Pearson BTEC Level 3 Extended Certificate in Computing
Unit 7: IT Systems Security and Encryption
Learning Aim A:
A.P1 Explain the different security threats that can
affect the IT systems of organisations.
A.P2 Explain the principles of information security
when protecting the IT systems of organisations.
A.P3 Explain why organisations must adhere to legal
requirements when considering IT systems
security.
A.M1 Assess the impact that IT security threats can
have on organisations’ IT systems and business
while taking account of the principles of
information security and legal requirements.
,P1 Threats within an organisation
Types of threat
There are a number of threats which, if they occur, could potentially affect our computer systems
and servers. They can be categorised as follows:
Internal threats
Threats which come from within the organisation are called ‘internal’. These can include the actions
of employees, such as downloading/uploading files – for example from email – which contain viruses
or connecting a home device like a laptop (BYOD), which could contain viruses or malware, to the
organisation system/Wi-Fi. Although these examples may cause unintentional threats to the system,
any damage or theft to data by employers - who may be unhappy with the way the company has
treated them and are seeking revenge – is classed as an ‘intentional’ threat.
The John Fisher School operate a
simple policy when it comes to
‘Bring Your Own Device’. It states
that students are able to bring their
own devices (phones and laptops)
into school, providing they abide by
the rules. These include
‘understanding that bringing in
devices is at their own risk, not using
anonymising proxies to circumvent
security systems and understanding
they have the right to search the
content of any device if there is
reasonable suspicion’. This style of system could be used by your company as it would allow
employees to use their own devices to complete work, whilst signing the policy would protect the
companies system as, if followed, there would be no internal threat caused by the use of employees’
devices.
Another example of an internal threat is the unintentional disclosure of data. This could include
employees leaving their computers unlocked when they are not present, meaning it is easy for
someone to come past and access that data as it has been clearly revealed to them as it is not
restricted - even though the employee didn’t mean for that to happen. Also included under this type
of threat is leaving paper documents lying around the office, as this makes it easy for someone to
see data as there is no password protection on it. These two threats may have been not deliberate,
but could mean data becomes damaged, as the person who found the data could destroy it.
An example of an organisation which could fall victim to such threats would be any company which
deals with money like us; this would most probably be in the form of fraud or theft. If any employers
had legitimate access to the financial data, they may try to take advantage and use the money for
their own purposes. New legislation, such as GDPR (General Data Protection Regulation), aims to
protect people’s data (including bank card details) through the strict regulations regarding the
Unit 7: IT Systems Security and Encryption
, processing and storage of data. These new rules aim to stop people from overriding security controls
and accessing people’s data for their corrupt purposes.
Unsafe practices, such as visiting untrusted websites and using external flash storage, also pose an
internal threat, along with the use of file sharing apps. Accidental loss also causes a threat as,
although it is unintentional, the data would be lost/compromised.
External threats
Threats which come from outside the organisation are called ‘external’. This can comprise of data
theft through many routes, including malware, viruses, worms, Trojan horses and spyware. When
hackers (groups or individual) gain data through these many routes they can either destroy the data
or demand a ransom (normally a large sum of money) in return for the data.
A piece of Trojan malware, which disguised itself as
the Google Play Store, has recently been discovered
by digital security investigators. This is an example
of an external threat as it is something which has
been downloaded onto the device from outside
sources – most probably websites. It poses as a
threat as it tricks unsuspecting users into
downloading and using it, therefore letting the
malware, which is called ‘GPlayed’, steal valuable
information such as bank and location from the
phone.
Other means of external threats includes the withholding and/or disruption of systems. This
normally occurs when the organisations competitors or cyber criminals steal your data and/or use its
public release as blackmail. Governments and terrorist groups also use these techniques in order to
get the financial gain or to profit from the political publicity; whether that is for an election
campaign or propaganda.
Physical threats
It’s not only threats from inside the organisation or from the internet which could cause a threat to
our data; natural disasters or terrorist attacks could also pose a threat. Floods and fires could
damage our offices, and with it our data and computer systems, whilst terrorist acts could destroy
the offices and premises. In the event of a natural disaster, if not totally damaged/or destroyed, the
data would be left vulnerable as it would be easier to access
– due to the damage – meaning it would be easy for
someone to steal the equipment and/or data, as well as
inflicting malicious damage to it. Other examples of natural
disasters include hurricanes and volcanic eruptions.
In September 2018, Hurricane Florence affected areas of
West Africa, Cape Verde, Bermuda, Eastern United States
and Atlantic Canada. The estimated cost to repair the
damage is at least $17 billion, but that figure could
potentially rise to $22 billion. The primary effects from this
hurricane include the flooding and the damage to the houses
in these areas, whilst secondary effects include a decrease in
Unit 7: IT Systems Security and Encryption