Hacking the AIS
As more businesses lean on technology to support their operations, unexpected challenges are emerging in the technological environment. Hackers, whose identities in most incidents remain unknown, have become a major threat to the operations of most businesses. In November 2013, a cyber-attack on Target Company threatened to throw the company into a financial crisis, coupled with a loss of confidence from the majority of its customers. The cyber-attack on Target Company resulted in over 40 million customer accounts being compromised (Ziobro, 2014). Hackers were able to obtain sensitive cardholder information following the attack. The attack was discovered three months later and resulted in the loss of customers’ money.
Target Company bears a huge responsibility in terms of the effectiveness of its response to the security breach. Reports indicate that Target’s security team had earlier learnt of a breach in its system but downplayed the security warnings (Ziobro, 2014). The lack of follow-up gave the hackers the upper hand, allowing them to access sensitive data on millions of customers’ cards. Intruders had managed to find their way into the company’s system, where they installed malware. This occurred on November 12, 2013. The company’s security system detected some of the hackers’ activities; a quick follow-up might have enabled the company to stop the hackers. Due to the slow response, the company bears full responsibility for the security breach.
Software providers have limited roles as far as security breaches are concerned. From a legal standpoint, hackers bear the greatest responsibility, although in most cases they remain anonymous (Remenyi, 2008). Since it is difficult to identify hackers, the end-user comes second in terms of responsibility. According to the law, it is the duty of the end-user, such as Target, to put in place adequate countermeasures to ensure that data is not compromised. The end-user must continually update the accounting software to match new product definitions at its own cost, and must acquire new versions at its own cost. The end-user also contributes towards the correction of any faults in the product. In connection with this, the end-user bears all the cost of security breaches that may occur with the software (Remenyi, 2008). This clearly shows that the role played by software providers may have been sidelined.
While making a purchase, the end-user is required to sign an agreement stating that they accept the terms and conditions of the software provider. Most of these agreements distance the software provider from any liability in case of a security breach. The current laws do not hold software providers responsible for security breaches suffered by the end-user. Part of the problem is that there are currently no set standards defining the security and efficacy of software provided by third parties (“International Council of E-Commerce Consultants”, 2010). It is thus difficult to hold software providers responsible for all the vulnerabilities found in an accounting information system. The software provider in Target’s case has little responsibility, since it was negligence on the part of the company that resulted in the security breach. However, had the accounting information system had significant faults, the company could have held the software provider responsible for the security breach.
There is a need for more regulation to prevent hacking of businesses. When hacking occurs, much of the blame is passed to the end-user, who may not be in any way responsible for the attack. The current legal framework overlooks the potential liability software providers carry for delivering poor-quality products. The role of the software provider needs to be revisited, with more emphasis placed on the quality of the software they provide. Stringent measures should be introduced to ensure that software providers are held accountable for security breaches involving their software. These measures should be aimed at encouraging software providers to improve the security of their software without placing too much pressure on them. As such, software providers should only be held responsible for security breaches that, according to an independent oversight body, could have been avoided (“International Council of E-Commerce Consultants”, 2010).
A number of analysts have suggested the above as a suitable approach to creating additional regulation. As software and technology advance, new opportunities for hackers to access data also emerge. Unscrupulous software developers may provide poor-quality products to end-users without their knowledge. It is difficult for users to know how a product was developed, or whether all quality standards were met by the provider (“ECIWS” & Remenyi, 2008). In addition, the end-user may not know whether the product was tested and whether it met the specified requirements when tested. Additional regulation that places more responsibility in the hands of the developer may encourage them to produce software that is less susceptible to cyber attacks. This would improve the security of business accounting systems.
There are a number of ways businesses can secure their systems against hackers. Businesses should regularly update their information systems’ firewalls and ensure limited access to sensitive areas (Ryckman, 2012). Regularly updating software reduces the chances of a malware attack on the company’s system. In addition, the business should acquire new versions of software that are less vulnerable to attack. Firewalls are specially designed to prevent outside attacks on a business’s computer network. They also keep internal connections in check, preventing internal users from accessing unauthorized data. Firewalls also enable encrypted communication with remote offices in far-off locations, and have the added advantage of being able to terminate sessions. Outdated firewalls are easily susceptible to malware attacks from hackers. These measures can tremendously improve a business’s network security.
Businesses should invest resources in educating their employees about the common tricks hackers use to gain access to sensitive company data (Ryckman, 2012). The majority of cyber attacks target employees, who easily fall prey to the hackers’ tricks. Hackers are able to use encrypted emails that contain harmful malware. Once they send these emails to employees through phishing, they gain access to the company’s data when employees open the emails. Reports indicate that in most cases, malware enters the computer system when employees click dubious email links and attachments. These attachments contain harmful malware that is then installed on the computers or laptops. Employees should be taught how to create strong passwords that cannot easily be cracked by hackers. Businesses must provide employees with the right training as well as the resources to help them manage cyber crime issues effectively.
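The paragraph above describes malware arriving through dubious email links and attachments. The following is an added example (not from the original essay or any product it cites) of the kind of screening a mail gateway can apply before such a message reaches an employee: it flags executable and double-extension attachments, macro-enabled documents, links to bare IP addresses, and links whose host lies outside the sender’s domain. The policy values, the domain-mismatch heuristic and the sample messages are all constructed assumptions for this illustration.

```python
"""Mail-gateway screening of constructed sample messages (added example).

Policy values and sample messages are assumptions made for this illustration;
a real gateway would take them from its configuration.
"""
import re
from pathlib import PurePosixPath

# Constructed policy: extensions that should never arrive as attachments,
# macro-enabled Office formats worth a warning, and common document types.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".jar"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def attachment_findings(filename: str) -> list:
    """Return the policy findings for one attachment file name."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    findings = []
    if not suffixes:
        return findings
    last = suffixes[-1]
    if last in BLOCKED_EXTENSIONS:
        findings.append(f"executable attachment: {filename}")
        # "invoice.pdf.exe": a document extension hiding an executable one
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension: {filename}")
    elif last in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled document: {filename}")
    return findings


def link_findings(sender: str, body: str) -> list:
    """Flag links to bare IPv4 addresses and links whose host is not under the
    sender's domain (a heuristic assumption, not proof of phishing)."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    for host in URL_HOST_RE.findall(body):
        host = host.lower()
        if IPV4_RE.match(host):
            findings.append(f"link to bare IP address: {host}")
        elif not (host == sender_domain or host.endswith("." + sender_domain)):
            findings.append(f"link host outside sender domain: {host}")
    return findings


def screen_message(message: dict) -> dict:
    """Combine attachment and link checks into a quarantine/deliver verdict."""
    findings = link_findings(message["from"], message["body"])
    for name in message.get("attachments", []):
        findings.extend(attachment_findings(name))
    verdict = "quarantine" if findings else "deliver"
    return {"subject": message["subject"], "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "payroll@corp.example", "subject": "Payslip",
     "body": "Your payslip is at https://hr.corp.example/payslip",
     "attachments": ["payslip_march.pdf"]},
    {"from": "accounts@corp.example", "subject": "Overdue invoice",
     "body": "Open the invoice now: http://203.0.113.7/inv",
     "attachments": ["invoice.pdf.exe"]},
    {"from": "vendor@supplier.example", "subject": "Updated price list",
     "body": "See attached.", "attachments": ["prices_q2.xlsm"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(screen_message(msg))
```

Running the block quarantines the second and third constructed messages and delivers the first. The checks are deliberately simple and produce false positives (legitimate mail from a partner routinely links to hosts outside the sender’s domain), which is why a gateway verdict of this kind is best paired with the employee training the paragraph recommends rather than relied on alone.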
Businesses should also restrict access to information among employees. Access control gives an employee authority to access only the information they need, depending on their job description (Ryckman, 2012). In case an employee needs to access information that is inaccessible to them, the system prompts them to submit an application to the helpdesk. There are various types of controls, including physical access controls, logical controls and discretionary access controls, among others. Physical access controls involve the use of physical barriers to keep unauthorized persons away. Logical access controls involve the use of passwords, account restrictions and group policies. Employees may not support such controls, but it is important to educate them on their importance. Most businesses restrict access to social media sites, as they have been shown to be a source of malware and viruses (Ryckman, 2012).
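The access-control scheme the paragraph above describes, as an added example that is not part of the original essay: a deny-by-default logical control in which each role is permitted only the resources its job needs, a denied request is turned into a helpdesk ticket, and a discretionary path lets a resource’s owner share it with a named colleague. The roles, resources, owners and employee names are constructed assumptions for this illustration.

```python
"""Deny-by-default access control with a helpdesk request path (added example).

Roles, resources, owners and employees below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role -> resources map: each role sees only what its job needs.
ROLE_PERMISSIONS = {
    "cashier": {"pos_terminal"},
    "accountant": {"general_ledger", "accounts_payable"},
    "security_analyst": {"ids_alerts", "firewall_logs"},
}


@dataclass
class AccessControl:
    employees: dict                                  # employee id -> role
    owners: dict = field(default_factory=dict)       # resource -> owning employee
    grants: set = field(default_factory=set)         # (employee, resource) shared by an owner
    helpdesk_queue: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)    # every decision is recorded

    def check(self, employee: str, resource: str) -> bool:
        """Allow only if the role permits the resource or an owner explicitly
        shared it; unknown employees and unknown resources are denied."""
        role = self.employees.get(employee)
        by_role = resource in ROLE_PERMISSIONS.get(role, set())
        by_grant = (employee, resource) in self.grants
        allowed = employee in self.employees and (by_role or by_grant)
        self.audit_log.append((employee, resource, "ALLOW" if allowed else "DENY"))
        return allowed

    def request(self, employee: str, resource: str) -> str:
        """Return 'granted', or queue a helpdesk ticket and return 'denied'."""
        if self.check(employee, resource):
            return "granted"
        self.helpdesk_queue.append({"employee": employee, "resource": resource})
        return "denied"

    def share(self, owner: str, employee: str, resource: str) -> bool:
        """Discretionary control: only the resource's owner may share it, and
        only with a known employee."""
        if self.owners.get(resource) != owner or employee not in self.employees:
            return False
        self.grants.add((employee, resource))
        return True


if __name__ == "__main__":
    ac = AccessControl({"alice": "accountant", "bob": "cashier"},
                       owners={"budget_forecast": "alice"})
    print(ac.request("alice", "general_ledger"))   # granted by role
    print(ac.request("bob", "general_ledger"))     # denied, ticket queued
    print(ac.share("alice", "bob", "budget_forecast"), ac.check("bob", "budget_forecast"))
    print(ac.helpdesk_queue)
    print(ac.audit_log)
```

The audit log records denials as well as grants; a burst of DENY entries for one account is exactly the kind of signal the paragraph on monitoring further down asks businesses to watch for.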
Cyber attacks have become increasingly common, leading to huge losses. Businesses should put in place adequate monitoring systems to reduce the risk of a security breach. Cyber attacks are targeted not only at big businesses but also at small companies, which are more vulnerable due to a lack of adequate monitoring systems. End-users of software often bear the greatest responsibility in case of a security breach. There are a number of proposals meant to increase the level of responsibility of software providers in case of security breaches. Software providers will bear the risk when it becomes apparent that the security breach could have been avoided. Nonetheless, businesses should put in place adequate measures to reduce the incidence of cyber attacks.
European Conference on Information Warfare and Security, & Remenyi, D. (2008). Proceedings of the 7th European Conference on Information Warfare and Security. Reading: Academic Pub.
International Council of E-Commerce Consultants. (2010). Ethical hacking and countermeasures. Clifton Park, NY: Course Technology, CENGAGE Learning.
Ryckman, P. (2012, June 13). Owners May Not Be Covered When Hackers Wipe Out a Business Bank Account. The New York Times, p. 1A.
Ziobro, P. (2014, March 13). Target Didn’t Follow Up After Hackers Tripped Its Security System. The Wall Street Journal, p. 1A.