The Economic Value of Software Applications

To schedule and ultimately prosper, all companies, regardless of scale, depending on essential business data. However, advances in information technologies and their eventual implementation by these organizations expose personal data to a variety of hazards and challenges. The risks and vulnerabilities to a company's information are related to inadequate information infrastructure protection, which leaves it vulnerable to ransomware, bugs, compromise, and network machine attack. According to a survey conducted by the Ponemon Institute (as cited in Trend Micro, Inc., 2012), over 78% of firms had had suffered from data breaches over the last 24 months. Irrespective of the person responsible for the data loss, these breaches remain a huge problem. The loss of the sensitive data causes the companies to suffer insurmountable financial liabilities taking the form of direct costs from the data recovery expenses and reimbursements to customers. The data breach may force a company to invest in recreating the lost data right away from the scratch. In addition, these incidences of data loss, damage the reputation of companies making the customers to fear transacting with them in the future. According to the PNC Financial Services Group, Inc. (2015), the data breach cost the US companies $15.4 million annually.

Risks and Threats of Company Data, and the Mitigation Policies

Lack of Security Architecture

There are some businesses that have not put security architecture in place, thereby exposing their networks to exploitation as well as the loss of personal information. In some instances, firms lack qualified employees or the right resources, which leaves their networks directly connected to the internet or linked through _x0093_out-of-the-box_x0094_ network tools with wrong configurations and without additional protective layer. Such inadequate network protection increases the vulnerability of information, software as well as the hardware, including the susceptibility to viruses, malicious software and hacking.

Mitigation measures. Outsource the services on developing robust security architecture from third parties or employ an IT expert team.

Targeted Attacks

This happens when some actors conduct targeted cyber intrusions to some enterprises to get access to the information on business dealings and other activities. The individuals conducting these intrusions gain unauthorized access to networks, computers and other devices where they extort, or extract passwords, usernames, and other data to undertake fraud or theft. Adversaries exploit security vulnerabilities in the targeted business networks through social engineering techniques like the emails with malicious code to entice the users to open an attachment or clink on a link (Australian Cyber Security Center, 2015). These techniques are also popularly called the spear phishing.

Mitigation measures. Install a _x0093_professional enterprise-level e-mail security program_x0094_ to check both outgoing and incoming messages. Offer training to the staff on internet security.

Outdated Software and Applications

Computers run on a variety of applications and software, and some companies are still using older versions, which may have become vulnerable to exploitations and attacks.

Mitigation measures. Establish strong patch management software that identifies vulnerable programs and updates other software regularly.

Poor Configuration Management

In the cases a computer is connected to a network without an adherence to the configuration management policies, it remains vulnerable to attacks. There are also firms with weak data security protection policies such that they do not restrict the items connecting to the networks.

Mitigation measures. Develop configuration management policies for connecting hardware, specifying the security mechanisms and procedures involved for each device. Run a Network Access Control solution.

Internet Websites

Firms with computers that have not been updated are likely to get infected by the malicious codes through browsing. Browsing through unsecured to suspected websites may see malicious software downloaded to the firm_x0092_s network and computer (Privacy technical Assistance Center, 2011). The web servers and databases make the information vulnerable during its transit and storage. While the secure sockets layer (SSL) protocol has proved to secure the confidential data while in transit, its destinations, especially the Web servers in the network of the recipient leaves it in the plain-text form and vulnerable. At this state, the data can easily get stolen or compromised by adversaries inside or outside the network as long as they can access the database or the Web server (SafeNet, Inc., 2009).

Mitigation measures. Install strong antivirus and firewalls to identify and block risky web pages. Protect the data through encryption by adopting technologies that able to cache and switch without leaving the data unencrypted and vulnerable on the backend as shown in figure 1 below.

Figure 1. Data protection while in transit and storage

Source: SafeNet, Inc. (2009)

Mobile Devices

In the modern world, the use of mobile devices, including the smartphones, laptops, tablets and other handheld gargets are on the rise. However, securing them has lagged behind (Privacy Technical Assistance Center, 2011). These devices have supported the access of organizational data and facilitated the execution of work from virtually anywhere and at any time, implying that they are sometimes used outside the company_x0092_s network security boundaries. The Trend Micro, Inc. (2012) reported that over 56% of workers stated that they stored sensitive data on their mobile devices. These facts mean that data breaches may arise when the devices are lost, stolen or their security compromised.

Mitigation measures. Develop stringent mobile device usage policies. Encrypt data in all portable devices bearing sensitive information

Removable Media

Use of the removable media such as the CDs, external hard drives and flash disks on the network or computers of companies poses significant security threats. When poorly protected, these devices provide a pathway for malicious programs to move between networks.

Mitigation measures. Undertake steps such as disabling the auto run feature. Train the workforce on scanning the removable devices for viruses before opening.

Poor Passwords

The failure to implement policies that require all sensitive data to be protected with passwords leaves it vulnerable to attacks and theft. Also, even where passwords are in place, the adversaries have developed password-cracking programs that easily break the weaker ones. In most cases, the user-generated passwords are weak are easily broken (Privacy Technical Assistance Center, 2011).

Mitigation measures. Professional password-generating software should be used, and procedures for generating the stronger ones issued.

Lack of Physical Security

Physical security is also important in preventing any unauthorized access to sensitive information, and also protecting the firm_x0092_s resources and personnel. The lack of physical security measures in safeguarding the dedicated computers, routers, computers, printers and other areas used in the storage of the sensitive data leaves the information exposed to risks.

Mitigation measures. Establish and enforce strong physical security procedures such as the physical barriers (safes, locks, and doors), security breach notification, response and recovery approaches, and surveillance and alarm systems.

Social Media

Using the firm_x0092_s computers and devices to access the social media sites leaves the company_x0092_s data vulnerable to adversaries. As noted by the Privacy Technical Assistance Center (2011) the social media websites are highly targeted by malicious programs, receive a high number of spams, and are used to gain information for theft of identity.

Mitigation measures. Introduce and reinforce policies barring access to some websites using the company_x0092_s computers and other resources. For companies that permit their workforces to access social media websites, they should train their employees on how the security threats and risks are generated when visiting such sites. Install a strong spam filtering solution and antivirus.

Inefficient Backup and Recovery Capabilities

Many organizations lack a robust data backup or recovery techniques, thereby putting their data at risk. The data and system recovery solutions are important as they assist an entity in reducing the risk of damage in the event of data breaches. The Trend Micro, Inc. (2012) reported that around 50% of the surveyed small and medium businesses lacked an automated data backup and recovery strategy while 62% of them did not routinely back it up. In addition, a third of the US firms had not implemented data backup and disaster recovery strategies.

Mitigation measures. Develop policies that outline the procedures for storage, backup and retrieval of data.

Insider Threats

The risks and threats addressed above are majorly linked to outside actors or agents. However, parties in the company, insiders, and who have legitimate access to the network and computers pose great risk to the firm_x0092_s data as they can easily copy, steal, delete, change, or misfile it either due to the user malicious attempts or carelessness (Privacy Technical Assistance Center, 2011). The PNC Financial Services Group, Inc. (2015) described these acts as an internally sources cyber-attacks, which have the capability of penetrating the network system and cause the loss of data. These breaches may expose sensitive data to third parties and severely harm the entity_x0092_s reputation while eroding investor and customer_x0092_s confidence.

Mitigation measures. Have a clearly-defined privilege rights management system. Restrict employees to have access to the data up to a given level. Perform audits to reinforce access control. Verify job candidates_x0092_ employment histories and screen them for criminal records.

_x000c_Memo

To : All Employees

From : The IT Director, Business Consulting, Inc.

Date : 28th March, 2017

Subject : Implementation of New Security Policies

This memorandum serves to inform you of the new policies and procedures that each and every employee of Business Consulting, Inc. will be required to implement. We cannot deny that the information technology has presented us with various benefits. I want to inform you that it is in the same measure that it has presented threats and risks to our crucial component, data, especially where tight measures have not been taken to seal the vulnerabilities to attacks. It is expected that adoption and subsequent enforcement of these policies will save our company a lot of resources, which have been lost through data breaches. Besides, we hope that all stakeholders_x0092_ needs will be safeguarded.

As is the company_x0092_s policy, you will be taken through a thorough training on the new policies and procedures to understand each aspect of every measure, and the expectations from each employee for their success. The policies address how you will manage:

Insider threats

Inefficient backup and recovery capabilities

Social media

Lack of physical security

Poor passwords

Removable media

Mobile devices

Internet websites

Poor configuration management

Outdated software and applications

Targeted attacks

Lack of security architecture

_x000c_References

Australian Cyber Security Center. (2015). Threats report. Canberra: Australian Cyber Security Center.

Privacy Technical Assistance Center. (2011, December). Data security: Top threats to data protection. Retrieved March 28, 2017, from the Privacy Technical Assistance Center: http://ptac.ed.gov/sites/default/files/issue-brief-threats-to-your-data.pdf

SafeNet, Inc. (2009). White paper: Five threats to data security and how to protect against them. Belcamp, MD: SafeNet, Inc.

The PNC Financial Services Group, Inc. (2015). Internal threats to your company's cyber security. Pittsburgh, PA: The PNC Financial Services Group, Inc.

Trend Micro, Inc. (2012). Five reasons small businesses lose critical data. Tokyo, Japan: Trend Micro, Inc.