1.         Why organizations are heavily reliant on information systems

An information system can be defined technically as a set of interrelated components that collect (or retrieve), process, store, and distribute information to support decision making and control in an organization. In addition to supporting decision making, coordination, and control, information systems may also help managers and workers analyze problems, visualize complex subjects, and create new products. Information systems contain information about significant people, places, and things within the organization or in the environment surrounding it. By information we mean data that have been shaped into a form that is meaningful and useful to human beings. Data, in contrast, are streams of raw facts representing events occurring in organizations or the physical environment before they have been organized and arranged into a form that people can understand and use. (Kenneth C. Laudon and Jane P. Laudon, 2017)


The definition of an information system is based on the more general concept of a work system. Businesses operate through work systems. Typical business organizations contain work systems that procure materials from suppliers, manufacture physical and/or informational products, deliver products to customers, find customers, create financial reports, hire employees, coordinate work across departments, submit tax payments, and perform many other functions. A work system is a system in which human participants and/or machines perform work (processes and activities) using information, technology, and other resources to produce specific products and/or services for specific internal or external customers.

An information system is a work system whose processes and activities are devoted to processing information, i.e., capturing, transmitting, storing, retrieving, manipulating, and displaying information. Thus, an information system is a system in which human participants and/or machines perform work (processes and activities) using information, technology, and other resources to produce informational products and/or services for internal or external customers. (Alter, 2008)

Nowadays, organizations rely heavily on information systems to succeed in business, and people's lifestyles are changing rapidly; we can hardly get through daily life without information systems. Wireless communications, including computers and mobile hand-held computing devices, keep managers, employees, customers, suppliers and business partners connected in every way possible. Email, online conferencing, the Web and the Internet provide new and diverse lines of communication for all businesses, large and small. With more communication channels and lower communication costs, customers are demanding more of businesses in terms of service and products, at lower prices. E-commerce is changing the way businesses must attract and respond to customers.

The following are the reasons why information systems are so essential to organizations:

1. Economic Importance:

Even though the cost of installing and maintaining an information system can be quite high at the outset (depending on the kind of system), in due course the costs fall and look like a fair deal compared with the benefits obtained. Also, over time the cost of information systems tends to decrease, whereas the cost of their substitutes (for instance labour) has historically tended to rise (Laudon, 1990). Furthermore, information systems use networks, which help an organization reduce transaction costs by making it worthwhile to contract external suppliers instead of using internal resources.

2. Information Systems Improve Performance:

Information systems are designed to improve the overall efficiency and effectiveness of a process. They speed the process up and reduce its duration by removing non-value-adding steps from the operation. For instance, Citibank developed automatic teller machines and bank debit cards in 1977 (Laudon and Laudon, 9th ed.). These made financial transactions easy and were a huge success. Banks continued to innovate, and these days, with the help of reliable and secure information systems from vendors such as TEMENOS, Infosys and Oracle, most customers can carry out the majority of their transactions from a home computer or even a mobile telephone. Moreover, information systems provide real-time information, which reduces the scope for errors and hence increases the quality of the process output.

3. Importance in Decision Making:

Information systems provide tools that enable managers to monitor, plan and forecast with more precision and speed than ever before. They also enable managers to respond more rapidly and adapt swiftly to a fast-changing business environment. Decision support systems can significantly improve results on both quantitative and qualitative fronts. For instance, around 142 million employees work in the United States, generating $12.2 trillion of gross domestic product. If the decision-making quality of these employees could be improved by just 1% in a year, GDP might expand substantially.

4. Organizational Behavior Change:

Behavioral research shows that information systems facilitate the flattening of hierarchies by broadening the distribution of information, which empowers lower-level employees. Decision-making rights are pushed down the organization because lower-level employees receive the information they need to make decisions, which eliminates the need for some middle managers. This also reduces the organization's administrative costs.

2.         Various types of security threats to an organization's information system

The following are types of security threats to information systems:

a)       Malicious software: viruses, worms, Trojan horses and spyware

Malicious software programs are referred to as malware and include a variety of threats such as computer viruses, worms and Trojans. A computer virus is malware that attaches itself to other software programs or data files in order to be executed, usually without the knowledge or permission of the user. Worms are standalone programs that copy themselves from one computer to another over a network. Unlike viruses, worms can operate on their own without attaching to other program files, and they rely much less on human behavior to spread from one computer to another. A Trojan is software that appears to be benign but does something other than what is expected. A Trojan itself is not a virus because it does not replicate, but it is often a way to introduce viruses or other malicious code into a computer system. Spyware is also a form of malware: these small programs install themselves covertly on computers to monitor users' web browsing activity and serve advertising.

b)      Hackers and Computer Crime

A hacker is an individual who intends to gain unauthorized access to a computer system. Hacker activities have broadened beyond mere system intrusion to include theft of goods and information, as well as system damage and cybervandalism: the intentional disruption, defacement or even destruction of a web site or corporate information system. In a denial-of-service (DoS) attack, hackers flood a network server or web server with many thousands of false communications or requests for service in order to crash it. The server receives so many requests that it cannot keep up with them and is thus unavailable to service legitimate ones. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate and overwhelm the target from many launch points. Most hacker activities are criminal offences, and the vulnerabilities of systems just described make them targets for other types of computer crime as well. Computer crime is defined by the U.S. Department of Justice as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Many companies are reluctant to report computer crimes because the crimes may involve employees, or because the company fears that publicizing its vulnerability will hurt its reputation. The most economically damaging kinds of computer crime are denial-of-service attacks, the activities of malicious insiders and web-based attacks.

c)       Internal Threats: Employees

We tend to think that threats to a company's security originate outside the organization. In fact, the company's own workers raise serious security problems. Employees have access to insider information and, where internal security procedures are sloppy, they can often move around an organization's systems without leaving a trace. End users and information system specialists are also a major source of errors introduced into information systems. End users introduce errors by entering incorrect data or by not following the correct procedures for data processing and equipment use. IT specialists can introduce software errors when designing and developing new software or maintaining existing programs.

d)       Software Vulnerability

Software errors are a constant threat to information systems, leading to unquantified productivity losses and sometimes putting people who use or rely on the systems at risk. The increasing complexity and size of software, together with pressure for timely delivery to market, have contributed to a rise in software defects and vulnerabilities. A major problem with software is the presence of hidden errors or flaws in the program code; until such a flaw is found and patched, an attacker who discovers it can exploit it.

3.         The Impact of Ransomware on Business
Organizations

The word ransomware is a combination of ransom and software. Ransomware is a program designed to attack a targeted system with the aim of holding the user hostage by restricting access to the device or encrypting the user's data, so that the victim is forced to pay a ransom. Generally, ransomware is delivered as malware, often in Trojan form, to bypass defenses and infect the targeted system. It comes in two major types: lockers, which lock the user out of the entire system, and crypto ransomware, which encrypts only the user's files. Ransomware attacks both companies and individual end users, and it may arrive in different ways: an email attachment, a compromised website, malicious advertising, running an untrusted program on the machine, network shares, or communicating with an already infected system. The world experienced a massive global ransomware attack known as "WannaCrypt" or "WannaCry" beginning on Friday, 12 May 2017. Hundreds of thousands of computers in more than 150 countries were hit. WannaCry is far more dangerous than common ransomware because of its ability to spread by itself across an organization's network by exploiting a critical vulnerability in Windows computers (a flaw in the SMBv1 server for which Microsoft had already released the MS17-010 patch in March 2017). The malware scans heavily on TCP port 445 (Server Message Block, SMB), spreads like a worm, compromises hosts, encrypts the files stored on them and then demands a ransom payment in Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to find where to spread: it also spreads by exploiting the same vulnerability in externally facing hosts across the internet, so a single unpatched machine exposing port 445 to the internet is enough for an infection to enter the network. Hosts with the patch applied, or with SMBv1 disabled, cannot be infected through this spreading mechanism.
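The spreading behaviour described above leaves a distinctive trace in perimeter and internal firewall logs: one host opening SMB connections to many peers it has never talked to before, in seconds. The following detector is an added example (it is not part of the original essay and not code from any product named here). It runs over constructed log lines in an assumed format of "timestamp source destination port action"; the internal address ranges, the 60-second window and the 20-peer threshold are also assumptions and should be tuned to the environment.

```python
"""
Added example (not part of the original essay): detection logic for
worm-style SMB spreading, run over constructed firewall log lines. A host
that first contacts many distinct peers on TCP/445 within a short window is
reported, together with how many of those peers lie outside the
organization's own address ranges. Log format, internal ranges and the
threshold are assumptions for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Assumed internal address space; replace with your organization's ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    action: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse '<iso timestamp> <src ip> <dst ip> <dst port> <ALLOW|DENY>'.
    Returns None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Conn(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                    int(parts[3]), parts[4])
    except ValueError:
        return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_scanners(lines: List[str], window_seconds: int = 60,
                      threshold: int = 20, port: int = 445) -> Dict[str, dict]:
    """Report sources whose first contacts with at least `threshold` distinct
    peers on `port` fall inside one `window_seconds` window. Denied attempts
    count too: a sweeping worm produces them in bulk."""
    first_seen: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.dst_port != port:
            continue
        peers = first_seen[rec.src]
        if rec.dst not in peers or rec.ts < peers[rec.dst]:  # earliest contact wins
            peers[rec.dst] = rec.ts

    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, dict] = {}
    for src, peers in first_seen.items():
        times = sorted(peers.values())
        left = 0
        for right, t in enumerate(times):  # sliding window over first-contact times
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                external = sum(1 for d in peers if not is_internal(d))
                flagged[src] = {"targets": len(peers), "external": external}
                break
    return flagged


def build_sample_log() -> List[str]:
    """Constructed sample: two clients using one file server all morning, and
    one workstation sweeping 50 internal hosts plus 5 internet addresses on
    TCP/445 within about half a minute."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{t} 10.0.1.40 10.0.1.5 445 ALLOW")
        lines.append(f"{t} 10.0.1.41 10.0.1.5 445 ALLOW")
    for i in range(50):
        t = (base + timedelta(seconds=i // 2)).isoformat()
        action = "ALLOW" if i % 5 == 0 else "DENY"
        lines.append(f"{t} 10.0.1.25 10.0.1.{100 + i} 445 {action}")
    for i in range(5):
        t = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t} 10.0.1.25 198.51.100.{10 + i} 445 DENY")
    lines.append(f"{base.isoformat()} 10.0.1.41 10.0.1.5 443 ALLOW")  # not SMB, ignored
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for src, info in find_smb_scanners(build_sample_log()).items():
        print(f"{src}: {info['targets']} distinct SMB peers, "
              f"{info['external']} outside internal ranges")
```

Counting first contacts rather than raw connections keeps a busy file-server client from tripping the rule, while a host that reaches 20 new peers on port 445 inside a minute is almost never doing legitimate work. The "external" count is the signal for the second point in the paragraph: a workstation probing port 445 on internet addresses should be isolated regardless of the internal count.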

Approximately 30–40 companies were publicly named among the likely thousands impacted by this ransomware. Examples include the Russian Interior Ministry, Telefónica (Spain's largest telecommunications company) and FedEx. The UK National Health Service (NHS) was badly hit, with 16 of 47 NHS trusts affected, and routine surgery and doctor appointments were cancelled while the service recovered. There are reports that in China over 40,000 organizations were affected, including more than 60 academic institutions. Russia appears to have been hit hardest; Kaspersky Lab attributes this to Russian organizations running a relatively large proportion of dated and unpatched systems. WannaCry appears to have been designed specifically for an international attack: its ransom note is available in 28 languages.

A business infected by ransomware faces negative consequences such as:

- temporary or permanent loss of sensitive and important information

- interruption to business operations

- financial losses incurred to restore systems and files

- potential harm to the organization's reputation.

Ransomware can be devastating for productivity. It puts all projects on hold until access to important files is recovered and the system is secured. If your computers have been infected with ransomware, all sensitive information may fall into the wrong hands or be erased from your devices. A data breach involving information about customers or customers' employees creates a crisis that no company wants to deal with. Sensitive information is at stake, and paying the attackers does not guarantee that the information has not already been copied. Nor does paying the ransom guarantee the safe return of all files.

Most companies have an IT strategy and a disaster recovery plan, but surprisingly few are sufficiently prepared to deal with a ransomware attack. This is partly because they do not understand the risks, and partly because ransomware threats evolve at a rate that antivirus software struggles to keep up with.

4.         Prevention and risk mitigation plan
to organizations

Organizations should practise the following control measures to prevent future attacks:

(A)  Conduct ongoing, documented, and
thorough information security risk assessments

Maintain an ongoing information security risk assessment program that considers new and evolving threats to online accounts and adjusts customer authentication, layered security, and other controls in response to identified risks. Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures.

(B)  Securely configure systems and
services

Protections such as logical network segmentation, offline backups (the one control that restores encrypted files without paying), air gapping, maintaining an inventory of authorized devices and software, physical segmentation of critical systems, and other controls may mitigate the impact of a cyber-attack involving ransomware. Consistency in system configuration promotes the implementation and maintenance of a secure network. Essential components of a secure configuration include the removal or disabling of unused applications, functions, or components.

(C)  Protect against unauthorized access

Limit the number of credentials with elevated privileges across the organization, especially administrator accounts and the ability to easily assign elevated privileges that access critical systems. Review access rights periodically to reconfirm that approvals are appropriate to the job function. Establish stringent expiration periods for unused credentials, monitor logs for use of old credentials, and promptly terminate unused or unwarranted credentials. Establish authentication rules, such as time-of-day and geolocation controls, or implement multifactor authentication for systems and services (e.g., virtual private networks). In addition, conduct regular audits to review the access and permission levels of employees and contractors to critical systems. Implement least-privilege access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations, and restrict users' access to temporary download folders.

(D)   Perform security monitoring, prevention, and
risk mitigation

Ensure that protection and detection systems, such as intrusion detection systems and antivirus protection, are up to date and that firewall rules are configured properly and reviewed periodically. Establish a baseline environment to enable the ability to detect anomalous behavior. Monitor system alerts to identify, prevent, and contain attack attempts from all sources.

(E)   Update information security awareness and training programs

Conduct regular, mandatory information security awareness training across the institution, including how to identify, prevent, and report phishing attempts and other potential security incidents. Ensure that the training reflects the functions performed by employees.

(F)   Implement and regularly test
controls around critical systems

Ensure that appropriate controls, such as access control, segregation of duties, audit, fraud detection and monitoring systems, are implemented for systems based on risk. Limit the number of sign-on attempts for critical systems and lock accounts once such thresholds are exceeded. Implement alert systems to notify employees when baseline controls are changed on critical systems. Test the effectiveness and adequacy of controls periodically. Report test results to senior management and to the board of directors or a committee of the board of directors. Include in the report recommended risk mitigation strategies and progress to remediate findings.
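Two of the controls in (C) and (F) above are concrete enough to implement as checks: "monitor logs for use of old credentials" and "promptly terminate unused credentials" from (C), and "limit the number of sign-on attempts ... and lock accounts once such thresholds are exceeded" from (F). The following is an added example (not from the original essay and not any product's code) that runs all three over a constructed authentication log and a constructed account inventory. The log format, the 90-day dormancy limit and the five-failures-in-fifteen-minutes lockout threshold are assumptions for the example.

```python
"""
Added example (not part of the original essay): credential controls from
sections (C) and (F) as checks over a constructed auth log and a constructed
inventory of last known logins. Format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional

# Constructed inventory: last known successful login per account, as would be
# exported from the directory service.
LAST_KNOWN_LOGIN = {
    "alice": datetime(2017, 5, 10),
    "bob": datetime(2017, 5, 11),
    "carol": datetime(2017, 5, 9),
    "svc_backup": datetime(2017, 1, 15),
    "old_contractor": datetime(2016, 11, 1),
}

# Constructed log lines: '<iso timestamp> <user> <source ip> <SUCCESS|FAILURE>'.
SAMPLE_AUTH_LOG = """\
2017-05-12T09:00:00 alice 10.0.1.40 SUCCESS
2017-05-12T09:05:00 svc_backup 10.0.1.25 SUCCESS
2017-05-12T09:10:00 bob 10.0.1.41 FAILURE
2017-05-12T09:10:20 bob 10.0.1.41 FAILURE
2017-05-12T09:10:45 bob 10.0.1.41 FAILURE
2017-05-12T09:11:10 bob 10.0.1.41 FAILURE
2017-05-12T09:11:40 bob 10.0.1.41 FAILURE
2017-05-12T09:12:00 bob 10.0.1.41 SUCCESS
2017-05-12T10:00:00 carol 10.0.1.42 FAILURE
2017-05-12T11:00:00 carol 10.0.1.42 FAILURE
2017-05-12T12:00:00 carol 10.0.1.42 FAILURE
2017-05-12T12:30:00 ghost 10.0.1.99 SUCCESS
"""


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    success: bool


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
        return None
    try:
        return AuthEvent(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                         parts[3] == "SUCCESS")
    except ValueError:
        return None


def load_events(text: str) -> List[AuthEvent]:
    events = [e for e in map(parse_auth_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)


def stale_accounts(last_known: Dict[str, datetime], as_of: datetime,
                   dormant_days: int = 90) -> List[str]:
    """Accounts unused for longer than dormant_days: candidates to disable."""
    limit = timedelta(days=dormant_days)
    return sorted(u for u, t in last_known.items() if as_of - t > limit)


def dormant_credential_use(events: List[AuthEvent], last_known: Dict[str, datetime],
                           dormant_days: int = 90) -> List[dict]:
    """Successful logins by accounts dormant longer than dormant_days, or by
    accounts missing from the inventory. The inventory copy is updated while
    replaying so a second use of the same account is not reported twice."""
    seen = dict(last_known)
    limit = timedelta(days=dormant_days)
    alerts = []
    for e in events:
        if not e.success:
            continue
        prev = seen.get(e.user)
        if prev is None:
            alerts.append({"user": e.user, "ts": e.ts, "reason": "not in inventory"})
        elif e.ts - prev > limit:
            alerts.append({"user": e.user, "ts": e.ts,
                           "reason": f"dormant {(e.ts - prev).days} days"})
        seen[e.user] = e.ts
    return alerts


def lockout_candidates(events: List[AuthEvent], max_failures: int = 5,
                       window_minutes: int = 15) -> Dict[str, datetime]:
    """Accounts reaching max_failures failed logins inside a sliding window,
    mapped to the moment the threshold was crossed."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    for e in events:
        if e.success or e.user in locked:
            continue
        q = recent[e.user]
        q.append(e.ts)
        while e.ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[e.user] = e.ts
    return locked


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUTH_LOG)
    print("stale accounts:", stale_accounts(LAST_KNOWN_LOGIN, evs[-1].ts))
    print("dormant or unknown credential use:", dormant_credential_use(evs, LAST_KNOWN_LOGIN))
    print("lock out:", lockout_candidates(evs))
```

On the constructed data the service account that has been silent since January logging in from a workstation, and a login by an account the inventory does not know about, are the two events worth paging on; the burst of failures against bob's account trips the lockout rule at the fifth attempt, and the fact that a success follows it shows why the lockout must be enforced by the authentication system itself rather than only reported afterwards. The sliding window is what separates a brute-force burst from carol's three mistyped passwords spread over a morning.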

(G)  Review, update, and test incident
response and business continuity plans periodically

Test the effectiveness of incident response plans at the organization and with third-party service providers to ensure that all employees, including individuals responsible for managing risk, information security, vendor management, fraud detection, and customer inquiries, understand their respective responsibilities and their institution's protocols.

5.         Ethical issues that may arise from using connected devices in an organization

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors (Kenneth C. Laudon and Jane P. Laudon, 2017). Ethical issues in information systems have been given new urgency by the rise of the Internet and electronic commerce. Internet and digital-firm technologies make it easier than ever to assemble, integrate, and distribute information, unleashing new concerns about the appropriate use of customer information, the protection of personal privacy, and the protection of intellectual property.

Employees must be trained and kept aware of a number of topics related to information security, not least the expected behaviors of an ethical employee. This is especially important in information security, as many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Proper ethical and legal training is vital to creating an informed, well-prepared, and low-risk system user.

As important as information technology is to our lives, it faces some serious ethical challenges, and it is up to IT experts and the users of information technology to be ready for them. As more new information technologies appear on the market, most IT experts and users do not know how to deal with the challenges these technologies bring. The major challenges facing information technology are lack of privacy, weak security, copyright infringement and rising computer crime. Criminals have been eager to exploit the many loopholes technology offers. Since information technology greatly increases the speed, flow and accessibility of information, cybercrime has become an ever-growing profession. Many businesses and organizations are at risk of becoming a cyber victim on any given day, as most, if not all, business is conducted over some digital network.

There is also the possible threat of disloyal or vengeful employees who use information technology to achieve personal goals that may be harmful to the organization. IT is not bad in itself, but the way humans use the tools it provides has brought some serious challenges.