Privacy, Security, Hacks, and Leaks

a. 5 Threats:

1. Bad-faith actors (insider threats)-Security threats to an organization do not come only from outside. Insider threats are people who already have legitimate access (employees, contractors, partners) and whose actions put the organization at risk. Intentional insiders deliberately abuse their privileges to steal or sabotage information, usually for financial gain; they may be disgruntled employees or plants placed by a competitor or criminal group. Unintentional insiders create vulnerabilities by mistake: clicking a phishing link, mishandling customer data, or simply following poor security practices. Because insiders already have access, controls such as least privilege, separation of duties and logging of access to sensitive data matter as much as perimeter defences.

2. Third-party exposure-Another threat to an e-commerce business is third-party exposure. This occurs when a vendor the organization relies on has weaker security than the organization itself. Every business outsources some part of its supply chain (payment processing, hosting, shipping, support tooling), and a breach at a vendor that holds or processes your data means your data is exposed too, even if your own systems were never touched.

3. Unsafe security practices-In any organization, poor 'cyber-hygiene', as it is called, can seem harmless to the people practising it but poses significant risk. Poor hygiene is usually the result of a lack of training on best practices and of low technical literacy. Examples include reusing one password across several accounts, writing passwords down where others can see them, choosing short or guessable passwords, not changing a password once it is known to have leaked, and accessing company information over public networks without a VPN. (Forcing password changes on a fixed schedule is no longer recommended, for example by NIST SP 800-63B; the practice that matters is rotating a password when there is evidence it has been compromised.)

4. Configuration mistakes-Organizations are put at risk when security measures are implemented incorrectly. Common mistakes in deployment and upkeep include failing to segment the network, so that systems holding sensitive information are reachable from general-purpose or guest networks; failing to apply updates and patches; leaving weak or shared administrative passwords in place; and leaving devices on their factory defaults (default credentials, open management interfaces, unnecessary services enabled).

5. Ransomware-Ransomware is a risk for any company that does business over the web. It is malware that encrypts files and systems and demands payment for the decryption key; modern variants also copy the data out first and threaten to publish it, so paying does not restore confidentiality. Ransomware reaches systems through many channels, including phishing email, compromised or malicious websites, and downloads or attachments posing as a trustworthy source. An incident can cost an organization far more than the ransom itself (downtime, recovery, legal and notification costs), and the stolen information remains exposed afterwards. Offline, regularly tested backups and prompt patching are the main defences.

b. 5 Traits of the business:

1. E-commerce business run through a third-party e-commerce platform-The company sells through a popular third-party e-commerce platform that handles every part of the back end: payments, shipping setup, and so on. That platform has suffered two data breaches in the last five years, each of which exposed every company that does business through it. The convenience of the platform is a benefit, but continuing to rely on it without scrutiny leaves the company exposed to the platform's next breach.

2. POS checkout systems and chip readers connected to the internet over the store network-Each of the three brick-and-mortar stores has three POS checkouts, each a computer that needs network access to accept payments and retrieve customer and product information. Any other device on the same network (staff laptops, customer Wi-Fi) can therefore reach the systems that handle card data, which widens the attack surface and pulls the whole store network into PCI DSS scope.

3. Acceptable-use technology policy for corporate employees only-The company has an acceptable-use policy, but only corporate employees are required to read and sign it. That leaves out the majority of the workforce, including the store staff who operate the POS systems. Employees who have never seen the policy cannot be expected to follow it.

4. Network configuration handled only by the IT team-All network configuration is handled by the IT team, which consists of two people. This is not inherently harmful, but with no network specialist on staff and nobody to review the other person's changes, misconfigurations are likely to go unnoticed, and that is risk.

5. No private store networks-As noted above, network segmentation is an integral part of network security: it keeps sensitive systems from being reachable from untrusted networks. Each store should have a separate private network (for example a dedicated VLAN) for the POS systems and chip readers, with a firewall that allows only the connections the payment terminals actually need, and a separate network for everything else, including any customer Wi-Fi.

c. 5 Recommendations:

1. Thorough training-The first step in strengthening any company's security is to start within: develop a thorough, recurring training programme so that every member of the company, not just corporate staff, knows the policies and best practices. Informed employees are secure ones. Employees who can spot phishing emails, handle passwords properly and avoid untrusted networks are integral to keeping company information secure.

2. Re-evaluate the security practices of third-party vendors-Set up an internal process to evaluate each vendor's breach history and security practices, both before signing and periodically afterwards: ask what data they hold, request their security attestations or audit reports, and make sure contracts require prompt breach notification. This helps mitigate the risks of working with third parties.

3. Create a contingency plan-An incident response plan for if and when a data breach occurs is integral to recovering from the attack. The plan should say who is contacted, how affected systems are isolated, how logs and evidence are preserved, and how credentials, session tokens, and firewall and access rules are rotated or tightened after the attack, so that the same attackers cannot simply walk back in with what they already have.

4. Make a two-step authentication policy-Another recommendation is to require two-factor authentication for every employee in the organization. This adds one more layer of security for each user: a stolen or guessed password is no longer enough on its own. A push notification to a mobile app that the user confirms, or a one-time code from an authenticator app, are both workable. If push approval is used, the prompt should show what is being approved (for example a number the user has to match), because an attacker who already has the password can otherwise spam approval requests until a tired user taps confirm.

5. Implement a password manager-Finally, choose a reputable password manager to hold employee passwords. This removes the reasons people write passwords down on paper or in personal files, and it lets them use a long, unique, random password for every account. The organization can also enforce password length and uniqueness through it and rotate any password immediately when an account or vendor is breached; forced resets on a fixed schedule are no longer recommended (NIST SP 800-63B), because they push users toward predictable patterns.
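As an added example, not code from the original post, here is how the second factor in recommendation 4 can be checked on the server. It uses a time-based one-time code (TOTP, RFC 6238) from an authenticator app rather than the push-to-confirm app the post describes, because a code can be generated and verified offline. The shop name, user record, password and timestamps are constructed for the example; the `hotp`, `totp`, `verify_totp`, `make_user` and `login` functions are this example's own.

```python
"""Two-factor login check: password plus a TOTP code (RFC 6238).

Added example; not code from the original post. The issuer name, user
record, password and timestamps below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30          # seconds each TOTP code is valid for
DIGITS = 6         # code length shown by the authenticator app
DRIFT_WINDOW = 1   # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP, digits)


def enroll(account: str, issuer: str = "example-shop") -> tuple:
    """Generate a fresh 160-bit secret and the otpauth:// URI the user's app scans.
    The issuer name is a placeholder."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&digits={DIGITS}&period={STEP}")
    return secret, uri


def verify_totp(secret: bytes, code: str, at: int, used_steps: set) -> bool:
    """Accept the code for the current step or its immediate neighbours, once only.

    hmac.compare_digest keeps the comparison constant-time; used_steps (stored
    per user on the server) rejects replay of a code that was already accepted.
    """
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = at // STEP
    for step in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
        if step in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            used_steps.add(step)
            return True
    return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Build a stored user record: salted PBKDF2 password hash plus the TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "used_steps": set(),
    }


def login(users: dict, username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass. The TOTP check only runs after the password
    matches, so a wrong password cannot burn a valid code. (A production system
    would also hash a dummy password for unknown usernames so response timing
    does not reveal which accounts exist.)"""
    user = users.get(username)
    if user is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, at, user["used_steps"])


if __name__ == "__main__":
    secret, uri = enroll("alice@example-shop.test")
    print("provisioning URI for the authenticator app:", uri)
    users = {"alice": make_user("correct horse battery staple", secret)}
    now = int(time.time())
    code = totp(secret, now)   # what the user's app would display right now
    print("password + current code:", login(users, "alice", "correct horse battery staple", code, now))
    print("same code replayed:     ", login(users, "alice", "correct horse battery staple", code, now))
```

The drift window and the replay set are the two details a home-grown check most often gets wrong: without the window, users whose phone clock is a few seconds off are locked out; without the replay set, a code that was phished or shoulder-surfed stays usable for the rest of its 30-second step. Both factors are still only as good as the enrolment step, so the provisioning URI should be shown once, over an authenticated session, and never logged.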
