Good cybersecurity rests on a handful of major elements. It is, however, important to recognize that factors such as organizational size, system complexity, and the constantly evolving nature of attack vectors have prevented the industry from developing a single, simple approach to managing cybersecurity risk. Nevertheless, a set of best practices has emerged that serves as a model for locating the vital elements that any cybersecurity risk management plan must contain. The following are essential elements of cybersecurity risk management.
First, cybersecurity requires an effective framework. The focus of any risk management effort is a standard system, or framework, that helps organizations and individuals protect the confidentiality and integrity of data and ensure the availability of critical resources (Chaudhary and Hamilton 4). Accordingly, industries have adopted different frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The NIST framework offers a deliberate, risk-driven set of standards, guidelines, and practices that help firms manage cybersecurity threats in a cost-effective manner. At its core, the framework organizes the activities through which an organization manages its critical data into five functions: Identify, Protect, Detect, Respond, and Recover. Apart from the NIST framework, other cybersecurity frameworks and guides include the ISO/IEC 27000-series security control standards, the SEC/OCIE Cybersecurity Initiative, and the FCC Cyber Security Planning Guide.
Second, cybersecurity requires an end-to-end approach, which makes scope an important consideration. This element demands a broad scope of accountability for networked resources: a cybersecurity program must account for every asset that requires protection in an organization. A scope may, for instance, cover the network, desktop computers, and mobile devices. Defining the scope has, however, become harder because of the so-called Internet of Things. Today, cars, appliances, door locks, thermostats, and many other devices are connected to the network and reachable from the Internet, which exposes many more devices to attack. The scope should also address the problem from both directions, with an inside-out and an outside-in approach (Chaudhary and Hamilton 5).
Third, cybersecurity requires comprehensive risk evaluation and threat modeling. Organizations have limited resources to devote to defending against attacks. When faced with many forms of threat, they must therefore assess and prioritize risks rather than try to address everything at once. Firms should monitor new forms of threat and their possible impacts. The cybersecurity team may then create a plan that identifies possible attacks, the risk each presents, and the cost and effort needed to mitigate it, so that limited resources go to the risks that matter most.
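As an added illustration, not part of the original essay or of any cited source, the following Python script builds a small constructed risk register and prioritizes mitigations under a fixed effort budget, ranking them by risk reduction gained per unit of effort rather than by inherent risk alone. The entry names, the 1 to 5 rating scales, the costs, and the residual likelihoods are all assumptions made for the example.

```python
"""Risk register prioritisation for a team with limited resources.

Added example with constructed data: each entry rates likelihood and impact
on a 1-5 scale, estimates the effort to mitigate, and the likelihood that
remains once the mitigation is in place.  Mitigations are chosen greedily by
risk reduction per unit of effort until the budget runs out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), before mitigation
    impact: int               # 1 (negligible) .. 5 (severe)
    mitigation_cost: int      # effort units (e.g. person-weeks) to mitigate
    residual_likelihood: int  # likelihood rating after the mitigation is in place

    @property
    def score(self) -> int:
        """Inherent risk: likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def reduction(self) -> int:
        """Risk removed by the mitigation, in the same units as score."""
        return (self.likelihood - self.residual_likelihood) * self.impact

    @property
    def efficiency(self) -> float:
        """Risk reduction bought per unit of effort."""
        return self.reduction / self.mitigation_cost


# Constructed register for the example; names and ratings are assumptions.
REGISTER = [
    Risk("phishing_credential_theft", 5, 4, 2, 2),
    Risk("unpatched_internet_facing_server", 4, 5, 3, 1),
    Risk("iot_thermostat_on_office_lan", 3, 3, 1, 1),
    Risk("insider_data_exfiltration", 2, 5, 6, 1),
    Risk("ddos_on_web_front_end", 3, 3, 4, 1),
]


def rank_by_inherent_risk(risks):
    """Names ordered by likelihood x impact, highest first (the heat-map view)."""
    return [r.name for r in sorted(risks, key=lambda r: r.score, reverse=True)]


def prioritise(risks, budget):
    """Greedy selection: take the most efficient mitigations that still fit.

    Returns (chosen names, total risk reduction, effort left over).  Greedy is
    not guaranteed optimal for the underlying knapsack problem, but it is
    transparent, which matters when the plan has to be defended to management.
    """
    chosen, reduction, remaining = [], 0, budget
    # Ties on efficiency are broken by inherent risk so the bigger fire wins.
    for r in sorted(risks, key=lambda r: (r.efficiency, r.score), reverse=True):
        if r.mitigation_cost <= remaining:
            chosen.append(r.name)
            reduction += r.reduction
            remaining -= r.mitigation_cost
    return chosen, reduction, remaining


if __name__ == "__main__":
    print("inherent ranking:", rank_by_inherent_risk(REGISTER))
    names, gained, left = prioritise(REGISTER, budget=6)
    print(f"plan within budget 6: {names} (risk reduced {gained}, effort left {left})")
```

Run the script directly to print both views. Note how the cheap IoT fix is picked ahead of the unpatched server even though the server scores higher on the heat map, and how lowering the budget makes the expensive insider-threat mitigation drop out first.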
Fourth, another element for consideration is a proactive incident response plan. In the past, cybersecurity efforts focused on attack prevention, such as restricting access with firewalls and protecting user information. Today, in addition to prevention, cybersecurity practice concentrates on effective response plans that contain intrusions and limit the damage from an attack. In effect, many organizations now recognize that their systems will almost certainly be attacked eventually. Hence, recovery and damage limitation are now central to restricting the financial losses and reputational harm that follow an incident.
Finally, cybersecurity requires dedicated resources. Specifically, an organization should have a dedicated incident response team. Regrettably, many firms have not yet allocated adequate resources, built a response team, identified roles and responsibilities, or established the required cybersecurity governance approach.
Some recent events involving cybercrime illustrate weaknesses in organizational cybersecurity. Cases involving high-profile corporations with severe impacts are now common. Such attacks are normally associated with massive breaches, financial losses, and severe damage. The attacks on Sony, Home Depot, and Target Corp are just a few instances. The 2014 attack on Sony Pictures Entertainment set a new level for an intrusion into a highly sophisticated technology firm. The attack was thorough, deep, and discreet, leaving the company and the FBI to work out who was responsible; the FBI ultimately pointed to the government of North Korea.
The Sony attacks were unlike other attacks in their impact (Fogarty 1). The figure of about 77 million user accounts with exposed personal data, which Fogarty cites alongside unencrypted credit card numbers (Fogarty 1), belongs to the earlier 2011 breach of Sony's PlayStation Network, a separate incident; the 2014 attack on Sony Pictures targeted the company's internal corporate data rather than customer accounts.
The 2014 attack involved terabytes of information, implying that the attackers acquired employee records, vendor passwords, login details for external users, FTP access credentials, maps of the company's IT infrastructure, inventories of all servers and hardware, user IDs, staging and production information, and certificates, among other things. Overall, the series of attacks led to the loss of crucial information required to conduct everyday operations at the firm. The attacks on the corporations mentioned above reflect a sustained, growing trend that affects firms of all sizes. Cybersecurity is therefore now a critical risk that organizations across the world face.
ERP Systems and their adoption failures
While many large organizations have used ERP systems for many years, several implementation efforts have failed, implying that there are critical success factors for a successful ERP adoption. Adoption involves both critical success factors and risk factors; in fact, even the success factors become risks if poorly handled. It is also important to note that which success factors matter most depends largely on what works for a specific organization.
- First, user involvement has been identified as a critical factor in ERP adoption. ERP systems cause significant change during implementation, and many stakeholders, especially end users, are greatly affected. It is therefore necessary to involve users in change management. This requires identifying user needs and creating effective channels of communication for information exchange and feedback. User involvement also includes training end users. Training ensures that prospective users acquire the technical skills needed to operate the different modules of an ERP system; it is necessary because ERP systems are complex, and users can only be sufficiently engaged if they are well trained.
- Second, support from senior executives is an important factor (Ziemba and Obłąk 7). An IT department should seek the support of senior managers to reduce resistance. Managers should demonstrate their interest, communicate the importance of the project to all stakeholders, and provide the communications needed to facilitate adoption. Senior managers in turn require detailed information about the ERP system before they will commit. Leadership support encourages employees to adopt the system, secures the needed resources, and aligns the ERP system with strategic organizational goals.
- Third, an ERP system needs a clear articulation of needs and a plan. Successful ERP adoption should be driven by a project vision, and metrics, measures, and expected milestones are defined in this process. The plan should identify project issues, expected outcomes, the right team, and assigned roles and responsibilities. It should also account for change management processes.
- Fourth, an ERP adoption can only succeed when realistic objectives and expectations are set. This activity should start with need identification, then set project objectives and eliminate unrealistic goals from the project.
- Fifth, the competency of the ERP team can significantly influence outcomes. In most cases, however, it is difficult to find the right talent to implement an ERP system, so organizations tend to assess the skills gap and arrange the necessary training.
- Sixth, an ERP adoption requires business process reengineering and perhaps customization. Reengineering ensures that the ERP system and the organization's operations fit each other; some critical processes involving daily activities may be altered (Rabaa'i 133-147). Customization adapts the ERP system to support existing processes. It is recommended, however, that customization be limited so that the organization can exploit the new features of the system.
- Seventh, the choice of ERP vendor and consultant, and the relationship built with them afterwards, can influence outcomes. Thus both people and ERP components are critical success factors.
- Finally, organizations should conduct a post-adoption assessment against the set metrics to determine the overall achievements and drawbacks of the ERP adoption.
While there are many cases of failed ERP systems, the case of Lumber Liquidators' ERP is worth mentioning. The company reported that it suffered significant losses because of its SAP ERP adoption, which dampened worker productivity (Kanaracus 1).
Employees who could not figure out the new ERP system caused the failure; it was not a failure of the system itself. Previously, the company had relied on a flexible system that was easy to manipulate. The new SAP system was more structured and required users to follow defined steps, which changed how the company worked. Given the lack of training among end users and a poor change management process, the ERP adoption failed.
Overall, these diverse factors indicate that there is no one reason responsible for ERP system failure. Rather, multiple factors are usually involved.
Cybercrime and an example
Cybercrime is criminal activity carried out over the Internet using computers and other Internet-connected equipment. Typical cybercrime activities vary, but they generally include spamming, hacking, phishing, denial of service, and many other forms of attack. Cybercriminals are driven by different motives, such as defrauding users; stealing, altering, or destroying sensitive information; stealing identities; and harassing users.
It is useful to profile cybercriminals to understand the types of people engaged in such activities. With few exceptions, most cybercriminals share the following attributes. They possess technical computer knowledge, ranging from low-skilled attackers who run malicious code written by others to advanced, talented hackers. Cybercriminals generally disregard the law and believe that such laws should not exist or do not apply to them. They also seek the thrill of manipulating or outsmarting others. Finally, cybercriminals may also be grouped by motive, such as money, emotion, espionage, sexual desire, extreme religious belief, or sheer boredom and the desire to have 'some fun' (Shinder 1).
People engaged in cybercrime therefore fit a broad description, but they are generally referred to as hackers or attackers driven by criminal motives who have the means and opportunity to break into network systems. The most dangerous cybercriminals are those who create malware and other malicious programs to carry out their activities. Cybercriminals write programs that steal information, including personal information and bank details; push unwanted advertising; use infected systems to attack more systems (the so-called DDoS, or distributed denial-of-service, attacks); and blackmail users, the most recent form of which is ransomware.
Computers and networks have become the most vital tools for cybercriminals. They have made cybercrime simpler, and cybercriminals rely on the Internet to identify their targets. For instance, police have tracked down and arrested offenders engaged in online child pornography and pedophilia who used the Internet to find victims. Cybercriminals may use their personal devices or devices owned by companies.
Once again, the attack on Sony provides a good illustration (Fogarty 1). Whoever the perpetrators were, the Sony hack represented a new level of cybercrime. The industry had generally assumed that such an attack could not happen to a large, technologically sophisticated multinational. The intrusion was so extensive that the company itself could not determine who was responsible. Nevertheless, the FBI had sufficient evidence to conclude that North Korea was involved.
As noted, the attacks on Sony were not like previous attacks, and the criminals achieved a great deal. The hackers claimed to have stolen terabytes of information relating to nearly all of Sony's stakeholders, both internal and external. In short, they stole some of the most sensitive data used in the company's daily operations.
The costs of the attacks were massive. Over the roughly three months the intrusion lasted, the attackers catalogued and documented everything they stole. The widely quoted figures of about 77 million affected users, 12 million of them with unencrypted credit card numbers (Fogarty 1), come from the 2011 PlayStation Network breach rather than the 2014 intrusion. Analysts estimated that the 2014 attack alone would most likely cost the company over $100 million (Fogarty 1).
The attacks marked a new milestone in the cost of corporate IT security breaches. They were a classic case of massive damage to a technology-driven firm that had built an online empire but failed to secure its own systems.
In addition, the North Korea attribution brought a new perspective to cybersecurity and cybercrime: a state is willing and able to attack a multinational firm as punishment or intimidation in order to control its business practices. Because the Internet transcends national boundaries, any company could become the victim of such a state.
It is notable that Sony was unable to identify the attackers internally and therefore sought external assistance. Its response included engaging Mandiant, the incident response and forensics unit of FireEye, Inc., which was hired to clean up the systems and restore normal operations; the firm is known for helping attack victims clean up and restore their networks. At the same time, the FBI began its investigation into the origin of the attack.
The response team was engaged in repairing the damage done by the attackers and restoring e-mail as soon as possible.
However, Sony did not respond immediately to queries from customers (Abdollah 1). Instead, more than a year after the attack, Sony was still addressing the incident in various forums.
Works Cited
Abdollah, Tami. “Sony CEO breaks down hack response, Google role in ‘The Interview’ release.” 2015. Web.
Chaudhary, Raj and Jared Hamilton. The Five Critical Attributes of Effective Cybersecurity Risk Management. 2015. Web.
Fogarty, Kevin. “Sony makes cybercrime even more dangerous.” Computerworld. 2014. Web.
Kanaracus, Chris. “Biggest ERP failures of 2010.” Computerworld. 2010. Web.
Rabaa’i, Ahmad A. Identifying Critical Success Factors of ERP Systems at the Higher Education Sector. 2009. Web.
Shinder, Deb. “Profiling and categorizing cybercriminals.” TechRepublic. 2010. Web.
Ziemba, Ewa and Iwona Obłąk. “Critical Success Factors for ERP Systems Implementation in Public Administration.” Interdisciplinary Journal of Information, Knowledge, and Management 8 (2013): 1-19. Print.