Many companies have an information security and risk management strategy, but such a strategy does not typically include all that is necessary to decrease the digital risk to the organisation; by incorporating aspects of cybersecurity within the risk management strategy, the organisation is able to provide a higher level of security to its stakeholders. The process through which such a change can be made is a relatively simple one, though implementation can be complex, depending on the current size of the business and its available resources. An information security and risk management strategy provides the organisation with the framework through which the company is able to protect company data and the information infrastructure in which it is contained (Nazareth & Choi, 2015). Information security is solely concerned with the security of the data and the network of hardware and software on which it is contained and accessed, while cybersecurity expands this concept to include “the protection of information resources, …other assets” and the person or persons to whom the information belongs (Von Solms & Von Niekerk, 2013, p. 97).
The basic IT security risk management strategy typically includes the following components: business awareness, defining the strategy, developing the strategy, and identifying metrics and benchmarks that can be used to ensure that the organisation’s strategy is in alignment with industry standards and in compliance with all legal mandates (Pironti, 2010). Soomro, Shah, and Ahmed (2016) noted that the use of information technology (IT) security measures alone is insufficient to provide the digital protection that an organisation needs; basing their conclusions on an extensive synthesis of the existing literature, the researchers found that a more holistic approach, one that includes the basic components of cybersecurity practice, is necessary in order to protect the integrity of the organisation’s network. If an organisation is to protect its company data and its clients’ information, the IT security risk management strategy of the organisation must be expanded to include cybersecurity practices.
The basic approach to IT risk management requires the application of the COBIT 5 framework, integrating aspects of audit and assurance, risk management, information security, regulatory compliance, and IT governance (ISACA, 2018). These are all features internal to the organisation, focusing on the protection of data from within and often failing to address external threats. The ideal network administrator will incorporate aspects of cybersecurity into the risk management strategy of the organisation, oftentimes without making a distinction between the two, which makes it easy to incorporate further aspects of cybersecurity within the organisation’s IT risk management practices (Von Solms & Von Niekerk, 2013).
While the IT security risk management practices and strategies of the organisation will depend on the size of the organisation, the amount of digital data it uses, and the resources available to it, the vast majority of businesses integrate computers to one degree or another. In light of this technological integration, there are several basic cybersecurity practices that may be integrated regardless of the size of the organisation. These include, but are not limited to, the presence and use of antivirus software, the presence and use of antimalware software, the presence and use of a firewall, the use of encryption to send sensitive information over the internet, the use of logins and passwords to restrict which individuals can access the system, and network monitoring. Still further, basic policies about remote access to the system, the level of access available remotely, and even whether the organisation’s internet connection can be used by non-employees must all be taken into account and integrated into the IT security practices in order to reduce the risk of a cyber threat to the organisation.
The network administrator must be able to distinguish between malicious and non-malicious risks to the network and to the company data, and must determine the degree of risk that he or she finds acceptable. All ports not in use should be closed to through traffic, and access to the network should be limited to the minimum required for individuals to do their jobs, further decreasing the potential risk to the organisation if an individual’s login information is compromised. Still further, all login information should be changed every four to six months in order to decrease the potential risk, and all logins for employees who no longer work for the company should be deactivated immediately, particularly in instances where remote access to the system was allowed.
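The credential-rotation and offboarding rules above can be checked mechanically against an account roster. The following script is an added example, not part of the essay, and assumes a constructed roster and a six-month ceiling as the hard limit for the "four to six months" rotation rule; accounts of departed staff are rated higher when remote access was permitted, since no physical presence is then needed to use them.

```python
from datetime import date

# Policy thresholds taken from the text: credentials rotated at least every
# six months (assumed hard ceiling), departed staff deactivated immediately.
MAX_CREDENTIAL_AGE_DAYS = 183

# Constructed sample roster (not real data): one record per user account.
ACCOUNTS = [
    {"user": "alice", "active": True,  "employed": True,  "remote": False, "pw_changed": "2018-03-01"},
    {"user": "bob",   "active": True,  "employed": False, "remote": True,  "pw_changed": "2018-04-10"},
    {"user": "carol", "active": True,  "employed": True,  "remote": True,  "pw_changed": "2017-09-01"},
    {"user": "dave",  "active": False, "employed": False, "remote": False, "pw_changed": "2017-01-01"},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def audit_accounts(accounts, today):
    """Return (user, severity, finding) tuples for every active account that
    violates the offboarding or credential-rotation policy, worst first."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # a disabled account needs no further checks
        if not acct["employed"]:
            # Former employee still enabled: remote access widens the exposure.
            severity = "high" if acct["remote"] else "medium"
            findings.append((acct["user"], severity, "active account for former employee"))
        age = (today - date.fromisoformat(acct["pw_changed"])).days
        if age > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((acct["user"], "low", f"credential not rotated for {age} days"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


def run_sample_audit(today_iso="2018-05-19"):
    """Audit the constructed roster as of the given ISO date."""
    return audit_accounts(ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, severity, finding in run_sample_audit():
        print(f"[{severity.upper():6}] {user}: {finding}")
```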
To prevent further concerns, the organisation should integrate cybersecurity policies into its general IT policies for staff, including, but not limited to, not accessing the network for personal reasons, not downloading or installing any programs on company computers, not opening unknown attachments, and providing information on how to deal with phishing emails and other cyber threats. By making employees aware of what should and should not be done on the network, and of how to protect themselves and the company from basic cyber threats, the risk to the organisation as a whole is reduced. Indeed, the argument could be made that the point at which people interact with the network is the most vulnerable point in cybersecurity integration. While it is easy to believe that all individuals who use the technologies that have become such an integral part of our world will be aware of simple practices like not sharing their passwords or being sure to log out of a terminal once they are done with it, this assumption would be patently false. This writer has worked at companies where employees have, without thought or concern, freely stated their system login credentials to other employees in the presence of customers. If a customer had any malicious intent, all he or she would need to do would be to access the network remotely and log in with that employee’s information in order to start wreaking havoc on the network. There is a disconnect within many employees, causing them to treat their work credentials and access with less care than they would their own personal information, providing a singular opportunity for those who would target organisations.
Computer and network hacks, network breaches, data breaches, and general and targeted attacks have created some of the largest problems for consumers and for organisations in recent years (Greengard, 2016). The drive to place more and more information in a digital format, a byproduct of the constantly connected mentality of today’s society, has resulted in the presence of a treasure trove of information just waiting to be acquired, and given that information is the currency of today’s society, the need to protect it is now greater than ever (Greengard, 2016). Cybersecurity practices are not yet able to meet all digital threats, and with new threats arising daily, there is a marked need to ensure that as many cybersecurity practices are incorporated into the IT risk management strategy as possible, offering the best safeguards for the business. As with all things digital, however, each strategy should be tailored to the specific needs of the organisation, and without an idea of the organisation, its field, its resources, or its size, only general suggestions and recommendations as to how to integrate those practices can be offered, as is the case in the suggestions herein.
- Greengard, S. (2016). Cybersecurity gets smart. Communications of the ACM, 59(5), pp. 29-31.
- ISACA (2018). COBIT 5: A business framework for the governance and management of enterprise IT. [online] Isaca.org. Available at: http://www.isaca.org/cobit/pages/default.aspx [Accessed 19 May 2018].
- Nazareth, D. and Choi, J. (2015). A system dynamics model for information security management. Information & Management, 52(1), pp. 123-134.
- Pironti, J. (2010). Developing an Information Security and Risk Management Strategy. [online] Isaca.org. Available at: https://www.isaca.org/Journal/archives/2010/Volume-2/Pages/Developing-an-Information-Security-and-Risk-Management-Strategy1.aspx [Accessed 19 May 2018].
- Soomro, Z., Shah, M. and Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp. 215-225.