May 27, 2023 6 min read

Government and Commercial Security Issues

Cybersecurity and information security risks are those that present a potential threat or vulnerability to information systems used in government and commercial organizations. These risks can arise from a variety of sources which can be categorized as internal and external threats. Security issues for modern organizations in the government and private sector involve a variety of threats such as system malfunction, insider threats, human error, cyber attacks, data breaches, organized crime, espionage and hacktivists.

The significance of addressing cybersecurity and information security risks cannot be overstated as organizations become more heavily reliant on technological solutions. As more technology is integrated within an organization, the number of potential malfunctions and attack vectors that threat actors can leverage in an attack increases. This can result in the loss of classified information, proprietary information, trade secrets and sensitive information about customers such as personally identifiable information (PII).

In order to address these security issues properly organizations must hire qualified security professionals who can implement security countermeasures, stay up to date with the latest trends and teach others about cybersecurity and information security best practices. This includes developing robust security policies, creating layered security controls, conducting risk and vulnerability assessments and providing accurate threat intelligence (FBI, 2016).

Types of cybersecurity and information security risks

As illustrated above, there are numerous technology-related risks, threats and vulnerabilities which can present themselves to organizations in both the government and private sector. The types of risks, threats and potential vulnerabilities will vary depending on the organization type, status, size and purpose. For example, large corporations will usually experience a higher risk of being targeted by cyber criminals for financial gain, whereas government organizations are more often targeted by state-sponsored or state-directed threat actors for the purpose of cyber espionage.

For this report, risks, threats and vulnerabilities will be categorized into two types: internal and external. Internal threats are those which arise from within the organization and can be accidental or intentionally malicious. One example of accidental risk from an internal source is a system malfunction resulting from a misconfigured system. Untrained personnel may unintentionally misconfigure an information system such as a mission critical server. A simple example of this would be not properly cooling the device, causing it to overheat and shut down. A more technical example would be misconfiguring quality of service (QoS) settings so that mission critical functions are deprioritized. Other internal risks can include insider threats who intentionally undermine the organization, a lack of security awareness training and individuals susceptible to social engineering (IBM, n.d.).

External sources can be defined as those risks, threats and vulnerabilities which arise outside of the organization. This can range from targeted attacks to regional emergencies such as natural disasters and civil unrest. An example of a targeted external threat would be a cybercrime organization that installs crypto-malware onto an organization’s network and demands ransom payments to decrypt the devices. Another example is state-sponsored advanced persistent threat (APT) groups which target a government organization in order to acquire classified information about technology with potential military applications. Other external threats include hacktivists, who commonly seek to briefly disrupt or discredit organizations they disagree with, and individual cyber criminals, who usually act on opportunistic projects for financial gain.

Impact of Security Incidents on Government and Commercial Organizations

Depending on the type of organization in question, there are numerous impacts which can derive from a security-related incident. The first is the disruption of essential tasks or operational functions of the organization. When an organization experiences a cyber attack or breach, this usually has a negative impact on mission critical functions such as communication, operations and technology-based activities. In a business this may include processing payments, communicating with employees and managing order fulfillment. In a government organization this may involve communication with personnel in the field, command & control mechanisms and operating defense-related technology.

In addition to the disruption of operational capacity organizations also experience other damages such as financial loss, loss of sensitive information, reduction in operational security and reputation damages. For a private corporation this may include a loss in brand authority which results in lower revenue or a loss of trade secrets or proprietary information. For government organizations an incident may result in a reduction of public trust, loss of classified information and increased risk for personnel operating in hostile regions.

In addition to the direct impacts associated with security-related incidents, there are numerous indirect and unforeseen negative impacts which can arise. The first of these are the national security implications of security incidents that occur in government organizations or companies contracted with the government on defense-related projects. An example which illustrates this is the 2014 security breach of the Office of Personnel Management, attributed to the People’s Republic of China (PRC), which resulted in the loss of PII on more than 20 million government employees who currently hold or have held a security clearance. The negative implications of this incident and similar events are likely unmeasurable and will continue for many decades.

In addition to the above listed impacts, there is the potential for much larger and more widespread effects. When the public loses trust in their government’s ability to protect their way of life and in corporations’ ability to protect their data, this can lead to the destabilization of society. Industries such as eCommerce, which has grown into a multi-trillion dollar global market, only function properly if a large majority of people continue to conduct online transactions. Successful cyber attacks and security breaches result in a lack of trust in the institutions necessary for society to function properly.

Countermeasures to Mitigate Cybersecurity and Information Security Risks

While the threat of cybersecurity-related incidents is on the rise, there are numerous countermeasures being developed which can mitigate and even prevent some of the risks associated with using technology. Some of the countermeasures being implemented include security policies & procedures, industry regulations, layered security architecture and a variety of security control mechanisms such as access control, authentication and intrusion detection.

Regulations and frameworks such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), NIST Cybersecurity Framework and the ISO/IEC series provide a blueprint for securing organizations across various industries. Regulation ensures that private organizations use the best security practices when collecting, transmitting and managing sensitive consumer data such as health information, financial data and PII.

Industry standards such as PCI DSS and the Information Security Management System (ISMS) provide best practices for specific industries that are at a higher risk of experiencing a security-related incident. Organizations such as banks, payment processors and credit unions that deal with sensitive financial data for their customers can leverage industry standards which provide a framework of best practices for protecting their organization. In some instances it may be advantageous to develop enforceable government regulations that guarantee certain practices for the benefit of society.

Additionally, internal policies, procedures and security controls can provide layered security mechanisms which can prevent both malicious and accidental data breaches. Policies and procedures can provide employees and personnel with guidance and best practices for operational duties. An example of this is implementing a routine IT audit schedule where trained security professionals inspect the company's digital infrastructure for risks, vulnerabilities and other potential problems. Or a company can provide policies and procedures on other aspects of security such as incident response and disaster recovery plans (NIST, 2023).

In conjunction with policies and procedures, an organization may implement security controls. These are administrative, operational, physical and technical mechanisms that prevent, detect and deter threats and assist with operational recovery in the event of a cybersecurity incident. Examples of security controls are the use of authentication or the implementation of an intrusion detection and prevention system (IDPS). Policies, procedures and security controls can be designed to fit the needs of the organization to provide maximal security against common threats in their industry.

Conclusion

Government and commercial organizations today are faced with a multitude of internal and external risks which can lead to financial damage, loss of privacy and damage to national security. As organizations adopt the use of information technology, the risk of experiencing a cybersecurity incident dramatically rises. The impact of a cyber attack or data breach can be devastating for government organizations, businesses, individuals and society as a whole. There are many countermeasures which can be employed to mitigate and protect against internal and external threats. Through a layered security approach consisting of policies, procedures and a variety of security controls, organizations can safely conduct essential functions and significantly decrease the risk of utilizing information technology.

References

A Primer on DarkNet Marketplaces. (Federal Bureau of Investigation)

Cost of a data breach 2022. (IBM)

NIST Cybersecurity Framework 2.0 Concept Paper. (NIST)

The Ultimate Guide to eCommerce Security. (Net Solutions)

What Is a Threat Actor. (CrowdStrike)

What is social engineering. (IBM)
