Small and medium-sized businesses are often prime targets for cybercriminals because they typically have fewer cybersecurity resources than larger companies. Hackers view SMBs as potential ways to access the sensitive data of larger companies they do business with. A 2016 study found that 55% of SMBs experienced a cyberattack and 50% experienced a data breach in the prior year. While SMBs believe they are lower risk targets, experts warn they still must implement basic cybersecurity practices like creating security policies and identifying sensitive data assets to protect themselves, employees, and customers from threats like ransomware, phishing scams, and data breaches. Large companies are also increasingly requiring SMB vendors to demonstrate sound cybersecurity practices.

1. Open Quick Links
Quick Links
Page Landmarks
Content Outline
Keyboard Shortcuts
Logout
Global Menu
Arianna StansberryActivity Updates1
· Home
· Help
Top Frame Tabs
Home Tab 1 of 3 (active tab)
Notifications Tab 2 of 3
My Community Tab 3 of 3
Current Location
1. BBA 3602-15R-1A20-S1, Principles of Management
2. Unit VIII
Menu Management Options
·
·
Course Menu:
BBA 3602-15R-1A20-S1, Principles of Management
·
· COURSE INFORMATION
· Start Here
· Announcements
·

2. · Syllabus/Schedule
· Unit I
· Unit II
· Unit III
· Unit IV
· Unit V
· Unit VI
· Unit VII
· Unit VIII
· Communication Forums
· Grades
·
· RESOURCES
· My Library
· Math and Writing Center
· Student Resources
· Tools
Unit VIII Scholarly Activity Grading Rubric
Criteria
Achievement Level
Level 1
Level 2
Level 3
Level 4
Level 5
Introduction
(20 points)
0 - 11
Presents little to no coherent information on the topic to engage
the reader in the paper. Components of the thesis and/or
summary of main points may be missing. The point of view may
be unclear or too general. Provides no road map for the paper or
provides one that does not accurately reflect the paper’s
content.

3. 12 - 13
Fails to provide enough background to truly engage the reader
in the topic. Presents the essay’s thesis and a summary of main
points so that the writer’s point of view or interpretation is
fairly clear, but several components may be missing. Provides a
road map for the paper that may require a lot of work.
14 - 15
Somewhat engages the reader with background information on
the paper topic. Presents the essay’s thesis and a summary of
main points so that the writer’s point of view or interpretation
is somewhat clear, but a few components may be missing.
Provides a road map for the paper that may need some work.
16 - 17
Mostly engages the reader with some form of creative “hook”
and basic background information on the paper topic. Presents
the essay’s thesis and a summary of the main points, mostly
clarifying the writer’s point of view or interpretation, but a
component may be lacking or need work. Provides a fairly clear
road map for the paper either in the thesis statement or body of
the introduction.
18 - 20
Engages the reader in the topic with some form of creative
“hook” (such as a story, quote, example, etc.) and provides a
clear background for the topic so that readers can gain an
understanding of the purpose of the paper. Clearly presents the
essay’s thesis and a summary of the main points that clarify the
writer’s point of view. Provides a clear road map for the paper
either in the thesis statement or body of introduction.
Quality of Discussion
(45 points)
0 - 26
Unclear, often because thesis is weak or nonexistent. Few to no
topic sentences. Little or no evidence of critical thinking.
Transitions are weak and often confusing.
27 - 31
Generally unclear, often wanders or jumps around. Little

4. critical thinking is evident. Some transitions may be missing or
weak. Several paragraphs may lack strong topic sentences.
32 - 35
Fairly clear and appropriate, although may wander occasionally.
Shows an effort to think critically. Some transitions may be
weak. A few paragraphs may lack strong topic sentences.
36 - 40
Mostly clear and appropriate, although may wander
occasionally. Provides evidence of critical thinking. Transitions
are adequate. One or two paragraphs may lack strong topic
sentences.
41 - 45
Clear and appropriate. Provides strong evidence of critical
thinking. Makes use of excellent transitions. Paragraphs contain
strong topic sentences.
Organization
(15 points)
0 - 8
The organization is hard to follow; ideas are not linked together
and/or may be fragmented. Lacking any logical grouping of
ideas or transitions from one idea to the next.
9 - 10
The organization is mostly unclear and could be arranged in a
more logical way. Some ideas are linked together, but some
ideas are fragmented. There is little to no grouping of ideas or
use of transitions.
11 - 11
The organization is fairly clear, but it could be arranged more
logically to better support the proposed solution. Ideas are
somewhat grouped together with a few transitions between
groups.
12 - 13
The organization results in clarity and presents mostly logically
arranged points to support the proposed solution. Ideas are
grouped fairly well, and there are transitions throughout the
document.

5. 14 - 15
The organization results in clarity and presents logically
arranged points to support the proposed solution. Related ideas
are well grouped, and transitions between ideas flow smoothly.
Writing Mechanics
(10 points)
0 - 5
Writing lacks clarity and conciseness. Serious problems with
sentence structure and grammar. Numerous major or minor
errors in punctuation and/or spelling.
6 - 6
Writing lacks clarity or conciseness. Minor problems with
sentence structure and some grammatical errors. Several minor
errors in punctuation and/or spelling.
7 - 7
Writing is somewhat clear and concise. Sentence structure and
grammar are strong and mostly correct. Few minor errors in
punctuation and/or spelling.
8 - 8
Writing is mostly clear and concise. Sentence structure and
grammar are strong and mostly correct. Few minor errors in
punctuation and/or spelling.
9 - 10
Writing is clear and concise. Sentence structure and grammar
are excellent. Correct use of punctuation. No spelling errors.
Citations and Formatting
(10 points)
0 - 5
The majority of sources used are not academically reliable.
Reference entries and in-text citations follow APA formatting
guidelines, but many errors are present. Several in-text citations
do not have references and vice versa.
6 - 6
Some peer-reviewed papers are used along with non-
academically reliable sources. Reference entries may somewhat
follow APA formatting guidelines; several major errors in in-

6. text citations or references may be present. Some in-text
citations do not have references and vice-versa.
7 - 7
Most sources used are peer-reviewed papers, though two or
more sources are not academically reliable. Reference entries
and in-text citations show effort to follow APA formatting
guidelines; several errors in in-text citations or references may
be present. Most in-text citations are referenced and vice versa.
8 - 8
The number of sources meets any expressed assignment
requirements, and all but one source is a peer-reviewed paper.
Reference entries and in-text citations follow APA formatting
guidelines fairly well and are usually correct. All in-text
citations are referenced and vice versa.
9 - 10
The number of sources meets or exceeds any expressed
assignment requirements. Every source used is peer-reviewed or
academic in nature. Reference entries and in-text citations
follow APA formatting guidelines and are free of errors. All in-
text citations are referenced and vice versa.
Close
0d0d292f-3807-4
Cybersecurity threats proliferating for midsize and smaller
businesses: smaller organizations are targets for hacking and
phishing attacks to get information that can harm them or bigger
they do business with
Citation metadata
Author: Russ Banham
Date: July 1, 2017
From: Journal of Accountancy(Vol. 224, Issue 1.)
Publisher: American Institute of CPA's
Document Type: Article

7. Length: 2,372 words
Lexile Measure:1260L
Document controls
Translate
Document Translation
Format Options:
· Save to Google Drive™
· Save to OneDrive™
· HTML
Top of Form
Bottom of Form
Translate Article
Set Interface Language
Font Size
Listen
Listen
Larger documents may require additional load time.
Main content
Full Text:
Why would cyberthieves target a company other than the very
largest--big enterprises with big payoffs? It's a question that
many small and medium-size businesses (SMBs) ponder,
arriving at the wrong answer.
Hackers have SMBs in their crosshairs as much--if not more so-
-than the world's biggest enterprises. Here's one reason: Small
companies in the business-to-business space that serve large
organizations often connect to the latter's networks and systems.
In effect, the SMB is a potential conduit to the larger company's
data assets. Case in point: The massive data breach of Target in
2013 was widely reported to have begun with the hacking of the
retailer's HVAC vendor.
Another reason SMBs have a bull's-eye on their backs is that
just like larger businesses, they are repositories of sensitive

8. customer and employee information like credit card numbers.
These data can be stolen and sold on the darknet, the
anonymous network used for illegal peer-to-peer file sharing. In
its shadowy corners lurk the plunder of many data breaches,
including the spoils taken from SMBs.
"Small businesses are a prime target of cybercriminals," said
Larry Ponemon, Ph.D. (accounting), chairman and founder of
the Ponemon Institute, a research think tank dedicated to
advancing data protection practices. "Hackers know that smaller
organizations don't have the wherewithal to develop a defensive
security strategy. But the companies themselves tend to
erroneously believe that the bad guys only target big
companies."
This was true for a long time, Ponemon added, "until smart
hackers realized they could get into a large business through a
small one. Just because you're small doesn't mean you don't
have access to a huge amount of valuable information."
A 2016 study by the Ponemon Institute found that 55% of SMBs
experienced a cyberattack in the previous 12 months, and 50%
experienced a data breach over the same period. Nearly 600
respondents participated in the research, which looked at
companies with a headcount of fewer than 100 employees up to
1,000.
PROTECTING THE STORE
There are several types of information that many SMBs are
required by law and industry regulations to protect. They
include protected health information (PHI) that is shielded by
the HIPAA privacy and security rules, personally identifiable
information (Pll), and credit card data. The latter security
standard is known as PCI DSS for the payment card industry
that created the data security standard. Similar regulations are
in place for businesses in specific industry sectors, such as
small banks or insurance agencies.
In all cases, a business must protect the information from loss,
theft, or damage and notify relevant authorities in the event of a
data breach. Noncompliance can result in fines and penalties.

9. The challenge for SMBs is the cost of protecting these data.
"Large organizations have ample resources dedicated to this;
smaller organizations typically do not," said Mark Burnette,
CPA, shareholder at audit and advisory firm LBMC, where his
focus is client cybersecurity. "Their resources generally are
constrained. They just have less attention to provide the
matter."
Other cyber experts agree. "Small companies typically don't
have a formal cybersecurity policy, much less a chief
information security officer like many large companies have in
their employ," said Rod Smith, CPA, managing director of audit
and advisory firm Crowe Horwath. "It's also considered overly
expensive by many SMBs to implement a program that prevents,
detects, mitigates, and helps a business recover from cyber
incidents."
Aside from the expense, many small businesses believe there is
scant risk of something bad happening if they skirt the rules.
While Smith noted that the regulatory scrutiny of SMBs is not
as assiduous as the inspections accorded larger businesses,
complacency can backfire. Ponemon agreed: "The statistics
indicate that very few small companies will avert a
cyberattack."
This may explain why many large enterprises that conduct
business with smaller companies are now requiring them to
provide evidence of their cybersecurity practices. "More and
more smaller businesses serving Fortune 500 and large publicly
owned companies are coming to us to report on their
cybersecurity practices," said Smith. "The main reason appears
to be that their customers are demanding it."
SMBs that do not confront such pressure nonetheless cannot be
cavalier about a risk that can severely disrupt and even doom
their business. Hackers are aware that many SMBs collect
customer credit card data. Knowing this, the thieves attack a
small retailer's point-of-sale system to make their way into the
payment card data. "A small retailer on Main Street also may
have access to all sorts of people, buying mailing lists that

10. could contain sensitive data like login information," Ponemon
said.
Other threats include payment card skimmers that physically
tamper with ATMs and fuel-pump terminals. "Being small
doesn't mean you're free from worry," he added.
Aside from a data breach, SMBs also face the threat of
ransomware. This malicious software is embedded within
infected email links, email attachments, and compromised
webpages that either lock up a computer screen so users can't
access their applications, or encrypt files so they can't be
opened. To unlock or reopen, the company must pay a ransom,
typically in bitcoin. Once hacked, most companies pay the
ransom, which for smaller businesses is in the range of a few
thousand dollars.
The common entryway for a cyber extortionist is a phishing
scam that entices an employee to click on something he or she
shouldn't. According to the U.S. Department of Justice,
ransomware attacks quadrupled from 2015 to 2016, averaging an
astonishing 4,000 attacks each day. The United States is the
region most affected by ransomware, recording 28% of
infections globally. "When we first looked at ransomware in our
SMB survey, only 11 % of small companies had been victims,"
Ponemon said. "In 2016, the percentage jumped to 46%--nearly
half of all attacks."
LOCKING DOWN THE HOUSE
According to the Ponemon study, the most prevalent
cyberattacks against SMBs today are web-based and
phishing/social engineering scams. Negligent employees and
third parties such as outside vendors are the primary cause of
most breaches. Nearly six in 10 respondents said they did not
have visibility into employees' password practices, indicating
the possibility of weak password protections. Of small
businesses that have developed a password policy, 65% do not
strictly enforce it.
TAKING PRECAUTIONS

11. "Small companies need to do what large companies are doing;
being small doesn't let them off the hook," said Mary Galligan,
managing director, cyber risk services at audit and advisory
firm Deloitte. "In both cases, the cyber hygiene is the same,
whether you employ 10 people or 10,000."
How can SMBs begin this journey? Galligan advised they task
someone within the organization to be responsible for the
cybersecurity program. "It's basic human nature--once we put
someone in charge of something, it gets looked at," she
explained. "The person could be the CFO or in very small firms
someone who is knowledgeable about technology. Once
selected, the individual should be championed by the CEO or
the business manager so everyone understands such supervision
is in place and is important."
The cyber risk monitor's first assignment should be the
development of a written cybersecurity policy that is signed by
employees, who are then held accountable to the policy's rules,
she added. This report should identify the organization's key
cyber risks and most important data assets, as well as who in the
organization has access to these data and on which devices,
such as a personal laptop. (See the sidebar "Cybersecurity Risk
Management Reporting Framework" for information about
guidance the AICPA has released to help organizations gauge
the effectiveness of their cybersecurity efforts.)
"You can't protect sensitive data assets if you don't know what
they are," said Burnette. "Once you know what it is and who
should have access to it, you can then identify all the business
processes involved in storing, transmitting, or processing the
data to make well-informed decisions about how best to protect
it."
Not that this is easy. Burnette pointed out that many SMBs have
duplicates of data residing across the business. "An example is
an attorney at a small law firm that exchanges sensitive files
with clients, pulling information out of the firm's data
repository and storing it on their laptops and phones using
Dropbox, on flash drives, and possibly even backing it up on an

12. external hard drive at home," he said. "There are now four
copies of sensitive data floating around." And those methods of
storage are not considered secure.
Other points to make in the cybersecurity policy include how
the company's IT hardware is secured. For example, a key
concern is the possibility of a nonemployee on the premises
surreptitiously attaching a thumb drive to a desktop computer or
a laptop to download files and other information. "If a device
stores sensitive data, consider plugging the USB ports,"
Galligan said.
The security report also should address how the business is
securing connected networks, cloud-based services, and other
internet connections. Ditto companyprovided mobile devices
and those owned by employees that are used in a work context.
Also spelled out clearly in the report are the company's security
expectations of its employees and the third-party organizations
providing services to the business.
In the case of a small business such as a cafe that hosts a Wi-Fi
public access network, the report should identify how the
wireless router is secured, such as through WEP, WPA, or
WPA2 security software (each type offers a different level of
security). According to a 2016 study of more than 31 million
Wi-Fi hotspots across the world by Kaspersky Lab, more than
one-quarter are not secured, lacking encryption or password
protection.
Lastly, the report must have sharp teeth, with employees
determined to be noncompliant at risk of losing their jobs.
"Since phishing and other social engineering tactics are the root
cause of so many data breaches, employees must be held
accountable for their behavior," Galligan said.
TRAINING AND EDUCATION
A tone at the top stressing the importance of cybersecurity and
policies around strong passwords can help safeguard companies
of all sizes. But that must be paired with training and education
to regularly remind employees about the types of sensitive data

13. the organization produces, transmits, and stores. Regular
training also should be scheduled to ensure employees recognize
new phishing scams and understand the actions they need to
take when such tactics are evident. (See the sidebar "Get the
Complete Picture" for tips from the Federal Trade Commission
on protecting your business's sensitive data from cyberattacks.)
"Small companies' biggest risks like ransomware are caused by
people clicking on things they shouldn't click on," Galligan
said. "If a small business only had the resources to concentrate
on just one thing, I would put it towards data access
management."
Even the best cybersecurity policy is not perfect to thwart all
cyberattacks, as large companies will attest. With the world
increasingly interconnecting, companies of all sizes are
becoming bigger targets.
"I tell clients they're going to be hacked at some point, which is
why they need to have a plan in place of what to do when it
happens," said Galligan. "Based on the size of the attack, they
may need forensic, legal, and even crisis management support."
Incident response planning is also key. "Knowing this
beforehand, and having it clearly spelled out in the
cybersecurity policy, will guide more-efficient and cost-
effective mitigation and remediation tactics."
GET THE COMPLETE PICTURE
For information on how to defend your small business from
cyberattacks, the Federal Trade Commission rolled out a
webpage on May 10 (ftc.gov/SmallBusiness) that offers free
risk management tips and other advice to small and medium-
size businesses. The site is designed to help smaller companies
protect their networks, systems, and customer and employee
data from cybercrimes. Among the FTC tips is compiling the
following information:
* Who sends sensitive personal information to your business.
Do you get it from customers? Credit card companies? Banks or
other financial institutions? Credit bureaus? Job applicants?
Other businesses?

14. * How your business receives personal information. Does it
come to your business through a website? By email? Through
the mail? Is it transmitted through cash registers in stores?
* What kind of information you collect at each entry point. Do
you get credit card information online? Does your accounting
department keep information about customers' checking
accounts?
* Where you keep the information you collect at each entry
point. Is it in a central computer database? On individual
laptops? On a cloud-computing service? On employees'
smartphones, tablets, or other mobile devices? On disks or
tapes? In file cabinets? In branch offices? At employees'
homes?
* Who has--or could have--access to the information. Which of
your employees has permission to access the information? Do
they need access? Could anyone else get a hold of it? What
about vendors who supply and update software you use to
process credit card transactions? Are contractors operating in
your call center?
Source: Federal Trade Commission, Protecting Personal
Information: A Guide for Business.
CYBERSECURITY RISK MANAGEMENT REPORTING
FRAMEWORK
The AICPA unveiled a new framework for cybersecurity risk
management reporting designed to help businesses meet a
growing challenge.
The AlCPA's framework is voluntary and designed to enable all
organizations to communicate about the effectiveness of their
cybersecurity risk management programs and to communicate
effectively about cybersecurity activities. Two resources that
support reporting under the framework were released in April:
* Description criteria that management can use to explain an
organization's cybersecurity risk management program in a
consistent manner. CPAs can use these criteria to report on
management's description of its cybersecurity risk program.

15. * Control criteria that CPAs providing advisory or attestation
services can use to evaluate and report on the effectiveness of
the controls within a client's program.
An attest guide, Reporting on an Entity's Cybersecurity Risk
Management Program and Controls, has been published to assist
CPAs who are engaged to examine and report on an entity's
cybersecurity risk management program.
The engagement for reporting on a cybersecurity risk
management program and controls grew out of an emerging
need identified by the AICPA Assurance Services Executive
Committee. Using the framework, CPAs can provide
cybersecurity-related assurance services while applying their
experience in auditing information technology controls.
More information is available at aicpa.org/cybersecurity.
Russ Banham, who specializes in technology risk management,
is a veteran financial journalist and author of more than two
dozen books.
Copyright: COPYRIGHT 2017 American Institute of CPA's
http://www.journalofaccountancy.com/
Source Citation
Source Citation (MLA 8th Edition)
Banham, Russ. "Cybersecurity threats proliferating for midsize
and smaller businesses: smaller organizations are targets for
hacking and phishing attacks to get information that can harm
them or bigger they do business with." Journal of Accountancy,
July 2017, p. 75+. Gale OneFile: Business,
https://link.gale.com/apps/doc/A499343041/ITBC?u=oran95108
&sid=ITBC&xid=2c2f047b. Accessed 15 Sept. 2019.
Gale Document Number: GALE|A499343041
More Like This
ITBC
oran95108

16. Gale OneFile: Bus
false
false
DO_DOWNLOAD
CLOUD_DRIVE
cloud.translate.do
DownLoad
HTML
ITBC
GALE|A49934304
Cybersecurity_th
FULLTEXT_WITH_
Translate Article
https://app-na-rea
en_us
Let's collaborate on IT best practices: the industry should
develop a set of best practices for managing information

17. technology systems and not wait for FDA to take the lead
Citation metadata
Author:Keith Parent
Date: July 1, 2005
From:Pharmaceutical Technology(Vol. 29, Issue 7.)
Publisher: UBM LLC
Document Type: Article
Length: 704 words
Document controls
Translate
Font Size
Listen
Main content
Pharmaceutical firms today confront a daunting array of
problems--expiring patents, dwindling pipelines, counterfeit
drugs, and more. Profits are slowing and share prices
plummeting. Is it any wonder that pharmaceutical firms are
making billion-dollar cutbacks?
Information technology (IT) budgets are on the chopping block,
yet CEOs are asking IT departments to play a bigger role in
drug discovery, clinical trials, and manufacturing automation.
It's up to IT to figure out how to do more with less.
The US Food and Drug Administration regulations make cost-
cutting all the more difficult. Although FDA requires companies
to comply, it rarely tells them how. Agency guidance documents
provide insight into regulatory requirements, but they do not
provide a step-by-step quality management framework that IT
departments can follow.
Pharmaceutical IT departments could do better. They must
adopt repeatable IT quality practices designed to cope with
FDA-regulated environments. The Information Technology
Infrastructure Library (ITIL) is a comprehensive set of best
practices developed in 1989 by Great Britain's Office of
Government Commerce. In essence, ITIL is a series of books
that provides detailed guidance on a wide array of IT services.
Hundreds of companies use ITIL processes to improve their

18. delivery of everything from change management to systems
availability.
Unfortunately, although ITIL is a powerful quality management
framework, it was never designed to accommodate FDA's
rigorous regulatory regime. There is currently no standard set of
evolving best-practices for IT management in the
pharmaceutical industry. That is why the industry has had so
much trouble coping with 21 CFR Part 11 in recent years, and
why even today, IT managers dread the thought of consolidating
servers in a validated environment, even though most large
firms could save millions per year by doing so.
One need only visit pharmaceutical data centers and count the
hundreds of obsolete servers running at 5-10% of capacity to
realize that vast sums of money are wasted every year. Why?
Because companies have neither developed nor adopted a battle-
tested set of best-practices that is designed to accommodate
FDA regulations.
Instead, every pharmaceutical firm has its own approach to
managing IT services, validating systems, consolidating servers,
and managing clinical trials. Indeed, IT management practices
frequently vary widely among departments and business units
within the same company.
ITIL could serve as the foundation of an industry-wide suite of
IT best practices, but first it must be substantially modified to
accommodate FDA's specific requirements. That task is far too
big for any one company. Imagine the difficulty of developing
IT management processes for next-generation manufacturing
plants employing the latest process analytical technologies,
while also developing soup-to-nuts guides for automating drug
discovery, clinical trials, outsourcing, and data center
management. The effort would require extensive collaboration
between a wide array of pharmaceutical IT practitioners,
vendors, and consultants for years to come.
During the past 10 years, my consulting firm has developed a
small portfolio of ITIL-based best-practices for pharmaceutical
firms--the byproduct of numerous consulting engagements--but

19. we have only scratched the surface. We think it is time for IT
practitioners, vendors, and consultants in the pharmaceutical
and other FDA-regulated disciplines to take a page from ITIL's
book and collaborate on industry best practices that will enable
every participating company to improve its IT product and
service delivery, tackle challenging new opportunities such as
IT in drug discovery or process analytical technology
manufacturing automation, while capping or reducing the cost
of information technology.
We think this effort should have a name appropriate to the
pharmaceutical industry and, borrowing from FDA's
nomenclature for quality in manufacturing, laboratory and
clinical trials management, decided on "Good Systems Practice
(GSP)" to balance "Good Manufacturing Practice (GMP)."
We all understand the purpose of GMP on the plant floor and
GLP in the laboratory. Why don't we have GSP in our data
centers? I propose that we develop a Good Systems Practice that
will become an open standard for all FDA-regulated companies
to adopt. We should not wait for FDA to regulate how we
manage our IT systems. Instead, industry should lead the way to
Good Systems Practice. We have already started. Call me if you
want to join in.
Keith Parent is the CEO of Court Square Data Group, Inc., 1441
Main Street, Suite 223, Springfield, MA 01103 413.746.0054,
[email protected] csdg.com.
Parent, Keith
Copyright: COPYRIGHT 2005 UBM LLC
http://www.ubm.com/home
Source Citation
Source Citation (MLA 8th Edition)
Parent, Keith. "Let's collaborate on IT best practices: the
industry should develop a set of best practices for managing
information technology systems and not wait for FDA to take
the lead." Pharmaceutical Technology, July 2005, p. 82. Gale
OneFile: Business,
https://link.gale.com/apps/doc/A135578546/ITBC?u=oran95108

20. &sid=ITBC&xid=74d08f60. Accessed 15 Sept. 2019.
Gale Document Number: GALE|A135578546
Sample paper Do not copy!
Running head: INFORMATION TECHNOLOGY 1
INFORMATION TECHNOLOGY 4
Information technology (IT) is the technology involving
the development, maintenance, and use of computer systems,
software, and network for the processing and distribution of
data (Merriam-Webster, 2017). An article in the Harvard
Business Review that was written in 1958 stated that
information technology consisted of three basic parts,
computational data processing, decision support, and business
software (Mitchell, 2017). No matter how one defines
information technology, it plays a vital role in both large
corporations and small businesses alike. With the world
advancing and becoming more technology-centric, information
technology has to change as these advancements make their way
to the forefront. There are several trends in tech world that will
drive IT decision making for the next five years.
Data growth is forcing IT departments to adopt new forms
of operation and reset their expectations of work. Server loads
are growing 10% every year, network bandwidth is increasing
by 35%, and storage capacity is expanding by 50%
(Schaffhauser, 2015). With the increasing popularity of online
video there is a demand for network bandwidth both on Internet
and on IT networks. Because these new software packages
demand more data usage due to their richer graphics and
interaction with computers, IT teams must plan accordingly for
their company’s current and future needs to keep up with the
network traffic (Mitchell, 2017).
The Internet of Things is creating a new way to looking at

21. business and collecting information about the clients and
developing a new level of automation to make the business more
efficient (Schaffhauser, 2015). The Internet of Things is a
network of small devices that are self-aware and self-
discovering. These sensors support their own mesh network so
that as devices are deployed, they find each other and “report
back.” They are often location-aware and in some cases don’t
require batteries (Schaffhauser, 2015). Currently, there are
hospitals using these sensors that are attached to hand-cleaning
stations. As nurses and doctors wash their hands, the sensors
scan their badge and the data is collected. If there is ever a
lawsuit, because someone get infected and blaming the hospital,
they can go back and track the sequence of every movement to
use as a defense against the lawsuit. Right now most
organizations are in a “look-see mode” (Schaffhauser, 2015). It
is important that IT stays on top of what their company’s plans
are as it relates to the Internet of Things.
Software-defined infrastructure is creeping into the data
center. Conceptually, they are intended to create a new way to
operate, orchestrate and automate, by putting configuration
controls at a higher plane than it was. Instead of having
individuals go out and optimize at the devise level to get the
best performance or best use of that particular resource, if
someone can do it at a control plane, they can enhance the
workload, traffic flow and automation. This can eventually
improve the overall efficiency of the operation. This is
currently being tested, but the promise is there (Schaffhauser,
2015). Eventually one will be able to manage these
environments on or off the premise. It will become a virtual
environment. Workloads could move based on actual business
needs, performance needs, and time of day. They could be
moved to wherever they need to be. A related trend is
“proactive infrastructures” where data centers are beginning to
use predictive prescriptive analytics to help IT staff gain a
sense of what will happen in real time as the machines are
running or what would happen if a particular system change

22. were made (Schaffhauser, 2015).
As technology continues to advance, security risk become
more problematic. Security risk come from both internal and
external. Internal attacks are one of the biggest threats facing
any data systems. These risk can come from various places.
One way is by a disgruntle employee. A rogue employee,
especially if they are part of the IT staff, with knowledge of and
access to networks, data centers and admin accounts, can cause
severe damage (Schiff, 2015). That is why it is imperative that
a company identify all privileged accounts and credentials, and
immediately terminate those that are no longer in use or are
connected to employees who are no longer with the company
(Schiff, 2015). Next, they need to monitor closely, control and
manage the privilege credentials to prevent future exploitation
by implementing necessary protocol and infrastructure to track,
log, and record the privileged account activity. Alerts should
be in place to allow for quick response to the malicious activity
(Schiff, 2015).
Another internal risk comes from careless or uninformed
employees. When an employee is not trained in security best
practices and have weak passwords, visit unauthorized website,
and click on links in suspicious email or open email
attachments, these pose an enormous security threat to an
organization’s system and data (Schiff, 2015). One risk is that
spyware can be downloaded into the system. When spyware
enters the network, a company can no longer guarantee that
their corporate information is secure (Johnson, 2004). It also
generates more spam. When spyware finds an email address, it
sends it back out over the internet to be traded shared or sold to
spammers. When a user is clueless enough to click on the
product ads within the spam, they risk downloading additional
spyware, which in turn devours network resources causing poor
performance and proliferation pop-up ads (Johnson, 2004).
That is why businesses must train employees on cybersecurity
best practices and offer ongoing support. IT must also ensure
that all employees have strong passwords, since they are the

23. first line of defense (Schiff, 2015).
Other internal security risks can come from cloud applications
and unpatched devices. The best way to prevent threat from a
cloud application is to defend at the data level using strong
encryption that prevents any third party from accessing the data
even if it resides on a public cloud (Schiff, 2015). Unpatched
devices, such as routers, servers and printers that employ
software or firmware in the operation, and a patch for
vulnerability in them has not been created or sent, or their
hardware was not designed to enable them to be updated, can
easily be accessed by hackers (Schiff, 2015). The best way for
a company to defend against this risk is by instituting a patch
management program that ensures devices, and software are
kept up to date at all times (Schiff, 2015).
Like internal information security risk, external
information security risk can be devastating on a company as
well. One of these security risk can come from vandalism and
looting, where individuals exploit security weakness that are
exposed during an emergency or natural disaster that make it
impossible for security to reach the damaged facility (FFIEC,
2017). In order to prevent these events from occurring,
businesses need to address these potential threats before any
disaster takes place by implementing alternative security
measures. These measures must be capable of protecting the
company both physically and logistically (FFIEC, 2017).
External information security risk can also come from
natural disasters, such as fires, floods and other water damage,
and severe weather (FFIEC, 2017). A fire can result in the loss
of equipment and data. It is essential that a business’
evacuation plan provide guidelines for securing or removing
media, if time permits. That is why fire drills should be
periodically conducted to ensure that personnel understand their
responsibilities (FFIEC, 2017).
As with a fire, water can also damage equipment resulting in
data loss. If a company is built near a floodplain, they risk
being flooded. Since water always seeks the lowest level,

24. business need to make sure that their critical records and
equipment are located on upper floors, if possible, to mitigate
this risk (FFIEC, 2017). By raising the flooring or elevating the
wiring and servers by several inches off the floor, can also
prevent or limit the amount of water damage. A business should
also be aware that water damage can occur from other sources
such as broken water mains, windows, or fire sprinkler systems
(FFIEC, 2017). If a business has their computer or equipment
room located in an area that has a floor above it, the ceiling
should be sealed to prevent water damage. The company should
also consider in investing in water detectors as a way to provide
notification of a problem (FFIEC, 2017).
A disaster resulting from an earthquake, hurricane,
tornado, or other severe weather typically occurs by a defined
geographic location (FFIEC, 2017). Given the random nature of
these natural disasters, a company located in an area that
experiences any of these events needs to include appropriate
scenarios in their business continuity planning process. In
instances where early warning systems are available, businesses
should implement procedures before the disaster to minimize
losses (FFIEC, 2017).
In conclusion, the information technology world is rapidly
changing. From increased data growth to the Internet of Things,
modern society depends on information technology in nearly
every facet of human activity (Al-Ahmad & Mohammad, 2013).
With these changes comes new opportunities, however,
organizations are exposed to increasing information technology
security risk. That is why it is imperative that companies create
standards, best practices, and frameworks to help manage these
risks (Al-Ahmad & Mohammad, 2013). Risk associated with
the use of technology needs to be adequately maintained and
assessed for an organization to maintain their business (Al-
Ahmad & Mohammad, 2013).

25. References:
· Merriam-Webster. (2017). Information technology. Retrieved
from https://www.merriam-
webster.com/dictionary/information%20technology
· Mitchell, B. (2017). Introduction to information technology
(it). Retrieved from https://www.lifewire.com/introduction-
information-technology-817815
· Schaffhauser, D. (2015) 5 tech trends that will drive it
decision-making for the next five years. Retrieved from
https://campustechnology.com/articles/2015/04/20/5-tech-
trends-that-will-drive-it-decision-making-for-the-next-5-
years.aspx
· Schiff, J.L. (2015). 6 biggest business security risks and how
you can fight back. Retrieved from
https://www.cio.com/article/2872517/data-breach/6-biggest-
business-security-risks-and-how-you-can-fight-back.html.
· Johnson, M. (2004). Spyware wake-up call. Computerworld,
38(18), 20. Retrieved from EBSCOhost
· FFIEC. (2017). Appendix c: internal and external threats.
Retrieved from https://ithandbook.ffiec.gov/it-
booklets/business-continuity-planning/appendix-c-internal-and-
external-threats.aspx.
· Al-Ahmad, W., & Mohammad, B. (2013). Addressing
information security risks by adopting standards. International
Journal of Information Security Science, 2 (2), 28-43.
Retrieved from EBSCOhost.