November 26, 2019
John Smith, President
Business Name
1254 Coyote Way
San Bernardino, CA 92401
RE: Importance of Cybersecurity in Organizations
Dear Mr. Smith:
It has come to my attention that most businesses do not implement cybersecurity practices or policies in their organizations. These companies are not taking initiative in preventing attacks nor are they acknowledging the risk that is involved in storing valuable client information. This results in financial loss, loss of reputation, and loss of customers.
Let me start by introducing what exactly cybersecurity is. Webster defines cybersecurity as, measures taken to protect a computer or computer system against unauthorized access or attacks. According to an article written by Matt Powell, “Half of all cyber-attacks are targeted at small businesses.” As per Cybint, almost 60% of companies have experienced cyber-attacks such as DDoS attacks, phishing, and social engineering attacks. According to Juniper research, small businesses make up to 13% of the entire cybercrime market, yet surprisingly small businesses invest less than $500 in cyber security ( Matt Powell, June 2019 “11 Eye Opening Cyber Security Statistics”). Regardless of what size your company is, cybersecurity is a necessity to prevent data breaches, identity theft and cyber-attacks.
Purpose
The purpose of this letter is to address the importance of cybersecurity in organizations and how it affects the confidentiality, integrity, and authorization of information and computer systems. I’ve divided this letter into three main parts that provide reasons why every business, including yours, should implement cybersecurity procedures and policies into their everyday businesses. The three main parts will explain what kind of threats can affect your business, how to mitigate and manage risks and threats, and why you should implement cybersecurity policies or procedures.
Threats and Risks
Let’s face it, most businesses utilize computers and interconnectivity to perform daily business transactions, reporting, and other vital business operations. These computer systems communicate with one another that transmit and store personal and confidential information. So, it is essential to protect these devices and systems from cyber criminals and other threat vectors. Risk is defined as, the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness, and a threat is a potential danger (Gibson, CompTIA Security +). Cybercrime and cyber-attacks pose great threats to this information. If there’s one thing that’s abundant in the IT world, it is attacks and attackers (Gibson, CompTIA Security +). Now to discuss some threats and risks factors, some of the threats include but are not limited to: Social engineering, malware, denial-of-service attacks, and man-in-the-middle attacks. Let me explain briefly how some of these attacks work.
Social engineering is the practice of using social tactics to gain information (Gibson, CompTIA Security +). Social engineering does not usually involve the use of technology but relies on the unknowingness of existing employees. This attack can work by using flattery and conning. An example could be, by getting someone to reveal confidential information by impersonating a higher authority within the organization. Another form of this type of attack is spam emails. You see them everyday in your junk or spam inbox, these emails are unwanted and unsolicited. According to CompTIA Security +, “between 80 percent and 92 percent of all internet email is spam.”
Malware includes a wide range of software that has malicious intent. (Gibson, CompTIA Security +). Malware includes viruses, trojans, worms, logic bombs and more. Usually malware is installed unknowingly by users within an organization. For example, when a user installs software downloaded from the internet. Ransomware is a specific type of Trojan attack that takes over a user’s system and attempts to extort payment from the victim.
A denial-of-service attack is an attack that attempts to disrupt the services provided by another system (Gibson, CompTIA Security +). You might be wondering how this affects your business. Well in short, these attacks will hinder your business by disrupting services that your business might use such transactions, connectivity to websites both incoming or outgoing, and applications from running correctly. These types of attacks can cause loss of finance by hindering you to process transactions and can also cause productivity to fall within your business.
A man-in-the-middle attack. This attack can be thought of someone intercepting information between conversations unknowingly to either party. The definition according to Darril Gibson is a form of active interception or active eavesdropping. It uses a separate computer that accepts traffic from each party in a conversation and forwards the traffic between the two. These attacks gather private information and also distribute malicious code to systems.
Lastly, another common risk to organizations is improper configuration of computer systems and devices. This is not an attack by an outside source; however, it is really common for attackers to infiltrate due to misconfiguration of devices. Some of these devices might include: Firewalls, switches, and user privileges
These examples of threats and risks are just naming a few out of so many. Businesses big or small face these threats everyday due to negligence in configuration and improper training of employees. Now after explaining some examples of threats and risks to organizations, allow me to explain how to avoid these risks.
Risk Mitigation and Management
With all of the threats and risks that exist to harm your organization; you might be thinking that it is a daunting task to protect and fortify your company. However, that isn’t the case, I will explain how your organization can mitigate and manage risk.
Proper training and properly configuring and utilizing devices reduce risk. Some things to consider is educating your employees on threats and scams that can lead to infiltration of information. For example, advise your employees not to click on suspicious looking emails that they were not expecting. This will help prevent malware from infecting your systems. Another leading cause for risk is the improper setup of user accounts. Sometimes users are given too much privilege that can allow them to gain access to sensitive or confidential information. This can be avoided by providing users with limited privilege and only authorize them to access what is needed to perform their job functions. Keeping your systems up to date also mitigate risk, if for example
Another form of mitigation is physical security. “Physical security protects people, data, equipment, systems, facilities and company assets” (Harris, 2013). According to an article written by David Hutter, Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on "technology-oriented security countermeasures" (Harris, 2013) to prevent hacking attacks. Attackers seek the easiest means of infiltration, and often that becomes the most convenient choice. Vulnerabilities such as laptops, cell phones, and other mobile devices pose risk because these are physical devices that store sensitive information and can be stolen or lost. Something to consider is installing tracking software on these devices that allow you to pinpoint their location. Another means of alleviating this risk is having passwords setup to access. Implementing strong passwords with a minimum of six characters with a combination of letters, numbers and symbols. Here are some countermeasures organizations can take using physical controls. Physical control examples include types of building materials, perimeter security including fencing and locks and guards (David Hutter, sans.org).
Risk management is the practice of identifying, monitoring, and limiting risks, to a manageable level. It does not eliminate risks, but instead identifies methods to limit or mitigate them (Gibson, 2017). There will always be risk when owning a business, but risk management allows you to reach a level of acceptable risk using risk response techniques. Mentioned in Gibson’s Security + book, these techniques include; avoiding, transferring, mitigating, and accepting.
· Avoiding risk: An organization can avoid risk by not providing a service or not participating in a risky activity.
· Transfer: The organization transfers the risk to another entity. A common method includes purchasing insurance.
· Mitigate: The organization implements controls to reduce risk.
· Accept: When the cost of a control outweighs a risk, an organization will often accept the risk.
It is also an important to assess risk; this is referred to as risk assessment. Your organization must identify all assets and their values. After that you identify what threats and vulnerabilities are present, in short, a risk assessment attempts to identify the impact of potential threats and the potential harm it does to an organization. This can help you determine how much financial investment might be needed in order to protect your organization.
Investing and implementing in cybersecurity
Lastly, I would like to explain why your organization should invest and implement cybersecurity practices for your business. As mentioned above there are a lot of factors that pose great threats and risks; these threats can be devastating to a business and can often lead to the downfall of an organization.
Financial loss is a big factor and motivator to implement cybersecurity policies. As a business you want to be profitable, but you may often overlook the necessity to implement policies that protect your assets. This can result in financial loss to your business, you should think consider consolidating an IT firm that specializes in cybersecurity or having a IT department with cybersecurity specialist. Even though this can also be costly, risking running a business with neither of these options can have an even greater cost in the end. It’s not a “what if” your business gets attacked or targeted, it’s a “when” it’ll happen.
Another key factor would be loss of reputation. In todays business world, reputation is everything. Take for example, if your organization prides itself in customer service and then faces an attack that breached your systems to gain access to thousands of customers information. This will result in loss of reputation and stakeholders if your organization does not have a means of countermeasures. Companies that have sensitive information breached will not recover if there was a simple overlooked security policy or misconfigured system because this information will get out to the public and will result in loss of consumer trust. In the survey, conducted by OnePoll, 86.55 percent of 2,000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details (Drinkwater, 2016).
In par with loss of reputation, loss of customers is often the case with a business having a data breach.