Asset Protection
Please answer the original forum with a minimum of 500 words and respond to both students separately with a minimum of 250 words each.
Please follow directions or I will dispute.
Page 1: Original Forum with References
Page 2: Desmond response with references
Page 3: Christopher response with references
Original Forum
What do you believe is the greatest internal threat an organization faces? What do you believe is the greatest external threat an organization faces? Explain your response to each.
Student Response
Desmond
In my opinion, the greatest internal threat an organization faces is a lack of computer literacy. Computer literacy is typically defined as the ability to correctly and effectively utilize computers, and in an age where computers are an essential part of most organizations, not knowing how to properly use one can lead to countless problems. Shein’s article focuses heavily on intentional insider threats, people within an organization that intend to do it harm, but I do not think this appropriately addresses the inadvertent insider threat, employees who accidentally cause problems for their employers. Employees without computer literacy can easily and unknowingly become an internal threat.
Most often, individuals who are not computer literate will misuse sensitive information. One of the most common examples of a lack of computer literacy leading to an increased organizational risk is phishing. Phishing is a type of scam used to retrieve sensitive information directly from unsuspecting individuals, often by spoofing e-mail traffic or websites (Purkait, 2012, p. 7). This type of threat relies directly on an employee’s lack of knowledge of security indicators and cybersecurity protocol. Phishing is one of the most common causes of identity theft and relies heavily on user error and improper training. It has been found that the most effective way to keep people from falling victim to phishing attacks is to provide them with technical training, thus increasing their computer literacy (Purkait, 2012, p. 29). By increasing computer literacy, employers can prevent potentially harmful, inadvertent disclosure of private information.
An increase in training can also help prevent issues that arise from a lack of computer literacy which do not involve outside actors trying to obtain private information. For instance, most government work centers aim to tightly control the availability of personally identifiable information (PII). PII includes things like social security numbers, banking information, full names, etc., anything that could be tied directly back to identify a singular individual. Well, a few months ago in my work center an individual needed to widely distribute a document which contained PII, so the PII had to be redacted. Instead of using the more secure Adobe PDF redaction function, he opted to print the document out, cover the PII with black marker, then scan the newly redacted document and send it back out. Because this man did not understand technology, he did not realize that scanners use bright lights to scan documents, or that this process would make the PII visible again. This led to the inadvertent distribution of hundreds of full names and social security numbers to my entire work center. This slip-up put hundreds of people at risk of identity theft, and although identity theft may not directly harm the organization, it is emblematic of the massive issues that can be caused by a lack of computer literacy.
The greatest external threat to organizations is the potential for a cybersecurity breach. Research has found that the average security breach can cost an organization approximately $6.4 million (Krishan, 2018, p. 16). For most companies that would be a massive amount of lost revenue and with security breaches occurring more and more regularly it is important for every business to protect themselves against this potential cybercrime. Although it is impossible to ensure a company is completely safe from potential security breaches it is possible to mitigate the costs of a breach by utilizing things like encryption, an incident response team, employee training, and proactive planning (Krishan, 2018, p. 17).
In addition to the large organizational costs associated with security breaches, these breaches can also cause individuals to incur large expenses. Like in the case of the 2017 Equifax breach, where nearly half of the US adult population had their private information exposed (Berghel, 2017, p. 72). These individuals now have to worry about having their identities stolen for the rest of their lives, and may incur heavy costs for anything from identity theft protection to credit score monitoring. These individual costs coupled with corporate financial losses and reputation loss make security breaches a big threat for any organization.
Chris
The greatest internal threat an organization faces is those with access. As security professionals, we have a great deal of access and are a huge threat to any company, along with Information Technology Professionals and the unfortunately overlooked administrative professionals. All of these professions have a great deal of access to everything within a company. Security obviously has the most access to the company and how everything operates, as we are charged with its protection. IT has professionals with administrative accounts, or any with, I will say, higher access levels, who essentially have the keys to the virtual kingdom. Administration professionals such as secretaries or executive assistants are often overlooked; however, these types of employees see everything. They have access to the email account of their boss, and they route all paperwork and in doing so get access to many things we generally do not view them as having access to. While I believe anyone can be an insider threat, in my opinion the general greatest threat is the IT professional. A whopping 93% of respondent U.S. organizations believe they are vulnerable to insider threats, and plan to increase or maintain what they spend on information technology (IT) security and data protection, according to Vormetric’s 2015 Insider Threat Report (Shein, 2015, p. 1). While it very much depends on location and position, in my experience IT professionals are generally underpaid, overworked, and underappreciated, which I think can lead someone down a path to being either recruited for industrial espionage or just the thought that they can make some cash and leave.
The greatest external threat an organization faces is counterfeiting as a result of industrial espionage. We normally associate counterfeiting with money; however, counterfeit parts are a huge problem around the world. There has been a large problem with this in the home use drone world in the last few years. Essentially the problem is company A spends millions of dollars developing a new product, whether it be the drone itself or the software or hardware required to make it special. Company B uses either the knowing insider threat or the unknowing insider threat (the person who does not pay attention to their training and clicks the malware/phishing, etc. email) to gain access to company A’s information. Doing this costs them very little considering the millions it would cost to develop a new product. Company B now has enough information to create an adequately similar version of company A’s product. Now, as company B creates and sells this product at a deep discount to the consumer, company A has to either develop a new product, new version, or discount their original to be able to sell it. Of course many companies plan for this and have plans in place. Either way, company A in this example is spending money to try to counter this threat, and that does detract from their bottom line. Overall, I do not think it is the traditional competitor that is the greatest threat but the thief that wants to gain from another’s hard work and investment. While the way we attack and counter threats has changed over the years, the basic bad guy seems it will never change.
Shein, E. (2015). Companies Proactively Seek Out Internal Threats. Communications of the ACM, 58(11), 15–17. https://doi-org.ezproxy2.apus.edu/10.1145/2820423