Security is essential for any company, whether large or a small startup. One must remain aware of the potential security threats facing the company. Research on security issues facing organizations shows that information security is a major concern for all modern organizations (Knapp, Marshall, Rainer, & Morrow, 2006). In the past, protecting information simply meant keeping it locked in a safe or a drawer. However, in this era of virtual criminal activity, all information on the organization’s computers and all other systems must be protected. The level of sophistication of criminal entities, rival organizations, foreign governments and civilly disobedient individuals has made it a requirement for all organizations to invest in adequate security measures. An organization’s information must be protected from hackers, virus and malware attacks and all other threats.
Knapp et al. (2006) explained that the top issues in information security were similar across most organizations regardless of their size, sector or geographical location. This conclusion was based on a survey conducted by the International Information Systems Security Certification Consortium and Auburn University researchers. The results showed that the top information security issues were managerial issues, user awareness, malware, patch management, risk management and policy issues. Participants in the research explained that the management of most organizations does not consider information security important. In most organizations, security measures are usually implemented only after an attack has occurred. In others, the users of the organization’s systems are not aware that some of their actions can leave the systems vulnerable to attack. Some security policies in organizations are not implemented properly, leaving the company at risk of vicious attacks from malicious people.
Apart from information security, physical security is also a concern for organizations. Physical security includes keeping the company’s facilities safe and controlling who has access to them. According to Malatesti (2008), physical security is meant to prevent environmental and human threats. An organization should place restrictions on the areas or resources employees can access. People with access to important resources can cause damage intentionally or accidentally. That is a security issue that affects all kinds of companies regardless of their characteristics.
According to Knapp et al. (2006), participants in the research on information security issues also gave recommendations on how to solve the identified issues. One of the recommendations was that the government should set clear laws ensuring that the management of all organizations supports information security. Management should not view security measures as costly or as hindrances, since they are important. At least one person in a managerial position in the organization should have Information Technology (IT) expertise. This ensures that management can make well-informed decisions regarding the organization’s security.
The government should enact laws to prevent people from creating malware, especially those with malicious intentions. Efforts to prevent such attacks on organizations are not enough, especially if the attackers are in different countries. There should be global standards used to enforce the law and prosecute offenders regardless of where they originate.
Organizations should also train all their employees on the importance of the security measures they have put in place. Employees should be made aware of the actions that can make the organization vulnerable to attack. All security policies should be enforced, with strict penalties for those who do not adhere to them.
According to Malatesti (2008), organizations should set up a physical security program. The program should include elements such as policies and procedures, auditing, and deterrent and detective controls. The policies address the vulnerabilities found during risk assessment, and they should be in line with laws and regulations. Auditing controls are meant to keep a log of all access to resources or areas within the organization; they monitor access and ensure that only authorized individuals can gain entry. Detective controls include CCTV, laser sensors and alarms, which are important for notifying the organization of any security breach. Organizations should not only have protection against information security attacks; physical security should also be prioritized, even in the technology era.
According to Hagen, Albrechtsen, and Hovden (2008), in business, effectiveness is used to measure whether set objectives have been accomplished. The effectiveness of information security can be measured from four perspectives: risk management, economic, legal and cultural. Before any measures are implemented in an organization, a risk assessment must be carried out, and the measures that management decides to implement should reduce the risk level, not increase it. From the economic perspective, the security measures should at least increase the organization’s profit or, rather, reduce its losses.
Hagen et al. explained that companies should implement measures that do not violate any legal requirements. All procedures and policies should be in accordance with the law. The cultural perspective is where the measures create a good security culture in the organization. Measures are effective if they are well understood by the organization’s employees and they influence positive behavior.
Hagen, J. M., Albrechtsen, E., & Hovden, J. (2008). Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4), 377-397.
Knapp, K. J., Marshall, T. E., Rainer, R. K., & Morrow, D. W. (2006, December 21). The top information security issues facing organizations: What can government do to help? Information Systems Security, 15(4), 51-58. Retrieved from http://www.infosectoday.com/Articles/topissues.pdf
Malatesti, C. (2008, July). Physical security in the IT space. Information Systems Security Association, 32-35. Retrieved from http://www.emrisk.com/sites/default/files/white-papers/Physical%20Security%20in%20the%20IT%20Space.pdf