Risks and Vulnerabilities of Online Data and Security Measures

Added on 2019/09/19

Risks and Vulnerabilities
Computing
Student Name:
Student ID:
Course Name:
Course ID:
Faculty Name:
University Name:
Table of Contents
Introduction
Research Aim and Objectives
Risks and vulnerabilities of online data
Role of an organization in maintaining data privacy and security
Conclusion
References
Introduction
This paper assesses the risks and vulnerabilities of online data within an organizational
setup. Companies operate in a challenging environment with numerous internal and external
threats. Threats take different forms and can be associated with any organizational function
(Parakh and Kak, 2009). If the goal is effective and efficient functioning of the organization,
it is important that risks are identified in good time and effective measures are taken.
This paper focuses on the risks and vulnerabilities associated with the online data stored by
the organization. The role of the organization in maintaining data privacy and security is
also assessed. Threats to online data security grow day by day as technology advances.
Identifying these threats, to both the physical and virtual parts of the system, helps the
organization formulate strategies at the right time.
Research Aim and Objectives
The aim of this paper is to identify the threats associated with online data security and the
actions an organization can take to safeguard its online data. The objectives are to identify
and analyse fifteen risks and vulnerabilities of online data for the organization, along with
fifteen measures organizations can adopt to keep that data safe.
Risks and vulnerabilities of online data
This section is concerned with the identification and analysis of the risks and vulnerabilities
of the online data of the organization.
1. Default passwords in use
Leaving default passwords in use allows anyone who knows them to gain unauthorized access to
the system. Employees and management within the organization do not change the passwords out
of laziness (Kaufman, 2009). In most cases they do not consider it a major security concern,
and so it turns into a major risk area.
2. Poor disposal of storage media
Employees disposing of storage media without any appropriate measure can leak sensitive and
business-critical information to competitors. Simply throwing away non-functioning devices is
not an appropriate method: if the storage media no longer works, that does not mean the
information stored on it cannot be retrieved.
3. Inadequate security awareness
In most cases, the employees working within the organization are not sufficiently aware of how
to store and use information safely. In some cases the lacklustre attitude of employees turns
into risky situations such as poor upkeep of system passwords and sharing critical information
with unauthorized employees within the organization.
4. Insufficient software testing
Implementations of new software are routine in software-dependent organizations. As the
organization considered for this study depends on software for most of its activities, testing
is a necessity (Pfleeger and Pfleeger, 2002). Inadequate testing leaves loopholes in the
system that are later exploited by malicious individuals.
5. Inappropriate access control policy
An access control policy that does not control who may access the system and when makes it
hard to identify the individuals who could use the information against the organization. An
access control policy without levels within the system allows everyone to access sensitive
material.
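The policy described above, controlling who may act on which data and when, with access levels, can be expressed in code. The following is an added example, not code from the original paper or from the organization it studies; the roles, users, clearance levels and working hours are constructed for illustration. Anything the policy does not explicitly grant is denied.

```go
package main

import (
	"fmt"
	"time"
)

// Level is a sensitivity classification; higher values are more sensitive.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Restricted
)

func (l Level) String() string {
	return [...]string{"public", "internal", "confidential", "restricted"}[l]
}

// Role bundles what the policy grants: a clearance ceiling, the permitted
// actions, and the hours of the day (start inclusive, end exclusive) during
// which the role may be used. Role names below are constructed examples.
type Role struct {
	Clearance Level
	Actions   map[string]bool
	Hours     [2]int
}

// Policy is the organization's access control policy: the defined roles and
// the role each user holds. Whatever is not granted here is denied.
type Policy struct {
	Roles map[string]Role
	Users map[string]string // user -> role name
}

// Resource is a piece of data together with its classification level.
type Resource struct {
	Name  string
	Level Level
}

// Decision records the outcome and the reason, so it can go to an audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize answers "who may do what, to which data, and when": the user must
// hold a defined role, the role must permit the action, the request must fall
// within the role's hours, and the clearance must cover the resource level.
// Any other case is denied (deny by default).
func (p Policy) Authorize(user, action string, r Resource, at time.Time) Decision {
	roleName, ok := p.Users[user]
	if !ok {
		return Decision{false, "unknown user " + user}
	}
	role, ok := p.Roles[roleName]
	if !ok {
		return Decision{false, "user " + user + " mapped to undefined role " + roleName}
	}
	if !role.Actions[action] {
		return Decision{false, fmt.Sprintf("role %s may not %s", roleName, action)}
	}
	if h := at.Hour(); h < role.Hours[0] || h >= role.Hours[1] {
		return Decision{false, fmt.Sprintf("role %s not permitted at %02d:00", roleName, h)}
	}
	if r.Level > role.Clearance {
		return Decision{false, fmt.Sprintf("clearance %s is below resource level %s", role.Clearance, r.Level)}
	}
	return Decision{true, fmt.Sprintf("%s on %s via role %s", action, r.Name, roleName)}
}

// ExamplePolicy is a constructed policy with three levels of access.
func ExamplePolicy() Policy {
	return Policy{
		Roles: map[string]Role{
			"intern":  {Clearance: Internal, Actions: map[string]bool{"read": true}, Hours: [2]int{8, 18}},
			"analyst": {Clearance: Confidential, Actions: map[string]bool{"read": true, "write": true}, Hours: [2]int{7, 20}},
			"dpo":     {Clearance: Restricted, Actions: map[string]bool{"read": true, "write": true, "export": true}, Hours: [2]int{0, 24}},
		},
		Users: map[string]string{"alice": "analyst", "bob": "intern", "dana": "dpo"},
	}
}

func main() {
	p := ExamplePolicy()
	payroll := Resource{"payroll-2019.xlsx", Restricted}
	at := time.Date(2019, 9, 19, 10, 0, 0, 0, time.UTC)
	for _, u := range []string{"alice", "bob", "dana", "mallory"} {
		d := p.Authorize(u, "read", payroll, at)
		fmt.Printf("%-8s read %-18s allowed=%-5v %s\n", u, payroll.Name, d.Allowed, d.Reason)
	}
}
```

Every denial carries a reason, which is what makes the "identification of the individuals" the paper asks for possible: the audit log shows not just that access failed but which rule blocked it.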
6. Uncontrolled use of information systems
The information systems within the organization have unrestricted access, and anyone can use
any system for personal and private purposes. This makes it difficult for the organization to
identify the individual from whom a problem originates. Information systems within the
organization require some restriction on both fronts, virtual and physical.
7. Lacking cyber-security policy
An organization with no cyber-security policy places no default restrictions on mission-critical
aspects and thus leaves itself vulnerable to external security threats (Parakh and Kak, 2011).
Policies restrict unauthorized use of the system.
8. Bring your own device policy
Considering the cost of installing many computer systems, and for employee convenience, the
organization allows employees to bring their own devices to use within the company. This is
very risky if the organization engages in sensitive activities, because external parties can
compromise employees' personal phones and laptops, which are easier to compromise than the
organization's systems.
9. Limited recovery plan provisions
Loss of information and threats from hackers are always imminent for organizations. This poses
a major threat if the organization has no recovery plan (Miyazaki and Fernandez, 2001). A
recovery plan is also called a backup plan, to be used when such an issue arises.
10. Lack of encryption
Encryption allows secure end-to-end transfer of information. The organization being studied
relies little on encryption technology because of the cost involved. This leaves a loophole
that a third party can use to eavesdrop.
11. External cyber-attacks
Cyber-attacks from outside the organization leave it vulnerable. Various interested parties
would like to access the organization's business-sensitive information, such as competitors,
small and large hacking groups seeking personal gain, and others.
12. Lack of disaster recovery plan
Disaster refers to threats arising from natural calamities, which become devastating and risky
if the physical storage and systems are not safely placed or have no recovery provision.
13. Unauthorized use of computers/laptops
As stated earlier, allowing easy access to the personal laptops and computers of employees and
of the organization can lead to risky situations.
14. Installing unauthorized software
Allowing staff members to install software that is not recommended by the organization or
does not come from an authorized source creates risk. The new software might leave the
existing system vulnerable to external threats.
15. Unprotected documents
Sharing documents in unprotected form can be used as a means to transfer viruses and Trojans
from one computer to another. Documents carrying viruses look like any other document but
contain automated code that starts running in the background once the document is opened.
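A defender's first check for the "looks like a usual document" case is whether an Office document carries a macro project at all. The following is an added example, not code from the original paper: it treats an OOXML document as the zip container it is and flags a VBA project part (conventionally `vbaProject.bin`, declared with the `application/vnd.ms-office.vbaProject` content type) inside a file whose extension claims to be macro-free. The documents it scans are constructed in memory and are not real Word files; a real deployment would run this alongside antivirus scanning, not instead of it.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding summarises what the scan found in one document.
type Finding struct {
	HasVBA         bool     // a VBA project part or its content type is present
	Parts          []string // zip entries that triggered the finding
	ExtensionMatch bool     // the extension admits macros (.docm, .xlsm, ...)
}

const vbaContentType = "application/vnd.ms-office.vbaProject"

// macroExtensions lists OOXML extensions whose format is macro-enabled.
var macroExtensions = map[string]bool{
	".docm": true, ".dotm": true, ".xlsm": true, ".xltm": true, ".pptm": true,
}

// ScanOOXML inspects an OOXML container (a zip archive) for a VBA project,
// both by part name and by the content type declared in [Content_Types].xml.
func ScanOOXML(filename string, data []byte) (Finding, error) {
	f := Finding{ExtensionMatch: macroExtensions[strings.ToLower(path.Ext(filename))]}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return f, fmt.Errorf("%s: not a zip container: %w", filename, err)
	}
	for _, entry := range zr.File {
		if strings.EqualFold(path.Base(entry.Name), "vbaProject.bin") {
			f.HasVBA = true
			f.Parts = append(f.Parts, entry.Name)
			continue
		}
		if entry.Name == "[Content_Types].xml" {
			rc, err := entry.Open()
			if err != nil {
				return f, err
			}
			body, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // cap the read; zips can lie about sizes
			rc.Close()
			if err != nil {
				return f, err
			}
			if bytes.Contains(body, []byte(vbaContentType)) {
				f.HasVBA = true
				f.Parts = append(f.Parts, entry.Name)
			}
		}
	}
	return f, nil
}

// Suspicious is the policy decision: a VBA project inside a file whose
// extension claims to be macro-free is flagged. Honestly labelled .docm
// files are left to the organization's software policy.
func Suspicious(f Finding) bool { return f.HasVBA && !f.ExtensionMatch }

// buildDoc constructs a minimal OOXML-shaped zip for the demonstration.
// It is a constructed sample, not a real Word document.
func buildDoc(withVBA bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	types := `<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>`
	if withVBA {
		types += `<Override PartName="/word/vbaProject.bin" ContentType="` + vbaContentType + `"/>`
	}
	add("[Content_Types].xml", types+`</Types>`)
	add("word/document.xml", `<w:document/>`)
	if withVBA {
		add("word/vbaProject.bin", "placeholder bytes, not a real VBA project")
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	cases := []struct {
		name string
		vba  bool
	}{{"report.docx", false}, {"invoice.docx", true}, {"macros.docm", true}}
	for _, c := range cases {
		f, err := ScanOOXML(c.name, buildDoc(c.vba))
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-13s vba=%-5v parts=%v suspicious=%v\n", c.name, f.HasVBA, f.Parts, Suspicious(f))
	}
}
```

The check keys on the content type as well as the part name because the part name is a convention, not a requirement; the content-type declaration is what the application actually uses to locate the project.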
Role of an organization in maintaining data privacy and security
There are various aspects the organization can cover to ensure that its privacy and security
are maintained. Given below are fifteen legal and professional responsibilities of the
organization that can be adopted for effective privacy and security:
1. Engaging senior management in data security
The organization can engage senior management to look after data security provisions. This
creates a sense of responsibility among subordinate employees to take these aspects seriously.
2. Appointing data protection officers
The organization can create a dedicated position, the data protection officer, to look after
this aspect. The officers oversee the fair use of information and track the incoming and
outgoing data of the organization.
3. Assigning individual roles for data security
Individuals should be assigned specific roles for data security, and no single individual
should be burdened with all the responsibilities (Casalo et al., 2007). This ensures effective
and timely action from the responsible individual when needed and reduces confusion.
4. Constant communication with privacy centre
Setting up an effective communication mechanism with the privacy centre ensures that the
organization stays informed in advance of the kinds of data breaches and challenges that are
likely to occur.
5. Engaging stakeholders
The stakeholders associated with the organization, whether internal or external, should be
engaged and motivated to ensure the security of organizational information.
6. Training employees for awareness
Training the employees working in the organization is the major step that can be taken to
ensure the security of the organization. In most vulnerable cases, employees have been found to
create loopholes in system security, knowingly or unknowingly (Carlos et al., 2009). It is
important that the organization provide training on IT security from day one.
7. Conducting EPRA periodically
An Enterprise Privacy Risk Assessment (EPRA) should be conducted periodically to ensure that
everything is working as expected and nothing falls through the cracks. External agencies that
conduct security assessments can be used for this activity.
8. Integrating data privacy and business risk
The organization should not treat data privacy as separate from running the business. Data
privacy should be counted as a business risk and given special treatment, since in the
information age the security of data is what matters most.
9. Developing privacy strategy
Organizational heads should prepare strategies to handle the privacy of data. Strategy
development should consider various internal and external threats. Beyond forming the
strategy, the major aspect is its effective implementation.
10. Maintaining personal data inventory
The personal data inventory should be managed properly. There are two aspects to this,
physical and virtual. The physical system containing the stored data must be placed in a
location far from physical threats such as theft and natural or man-made disasters. Periodic
assessment of data inventory security helps with effective maintenance. Apart from that, there
should be a proper backup of the current data inventory so that organizational activities
continue despite challenges.
11. Implementing organizational code of conduct
The organization should implement a code of conduct that directs information system use and
handling. This guides employees on how to handle the various security aspects. The code of
conduct should be handed to employees on their first day so that they become acquainted with
the necessary aspects from the beginning.
12. Policies for data collection and use
The organization should implement policies that cover the necessary aspects of data collection
and use. The policies should also be communicated to employees, as the mere existence of
policies that employees do not know about can still be a risk.
13. Provision for employee identification
The organization must have proper provisions to identify each employee. Technology-assisted
systems can help ensure that no unauthorized individuals gain access to the organization or
its systems.
14. Appropriate use of encryption tools
Encryption tools should be brought into use to ensure secure end-to-end communication and
protection from eavesdropping. Documents and other forms of data should be encrypted before
storage (Tebaa et al., 2012), and documents should also be sent in encrypted form. Though this
method is cumbersome, it is secure.
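Both the "lack of encryption" risk above and this measure come down to the same operation: encrypt a document before it is stored or sent, so that a third party who obtains the bytes can neither read nor silently alter them. The following is an added example, not code from the original paper or from any tool it names. It uses AES-256-GCM from Go's standard library, which gives confidentiality and integrity in one step; the key handling is simplified (a fresh random key) and in practice the key would come from a key management system, never the document store itself. The document contents and identifier are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize selects AES-256.
const keySize = 32

// NewKey returns a fresh random key. Constructed for the demo; a real system
// fetches the key from a KMS or HSM.
func NewKey() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document with AES-256-GCM. A random nonce is generated per
// call and prepended to the output. header (for example a document id) is
// authenticated but not encrypted, so it can be read for filing yet cannot be
// swapped onto a different ciphertext without detection.
func Seal(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or header makes
// the authentication check fail, and no plaintext is released.
func Open(key, header, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, header)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or data altered in storage or transit")
	}
	return pt, nil
}

// Corrupt flips one byte of a stored blob, standing in for disk corruption or
// modification by a third party, to show that Open refuses it.
func Corrupt(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	header := []byte("doc-id: constructed-0001") // constructed document identifier
	doc := []byte("Q3 payroll summary (constructed sample text)")
	blob, err := Seal(key, header, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, starts %x\n", len(blob), blob[:8])
	pt, err := Open(key, header, blob)
	fmt.Printf("open with right key: %q err=%v\n", pt, err)
	_, err = Open(key, header, Corrupt(blob))
	fmt.Printf("open after corruption: err=%v\n", err)
}
```

The same Seal output can be written to disk or sent over the network; the receiver needs only the key and the header. Because GCM authenticates, a tampered file fails loudly on Open rather than yielding silently wrong contents.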
15. Maintaining security certification
Integration with a security certification body such as ISO can be considered an important
step, as it provides independent evaluation of the various security and control provisions
(Calder and Watkins, 2008).
Conclusion
Overall, effective steps from organizational heads can ensure that the organization stays safe
from external and internal threats. Periodic assessment of internal and external threats is
important for effective security. The impact of security provisions, if done right, can be
positive for the employees and for the other direct or indirect stakeholders of the company.
The organization stores a great deal of information about the individuals living in the
society in which it operates. Therefore, if the organization safeguards its information, it
indirectly safeguards the privacy of the thousands of customers who shared their private
information in trust. Due to advances in information technology, more and more people are
becoming aware of these systems, which is positive news for easy maintenance. On the other
hand, there are still large sections of employees who are unaware of technical security
provisions. It should be the organization's initial responsibility to educate its employees
before making further moves.
References
Calder, A. and Watkins, S., 2008. IT governance: A manager's guide to data security and
ISO 27001/ISO 27002. Kogan Page Ltd.
Carlos Roca, J., José García, J. and José de la Vega, J., 2009. The importance of perceived
trust, security and privacy in online trading systems. Information Management & Computer
Security, 17(2), pp.96-113.
Casalo, L.V., Flavián, C. and Guinaliu, M., 2007. The role of security, privacy, usability and
reputation in the development of online banking. Online Information Review, 31(5), pp.583-603.
Kaufman, L.M., 2009. Data security in the world of cloud computing. IEEE Security &
Privacy, 7(4).
Miyazaki, A.D. and Fernandez, A., 2001. Consumer perceptions of privacy and security risks
for online shopping. Journal of Consumer Affairs, 35(1), pp.27-44.
Parakh, A. and Kak, S., 2009. Online data storage using implicit security. Information
Sciences, 179(19), pp.3323-3331.
Parakh, A. and Kak, S., 2011. Space efficient secret sharing for implicit data security.
Information Sciences, 181(2), pp.335-341.
Pfleeger, C.P. and Pfleeger, S.L., 2002. Security in computing. Prentice Hall Professional
Technical Reference.
Tebaa, M., El Hajji, S. and El Ghazi, A., 2012, July. Homomorphic encryption applied to the
cloud computing security. In Proceedings of the World Congress on Engineering (Vol. 1, pp.
4-6).