
Cyber Security

For Internal Corporate Setting

ENGL 3080 - Business Writing
Kyle Maidens • Kelsey Tucker • Jay Scroggins
November 15, 2017

Table of Contents

Introduction
Defining Cyber Security
The Importance of Addressing Cyber Security
Reputation
Operational
Financial Repercussions
Solutions
Prevention
Policy Change and Implementation
Employee Training
Security Software
Mantraps
Encryption Key Management
Host Intrusion Detection System (HIDS)
Conclusion

Introduction

Cybersecurity is a high priority for businesses and corporations that use digital infrastructure. It is designed to protect digital systems from unauthorized access. With constant technological evolution, cyber security requires businesses and corporations to continuously educate themselves and their employees to ensure a protected digital infrastructure. Along with digital evolution, hackers develop innovative methods of infiltration into company systems. Therefore, it is vastly important for businesses and corporations to explore the multitude of preventative measures against a cyber security attack.

Repercussions of cyber-attacks range from a dismantled reputation to a completely dismantled company that has lost its finances and clients. Cyber-attacks can greatly affect a business’s future and how the world views the company. According to Business Insider [1], numerous attacks have occurred this year, including a massive cyber-attack on Ukraine in June. Not only did the attack affect airports, banks, and government offices of Ukraine, but surrounding countries such as Russia, France, Germany, and Norway were also affected [1]. If attacks can affect entire countries, businesses and corporations are at an even greater risk of being attacked if they are not equipped with the right protective measures.

To equip businesses and corporations with the right tools to prevent cyber-attacks, our team has outlined what cyber security and cyber security breaches are, along with suggestions to protect digital systems from unauthorized access. We explain the multiple cyber security methods and how breaches can happen. For digital security, we offer suggestions for company policies, employee training, and software to install for protection. These options are intended for internal corporate settings.

Defining Cyber Security

Cyber security is a broad spectrum of methods that can be used as protective measures for a company’s digital content. The Digital Guardian [2] defines cyber security as referring to a body of technologies, processes, and practices used to protect networks, devices, data, and programs from attack, damage, or unauthorized access. Cyber security’s foundational job is to protect data on a digital device for an individual, a group of individuals, or a large company. Along with the mentioned technologies, such as protective software used for security measures, practices of cyber security include policies, whether a personal policy for using your own device or company policies for employees.

For a company’s internal measures for cyber security, a large portion of basic security measures are employee policies. Implementing employee policies regarding safe cyber activity within the company can save a business from a multitude of attacks. Policies range from how employees use company computers and devices for personal use to changing passwords every several months and properly communicating company information across networks. Although policies for each company may be different, the purpose of the policies is to protect the business they are associated with along with the business’s customers. Policies can and should be tailored for each company so the policies work best for the setting they reside in.

For internal security regarding software, there are many types of software a company can purchase depending on what content needs to be protected. TechTarget [3] says that the most common software companies invest in is application software, which uses software, hardware, and procedural measures to protect applications from external threats. Since applications are so easily accessible, application security is an important protective software for cyber security.

For companies that deal with sensitive information that can be of monetary value (information that can be stolen and sold), information security is the proper implementation for these companies. Information security, or infosec, is a set of strategies that maintain the chosen methods that are used by the company to prevent cyber attacks [3]. The basic function of infosec is to ensure that sensitive information stays with the authorized parties and there is no unauthorized access. Infosec programs are typically run by an outside party hired by a company [3]. Their scope of protection resides in preventing access by ransomware, malware, phishing, and identity theft.

Defining Cyber Security Breaches

TechTarget [4] defines a cyber security breach as sensitive, protected, or confidential data being obtained by an unauthorized individual. Margaret Rouse [4] lists personal health records, personal information, trade secrets, and intellectual property as data commonly at risk of hacking. According to Privacy Rights Clearinghouse [10], 156,736,615 files of data breaches have been recorded for 2017; however, only 422 have been made public. Cyber hacks and breaches do not receive much media coverage, so many business owners and corporate executives are not educated enough on how often and easily breaches occur.

Not only do breaches happen often, they can happen in many forms and by many methods according to Roger Grimes from CSO [5]. Below are the three most popular methods of cyber breaches in companies.

● Socially Engineered Malware

Users are tricked into installing programs from websites that they deem trustworthy and have visited often. Instead of normal website coding, malware interferes with the website.

● Password Phishing Attacks

Users receive emails appearing legitimate. After opening the email, a rogue link interferes, asking for personal or confidential information.

● Outdated Software

Outdated software such as Adobe Reader is vulnerable to attacks. Software that is outdated leaves holes for cyber hackers to use phishing or malware techniques.

Aside from the technicalities of cyber-attacks, breaches can also occur from the negligence of employees. According to Figure 9 in the Ponemon Institute Research Report [6], 38% of cyber breaches occur from lack of adequate employee training. We conducted a survey that asked forty-five employees about their knowledge of policies regarding company devices and company protection software. In Figure 1 from the survey, 53.3% said either that their employer does not use protective software or they were unsure. In Figure 2, almost 50% of respondents said that their employer does not have policies on using company devices.

Figure 1 (pie chart): Does your company or employer use cyber security software? Yes 47%, Not Sure 29%, No 24%.

Figure 2 (pie chart): Yes 58%, No 42%.

The Importance of Addressing Cyber Security

Businesses and corporations are relying more on technology to facilitate business transactions and daily operations. Technology reliance requires those in charge to be educated and to educate others on digital infrastructure within their company. If employees are inadequately trained or misinformed about a company’s digital system and policies, the consequences can result in a business becoming obsolete. Cyber-attacks can damage a company’s reputation in society, cause monetary loss, and sometimes destroy it beyond repair.

For example, ITnews [11] reported that the travel agency Flight Centre confirmed a data breach in July caused by human error. In May 2017, DataBreaches.net [12] reported a breach that occurred in New York at Kaleida Health when patient information was leaked through a phishing scam on an employee’s email account. An unauthorized third party was able to infiltrate Kaleida’s record system to obtain patient information. These breaches, along with many others that have occurred this year, show the importance of preparing for potential cyber-attacks. Simple phishing and email scams have impacted these businesses. If clients feel unsafe with a business, said business will lose clients, which will lead to monetary loss.

Reputation

As reported by The Guardian, one of the largest cyber-attacks of 2017 was the attack on Deloitte, one of the largest accounting firms in the world [13]. Six of Deloitte’s largest clients were impacted by the email server breach. It was reported that an administrator’s account was breached so hackers would have access to sensitive information. It was also noted the password entry was only a one-step entry, not a two-step verification. Since Deloitte specializes in offering suggestions on cyber security to their clients, they claimed this breach as an embarrassment, especially regarding their own field of work. Though Deloitte is a large company that is not easily dismembered, this blow to reputation impacts not only their company, but their clients. Consumers do not want to be associated with a business that cannot protect itself. Deloitte’s email breach shed a negative light on them, as if they were not capable of protecting themselves and their clients from a cyber-attack.

Operational

In October 2017, Integrity Cabinets suffered a ransomware cyber-attack that shut down production for three days [14]. Since Integrity Cabinets is a smaller business, they were not aware of ransomware attacks. Even though 80% of their infrastructure exists digitally, this was new territory for them. This ransomware attack included demands of money estimated at $9,000. Though this sum does not seem large, it still put a dent in their money and profits, on top of shutting down production for three days.

Financial Repercussions

With both Deloitte’s email server breach and Integrity Cabinets’ ransomware attack, financial repercussions were evident. Deloitte’s client list had the risk of being diminished from a weakened public opinion. Deloitte’s breach spread a lack of trust in them across their consumers, which could push clients to leave their business. For Integrity Cabinets, the halt of production dipped into their profits. Not only did it shut down production for three days, their order placement system was also compromised. The ransomware encrypted files so employees did not have access to them in order to work within company programs. The surface level of financial repercussions for Integrity Cabinets was the ransom demand of $9,000. This money dipped into their budget. They could have used this money for repairs to their machinery or for new machinery. The amount of the demand allows the company to pay without breaking even but still lose a decent amount of money.

Solutions

There are many solutions to cyber security ranging from policy implementation to software installment. Solutions are simple steps and methods that can save a company from a devastating blow to company reputation and even monetary loss. Below, we have outlined three types of preventative solutions.

Prevention Policies

Prevention measures are simple steps employers can implement in their employee policies. According to the 2015 Cost of Data Breach study by the Ponemon Institute posted on IBM [9], 19% of cyber-attacks occur because of an employee’s negligence. Employee training and annual review of policies can reduce the risk of cyber-attacks. Since technology advances frequently, annual education meetings are important so everyone stays up-to-date on cyber protection. The following are steps from Homeland Security that an employee can take to prevent a cyber-attack [7].

● Avoid Unknown Links in Emails (also called Phishing)

Clicking on a link to an unknown source in an email is one of the most common ways for hackers to gain access to your or your company’s personal information. This is a method known as phishing.

● Do Not Share Personal Information

Sharing company information can be devastating. It is common to receive phone calls that claim to be from retailers or collection agents that need your information. These people are often actors and should not be trusted. If possible, get the caller’s name and a callback number just in case they get a hold of any information.

● Change Passwords Regularly

Changing your password makes it more difficult for a hacker to access personal information. Avoid using common words and include other characters such as numbers and symbols.

● Keep Your Software Up to Date

Software updates are usually free and only take a few minutes to download. Hackers have the ability to access older software, so keeping it up to date is important.

● Pay Attention to Website URLs

Another way for hackers to access your or your company’s personal information is to trick you into going onto a malicious website. They often make the site’s URL slightly misspelled or have it use a different domain. For example, instead of amazon.com, a hacker may create “amazzon.com” or “amazon.net.” This may go unnoticed by many people when they click on a link. This is why website URLs should be read carefully before accessing.

● Lock Devices When Stepping Away From Them

Leaving a computer or other device unlocked and unattended is a risky action and may attract hackers.

● Education

If employees are not knowledgeable about what a phishing email or malware looks like, then attacks are more likely to happen from employees carelessly maneuvering through the internet on company devices. For employers, it can be helpful to test employees by running simulated phishing attempts or sending mock emails from an unknown source. A quiz on cyber security is also a good way to learn about an employee’s knowledge on the subject and how much they need to be taught. From these simulated exercises, employers can evaluate what topics of cyber security
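
The URL check described under “Pay Attention to Website URLs” can also be automated, for example in a mail filter or web proxy. The Python below is an added example, not part of the original report; the allowlist, function names and sample URLs are constructed assumptions, and it also covers a trusted name used as a subdomain, which goes beyond the two cases in the text.

```python
from urllib.parse import urlsplit

# Assumption: the organisation maintains its own allowlist of real domains.
TRUSTED = ("amazon.com",)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive: last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify(url: str, trusted=TRUSTED, max_typos: int = 1) -> str:
    """Return 'trusted', 'unknown', 'invalid' or 'lookalike-<kind>:<domain>'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"
    domain = registrable(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return f"lookalike-tld:{good}"        # e.g. amazon.net
        if 0 < edit_distance(name, good_name) <= max_typos:
            return f"lookalike-typo:{good}"       # e.g. amazzon.com
        if host.startswith(good + ".") or f".{good}." in host:
            return f"lookalike-subdomain:{good}"  # trusted name as a prefix
    return "unknown"

# Constructed sample URLs (not taken from any real incident).
SAMPLES = [
    "https://www.amazon.com/gp/cart",
    "http://amazzon.com/login",
    "https://amazon.net/",
    "https://amazon.com.account-check.example/signin",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):32} {u}")
```
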

Security Software

There are multiple forms of cyber security software. Below are explanations and examples of security software and methods for businesses listed on TechTarget’s website [3].

Mantraps

Mantraps are a form of physical cyber security that require codes or key cards for access to a room that harbors sensitive information. Optional mantraps can require other forms of verification such as biometric verification using biological reference such as one’s hand, fingerprint, or eye scanning. Although some mantraps can be expensive, sensitive information will be safer from a cyber-attack because of the complex verification process.

Encryption Key Management

An encryption key is a complex algorithm that secures data from being accessed by unauthorized users. Amazon lets users create and manage their own encryption keys. Management of these is important because of how complex they can be. There should be a small group of individuals within a company that manages the encryption keys.

Host Intrusion Detection System (HIDS)

HIDS includes programs such as firewalls, anti-virus software, and spyware detection programs.

● Firewall: This program is used to control incoming and outgoing network traffic, acting as a barrier or gateway. Although the Internet has advanced to creating more holes of infiltration, a firewall program will protect against several of these holes, lessening the risk of cyber intrusion.

● Anti-virus Software: This software not only protects against computer viruses, it also prevents spyware, ransomware, and multiple other cyber-attacks. Anti-virus software operates to protect computers, servers, and mobile devices from malware attacks.

● Spyware Detection Program: This software is typically installed in business settings to monitor employees’ browser history. However, spyware can also harm businesses, so having a spyware detection program can eliminate outsider intrusion on cyber networks.

Conclusion

Cybersecurity is one of the most pressing threats to companies. With the multitude of ways that the digital space can be breached, it is imperative that companies are informed and prepared. These attacks can be crippling to companies and customers. As these attacks begin to evolve and become more complicated, it is a business's responsibility to change and evolve with the threat. Companies should take the necessary steps to prevent and combat these threats and ensure a safe digital space for company and customers. Our team is prepared to help companies make these transitions so that they are better prepared for an attack in the future.

Reference Page

1. Harrington, Rebecca. “Here Are the Companies and Government Agencies Affected by the Cyberattack Sweeping the Globe.” Business Insider, Business Insider, 27 June 2017. Web. November 10, 2017. http://www.businessinsider.com/petya-petrwrap-cyberattack-companies-government-agencies-affected-2017-6

2. Lord, Nate. “What Is Cyber Security?” Digital Guardian, Digital Guardian, 27 July 2017. Web. November 10, 2017. https://digitalguardian.com/blog/what-cyber-security

3. “What Is Cybersecurity? - Definition from WhatIs.com.” WhatIs.com, TechTarget, Nov. 2016. Web. November 10, 2017. http://whatis.techtarget.com/definition/cybersecurity

4. Rouse, Margaret. “What Is Data Breach? - Definition from WhatIs.com.” SearchSecurity, TechTarget, May 2010. Web. November 10, 2017. http://searchsecurity.techtarget.com/definition/data-breach

5. Grimes, Roger A. “The 5 Types of Cyber Attack You're Most Likely to Face.” CSO Online, CSO, 21 Aug. 2017. Web. November 10, 2017. https://www.csoonline.com/article/2616316/data-protection/security-the-5-cyber-attacks-you-re-most-likely-to-face.html

6. “Big Data Analytics in Cyber Defense.” Ponemon Institute LLC. Teradata. February 2013. Web PDF. November 10, 2017. https://www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf

7. “Protect Myself from Cyber Attacks.” Department of Homeland Security, Homeland Security, 8 Aug. 2016. Web. November 13, 2017. https://www.dhs.gov/how-do-i/protect-myself-cyber-attacks

8. “Reduce Cyber Security Risks with Employee Training.” Reduce Cyber Security Risks with Employee Training | Wombat Security, Wombat Security Technologies, INC. Web. November 13, 2017. https://www.wombatsecurity.com/about/news/reduce-cyber-security-risks-employee-training

9. “Security.” IBM, IBM. Web. November 13, 2017. www.ibm.com/security/data-breach.

10. “Data Breaches.” Privacy Rights Clearinghouse | Data Breaches, Privacy Rights Clearinghouse. Web. November 16, 2017. https://www.privacyrights.org/data-breaches

11. Coyne, Allie. “OAIC Investigating Flight Centre Customer Data Leak.” ITnews, Nextmedia, 21 Aug. 2017. Web. November 10, 2017. www.itnews.com.au/news/oaic-investigating-flight-centre-customer-data-leak-471346.

12. Dissent. “NY: Kaleida Health Notifies 2,789 Patients about Phishing Incident.” DataBreaches.net, DataBreaches.net, 1 Aug. 2017. Web. November 10, 2017. www.databreaches.net/ny-kaleida-health-notifies-2789-patients-about-phishing-incident/.

13. Hopkins, Nick. “Deloitte Hit by Cyber-Attack Revealing Clients' Secret Emails.” The Guardian, Guardian News and Media, 25 Sept. 2017. Web. November 17, 2017. www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails.

14. Robertson, Ronnifer. Personal Interview. November 4, 2017.
