that businesses can take to protect themselves against cyber-attacks carried out or made possible by their employees. In the following section, an in-depth look at these issues is offered.

Impact 

Generally, cyber-attacks of all kinds have devastating impacts on business operations and performance. This is one of the most important messages that Safa et al. (2015) convey through their article. They state that when cyber-attacks occur, confidentiality, integrity and privacy are compromised. Essentially, Safa and her colleagues warn that when employees fail to exercise proper caution and allow attacks to occur, the private and sensitive information of their organizations could be stolen. It is worth noting that the warning that Safa and her team issue reflects recent developments. In the recent past, there have been numerous cases where firms lose confidential and sensitive information. For example, there are firms which have lost sensitive customer details such as names, addresses and financial information. In the hands of hackers, this information can be used to harm customers and damage the image of an organization. It is therefore vital for firms to take all necessary steps to sensitize their employees about the dangers of cyber-attacks.

The impact of cyber-attacks and information security breaches is not limited to the loss of information. As Theocharis Tsigkritis and George Spanoudakis (2013) point out, disruption of business operations is another impact of cyber-attacks and breaches. It is true that the article that these scholars authored does not primarily address insider involvement in cyber-attacks. However, the insights that they share still shed light on how cyber-attacks occasioned by employee negligence or complicity affect businesses. When the attacks occur, businesses, particularly those that rely on information technology, may be unable to maintain normal operations (Safa et al., 2015). For example, a hospital that has adopted an electronic information management system may be forced to suspend operations as a result of a cyber-attack. Since they are unable to offer services or develop their products, businesses that have suffered cyber-attacks could incur massive losses. While most of the losses are the result of the suspension of operations, additional losses could be incurred in the form of the amounts spent as a firm attempts to restore operations and redeem its reputation. For instance, as part of its efforts to restore client confidence, a business may need to offer compensation to customers who suffered harm as a result of the attack. It is clear that cyber-attacks can be costly and even cause fatal damage to a firm’s operations. If they wish to remain operational and competitive, firms should advise their employees to take cyber-security seriously.

Solutions 

From the discussion offered above, it is evident that when employees are used to conduct cyber-attacks, businesses suffer in a number of ways. Fortunately, a number of effective solutions are available. While these solutions are particularly designed to help employees gain a better understanding of cyber-security, they can be adopted in a wide range of scenarios. In their article, Safa and her colleagues shed light on the steps that firms can take to improve information and cyber-security. Establishing policies through which they prioritize cyber and information security is among these measures. Safa and her team advise that firms should create a culture where information security is taken seriously. Through such a culture, businesses manage to persuade their employees to implement protocols designed to enhance security. Apart from establishing policies and protocols, businesses should also focus on creating information security awareness. Essentially, this involves sensitizing employees on the threat that cyber-attacks pose to operations and the measures that they can institute.

In an article that she authored in collaboration with Solms and Furnell, Safa (2016) noted that for the policies that businesses adopt to be effective, they should be accompanied by stringent compliance procedures and guidelines. Basically, Safa and the other scholars contend that it is not enough for firms to simply adopt information security policies. They need to go further and ensure that their employees fully understand these policies and recognize that failure to comply will have consequences. Karlsson, Hedstrom and Goldkuhl reiterate the advice that Safa and her team offer. These scholars argue that the involvement of employees in cyber-attacks is mostly accidental. They blame this situation on the failure by businesses to develop clear and simple information security protocols. As a result, the employees working for these businesses are unable to comply with the protocols. For example, Karlsson and his colleagues note that there are some information security guidelines that force employees to choose between performing their duties and safeguarding information networks and systems. It is difficult for the employees to uphold such guidelines. For businesses to achieve success in their battle against cyber-security threats, they need to create policies and guidelines that are simple and easy to understand.

It is often said that the best remedy against threats is prevention. This is indeed true for protecting businesses against cyber-attacks. Gaute Wangen (2017) suggests that as part of their campaign to safeguard their systems against cyber-attacks, businesses should perform risk analyses. Essentially, the analyses are concerned with identifying the loopholes and vulnerabilities that can be leveraged by hackers. Employees who do not understand the importance of security and therefore fail to protect their businesses are among the vulnerabilities that could be used to carry out attacks. As they conduct risk analyses, firms should give particular focus to such employees. Once these employees have been identified, they should be educated on proper cyber-security policies and guidelines. It is worth noting that the risk analyses should not focus on employees only. Instead, they should address all vulnerabilities.

The solutions discussed above should be effective in insulating businesses against cyber threats. However, there is still a possibility that even after adopting these solutions, a firm could still suffer a cyber-attack. This is why it is important to establish last-line defenses that offer added protection. Solms and Nierkerk discuss one of these defenses. They recommend that businesses should protect employees who are charged with responsibilities concerned with information technology (Solms & Nierkerk, 2013). For example, a firm could provide security to its chief information officer when it receives intelligence that there is a risk of a cyber-attack. While this measure appears extreme, it points to the seriousness of cyber-threats and the lengths that businesses should be ready to go to secure their networks and systems. In their article, McCormac and her team assert that there is some association between personality and information security awareness. Essentially, they argue that there are some individuals who are more aware of cyber security owing to their personalities, and that they are therefore best placed to protect businesses against cyber-attacks (McCormac et al., 2017). The implication of this argument for businesses is that firms should match cyber-security tasks to employees who are suited for such tasks. For instance, an employee who is known to be risk-averse would take action to minimize risk. Such an employee would therefore be an ideal candidate for a cyber-security mandate.

Conclusion 

Information technology has become an indispensable tool for most businesses. Thanks to this resource, firms are able to perform functions more efficiently and at lower costs. However, information technology has also presented new challenges that firms must address if they are to thrive in the modern environment. Cyber-attacks are among these challenges. Hackers are now duping and working closely with employees for the purpose of gaining access to the systems and networks of companies. When the hackers are successful, their actions can have devastating and far-reaching impacts on organizations. These impacts include damaged reputation, financial losses, the threat of lawsuits and loss of sensitive data. To prevent attacks from happening, there are a number of measures that the businesses can adopt. These measures include training their employees and adopting clear and simple information security policies. It is also important for firms to offer protection to their employees while also conducting risk analyses. Combined, these measures promise to offer defenses that are difficult to penetrate.

References

Karlsson, F., Hedstrom, K., & Goldkuhl, G. (2017). Practice-based discourse analysis of information security policies. Computers & Security, 67, 267-279.

Laybats, C., & Tredinnick, L. (2016). Information security. Business Information Review, 33(2), 76-80.

McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattison, M. (2017). Individual differences and information security awareness. Computers in Human Behavior, 69, 151-156.

Safa, N. S., Solms, R. V., & Furnell, S. (2016). Information security compliance model in organizations. Computers & Security, 56, 70-82.

Safa, N. S., Sookhak, M., Solms, R. V., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behavior formation in organization. Computers & Security, 53, 65-78.

Silic, M., & Back, A. (2013). Information security: Critical review and future directions for research. Information Management & Computer Security, 22(3), 279-308.

Solms, R., & Nierkerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Tsigkritis, T., & Spanoudakis, G. (2013). Assessing the genuineness of events in runtime monitoring of cyber systems. Computers & Security, 38, 76-96.

Wangen, G. (2017). Information security risk assessment: a method comparison. Computer, 50(4), 52-61.

Cite this page

StudyBounty. (2023, September 15). Information Security Trends in Business.
https://studybounty.com/information-security-trends-in-business-article
