Security Problems and Solutions in Organizational IT Systems

Posted: July 13th, 2021

Abstract

The security of information systems is one of the most spoken of and discussed issues in the 21^st century. With increasing automation of most operations across the world, in fields such as education, business, government, and health, the issues of the safety and security of automated systems have become very important for organizations. The security of IT systems is necessary to guarantee that the information stored in systems remains secure and is not accessed by unauthorized persons. The demand for qualified and experienced IT systems security and cybersecurity personnel has increased greatly over the last decade. In addition, organizations continue to face an increasing cybersecurity risk rate. In this paper, the various security problems and issues faced by IT departments in organizations, as well as some of the solutions to these problems are discussed. The paper focuses on ABC Ltd, a financial management organization that has a back and front office software management system and uses an internal network to connect its various branches to the servers.

Introduction

In today’s modernized world, the lives of people, the performance of business organizations, the strength and performance of the economy, and the security of the nation all depend on the availability of safe and stable cyberspace and secure information systems. Businesses and organizations are more interconnected today than ever before as a result of technological development and innovation. The automation of systems and the collection of data for purposes of business operations has made the security of information technology systems very important for organizations (Kim & Solomon, 2016). As organizations and people continue becoming increasingly connected, the risks of fraud, theft, and abuse continue to increase. Increased reliance on information systems and technology has made organizations more vulnerable to cyberattacks and security breaches, including corporate security breaches and social media fraud. Since organizations depend on information technology systems and networks for communication and other important operations, it is not possible to ignore the security threats that may be faced in the process of using these systems. Organizations face various challenges in the process of ensuring the security of data and information technology systems.

Company Summary

ABC Ltd. is an organization that engages in the business of dealing with monetary and financial transactions such as loans, investments, deposits, and the exchange of currency. Financial activities are a crucial part of the economy, as a financial institution serves millions of people and companies every day. Organizations and individuals rely on financial institutions for investing and monetary transactions. ABC Ltd. specializes in investment banking, providing various services that are designed to facilitate business operations, such as equity offerings and capital expenditure financing. The company also offers brokerage services for investors, mergers and acquisitions management services, and acts as a market maker for trading exchanges. For an organization such as ABC Ltd., information systems play an important role. ABC Ltd. handles and stores customer and client data in its information systems (Ayadi & De Groen, 2014). The company has a back office and front office software management system, a human resources management system, as well as an internal network that connects all the hosts in different branches to the servers.

ABC Ltd.’s Online transactions and activities such as marketing are also conducted through the support of information systems (Gumussoy, 2016). Data analysis and strategic decisions are only possible with access to information systems. The company, therefore, is exposed to various security threats associated with the use of information systems. Some of the security challenges that the company faces are discussed in this paper, with various recommendations on how the challenges can be resolved provided.

Information System Security Trends

Information systems are sets of components and devices that work together and are designed to manage the processes of data processing and data storage. The purpose of information systems is to support various key aspects of the management of an organization, including record-keeping, communication, transactions, decision-making, and data analysis. Information systems are used by organizations to improve business operations, process and store data, make strategic decisions, and achieve a competitive advantage (Eloff & Eloff, 2003). They include various combinations of hardware, software, and telecommunication networks. ABC Ltd. requires information systems for various purposes. For instance, the company may utilize customer relationship management systems to acquire a better understanding of its target market, to retain existing customers, and to acquire new customers. Such systems allow the organization to collect, store, and analyze data on customers, define the target group for marketing campaigns, and weight the level of customer satisfaction.

The security of information technology systems is an issue that has implications for millions of people and thousands of organizations. Cybers security is one of the current trends in modern business operations (Smith & Rupp, 2002). It is the process of utilizing security measures to ensure the integrity, confidentiality, and availability of data stored in information technology systems and networks. Cybersecurity operations ensure the protection of an organization’s technology assets, including data, servers, systems, and human beings. Over the last decade, cyberattacks targeting organizations have occurred in the United States (Kim & Solomon, 2016), with the aim of obtaining access to confidential information, organizational trade secrets, and intellectual property. When a cyberattack occurs, it results in the exposure of sensitive business and personal information, which can be used by competitors and attackers for unauthorized purposes. It may result in the disruption of business operations and may impose huge costs on an organization and the economy at large.

While information systems and automation have revolutionized business activities and improved productivity and efficiency, they have also introduced a complex service environment that is vulnerable to attacks (Viega & McGraw, 2011). The major challenges that ABC Ltd. and other organizations face in the management of information systems security are discussed in detail below, after which the various proposed solutions to the problems are provided and discussed.

Issues and Problems with Security in Organizational Information Systems

Lack of Skilled Cybersecurity Personnel

One of the most prominent challenges that organizations face in the management of their information systems is the lack of skilled cybersecurity professionals (Hayes, Shore, & Jakeman, 2012). With the increasing risk of cyberattacks and increasing sophistication of cyber threats, organizations face a challenge in the recruiting of skilled cybersecurity professionals that are capable of safeguarding their information system against attacks. Cybercriminals are responsible for billions of dollars in losses every year. In addition, state-sponsored hacking groups pose a great threat to organizations. The demand for professionals that are capable of securing networks and systems against attackers is, therefore, very high. Training and education institutions across the world are finding it difficult to keep pace with the increasing demand for cyber talent, resulting in the scarcity of cybersecurity professionals. In the United States, there existed a shortfall of more than 300,000 professionals as of January 2019 (Crumpler & Lewis, 2019). The number of vacant cybersecurity jobs continues to increase every year.

Personnel shortages are present in many of the positions that fall in cybersecurity, especially the highly-skilled technical staff (Caldwell, 2011). There is a shortage of the highly technically skilled personnel required for the operation and support of installed information systems. There exists an even larger deficit of skilled personnel required for the design of secure systems, development of network tools and systems, and writing of secure computer code. There is an adequate number of cybersecurity policy planners and compliance officers. However, there is very few highly-skilled personnel for secure systems design and operation. Organizations are in dire need of graduates who have the skills to design secure systems, hunt down any hidden systems vulnerability, and come up with new defense tools and mechanisms. There is also the problem of education and training, as IT departments in many organizations do not believe that education and training programs offered by education institutions prepare students fully to join the cybersecurity industry and perform well.

Many education programs fail to adequately prepare IT students for the cybersecurity industry, which means that organizations have to provide further on-the-job training to new recruits to equip them with the necessary experience and expertise. Many organizations are dissatisfied since they believe that most IT graduates lack the necessary practical and technical experience in information security and computing. Employers also complain that IT graduates lack soft skills that are essential, such as problem-solving, teamwork, and effective communication (Crumpler & Lewis, 2019). In addition, the current education systems do not have metrics or rankings that can assist employers to clearly understand what certifications, programs, and degrees are the most effective in preparing IT students (Oriyano, 2014). The inadequacy of skilled cybersecurity professionals makes it difficult to ensure the security of organizational information systems. Even though organizations invest in the best systems and infrastructure for network and software operations, they may suffer from security challenges since they lack enough professionals for the management of the infrastructure and systems.

Educational institutions face a huge challenge in training students in cybersecurity since it is a relatively new field in education. The few students that graduate and leave school are inadequate to meet the huge demand for experts. Lack of adequate manpower in an organization such as ABC Ltd. would mean that the information systems of the company would not have professionals monitoring them. Any cyberattack alerts would go unnoticed and attackers would gain access to the organization’s databases. Stolen data may be used for unintended purposes and some attackers may delete the data. The integrity of data, especially for a financial institution, is very important. The challenge of acquiring enough cybersecurity professionals, therefore, has to be resolved to ensure the security of the company’s information systems and networks.

High Cost of Infrastructure and Labor

Another major challenge to the security of organizational information systems is the expensive nature of cybersecurity, especially for startup companies. Owing to the fact that the highly-skilled professionals in the field are inadequate, the available professionals are expensive. In addition, hackers are always finding new ways and loopholes to compromise information systems with the aim of gaining access to them (Oriyano, 2014). Besides organizations spending huge amounts of money and other resources to set up information systems and put in place cybersecurity equipment and infrastructure, they are also forced to keep updating their security systems and cybersecurity skills in order to remain updated on the current trends in cybersecurity (Rowe & Gallaher, 2006). Most organizations use the Defense-in-depth system for security, a system developed by cybersecurity professionals where an information system is split into segments and each segment has implemented security system control (Oriyano, 2014). It may be compared with the physical security of a house. first, there is a lock at the gate, then a lock at the front door, then other locks on various other doors inside the house.

For ABC Ltd. to implement such a system, hardware and software components such as computers and firewalls would have to be acquired, which would result in huge additional costs for the organization. While data breaches and cybersecurity continue making headlines, more organizations across the world continue falling victim to data theft and network intrusion (Luo et al., 2011). Many organizations are hesitant to increase their spending on security systems upgrades and the improvement of data protection practices. It is difficult to approximate an organization’s average investment in data protection since different organizations have different security needs and different complexities of information systems. A financial institution such as ABC Ltd. will demand tighter data security compared to a restaurant. The costs of data breaches are huge. Organizations have lost millions of dollars through cyberattacks. A huge investment is necessary to resolve data breaches, pay court fees and compliance fines, and conduct investigations and forensic processes.

In addition, organizations have to restore security systems after an attack and allocate resources towards the process of customer acquisition, since a data breach results in the development of a bad company reputation. Spending money on cybersecurity should not be looked at as an expense but as an investment, as an organization can avoid huge future losses arising from cyberattacks and data breaches. For new companies, allocating scarce resources to cybersecurity practices and infrastructure is a huge challenge. Hiring qualified and experienced cybersecurity professionals is also a very expensive venture.

Abuse of Account User Privilege

Abuse of privileged accounts usually occurs when the privileges that are associated with a specific user are used fraudulently or inappropriately (Luo et al., 2011). This inappropriate or fraudulent use may be malicious, through willful ignorance of policies, or accidental. The abuse of privileged accounts is one of the most common causes of information systems security incidents and breaches. Abuse of privilege is the result of poor control of account access, where a user has more access rights or privileges than they need to do their job (Jang-Jaccard & Nepal, 2014). It mostly occurs when an organization fails to monitor the activity of privileged account users and put in place appropriate access controls. Account access control issues arise when there is a lack of coordination between the security teams of an organization or the various departments of an organization and the IT management team. While IT management is responsible for user accounts administration, security teams are responsible for the monitoring of privileged accounts to ensure compliance with regulations and guidelines.

Privileged user accounts serve as gateways to key systems and data (Onwubiko, 2015). Therefore, the abuse of these accounts can result in the loss of business intelligence and sensitive data. It may also result in downtime of applications and systems that are important for normal organizational operations. Besides the damage to an organization, the misuse of privileged accounts can result in data breaches that may cause bad publicity and loss of customer trust. It may even result in lawsuits and steep fines for compliance failures. A key reason why privileged account abuse is a big issue is that it is fairly impossible to train every employee in an organization in cybersecurity. Lack of training makes employees having privileged account access susceptible to social engineering attacks via the internet (Onwubiko, 2015). Social engineering refers to an attack where cyber attackers use various tricks to retrieve information from employees, such as usernames and passwords (Oriyano, 2014). Attackers can use the data obtained to access an organization’s information systems and proceed with their intentions.

Potential Solutions to Security Issues

The various challenges discussed compromise the availability and the integrity of information stored in organizational information systems. Various solutions have been proposed by experts to address some of these issues. Some of the common solutions include government legislation and countermeasures implemented by organizations to ensure information security. Many governments have also proposed working together and working with IT experts to pursue hackers across geographical boundaries (Smith & Rupp, 2002). Experts have also proposed the improvement of education and training to meet the demand for IT professionals (Cadwell, 2011). Organizations are also investing in research and development to keep their IT departments updated on the current trends in cybersecurity and to sharpen their skills.

Government Legislation and Countermeasures

The cybersecurity skills gap that the country and the world continue to experience should be taken seriously by all the stakeholders in the industry. It is a national emergency and should be treated as such. Measures need to be put in place by the government and by employers to ensure that the various security challenges faced are resolved. The government has a huge role to play in the resolution of these challenges. First, the government needs to increase revenue allocation and scholarship funding towards cybersecurity training in education institutions (Smith & Rupp, 2002). This will boost the capacity of educational institutions and increase the number of graduates that join the cybersecurity field every year. Second, the government should initiate a national awareness campaign and departmental programs that are driven towards the improvement of cybersecurity training and development. It is also important that the government initiates a public-private partnership effort to bridge the gap between high-tech IT companies and startup companies.

Relationships should be built between IT companies and other organizations in various industries to ensure that organizations can be provided with qualified IT personnel (Smith & Rupp, 2002). Instead of organizations working in isolation to ensure cybersecurity, the existing large cybersecurity and technology companies such as Cisco, Dell, Hewlett Packard, and Microsoft should build relationships with organizations in other fields and pool available talent and resources to develop programs and strategies for better cybersecurity and cybersecurity training. The government should also work with IT organizations to raise the eligibility criteria for technology and cybersecurity schools. This will improve the qualification of graduates and the quality of training offered. The government should bring together educators, cybersecurity providers, and employers to work together towards the improvement and standardization of performance measures in cybersecurity (Jang-Jaccard & Nepal, 2014).

Organizations need to put in place various countermeasures to minimize the abuse of privileged accounts. First, organizations need to regularly assess and effectively manage all the assigned account privileges. Privilege assignment should be regularly reviewed to ensure that employees do not have access to data and information that they do not need to do their job. Access rights should be reviewed regularly and excessive privileges removed (Schneider, 2003). Permissions should be reviewed and updated whenever new user roles are added and when user roles change. Second, organizations need to gain visibility into their IT and cybersecurity environment. This is achievable by monitoring changes and user activity in the IT environment. Through this, organizations can identify and detect threats, privilege abuse, and attacks. Lastly, organizations need to analyze user behavior in all privileged accounts. This will enable them to identify when users access accounts outside working hours or when the behavior of users deviates from the norm.

Education and Training

To meet the high demand for cybersecurity professionals, organizations and educators have to work together to ensure that education and training standards are improved (Crumpler & Lewis, 2019). Organizations such as ABC Ltd. should not wait on the government or the technology vendors to resolve the security challenges that they face. They have to take the skills gap into account and step up to ensure that the gap is sealed. Organizations should work to ensure continuous training of IT and cybersecurity staff. Organizations should also invest in new security systems and technologies that are built for integration, automation, and streamlined operations. They should also ensure that their staff is involved in professional training and organizations such as ISSA to sharpen their skills. With proper training, the IT staff of ABC Ltd. will be equipped with the necessary training to handle cyber threats and attacks. Improved training would also ensure that organizations acquire adequate personnel for the purposes of providing support and monitoring the cybersecurity equipment and systems used by the organization.

Trainers and educators, as well as the institutions that fund them, should work harder to ensure that cybersecurity curricula and training include a focus on the fundamentals of computing and security. This will help in preparing students for the industry by improving their ability to take on technical roles (Crumpler & Lewis, 2019). Trainers and instructors need to incorporate hands-on training and learning opportunities such as challenges and competition into cybersecurity curricula to build and improve practical skills in their students. This will also forge strong relationships and partnerships with organizations, allowing students to participate in internships and apprenticeships that can expose them to cybersecurity work environments. Educators and trainers should seek to support the improvement of soft skills in their cybersecurity students. This can be done by emphasizing team assignments in the educational curricula. Retraining institutions should be set up, such as the UK Cyber Retraining Academy, to provide short and intensive training programs to employees. Such programs should be supported by policymakers and organizations to improve the skills of IT staff.

Research and Inter-industry Relationships

There is a need to improve the research on cybersecurity and the development of secure information systems. Organizations should increase their revenue allocation towards cybersecurity research and development to ensure that the best systems and the latest infrastructure is in place for purposes of cybersecurity. Allocation of resources to research will also result in the development of new techniques to deal with cyber threats and attacks (Kankanhalli et al., 2003). It is also important that organizations build relationships with educators and cybersecurity vendors to effectively communicate the key workforce needs and the gap in skills. Better relationships between organizations and educators will help in aligning the needs of industry with the cybersecurity talent that educators develop. Organizations need to consider setting up internal retraining programs and activities to improve their existing talent and fill any workforce shortages. They should also consider hiring cybersecurity applicants having non-conventional backgrounds, such as those who graduate from short-term intensive cybersecurity programs, to meet their workforce needs.

Conclusion

Organizations today are facing several challenges in the process of ensuring the security of information systems, networks, and data. Some of the most common challenges that organizational IT departments face today are challenges in recruiting due to the lack of qualified cybersecurity professionals, abuse of privileged accounts, and the high cost of cybersecurity. There is a high demand for professionals with deep technical training and skills, individuals who are able to take on roles such as the design of secure systems, the development of new techniques and tools, and providing support to cybersecurity systems. Organizations, the government, IT vendors, and educators need to work together to resolve the challenges that the cybersecurity industry faces. Through improved relationships between the stakeholders, improved training and research, and better government policies, the various challenges that organizations such as ABC Ltd. face can be resolved.

References

Ayadi, R., & De Groen, W. (2014). Banking business models monitor 2014: Europe.

Caldwell, T. (2011). Ethical hackers: putting on the white hat. Network Security, 2011(7), 10-13.

Crumpler, W., & Lewis, J. A. (2019, January 29). The Cybersecurity Workforce Gap. Retrieved  October 2, 2019, from https://www.csis.org/analysis/cybersecurity-workforce-gap.

Eloff, J. H., & Eloff, M. (2003, September). Information security management: a new paradigm.            In Proceedings of the 2003 annual research conference of the South African institute of    computer scientists and information technologists on Enablement through      technology (pp. 130-136). South African Institute for Computer Scientists and Information Technologists.

Gumussoy, C. A. (2016). Usability guideline for banking software design. Computers in Human            Behavior, 62, 277-285.

Hayes, S., Shore, M., & Jakeman, M. (2012). The changing face of cybersecurity. ISACA Journal, 6, 29.

Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of    Computer and System Sciences, 80(5), 973-993.

Kankanhalli, A., Teo, H. H., Tan, B. C., & Wei, K. K. (2003). An integrative study of       information systems security effectiveness. International journal of information  management, 23(2), 139-154.

Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones &         Bartlett Learning.

Luo, X., Brody, R., Seazzu, A., & Burd, S. (2011). Social engineering: The neglected human       factor for information security management. Information Resources Management Journal    (IRMJ), 24(3), 1-8.

Onwubiko, C. (2015, June). Cybersecurity operations centre: Security monitoring for protecting business and supporting cyber defense strategy. In 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) (pp. 1-10). IEEE.

Oriyano, S. P. (2014). Ceh: Certified ethical hacker version 8 study guide. SYBEX Inc.

Rowe, B. R., & Gallaher, M. P. (2006, March). Private-sector cybersecurity investment    strategies: An empirical analysis. The fifth workshop on the economics of information       security (WEIS06).

Schneider, F. B. (2003). Least privilege and more [computer security]. IEEE Security & Privacy, 1(5), 55-59.

Smith, A. D., & Rupp, W. T. (2002). Issues in cybersecurity; understanding the potential risks associated with hackers/crackers. Information Management & Computer Security, 10(4), 178-183.

Viega, J., & McGraw, G. (2011). Building Secure Software: How to Avoid Security Problems the Right Way (Addison-Wesley Professional Computing Series). Addison-Wesley            Professional.