As organizations worldwide take advantage of information technology to reduce cost and increase performance, and digital information is shared and made available over internetworked computers, the risk of data security breaches is an increasing concern. Several major risks that concern Information Technology (IT) professionals and business owners are system breakdown, disaster recovery, and data integrity, which are also among the most significant potential business risks. Security threats come from attacks (a) on connectivity, such as IP spoofing, email spam, viruses and malicious spyware; (b) on data, such as destruction of data, modification of data, disclosure of information, and interruption of services; and (c) on the environment, such as power outages, disasters, and viruses (Farahmand, Navathe, Sharp & Enslow, 2005).
With those security risks present in an IT environment, business risks will be significant if no security assessment is performed and no security protection plan is implemented. According to Tran and Atkinson (2002), businesses today are equipped with most of the effective security protections, such as data encryption to protect data, the Secure Sockets Layer (SSL) protocol to encrypt transmissions, and biometric authentication to control physical access. For most organizations with heavy use of computers and digital equipment, a “locked down” IT environment secures the business. However, the limitation of this environment is the inflexibility of software application updates. IT professionals have to weigh a balance between practicality, cost, comfort, and security measures, as the “locked down” IT environment requires administrative action for every change. IT professionals also need the full support of executives, who need to understand the potential risks.
My IT department believes that a locked-down IT environment will be more beneficial for the business of the Agency. We utilize the remote desktop server from Microsoft Windows 2008 and HP thin clients. Besides the Cisco firewall, we enable authentication certificates on all internet connections with SSL web traffic, except the static web server. We redirect email to two interceptors for virus checking and spam filtering before it hits the front-end Exchange server for all incoming emails. End users cannot use personal email accounts within the Agency’s network, and Websense is used to filter and block internet web traffic.
End users are human beings, so it is common for them to abuse technology unethically. In my organization, a payroll supervisor changed the payroll data to increase his own salary. A database administrator changed financial data through the back end without documentation. Farahmand et al. (2005) suggested that personnel are a potential threat when they exceed their privileges and authorities. Both of these employees were prosecuted and fired. Since then, the IT department has recognized the importance of the issue and has had a third party periodically conduct security risk assessments and measurements across all systems and the network to deter such unethical behavior and practices.
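The two incidents above share a detectable pattern: a change to a sensitive record by someone who should not have been able to make it unobserved. As an added example (not code from the original post, and not the Agency's own systems), the following Python script runs two checks over application and database audit events: a user modifying their own payroll record, and a direct back-end change to a financial table with no change ticket attached. The log format, the field and table names, and the sample lines are constructed assumptions for the illustration.

```python
"""Audit-log checks for the two insider-abuse patterns described above.

Added example, not the original post's code. The log format below is a
constructed assumption: one event per line with a timestamp followed by
key=value fields. 'owner' is the employee whose record was changed,
'src' is 'app' (through the payroll application) or 'backend' (direct
database access), and 'ticket' is the change-control reference or '-'.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (not real data). Line 2 is a supervisor
# raising his own salary; line 3 is an undocumented back-end edit.
SAMPLE_LOG = """\
2024-03-01T09:12:03 actor=jsmith src=app table=payroll owner=aramirez field=salary old=52000 new=54000 ticket=HR-1042
2024-03-01T09:15:44 actor=jsmith src=app table=payroll owner=jsmith field=salary old=61000 new=75000 ticket=-
2024-03-02T22:41:10 actor=dba01 src=backend table=gl_entries owner=- field=amount old=1500.00 new=150.00 ticket=-
2024-03-02T22:45:00 actor=dba01 src=backend table=gl_entries owner=- field=amount old=900.00 new=950.00 ticket=CHG-2210
"""

# Tables whose direct modification must always be tied to a change ticket.
SENSITIVE_TABLES = {"payroll", "gl_entries"}


@dataclass
class AuditEvent:
    ts: str
    actor: str
    src: str
    table: str
    owner: str
    field: str
    old: str
    new: str
    ticket: str


def parse_line(line: str) -> AuditEvent:
    """Split 'ts k=v k=v ...' into an AuditEvent; raises KeyError if a field is missing."""
    ts, *kvs = line.split()
    d = dict(kv.split("=", 1) for kv in kvs)
    return AuditEvent(ts, d["actor"], d["src"], d["table"], d["owner"],
                      d["field"], d["old"], d["new"], d["ticket"])


def parse_log(text: str) -> List[AuditEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_self_modifications(events: List[AuditEvent]) -> List[AuditEvent]:
    """Segregation-of-duties check: nobody may edit their own payroll record,
    with or without a ticket."""
    return [e for e in events if e.table == "payroll" and e.actor == e.owner]


def find_undocumented_backend_changes(events: List[AuditEvent]) -> List[AuditEvent]:
    """Change-control check: direct database edits to sensitive tables
    must reference a change ticket."""
    return [e for e in events
            if e.src == "backend" and e.table in SENSITIVE_TABLES and e.ticket == "-"]


def run_checks(text: str) -> Dict[str, List[str]]:
    """Run both checks and return human-readable findings keyed by check name."""
    events = parse_log(text)
    return {
        "self_modification": [
            f"{e.ts} {e.actor} changed own {e.table}.{e.field} {e.old}->{e.new}"
            for e in find_self_modifications(events)
        ],
        "undocumented_backend_change": [
            f"{e.ts} {e.actor} edited {e.table}.{e.field} {e.old}->{e.new} with no ticket"
            for e in find_undocumented_backend_changes(events)
        ],
    }


if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_LOG).items():
        for f in findings:
            print(f"[{check}] {f}")
```

The first line of the sample log is not flagged: a supervisor adjusting someone else's salary with a ticket is the normal case, and the fourth line is not flagged because the back-end edit carries a ticket. What the checks catch is exactly the combination the post describes, a privilege being used on one's own record or a back-end path that bypasses the documented process, which is why both checks depend on the audit trail recording who the record belongs to and how the change was made.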
Farahmand, F., Navathe, S. B., Sharp, G. P., & Enslow, P. H. (2005). A management perspective on risk of security threats to information systems. Information Technology and Management, 6(2–3).
Tran, E., & Atkinson, M. (2002). Security of personal data across national borders. Information Management & Computer Security, 10(5).