Policy Disc 1

profileJohn_matt
replies_needed.docx

Please don’t give me a two to three sentence replies. It has to look bulky. At least 8 to 10 sentences. Thank you

Reply needed 1

The company's senior managers are reviewing the company's Annual Report which will be presented at the next quarterly shareholder's meeting. The annual report includes the following risk statements:

1. Cyber-attacks could affect our business.

A cyber-attack can be defined as a "deliberate exploitation of computer systems, technology-dependent enterprises and networks". (Techopedia, n.d.) Simply put a cyber-attack is an attempt by hackers to steal from, cause damage to or destroy a computer network or system.  No company or person is immune to cyber-attacks, anyone can be a target and anyone can become a victim. In 2015, it was reported that 50 percent of small businesses had been the target of a cyber-attack. (Harman, 2015) Often times these cyber-attacks occur because of vulnerabilities within the company. Through these vulnerabilities, which could be anything from lost or stolen work devices to unintentional or intentional employee leaks, hackers are able to use and abuse information and in some cases block a company from its own information.

The Red Clay Renovations Company is highly dependent upon computer systems to operate our "smart home" and "Internet of Things" technologies. Due to our high dependency on computer systems we could be more vulnerable to attacks if we do not take proper precautions to protect ourselves, our consumers and our assets. Through the use of our Internet of Things (IoT) technology we have a number of our networks connected and sharing information, which means a breach in one device could expose all networks. Although, there is no way to give a 100 percent guarantee that the Red Clay Renovations Company will never experience a cyber-attack even with the proper protective programs in place, we still have to ensure we continuously monitor, review and implement changes to make it more difficult for successful cyber- attacks to be carried out. We not only have to inform and protect our company we must also inform and protect our clients to ensure they have all the information and tools needed to protect themselves. A cyber-attack could ruin our current and future business deals, it would stain the reputation of our company, as well as could be very costly for us and the clients.

2. Disruptions in our computer systems could adversely impact our business.

Disruption to the Red Clay Renovations Company's computer system could be harmful to the business which is the metaphorical backbone of the company. Our business is a computer-based operation a disruption in one of our systems could possibly affect all of our locations. While have to always protect all of our assets, we could possibly quickly recover from a small breach in one of the field offices, however a breach at the Operations Center in Owings Mills, MD could be disastrous.  The possible repercussions to our businesses as a whole would be financial loss, data loss, tarnished reputation, and could possibly lose some of our clientele. We have to ensure we are keeping our cyber security up to date, install proper and updated security software, draft, implement and enforce proper protocol policies, and train our employees and clients.

3. We could be liable if third party equipment recommended and installed by us, i.e. smart home controllers, fails to provide adequate security for our residential clients.

Installing third party equipment can be a bit tricky in regards to who is liable for security or malfunction of the equipment. Our company does not manufacture the equipment we install but we could be held accountable for any defaults they may have. I believe there are two ways to handle liability situations, accept liability or transfer liability. If we accept liability for third party equipment we have to ensure we have a team of experts to research and verify the quality and security of the products. We would also have to obtain liability insurance.  " The company's risk treatments for cybersecurity related risks include purchasing cyber liability insurance, implementing an asset management and protection program, implementing configuration baselines, implementing configuration management for IT systems and software and auditing compliance with IT security related policies, plans, and procedures." (King, 2016)  Therefore, any equipment installed by us is our responsibility unless we choose the second option, to transfer liability. In order to transfer liability we would have to draft up a third party liability waiver, the third party company would have to contractually agree, and we must explain to and have signed by our clients. 

References

Harman, P., 2015. 50% of small businesses have been the target of a cyber-attack. Retrieved from, http://www.propertycasualty360.com/2015/10/07/50-of-small-businesses-have-been-the-target-of-a-c

King, V., 2016. Red Clay Renovations.

Techopedia, n.d.,  Cyber-attack. Retrieved from, https://www.techopedia.com/definition/24748/cyberattack

Reply needed 2

When a person throws a pebble into a pond it makes waves. The size of the waves depends on how large the pebble is, the force with which the pebble is thrown and the height it falls from. In the analogy that was just used our organization is the pond and the pebble represents a cyber-attack. While the pond cannot prevent anyone from throwing a pebble into it, we can prepare for and possible prevent cyber-attacks. In the case that we are hit with a cyber-attack it will adversely affect our business, and since we also install third party smart devices into our clients homes we might be liable if one of those devices fails to provide adequate security for our residential clients.

            Cyber-attacks are becoming more common and have affected a lot of large businesses, government employees as well as government agencies. One of the large retail stores that was recently hit was Target. Target’s reputation was severely impacted, they could not process credit card transactions for a while and they were forced to pay victims of credit card fraud $1o million dollars ( Riley & Pagliery, 2015). If our organization is hit by a cyber-attack the chances are we will fell similar effects. Our organization currently uses Symantec Endpoint Protection, which is one of the best anti-malware and host-based intrusion detection on the market, at our offices located in MD, PA and DE. If our organization is hit with a cyber-attack the chances are it will also disrupt our networks.

            The Operations Center of this organization is responsible for conducting accounting and finance, customer relations, human resources, information technology services, marketing and corporate management. If the Operation Center was hit by a cyber-attack it would temporarily cripple our organization. We would not be able to provide any services to customers or except payment. The webserver is where our clients and potential customers would go to view our products but since it would be affected by a cyber-attack it would not be accessible to anyone. Webservers running Apache, Nginx, WordPress as well as Joomla are more likely to be hacked and we are running Windows Server 2012 which is less likely to be hacked (Vasek, Moore, & Wadleigh, 2016). There is also a small possibility that the smart devices we install in our clients homes could be hacked and we could be liable.

            The smart devices we install are connected to the internet so that users can adjust the settings from anywhere. The problem with connecting to the internet is that hackers can break into the smart device without ever touching it and gain access to the user’s network. In a test a user was able to access systems by crawl-able search engines – meaning they show up in search results — and due to the devices not requiring user names and passwords by default in a now-discontinued product, the user was able to click on the links, giving them the ability to turn people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets (Hill, 2015). To prevent such a thing from ever happening to one of our clients we will provide adequate security and train our clients on how to use the system.

            Our organization is well prepared to defend against cyber-attacks. We currently use the best anti-malware and intrusion detection system on the market. The servers we employ are not currently targeted by hackers and are up to date. We will ensure our technicians provide adequate security for smart home devices and train users in order to avoid being liable for any damage that may be caused by a lack of security. In closing we have identified and addressed every risk concerning cyber-attacks and are confident in our staff as well as network that we can stop, prevent, or mitigate any cyber-attack that threatens our network.

References

Hill, K. (2015, July). When 'Smart Homes' Get Hacked: I Haunted A Complete Stranger's House Via The Internet. Retrieved from Forbes: http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/#32cfce0746a5

 Vasek, M., Moore, T., & Wadleigh, J. (2016). Hacking Is Not Random: A Case-Control Study of Webserver-Compromise Risk. IEEE Transactions on Dependable and Secure Computing, 13(2), 206-219. doi:10.1109/TDSC.2015.2427847

Riley, C., & Pagliery, J. (2015, March). Target will pay hack victims $10 million. Retrieved from CNN: http://money.cnn.com/2015/03/19/technology/security/target-data-hack-settlement/

Follow-up replies needed 4

John,

 

I like your overall briefing because it is very informative and provides some insight into how cyber-attacks affects businesses. I have to agree with your first sentence because cybersecurity matters are being discussed in 46% of board meetings (NYSE Governance, 2015). I think cybersecurity being a hot topic in the boardroom is because CEO’s are now being held responsible and can no longer place the blame on the CISO or anyone else. This forces the CEO to become more involved in the protection of the company’s network then they may want to be. That means the CEO can longer just focus on making profits for the organization and must take a more active role in understanding as well as investing in cybersecurity. 

 

 

NYSE Governance Services,. (2015). A 2015 Survey Cyber security in the boardroom. NYSE.  Retrieved from https://www.veracode.com/sites/default/files/Resources/Whitepapers/cybersecurity-in-the-boardroom-whitepaper.pdf

Follow-up replies needed 5

John,

I really enjoyed reading your briefing and it was very informative. I you was able too use a lot of reading the professor provided for very well too get your point across. I like how in your introduction you gave the fact of how in past companies usually held the Chief Information Security Officer (CISO) solely responsible for any security breach, but now almost everyone at the top of management is held responsible for any security breach. I think this is where it starts everyone has to take share and responsibility for security issues. I know it starts at the top but that should be a trickle-down effect and it should concern everyone top and bottom levels.

Overall I think you did an excellent job of covering all associated risk and really using the reading provided to provide a great informative briefing. 

You used many great points from the survey done by NYSE and as I read that survey it was amazing some of the reported finding in the survey. It was also shocking to me that so many of the surveyed people were not confident that there companies were not properly secured against cyber-attacks, I think that number was about 66% that was not confident and that number is way too big. That survey had a lot of good information in it and for the use of writing this briefing.

Follow-up replies needed 6

John,

I think you did a fantastic job within your discussion post because you were very straightforward and addressed all the necessary requirements in an appropriate manner. I really liked how organized you were within your post as you separated the sections within headings to help the reader better understand your next point of discussion. Although you highlighted the introduction and the risk events, you forgot to include a conclusion, which is necessary for a briefing paper (Dorrian, 2016, p. 2). An example of a way in which you could have concluded your paper is by reiterating the negative effects of cyber-attacks, disruptions in computer systems, and failure of security with third-party products, and how they can impact the organization as a whole. Another suggestion that I would like to present to you is for you to mention the smart home controllers when discussing the liability concerns. Specifically, within the readings, we were told that the company offers smart home technologies “which it installs in the residential buildings that it rehabilitates” (King, 2016, p. 10). Additionally, every device has a controller which is accessed through the web and it requires a username/password combination (King, 2016, p. 10). However, this is not very secure as passwords can be brute-forced and/or hacked as “the majority of these devices have little to no security beyond a password protected Web-based logon” (King, 2016, p. 10). This information could help shareholders better understand the fact that the company would be liable if these devices are hacked.

     Another way in which you can improve the overall quality of your post is by including a summary section in which you discuss at least three key points as stated within the rubric. For example, you can provide examples of cyber-attacks that have occurred within large corporations and how their systems were affected in an effort to persuade shareholders to take these risks seriously. You can also state ways in which cyber-attacks can be mitigated. Lastly, you could discuss potential impacts that the risks can have on the organization, whether it be in regards to finance or reputation loss. In conclusion, I think you were concise and clear within your discussion post. However, I would include the above recommendations to improve the overall quality of your post.