7 Feb 2023


Information Technology (IT) Security Management and Challenges

Format: APA

Academic level: University

Paper type: Term Paper


Introduction 

Information technology (IT) security can be defined as controlling access to sensitive and confidential electronic information so that only authorized individuals can use it at any given time. Information has become a critical factor in individual and organizational success in the modern world, while at the same time electronic information is vulnerable to many threats that can be costly when they occur. Consequently, the execution of IT security is now inevitable in the current world. The primary objective of IT security is to substantially reduce any risk that is linked to the three major security goals: confidentiality, integrity, and availability (Fuchs, Pernul & Sandhu, 2011). Confidentiality is about protecting sensitive information and controlling access to it so that unauthorized people cannot reach it. Integrity, on the other hand, is to ensure that the stored information is not only accurate but also reliable, and cannot be tampered with. Availability is to ensure that authorized persons can easily and conveniently access the stored data. IT security, therefore, is to ensure the confidentiality, integrity, and availability of data.

The main objective of this term paper is to explore the challenges faced by IT managers and organizations in the implementation of IT security. It also discusses the importance of IT security and the strategies used by organizations to secure their information. Currently, many organizations and individuals are aware of the importance of IT security, mainly due to rampant cyber threats such as hacking. However, only a few organizations are actively implementing IT security. Many organizations still choose expediency over IT security, which is risky in the modern world. As a result, it is essential to understand some of the challenges that hinder the implementation of IT security.

Importance of IT Security 

Individuals and organizations globally face many IT security issues. One of the major IT issues is data breaches, especially in this era where individuals and organizations store big data that are used for various purposes. Data breaches are increasingly becoming a threat to many organizations. Hackers are now able to access sensitive information, leading to security breaches. According to An, Zaaba & Samsudin (2016), data breach is currently the top IT security threat faced by many organizations. The second major IT issue is data loss, which is also caused by hacking. Cyber attackers or hackers can either damage or corrupt sensitive information, leading to data loss. Apart from hackers, natural disasters such as earthquakes and fire can lead to data loss (An, Zaaba & Samsudin, 2016). Permanent data loss can be costly to an organization, particularly firms that rely on data for their operations such as financial institutions. Therefore, data breaches and data loss are some of the major reasons why organizations should strive to implement IT security effectively.

Rampant account hijacking is one of the reasons why an organization should always implement IT security. Account hijacking is common with information that is stored in the cloud (An, Zaaba & Samsudin, 2016). Hackers can impersonate the user after hijacking the account, and they end up performing malicious or unauthorized activities that may be harmful to the organization or affected individuals. Account hijacking can enable hackers to provide full information to customers while at the same time eavesdropping on confidential transactions. Besides, some organizations have malicious insiders who can tamper with confidential and sensitive information (An, Zaaba & Samsudin, 2016). There are many instances where hackers have colluded with insiders to steal sensitive information, which they have used against the organizations. A significant number of organizations have experienced data breaches or loss due to inside deals. Ahmad, Maynard & Park (2014) argue that many organizations are experiencing frequent IT threats in the modern era and that the rate of information risks is increasing because of internal and external threats. As a result, organizations need to implement IT security to prevent both insiders and outsiders from tampering with sensitive and confidential information.

IT Security Strategies 

Organizations are aware of the importance of information in their success, and they are implementing some strategies to secure their crucial and sensitive information. According to the analysis that was conducted by Ahmad, Maynard & Park (2014), about 60% of organizations are using many technical information countermeasures to ensure that their sensitive information is safe and is not facing significant threats from hackers. Some of the major technical information security strategies that are used by organizations include firewalls, anti-spyware, anti-virus software, and encryption of data. A single strategy cannot adequately secure sensitive information because of the possibility of failure or breakdown. Therefore, based on the findings by Ahmad, Maynard & Park (2014), organizations should execute multiple strategies to enhance the effectiveness of information security measures.

Organizations are using different approaches in the implementation of IT security strategies. The approaches include prevention, deterrence, surveillance, detection, response, and deception (Ahmad, Maynard & Park, 2014). Prevention is an approach that is aimed at protecting information before an attack, especially through the prevention of unauthorized access as well as modification and destruction. The prevention approach is mainly aimed at preventing any form of attack on the organization that can affect its sensitive information. Prevention strategies are effective in preventing any information leakage (Ahmad, Maynard & Park, 2014). Also, authentication is one of the strategies that are used by organizations to implement the prevention strategy because it is cost-effective. However, some organizations use encryption to implement the prevention approach to IT security.

Deterrence is an IT security strategy that is intended to influence human behaviors as well as attitudes to improve the security of sensitive and confidential information. The effectiveness of this approach is based on two main factors. The first factor is the certainty of sanctions, which is the awareness of sanctions to be imposed in case of data breaches or loss. The second factor is the severity of the sanction, which is the nature of the consequences when there is a data security breach. Ahmad, Maynard & Park (2014) maintain that organizations should train and educate employees about IT security to improve the effectiveness of the deterrence strategy. Also, organizations should have clear IT security policies that guide employees on the use of sensitive information. Studies have consistently shown that deterrence has positive effects on IT security and it can lead to a significant reduction in computer abuse (Ahmad, Maynard & Park, 2014). The severity of penalties enhances IT security. As a result, the deterrence strategy is the proactive approach that an organization can implement to secure its sensitive data from unauthorized use or access.

Detection is another common strategy that is used by many organizations to secure their data and information against any form of abuse. It is an operational-level strategy that is intended to identify a given security behavior, which is either an intrusion or misuse (Ahmad, Maynard & Park, 2014). As a result, the primary objective of this strategy is to give organizations the opportunity to react in a given strategic manner to counteract any IT security threat. The detection strategy helps in the identification of any unusual behavior that can compromise the confidentiality or integrity of sensitive information. Some of the technologies and techniques that are used to implement the detection strategy include network scanners, anomaly detectors, anti-virus software, and computer intrusion detection devices. To be effective, detection should be timely and free from false alarms.

Besides, according to Ahmad, Maynard, and Park (2014), organizations use a surveillance strategy to secure confidential and sensitive information. This is the strategic and systematic monitoring of the information security environment to adapt to changing circumstances and threats. The strategy gives organizations the opportunity to adjust to information security changes, which are rampant in the modern world that is characterized by rapid technological advancement. Organizations use application software and technological systems to implement the surveillance strategy. Besides, many organizations are relying on intrusion detection systems to execute a detection strategy effectively.

Response is another strategy that is commonly used in organizations to enhance IT security. It is a reactive strategy that is aimed at addressing identified information threats or risks. Currently, with improved technologies, many organizations are using an automated response strategy, which is not only effective but also efficient in meeting the set security goals and objectives. However, even though the response strategy may be effective, many IT managers implement pro-active strategies that are aimed at enhancing IT security (Ahmad, Maynard & Park, 2014).

IT Security Challenges 

The complexity of IT security attacks is currently one of the significant challenges that are faced by IT managers as well as organizations. IT security incidents that are linked to malicious codes such as viruses and Trojans are now complex, and they cause significant damage in many business operations. Computer viruses are not easy to detect and eliminate because they are directly attached to data and information file systems (Egan & Mather, 2005). It is now possible for computer viruses to corrupt and damage system files, leading to the loss of crucial information. Traditionally, malicious codes were only found in individual users' systems, leading to insignificant impact on data loss and staff productivity. However, the modern malicious codes are blended and complex, and they pose multiple security threats at a given time. For instance, Code Red and Nimda are associated with various information security threats, leading to the loss of billions of dollars and substantial damage to organizational reputation. In 2000, the Log Bug Virus caused about $8.17 billion loss (Egan & Mather, 2005). Therefore, the increased complexity of malicious codes makes it challenging for organizations to implement IT security effectively. At the same time, the rapid spread of malicious codes makes it difficult to respond quickly to prevent significant damage to sensitive information.

Figure 1: Global Malicious Code Impact 

(Egan & Mather, 2005) 

According to Fenz et al. (2014), failure to accurately predict IT security risks is a challenge that is hindering the implementation of IT security. The continually changing nature of IT security risks makes it extremely difficult for an IT manager to accurately identify the IT assets that should be protected against any attack. It is now possible for an IT asset that is being ignored to be attacked, making the risks unpredictable. The ability to mitigate any given risk heavily relies on the accurate identification of risks. As a result, the unforeseen IT security risk is a challenge that is yet to be solved despite several attempts by experts. Even though it is increasingly becoming impossible to predict IT security risks, Fenz et al. (2014) also argue that the overconfidence effect is hampering accurate risk identification. Many IT managers are highly optimistic and positive that they can accurately identify major IT risks facing organizations. Consequently, due to the overconfidence effect, IT managers conduct biased risk assessments, leading to increased cases of information security breaches and massive data loss. Fenz et al. (2014) maintain that IT managers and organizations should be objective in risk identification to address IT security threats. To overcome the challenge of the overconfidence effect, organizations should accurately interpret the accuracy of confidence values and give accurate answers to emerging questions.

The second major IT security challenge is the shortage of IT security staff, especially in developing countries. IT security is a new area, and it still has insufficient experts who can help in addressing many IT security issues. One of the studies that were conducted by CSOOnline.com revealed that only 60% of companies can employ IT experts who are entirely dedicated to information security issues. Nevertheless, the problem is mainly associated with the lack of enough IT security experts. Obtaining the required credentials for IT security takes training and experience, which is the reason why many people avoid the discipline. Even though many people are now venturing into IT careers, there is still a shortage of IT security experts globally. IT security issues cannot be solved when there are no trained experts to implement the identified policies and strategies (Fenz et al., 2014).

The shortage of IT security experts has led to another challenge known as lack of knowledge sharing. According to Fenz et al. (2014), knowledge sharing has a significant impact on the improvement of IT security because of its ability to enhance synergy between individuals and organizations. Besides, knowledge sharing is essential in promoting creativity and innovation, which can help in developing effective IT security strategies. Nevertheless, with limited numbers of IT security experts, there is no effective knowledge sharing that is aimed at addressing information security issues. Besides, there are few IT leaders in organizations who can motivate employees to engage in effective knowledge sharing or knowledge exchange. Hence, the lack of adequate knowledge sharing is a challenge that is affecting IT security.

Cost trade-off is another major challenge that is faced by organizations in their efforts to secure their data and crucial information. The use of IT security strategies is always influenced or motivated by risk management. However, cost-related issues are often considered when planning and executing the strategy. The desire to reduce costs leads many organizations to compromise on some of the elements that are required to effectively implement IT security strategies (Fenz et al., 2014). To promote the cost-effectiveness of IT security strategies, organizations always minimize the development and operational costs of countermeasures. Organizations should not pay a lot of attention to the cost of implementing IT security strategies.

On the contrary, according to Fenz et al. (2014), the strategies should purely be based on data and knowledge. At the same time, the strategy should be planned and implemented by people who have an in-depth understanding of IT security issues and threats. Neglecting the cost-effectiveness of countermeasures cannot help organizations to address information security issues adequately.

Egan and Mather (2005), on the other hand, argue that the lack of adequate legislation is one of the significant challenges that organizations face during the implementation of IT security strategies. The e-commerce sector is experiencing rapid growth, especially since the invention of the internet and smartphones. According to Fal’ (2017), privacy has become one of the main concerns in e-commerce because of the frequent hacking of confidential personal information. E-commerce companies are using IT to store customer data such as names, phone numbers, and credit numbers. Although it is the responsibility of companies to ensure that customers’ personal information is safely kept and protected from any cyber-attack, the lack of appropriate legislation worsens the situation. The existing government and industry legislation has not helped in enhancing IT security in many parts of the world, including the USA (Egan & Mather, 2005). Even though some countries have effective cybersecurity legislation, enforcement has become a challenge. The anonymity of many hackers makes it impossible to identify the criminals. Cyber attackers can use modern technologies and application software to hide their identity. Many courts also lack the jurisdiction to hear cybersecurity legal issues because such crimes often occur across borders. Hence, apart from developing effective laws, the government should come up with an effective way of enforcing legislation that is linked to IT security.

Therefore, the implementation of IT security is characterized by many challenges. Some of the challenges are internal and can easily be planned and implemented by organizations (Fenz et al., 2014). There are also external challenges that organizations have no control over. However, despite the nature of the challenge, organizations should find ways of addressing problems that hinder effective implementation of IT security. Addressing the challenges requires a multidisciplinary approach and close collaboration between organizations, particularly those that operate in the same industry. IT security breaches are costly to any organization and they can be minimized if the challenges are addressed. Based on the threat, new challenges will keep on emerging and organizations should find ways of adapting to the problems.

Conclusion 

Information now plays a critical role in determining the success and sustainability of organizations. Many companies now rely on information that is available in the market to gain a competitive advantage. At the same time, some companies rely on information that is provided by customers to manage their operations. For instance, banks are using customers' personal information to conduct many transactions. Therefore, IT security is an issue that should be taken seriously by both profit and non-profit organizations. Organizations can prevent data breaches and data loss by implementing effective IT security strategies. Besides, companies can save a lot of money if they minimize information breach issues that are costly and can lead to a negative public image and reputation. Importantly, organizations should address IT security challenges that keep on changing with the development of new technologies and application software. Organizations should work together and collaborate with the government to address the IT security challenges that they encounter.

References 

Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370.

An, Y. Z., Zaaba, Z. F., & Samsudin, N. F. (2016, November). Reviews on security issues and challenges in cloud computing. In IOP Conference Series: Materials Science and Engineering (Vol. 160, No. 1, p. 012106). IOP Publishing.

Egan, M., & Mather, T. (2005, May 6). An Executive's Information Security Challenge. Retrieved from http://www.informit.com/articles/article.aspx?p=368647&seqNum=3

Fal’, O. M. (2017). Standardization in Information Technology Security. Cybernetics and Systems Analysis, 53(3), 78-82.

Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.

Fuchs, L., Pernul, G., & Sandhu, R. (2011). Roles in information security–a survey and classification of the research area. Computers & Security, 30(8), 748-769.

Cite this page

StudyBounty. (2023, September 15). Information Technology (IT) Security Management and Challenges.
https://studybounty.com/information-technology-it-security-management-and-challenges-term-paper
