Essay Example. Cyber Security at XYZ Company

In modern times, organizations face risks more imminently than before. Connecting to the internet creates significant loopholes and crevices, which allow hackers to access critical and private stored information, using different methodologies. Conventionally, cybercrime has grown to become an essential issue of consideration, especially when dealing with large databases. Eventually, a company might face severe monetary and reputational consequences if stringent security measures and standards are not established. Imperatively, XYZ company failed to hire an Information Security Officer (ISO), and that led to critical data breaches and exposure. Studies done by Ursillo and Arnold (2019) suggested that about 40% of businesses in the United Kingdom suffered a cyberattack. The report also stated that 38% of small organizations did not install security tools to enhance their protection from cybercrime threats. Related studies by Baldoni and Montanari (2016) further postulated that cybercrime cases in organizations were solely caused in environments where companies operate below the "security poverty line". The risks are increased by acts such as sending malicious emails between employees through open networks, which may be compromised to data exposure. The purpose of this presentation is to explicitly explore the causes and effects of information security at XYZ company and then develop immediate plans of action that should be enacted to correct the mess.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Definition of Cybersecurity in an Organization

In a broad view, cybersecurity refers to the ability of an organization to safeguard its data against any potential internal or external reach (Craigen et al., 2014). In most occasions, this process might demand the incorporation of various technologies, computer servers, programs, and data processing units, among other structural practices meant to prevent unauthorized access of employees and company information. In other words, the central objective of cybersecurity should be to enhance confidentiality, data integrity, and data availability. Issues of cybersecurity can influence organizational reputation in various ways. Hackers might use the obtained private information such as credit card details to withdraw funds, hence rendering the organization bankrupt. Besides, the hacker might expose the identity information, creating emotional problems such as anger in an organization, and destroying its reputation. All of these instances were practical for XYZ company that faced the problems of identity theft, and credit card fraud.

Undoubtedly, stealing an organization's sensitive information puts the company at a higher risk of suffering a lousy image. This reduces the competitive advantage of a company. Perhaps, the effects afflicted to a destroyed reputation might prove to be extremely crippling, more than the actual act of data loss. Furthermore, losing customer data might lead to risks for filing regulatory actions against the organization. As XYZ lost its data, there are possibilities that it may be subject to significant penalties following the privacy guidelines and policies that are related to various jurisdictions. When the impact is added to the issue of credit card fraud, it puts XYZ at a critical position of gaining recovery, because the costs are exponentially high.

Recently, the issue of ransomware has become the most implied risk by numerous organizations. Ideally, ransomware refers to a specific type of malicious software that hackers usually install in an organization whenever they get access to the company's links, websites or servers. Ransomware helps hackers generate colossal money because they often issue threats demanding for payments without which the system cannot be operative again. A report by Craigen et al. (2014) suggested that using unprotected wireless connections in companies is the most risky activity, that hackers can use to access customer data and other confidential, stored information. At XYZ, the wireless internet connection is free from access by everyone, and the credentials seem to be quite weak. External parties can easily maneuver into such systems and access information. The absence of strict guidelines on accessing the computer room situated on the 6th floor creates a wide loophole, for data breaching. It is necessary to consider venturing into strategies that aim at protecting this open information, to avoid the risks of suffering from unprecedented reputation substantial financial losses, facilitated by jurisdiction penalties. Other malicious acts include but are not restricted to: malware, viruses, spyware, and adware.

Cybersecurity Governance

The notion of cybersecurity governance or what other researchers describe as risk management should be granted with equal consideration as other vital issues in an organization. Owners and directors need to establish relevant mechanisms for use in leveraging the standards of cybersecurity, at the same level as matters of compliance, and operational and sustainable financial issues are addressed. For XYZ, the CEO, CTO, and CIO need to collaborate in installing all the information security standards to prevent any access. Accordingly, XYZ should use the National Institute of Standards and Technology (NIST) protocol functions in enhancing its cybersecurity governance (Ursillo & Arnold, 2019). The five functions are identification, protection, detection, response, and recovery.

Identification

In the identification stage, the XYZ company should learn to develop a proper understanding of issues of cybersecurity about systems, people, and data capabilities. All 43 employees, four executives, seven administrators, and six IT employees should be informed on the risks and concerns of cybersecurity so that they all develop a mutual understanding of the need of having information security.

Protection

In the protection protocol, the company should further develop relevant safeguarding measures to offer various security services in the protection of the company's data. In this step, XYZ can install anti-malicious software such as antivirus, antimalware, and antispyware systems. Strict verification and authentication procedures before having access to the company's servers and storage facilities like Microsoft professionals are further protection suggestions.

Detection

The third stage of detection should help XYZ as a company to establish various protocols for detecting cybersecurity events before, during, or immediately upon their occurrence.

Response

The response is one of the essential stages of the NIST framework, and eventually in the cybersecurity matters. It would be worthless, to understand the existence of risks, develop potential protective measures, and detection mechanism if no solutions are suggested to respond to all of these gathered pieces of information. As a result, the XYZ executive board, and owners need to identify the corrective plans which must be set in place, to avoid a future occurrence of data loss.

Recovery

It would be unethical for XYZ to assume that after going through the stated four steps, then possibility of risk occurrence would exponentially reduce to 0%. Perhaps, the modern world, with increased usage of technological capabilities in organizations, raises more opportunities for hackers to crack and have access to stored data. Fortunately, the same technological advancements can be utilized to propose and implement measures which, when installed, then recovery after a possible data breach inexpensive and more straightforward. The recovery step offers the organizational stakeholders with an excellent opportunity to set up appropriate activities, that helps to safely recover the lost data without necessarily undergoing a financial crisis.

Protections from Malicious Software or the External Attacks

Organizations that have data ambiguity must be ready at all times to undertake stringent measures that address the emerging dynamic data threats. To mention but a few, the following constitutes different system utilities that can help XYZ to detect, and protect itself from probable malicious attacks.

First, firewalls are useful software and hardware tools whose presence protects the organizational system from getting attacked by external parties and hence accessing its information. Firewalls help to protect both external and internal links that may be subject to exposure. Studies done by Ten (2010) suggested that organizations using web servers, and routers need at least three firewalls to protect the data adequately. In this case, XYZ only had a single firewall, with 43 employees. The information stored was, therefore, quite significant to be contained using a single firewall. Nonetheless, the presence of a firewall in the company is positive, and should only be advanced by adding more firewalls or other anti-malicious software.

Secondly, a company needs malware or spyware and a highly advanced proxy protection solution for protecting the company's internet from being accessed by hackers. Most importantly, malware often prevents any possible pop up of software codes, which may be used by a hacker to access usernames and passwords. XYZ has weak authentication, and its login credentials are subject to hacking when there is no malware. Besides, the company completely lacks malware, and spyware software, thus its website can easily be used for fraudulent purposes. In most cases, hackers usually develop software codes in open networks that help them to obtain all saved passwords. The CIO and IT employees, therefore, needs to get the opportunity of funding, to install this malware, which is sensitive enough to block all software codes which are meant to allow external access.

Thirdly, a company should have anti-spam software to help in protecting the system during email broadcasting. With 43 employees in the company, there is a higher likelihood that most communications are done on the 7th floor. Moreover, everyone has free access to the internet, including the administrative ones; hence, email servers are continually used. In convention, XYZ has an email server that operates a Virtual protection network (VPN) for all telecommuters. Sharing the same email server at a workplace without differentiation makes it crucial to conclude that the information is not safe at all. Occasionally, hackers can send emails which are similar to those send by organizations, to allow them to get individual responses, which eventually provides room for fraudulent purposes. However, anti-spam software is necessary, as they are automated to detect incorrect emails and senders, and immediately block them from having to access further access.

Finally, it is vital to understand that because internet access in the organization has no restrictions for the employees, there is no confidence in the sites that employees visit while using their gadgets. While off at work, employees can be visiting websites that are threatening the leakage of organizational information. For this reason, a company like XYZ needs access of anti-phishing software to help in monitoring the websites that employees visit in their daily encounters to ascertain that no risky website is accessed which may allow hackers to obtain the customer data and other sets of confidential information. Typically, the software comes in packaging of other vital computer programs that monitors websites servers, and emails that are being used on day-to-day operations. The programs are meant to block any peculiar websites that aim at acquiring the company's data.