Security Threats
Discuss the importance of IS/IT risk management practices in improving an organization's cyber resilience.
Being in a position to handle risks is as important as having a functioning information system. When an organization implements an ERP, its security risks increase because of the way the system is implemented: different modules are integrated together in order to achieve the organizational mission. Risk management is therefore a strategic issue in the implementation of ERP systems in any organization, because the success of an ERP depends on many factors, including technology (hardware and software), efficient design of processes, and utilization of human resources. The human resources are the users of the new ERP solution. It is with this in mind that organizations should adopt a risk management strategy that identifies and controls ERP implementation risks (Andress & Winterfeld, 2014). An organization at risk is exposed to potential threats. “Risk management comprises risk assessment, risk mitigation evaluation and assessment. Risk assessment is used to determine the extent of the potential.” Some tangible impacts of a successful threat are loss of revenue and the cost of repairing a system that has been affected.
Information threats are real; therefore it is important not only to identify the threats but also to know the vulnerabilities of the system and to look for ways of preventing these threats from breaching the security of the information system. The threats may be grouped into the following types:
- Natural threats: these are threats that are not caused by human beings. They include earthquakes, floods, tornadoes, hurricanes, temperature extremes, and many others.
- Intentional threats: the best examples of intentional threats are computer crimes or purposeful damage of property or even information.
- Unintentional threats: these may include unauthorized or accidental modification of the system.
The best way to study the vulnerability of the system is to identify the threats and then examine the system under those threats (Axelos, 2015).
One has to think about business transactions that can lead to losses from information-system-based abuse, fraud and errors. Losses occur when users use the system in a manner that they are not supposed to, whether intentionally or not. There may also be threats from intrusion and attacks by outsiders: people may steal or come across authorization credentials and try to enter the system without the knowledge of the authorities, thus jeopardizing the integrity of the information contained in the system database. In addition, there may be system abuse and fraud by insiders (Campbell, 2016). Authorized users can attempt, and indeed succeed in, entering modules that they are not supposed to enter. Centralizing everything in the organization can become a performance bottleneck and also increase the ease with which people can sabotage the entire operations of the organization: one only needs to ensure that the ERP is not working and the organization will be on its knees, unable to operate.
The vulnerability of the system
Weak Passwords
By use of dictionary attacks, intruders can correctly guess the passwords used in the ERP system and hence cause malicious damage to the system, or gain access to otherwise confidential organizational data, thereby compromising the integrity of the organization's data. To eliminate this kind of threat, the organization should enforce complex passwords and combine them with biometrics in order to strengthen this authentication mechanism (Dwivedi, 2014).
Social Engineering
This is a new threat whereby users are duped with nice and appealing information until they give their access credentials to strangers. For instance, users may be told that they have won something and must provide their personal information in order to receive their prize. This kind of threat can only be avoided by educating the system users and informing them that it is not usually possible to win a prize in a competition they never entered (Mann, 2017).
Unsatisfied workers
The biggest threat to the ERP is the system users themselves, especially if they are not satisfied with the organization or were not consulted during the system development. If they feel that they do not want the system, they may intentionally sabotage it so that it appears to senior management not to be working. This is especially so if the system is perceived as likely to result in job losses or loss of power for some of the employees. Furthermore, the introduction of an ERP will reduce some levels of bureaucracy and corruption within the organization, which may lead to resistance from company employees (Jakubowicz et al., 2017). Also, if there are strikes at the organization, the workers may target the system since it carries almost every function of the organization.
Interference with system operations by malicious programs such as spam, denial of service or, worse still, viruses (Whitman & Mattord, 2016) may cause a temporary stoppage of the system, which may in turn lead to huge losses for the organization. It is with this in mind that the organization should ensure that firewalls and anti-virus software are up to date and working properly.
Interception of a message stream while data is being exchanged from one point to another, or from one module to another, is another threat that may be unintentional. This may happen through session hijacking or spoofing by web page redirection. It may also result from eavesdropping using a wiretap and then using a packet sniffer to decipher the data obtained.
External Security Threats
There may be programming errors that were not discovered during system testing. Repeated rounding of values can lead to cumulatively huge losses, and duplication of entries is another threat (Joyce, Petit, Phillips, Lowak, & Evans, 2017), especially where referential integrity is not well implemented in the database. Another very serious threat is a zero being added unintentionally at the end or beginning of a value, which changes the final result of a computation. Testing of the system should continue beyond its commissioning in order to see how it behaves when large amounts of data are introduced (Whitman & Mattord, 2016).
Physical security should be provided for the servers against fires, water and other natural environmental hazards. Access to the servers and other networking equipment such as routers and switches should be well controlled. Servers should in fact not be used as workstations since this may lead to accidental loss of information (Linkov & Palma-Oliveira, 2017). There should also be adequate door locks and access cards to ensure servers are not accessed by unauthorized persons.
- User level
- Database level
- Transaction level
Firstly, perform an audit of all security-relevant events, then monitor any abnormalities that surface and investigate them objectively. An audit trail is quite important because by looking at such a log it is possible to see all the transactions that have taken place. Any qualified information systems expert will be able to tell when a transaction is an outlier, and this would form the subject of a thorough investigation (McGene, 2013).
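As an added example (not code from the original essay), the Python script below applies the outlier idea above to a constructed ERP audit trail: each posting is compared against the same user's other postings with a robust, median-based z-score, and a user's first appearance in a module is also flagged. The user names, modules and amounts are constructed sample data.

```python
"""Outlier detection over an ERP audit trail (added example; constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed audit trail entries: (user, module, amount posted)
AUDIT_LOG = [
    ("alice", "AP", 1200.00), ("alice", "AP", 980.50), ("alice", "AP", 1105.00),
    ("alice", "AP", 1320.00), ("alice", "AP", 1010.00), ("alice", "AP", 1250.00),
    ("alice", "AP", 1150.00), ("alice", "AP", 1075.00), ("alice", "AP", 990.00),
    ("alice", "AP", 48000.00),         # far outside alice's usual posting size
    ("bob", "HR", 300.00), ("bob", "HR", 310.00), ("bob", "HR", 295.00),
    ("bob", "HR", 305.00), ("bob", "HR", 300.00), ("bob", "HR", 290.00),
    ("bob", "GL", 310.00),             # a module bob has never posted in before
]

def robust_z(value, baseline):
    """Z-score using median and median absolute deviation (MAD), so one
    extreme posting cannot inflate the baseline the way mean/stdev would."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline) or 1.0
    return 0.6745 * (value - med) / mad

def find_outliers(log, threshold=3.5, min_history=5):
    """Return (index, reason) pairs for entries worth investigating.
    Each entry is judged against the same user's *other* entries."""
    by_user = defaultdict(list)
    for idx, (user, module, amount) in enumerate(log):
        by_user[user].append((idx, module, amount))
    findings = []
    for user, entries in by_user.items():
        for idx, module, amount in entries:
            others = [(m, a) for i, m, a in entries if i != idx]
            if len(others) < min_history:
                continue  # too little history to judge this user
            if module not in {m for m, _ in others}:
                findings.append((idx, f"{user}: first use of module {module}"))
            z = robust_z(amount, [a for _, a in others])
            if abs(z) > threshold:
                findings.append((idx, f"{user}: amount {amount:.2f} has robust z={z:.1f}"))
    return findings

if __name__ == "__main__":
    for idx, reason in find_outliers(AUDIT_LOG):
        print(idx, reason)
```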
Secondly, perform intrusion detection and containment. Instead of waiting until a security breach occurs, it is advisable to put detection measures in place so that in case of any of the above threats, the system will recognize the threat and alert the system users. As explained in the previous sections, intrusion detection mechanisms such as firewalls are quite important because they are proactive measures and can even lead to the capture of the intruder (Piggin, 2018).
Thirdly, perform proof-of-wholeness control by analyzing system integrity and irregularities and identifying any exposures and potential threats. Look at the data that has been processed by the system and check whether there are any inconsistencies. This will help reveal mistakes that may have been overlooked by the system. It is therefore important to ensure that whenever the system is operational, it is in a secure state (Shalamanov, 2017).
Fourthly, restore a secure state in the event of a security breach. This ensures that the system does not continue working with the security risk in place, as this may mean a continuation of the errors caused by the threat. Backups should be performed regularly, with the frequency based on data reconstruction difficulty and data volume. The backup procedures should be properly documented and accessible to the users. More importantly, maintain a copy at an offsite location. Finally, make sure there is an antivirus installed on the system at all times. Viruses are a major risk to any system, hence this matter should be taken seriously (Rothrock, 2018).
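The inconsistency check described here, together with the data defects named earlier under programming errors (duplicate entries, missing referential integrity, cumulative rounding drift and a stray zero in a value), can be implemented as a reconciliation pass over posted data. The Python below is an added example, not code from the essay or from any ERP product; the invoice totals and line items are constructed sample data.

```python
"""Reconciliation checks over ERP posting data (added example; constructed data)."""
from collections import Counter, defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def to_cents(value):
    """Round a monetary amount to cents, half up, the way it would be posted."""
    return value.quantize(CENT, rounding=ROUND_HALF_UP)

# Constructed data: stored invoice totals, and line items as (invoice, qty, unit price)
INVOICES = {"INV-1": Decimal("6.03"), "INV-2": Decimal("450.00"), "INV-3": Decimal("12.50")}
LINES = [
    ("INV-1", 1, Decimal("1.005")), ("INV-1", 1, Decimal("2.005")), ("INV-1", 1, Decimal("3.005")),
    ("INV-2", 1, Decimal("45.00")),                                  # stored total has an extra zero
    ("INV-3", 1, Decimal("12.50")), ("INV-3", 1, Decimal("12.50")),  # same line posted twice
    ("INV-9", 2, Decimal("5.00")),                                   # orphan: no such invoice
]

def check_integrity(invoices, lines):
    """Return (problem, invoice_id) pairs for every inconsistency found."""
    findings = []
    for line, n in Counter(lines).items():          # exact duplicate postings
        if n > 1:
            findings.append(("duplicate", line[0]))
    exact = defaultdict(Decimal)    # sum of unrounded line values per invoice
    posted = defaultdict(Decimal)   # sum of per-line rounded values per invoice
    for inv, qty, price in lines:
        if inv not in invoices:                     # referential integrity
            findings.append(("orphan", inv))
            continue
        exact[inv] += qty * price
        posted[inv] += to_cents(qty * price)
    for inv, stored in invoices.items():
        if posted[inv] != to_cents(exact[inv]):     # rounding each line vs rounding the sum
            findings.append(("rounding_drift", inv))
        if stored in (posted[inv] * 10, posted[inv] / 10):   # off by exactly one digit
            findings.append(("magnitude", inv))
        elif stored != posted[inv]:
            findings.append(("total_mismatch", inv))
    return findings

if __name__ == "__main__":
    for problem, inv in check_integrity(INVOICES, LINES):
        print(f"{problem:15} {inv}")
```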
Conclusion
In conclusion, system security is a very important factor in the implementation of any successful ERP system. The success of the system depends not only on the successful development of a good system but also on maintaining it throughout its lifetime and ensuring that no threats breach its security. Since an ERP system performs the core functions of the organization, it should be safeguarded from any threats that may lead to stoppage of these core functions.
References
Andress, J., & Winterfeld, S. (2014). Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners.
AXELOS. (2015). RESILIA Pocketbook: Cyber Resilience Best Practice. London: The Stationery Office Ltd.
Campbell, T. (2016). Practical information security management: A complete guide to planning and implementation.
Dwivedi, A. (2014). Designing for resilience. Cyber Sensing 2014. doi:10.1117/12.2054389
Jakubowicz, A., Dunn, K., Mason, G., Paradies, Y., Bliuc, A.-M, … Connelly, K. (2017). Cyber Racism and Community Resilience: Strategies for Combating Online Race Hate.
Joyce, A. L., Petit, F. D., Phillips, J. A., Lowak, L. B., & Evans, N. J. (2017). Cyber Protection and Resilience Index: An Indicator of an Organization’s Cyber Protection and Resilience Program. doi:10.2172/1433503
Linkov, I., & Palma-Oliveira, J. M. (2017). Resilience and Risk: Methods and Application in Environment, Cyber and Social Domains.
Mann, I. (2017). Hacking the Human: Social Engineering Techniques and Security Countermeasures.
McGene, J. (2013). Social fitness and resilience: A review of relevant constructs, measures, and links to well-being.
Piggin, R. (2018). Cyber Resilience 2035. ITNOW, 60(1), 30-31. doi:10.1093/itnow/bwy014
Rothrock, R. A. (2018). Digital resilience: Is your company ready for the next cyber threat?
Shalamanov, V. (2017). Towards Effective and Efficient IT Organizations with Enhanced Cyber Resilience. Information & Security: An International Journal, 38, 5-10. doi:10.11610/isij.3800
Whitman, M. E., & Mattord, H. J. (2016). Principles of information security.