ITC596 Assessment: IT Risk Management in Cloud Computing Analysis
Added on 2023/06/10
AI Summary
This report delves into the IT risk management challenges associated with cloud computing, addressing topics such as unauthorized access to confidential data, data security threats from vendors, legal and compliance risks, lack of data control, and internet downtime issues. The report then presents a case study of a 2018 data breach at Svitzer, a shipping company, where employee data was compromised due to email account hacking and vulnerabilities in security measures. The analysis highlights the vulnerabilities exploited, including inadequate security guidelines and lack of employee training. The report concludes with recommendations to mitigate future risks, including adopting more secure email providers, implementing two-step verification and strong firewalls, and providing comprehensive employee training on security protocols. These measures aim to protect data and enhance the overall security posture of organizations using cloud computing services.

IT Risk Management

Topic 1
Cloud Computing
The popularity of cloud computing and cloud-based services has increased
substantially over the past decade. Cloud computing refers to the practice of using a
network of remote servers hosted on the internet, which individuals and organisations
can use to store, process and manage their data as an alternative to a personal
computer or a local server (Jadeja & Modi, 2012).
IT Risks associated with Cloud Computing
The following are a number of risks faced by individuals and organisations that
rely on cloud computing technology to store, manage or process their data.
Unauthorised access to confidential business data and customer information
Along with the popularity of cloud computing infrastructure among organisations, the
number of cyber-attacks on business data has increased as well. Both large and small
entities use cloud computing technology in their organisations because it saves
operating costs and improves efficiency (Zissis & Lekkas, 2012). It has become easier for
cybercriminals to gain unauthorised access to business data in order to collect confidential
information regarding the corporation. Furthermore, they also collect private customer
data, which negatively affects the reputation and profitability of the company.
Data security threat at the vendor
Generally, organisations use public cloud services provided by corporations such as
Amazon Web Services and Microsoft Azure, which offer their services at effective costs.
However, these vendors are also vulnerable to IT threats; thus, the data of
corporations is at risk if the security of their vendor is breached (Hashem,
Yaqoob, Anuar, Mokhtar, Gani & Khan, 2015).
Legal risks and compliance
While using cloud computing technology, corporations are required to comply with a
large number of data security regulations which are implemented by the government with
the intention to protect a specific type of data such as private data of customers. The
regulations put restrictions on where the data is kept, who is allowed to access the
data and how the data is protected. If corporations use the public cloud, then they
outsource the data management procedure, and they rely on third-party vendors to
comply with these regulations (Chen & Zhao, 2012). If any of these regulations are
breached, the corporations suffer legal consequences which affect their profitability.
Lack of control over data
Most organisations cannot afford to establish private cloud servers to use cloud
computing, so they rely on the services of third-party vendors. Because of this
reliance, corporations do not have effective control over their data, which increases
many IT-related threats (Dutta, Peng & Choudhary, 2013). For example, if a
corporation fails to pay its cloud usage bill, it cannot access its data, which makes it
difficult for the company to run its operations.
Internet and downtime issues
Organisations have to rely on a high-speed internet connection while using cloud
computing, and they also face downtime during which they cannot access their data.
Thus, without high-speed internet or during downtime, corporations cannot access their
data, which affects their profitability (Zissis & Lekkas, 2012).

Topic 2
Summary of the attack
In 2018, the shipping company Svitzer faced a data breach which
affected more than half of its employees working in Australia. In this attack, the email
accounts of three Australian employees were auto-forwarding the company’s emails to
outsiders. This leak continued for a period of 11 months (Bogle, 2018). The perpetrator
has not yet been identified by the corporation. The breach started on 27th May of the last
year, and it affected various departments of the corporation, including finance,
operations and payroll. Nicole Holyer, head of communication at Svitzer, said after the
attack that the corporation quickly stopped the auto-forwarding of messages right after
being alerted to it on 1st March.
Forensic IT experts started investigating the matter and found that sensitive
private information of over 500 employees was leaked; the corporation employs
around 1000 employees in Australia (ITNews, 2018). The information which was lost includes
superannuation account numbers, tax file numbers, names of next of kin and others.
According to Troy Hunt, security analyst, this incident is not typical, and most cyber-attacks
are focused on collecting large volumes of data (Bogle, 2018). The attack occurred
because the perpetrator had hacked into the accounts of employees and created an email
rule to forward emails to two external email accounts. Although the name of the
email provider has not been provided, Ms Holyer clarified that it is one
which many people use.
Vulnerabilities exploited
The hackers were able to hack into the accounts of employees, which shows that the
security guidelines of the company were not appropriate. The corporation was not using
additional security measures such as two-step verification. Due to the lack of training,
employees were not able to find out that they were being hacked by the perpetrator
(Hannan, 2018). Furthermore, the email provider was a popular one, which shows that
hackers can easily hack into the services of larger organisations which take a large number
of security measures. Although the threat was accidental, because Troy Hunt stated
that hackers focus on targeting large volumes of data, it shows that they also focus on
small breaches.
Recommendations
The following security measures can protect the data of the corporation in the future.
The corporation should use a more secure and private email provider that has fewer
users and high security standards. It would assist in avoiding the risk of hackers
getting into the accounts of employees and changing their settings.
The corporation should invest in adopting new security measures such as two-step
verification, strong firewalls and antiviruses. The IT department should continuously
monitor IT infrastructure to check whether a breach has occurred or not.
Lastly, the corporation should provide training to its employees to ensure that they
are competent to understand the security requirements of the services which they use,
and that they are able to identify when cybercriminals are hacking them. It will protect
the data of the company in the future.
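
The monitoring recommended above can include a routine audit of mailbox rules, since the breach relied on an email rule that forwarded messages to external accounts. The following is an added example, not part of the original report; the rule export format, field names, domains and dates are constructed assumptions and do not reflect any particular email provider.

```python
from datetime import date

# Assumption: the organisation's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"corp.example"}
# Rule actions that send a copy of a message elsewhere (hypothetical names).
FORWARDING_ACTIONS = {"forward", "redirect"}

# Constructed sample of exported mailbox rules. The field names are hypothetical
# and do not follow any particular provider's export schema.
SAMPLE_RULES = [
    {"mailbox": "payroll@corp.example", "action": "forward", "enabled": True,
     "targets": ["inbox77@freemail.example"], "created": "2024-01-10"},
    {"mailbox": "ops@corp.example", "action": "redirect", "enabled": True,
     "targets": ["duty@au.corp.example"], "created": "2024-02-01"},
    {"mailbox": "finance@corp.example", "action": "forward", "enabled": False,
     "targets": ["cfo@corp.example", "copy@corp.example.freemail.example"],
     "created": "2024-03-15"},
    {"mailbox": "hr@corp.example", "action": "move_to_folder", "enabled": True,
     "targets": [], "created": "2024-04-02"},
]


def is_external(address, internal_domains):
    """True when the address is outside every internal domain and its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwards(rules, internal_domains, today):
    """Return forwarding rules with external recipients, oldest first.

    Disabled rules are reported too: a rule that was switched off still shows
    that mail left the organisation while it was active.
    """
    findings = []
    for rule in rules:
        if rule["action"] not in FORWARDING_ACTIONS:
            continue
        external = [t for t in rule["targets"] if is_external(t, internal_domains)]
        if external:
            age = (today - date.fromisoformat(rule["created"])).days
            findings.append({"mailbox": rule["mailbox"], "external_targets": external,
                             "enabled": rule["enabled"], "age_days": age})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_RULES, INTERNAL_DOMAINS, date(2024, 6, 1)):
        print(f)
```

Sorting by rule age puts long-lived forwarding rules first, which matters for a leak that ran unnoticed for months.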

References
Bogle, A. (2018). Svitzer employee details stolen in data breach affecting almost half of its Australian employees. Retrieved from http://www.abc.net.au/news/2018-03-15/sensitive-data-stolen-from-global-shipping-company-svitzer/9552600?section=technology
Chen, D., & Zhao, H. (2012). Data security and privacy protection issues in cloud computing. Computer Science and Electronics Engineering (ICCSEE), 1, 647-651.
Dutta, A., Peng, G. C. A., & Choudhary, A. (2013). Risks in enterprise cloud computing: the perspective of IT experts. Journal of Computer Information Systems, 53(4), 39-48.
Hannan, E. (2018). Data theft hits hundreds of employees at tugboat operator. Retrieved from https://www.theaustralian.com.au/news/nation/data-theft-hits-hundreds-of-employees-at-tugboat-operator/news-story/8a272b58bd1bfe947a9ecf17f0505b1a
Hashem, I. A. T., Yaqoob, I., Anuar, N. B., Mokhtar, S., Gani, A., & Khan, S. U. (2015). The rise of “big data” on cloud computing: Review and open research issues. Information Systems, 47, 98-115.
ITNews. (2018). First data breach publicised under Australian notice scheme. Retrieved from https://www.itnews.com.au/news/first-data-breach-publicised-under-australian-notice-scheme-487143
Jadeja, Y., & Modi, K. (2012). Cloud computing-concepts, architecture and challenges. Computing, Electronics and Electrical Technologies (ICCEET), 877-880.
Walker, J. (2018). Hack against Maersk subsidiary results in loss of employee data. Retrieved from https://portswigger.net/daily-swig/hack-against-maersk-subsidiary-results-in-loss-of-employee-data
Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation computer systems, 28(3), 583-592.