The Risks
Why do we need to protect information systems?
Any information that an organisation holds, whether it is simply a list of bank account numbers, client contacts or the formula for a best-selling pharmaceutical product, is an important asset and needs to be treated as such. Many home users may not be aware that their computers hold enough information about them, such as bank account and credit card details, for criminals to impersonate them if they gain access to it. Just as you would put a lock on the door to your home or office, perhaps install an alarm or even employ a security guard, so you should ensure that the information held on your computer system is sufficiently protected.
Technological advances in Internet connectivity introduce a new element of risk. The introduction of high-speed Internet connections (Broadband or ADSL) has been a great enhancement for business - particularly for those small businesses that are able to access these services. However, it is important to recognise that because you are 'always on', you are exposed to greater risk. Hackers can use an open 'back door' to get into your computer unless you have the right software installed to prevent them from doing so. Additionally, wireless networks, sometimes referred to as WLANs, enable a user to access the Internet via an organisation's network. Yet at the same time they can also give a hacker access to your systems without them even having to enter your building.
What are the risks facing information systems?
Both businesses and government are increasingly dependent on the Internet for performing day-to-day tasks. Many home users are taking advantage of the Internet for banking or even their weekly supermarket shopping. This can bring benefits such as increased efficiency and cost savings. However, this development also carries significant risks that need to be addressed. These include:
- Computer viruses (and related malicious programs such as 'worms' or 'trojans') can be very destructive, causing your computer to do things such as overwriting your hard drive, deleting files or even rendering your machine inoperable.
- Hacking is when your computer, network or website is 'broken into' over the Internet. This can result in incidents such as theft of data or information, disruption or 'Denial of Service', deletion or alteration of files, or website defacement. These 'attacks' can be carried out by a wide variety of criminals. So-called 'script-kiddies', young amateur hackers, often carry out attacks for kicks or to show off amongst their peers. However, attacks may also be carried out by criminals seeking to commit fraud or identity theft for financial gain. Hacking or 'cyber-terrorism' can also be carried out for political reasons by terrorist groups, agencies of foreign states or activist groups.
- Inadequate security policies and procedures can mean that an organisation's information and information systems are put at risk. Unauthorised access to information held on computer systems is often the result of poor management of security controls. For example, employees may share their passwords or contractors may be given access to information, either of which can leave an organisation open to theft or fraud.
- Physical accidents or attacks such as fire or flood can destroy an IT or telephone system. Information systems are dependent on power and often need to be kept cool, so a power outage can mean that the systems go down.
- Errors in systems software or hardware design are commonplace and can cause an otherwise secure system to be vulnerable.
- Out-of-date systems and software can mean that information may be lost or become unavailable. Small businesses often rely on software or hardware that is out of date and does not have even the most basic security controls. If the program becomes corrupted, it may be difficult to retrieve the information held on their systems.
Some facts about the risks
- In the National Hi-Tech Crime Unit's 2003 survey, 83% of businesses stated that they had experienced some form of hi-tech crime. Of the 44 financial institutions surveyed, three companies had experienced a fraud worth more than £60 million.
- A study by Novell in 2004 found that one third of UK workers write their computer passwords down and 1 in 10 keep them on a post-it note on their desk.
- The Novell study also revealed that 67% of sacked UK workers would be prepared to steal information that would be useful in their next job.
- The DTI Information Security Breaches Survey 2004 of 1,000 UK companies determined that 1 in 3 large businesses had had their websites attacked by hackers in the last year.
- The MyDoom virus was at its peak in January 2004, when it was making up an estimated 1 in 12 of all e-mail messages and infecting 55 million computers worldwide.
- Two thirds of UK businesses suffered an incident in the last year where they had to restore significant data from backup (e.g. systems failure or physical theft), according to the DTI Information Security Breaches Survey 2004.