Improving Information Security in Company X
Abstract
Information security and data protection are regarded as essential aspects of modern retail companies. The pervasiveness of cybersecurity threats and unauthorized access to users’ sensitive information adversely affects operations in many organizations. Company X recently experienced a data breach that led to the leakage of sensitive information through the dark web. As the company’s newly hired IT supervisor, I present in this report recommendations for improving data security in Company X. The report highlights the different ways in which I will ensure maximum data protection at all of the company’s access points. Additionally, the report proposes new technologies and the adoption procedure for integrating them. It further estimates the budgetary expenditure necessary for improving information security and data protection within the organization. Finally, the report gives the project management implementation timeline and a detailed explanation of the duration needed to implement the new changes.
Keywords: Information security, artificial intelligence, machine learning, security threat, unauthorized access, encryption
Improving Information Security in Company X
Executive Summary
Information security continues to be an integral facet of contemporary organizations. According to Chopra and Chaudhary (2019), information security refers to utilizing the organization’s technological infrastructure to prevent unauthorized access, modification, inspection, and disruption of the network systems. Notably, the demand for security systems is accelerated by the emergence of sophisticated and malicious attacks from hackers and other internet users. Consequently, IT-based organizations are intensively leveraging research and development to enhance the protection of their network systems. In the context of Company X, the security breach was caused by the lack of established security systems to protect the organization’s sensitive information. Thus, the breach led to the leak of the company’s sensitive information to the dark web. Ideally, the primary function of information security systems is to protect the organization’s capacity to operate optimally. As the newly hired information security manager in the organization, I plan to implement various strategies that will ensure maximum protection of Company X’s network system. First, I will integrate machine learning (ML) and artificial intelligence (AI) to establish a defense mechanism for detecting unauthorized attempts to access the organization’s system.
Ways of Data Protection
Machine Learning and Artificial Intelligence
The implementation of machine learning and artificial intelligence will profoundly transform the data-driven approaches of Company X. Overwhelming evidence indicates that integration of ML/AI can be an effective method of mitigating cyber threats that may render the organization’s operations vulnerable. Notably, cybersecurity strategies are associated with risk management, strengthening the system’s resilience, and patching vulnerabilities. Thus, the integration of AI will enable the organization to detect, defend against, and examine possible attacks that may compromise operations in the company. According to Chopra and Chaudhary (2019), one of the significant strategies for implementing AI and ML entails identifying the types of data and systems that might be vulnerable to attacks. The purpose of identification is to enable the system user to allocate the resources required to protect the network systems. For instance, in Company X, the most vulnerable information is the financial information and the customer database. In essence, attackers may use phishing as a strategy to deceive the system users. However, a thorough implementation of ML/AI systems with the necessary algorithms to detect such attackers will strengthen early detection and block them from accessing the organization’s database.
Artificial intelligence also involves real-time protection that will be essential in detecting attack patterns seen in previous breaches and blocking them. Al-Zahawi (2019) argues that AI systems should be programmed with algorithms that contain solutions for past and future breaches. Furthermore, implementing AI/ML will provide the necessary instructions for scanning for threats and malware with the potential of interfering with the system’s operation. Therefore, ML/AI should be embraced as an evidence-based strategy for cybersecurity management in Company X.
End-User Training
Intensification of end-user training will also be an integrated approach to managing information security at Company X. Empirical evidence indicates that training can enhance information security by inculcating the knowledge required for detecting and reporting possible security breaches. In essence, coaching the staff members and increasing awareness regarding the types of threats that target them directly will profoundly strengthen their understanding of possible phishing attacks and enable them to respond accordingly. Although contemporary hackers and unauthorized users are constantly developing new techniques to reach their targets, a constant training program will keep the employees updated on possible breaches, which will strengthen the organization’s information security plan. This approach will also be used to educate the employees about the information security policy and allow them to align their career goals with Company X’s strategic security plan.
Two-Factor Authentication/Multifactor Authentication (2FA/MFA)
2FA/MFA continues to be recommended as an evidence-based strategy for strengthening the information security framework of retail organizations. Fundamentally, the system involves verification procedures that prompt the user to enter their username and password whenever they want to access the organization’s customer database or financial data. Notably, the primary advantage of 2FA is that it prevents unauthorized access to a user’s account with stolen passwords by prompting the user to enter a verification code sent to their smartphone. Additionally, the user may be prompted to provide a fingerprint or facial scan, through an integrated biometrics system, to access a particular system. In the context of Company X, this system will profoundly strengthen access control for the different organizational portals and domains and thereby strengthen the strategic security plan.
In addition, MFA will be used on the customer domains to verify the legitimacy of every transaction. Ideally, MFA provides an additional security layer that supplements the username/password whenever the system is accessed. This additional security framework will ensure accountability and transparency in all transactions and prevent the leakage of sensitive information to unauthorized users even when a user’s password is stolen.
Increased Use of Encryption
The company will also embrace encryption as a primary instrument to protect data from unauthorized users. According to Chopra and Chaudhary (2019), encryption refers to encoding data using a special encryption algorithm to prevent unauthorized access on the application servers. In essence, when an unauthorized person gains access to the system, they cannot read the encrypted information, which increases information security. Company X will encrypt all data in transit and at rest to ensure maximum security. Additionally, the organization will enforce strict use of HTTPS and only allow newer encryption protocols, namely TLS version 1.3 and above. This strategy will prevent unauthorized access to, and manipulation of, the company’s sensitive information served through the website.
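The TLS 1.3 requirement above is only as good as the server configuration that enforces it. The following is an added example, not part of the original report, that audits two constructed nginx-style server configurations (a weak one that still serves plain HTTP and offers TLS 1.0 to 1.2, and the corrected one beside it) and builds a client-side context that refuses anything below TLS 1.3. The hostnames, file paths and the finding strings are constructed for this example.

```python
"""Check a web-server TLS configuration for legacy protocol versions and build a
TLS 1.3-only client context (added example)."""
import re
import ssl
from typing import List, Tuple

# Everything below TLS 1.3 is treated as legacy, matching the report's policy.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed nginx-style configuration, not Company X's real one. The first
# server block serves plain HTTP without redirecting; the second still offers
# TLS 1.0 through 1.2 alongside TLS 1.3.
WEAK_CONFIG = """
server {
    listen 80;
    server_name shop.example.test;
    root /var/www/shop;
}
server {
    listen 443 ssl;
    server_name shop.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;
}
"""

# The corrected form: port 80 only redirects, and only TLS 1.3 is offered.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name shop.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name shop.example.test;
    ssl_protocols TLSv1.3;
    ssl_certificate /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;
}
"""


def audit_tls_config(config: str) -> List[Tuple[str, str]]:
    """Return (server_name, finding) pairs for every policy violation found."""
    findings = []
    # Top-level server blocks; the samples contain no nested braces.
    for block in re.findall(r"server\s*\{(.*?)\}", config, flags=re.S):
        name_match = re.search(r"server_name\s+([^;]+);", block)
        name = name_match.group(1).strip() if name_match else "<unnamed>"
        listens = [l.strip().split() for l in re.findall(r"listen\s+([^;]+);", block)]
        # A listener is plain HTTP if its port is 80 and the 'ssl' flag is absent.
        plain_http = any(l[0].rsplit(":", 1)[-1] == "80" and "ssl" not in l for l in listens)
        redirects = re.search(r"return\s+30[1278]\s+https://", block) is not None
        if plain_http and not redirects:
            findings.append((name, "plain HTTP listener without redirect to HTTPS"))
        protos = re.search(r"ssl_protocols\s+([^;]+);", block)
        if protos:
            legacy = sorted(set(protos.group(1).split()) & LEGACY_PROTOCOLS)
            if legacy:
                findings.append((name, "legacy protocols offered: " + ", ".join(legacy)))
        elif any("ssl" in l for l in listens):
            findings.append((name, "ssl listener without explicit ssl_protocols (server default applies)"))
    return findings


def strict_client_context() -> ssl.SSLContext:
    """Client-side counterpart: refuse anything below TLS 1.3 and always verify
    the certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for name, finding in audit_tls_config(WEAK_CONFIG):
        print(f"{name}: {finding}")
    print("hardened config findings:", audit_tls_config(HARDENED_CONFIG))
```

Running the audit against the weak configuration reports both the unredirected HTTP listener and the three legacy protocol versions, while the hardened configuration produces no findings; the same check can be run in a deployment pipeline so a later edit cannot quietly reintroduce TLS 1.2.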
Updated Edge Devices
One of the possible causes of the data breach at Company X, which increased its vulnerability to threats, was the use of outdated firewalls and routers. According to Al-Zahawi (2019), all edge devices should be upgraded at short intervals because they are essential entry points to the organization’s networks and servers. As the technology used in IoT devices continues to advance, the IT personnel need to understand the potential security threats that involve the edge devices. Failure to apply the necessary upgrades may render them obsolete and increase the organization’s vulnerability to a security breach.
In Company X, the strategic information security plan will involve upgrading the available units with the latest software and increasing their processing power, storage, and memory so that they can support full deep packet inspection (DPI) and increase visibility into encrypted SSL/TLS traffic. Increased visibility at the edge devices will be achieved through software upgrades that enhance the tracking of all encrypted packets for maximum protection.
Increased DNS Security
As a strategy to enhance DNS security, I will implement Cisco Umbrella’s layered security as a preventive mechanism for all the online domain servers. Notably, incorporating DNS-layer security from Cisco is a significant strategy for blocking attacks before they progress further along the attack chain. According to Choi et al. (2008), by enforcing the DNS layer, Umbrella prevents more than 80% of attacks aimed at destroying the domain’s stability. Additionally, Umbrella can prevent compromised systems from exfiltrating data to botnet infrastructure over the HTTPS protocol. To ensure Cisco Umbrella’s legal implementation, I will advise the necessary stakeholders to purchase the subscription license. Moreover, I will ensure that the communication protocols for device registration with the Umbrella server are supported via HTTPS.
The primary advantage of advocating for the Cisco Umbrella incorporation is to enhance security and policy enforcement at the DNS server level. Additionally, as the administrator, it will be easier to split the DNS traffic and send selected queries to a specific server within the enterprise network. Implementing this framework will also block more than 80% of the attacks channeled through URLs and fake IP addresses (Smith, 2019). Therefore, Company X will reduce the chances of being attacked using information already available on the dark web.
Disk Data Sanitization
As a strategy to ensure maximum network security, I will implement disk data sanitization to erase all old files that are no longer required within the organization. Hard drive shredding ensures. According to Townsend (2019), more than 53% of IT-based organizations do not use professional approaches to destroy old data and confidential information about the organization. I will ensure that old hard drives that contain sensitive information are destroyed beyond repair using hydraulic crushers so that the data cannot be retrieved or reconstructed. Specifically, the destruction level should meet the DoD level of data destruction, which is ten times unrecoverable.
Upgrading the Operating Systems
As the new IT supervisor in Company X, I will ensure that the operating systems of all digital platforms are upgraded to the latest version. Updating the operating systems is a critical step in enhancing information security because the updates usually include patches for vulnerabilities that the developers have fixed. This approach will strengthen the system’s stability and make it easier to implement network security policies. Cyber threats continue to evolve rapidly. Therefore, upgrading the systems is an excellent procedure for ensuring that the network systems have the latest technology to overcome potential threats and malware attacks.
Wireless Network Security
Embracing wireless technology in networking is associated with various benefits, but it may also introduce new threats to the organization. In essence, insecure and poorly configured access points may sabotage the system’s confidentiality by allowing unauthorized access to the organization’s servers. As a strategy to combat threats related to wireless networks at Company X, I will ensure that all rogue access points are terminated immediately. Secondly, I will ensure that all access points are properly configured. Choi et al. (2008) recommend using 802.1X authentication to reconfigure all new access points in the organizational networks. Overwhelming evidence supports this reconfiguration approach because it prevents unauthorized users from connecting their devices to the protected network (Choi et al., 2008). Additionally, it provides a sound platform for authenticating all devices before granting them access to the organization’s server. I will also use the recommended WPA3 and replace the WPA2, WPA, and WEP authentication protocols to enhance the organization’s security infrastructure. Furthermore, I will encrypt and scramble the communications over the wireless network. Notably, most wireless routers and base stations have built-in encryption mechanisms that should be turned on for maximum security.
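Terminating rogue access points and retiring WEP/WPA/WPA2 both start with comparing what is actually on the air against an inventory of the access points the company owns. The following is an added example, not part of the original report, that classifies a constructed Wi-Fi scan against a constructed inventory. Keying the inventory on BSSID (the radio’s MAC address) rather than on SSID is what lets it separate an authorized AP that is merely misconfigured from an unknown radio impersonating the corporate network; every MAC address, SSID and location below is invented.

```python
"""Classify Wi-Fi scan results against an authorized access-point inventory (added example)."""
from typing import Dict, List, Tuple

# Constructed inventory of the company's authorized APs, keyed by BSSID.
AUTHORIZED_APS: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"ssid": "CompanyX-Corp", "location": "Floor 1"},
    "aa:bb:cc:00:00:02": {"ssid": "CompanyX-Corp", "location": "Floor 2"},
    "aa:bb:cc:00:00:03": {"ssid": "CompanyX-Guest", "location": "Lobby"},
}

# Security modes the report wants retired, and the modes it accepts
# (WPA3 with SAE for personal, WPA3 with 802.1X for enterprise).
ACCEPTABLE_SECURITY = {"WPA3-SAE", "WPA3-ENTERPRISE"}

# Constructed scan output in the shape a wireless controller or an `iw scan`
# wrapper would produce: (bssid, ssid, security).
SCAN_RESULTS: List[Tuple[str, str, str]] = [
    ("aa:bb:cc:00:00:01", "CompanyX-Corp", "WPA3-ENTERPRISE"),
    ("aa:bb:cc:00:00:02", "CompanyX-Corp", "WPA2"),      # authorized, still on WPA2
    ("de:ad:be:ef:00:01", "CompanyX-Corp", "OPEN"),      # unknown radio using the corporate SSID
    ("aa:bb:cc:00:00:03", "CompanyX-Guest", "WPA3-SAE"),
    ("12:34:56:78:9a:bc", "CoffeeShop-Free", "OPEN"),    # neighbouring network, not ours
]


def classify_scan(scan: List[Tuple[str, str, str]],
                  inventory: Dict[str, Dict[str, str]] = AUTHORIZED_APS) -> List[Tuple[str, str, str]]:
    """Return (bssid, ssid, verdict) for each observed network.

    Verdicts map onto the actions in the text: reconfigure authorized APs on weak
    security, locate and remove rogue APs, and investigate anything unexplained.
    """
    corporate_ssids = {ap["ssid"] for ap in inventory.values()}
    verdicts = []
    for bssid, ssid, security in scan:
        bssid = bssid.lower()
        if bssid in inventory:
            if inventory[bssid]["ssid"] != ssid:
                verdicts.append((bssid, ssid, "authorized radio broadcasting unexpected SSID: investigate"))
            elif security not in ACCEPTABLE_SECURITY:
                verdicts.append((bssid, ssid, f"authorized AP on weak security {security}: reconfigure to WPA3"))
            else:
                verdicts.append((bssid, ssid, "ok"))
        elif ssid in corporate_ssids:
            # Same SSID as ours but a radio we do not own: an evil twin / rogue AP.
            verdicts.append((bssid, ssid, "rogue AP impersonating corporate SSID: locate and remove"))
        else:
            verdicts.append((bssid, ssid, "unknown network: verify it is not on company premises"))
    return verdicts


def rogue_bssids(scan: List[Tuple[str, str, str]],
                 inventory: Dict[str, Dict[str, str]] = AUTHORIZED_APS) -> List[str]:
    """BSSIDs that need physical follow-up."""
    return [b for b, _, v in classify_scan(scan, inventory) if v.startswith("rogue")]


if __name__ == "__main__":
    for bssid, ssid, verdict in classify_scan(SCAN_RESULTS):
        print(f"{bssid}  {ssid:16}  {verdict}")
```

Run periodically from a fixed sensor or the wireless controller, the same comparison also records when an authorized AP is moved to WPA3, which gives the project plan a measurable completion criterion for the wireless reconfiguration step.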
The Principle of Least Privilege (PLOP)
I will ensure that all IT department staff conform to the PLOP principle to reduce the system’s vulnerability to external attacks. PLOP is a fundamental principle in the information technology arena under which only specific users may access critical systems and sensitive data, and only with the administrator’s permission. This strategy will minimize the risk of hackers gaining access to the organizational database through low-level accounts. Therefore, I will ensure that all end-users in my department have the rights and privileges to access all the organizational applications.
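Least privilege is easiest to enforce, and to audit later, when access is granted through roles rather than to individuals. The following is an added example, not part of the original report, with a constructed role catalogue for a retailer: a default-deny access check, an audit of grants attached directly to accounts outside any role, and an audit of administrative permissions that were never exercised in a log window. The role names, resources, accounts and log entries are all invented for the example.

```python
"""Role-based least-privilege checks and an over-privilege audit (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role catalogue: each role carries only what its duties require.
# 'admin' on a resource is taken to imply read and write on that resource.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "cashier":    {("pos", "read"), ("pos", "write")},
    "accountant": {("finance_db", "read"), ("finance_db", "write"), ("pos", "read")},
    "support":    {("customer_db", "read")},
    "db_admin":   {("customer_db", "admin"), ("finance_db", "admin")},
}


@dataclass
class Account:
    username: str
    roles: Set[str]
    # Grants attached directly to the account, outside any role. These tend to
    # accumulate over time and are the first thing a privilege review questions.
    direct_grants: Set[Permission] = field(default_factory=set)


def effective_permissions(account: Account, roles=ROLE_PERMISSIONS) -> Set[Permission]:
    perms = set(account.direct_grants)
    for role in account.roles:
        perms |= roles.get(role, set())
    return perms


def is_allowed(account: Account, resource: str, action: str, roles=ROLE_PERMISSIONS) -> bool:
    """Default deny: a request succeeds only if a held permission covers it."""
    perms = effective_permissions(account, roles)
    return (resource, action) in perms or (resource, "admin") in perms


def audit_direct_grants(accounts: Iterable[Account], roles=ROLE_PERMISSIONS) -> List[Tuple[str, str, str]]:
    """Direct grants not implied by the account's roles: revoke them or define a proper role."""
    findings = []
    for acct in accounts:
        role_perms: Set[Permission] = set()
        for role in acct.roles:
            role_perms |= roles.get(role, set())
        for resource, action in sorted(acct.direct_grants):
            if (resource, action) not in role_perms and (resource, "admin") not in role_perms:
                findings.append((acct.username, resource, action))
    return findings


def audit_unused_admin(accounts: Iterable[Account], admin_log: Iterable[Tuple[str, str]],
                       roles=ROLE_PERMISSIONS) -> List[Tuple[str, str]]:
    """Admin permissions never exercised in the log window: standing privilege
    that could be removed or converted to just-in-time elevation.
    admin_log holds (username, resource) pairs of administrative actions."""
    used = set(admin_log)
    findings = []
    for acct in accounts:
        for resource, action in sorted(effective_permissions(acct, roles)):
            if action == "admin" and (acct.username, resource) not in used:
                findings.append((acct.username, resource))
    return findings


# Constructed accounts and a constructed log of admin actions for the review window.
ACCOUNTS = [
    Account("alice", {"cashier"}),
    Account("bob", {"support"}, direct_grants={("finance_db", "admin")}),
    Account("dana", {"db_admin"}),
]
ADMIN_ACTIONS_LOG = [("dana", "customer_db")]

if __name__ == "__main__":
    print("direct grants outside roles:", audit_direct_grants(ACCOUNTS))
    print("unused admin permissions:", audit_unused_admin(ACCOUNTS, ADMIN_ACTIONS_LOG))
```

In the constructed data, the support analyst’s direct grant of database administration shows up immediately, and so does an administrator’s standing right on a database they never touched; both are the kind of finding the least-privilege review is meant to surface before an attacker finds them through a compromised low-level account.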
Increased Password Complexity Requirements
As a strategy to enhance security in all user accounts, the IT staff with PLOP access will be required to use strong passwords that combine symbols, letters, and numbers. For instance, they will be required to choose passwords made of characters that they can easily remember but that are impractical for hackers to guess.
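A complexity requirement is only useful if it is checked consistently at the point where the password is set. The following is an added example, not part of the original report, of a policy checker that returns every rule a candidate password fails: minimum length, character-class mix, presence in a common-password list, reuse of the username, repeated characters and simple sequences. The thresholds and the tiny common-password set are this example’s own choices (a real deployment would load a full breached-password list).

```python
"""Password policy check for privileged IT accounts (added example)."""
import re
from typing import List

MIN_LENGTH = 12

# Constructed stand-in for a breached/common-password list. In practice this is
# loaded from a file of known-compromised passwords or checked via a
# k-anonymity lookup service, never hard-coded.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456789012", "qwerty123456", "companyx2024"}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Short keyboard and numeric runs that attackers try early.
SEQUENCES = re.compile(r"(?:0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf)")


def check_password(password: str, username: str = "") -> List[str]:
    """Return the policy rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        failures.append("uses fewer than 3 of: lowercase, uppercase, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common/breached password list")
    if username and len(username) >= 3 and username.lower() in password.lower():
        failures.append("contains the username")
    if re.search(r"(.)\1\1", password):
        failures.append("contains a character repeated three or more times in a row")
    if SEQUENCES.search(password.lower()):
        failures.append("contains a keyboard or numeric sequence")
    return failures


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "alice!Secure2024", "correct-Horse-battery-Staple9"):
        print(candidate, "->", check_password(candidate, username="alice") or "accepted")
```

Returning the full list of failed rules, rather than a single yes/no, lets the enrolment screen tell the user exactly what to change, which is what keeps a stricter policy from pushing staff toward written-down passwords.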
Technical Barriers and Trends of Implementing Data Protection in the Industry
Ostrich Algorithm
The Ostrich algorithm is regarded as one of the potential technical barriers experienced during the implementation of a data protection policy. Notably, it refers to the act of overlooking potential problems on the assumption that they are exceedingly rare (Al-Zahawi, 2019). In other words, the programmer may ignore potential weaknesses when developing network security. This may create a gap that allows attackers to access the organizational network systems.
The complexity of various algorithms constitutes another potential technical barrier. Technology is changing and advancing rapidly. Consequently, IT engineers may not be conversant with all types of new threats, making it difficult for them to establish a suitable firewall. The technicalities in these algorithms also make it a daunting task for engineers to design appropriate network security systems. Lack of knowledge of technical algorithms is regarded as one of the leading challenges in achieving complete data protection.
Misconfiguration Proliferation
Misconfiguration is also regarded as one of the potential barriers that undermine the proper implementation of network security systems. Townsend (2019) estimates that misconfigurations will directly cause 99% of firewall breaches by 2023. Additionally, more than 50% of enterprises will be exposed to vulnerabilities related to IaaS storage and network breaches due to misconfigurations (Townsend, 2019). This barrier is closely related to existing gaps in management and knowledge acquisition. Notably, firewalls are becoming more complex in design. According to the State of the Firewall Report, 33% of respondents acknowledged using more than 100 firewalls, whereas 12% affirmed that they used more than 500 (Firemon, 2020). Additionally, most IT practitioners are not conversant with artificial intelligence. Consequently, misconfiguration adversely impacts the process of implementing data protection frameworks in an organization.
Lax Control of Privileged Access
Privileged access is rapidly becoming one of the most preferred routes for hackers to reach sensitive information, using existing credentials rather than attacking the servers directly. According to Firemon (2020), 74% of network breaches occur through privileged access. This is because most organizations shift their data protection approaches to firewall management and overlook the potential threats from privileged access. Consequently, this mistake leads to too many users holding privileged access. As a strategy to mitigate this type of breach in Company X, I will leverage automation to reduce accidental errors from misconfigurations.
Adoption Considerations
Alignment of Technology with Goals
One of the key considerations in implementing the information security plan at Company X will be ensuring that all technological resources are in tandem with the organizational mission and vision. In essence, the team will be less concerned with the brand but will concentrate on technological infrastructure that supports the company’s objectives and strategic plan. Notably, the primary goal of Company X will be to ensure the confidentiality of personal information of the employees and that of its customers. This approach will strengthen the integrity of the process by ensuring that the company is committed to protecting its customers following the legal requirements for domestic and international markets.
Good Adoption of New Technologies by Both End-Users and Stakeholders
As a competent IT supervisor, I will ensure that the company integrates the latest technology that meets the minimum threshold for data protection implementation. For instance, the company will integrate artificial intelligence and machine learning to enhance deep learning by both end-users and stakeholders. Additionally, automation of protocols will be necessary to minimize potential data breaches that may expose confidential data to unauthorized users.
New Technologies that Conform to the Full Current Systems Analysis
The company will embrace new technologies that conform to the full requirements of the current systems analysis. Fundamentally, the process will be executed in four distinct phases. The first phase will be planning, where all stakeholders’ opinions and perspectives will be embraced for inclusivity (Albuquerque Junior & Santos, 2015). The second phase will be analysis, where all the collected information and ideas are analyzed for strategic decision-making. The third phase will be design, where the engineers will be brought together and taken through intensive research and development to develop a technological infrastructure that meets the organizational needs. The fourth phase will be implementation, where the newly designed security infrastructure is put into practice. Fig 1 below illustrates the process.
Fig 1: Process for Current System Analysis in Company X
Disciplined Monitoring and Course Correction
Implementing the new technological infrastructure will follow all the legal procedures and include licensing and obtaining patents for newly developed software. As a leader in Company X’s IT department, I will embrace transformational leadership and allow the team members’ participation in strategic decision-making regarding the new technologies. The employees will also be trained on the new technology’s usability to ensure competence and professionalism in interaction with the new system.
Consideration of Employee Perspective
Conflict and resistance may be experienced in the attempt to transform the organizational culture at Company X. I will strive to avoid conflict in implementing new technology by inviting employees’ participation in the design and implementation of the new technology. According to Hamza (2017), many data protection barriers are caused by a lack of adequate collaboration. In the context of Company X, I will strive to foster collaboration by focusing on strict adherence to information security policies and the sharing of ideas. I will also maintain constant communication with the employees and consultants from other departments to make network security a holistic aspect of Company X.
Technologies to Improve Security in Each Area
Wired Networks
One of the key strategies to enhance the security of wired networks is auditing and mapping. This approach will improve understanding of the existing network infrastructure and allow the necessary physical security to be allocated to avoid vandalism. Ethernet cables will be used to distribute the network to desktop computers. Additionally, network auditing is a critical strategy for enhancing accountability for all the hardware and software components running in the computer systems. According to Choi et al. (2008), auditing and mapping are essential in the WLAN security policy. The wired networks need to be audited for rogue hardware components and all access points. In the context of Company X, I will use specialized instruments like AirSnort for WEP cracking and auditing to identify weak keys, WEP security settings, and key reuse. The process entails checking which devices are connected to which network. I will also check all the operating systems and monitor the user accounts while adhering to the established privacy regulations.
Faster wired network devices such as switches, firewalls, routers, and bridges will be kept up to date with firmware patches to improve the information security outcomes. As a strategy to protect the devices, they will be stationed in one room with qualified security personnel from a recognized security firm to avoid possible security gaps. Furthermore, all the devices connected to the organizational servers and networks will undergo rigorous MAC address filtering to prevent unauthorized machines from accessing the networks. Additional VLANs will also be incorporated to segregate the network traffic.
Wireless Networks
Various opportunities follow the availability of wireless networks due to increased accessibility of information resources. However, if the network is not well secured, it may adversely impact organizational security. Notably, the process of wireless network configuration is faster and less costly. Although wireless networking may introduce some threats, the overall objective for Company X will remain the same as for wired networks.
One of the notable technologies to enhance security for the wireless networks will be implementing Wi-Fi Protected Access 3 (WPA3). The WPA3 protocol provides advanced security features like perfect forward secrecy. Moreover, it allows individualized data encryption rather than the shared password used under the WPA2 protocol (Albuquerque Junior & Santos, 2015). Additionally, the WPA3 protocol prevents unauthorized users from offline password guessing. It also has a built-in encryption feature that will guarantee the privacy of the internal systems.
Additionally, I will deploy anti-virus and anti-spyware software to enhance the security of the internal networks. According to Choi et al. (2008), most computers connected to a wireless network need the same protection as those connected to the internet. Therefore, installing anti-spyware and anti-virus software will be a significant strategy for protecting against malicious attacks.
Data Storage
Encryption will be used as the primary approach to safeguarding the information in the backup storage platforms, whether cold, warm, at rest, or in transit. Fundamentally, full encryption will be used for all servers and for the information held on desktops and laptops. Moreover, Linux-based cloud storage will be used to store massive amounts of data. The company will further implement layered security to ensure unauthorized users do not access the information stored in the cloud storage. The data stored on physical SSDs and HDDs will be physically guarded in a strong room.
Network-attached storage (NAS) will also enhance network security by providing secure data storage against potential attacks. I will ensure that the data stored on this platform is encrypted using strong cryptography to secure sensitive data. In essence, any unauthorized intrusion into the organizational NAS storage system will not yield human-readable data. Backups using NAS are done without the help of super-user access (Smith, 2019). This will ensure that the backup available on this storage system is useful in case of any attack and loss of information on the online system. The primary objective of securing data on this platform is to address a data breach while preserving the flexibility and organizational performance standards.
End-User Access
As a strategy to control the security of all devices and the network servers, Company X will embrace the 2FA/MFA authentication strategies to strengthen information security. For instance, when accessing the desktop, Office 365 e-mail, and critical servers, all users will be compelled to provide physical proof to verify their identities. Yubico security keys will be implemented for all end-user access to minimize possible attacks and enhance the system’s security.
Budget
An excellent information security budget and expenditure should aim at improving the security outcomes within an organization. In other words, the primary building block of a profound cybersecurity approach should be reflected in a budgeting process.
Item/Activity | Expenditure |
Artificial Intelligence/Machine Learning Configurations | $100000 |
End-User Training | $200000 |
Purchase and update of latest Routers | $5000 |
High-quality Ethernet Cables | $1000 |
Cisco Umbrella’s certification | $850 |
Anti-virus and anti-spyware | $1000 |
Human Security Wages | $200000 |
Software applications purchase and upgrade | $5000 |
Edge device upgrade | $8000 |
Professional Disk Data Sanitization | $700 |
Firewall installation & configurations | $1500 |
Network Auditing & Mapping | $1500 |
HTTP SSL Certification | $800 |
Maintenance Cost | $10000 |
Miscellaneous | $10000 |
Total | $545350 |
Table 1: Estimated Budgetary Requirement for Improving Information Security in Company X
Project Management Plan
Task Name | Approx. Duration | Month 1 | Month 2 | Month 3 | Month 4 | Month 5 | Month 6 | Month 7 |
1.Planning and setting information security goals | 1 month | |||||||
2. End-User Training | 1 month | |||||||
3. Purchase of hardware/software applications | 3 weeks | |||||||
4. AI/ML configurations | 1 week | |||||||
5. Wired Networks Auditing and Mapping | 2 weeks | |||||||
6. Wireless Network Auditing and Mapping | 2 weeks | |||||||
7. Disk Data Sanitization | 1 week | |||||||
8. Data Encryption | 1 week | |||||||
9. Cisco Umbrella Layered Security implementation/certification | 2 weeks | |||||||
10. Updating Edge devices | 2 weeks | |||||||
11. Introduction of PLOP | 1 week | |||||||
12. Evaluation of data policy & Maintenance | 1 month |
Table 2: Project Management Plan for Improving Information Security in Company X
The first phase of project management implementation will involve rigorous planning and consultation to identify the existing gaps within Company X. Ideally, the process will take a whole month as I seek the company X employees’ ideas regarding possible areas that exhibit gaps in information security. I will also take time to investigate the primary causes of the breach that led to the leakage of sensitive information on the dark web.
After identifying the areas that need intervention, the second activity will be training the end-users regarding the mitigation strategies to improve information security in the Company. This strategy will play an integral role in understanding various technologies that will be installed and enhance user-friendliness. One of the primary barriers to implementing an information security project emanates from a lack of adequate knowledge or understanding of various procedures in enhancing information security. Additionally, training them at the inception of the project is necessary to minimize chances or resistance.
After training the end-users, I will proceed with the procurement of all the necessary hardware and software applications for improving information security within the organization. The process is expected to take a maximum of three weeks because of a rigorous procurement procedure. In essence, a budget will be submitted to the organization’s financial department for approval before proceeding with identifying relevant suppliers and distributors.
In the third month, the project manager’s primary activity will be integrating artificial intelligence and machine learning into the security systems. This process will involve configuring all the access points and automation to enable detection and mitigation of possible areas of leakage. As discussed earlier, AI/ML configurations will facilitate the detection of cyber threats and the application of possible remedies to avoid unauthorized access to the Company’s sensitive information.
The fifth procedure will involve mapping and auditing all the ethernet pathways to ensure no unauthorized access points go undetected. Mapping and auditing will also strengthen the process of identifying rogue hardware components that threaten the organization’s network security. The same procedure will also be executed for wireless networks to ensure maximum security of all access points. The mapping and auditing of the wireless and wired networks will take 2 weeks each.
The next procedure will be disk data sanitization, where the old storage devices will be crushed beyond recovery. This strategy will ensure that all the sensitive information regarding the Company is professionally shredded to avoid it landing in the hands of unauthorized people who may use the information to sabotage the operations within the organization. The process will take one week because it will involve sorting the hard disks that require sanitization.
After disk data sanitization, the selected team will also conduct encryption of the wireless networks and stored information to reduce the chances of compromising the system if the information is accessed by unauthorized personnel. The encryption process is estimated to take a whole week. I will also mobilize the team to implement Cisco Umbrella’s layered security to secure the information on DNS servers. The next procedure will be updating and upgrading all the edge devices. This procedure will be essential in replacing old and vulnerable devices that may be used to penetrate the organization’s system.
The next procedure will be granting privileged access to the IT administrators tasked with altering the company’s existing information. The final procedure will be the evaluation of the information security plan and maintenance. Fundamentally, the entire procedure is estimated to take 7 months from the date of its inception.
Conclusion
In conclusion, the initiative’s success in improving information security within Company X is profoundly dependent on all the end-users and stakeholders’ cooperation in implementing the new technology. Notably, the advancement of technology in AI/ML will significantly help the organization address the existing security breach. Although barriers may exist in the implementation process, training the end-users at the inception of the program will profoundly increase their knowledge and help them develop a remarkable attitude to the change process. While it may be impossible to address all the security threats, implementing the proposed procedures will significantly improve the information security for Company X.
References
Albuquerque Junior, A. E., & Santos, E. M. (2015). Adoption of information security measures in public research institutes. Proceedings of the 12th CONTECSI International Conference on Information Systems and Technology Management, 12(2). https://doi.org/10.5748/9788599693117-12contecsi/ps-3155
Al-Zahawi, O. S. (2019). Information security handbook for ISO 27001 controls. UR Academy.
Choi, M., Rosslin, J., Robles, R. J., Hong, C., & Kim, T. (2008). Wireless Network Security: Vulnerabilities, Threats, and Countermeasures. International Journal of Multimedia and Ubiquitous Engineering, 3(3). https://www.researchgate.net/publication/228864040_Wireless_Network_Security_Vulnerabilities_Threats_and_Countermeasures
Chopra, A., & Chaudhary, M. (2019). Implementing an information security management system: Security management based on ISO 27001 guidelines. Apress.
Firemon. (2020, September 16). Network security threats & challenges | Vital IT security issues. FireMon. https://www.firemon.com/network-security-threats-challenges/
Hamza, M. (2017). Exploring barriers and pathways to data protection by design within IT companies. https://www.diva-portal.org/smash/get/diva2:1154866/FULLTEXT01.pdf
Smith, R. E. (2019). Elementary information security. Jones & Bartlett Learning.
Townsend, K. (2019, November 13). ‘State of the firewall’ report: Automation key to preventing costly misconfigurations. SecurityWeek. https://www.securityweek.com/state-firewall-report-automation-key-preventing-costly-misconfigurations