Business Brief for Management Unit
March 27, 2013 Leave a comment
Limiting the vulnerability of
Sunshine Medical Supplies
to computer security incidents
Assessment Item 1 • Management
1.0 Introduction
This brief will provide two (2) recommendations for limiting the vulnerability of Sunshine Medical Supplies (Sunshine) Information Technology (IT) infrastructure to internal and external cybercrime and “Distributed Denial of Service” (DDoS) attacks, as described in The Sydney Morning Herald news article “Rise in cyber attacks on Australian businesses” (Moses, 2013) (Appendix A). IT infrastructure is a core component of Sunshine’s customer relationship management (CRM) system, enabling Sunshine to provide superior customer service through the collection and management of customer data (Samson & Daft, 2012, p. 60), and providing financial services to all sites. Strategies for limiting vulnerability outlined in this brief are investment in IT security policies and awareness training for all employees, and development of a Technological Crisis Management (TCM) Plan (Davis, 2005).
2.0 Analysis of Topic
2.1 Advantages
Improved IT security policies and staff awareness will reduce Sunshine’s vulnerability computer security incidents (CSIs), which comprise “any unauthorised use, damage, monitoring attack or theft of business information technology”, including viruses and other malicious code (malware), spyware, phishing, sabotage of network or data, online fraud, and DDoS attacks (Hutchings, 2012, p. 2, Richards & Davis, 2010, p. 1). Incidents of extortion using “ransomware” are on the rise in Australia (CERT Australia, 2012, p. 22).
Motivation for attacks include targeted and indiscriminate attacks, financial gain, hactivism, personal grievance, and extortion (CERT Australia, 2012, pp. 19-28). Research indicates monitoring employee engagement and addressing grievances can limit vulnerability to internal attacks (Strohmeier, 2013), which account for 44% of reported CSIs (CERT Australia, 2012, p. 4). Sunshine can limit vulnerability through improved policies targeting common employee IT activities and providing training to identify and respond to external breaches.
Sunshine risks significant financial and market losses in the event of a successful CSI. A 2009 report indicated Small and Medium Enterprises may lack the capacity to detect and prevent CSIs, increasing their vulnerability to attack (Richards, 2009, p. iv). Implementation of a TCM plan will enforce security as a core business value, and provide employees with ongoing awareness of current CSI trends and the appropriate response (Davis, 2005). Encouraging individuals to actively contribute to organisational goals aligns with Sunshine’s ‘Theory Y’ management policies (Samson & Daft, 2012, pp. 55-56).
2.2 Disadvantages
Significant investment is required to develop a TCM Plan and provide training across all Sunshine sites, with no certainty of experiencing attacks (Davis, 2005, p. 124). If vulnerabilities are eliminated, the IT system will not experience CSIs, limiting Sunshine’s ability to assess return on investment and justify expenses. Ongoing assessment and maintenance of a TCM Plan requires participation from all employees, risking alienating employees who consider it intrusive (Davis, 2005, p. 128).
3.0 Recommendations
The development of a TCM plan will limit losses in the event of an attack, enabling Sunshine to respond effectively and minimise impact on operations. Short term impacts include significant financial and other losses, exposure to law suits when security breaches involve customer data, and increases in operational costs (Choo, 2011, p. 720), justifying this investment.
It is recommended Sunshine invest in the development IT security and awareness training for all employees and a TCM plan to enable Sunshine to limit financial loss and defend market position in the event of a targeted or random CSI.
Reference List
CERT Australia. (2012). Cyber Crime & Security Survey Report 2012. Retrieved from http://www.canberra.edu.au/cis/storage/Cyber%20Crime%20and%20Security%20Survey%20Report%202012.pdf
Choo, K.-K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVZ2xDcMwDARVZIWkzgICZIq2pDqI4QGcAUiKv_8IkYAUzgasiPsHcQzhydnWZDRJVKtXEQP1rKpQkLj8lW2Xbb7fw2d_n68j_v4ARKO0UqSlO0QbIQtvg2_U5z2cNsOYoFdLpTSZYjNmoExFHqMOlJC8OXtbHuE2srR_AX6ZJrM. doi:10.1016/j.cose.2011.08.004
Davis, B. J. (2005). PREPARE: seeking systemic solutions for technological crisis management. Knowledge and Process Management, 12(2), 123-131. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVV3JDcMwDPMjK7TvLGCgkRTXfhcNOkAzgA5r_xEiB3m0E_BDSKRAUCnNhLo-FIYSldorszoYioiLA3f-O7b9TPPtlvbt_X198vUHIOsoKMtQjJqxBn0UoC1kSMJOhZ-xPWs_I5IoayA2K8xnKZwbhtQYyGW5pym8dD8AS64l2A. doi:10.1002/kpm.220
Moses, A. (2013, 18 February). Rise in cyber attacks on Australian businesses, The Sydney Morning Herald. Retrieved from http://www.smh.com.au/it-pro/security-it/rise-in-cyber-attacks-on-australian-businesses-20130218-2em94.html#ixzz2LCv9SUo1
Richards, K. (2009). The Australian business assessment of computer user security: a national survey. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwY2BQMEwFHwOVmJxiZp5oYp4CbPOnJJsbJxmmGpknWaQZoAy2IZXmbqIMMm6uIc4euoWlJfHQ4Yv4JCNzUA8OWBeJMbAAu8SpAEuQFyM
Samson, D., & Daft, R. L. (2012). Fundamentals of management. South Melbourne, Vic: Cengage Learning.
Strohmeier, S. (2013). Employee relationship management — Realizing competitive advantage through information technology? Human Resource Management Review, 23(1), 93-104. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVV25DcMwDFSRFeI6CwiwTFKi6yCGB_AC4rf_CGGAFEnNgg1xD6-4Uh6rIdpGZpt0HaNNAFd0nJRiVkD-nm0_aH7cy3W8rudZvz0AVZlbpXBimclkEUkwqYExHD7x0dDeHJB72ERhE9kxj1QkcugrKIHm0qXc0kr7G9KIJXI. doi:10.1016/j.hrmr.2012.06.009
Appendix A
Cyber attacks against Australian businesses are on the rise (Moses, 2013)
Date February 18, 2013 – 11:13AM
Cyber attacks against Australian organisations are on the rise with over one fifth of 255 major firms surveyed for a new government report owning up to being targeted in the past year.
Of those targeted a further 20 per cent said they had experienced more than 10 “cyber security incidents”. One organisation reported the theft of 15 years’ worth of critical business data.
The 2012 Cyber Crime and Security Survey Report, commissioned by national computer emergency response team CERT Australia and conducted by the University of Canberra was released on Monday.
The report said those who reported no cyber incidents were likely to not have detected them.
More than half of the affected organisations surveyed believed the attacks on their firm to be targeted (rather than indiscriminate), with the majority coming from external sources but 44 per cent originating from within the organisation.
Attacks involved the use of malicious software such as “ransomware” and “scareware”, and trojans to steal confidential information, and denial-of-service campaigns.
This is despite 90 per cent of respondents reporting the use of antivirus software, spam filters and firewalls, and 65 per cent having IT security staff with tertiary level IT qualifications.
In late September last year CERT Australia received calls from more than 25 organisations being targeted by ransomware, which involved attackers scaring victims into handing over money or risk losing their data.
Another example included in the report was in early last year when CERT Australia received reports from a range of financial firms who had their websites targeted with DDoS attacks, knocking them offline, and demanding they made a payment.
“Cyber attacks have shifted from being indiscriminate and random to being more coordinated and targeted for financial gain,” said Attorney-General Mark Dreyfus.
“Most attacks occur from outside the business, although it appears internal risks are also significant.”
At a time when it only takes one naive employee clicking on a malicious email attachment to breach a corporate network, the report found “many organisations are not confident that cyber security is sufficiently understood and appreciated by staff, management and boards”.
One fifth of the targeted organisations said they did not report the cyber incidents to a law enforcement agency because they feared negative publicity.
The most common way hackers broke into organisations was by using powerful automated attack tools or exploiting software holes or misconfigured systems. A third of attacks involved the theft of notebooks, tablets or mobiles.
In January Prime Minister Julia Gillard announced that CERT Australia would soon be part of a new Australian Cyber Security Centre, which aims to develop a comprehensive understanding of cyber threats facing the nation.
However, in Senate estimates last week it was revealed there would be no new funding for the centre with 95 per cent of staff coming from Defence and no independent leadership.