Step 8: Policy revisions Evaluation

Name of student:

Course:

Institution:

Date of submission:

Policy revisions Evaluation

Enterprise cybersecurity is concerned with protecting an organization's sensitive data and resources from emerging cyber threats. The process aims at ensuring security in the organization and guaranteeing data confidentiality, integrity and availability. Different security measures are put in place, such as encryption, security policies, passwords and authentication, to ensure that hackers are denied access to the organization's systems and networks. Despite these measures, research by Aldawood and Skinner (2019) revealed that 95 percent of breaches in organizations are caused by human error. Therefore, it is necessary to strengthen the organization's security policies and ensure that everyone is conversant with cybersecurity and knows how to identify untrusted communications from hackers. This section aims to evaluate the organization's current cybersecurity policy, identify various concepts of enterprise cybersecurity, develop a high-level implementation plan for these policies and assess the different types of threats that modern enterprises face. The paper will further evaluate the principles used during the development of a cybersecurity policy framework.

Various concepts of enterprise cybersecurity

Enterprise cybersecurity is a complex solution that grew out of age-old organizational cybersecurity and covers all levels of current-day business computing (Aldawood & Skinner, 2019). The old cybersecurity techniques were largely conceived to protect data on the local front. Current cybersecurity strategies aim to safeguard data as it moves between wireless devices and cloud servers. As a result, enterprise cybersecurity entails different measures that protect an organization's on-premise as well as cloud-based infrastructure. In the modern world, cybercriminals understand the value of an organization's data. This is why ransomware attacks are shooting up, with many firms losing money. Therefore, solid measures must be put in place to prevent these cyber-attack incidents: proper encryption to secure data at rest and in transit, strong authentication mechanisms, the use of antivirus, working organizational security policies, and so on.

According to Abu et al. (2018), when cyber breaches occur in an organization, the results can be devastating and costly. Recovering from a data breach is very expensive, and in many cases the data may never be retrieved. A case study of recent cybercrimes by Alexander et al. (2020) indicated that the Ryuk attacks of 2019 and 2020 required more than USD 300,000 for the hackers to release the data they had taken from the company. This was recorded as the most expensive cyber incident ever in the world. All these cases clearly indicate that firms should not undervalue cybersecurity; they should adopt strict measures to fight the growing number of cyber security incidents.

To initiate an organization's cybersecurity technique, an enterprise should consider the following basic tasks.

a) Define your boundary

There should be well-defined boundaries inside an enterprise at the local and virtual levels. These boundaries act as a protective shield for the enterprise's information assets, such as sensitive information and data stored on local hard disks and cloud servers. Moreover, having well-defined boundaries further safeguards information as it passes from the local systems to cloud servers managed by third parties (Alexander et al., 2020).

b) Define the software environment

According to Sunkpho et al. (2019), there should be a well-defined purpose and policies governing the kind of software used in the organization. Software programs that are outdated and no longer used in the firm's computing framework can be removed. Ensure that the latest security patches and updates are installed and that all devices are scanned regularly for viruses. In addition, there should be training sessions where employees are trained on the latest protocols and programs they should use to execute their tasks.

c) Hardening of Network Assets

After defining the software environment used in the organization, hardening all the assets used within the enterprise network is vital. Hardening the assets means that all the hardware devices and software programs that connect to the enterprise systems, either remotely or physically, must be sealed off to avoid any interference, data leaks and unauthorized access (Sunkpho et al., 2019). Each component within the system should be tested and inspected to identify vulnerabilities and weaknesses that hackers can take advantage of.

d) Vulnerability assessment and implementation of a remediation plan

Even with hardened and up-to-date components within the network, organizational security can still be compromised by software vulnerabilities. This is because cybercriminals devise techniques daily to identify loopholes in currently deployed and newly released programs and security patches. Therefore, vulnerability assessment is needed to identify these vulnerabilities and then devise methods to fight cybercrime.

e) Review of the administrative access privileges in the organization

It is vital to review the current administrative access rights of the enterprise staff members to identify which individuals are mandated to have access privileges. Administrative rights should not be given to junior staff, since this may cause data breaches in the organization and become a loophole for hackers (Abu et al., 2018).
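The review described above is something a defender can script rather than eyeball. The following is an added example, not code from the page or from the cited authors: it walks a constructed account export, flags every account that holds an administrative group while its role is not on an approved list (the junior staff case in the text) or while the account is disabled, and reports the share of enabled accounts that are administrators as a number to track between reviews. The group names, role names and export layout are hypothetical stand-ins for a directory or IAM export.

```python
"""Administrative-privilege review over a constructed account export.

Added example; not code from the page. The export format, group names and
role names are hypothetical stand-ins for a directory or IAM export.
"""
from dataclasses import dataclass

# Hypothetical groups that confer administrative rights.
ADMIN_GROUPS = frozenset({"Domain Admins", "Server Admins", "Cloud Owners"})

# Hypothetical roles that are approved to hold administrative rights.
APPROVED_ADMIN_ROLES = frozenset({"security-engineer", "platform-engineer", "it-manager"})


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    groups: frozenset
    enabled: bool = True


# Constructed sample export: five accounts, two of which should be flagged.
SAMPLE_ACCOUNTS = [
    Account("alice", "security-engineer", frozenset({"Domain Admins", "Staff"})),
    Account("bob", "junior-analyst", frozenset({"Server Admins", "Staff"})),
    Account("carol", "it-manager", frozenset({"Cloud Owners"})),
    Account("dave", "intern", frozenset({"Staff"})),
    Account("erin", "platform-engineer", frozenset({"Domain Admins"}), enabled=False),
]


def admin_groups_of(account):
    """Administrative groups this account is a member of (may be empty)."""
    return account.groups & ADMIN_GROUPS


def review_admin_rights(accounts, approved_roles=APPROVED_ADMIN_ROLES):
    """Return (username, reason) findings for accounts holding admin rights they should not.

    Two checks: a disabled account must not stay in an admin group, and an
    enabled account may hold admin rights only if its role is approved.
    """
    findings = []
    for acct in accounts:
        held = sorted(admin_groups_of(acct))
        if not held:
            continue  # no administrative group: nothing to review
        if not acct.enabled:
            findings.append((acct.username, f"disabled account still in {held}"))
        elif acct.role not in approved_roles:
            findings.append((acct.username, f"role '{acct.role}' is not approved for {held}"))
    return findings


def admin_ratio(accounts):
    """Share of enabled accounts that hold any administrative group (a metric to track)."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return sum(1 for a in enabled if admin_groups_of(a)) / len(enabled)


if __name__ == "__main__":
    for user, reason in review_admin_rights(SAMPLE_ACCOUNTS):
        print(f"FINDING {user}: {reason}")
    print(f"admin ratio: {admin_ratio(SAMPLE_ACCOUNTS):.2f}")
```

Run against the constructed export, the review flags bob (a junior role holding Server Admins) and erin (a disabled account left in Domain Admins), while alice and carol pass because their roles are on the approved list. The approved-role list is the policy artefact the text asks for; the script only makes deviations from it visible on every run.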

Major types of cybersecurity threats faced by modern enterprises

Cybersecurity threats are becoming more sophisticated with the increase and improvement of technology and the high dependence on digital devices (Aldawood & Skinner, 2019). Some of the common threats modern enterprises face are described below.

a) Social engineering attacks

Social engineering attack is a term used to describe various malicious actions executed through human interaction. According to Kaushalya et al. (2018), the attack is executed through psychological manipulation, where users are tricked into making security mistakes and finally exposing sensitive enterprise information. First, the hacker investigates the intended person and gathers enough background information to help them compromise the organization's security.

The most used technique for executing social engineering attacks is phishing. This includes scam messages, websites and emails aimed at creating fear or a sense of urgency that finally prods the user into revealing crucial information or clicking a link that directs them to a malicious website. An example of a recent social engineering attack is the case of cyber-criminals who stole more than $2.3 million from a Texas school in 2020 (Syafrizal et al., 2020).

b) Ransomware attacks

A ransomware attack uses data-encrypting software that hackers deploy to encrypt sensitive enterprise information. Once they have encrypted the information, they then demand a payment, a 'ransom fee', to decrypt it. It is, however, not guaranteed that the hacker will decrypt the information even after receiving the ransom fee. According to Syafrizal et al. (2021), approximate ransom demands in the year 2020 shot up to $1.4 billion. Ransomware has been the third most popular malware used by hackers worldwide and is used in more than 22% of breaches. An example of a ransomware attack is the case of California University, where hackers encrypted the institution's data and demanded more than $1.14 million to decrypt the information, which they never did.

c) Denial of service attacks (DoS)

Denial of service attacks are targeted at shutting down an organization's machines or networks and denying access to the intended users. Hackers accomplish this by flooding the servers with a lot of traffic or by sending many requests that trigger crashes (Aldawood & Skinner, 2019). As a result, legitimate users and employees are deprived of access to the resources allocated to them. Cyber attackers often target high-profile web servers such as those of commerce industries, banks and government organizations. Once the systems are down, the hackers execute their motives.
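The flood described above shows up in a web server's access log as a burst of requests from one source, which is what a detection rule can key on. The following is an added example, not code from the page or the cited authors: a per-source sliding-window counter over constructed common-log-format lines. The addresses, paths and timestamps are constructed, and the 10-second window and 20-request threshold are assumed starting values that an operator tunes to normal traffic; lines are assumed to arrive in chronological order, as a server writes them.

```python
"""Request-flood detection over constructed web server log lines.

Added example; not from the page. Lines follow the common log format; the
IP addresses, paths and timestamps are constructed. Lines are assumed to be
in chronological order, as a server writes them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for a common-log-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def detect_floods(lines, window=timedelta(seconds=10), threshold=20):
    """Map each source IP that sent at least `threshold` requests inside any sliding
    window of length `window` to the peak request count observed for it."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts, _status = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _log_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: one source fires 50 requests in five seconds while a
    second source makes six requests spread over a minute; one junk line is mixed in."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(50):  # flood source (constructed address)
        events.append((base + timedelta(milliseconds=100 * i), "203.0.113.5", "/login"))
    for i in range(6):  # ordinary browsing (constructed address)
        events.append((base + timedelta(seconds=10 * i), "198.51.100.7", f"/page/{i}"))
    events.sort()
    lines = [_log_line(ip, ts, path) for ts, ip, path in events]
    lines.insert(3, "this line is not a valid log record")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"flood suspect {ip}: {peak} requests within 10s")
```

On the constructed log the flooding source is reported with a peak of 50 requests in the window and the browsing source is not reported at all. A per-source counter catches a single flooding host; a distributed flood spreads requests across many sources, so the same sliding window is also worth keeping over the total request rate and the error rate, and an alert from it is the input to rate limiting or upstream filtering rather than a replacement for them.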

d) Cloud computing vulnerabilities

Most companies have shifted to the cloud, intending to revolutionize their digital transformation. This is due to the flexibility of the cloud, which lets them easily access their information at any time. However, alongside the various benefits realized by using the cloud for storage, data security becomes crucial, with many cases of cloud breaches being reported. The cloud poses risks of unauthorized access due to misuse of users' credentials and improper use of access rights. Cybercriminals have also been using other tricks to exploit unpatched systems, and they mount brute-force attacks that finally gain them access to users' accounts.

With these rising cyber-attack cases, every organization needs proper measures to fight the attacks. Prevention is better than incurring high expenses to recover from the losses caused by a cyber attack. Research conducted by Alexander et al. (2020) indicated that 95% of cyber-attacks are achieved by taking advantage of employees and other stakeholders in an enterprise. All this can be fought by implementing a solid cyber security policy in an organization that guides employees and makes them aware of the different cyber attacks and how to respond to any potential attack.

Implementation of cybersecurity policies

A cybersecurity policy is an organization's set of rules, procedures and practices for protecting its networks from threat activity. It aims to ensure that all the users authorized to interact with the company's information assets comply with these guidelines and rules; failure to adhere is answerable to the organization. Alexander et al. (2020) describe a security policy as a "living document" that is never complete or finished. It is continuously updated over time to reflect changes in technology and employees. Typically, the first section of a security policy focuses on the basic security expectations, employee roles and responsibilities, while the second section covers areas such as antivirus usage guidelines, interaction with cloud applications, and so on.

To implement a cybersecurity policy effectively, an organization should ensure that all the components of a policy are considered. A policy should have the following:

a) Purpose

The first basic and essential component of a cybersecurity policy is a defined purpose. Calderaro and Craig (2020) state that the primary purpose of implementing a policy in an organization is to protect sensitive digital information. If an organization fails to articulate a clear and concrete goal for its cybersecurity policy, its security measures are at risk of being ineffective and unfocused. In contrast, a well-defined purpose for the organization's security policy enables the organization to tailor its security measures and provide enhanced data protection.

b) Audience and scope

This is the second crucial component of an organization's cybersecurity policy. It is vital that the business specifies the reach of the security policy. The policy should show which users are targeted and who is not affected. For example, the organization may decide that third-party vendors will not be included in its security policy. Ideally, the policy should consider all the programs, systems, data and other deployed technology in the organization. Such a broad scope helps reduce the company's data security risks.

c) Information security objectives

It is vital to consider the organization's cyber security objectives during policy creation. According to Sabillon et al. (2017), the IT industry is concerned with three main principles, the CIA triad, that guide the formulation of an organization's information policy. These include confidentiality, where the policy being created should ensure that sensitive data and assets are kept confidential and that only authorized employees can access the protected information. In addition, an information policy should be concerned with the integrity of the organization's data: it should preserve sensitive data in a secure, complete and intact form to avoid unauthorized modification by hackers.

d) Authority and access control policy


A comprehensive security policy should indicate which employees of an organization have the authority to limit data access. Everyone in the organization should be trusted and have the data security insight that helps them make correct decisions about which information can or cannot be shared. The policy should include an access control policy that correctly shows who is authorized to share information in the organization. Additionally, the section should indicate every organizational authority over the IT systems. Furthermore, it should clarify how to handle sensitive data, the company's access controls, who is responsible for these controls, and the minimum security standards the organization must adhere to.

e) Data classification

Data classification is a crucial component of every organization's cybersecurity policy. The data should be classified into various security levels, for example by assigning it to categories such as confidential, secret, top secret, public, etc. The policy can also group the data by security level, for instance: level 1, information accessible by the public; level 2, information considered private but causing no harm if it reaches the public; and level 3, information that can have severe consequences for the organization if it goes public, etc. (Sabillon et al., 2017). Every category of non-public data in the ICT systems needs more protection, since even a slight breach can cost the organization dearly.

f) Data support and operations

This includes the measures and operations the organization should implement for handling each category of classified information assets. Syafrizal et al. (2020) define three essential data support and operations categories. The first is data protection regulations, under which the business should ensure that organizational standards are set for protecting personally identifiable and sensitive data. The second is data backup requirements, where the organization should keep enough secure backups; in addition, the backups should be encrypted to prevent modification of the data they contain. The last category under data support and operations is the movement of data, which strict security measures should govern. Data should be transferred over secure protocols and encrypted to prevent access by outsiders.
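Two of the requirements above can be turned into checks that a backup job and a transfer job run every time. The following is an added example, not code from the page or the cited authors. For backups it shows the integrity side of the requirement: an HMAC tag computed over the backup and verified before restore, which makes any modification detectable (encryption conceals the content, but on its own it does not reveal that bytes were changed, so the tag is the check a restore job needs). For data movement it applies the text's level scheme, letting level 1 data move over any protocol and requiring a secure protocol for anything higher. The demo key, the backup bytes and the allowed protocol list (https and sftp) are constructed assumptions, not values from the page.

```python
"""Backup integrity tag and data-movement protocol check.

Added example; not from the page. The key, the backup bytes and the allowed
protocol list are constructed placeholders. The HMAC tag makes modification
of a backup detectable at restore time.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key; a real deployment holds this in a key store, never in code.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Hypothetical allow-list of transport protocols acceptable for non-public data.
SECURE_SCHEMES = frozenset({"https", "sftp"})


def seal_backup(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Compute the HMAC-SHA256 tag that is stored beside the backup."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_backup(data: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    """True only if the backup is byte-for-byte what was sealed (constant-time compare)."""
    return hmac.compare_digest(seal_backup(data, key), tag)


def restore_check(data: bytes, tag: bytes, key: bytes = DEMO_KEY) -> str:
    """The decision a restore job makes from the verification result."""
    if verify_backup(data, tag, key):
        return "restore"
    return "refuse: backup modified or wrong key"


def transfer_allowed(url: str, level: int) -> bool:
    """Level 1 (public) data may move over any protocol; anything higher
    must use one of the secure schemes."""
    scheme = urlsplit(url).scheme.lower()
    if level <= 1:
        return True
    return scheme in SECURE_SCHEMES


if __name__ == "__main__":
    backup = b"payroll-2024-q1.db\x00constructed bytes"  # constructed backup content
    tag = seal_backup(backup)
    tampered = backup.replace(b"2024", b"2023")
    print(restore_check(backup, tag))    # restore
    print(restore_check(tampered, tag))  # refuse: backup modified or wrong key
    print(transfer_allowed("http://files.example.internal/public.pdf", 1))   # True
    print(transfer_allowed("http://files.example.internal/staff.csv", 2))    # False
    print(transfer_allowed("sftp://backup.example.internal/staff.csv", 3))   # True
```

The tag must be verified before the backup is trusted for restore, and the key used for it should be different from the encryption key and stored where a compromise of the backup store does not also expose it; otherwise an intruder who can modify the backup can recompute the tag. The protocol check reads the scheme only, so it belongs at the point where the destination is chosen, before any bytes leave the system.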

g) Security awareness behaviour

It is paramount to put better strategies in place within the organization to heighten security awareness among employees and prevent data breaches. The policy must be structured to encourage certain employee behaviours and bolster their awareness. As a result, it will help thwart potential attacks and losses within the organization. Security training for employees should cover briefing them on the social engineering techniques used by hackers and ways to counter them. Employees should also be aware of a clean-desk policy and ensure that sensitive data is kept out of reach (Syafrizal et al., 2020). Additionally, employees should be trained on the internet use policy and be aware of illegitimate websites that hackers use to lure users.

h) Responsibilities, rights, and personnel duties

This is the final component of the information security policy; it should clearly outline the employees' rights, duties and responsibilities concerning data protection. Responsibilities should be assigned by delegating specific persons to conduct access reviews, carry out employee training, oversee change management procedures and handle incidents. There should also be the right people to provide basic oversight of the organization's information security. As a result, the organization avoids management errors that pose security risks.

All the above components should be considered when developing a security policy for an organization. The result is a robust policy that covers all aspects and ensures that data breaches are minimized. It will reduce the number of data breaches in organizations and save them a lot of money that would otherwise be spent recovering from data attacks.

References

Abu, M. S., Selamat, S. R., Ariffin, A., & Yusof, R. (2018). Cyber threat intelligence – issue and challenges. Indonesian Journal of Electrical Engineering and Computer Science, 10(1), 371-379.

Aldawood, H., & Skinner, G. (2019, January). An academic review of current industrial and commercial cyber security social engineering solutions. In Proceedings of the 3rd International Conference on Cryptography, Security and Privacy (pp. 110-115).

Alexander, A., Graham, P., Jackson, E., Johnson, B., Williams, T., & Park, J. (2020, June). An analysis of cybersecurity legislation and policy creation on the state level. In National Cyber Summit (pp. 30-43). Springer, Cham.

Calderaro, A., & Craig, A. J. (2020). Transnational governance of cybersecurity: policy challenges and global inequalities in cyber capacity building. Third World Quarterly, 41(6), 917-938.

Kaushalya, S. A. D. T. P., Randeniya, R. M. R. S. B., & Liyanage, A. D. S. (2018, November). An overview of social engineering in the context of information security. In 2018 IEEE 5th International Conference on Engineering Technologies and Applied Sciences (ICETAS) (pp. 1-6). IEEE.

Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017, November). A comprehensive cybersecurity audit model to improve cybersecurity assurance: The cybersecurity audit model (CSAM). In 2017 International Conference on Information Systems and Computer Science (INCISCOS) (pp. 253-259). IEEE.

Sunkpho, J., Ramjan, S., & Ottamakorn, C. (2018, March). Cybersecurity policy in ASEAN countries. In 17th Annual Security Conference (pp. 1-7).

Syafrizal, M., Selamat, S. R., & Zakaria, N. A. (2020). Analysis of cybersecurity standard and framework components. International Journal of Communication Networks and Information Security, 12(3), 417-432.
