1 Introduction
Hacking is one of the activities that is highly favoured by ever-evolving technology. With workers carrying their own devices into the working environment, working systems are at a high risk of illegal interference. With the increasing vulnerability to insecure activities such as hacking in today’s ever-evolving security environment, protecting the information of any business organization has developed into a business imperative. Costello (2013) states that most Small-to-Medium Enterprises (SMEs) often fail in their endeavors due to ever-rising insecurity issues. Most of these cases are attributed to the continuous urge of workers to bring their devices into the working environment. The easy access to the internet that workers have at any time through their own devices has been the cause of these setbacks in the business community. Most security controls are established under the supervision of the internet, so this easy accessibility of the internet exposes the SMEs to compromise by both external and internal threats. The purpose of this research paper is to establish an awareness of the hacking that is common in the chartered accountants (CA) field, which is mainly propagated by workers who carry their own devices into the workplace.
The purpose of the CA profession is to ensure that the holders, which as per this paper are the SMEs, file the tax returns of the business, possess an audit of the business practices and financial statements, and also offer advice to the clients (Costello, 2013). Therefore, this reveals the importance of CAs in any business organization, thus giving a reason for safeguarding them. The awareness of ethical hacking, which is also termed penetration testing, as one of the activities brought about by the increase of personal devices in the workplace will be discussed in this paper through the evaluation of the efficiency seen in the information security system.
2 Ethical hacking propagated by carrying personal devices in work place
Ethical hacking and penetration testing can be described as any preventive measure utilized in organizations that is made up of legitimate tools whose purpose is to exploit and point out any security weaknesses in the organization (Basta, Basta, and Brown, 2013). Professional penetration testing utilizes the same techniques that malicious hackers use to attack any potential vulnerabilities in the organization’s security system. The objective of this testing is to reveal how easy or complicated it is for malicious hackers to penetrate the security of the SMEs. Such hackers are motivated by access to any sensitive information on the assets of the business. This can be made possible by workers who share the business information on their own devices. Although this places the SMEs at risk, it makes ethical hacking possible. Ethical hacking is essential in helping CA professionals to be better equipped with the necessary information on the security controls of the organization and the strategy embraced (Baloch, 2014). Professional penetration testing is relevant in increasing the assurance of the security of the enterprise even when it is at risk of losing data or of easy access to data from the workers’ devices.
3 Effects of Bringing Own Devices in Working Environment
To some extent, bringing own devices into the workplace has some advantages, such as:
- Increased work satisfaction
- Workers interact more with the business technology because they possess personal devices (PCWorld, 2016)
- The services are kept up to date
- The devices are personalized to the workers’ preference thus work is done more effectively (PCWorld, 2016)
- The SME uses less money since workers carry their own devices
There are also some disadvantages that result from bringing personal devices into the workplace. Hackers are one result of this, but they have both advantages and disadvantages, as discussed below.
3.1 Types of “Hat Hackers.”
Different hackers are distinguished according to their motive for penetration. These types of hackers are defined as “hat hackers”, which include white, gray, and black hat hackers (Aggarwal, Arora, and Ghai, 2014). The “Black hat hackers” are renowned for their malicious hacking with the intent of gaining unauthorized penetration into the information systems of different organizations. Such hackers are one of the negative effects of bringing personal devices into the working environment. Other negative effects of bringing own devices to the workplace include:
- It is hard to train staff who have their own devices
- There is a high chance of losing data that has been stored on personal devices, which may be misplaced (Optimussourcing.com, 2016)
- Security issues such as malicious hackers are likely to occur
- Personal devices may be carrying viruses which may have a significant negative effect on the systems of the business (Optimussourcing.com, 2016)
- A malfunction in the personal device may lead to overall ineffective work
The ethical hackers are defined as “White hat hackers” because they hack with the objective of revealing the points of weakness in the security systems. Aggarwal et al. (2014) argue that their core aim is to improve the safety system of the enterprise before malicious hackers penetrate the organization. The “Gray hat hackers” are defined as the hackers that are neither ethical nor malicious. They perform their activities as per the legislation, but in some instances they may penetrate organizations without authorization. Such unauthorized penetration of any organization is not ethical; thus it will not be the primary focus of this paper. The “White hat hackers” are significant in improving the security systems of organizations, thus the SMEs should embrace these hackers in this era of much internet insecurity (Aggarwal et al., 2014).
There are hackers who are driven by the motive of bringing down the SME, and there are some workers who utilize their personal devices for improving the services of the workplace. These workers utilize their devices to conduct penetration testing, ensuring that malicious people or other workers do not negatively affect the business.
4 Positive Utilization of Carrying Own Devices in Work Place
Basta et al. (2013) explain that ethical hacking is conducted by a distinct group of people who may be external or may be workers who want to prove that an area of operation in the working environment is ineffective. Ethical hacking can lead to having more unbiased information from the simulation of malicious hackers’ activities. However, the people making up this team are not entirely trusted in their adherence to the legislation, thus they should not only be evaluated but also be managed by a person who will be liable for any adverse effect experienced in the enterprise (Wilhelm, 2013). Such workers deal with sensitive information; hence anything can happen in the course of their activity.
The primary focus of such workers is to conduct hacking activities in the same way that malicious hackers would (Basta et al., 2013; McGee and Byington, 2013). However, the main difference between the “white hat hackers” and the “black hat hackers” is that the former observe ethics and exploit the security vulnerabilities of the organization under observed and controlled environmental settings. They use their own devices to help the SMEs eliminate any security gaps noted before malicious hackers use the vulnerabilities to their advantage, hence depreciating the value of such enterprises.
5 Risks and Threats Relevant to the SMEs set by Workers Carrying Own Devices in Work Environment
Workers who use their devices to carry out ethical hacking first identify and analyze the risks and dangers of the business. The risks and threats form the foundation of the key factors that a hacker analyzes before deciding to penetrate a particular organization’s security system (Brustbauer, 2016; Falkner and Hiebl, 2015). Similarly, the CA professionals should have all the necessary information regarding the associated security risks in an enterprise, since these can affect not only the business operations but may also lead to the safety systems of the SMEs becoming vulnerable to unauthorized penetration (Grant et al., 2014). The risks that are discussed herein include the internal and external risks.
5.1 The Internal Risks and Threats
Kreiser et al. (2013) state that regardless of how robust and efficient the computer security systems of an enterprise may be, employees with malicious motives have a high probability of inflicting much loss on the business. In addition to employees with malicious intentions, a lack of the necessary security awareness places the enterprise at a risk similar to that posed by “black hat hackers” (Brustbauer, 2016). A simple act such as the opening of junk mail containing viruses, which are placed into the systems through the workers’ personal devices, might lead to the company experiencing losses in its revenue. The use of easy passwords by employees and the sharing of business data to their own devices expose the enterprise to unauthorized penetration.
Moreover, employees may at some point transfer confidential information of the SMEs to their laptops or hard disks, which places the businesses at a high probability of unauthorized penetration. Brustbauer (2016) explains that employees are given a mandate to use software and applications such as Google Docs or cloud services, which are essential for the efficient transfer of corporate data and information. However, this places the SMEs using any of these technological approaches of sharing information at risk of malicious intrusion (Questia.com, 2016). As such, it is evident that the employees of the organization make a great contribution in determining the security of the organization. In this perspective, carrying personal tools into the workplace has many risks and threats to the SMEs.
5.2 External Risks and Threats
The external risks associated with the SMEs include the activities conducted by the malicious hackers known as “black hat hackers.” Wilhelm (2013) explains that these hackers can only accomplish the intention of their operations through the identification of security gaps in the organization. As such, these people can gain access to the security system of an enterprise and delete or copy sensitive information. The loss of vital information such as the clients’ credit card information might lead to much unforeseen damage. In this perspective, it is essential to identify and address both the external and internal threats. Such threats can bring both non-financial losses, such as loss of the customers’ trust and damage to property, and financial losses. Besides, the enterprise may be forced to lose control over the computer systems which are essential to the security systems (Caldwell et al., 2013).
6 Types of Penetration Carried out by Workers Using their Own Devices in the Work Place
6.1 Manual versus Automated Penetration
Chung et al. (2013) explain that manual testing and automated testing can both be used as ways of analyzing the security system of an organization. The main difference between manual and automated penetration testing is the amount of budget spent and time used to achieve the best results. Automated penetration testing may be carried out within a few hours and it is economically fair (Austin, Holmgren, and Williams, 2013). On the other hand, manual penetration testing may take several weeks, and a significant amount of budget is usually diverted to ensure the success of the process. Automated penetration testing is thus relevant for organizations undergoing rapid technological changes and for SMEs that are always driven by the motive of minimizing the input while maximizing the output. However, manual penetration testing gives more accurate results. Nevertheless, automated penetration testing is the most cost-effective test and can be efficient if it is conducted with the right approach (Austin et al., 2013). Another benefit of automated testing is that it can be carried out as many times as possible.
Automated research tools cannot adequately give an assurance on the level of security in a particular organization (Wilhelm, 2013). These tools may at times not detect the security gaps, hence their guarantee is based on the people who programmed them. Therefore, inefficiently trained employees who run the automated tools may be in a position to subject the enterprise to more damage. Austin et al. (2013) point out that manual penetration testing is performed by a group of experienced and ethical hackers, hence it is much more flexible than automated penetration testing. As such, automated penetration testing can hardly substitute for manual professional penetration testing across different scenarios.
6.2 Internal versus External
As stated previously, white hat hacking is conducted with the intent of identifying and tackling both the external and internal threats. The internal penetration test in an enterprise aims at revealing how the staff or private workers of the business could act (Engebretson, 2013). On the contrary, external professional penetration testing aims at explaining how external malicious hackers could possibly subject the company to losses. The internal penetration test can be more complicated than the external test, since internal employees can use both external and internal channels to gain access to the business security system. Engebretson (2013) asserts that other areas that the red team could target in achieving the intended results include the firewalls and the domain name server of the business.
7 Importance of Carrying Own Devices in Working Environment for Ethical Hacking
Ethical hacking is essential in identifying the security gaps in the SMEs. Upon realization of these security gaps, the business can close them, which serves as a safeguard for the security of the organization. Typically, it assesses whether the security controls are working to meet their expectations. Technological attacks on the SMEs keep evolving frequently, thus it is necessary for the business organization to continue conducting the penetration test (Caldwell et al., 2013; Baloch, 2014).
The rationale behind the idea of ethical hacking is that it is important for a business organization to first understand the threats and weaknesses it is facing before coming up with the ideal measures for tackling the challenge of unauthorized penetration. Penetration testing can be the right approach for a business organization in strengthening the processes of the firm. Similarly, it can be essential in placing the business in a position to mitigate and control the risks involved. Antunes and Vieira (2012) argue that businesses can only achieve maximal benefits from ethical hacking by analysing the weaknesses identified, implementing the changes as expected, and finally informing all the employees and stakeholders promptly.
8 Conclusion
Carrying own devices into the working environment has several advantages and disadvantages. However, when the devices are used effectively, the advantages outweigh the disadvantages. Using these devices to conduct ethical hacking is vital for any SME in the establishment of an overall good security system. It also adds value to the business if any security gaps are identified. In a nutshell, carrying personal devices into the working environment should be advocated for only if the workers do not place the business at risk or under any threat. Similarly, it should be advocated for if the workers use these devices to improve the services of the SMEs.
References
Aggarwal, P., Arora, P. and Ghai, R., 2014. Review on Cyber Crime and Security. International Journal of Research in Engineering and Applied Sciences, 2(1), pp.48-51.
Antunes, N. and Vieira, M., 2012. Defending against web application vulnerabilities. Computer, 45(2), pp. 66-72.
Austin, A., Holmgren, C. and Williams, L., 2013. A comparison of the efficiency and effectiveness of vulnerability discovery techniques. Information and Software Technology, 55(7), pp.1279-1288.
Baloch, R., 2014. Ethical Hacking and Penetration Testing Guide. Florida. CRC Press.
Basta, A., Basta, N. and Brown, M., 2013. Computer security and penetration testing. London. Cengage Learning.
Brustbauer, J., 2016. Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), pp.70-85.
Caldwell, N., Harland, C., Powell, P. and Zheng, J., 2013. The impact of e-business on perceived supply chain risks. Journal of Small Business and Enterprise Development, 20(4), pp.688-715.
Chung, C.J., Khatkar, P., Xing, T., Lee, J. and Huang, D., 2013. NICE: Network Intrusion detection and countermeasure selection in virtual network systems. IEEE transactions on dependable and secure computing, 10(4), pp.198-211.
Costello, N., 2013. Stability and Change in High-Tech Enterprises: Organisational Practices in Small to Medium Enterprises. New York. Routledge.
Engebretson, P., 2013. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Amsterdam. Elsevier.
Falkner, E.M. and Hiebl, M.R., 2015. Risk management in SMEs: a systematic review of available evidence. The Journal of Risk Finance, 16(2), pp.122-144.
Grant, K., Edgar, D., Sukumar, A. and Meyer, M., 2014. ‘Risky business’: Perceptions of e-business risk by UK small and medium-sized enterprises (SMEs). International Journal of Information Management, 34(2), pp.99-122.
Kreiser, P.M., Marino, L.D., Kuratko, D.F. and Weaver, K.M., 2013. Disaggregating Entrepreneurial orientation: the non-linear impact of innovativeness, proactiveness and risk-taking on SME performance. Small Business Economics, 40(2), pp.273-291
McGee, J.A. and Byington, J.R., 2013. How to counter cybercrime intrusions. Journal of Corporate Accounting & Finance, 24(5), pp.45-49.
Optimussourcing.com. (2016). The Advantages and Disadvantages of BYOD | Optimus Sourcing. [online] Available at: http://www.optimussourcing.com/learninghintsandtips/the-advantages-and-disadvantages-of-byod [Accessed 3 Nov. 2016]
PCWorld. (2016). Pros and Cons of Bringing Your Own Device to Work. [online] Available at: http://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html [Accessed 3 Nov. 2016] http://fieldservicenews.com/advantages-disadvantages-byod/
Questia.com. (2016). BYOD (Bring Your Own Device). [online] Available at: https://www.questia.com/library/journal/1P3-2823622961/byod-bring-your-own-device [Accessed 3 Nov. 2016].
Wilhelm, T., 2013. Professional penetration testing: Creating and learning in a hacking lab. Waltham. Newnes.