An agency’s computer system is under constant cybersecurity threats from several factors.  While many of them are intentional, such as fraud and theft, there are also the unintentional errors and omissions that threaten a systems security. Let’s take a closer look at some examples.

The Intentionally Malicious

Information technology is increasingly used to commit fraud and theft.  Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods.

Unfortunately, insiders who are authorized users of a system perpetrate the majority of the fraud uncovered on computer systems.  Since insiders not only have access to, but are also familiar with the victim computer system (including what resources it controls and where the flaws are),  authorized system users are in a better position to commit crimes.  Former employees may also pose threats, particularly if their access is not terminated promptly.

The Good, the Bad and the Unintentional

End users, data entry clerks, administrators and programmers frequently make unintentional errors that contribute to security problems.  Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system.  In other cases, installation and maintenance errors can create vulnerabilities, which are weaknesses that allow an attacker to reduce a system’s information assurance.  Not learning from past mistakes, leaving a bug in the software, browsing harmful sites on the Internet and poor password management can all lead to security threats.

Implementing a Policy

To set up a proper security policy, you have to determine the level of threat to protect against, what risks are acceptable and how vulnerable your system will be as a result.  Risk is the possibility that an intruder may be successful in trying to access your computer, the possibility of an error or a malicious program entering your system and causing direct or indirect damage to your business and business processes.

Because of threats like these, an agency should address some important questions like “what is at stake if someone breaks into the system” and “how much time would it take to retrieve or recreate and data that was lost?” It is very important to develop a consistent, simple and generic policy for your system that users can easily understand and follow.  It will have to protect the data you are trying to safeguard.  The policy will have to state who has access to the system, who is allowed to install software, who owns what data and so on.

Photo courtesy of'
Rick Marcotte