Security of Information Systems
“I understand that simply forgetting to include quotes is considered plagiarism in FAU, and that every semester students are disciplined for forgetting to include quotes.” - 5410
Since the advent of the internet and the spread of computer-based technology through today's corporations, information security breaches have increased at an alarming rate. While we more often hear about embezzlement, money laundering, burglary, and bribery, the data show that companies suffer greater losses from information security breaches than from those better-publicized crimes. Managers, however, are often reluctant to disclose breaches, because disclosure can damage the firm's reputation, its standing with customers and regulators, and even its viability as a going concern (Bodnar and Hopwood, 2004).
To deter white-collar criminals from computer-related offenses, Congress enacted the Computer Fraud and Abuse Act in 1986, making it a federal crime to fraudulently gain access to computer data of financial institutions or the federal government, or to computers used in interstate commerce. The Act also prohibits trafficking in computer passwords (Bodnar and Hopwood, 2004).
One of the most effective ways to keep criminals from accessing and compromising confidential company information is to implement an information security plan and properly train every employee who uses the system. Companies should also retain an independent third-party auditor to test the adequacy of the security system frequently. Lastly, key responsibilities within the information security chain should be segregated and rotated regularly. Companies that follow these three basic tenets will be one step closer to securing their information.
“In June 2008, Carol received an e-mail from “Bank of America” (“BOA”) indicating that her account information had been compromised. The e-mail directed her to click on a hyperlink which purportedly would direct her to her online account. The e-mail also indicated that after clicking on the hyperlink she would be redirected to the BOA homepage where she would be required to “Log-In” and answer security questions to ensure that her information was not further compromised. She unknowingly followed the directions of the e-mail and clicked on the hyperlink and was subsequently directed to a web page that was almost identical to BOA's homepage. Sure enough, as the e-mail indicated, she was prompted to provide her Account Number and PIN. And in one small click of a mouse, “poof,” her personal bank information was stolen. Once she provided the information and clicked the mouse she knew something was wrong. She was directed to an “Account Summary” page that contained inaccurate information (C. Rukis, personal communication, June 3, 2008). Like so many of the internet scams we see today, the criminals prey on the hopes (Nigerian Oil Scam) and fears of the unaware consumer (Hartofilis, 2009).”
While the testimonial above cost the victim only the time and effort needed to recover the money and change her online credentials, these breaches cost companies billions of dollars each year. Wikipedia reports that in 2007 phishing victims numbered approximately 3.6 million and total losses reached approximately $3 billion (Wikipedia, 2009).
This paper focuses on the common ways information security is breached in today's businesses, how threats to information systems can be controlled, and what the future holds for information security. It first discusses three active threats to information systems: input manipulation, data theft, and sabotage. It then analyzes how companies can implement procedures and systems to secure information. Lastly, it considers the importance of information security in the future.
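The testimonial hinges on a link whose visible text promises the bank's site while its target is a look-alike page. The following script is an added example, not part of the original paper or of any bank's tooling: it parses a constructed e-mail body modelled on the testimonial and flags anchors whose displayed host disagrees with the real target, whose host is a bare IP address, or whose host merely contains the brand name without being the brand's real domain. The allow-list, brand tokens, sample e-mail and the two-label "registrable domain" shortcut are all assumptions made for the example.

```python
"""Flag suspicious links in an e-mail body (added example, constructed data).

Heuristics applied to each <a href=...> in the message:
  1. Visible text that names a host/URL must agree with the href's host.
  2. A host that is an IP literal is suspicious.
  3. A host containing the brand name but not on the allow-list is a look-alike.
  4. A trusted domain reached over plain http (downgrade) is flagged.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Assumption: the organisation's legitimate domains and brand tokens.
TRUSTED_DOMAINS = {"bankofamerica.com"}
BRAND_TOKENS = ("bankofamerica", "bofa")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumption: no public-suffix list
    is available offline, so this is only right for .com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link looks like phishing (empty list = looks fine)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return ["non-http link"]
    if is_ip_literal(host):
        reasons.append("IP-literal host")
    domain = registrable_domain(host)
    # Heuristic 1: visible text that itself looks like a URL or hostname.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    if m:
        text_host = m.group(1).lower()
        if registrable_domain(text_host) != domain:
            reasons.append(f"text says {text_host} but href goes to {host}")
    # Heuristic 3: brand name in the host, but not the brand's domain.
    if any(tok in host.lower() for tok in BRAND_TOKENS) and domain not in TRUSTED_DOMAINS:
        reasons.append(f"brand look-alike host {host}")
    # Heuristic 4: the real site, but over an unencrypted scheme.
    if parsed.scheme == "http" and domain in TRUSTED_DOMAINS:
        reasons.append("trusted domain over plain http")
    return reasons


def scan_email_html(html):
    """Return {href: [reasons]} for every suspicious anchor in the body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return {href: reasons
            for href, text in collector.anchors
            if (reasons := classify_link(href, text))}


# Constructed sample modelled on the testimonial; not a real e-mail.
SAMPLE_EMAIL = """
<p>Dear customer, your account information has been compromised.</p>
<p>Please <a href="http://bankofamerica.com.account-verify.example.net/login">
log in at https://www.bankofamerica.com</a> and answer your security questions.</p>
<p>Questions? <a href="https://www.bankofamerica.com/help">Help center</a></p>
<p><a href="http://203.0.113.7/boa/">Click here</a> to view your account summary.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Only the first and third links are reported; the genuine help-center link passes every check. The two-label domain shortcut is the weak spot: a production filter would use the public-suffix list so that hosts such as `example.co.uk` are split correctly.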
Threats to Information Systems
One of the most common threats to information systems is infiltration. The most prevalent forms include input manipulation, program manipulation, data theft, and outright sabotage. Input manipulation is the most frequent, because it requires the least technical skill of the criminal (Bodnar and Hopwood, 2004).
In one case, a disgruntled ex-employee of a thinly capitalized South Florida broker-dealer still held the passwords for the firm's web-based trading platform after his termination; the firm never changed the trading password when he left. Unbeknownst to the firm, he used the system to accumulate a $1 million position in the firm's proprietary trading account. Unfortunately, the security he bought was an illiquid grey-market stock. The artificial volume drove the price up more than 300%, and the firm was left holding the bag. With no real demand for the stock, the firm took a substantial loss on the position, which led to its bankruptcy (E. Smith, personal communication, May 2007).
The next threat is data theft, one of the most prevalent information security breaches today. Proprietary information is often what separates good companies from great ones: customer lists, patent filings, and even McDonald's “special sauce” recipe give companies their competitive advantage. For this reason, the common law treats information stored on a company's computers as proprietary; it cannot be used without permission (Bodnar and Hopwood, 2004).
A recent example of the SEC taking aggressive action against a broker-dealer for stealing customer information is the 2007 case against Next Financial Group (“Next”). Next was ordered to cease and desist from practices that violated the SEC's customer privacy rules (Regulation S-P), censured, and fined $125,000. Next had launched an aggressive campaign to recruit brokers and bring their client assets to the firm. Before a recruited broker had even signed an employment agreement, Next had the broker hand over his or her user ID and password for the prior firm's systems so that Next could pull clients' personal information. Next used that information to pre-populate new account forms, presumably to make the account transfer process easier for the new hires (SEC, 2007). As the sanction shows, the SEC did not view the practice fondly.
The last threat I will analyze is sabotage. At some point all of us have been affected by information system sabotage, whether in our personal computing or at work. One of the most common forms of sabotage is the computer “virus” (Bodnar and Hopwood, 2004). Worms, which spread themselves from machine to machine without any user action, have been the focus of many security technicians lately. A worm is especially concerning because its reach extends across many networks and it grows as it infects more computers (Bodnar and Hopwood, 2004).
Look no further than the March 2009 60 Minutes piece on what may be one of the worst pieces of malware of this decade. Conficker.C is a worm that has reportedly already infected between 5 and 10 million computers. The most concerning aspect is that the owners of infected systems usually have no idea they are infected, so the machines keep spreading it across the network (Sughrue, 2009). To everyone's relief, the worm was expected to activate on April 1, 2009, and the researchers watching it have yet to see it do anything visible. That has not stopped them from spending enormous amounts of time, money, and resources tracking it.
Implementing an Information Security System
With so many ways to breach an information security system, companies must establish a control system to strengthen the security of their information. The following seven procedures are imperative to establishing an effective information security system:
1) Educating employees;
2) Developing a structure of accountability;
3) Establishing a board of directors and its appointees;
4) Establishing a budget for the information security system;
5) Establishing an independent audit of the system;
6) Establishing quality internal controls;
7) Establishing a compliant system (Bodnar and Hopwood, 2004).
While all seven play a role in a sound security system, I will elaborate on the three I believe to be most essential.
The first, and in my view the most important, is properly educating employees about the importance of information security. If employees “buy into” a culture of information security, that attitude spreads throughout the company. Employees should understand that they have an obligation to watch for and report breaches of information security.
The next component is an accountable and independent audit of the system. In my opinion, the independent audit should be conducted at least quarterly, and more often when the security system changes. The independent auditor should also stress-test the firm's security system (Bodnar and Hopwood, 2004). In short, an interactive and proactive independent audit helps ensure information security.
Lastly, I believe companies must segregate the duties of those responsible for information security. A company puts itself at unnecessary risk if it assigns sole responsibility to one individual. As the broker-dealer case above shows, one disgruntled ex-employee can cause significant business risk when the security system is inadequate. Checks and balances, rotation of responsibilities, and even mandatory vacations are therefore imperative for an effective information security system (Bodnar and Hopwood, 2004).
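Both the broker-dealer case in the Threats section (a terminated employee who still held a working trading password) and the segregation-of-duties point above come down to the same periodic access review. The following script is an added example, not code from the paper or from any firm: it reconciles a constructed HR roster against constructed system accounts and shared credentials, and reports accounts still enabled for people who have left, shared secrets not rotated since someone who knew them departed, and users holding a conflicting pair of roles. The roster, roles, conflict matrix and dates are all assumptions made for the example.

```python
"""Periodic access review (added example, constructed data).

Findings produced:
  orphaned_account          enabled account whose owner is terminated or unknown to HR
  stale_shared_credential   shared secret not rotated since a holder left
  sod_conflict              one user holds two roles the SoD matrix forbids together
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    user_id: str
    terminated_on: Optional[date] = None   # None = still employed


@dataclass
class Account:
    user_id: str
    roles: set
    enabled: bool = True


@dataclass
class SharedCredential:
    name: str
    known_by: set          # user_ids who were ever given the secret
    last_rotated: date


# Assumption: pairs of roles one person must never hold at the same time.
SOD_CONFLICTS = {
    frozenset({"trade_execute", "trade_approve"}),
    frozenset({"user_admin", "security_audit"}),
}


def review(employees, accounts, shared, today):
    """Return a sorted list of finding tuples for the given snapshot date."""
    hr = {e.user_id: e for e in employees}

    def has_left(user_id):
        emp = hr.get(user_id)
        return emp is None or (emp.terminated_on is not None and emp.terminated_on <= today)

    findings = []
    for acct in accounts:
        if acct.enabled and has_left(acct.user_id):
            findings.append(("orphaned_account", acct.user_id))
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                findings.append(("sod_conflict", acct.user_id, tuple(sorted(pair))))

    for cred in shared:
        # A leaver taints the secret unless it was rotated strictly after they left.
        leavers = sorted(u for u in cred.known_by
                         if has_left(u)
                         and (u not in hr or hr[u].terminated_on >= cred.last_rotated))
        if leavers:
            findings.append(("stale_shared_credential", cred.name, tuple(leavers)))
    return sorted(findings)


# Constructed sample snapshot; not a real firm.
EMPLOYEES = [
    Employee("alice"),
    Employee("bob", terminated_on=date(2007, 3, 15)),
    Employee("carol"),
]
ACCOUNTS = [
    Account("alice", {"trade_execute"}),
    Account("bob", {"trade_execute"}),                   # never disabled
    Account("carol", {"trade_execute", "trade_approve"}),  # SoD conflict
    Account("dave", {"security_audit"}),                 # not on the HR roster
]
SHARED = [
    SharedCredential("web_trading_platform", {"alice", "bob"}, date(2007, 1, 10)),
    SharedCredential("wire_room_pin", {"alice", "carol"}, date(2007, 4, 1)),
]
REVIEW_DATE = date(2007, 5, 1)


def run_sample_review():
    return review(EMPLOYEES, ACCOUNTS, SHARED, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_sample_review():
        print(*finding)
```

Running the review on the sample snapshot flags bob's still-enabled account, the unknown user dave, carol's execute/approve conflict, and the trading-platform password that bob knew and that was last changed before he left. A user who is missing from HR is treated as a leaver on purpose: an account with no owner of record is exactly the gap the broker-dealer case exposes.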
The Future of Information Security
The days of “basic firewalls” and basic detection systems are over (Richards, 2008). Sabotage, viruses, data manipulation, phishing scams, and “Trojan horses” are just some of the threats facing information security systems today (Bodnar and Hopwood, 2004). Despite the financial constraints companies face in the current economic environment, information security is not an area where corners can be cut. Information is one of a company's most valuable assets, and breaches can damage the reputation, standing, and overall viability of a business. Companies must therefore implement an information security system that is accountable, verifiable, and as dynamic as the business environment in which they compete. Those that neglect the security of their information will inevitably find themselves at a decided disadvantage to their competitors.
Bodnar, George and William Hopwood. (2004) Accounting Information Systems. New Jersey: Pearson Prentice Hall.
Hartofilis, Nick. (2009) “Hartofilis Reply to Alfred Phishing Post.” VBulletin, February 7, 2009. Retrieved March 29, 2009 from http://www.whopwood.com/acg6475/showthread.php?p=10920&highlight=hartofilis#post10920.
Richards, Kevin. (2008) The Future of Information Security: 2008 and Beyond. Retrieved March 29, 2009 from http://www.cio.com/article/168352/The_Future_of_Information_Security_and_Beyond.
SEC. (2007) SEC v. Next Financial Group, Inc. Administrative Proceeding File No. 3-12738. Retrieved March 29, 2009 from http://www.sec.gov/litigation/admin/2007/34-56316-o.pdf.
Sughrue, Karen. (2009) The Conficker Worm: What Happens Next? 60 Minutes, CBS News. Retrieved March 29, 2009 from http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml.
Wikipedia. (2009) Phishing. Retrieved March 29, 2009 from http://en.wikipedia.org/wiki/Phishing.