The Need For Computer Security
Security has always been a vital component of information systems, and ever since the rise of the Internet back in the early 1990’s, information systems have become increasingly accessible by people across the globe. Today, security is one of the highest priorities in most organisations and more and more home users are getting the message and becoming aware of the importance of information security.
The introduction of GDPR (the General Data Protection Regulation) in 2018 means that under EU law companies must take the protection of individuals' data very seriously. Although the law is EU based, it also covers the movement of personal data to regions outside the EU. Breaches of data protection in any manner - through lax security systems, as a result of attacks from unauthorised third parties, or accidental transmission or sharing - are treated very seriously, as has been demonstrated by a number of substantial fines. These include a fine levied against British Airways of £183m.
Because computer communications specialists have dominated the supply of security safeguards, the language of the field is heavy with technical jargon and is often considered arcane.
Basic Security Concepts
The most important security concepts related to information on the internet are confidentiality, integrity and availability.
Against this, consider that the most important concepts related to the people using the information on the internet are authentication and authorisation.
A key issue with displaying information on the internet, or on any other information system, is making sure that only authorised people are able to view it: confidentiality is a vitally important attribute of information security. When unauthorised people obtain access to information such as research data or medical reports, the result is a loss of confidentiality. Added to this is the need to protect the privacy of individuals and prevent unlawful access to their information. This includes, but is not limited to, information held by banks, hospitals (medical records), medical laboratories and medical research, the tax office, and many others.
When private information is circulating on an insecure network, it may be subject to many forms of misuse, including theft and corruption. Data corruption occurs when information is modified by a third party, resulting in a loss of integrity for that data. It is important to note that information can be modified by people with or without malicious intent; for this reason, confidential information must be kept secure at all times, to avoid both accidental tampering (such as human error) and intentional tampering.
It is always important to maintain data integrity during any type of communication, but in critical cases such as EFT (electronic funds transfer), military and security agency communications, and air traffic control, maintaining data integrity becomes an absolute necessity. This means that extreme measures should be taken to prevent data from being deleted, modified, or becoming inaccessible. The loss or inaccessibility of data in such circumstances can translate to severe physical outcomes.
To secure data availability on the network, it is important to reduce network outages as much as possible, because the availability of the network itself is extremely important. If the network is down, users will not be able to reach it or any of the resources available on it.
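The integrity discussion above describes modification in transit being detected; the following is an added example (not part of the original page) of how a receiver detects it. A keyed message authentication code (HMAC-SHA256) is attached to a constructed EFT-style instruction; any change to the payload, accidental or deliberate, leaves the tag inconsistent and the message is rejected. The account identifiers, amounts and field names are constructed for illustration, and the shared key is assumed to have been provisioned to both endpoints out of band.

```python
"""Detecting loss of integrity in transit with a keyed MAC (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed shared secret. In practice both endpoints receive it out of band;
# a third party without the key cannot produce a valid tag for altered data.
SHARED_KEY = secrets.token_bytes(32)


def canonical(message: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(message: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the message."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"payload": message, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time. False means integrity was lost."""
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))


def transfer_demo() -> dict:
    """Constructed EFT-style instruction: one clean delivery, one altered in transit."""
    instruction = {"from": "ACC-001", "to": "ACC-002", "amount": "250.00", "currency": "GBP"}
    envelope = seal(instruction)

    # Modification in transit (human error or malice): the amount changes, the tag does not.
    tampered = {"payload": dict(envelope["payload"], amount="2500.00"), "tag": envelope["tag"]}

    return {"clean_accepted": verify(envelope), "tampered_accepted": verify(tampered)}


if __name__ == "__main__":
    print(transfer_demo())  # {'clean_accepted': True, 'tampered_accepted': False}
```

The canonical serialisation matters: if sender and receiver encode the same fields in different key orders or with different whitespace, a legitimate message would fail verification, so both sides must agree on the byte representation before the tag is computed.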
Organisations have to apply some form of security to restrict unlawful access to data stored on their networks. This is mainly achieved by using authentication and authorisation:
- Authentication on a network provides proof that a network user is indeed the person they claim to be, either by asking the user to input a password (something they know), present a smartcard (something they have), or supply a biometric such as a fingerprint (something they are). Additional steps such as CAPTCHA help ensure that the log on is being performed by a person and not by some automated means.
- Authorisation on a network provides proof that a certain network user has the right to read a file, run a program, delete a folder, or perform other network activities. Companies create profiles for employees so that their access and security levels are commensurate with their role within the firm.
It is important to understand that authentication and authorisation work together, because a user needs to be authenticated first before they can be authorised to perform network activities.
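The two steps above, and the order they must happen in, as an added worked example that is not part of the original page. Authentication checks "something the user knows" against a salted PBKDF2 hash (passwords themselves are never stored) and issues a session token; authorisation then maps that session to a role profile whose permissions are commensurate with the job. An unauthenticated token is refused before any permission is consulted. The role names, actions and user accounts are constructed for illustration.

```python
"""Authentication then authorisation for a small network service (added example)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# tune it upward in production in line with current guidance.
PBKDF2_ITERATIONS = 200_000

# Role profiles (constructed): each role gets only the rights its job requires.
ROLE_PERMISSIONS = {
    "clerk": {"read_file"},
    "analyst": {"read_file", "run_program"},
    "admin": {"read_file", "run_program", "delete_folder"},
}


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    role: str


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password; the plaintext is never retained."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccessControl:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, str] = {}  # session token -> username
        # Decoy salt so an unknown username costs the same time as a wrong password,
        # which keeps the response from revealing which usernames exist.
        self._decoy_salt = os.urandom(16)

    def register(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = User(username, salt, derive_key(password, salt), role)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Proof of identity (something they know). Returns a session token or None."""
        user = self._users.get(username)
        salt = user.salt if user else self._decoy_salt
        candidate = derive_key(password, salt)
        if user is None or not hmac.compare_digest(candidate, user.password_hash):
            return None
        token = secrets.token_hex(32)
        self._sessions[token] = username
        return token

    def authorise(self, token: str, action: str) -> bool:
        """Proof of right. Only an authenticated session is checked against its role."""
        username = self._sessions.get(token)
        if username is None:
            return False  # not authenticated, so there is nothing to authorise
        role = self._users[username].role
        return action in ROLE_PERMISSIONS[role]


if __name__ == "__main__":
    ac = AccessControl()
    ac.register("alice", "correct horse battery staple", "analyst")
    token = ac.authenticate("alice", "correct horse battery staple")
    print(ac.authorise(token, "run_program"), ac.authorise(token, "delete_folder"))
```

Note that authorisation never looks at the password or the username supplied by the caller, only at the session the earlier authentication step created; that is what makes the ordering the text insists on enforceable rather than a convention.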
Security Breaches and Intrusions
Types of Threats
When you want to assess the security threats to a system, you need to consider the effects of the following threat sources:
- Natural disasters: Earthquakes, cyclones, floods, tsunamis, etc.
- Environmental threats: Water damage, chemicals, power outages, etc.
- Human threats: These can be divided into intentional and unintentional threats. Intentional threats consist of deliberate actions by people with malicious intent, such as virus infection, network attacks and unauthorised access. Unintentional threats are mainly the result of human error, whereby people modify or delete information by mistake. Although mistakes will occur, the onus is on the business to have robust systems and training procedures in place to prevent them. Data protection agencies will treat such instances as serious breaches where appropriate steps have not been taken to ensure the security of personal data.
The most important thing you need to do before undertaking a threat assessment for your information is to determine the level of sensitivity of that information with respect to the various stakeholders, along with the sources, nature and circumstances of the threats to it. The cost of safeguarding against those threats must also be weighed; it includes:
- The time managers spend in planning for risk mitigation.
- The time employees spend in implementing the risk mitigation plans.
- The time employees spend in backing up data.
- The costs of purchasing additional media for storing data and software.
- The time and costs of providing training to staff about new procedures.
- Any additional costs arising from contracting support from alternative sites for redundancy, offsite backups, and secure data storage.
Risks can be classified according to their likelihood, the impact they would cause if they happened, and the costs the business would incur if its stakeholders decided to establish safeguards against them.
Information security requires risks to be managed and mitigated. Steps need to be taken to ensure systems, processes, and training programs in place are as robust as possible, and take into account as many potential risks and contingencies as possible.
After a business undertakes a risk assessment for its information system, the stakeholders will need to determine the appropriate financial costs of ensuring the protection of data on the systems the business employs.
When implementing security for a home computer or a business alike, one needs to assess the security threats to the information system, regardless of how small or large it is. However, the existence of threats to a system does not mean that harm will arise; it simply means that the system administrators are aware of the threats and should use this knowledge to develop action plans to mitigate the risk of each one.
A threat is only harmful to a system if the system contains some sort of vulnerability to this particular threat. A vulnerability assessment is required to identify the degree of susceptibility of a particular system to any possible threat to this system.
Safeguards are usually adopted by organisations to counter vulnerabilities in systems. For example, many companies and businesses choose to install lightning rods on their buildings to avoid being hit by a lightning strike. These lightning rods are considered to be safeguards against lightning strikes because if a lightning strike hits the building, the rods will help divert the strike, thus protecting all the electrical and electronic systems in the building. Safeguards against power surges and power failures include using surge protectors and UPS systems (uninterruptible power supply).
When discussing vulnerability assessment for an information system, or any other system, it is important to understand the term “risk assessment”. The first question you should ask yourself is: what is ‘risk’? In everyday use, the term risk often stands in for terms like ‘harm’, ‘threat’ and ‘vulnerability’. In the world of information security, however, risk denotes the likelihood of a threat causing harm to a particular information system by exploiting vulnerabilities in that system.
In the digital age information security is a significant challenge
As technology moves on, the threats to security increase and change. In a post-GDPR environment, a company cannot simply blame system or procedural faults after an event. Not only will breaches attract significant fines, but as individuals become more aware of threats and more protective of their own data, a company's reputation can suffer irreparable damage.
Do you work in IT, run your own business, or hold a management position where you are responsible for ensuring the integrity of data handling and storage procedures?
By training and increasing your knowledge and awareness, you will have the tools to mitigate risks and to work actively in a role where a business's data, and that of its contacts, suppliers and clients, is adequately protected.
You can enrol on our Information Security course today as an active step towards safeguarding your business. If you have any questions, or want to know more about IT systems or managing a business, then get in touch with our specialist tutors today. They will be pleased to answer your questions and look at different study options to meet the training needs of you or your employees.