1. Why Organization are heavilyreliant on information system Aninformation system can be defined technically as a set of interrelated componentsthat collect (or retrieve), process, store, and distribute information tosupport decision making and control in an organization. In addition tosupporting decision making, coordination, and control, information systems may alsohelp managers and workers analyze problems, visualize complex subjects, andcreate new products. Information systems contain information about significantpeople, places, and things within the organization or in the environmentsurrounding it. By information we mean data that have been shaped into a formthat is meaningful and useful to human beings. Data, in contrast, are streamsof raw facts representing events occurring in organizations or the physicalenvironment before they have been organized and arranged into a form thatpeople can understand and use. (Kenneth C Laudon, Jane P Laudon, 2017)Thedefinition of an information system is based on the more general concept ofwork system.
Businesses operate through work systems. Typical businessorganizations contain work systems that procure materials from suppliers,manufacture physical and/or informational products, deliver products tocustomers, find customers, create financial reports, hire employees, coordinatework across departments, submit tax payments, and perform many other functions.A work system is a system in which human participants and/or machines performwork (processes and activities) using information, technology, and otherresources to produce specific products and/or services for specific internal orexternal customers.
Aninformation system is a work system whose processes and activities are devotedto processing information, i.e., capturing, transmitting, storing, retrieving,manipulating, and displaying information. Thus, an information system is asystem in which human participants and/or machines perform work (processes andactivities) using information, technology, and other resources to produceinformational products and/or services for internal or external customers. (Alter, 2008)Nowdays, organizations are heavily relying on information system for gettingsuccess in business and also people’s life style are changing rapidly as wecan’t stand without information system in our daily life. Wirelesscommunications, including computers and mobile hand-held computing devices, arekeeping managers, employees, customers, suppliers, and business partnersconnected in every way possible.
Email, online conferencing, the Web, and theInternet, are providing new and diverse lines of communication for allbusinesses, large and small. Through increased communication channels anddecreased costs of the communications, customers are demanding more ofbusinesses in terms of service and product, at lower costs. E-commerce ischanging the way businesses must attract and respond to customers.Thefollowing facts are reason why information system is so essential to theorganizations,1Economic Importance:Eventhough the cost of installation and maintenance of an information system quitehigh (depends upon kind of system) in the beginning, but in due course thecosts drop and appears fair deal when compared to kinds of benefits enjoyedwith the help of it. Also with the passage of time cost of information systemstends to decrease, whereas, costs of its substitutes (for instance labour) hasbeen historically tends to rise (Laudon, 1990). Furthermore, informationsystems use networks, which help an organization to reduce the transactioncosts, by making it worthwhile for organization to contract external suppliersinstead of using internal resources. 2.
Information Systems Improve Performance:InformationSystems are designed to improve the overall efficiency and effectiveness of aprocess. The information systems speed up the process and reduce the time byremoving non-value adding steps in the operation. For instance, Citibankdeveloped the Automatic Teller Machines and Bank Debit Cards in 1977( Laudonand Laudon 9th Ed.).
It made financial transactions easy and was a hugesuccess. Further, banks continued to innovate and these days with the help ofreliable and secure information systems from TEMENOS, Infosys, Oracle etc, mostof the customer can do majority of transaction from their home computer or evenfrom mobile telephone. Moreover, information systems provide real timeinformation which reduces the scope of errors, hence, increases the quality ofthe output of the process.3.Importance in Decision Making:InformationSystems provides the tools for managers enabling them to monitor, plan andforecast with more precision and speed then ever before. They also enablemanagers to respond more rapidly and adapt swiftly to the fast changingbusiness environment. The Decision Support Systems can significantly improveresults both on quantitative and qualitative fronts. For instance, there arearound 142 million employees working in United States generating $12.
2 trillionof Gross Domestic Products. If the decision making quality of these employeescould be improved by just 1% in a year the GDP might be expand substantially. 4.
Organizational Behavior Change:Behavioralresearches illustrate that information systems facilitate flattening ofhierarchies by broadening the distribution of information to empowerlower-level employees. It pushes the decision making rights to the lower levelin the organization as the lower level employees receives the information theyneed to make decisions eliminating the need of middle managers. This also leadsto the reduction is the administrative costs of the organization. 2. Various types of security threats toany information system of an organization.
Thefollowings are types of security treats to information system;a) Malicious software: Viruses, Worms,Trojan Horses and SpywareMalicioussoftware programs are referred as malware and includes a variety of threats,such as computer viruses, worms, and Trojans. A computer virus is malware thatattaches to other software or files. data to execute, usually without theknowledge or permission of the user. Worms, which are standalone computerprograms copied from one computer to another on a network. Unlike viruses,worms can work alone without connecting to other computer program files andrelying less on human behavior to spread from one computer to another.
A Trojanis software that seems to be benign, but does something different thanexpected. The Trojan itself is not a virus because it does not replicate, butit is often a way to introduce viruses or other malicious code into a computersystem. Spyware also acts as malware. These small programs sneak onto computersto monitor users’ web browsing activity and to advertise.b) Hackers and Computer CrimeAhacker is an individual who intends to gain unauthorized access to a computersystem.
Hacker activities have broadened beyond mere system intrusion toinclude theft of goods and information, as well as system damage andcybervandalism, the intentional disruption, defacement, or even destruction ofa Web site or corporate information system. In a denial-of-service (DoS)attack, hackers flood a network server or Web server with many thousands offalse communications or requests for services to crash the network. The networkreceives so many queries that it cannot keep up with them and is thusunavailable to service legitimate requests.
A distributed denial-of-service(DDoS) attack uses numerous computers to inundate and overwhelm the networkfrom numerous launch points. Most hacker activities are criminal offenses, andthe vulnerabilities of systems we have just described make them targets forother types of computer crime as well. Computer crime is defined by the U.S.Department of Justice as “any violations of criminal law that involve aknowledge of computer technology for their perpetration, investigation, orprosecution.
” Many companies are reluctant to report computer crimes becausethe crimes may involve employees, or the company fears that publicizing itsvulnerability will hurt its reputation. The most economically damaging kinds ofcomputer crime are denial of service attacks, activities of malicious insiders,and Web-based attacks.c) Internal Threats: EmployeeWetend to think that threats to the security of a company are born outside theorganization.
In fact, the workers in the company raise serious securityproblems. Employees have access to insider information and, in the presence ofsloppy internal security procedures, they can often move around anorganization’s systems without a trace. End-users and information systemspecialists are also a major source of errors introduced into informationsystems. End users introduce errors by entering incorrect data or by notfollowing the correct instructions for data processing and computer equipmentuse. IT specialists can create software errors when designing and developingnew software or maintaining existing programs. d) SoftwareVulnerabilitySoftwareerrors are a constant threat to information systems, leading to unquantifiedproductivity losses and sometimes putting people who use or rely on systems atrisk.
The increasing complexity and size of software, as well as demands fortimely delivery to markets, have contributed to increased software defects orvulnerabilities. A major problem with the software is the presence of hiddenerrors or flaws in the program code.3. The Impact of Ransomware on BusinessOrganizationsTheword Ransomware is a combination of ransom and software, and a program that isdesigned to attack a targeted system with the aim of holding the user as ahostage, and restricting users from accessing their devices. It can also beused to encrypt the user’s data, forcing the victim to pay the ransom.Generally, ransomware uses malware and Trojan forms to bypass and infect thetargeted system. Ransomware consists of two major types: lockers, which preventthe user from the entire system, and crypto ransomware, which only encrypts theuser files. Ransomware vastly attacks companies and endpoint users.
Ransomwareattacks may happen in different contexts such as email attachment, compromisedwebsites, advertising, running untrusted program on the machine, sharingnetworks and communicating with an infected system. The world has experienced amassive global ransomware cyber-attack known as “WannaCrypt” or “WannaCry”since Friday, May 12 2017. Hundreds of thousands’ computers worldwide have beenhit and affected more than 150 countries. WannaCry is far more dangerous thanother common ransomware types because of its ability to spread itself across anorganization’s network by exploiting a critical vulnerability in Windowscomputers. The malware has the capability to scan heavily over TCP port 445(Server Message Block/SMB), spreading similar to a worm, compromising hosts,encrypting files stored on them then demanding a ransom payment in the form ofBitcoin. It is important to note that this is not a threat that simply scansinternal ranges to identify where to spread, it is also capable of spreadingbased on vulnerabilities it finds in other externally facing hosts across theinternet.Thereare approximately 30–40 publicly named companies among the likely thousandsthat were impacted by this ransomware. Examples include the Russian InteriorMinistry, Telefonica (Spain’s largest telecommunications company) and FedEx.
The UK National Health Service (NHS) was badly hit, with 16 of the 47 NHStrusts being affected, and routine surgery and doctor appointments beingcanceled as the service recovers. There are reports that in China over 40,000organizations have been affected, including over 60 academic institutions.Russia appears to be the heaviest hit by the WannaCry attack. Kaspersky Labsattributes this to Russian organizations running a relatively large proportionof dated and unpatched systems. WannaCry appears to be specifically designedfor an international attack: it can demand the ransom in 28 languages.Businesswhich infected ransom were leading to negative consequences such as-temporaryor permanent loss of sensitive and important information-interruptionto business operation-financial losses incurred to restore systems and files-potential harm to an organization’s reputation.Ransomwarecan be devastating for productivity.
It puts all projects on hold until accessto important files is recovered and the system is protected. If your computershave been infected with Ransomware, all sensitive information may fall into thewrong hands and be erased from your devices. A data breach containinginformation about customers or customers’ employees creates a crisis that nocompany wants to deal with. Sensitive information is at stake, but payinghackers does not guarantee that the information has not been copied yet. Payingthe repurchase does not guarantee the safe return of all files.Mostcompanies have an IT strategy and disaster recovery plan, but surprisingly, feware sufficiently prepared to deal with a ransomware attack. This is partlybecause they do not understand the risks, and because ransomware threats evolveat a rate that antivirus software struggles to keep up.
4. Prevention and risk mitigation planto organizations Organizationsshould be practice the following Control measure for prevention of futureattack,(A) Conduct ongoing, documented, andthorough information security risk assessmentsMaintainan ongoing information security risk assessment program that considers new andevolving threats to online accounts and adjusts customer authentication,layered security, and other controls in response to identified risks. Identify,prioritize, and assess the risk to critical systems, including threats to applicationsthat control various system parameters and other security and fraud preventionmeasures.(B) Securely configure systems andservicesProtectionssuch as logical network segmentation, offline backups, air gapping, maintainingan inventory of authorized devices and software, physical segmentation ofcritical systems, and other controls may mitigate the impact of a cyber-attackinvolving ransomware. Consistency in system configuration promotes theimplementation and maintenance of a secure network. Essential components of asecure configuration include the removal or disabling of unused applications,functions, or components.(C) Protect against unauthorized accessLimitthe number of credentials with elevated privileges across the organization,especially administrator accounts and the ability to easily assign elevatedprivileges that access critical systems.
Review access rights periodically toreconfirm approvals are appropriate to the job function. Establish stringentexpiration periods for unused credentials, monitor logs for use of oldcredentials, and promptly terminate unused or unwarranted credentials.Establish authentication rules, such as time of-day and geolocation controls,or implement multifactor authentication protocols for systems and services(e.g., virtual private networks). In addition, conduct regular audits to reviewthe access and permission levels to critical systems for employees andcontractors. Implement least privileges access policies across the entireenterprise. In particular, do not allow users to have local administrator rightson workstations, and remove access to the temporary download folder.
(D) Perform security monitoring, prevention, andrisk mitigationEnsurethat protection and detection systems, such as intrusion detection systems andantivirus protection, are up to date and that firewall rules are configuredproperly and reviewed periodically. Establish a baseline environment to enablethe ability to detect anomalous behavior. Monitor system alerts to identify,prevent, and contain attack attempts from all sources. (E) Perform Update information securityawareness and training programsConductregular, mandatory information security awareness training across theinstitution, including how to identify, prevent, and report phishing attemptsand other potential security incidents. Ensure that the training reflects thefunctions performed by employees. (F) Implement and regularly testcontrols around critical systemsEnsurethat appropriate controls, such as access control, segregation of duties,audit, and fraud detection, and monitoring systems are implemented for systemsbased on risk.
Limit the number of sign-on attempts for critical systems andlock accounts once such thresholds are exceeded. Implement alert systems to notifyemployees when baseline controls are changed on critical systems. Test theeffectiveness and adequacy of controls periodically.
Report test results tosenior management and to the board of directors or a committee of the board ofdirectors. Include in the report recommended risk mitigation strategies andprogress to remediate findings. (G) Review, update, and test incidentresponse and business continuity plans periodicallyTestthe effectiveness of incident response plans at the organization and with thirdparty service providers to ensure that all employees, including individualsresponsible for managing risk, information security, vendor management, frauddetection, and customer inquiries, understand their respective responsibilitiesand their institution’s protocols. 5 Ethical issues that may arisefrom using connected devices in an organizationEthicsrefers to the principles of right and wrong that individuals, acting as freemoral agents, use to make choices to guide their behaviors.
(Kenneth C Laudon, Jane P Laudon, 2017) Ethical issues ininformation systems have been given new urgency by the rise of the Internet andelectronic commerce. Internet and digital firm technologies make it easier thanever to assemble, integrate, and distribute information, unleashing newconcerns about the appropriate use of customer information, the protection ofpersonal privacy, and the protection of intellectual property.Employeesmust be trained and kept aware of a number of topics related to informationsecurity, not the least of which are the expected behaviors of an ethicalemployee. This is especially important in information security, as manyemployees may not have the formal technical training to understand that theirbehavior is unethical or even illegal.
Proper ethical and legal training isvital to creating an informed, well prepared, and low-risk system user.Asmuch as information technology is important to our lives, it is facing someserious ethical challenges and it is up to the IT experts and users ofinformation technology to be ready for these challenges. As more emerginginformation technologies pop up on the market, most of the IT experts and usersdo not know how to go about the challenges brought about by these technologies.Information technology is facing major challenges which are lack of privacy,security, copyright infringement and increased computer crimes. Criminals havebeen eagerly utilizing the many loop holes technology offers.
Since informationtechnology greatly aid the speed, flow and access of information, cyber-crimehas become an ever-rising profession. Many businesses and organizations are atrisk of becoming a cyber victim on a daily basis, as most, if not all businessis based on some digital network.Thereis also the possible threat of unfaithful or vengeful employees that can useinformation technology to achieve their personal goals which might be harmfulto an organization. IT is not bad in itself, but the way humans use the tools providedby information technology has brought some serious challenges.