Topic 1: Information Security
Why should managers make information security a prime concern?
Just respond to each post, #1 to #3, below only.
With any level of management we are talking about, from CEO to team leaders in a call center, information security should be taken very seriously and should be a primary focus. Many front-end managers in a call center, store, or production warehouse take information security very seriously. Examples include ensuring that if you walk away from your workstation, you lock your screen, or that the register is logged out. These practices can help prevent social engineering attacks, which is “an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords” (Rainer & Prince, p. 91). Although front-line or lower-level managers emphasize the importance of information security, high-level management should lead by example, set the tone for the corporation, and take these procedures seriously (Rainer & Prince 2018).
With the skill sets needed to become a hacker decreasing, the world becoming more interconnected through internet services, and international organized crime becoming very prevalent in today’s society, information security is important (Rainer & Prince 2018). If management doesn’t take information security seriously, the information that the business has been entrusted with keeping secure may become compromised. With the ease of becoming a hacker with a small skill set on the rise, companies are at a higher risk of a deliberate attack on the information. There are many types of attacks, and one is not any less impactful than the other; system security needs to be of high importance to ensure you can reduce the amount of vulnerability in being exposed by these threats.
A manager should make information security a prime concern for several reasons. It can bring harm to the company, customers, and employees. I work for a bank, and I have access to checking information, loans, and credit cards. It is important before speaking to customers to verify their information before I release personal information. Sometimes the person is understanding and sometimes the call doesn’t go well. It is important for me to be careful with these types of calls. I have spoken to an ex-girlfriend, ex-boyfriend, ex-wife, ex-husband, family member, and the list goes on and on. I have to say, speaking to a soon-to-be ex-spouse is the worst; they want to ask all sorts of questions and most of the time they are angry. I must explain to them that they are not authorized and that, for security purposes, I cannot release any information.
I spoke with a customer who wanted to know if her checking account had been tampered with. She stated she got a strange email stating that her account was violated. The email had the company logo but an address that I had never seen before. The sad thing is that the customer trusted the email and gave her social security number, mother’s maiden name, and address. She trusted the bogus fake email. I couldn’t believe she released her personal information and then called the company to ask if it was from our company. I explained to her that the email wasn’t from our company and that she may want to consider purchasing a protection plan that will tell her when activity has occurred on her credit card, loan, banking account and more. I also explained that it can be difficult to get your money back when fraud is involved. I have seen customer accounts being used without their permission, and the customers now have to report fraud. It isn’t easy to get your money back when there’s fraud involved.
The word “Phishing” initially emerged in the 1990’s. The early hackers often use ‘ph’ to replace ‘f’ to produce new words in the hacker’s community, since they usually hack by phones. Phishing is a new word produced from ‘fishing’; it refers to the act in which the attacker allures users to visit a faked Website by sending them faked e-mails (or instant messages), and stealthily gets the victim’s personal information such as user name, password, and national security ID, etc. This information then can be used for future target advertisements or even identity theft attacks (e.g., transfer money from the victim’s bank account).
Unfortunately, my customer fell for a phishing email; she thought it was safe to give her personal information to the fake website. Due to all the training management made it a priority for me to take, I was able to tell her the email was fake and to get protection as soon as possible. I advised her that there are safe programs that can put a lock on all accounts if they detect any unusual activity.
The importance of proper information security is needed in the IT field. Security of a company’s best interest along with the customer’s data and private information should be the highest priority for any business; one incident regardless of size has the power to bring a company’s reputation down along with possible revenue or future returning customers. Rules and regulations are set into place to keep these businesses doing the right thing even though sometimes it’s more expensive than they like. All businesses should take into account that it is not only their customers’ information at stake but their company’s trade secrets and other information like contacts, buyers, sellers, account numbers, payroll numbers and so much more that they stand to lose and that can possibly be used to hurt the Company.
When used correctly, a proper cost and risk mitigation plan can help Information Security Teams to assess the possibility of what an attack could cost the Company along with possible ways to prevent attacks. This can mean going through third party companies to do planned network intrusions to test the systems being used. The benefit of this method is that even though the Company is being attacked, it is controlled; any and all data found or accessed is secure and not removed. The third party company will then give a report of issues found and how far they were able to get into the system along with a plan on how to prevent it and what security implementations need to occur to keep it from happening again. Once the Company has finished and consulted with the main Company who hired them, the important process can happen, which is planning to prevent a real-world occurrence. Having planned solutions to multiple issues helps keep the Company secure rather than waiting for an issue to arise with no plan in place to counteract the issue.
When a company understands an attack from the very beginning the different aspects of networks can truly shine and perform how they were designed. Proper policies and controls on data access will only further the security. “The main goal is to allow authorized users (customers and employee-body) access to the resources made available by a company, meanwhile keeping attackers out and thwart any exploits”
Risk management is sometimes thought to be the aftermath of an issue, when in fact it is well before the issue ever occurs. There is much more to security than just what the IT Team can do; the entire Company partakes in the efforts for a secure system, and many other things are implemented within the Company to assist the IT teams. Access controls, IPS, DLP, firewall and browser security help keep employees from either purposely or accidentally allowing attackers in or releasing data out of any system. Written policies keep employees informed and oftentimes can be used as a contract to notify any employee before they are given access that all information is company business only and that they are being monitored; should an issue arise at the employee’s fault, they are subject to being dismissed and/or fined for damages caused by their actions. Most of the time that alone is enough to keep employees from doing wrong. A triangle known as the CIA Triad helps with risk management: Confidentiality (C), Integrity (I) and Availability (A). Almost all issues dealing with security can be seen in the CIA Triad and can be categorized in one of the three choices.