Risk Assessment Background
Cyber threats have become one of the key challenges for OPM over the past several decades. The key problem with the company’s cybersecurity system is that it lacks a specific risk governance structure that could be used to mitigate the influence of risks on the organization. Security controls currently have to be accessed with the help of manual sources, as there is no robust continuous monitoring system that would protect the network. A thorough assessment of documentation and requirements shows that all guidelines and policies are followed, but the organization fails to keep its contractor- and organization-operated systems up to date.
Risk Assessment: Potential Exploits
Previous audits establish a thorough basis for discussing cybersecurity weaknesses because the organization does not keep up with the security standards mentioned in the audit. This factor severely limits the organization’s ability to maintain secure operations and decrease the likelihood of a breach. The key potential exploit is the presence of numerous data loss points that could leave OPM exposed to hacker attacks aimed at intellectual property theft. The status of operations is not recorded in the system, making it harder for cybersecurity specialists to trace threats and implement proactive strategies. The system can also be seen as lacking a centralized approach to cybersecurity, meaning connections between network nodes might contribute negatively to the overall state of cybersecurity at OPM.
Potential Approaches to OPM’s Cybersecurity
The idea behind finding additional approaches to improving cybersecurity at OPM is that the company has already been involved in similar issues in the past, so there should be instruments intended to help the team either prevent or cope with the most significant threats. The first rational decision would be to attract several additional information system security officers to gather feedback and systematize all the threat-related data in a meaningful way. Another crucial element is the lack of specific performance standards that could focus on compliance and redefine the organization’s approach to its cybersecurity in general. Available security options make it safe to say that OPM’s systems should become much more comprehensive in terms of authorization. Not all controls applied within the system would be cost-effective, but the organization has to invest a certain amount of resources in its cybersecurity to protect user data and corporate intellectual property.
Most Probable Vulnerabilities and Threats Affecting OPM
Table 1. Essential cyber vulnerabilities for OPM.
|Vulnerability||Threat source, likelihood and impact|
|Personal Identification Verification is missing from all OPM applications||The growing threat of unauthorized access creates a security bottleneck for the organization. From terminated employees to any hacker outside the network, anyone seems to have access to corporate resources. The likelihood of OPM encountering this type of threat is rather high because the company’s database could be dialed with no restrictions whatsoever. As a result, OPM would lose sensitive data to the hackers while also experiencing a shortage in revenues and potential exposure to legal problems.|
|The lack of adequate cybersecurity assessments that would take place at least once per annum||In this case, the main sources of threat are hackers and past employees, as the core of this vulnerability is to access the company’s database and exploit it. The wrongdoers would be most likely to complete this with the help of learning the key patterns related to cybersecurity and causing the system to collapse when overflowing the database with erroneous queries on purpose. Again, the likelihood of this cyber threat is exceptionally high because of the company potentially losing any kind of access to its own data. Hackers might manage the information remotely to ensure that they are not going to get caught as a result of their actions.|
|OPM could be prone to unsupported software or even invest resources in equipment that does not affect the price-quality ratio and team performance in a positive way||The problem, in this case, is that hackers or terminated employees could utilize software that is unsupported by OPM systems in order to cause the latter to collapse. This kind of insider knowledge is what is going to affect the team the most, as the likelihood of this threat is the highest out of all. The company could lose access to most of its sensitive information and then be forced to negotiate with the wrongdoers, potentially losing plenty of monetary resources as well. This issue is the most impactful because it hints at some of the instruments utilized by OPM being obsolete and potentially useless in the age of digital innovation.|
Risk Assessment Results
Table 2. Categories of risk and their brief descriptions.
|Category||Low Risk||Medium Risk||High Risk|
|Risks Listed||Software modification policies; Trust modifications; Operating System modifications||Inactive or disabled users; Security group modifications; User password change attempts; Number of users with privileges||Failed log-ons; Operations with files (creating, copying, renaming); Permission changes; Failed file reads; Active directory changes|
|Description||At this point, the environment has to be scanned proactively so as to create an organizational setting where there are no specific risks or threats affecting the team’s functioning (Liu et al., 2018). Any anomalous behavior will be easily identified.||The organization might be in steep need of cleaning the list of disabled users so as to protect itself from a future insider attack. Security groups and audit modifications have to be introduced in order to ensure that the team has up-to-date knowledge regarding who has access to different places within the network (Zhang et al., 2018). Every password within the system should be set to expire after a reasonable period (no password should be timeless).||There is a rather high probability of the organization being exposed to brute force attacks. Users without required authorizations might introduce any kind of changes into the system, causing it to collapse (Ahmed et al., 2017). All operations with files should be audited, respectively. Sensitive data is at an exceptional risk in this particular case.|
A thorough analysis of OPM cybersecurity systems showed that there were evident issues affecting the organization and its data management initiatives. The lack of guidelines and adequate instruments turns OPM into an easier target because the company does not shy away from utilizing legacy systems and exposing itself to serious damage from innovative cyber threats. The need to improve OPM’s cybersecurity will be discussed in line with the five key steps that the management would have to take to protect itself from similar issues in the future.
The first step would be to conduct audits regarding cybersecurity policies more often so as to have the team in a state of readiness. Any modifications should be expected by the team, as an unanticipated change might also destroy the long-established cybersecurity strategy and provide hackers with practically free access to organizational resources. One of the possible ways to resolve this particular issue would be to implement group modifications, including the removal of inactive users and timely updates of security policies (De Bruijn & Janssen, 2017). One of the first tasks completed by the team would be the implementation of stricter password policies so as to respond to the lack of personal identity verification measures.
The next step for the organization would be to implement additional security controls prior to applying any risk management strategies or mitigating cyber threats that were identified during the first step. The effectiveness of this stage depends on how successful OPM’s cybersecurity team would be in terms of auditing the risks and alerting the team when necessary. Therefore, every stakeholder involved in the process of managing sensitive data would become closer to realizing the benefits of security controls (Li et al., 2019). The ultimate rationale for finding appropriate security controls is that cyber threats are evolving, and the team should always remain in touch with the required updates to secure all the sensitive data in an appropriate manner.
After finding the right security controls, the team would be required to categorize every risk depending on its potential influence on the organization and see if OPM has enough hardware power and monetary resources to support stronger risk mitigation strategies. Data storage protection cannot be ignored because it is the last resort of safety in the case where a hacker decides to breach (Cavelty & Egloff, 2019). Accordingly, the organization should invest in a complex all-around solution that would possess all kinds of functionalities aiding the cybersecurity officers in terms of identifying the key risks and addressing them proactively. Based on evidence from De Bruijn and Janssen (2017), it may be supposed that the company could benefit from data loss prevention and data-centric audit and protection instruments when implementing updates to security controls.
The fourth step intended to improve the state of affairs at OPM is the process of finding the right security solutions with embedded native security controls. The team would have a better chance to go through the security logs and see how specific solutions could prevent it from losing data or exposing employees and clients to hacker attacks (Hurel & Lobato, 2018). The team should invest in this particular stage because it would help them take a better look at existing methods of cyber threat prevention and address the essential cybersecurity gaps. By continuously monitoring the network, OPM is going to assess organizational proneness to cyberattacks and deploy the best plan of action.
The last recommendation for OPM is to pay closer attention to how data is being transferred between network units and what key patterns are inherent in user interactions when it comes to corporate data. A better understanding of corporate privileges and permissions in terms of cybersecurity is what might protect the organization from crucial system errors in the future (Zhang et al., 2018). In general, every unnecessary permission should be revoked, and most users should have the least privileges related to data access. Information security should be perceived as an essential concept, which contributes to the company’s image and not just the capability of identifying and preventing hacker attacks.
References
Ahmed, A. W., Ahmed, M. M., Khan, O. A., & Shah, M. A. (2017). A comprehensive analysis on the security threats and their countermeasures of IoT. International Journal of Advanced Computer Science and Applications, 8(7), 489-501.
Cavelty, M. D., & Egloff, F. J. (2019). The politics of cybersecurity: Balancing different roles of the state. St Antony’s International Review, 15(1), 37-57.
De Bruijn, H., & Janssen, M. (2017). Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1-7.
Hurel, L. M., & Lobato, L. C. (2018). Unpacking cyber norms: Private companies as norm entrepreneurs. Journal of Cyber Policy, 3(1), 61-76.
Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13-24.
Liu, Q., Li, P., Zhao, W., Cai, W., Yu, S., & Leung, V. C. (2018). A survey on security threats and defensive techniques of machine learning: A data driven view. IEEE Access, 6, 12103-12117.
Zhang, J., Chen, B., Zhao, Y., Cheng, X., & Hu, F. (2018). Data security and privacy-preserving in edge computing paradigm: Survey and open issues. IEEE Access, 6, 18209-18237.