Security Threats in Businesses

• Musa Hajara Muhammad

Introduction

The business environment is becoming a fast paced globalized economy that depends on information and data carried via open channels. As a business organization, it is critical to maintain and protect both physical and virtual property that is being owned against intruders, potential theft and other acts that could cause loss of any form. Dominos, for example, one of the biggest pizza delivery company faced a massive data breach where customer information was made public, hence resulting in loss of sales and customers. In today’s global, digital world, data rules. Safeguarding intellectual property, financial information, and a company’s reputation is a crucial part of business strategy. With the number of threats and the sophistication of attacks increasing, safeguarding becomes a formidable task.Businesses, both small and big are under massive attacks by external agents in order to get credit card information and other confidential data which can be have a negative impact on the growth of the business. However, this security threats are not limited to attacks from the outside, but also from within the firm (BusinessSecurity, 2013).

A recent survey shows that 80% of security breaches are caused by insiders- most often employees, more than 20% of attacks on the corporate WEB sites come from the inside, almost 30% of companies, experience more than 5 attacks from the inside every year. However, it has also been argued that having too much security may affect business processes. According to Cowan (2012), while there are various security solutions to help protect businesses from potential reputational or financial damage, a heavy investment in business security solutions may have a counter-productive impact on the business. It can affect the corporate culture, flow of information and operational processes, leading to inefficiencies and productivity loss (Cowan, 2012). On the other hand, being too permissive can have the same result, with employees able to access, share, lose or damage sensitive data too easily (Cowan, 2012).

According to Cowan, business security needs to be tailored to each business depending on their respective risks and business objectives, that is, Security measures must neither be so restrictive that they affect business processes, nor too relaxed and thereby causing harm (Cowan, 2012). The key is to weigh up all the risks and vulnerabilities, potential consequences and controls, and then decide which information assets to protect and which can be accessed and shared openly without major consequences. Following a risk-based approach will lead to business growth and spending the right amount of time and money on the right level of protection in the right areas (Cowan, 2012).

As a result of the negative issues of security threats to businesses, many companies today are adopting a corporate security strategy. Corporate securityidentifies and effectively mitigates or manages, at an early stage, any developments that may threaten the resilience and continued survival of a corporation. It is a corporate function that oversees and manages the close coordination of all functions within the company that are concerned with security, continuity and safety (Wikipedia, 2010). Core components of corporate security includes personal security, physical security, information security, corporate governance, compliance and ethics program, crime prevention and detection, fraud deterrence, investigations, risk management, business continuity, and crisis management (Wikipedia, 2010). While it takes effecting time planning to implement, Bordoloi (2012) argues that developing an effective governance approach to corporate security results in five basic outcomes:

• Reduced risks and potential business impacts to an acceptable level;
• Strategic alignment of security with the enterprise strategy and the organizational objectives;
• Business value generated through the optimization of security investments with organizational objectives;
• Preserved and increased market share due to the reputation for safeguarding information;
• Efficient utilization of security investments that support organization’s objectives.

Also Adhering to a good corporate security policy can assist senior management to help them make decisions and then pass the essential actions to those in management positions. Al-Awadi & Renaud (2008) argue that implementing an effective security solution can be complex and time consuming, stating that while it can slow a firm growth due to the resources involved, it is the key strategy for the sustainability of a firm in the 21^st century. Al-Awadi & Renaud (2008) identified five key factors for the successful implementation of a business security strategy. They include awareness and training, budget, management support, Information Security Policy Enforcement and Adaptation and organization mission.

Critical success factors for security policy implementation

Dhillon (1999) argues that, organizations must have ongoing education and training programs to achieve the required outcome from the implementation of an information security policy. The 2002 security awareness index report cited by McKay (2003) concluded that organizations around the world are failing to make their employees aware of the security issues and the consequences. Hone & Eloff (2002) explain that the behaviour and attitudes of employees towards information security will be more in line with secure behaviour if top management demonstrates concern, therefore it is suggested that the tone of security is set by the attitudes of those at the top of the organization (Hinde, 1998). Management won’t act to support the information security unless they can see that it supports the organization’s core business function (Blake, 2000).

Hence they must be convinced of the importance of information security before they will to provide sufficient budget, and act to enforce the information security policy (Von Solms, 1999). Also, Bjorck (2002) describes budget as the financial facility which firstly rationally estimates the costs and secondly assesses the access required to the resources to achieve successful implementation of information security. Organizations require adequate funding (Doherty & Fulford, 2005) to achieve effective information security. “Budgets generally depend on the manner in which individuals’ investments translate to outcomes, but the impact of security investment often depends not only on the investor’s own decisions but also on the decisions of others” (Anderson & Moore, 2006, p.612 ). Lack of information security budgeting in organizations leads to under- investment in appropriate controls (Dinnie, 1999).

Moreover, Fung et al. (2003) explains that a good security policy is the keystone to a sustainable business growth. There is no doubt that the adoption of a security policy is the initial measure that must be in place to minimize the threat of unacceptable use of any of the organization’s information resources. And lastly, Siponen (2001) explains that in terms of security, organizations usually do nothing as long as nothing goes wrong, but when things do go wrong, they suddenly pay attention and a lot of effort is required to recover from the situation, even though sometimes full recovery is impossible. Some of the experts said that the organization’s clear goals and objectives are essential in implementing security policies and that having a culture of secure information in the organization will affect its success.

Conclusion

Information is knowledge, and knowledge is power. Businesses are beginning to understand the need to demonstrate to customers that their information is being handled securely, especially in the light of numerous data breaches such as the NSA scandal. When customers are aware that the information a firm possesses about them is highly secured, they tend to build confidence in such a firm, and invest even more. What has been discovered from the analysis above is that firms that are concerned about security are more likely to survive both internal and external threats posed to them. However, due to the complexity of implementing these security initiatives, certain schools of thought are of the opinion that it may take firms concerned with security time to grow. These thoughts have led to the emergence of security analysts, data managers, network and security engineers, and other security personnel who specialize in safe guarding company data and information from various mishaps.

In recent years the amount of money pumped into security firms around the world simply goes a long way to reiterate the fact that firms are getting keener about security investment. $15 million pumped into Cylance, $23 million into EndGame, and a whopping $50 million into FireEye are a few from the several investment deals reached with tech security companies. (Bryon Acohido, 2013).

Investing in security can cost a company a large amount of its resources, but not adequately investing in securing its most valuable asset, which is information can cause a company to totally shut down in the case of any data exposure or loss. Alpex Consulting Africa Managing Director, Joseph Kibe, in Kenya said,

“Organizations have lost a lot of data and there must be a lot of losses incurred because of customers’ data being thrown away when information leaks to the wrong hands. The economy has to wake up and secure this information…if you walk into an insurance firm, a bank, or a hospital, is your information secure? That is what will determine who makes it …”

For a successful security policy, organizations must institute security policies to prevent unauthorized access to their resources. Steps must be taken to ensure that employees get the required awareness and security training to make them aware of the security issues and the consequences of insecure behavior. Moreover, the results suggest the ethos of security must come from the top of the organization to encourage a serious attitude from employees and an expectation that they will comply with the organization’s security policy rules and regulations.

A point worthy of note is that, for a firm to think about security in the first instance, it must already have a decent amount of presence over the internet. This alone, can make a company gain more profit and recognition due to its global presence. Most security breaches occur in the most developed of countries, and this is because of the level of advancement in technology, and also sophistication in cybercrime. A country who is just at the developing stage seldom experiences high level of security mishap. This goes a long way to say that the level of development in a country can be directly proportional the amount of cybercrime that occurs in that country.

Implementation of security won’t be possible if a sufficient budget is not allocated. Clear organizational mission statements and goals result in positive employee behavior and positive attitudes towards securing the organization’s information assets. Just like a car, building, or machine, information is an asset, and the most valuable in this era of information technology. Safeguarding such a valuable asset will in no way slow down the growth of a firm, but set it apart from its adversaries.

References

Bordoloi, C. (2012) 5 Benefits of Proper IT Security Governance URL: http://www.enterprisecioforum.com/en/blogs/cj-bordoloi/5-benefits-proper-it-security-governance Accessed (23/06/2013)

Bjorck, F., 2002. Implementing Information Security Management Systems – An Empirical Study of Critical Success Factors.

Wikipedia (2010) Corporate Security URL:http://en.wikipedia.org/wiki/Corporate_security Accessed (23/06/2013)

Dhillon, G., 1999. Managing and Controlling Computer Misuse. Information Management & Computer Security, Vol. 7, No. 4, pp. 171-175.

Doherty, N. F. and Fulford, H., 2005. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Information Resources Management Journal, Vol. 18, No. 2, pp. 21-39.

DeviceLock (2012),Corporate security: risks of the insiders attack URL: http://www.devicelock.com/articles/detail.html?CODE=corporate_security Accessed (23/06/2013)

Business Security (2013) Understanding Business Security URL:http://www.businesssecurity.net/ Accessed (23/06/2013)

Cole, E (2010) Importance of cyber security to protect your business URL: http://www.securityhaven.com/specialist/cyber-security-for-business.html Accessed (23/06/2013)

Hone, K. & Eloff, J.H.P. 2002. What makes an Effective Information Security Policy. Network Security, Vol. 20, No. 6,pp. 14-16.

Fung, P., Kwok, L. & Longley, D. 2003. Electronic Information Security Documentation. Australian Computer society,

Vol. 21.

Dinnie, G., 1999. The Second Annual Global Information Security Survey. Information Management & computer

security, Vol. 7, No. 3, pp. 112-120.

Hind, S. 2002. Security Surveys Spring Crop. Computers and Security, Vol. 21, No. 4, pp. 310-321.

McKay, J. 2003. Pitching the Policy: implementing IT Security Policy through Awareness. SANS Institute.

Von Solms, R. 1999. Information Security Management: Why Standards are Important. Information Management & Computer Security, Vol. 7, No. 1, pp. 50-57.