The Effectiveness of Network Security Policies in Preventing Leakage of Confidential Business Data

A  ‘network security  policy’ or a NSP  can be considered as a well documented  policy that  outlines the manner in which the computer   devices  (and other elements) connected  to a private business network would be accessed  by  individuals   internal and external to  the organization. The network security policy, according to experts (Basile et al. 2015), effectively   provides a brief overview of the basic architecture of the network security environment that exists in any organization.

The research work being  proposed in this paper would  be directed towards  highlighting  the  effectiveness of network security policies  in preventing the leakage of confidential business data, as observed  among the UK based online retail business organizations in the recent  past.

Topic of research: Network security policies to prevent data theft for UK based online retail business:

Experts (Kaldor and Rangelov 2014)   define the term ‘data theft’ as the act of getting unauthorized access  to the confidential and private  data of   any  organization  or individual,  with malicious  intent.   The  authors are  of the opinion that in the last few months, data  theft has suddenly  become  one of the core issues  that  IT  managers  associated with retail  businesses are  experiencing.

In February 2017, Retailrisk.com published a report which indicated that according to  the annual crime survey  conducted by  British Retail Consortium,  almost  53 percent of all the  retail frauds reported in the financial year 2015-16 were cyber   based, with violence against the staff and abusing them  on social sites were the  most commonly conducted crimes. While the above mentioned  crimes are  not remotely  connected  with data theft, the very same  report has also highlighted  the fact  that acts  of  phishing, malware injection, denial of  services, security  breaches with the objective of  accessing confidential data  are also on rise. Thus, this particular study would emphasize on the utility of effective Network security policies in fighting against such crimes.

As  mentioned   in the introduction section   of the  paper, the proposed  research study would be solely aimed at  highlighting the manner in which network security  policy documents  can  be utilized  so as  to avoid the cyber  crimes,  especially  theft  or leakage of confidential data.

  The primary objectives of the research study have been outlined in the section below:

1. To identify the common  network security issues experienced  by online retail businesses
2. To identify popular network security policies and their impact on preventing network security problems.
3. To investigate the awareness of small business employees towards network security threats and the effect of the same on the business operations
4. To recommend strategies that can be utilized by UK based online retail businessfor mitigating security threats and issues.

1. To what extent are UK based online retail businesses are aware of the security issues that can lead to data theft?
2. How can network security policies be effectively utilized to prevent data theft from UK based online retail business?

In UK Tesco is facing issue regarding the protection and security of data. As they are accelerating their plan for reaching their customer through multi channel the requirement for managing the technology and the data security risks increases. According to the code of business conduct Tesco needs to secure their customer data and protect their colleagues and customers for avoiding obligations and violation of privacy laws (Siponen and Vance 2014). Tesco has many partners and the threats can arise from any of the point for it is essential for Tesco to identify the threat arising in the business and secure the points. The security in e commerce is an essential part for the success of the business and the information security framework of Tesco must be secured with the application of security protocols and technologies (Kahate 2013). For the promotion of the business Tesco needs to select a strategy using the technology and the system for improving the business environment and the development if the e-commerce system. Because of the expansion in notices by the media from security and protection ruptures like wholesale fraud and budgetary misrepresentation, and the raised familiarity with online clients about the dangers of performing exchanges on the web, web based business has not possessed the capacity to accomplish its maximum capacity. Numerous clients decline to perform online exchanges and relate that to the absence of trust or dread for their own data (Liu et al. 2016). The customary verification instrument depends on personality to give security or get to control techniques; also, conventional encryption and confirmation calculation require high figuring force of PC hardware. In this way, how to enhance the validation instrument and improve the conventional encryption and verification calculation might be the concentration of P2P online business (Liang 2016).

Awareness of Small Business Employees to Network Security Threats

Tesco have a requirement to develop a network security policy for securing the network components and addressing the issues arising during managing the whole business network of Tesco. The main purposes for the creation of network security policy are as follows:

Confidentiality of data- the data residing in the database server of Tesco must be protected with a security layer and proper authentication level such that external users does not have access of the organizational information (Deter et al. 2015).

Identification and authentication- The authentication of the database server must be provided to the recognized personnel like the database administrators. Digital signatures can also be used for recording and modification of the data residing in the database.

Access control- resources must be assigned to the employees of the organization and they must be given proper username and passwords for accessing the resources of the organization (Kim et al. 2013).

Integrity of the data- The implementation of the data integrity ensures that none of the data gets tampered and hashing or message direct can be applied for the integration of the data in the organizational database.

Non repudiation- The customers should not be restricted to purchase a product from their store and new technologies can be used for authentication of the customer and encryption techniques must be applied to store the customer information in the database of the organization (Bunn, Calvert and Karnes 2016).

The online presence of the business of Tesco makes it more vulnerable and it needs to protect the e-commerce assets from alteration or unauthorized access. The application of the security features in the system does not make it a secure system (Gottimukkala et al. 2013). For the development of a secure system there is a need to defend against the recent threats. Security tools can be used for securing the network of Tesco and they are listed as follows:

• Public key infrastructure
• Firewall
• Digital Certificates
• Biometrics
• Digital Signatures
• Locks and bars
• Encryption software
• Passwords

The network security policy for Tesco is required to be prepared after analyzing the threats that can affect the network of the organization. The threat can be dos (Denial of service), unauthorized access, fraud and theft. The DoS attack can be spamming and transfer of virus in the information system of the organization (Son et al. 2013). The unsolicited commercial emails should not be sent to the individuals and installation of unauthenticated software must be avoided because it contains loop holes using which the hackers can intrude into the system. The applications can also implement virus using self replicated computer programs that are designed for performing any unwanted event. The illegal access to the system resources such as the applications and the organizational data must be restricted. Hackers can access the system for finding the secrets of the organization such as the account information and the customer information and use it for illegal purpose (Thomas 2014). The organizational data can also be damaged or modified that can cause a huge loss for the organization. A penetration testing can be done with a group of friendly system expert to find the flaws and holes of the current network of the organization. The hole in the network is then secured for increasing the security of the network. The application of security standards in the developed network would also help to mitigate the risk of security and allow the organization to develop a more secure network (Inukollu, Arsi and Ravuri 2014). A secure channel should be used for transmitting the sensitive data and the data packets should be encrypted before sending. Research on the different websites are done and it has been found that maintaining the web site and privacy and security policy is important for maintaining a good customer relationship and loyalty with the customers. The customers should be informed to secure their emails and make the passwords strong using the combination of alphabet and numeric’s or special character. With the growth of the internet the fraudsters have also increased and some common mistakes are made by the people leaving them vulnerable to attacks like using of same password for multiple accounts (Puthal et al. 2017). The servers of the organization should be configured with SSL for securing the network and IP address of each of the domain must be tracked for monitoring the network. The network administration should monitor the network traffic and record any suspicious activity for defending against the security threats.         

Recommendations for Small Businesses in Understanding and Mitigating Security Threats

The research methodology is used for the collection of the appropriate data and techniques for the development of the project. The collected data is required to be identified by the user and should be consistent with the aim of the research. The utilization of the research philosophy helps to comprehend the adopted strategy for specific examination on the network security policy for preventing the data theft in retail business (Sherif 2016). The research philosophy is associated with the development of piece of knowledge and adopting important assumption based on the selected topic. The assumption made should be studied in order to achieve a successful outcome for the project (Carroll 2014). A critical thinking is required for the evaluation of the network security policy. The research philosophy can be categorized into three parts, which are positivism, interpretivism and realism.

For studying the research topic positivism is used that helps in analyzing the hidden section of the network security policy currently followed by the organization. The information related with the measurement of the effectiveness of the network security policy can also be analyzed following the positivism research methodology. There are two types of research approach such as inductive and deductive and from it the deductive approach is selected for proceeding with the research on the network security policy that should be implemented for the prevention of data theft in the retails business organization (Bae et al. 2014). Selecting the deductive approach the concepts based on the network security policies are analyzed and the inductive research methodology is not appropriate because a practical data analysis is required to get the figures regarding the data theft.

The research design can be further sub categorized into Exploratory, Explanatory and descriptive. It is used for maximizing the control over the factors and different barriers are faced for choosing the best research design for the research paper. Descriptive research design is used for involving the detailed process and correct conditions are used for resolving the data theft issue in the retail industry.

For proceeding with the research an advance investigation is done on the available network policies and the best policy is selected for application in the current network framework of Tesco. The main part of the research is drawing the conclusion and which leads the project. All the studies are not included in the literature review of the research paper. The methodology is created describing the approach and the design followed for proceeding with the research paper. A secondary research methodology is followed for analysis of the information regarding the network security policy of Tesco. The current network policy followed by Tesco is analyzed and the flaws of the current policy are analyzed. A new network policy is chosen for Tesco and it is aligned with the requirement of the business and the possible outcomes are noted and checked that the chosen policy would mitigate the issue of theft of data from the organization. The procedure is repeated until the best result is obtained from it and all the testing is done by a team of skilled system tester and all the outcomes are documented for reference.

The data collection is the most important part and the success of the project depends of effective data collection. It is the process used for the measuring the information depending on the selected topic for research. A feasibility study is required to be made on the selected topic and its effectiveness on the retail industry is required to be analyzed. It is the responsibility of the researcher that a proper data collection method is chosen and accurate and proper data are collected. The collection of the appropriate data reduces the number of errors and it also ensures that the collected data would be highly accepted by the organization for further research on the topic. In the current research different data sources are analyzed for collection of the most appropriate data such as different journal papers, newspapers and case studies of other companies that faces the similar issue in their organization.

When the research was conducted some rules and regulations were required to be followed by the research analyst. The rules and regulation is used for identification of the right and wrong behavior of the person who were involved in the research process. The feasibility analysis was conducted for calculating the effectiveness of the network security policy and the research analyst is required to follow the ethical consideration such that some standardization can be added for the selected topic. The information and the data that are collected from the research on the network security for protection of the data in the organization should be kept secured and prevented from any third party access. The data application is used for understanding the benefits and the features of the network security policy. The data gathered are also used for gathering the information and find some improvement areas in the network security policy currently used by the organization. When the research problem is selected different sources are analyzed for creation of a risk mitigation plan. A proper plan is required to be created for solving the issues that are currently faced by Tesco to handle its business operation. For drafting the literature review the topics are created as recognizable clusters and various positions of the staked out that are relevant with the project. The main data are gathered from the case study and different sources are also analyzed for the collection of the information. The research is done on the network security policy that Tesco should implement for the prevention of data theft in the organization (Gottimukkala et al. 2013). The qualitative and quantitative data are analyzed and surveys are done on the available security policy that can be implemented in the current business process to resolve the issue. Interviews were also arranged with the management team of Tesco for in depth analysis of the problem and the impact of the data theft for the organization. Various data management tools were also used as an analytics and it helps in automated data analysis. The use of the qualitative research technique for proceeding with the research helps in better decision making and the human behavior can be understood in depth.

It must be ensured that during the research the participants who are involved in the research should not be physically or mentally harassed. The participants should not be forced for any of the parts beyond their desire. The peoples involved in the research should be encouraged and motivated for more active participation. The encouragement of the participants helps is getting the best output from them and thus the quality of the research is improved. The use of sample data in the research would also be helpful and an online survey or questionnaire would be useful for motivating the employees to participate in the research (Creswell 2013). For conducting the research a sample of 100 employees is considered and they should a group of satisfied and dissatisfied employees of the organization.  Another sample of satisfied and dissatisfied customer can also be selected for increasing the efficiency of the research.

References

Bae, M., Kim, H., Kim, E., Chung, A.Y., Kim, H. and Roh, J.H., 2014. Toward electricity retail competition: Survey and case study on technical infrastructure for advanced electricity market system. Applied Energy, 133, pp.252-273.

Basile, C., Lioy, A., Pitscheider, C., Valenza, F. and Vallini, M., 2015, April. A novel approach for integrating security policy enforcement with dynamic network virtualization. In Network Softwarization (NetSoft), 2015 1st IEEE Conference on (pp. 1-5). IEEE.

Baskerville, R.L. and Wood-Harper, A.T., 2016. A critical perspective on action research as a method for information systems research. In Enacting Research Methods in Information Systems: Volume 2 (pp. 169-190). Springer International Publishing.

Bunn, W.C., Calvert, L.K. and Karnes, M.E., International Business Machines Corporation, 2016. Assessment of network perimeter security. U.S. Patent Application 15/289,239.

Carroll, J.M., 2014. Computer security. Butterworth-Heinemann.

Creswell, J.W., 2013. Research design: Qualitative, quantitative, and mixed methods approaches. Sage publications.

Deter, M.L., Albright, D.T., Drongesen, K.G., Gonsalves, J.K., Borz, J.P., Bigley, J., Takayama, K.M., Soesbe, J.H. and Wong, D., Hewlett-Packard Development Company, LP, 2015. Office machine security policy. U.S. Patent 9,189,636.

Gottimukkala, S., Huynh, L., Joseph, D., Overby, L., Devine, W., Behrendt, M. and Breiter, G., International Business Machines Corporation, 2013. Method of dynamically updating network security policy rules when new network resources are provisioned in a service landscape. U.S. Patent 8,424,053.

Inukollu, V.N., Arsi, S. and Ravuri, S.R., 2014. Security issues associated with big data in cloud computing. International Journal of Network Security & Its Applications, 6(3), p.45.

Kahate, A., 2013. Cryptography and network security. Tata McGraw-Hill Education.

Kaldor, M. and Rangelov, I. eds., 2014. The handbook of global security policy. John Wiley & Sons.

Kim, K.K., McGraw, D., Mamo, L. and Ohno-Machado, L., 2013. Development of a privacy and security policy framework for a multistate comparative effectiveness research network. Medical care, 51, pp.S66-S72.

Liang, C.S. ed., 2016. Europe for the Europeans: The foreign and security policy of the populist radical right. Routledge.

Liu, J., Li, Y., Wang, H., Jin, D., Su, L., Zeng, L. and Vasilakos, T., 2016. Leveraging software-defined networking for security policy enforcement. Information Sciences, 327, pp.288-299.

Puthal, D., Nepal, S., Ranjan, R. and Chen, J., 2017. A dynamic prime number based efficient security mechanism for big sensing data streams. Journal of Computer and System Sciences, 83(1), pp.22-42.

Sherif, M.H., 2016. Protocols for secure electronic commerce. CRC press.

Siponen, M. and Vance, A., 2014. Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. European Journal of Information Systems, 23(3), pp.289-305.

Smith, J.A. ed., 2015. Qualitative psychology: A practical guide to research methods. Sage.

Son, S., Shin, S., Yegneswaran, V., Porras, P. and Gu, G., 2013, June. Model checking invariant security properties in OpenFlow. In Communications (ICC), 2013 IEEE International Conference on (pp. 1974-1979). IEEE.

Thomas, R.G., 2014. Indian Security Policy: Foreword by Joseph S. Nye. Princeton University Press.