Literature Review


Mitigating corporate information exposure on the web
Introduction

In today’s technological world, if a company wishes to expand and evolve into a worldwide, international company, it needs to develop software for both customers and employees while storing all of its data electronically. The efficiency of such improvement is directly proportional to the company’s future revenues and further development. However, the risk of corporate information exposure has to be considered. The threats may come from inside the company or from outside. To avoid this risk, there are various strategies for mitigating the unwanted exposure of corporate information on the web.

Risk of data leakage

“You can't defend. You can't prevent. The only thing you can do is detect and respond.” - Bruce Schneier. According to P. Gordon, data leakage is the unauthorized transmission of information from within an organisation to an external destination or recipient (Gordon, 2007, p. 6). Such undesired information exposure is present all around the world, and it usually costs companies vast amounts of money and damages their reputation. Thus, organisations seek various mitigating methods that minimize the risk of data leakage. Companies have to distinguish between internal threats (staff within the organisation) and external threats (hackers outside the organisation) and then take appropriate actions to minimize each threat.

Internal threats

“Research in the area of information security has shown that the employees of an organisation are considered among the biggest threat to the information security of any organisation” (Jabbour & Menasce, 2009, p. 2). For some it might be surprising, but the workforce within the company is the major source of data leakage. According to a US-CERT and US Secret Service survey published in 2006, the financial losses due to insider attacks were much higher than those caused by outside attacks. Insider attacks also take so long to detect that they are usually discovered only after they have begun (Jabbour & Menasce, 2009, p. 2). Since most internal threats are unintentional, the majority of anti-leakage measures focus on improving the security of the software and increasing awareness of the risks of data leakage. However, there is still a potential risk of an intentional threat, where an employee may have various motivations to leak or sabotage data.

One of the ways to help mitigate corporate information exposure is to increase employees' awareness of the importance of information security. Various team-building events and presentations should be considered to help them understand the risks of information exposure. The staff should know what they can and cannot publish outside the company. Their understanding is the key to all further internal risk-mitigating measures.

Another important measure against exposure risk is user training. Once the staff are aware of the vulnerabilities within their working environment, user training is an essential part of increasing information security. As soon as the employees fully understand the integrated software and the organisation within the company, the chance of any accidental damage to or release of corporate data is diminished.

Keeping employees as comfortable as possible could be a way of preventing intentional leakage of data. Since the motivation for such sabotage may vary, the organisation must be aware of this in order to take actions which help avoid any type of sabotage. Reasons include corporate espionage, financial reward, or a grievance with the employer (Gordon, 2007, p. 7).

External threats

Even when unwanted exposure from inside the company is under control, there are plenty of external threats. As a company's popularity and revenues increase, so does the interest of various people or organisations in its corporate information. Breach attempts happen worldwide every second, making system security the most crucial aspect of avoiding any data exposure.

“Phishing” is one of the biggest external threats to an organisation, or even to individuals. It is the act of using various communication channels such as e-mail and telephone in an attempt to trick individuals into either revealing their personal information, including passwords and social security numbers, or installing malicious software (Cooper, 2016). When a member of staff within a company responds to such communication, the whole organisation is in great danger. According to Bruce Schneier, organisations should not blame users for falling victim to phishing; they should rather focus on developing security measures that do not depend on users’ awareness of these risks (Schneier, 2016).

Monitoring network activity within the organisation is one possible approach against external threats. According to one study, 13.2% of participating students and staff at a university in the Midwestern United States fell for a simulated phishing attack, providing their user IDs along with their passwords to a fictitious website (Jensen, Dinger, Wright & Thatcher, 2017, p. 612). Monitoring network activity can prevent this, for example through blacklists and filtering as proposed by Florencio & Herley. They designed a phishing-prevention scheme in which the browser detects when a user has typed protected credentials into a non-whitelisted site and reports the event to a server. If the server detects an attack, it adds the phishing domain to a blacklist, preventing the attack from continuing or being repeated (Florencio & Herley, 2007, p. 29).
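The following is an added illustration of the browser-reports-to-server scheme just described; it is example code written for this review, not Florencio & Herley's implementation. The domain names, user names, passwords, per-browser HMAC keys and the "two distinct reporters" blacklisting threshold are all constructed assumptions. The browser-side monitor keeps only an HMAC tag of the protected password, so it can recognise the credential being typed elsewhere without holding the plaintext itself.

```python
import hashlib
import hmac
from collections import defaultdict


class PhishingReportServer:
    """Server side of the scheme: receives reports of a protected credential being
    typed into a non-whitelisted domain and blacklists that domain once enough
    distinct users have reported it (the threshold is an assumption here)."""

    def __init__(self, whitelist, report_threshold=2):
        self.whitelist = set(whitelist)      # domains where the credential belongs
        self.blacklist = set()               # domains confirmed as phishing
        self.report_threshold = report_threshold
        self.reports = defaultdict(set)      # domain -> ids of users who reported it

    def handle_report(self, user_id, domain):
        if domain in self.whitelist:
            return "whitelisted"             # legitimate use, nothing to record
        self.reports[domain].add(user_id)
        if len(self.reports[domain]) >= self.report_threshold:
            self.blacklist.add(domain)
            return "blacklisted"
        return "recorded"

    def is_blocked(self, domain):
        return domain in self.blacklist


class CredentialMonitor:
    """Browser side: inspects every form submission. It stores only an HMAC tag of
    the protected password (keyed with a per-browser secret) and compares tags in
    constant time, so the plaintext never lives in the monitor."""

    def __init__(self, user_id, protected_password, server, key):
        self.user_id = user_id
        self.server = server
        self.key = key                       # per-browser secret (constructed)
        self.tag = self._tag(protected_password)

    def _tag(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).digest()

    def on_form_submit(self, domain, typed_value):
        """Return what the scheme decided for this submission."""
        if self.server.is_blocked(domain):
            return "blocked"                 # known phishing domain: stop before sending
        if hmac.compare_digest(self._tag(typed_value), self.tag):
            return self.server.handle_report(self.user_id, domain)
        return "ignored"                     # not the protected credential


def simulate():
    """Constructed scenario: three employees and one lookalike domain."""
    server = PhishingReportServer(whitelist={"login.example-corp.test"})
    alice = CredentialMonitor("alice", "Alice-S3cret!", server, key=b"alice-browser-key")
    bob = CredentialMonitor("bob", "Bob-S3cret!", server, key=b"bob-browser-key")
    carol = CredentialMonitor("carol", "Carol-S3cret!", server, key=b"carol-browser-key")
    lookalike = "login.example-c0rp.test"   # constructed phishing domain

    outcomes = [
        alice.on_form_submit("login.example-corp.test", "Alice-S3cret!"),  # legitimate login
        alice.on_form_submit(lookalike, "quarterly report"),               # unrelated input
        alice.on_form_submit(lookalike, "Alice-S3cret!"),                  # first report
        bob.on_form_submit(lookalike, "Bob-S3cret!"),                      # second report -> blacklist
        carol.on_form_submit(lookalike, "Carol-S3cret!"),                  # now blocked outright
    ]
    return outcomes, server


if __name__ == "__main__":
    results, srv = simulate()
    print(results)
    print("blacklist:", sorted(srv.blacklist))
```

Requiring reports from more than one user before blacklisting is a design choice to limit the damage a single mistaken or malicious report can do; a deployment would tune that threshold and feed the resulting blacklist into its web filtering.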

A common system security measure is a password policy. It ensures that users have to set more complex passwords, giving better protection against hackers trying to reach corporate information through a user account. It also includes the ability to lock the account after several failed attempts (National Cyber Security Centre, 2015). Passwords are then more difficult to guess, and it takes hackers longer to get into the account, increasing the time available to detect that a breach has been attempted. It might even stop the breach itself.
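As an added example of the two parts of such a policy, the following code (written for this review, not the NCSC's guidance or any product's implementation) enforces complexity rules when a password is set and locks the account after a number of consecutive failed logins. The minimum length, the lockout threshold, the small common-password list and the sample user are all constructed assumptions; stored passwords are salted PBKDF2 hashes rather than plaintext.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed deny-list; a real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


class PasswordPolicy:
    """Complexity rules applied when a password is set (values are assumptions)."""

    def __init__(self, min_length=12, max_failed_attempts=5):
        self.min_length = min_length
        self.max_failed_attempts = max_failed_attempts

    def violations(self, password, username):
        """Return the list of rules the candidate password breaks (empty = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
            problems.append("needs both upper- and lower-case letters")
        if not re.search(r"\d", password):
            problems.append("needs a digit")
        if password.lower() in COMMON_PASSWORDS:
            problems.append("on the common-password list")
        if username.lower() in password.lower():
            problems.append("contains the username")
        return problems


class AccountStore:
    """Keeps salted PBKDF2 hashes and locks an account after repeated failures."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}                   # username -> (salt, hash)
        self.failed = defaultdict(int)       # consecutive failed attempts per user
        self.locked = set()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        problems = self.policy.violations(password, username)
        if problems:
            return problems                  # rejected: caller shows the reasons
        salt = os.urandom(16)
        self.accounts[username] = (salt, self._hash(password, salt))
        return []

    def login(self, username, password):
        if username in self.locked:
            return "locked"                  # stays locked until an unlock flow clears it
        salt, stored = self.accounts.get(username, (b"\x00" * 16, None))
        computed = self._hash(password, salt)   # hash even for unknown users to keep timing uniform
        if stored is not None and hmac.compare_digest(computed, stored):
            self.failed[username] = 0        # a successful login resets the counter
            return "success"
        self.failed[username] += 1
        if self.failed[username] >= self.policy.max_failed_attempts:
            self.locked.add(username)        # this event is what a monitoring team should alert on
            return "locked"
        return "failed"


def simulate():
    """Constructed scenario: one weak and one acceptable password, then a guessing run."""
    store = AccountStore(PasswordPolicy(min_length=12, max_failed_attempts=3))
    rejected = store.register("jsmith", "Password1")           # weak: short and on the list
    accepted = store.register("jsmith", "Blue-Harbour-2024")   # meets every rule
    attempts = [store.login("jsmith", "wrong-guess-%d" % i) for i in range(3)]
    after_lock = store.login("jsmith", "Blue-Harbour-2024")    # correct password, but too late
    return rejected, accepted, attempts, after_lock


if __name__ == "__main__":
    print(simulate())
```

The lockout counter is reset only by a successful login, so a slow guessing campaign still accumulates failures; the "locked" transition is the point at which the attempt becomes visible to whoever watches the authentication logs, which is the detection window the paragraph above describes.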

Conclusion

As technology evolves, cybercriminals become harder to detect and stop. Keeping up with the new technology that hackers have access to nowadays is important for any modern organisation. Many researchers have shown that, alongside defending against external threats, creating policies and taking action against internal threats can be a crucial aspect of mitigating corporate information exposure on the web.