Most organizations now rely on information technology as the default means of handling information both inside and outside the organization because of the benefits these systems bring. As a business moves its operations onto such systems, however, it takes on new risks, because the systems can be attacked both physically and logically. A physical threat is unauthorized physical access to the information system with malicious intent.
Logical threats, on the other hand, are electronic means of gaining access to an information system without the owner's permission, which can lead to damage to the system or exposure of private information (Rajput, Mishra, & Kumar, 2014). Both kinds of threat are real for a pharmacy information system, so measures should be taken to ensure that the system is not left vulnerable. This paper identifies the potential logical and physical risks to the pharmacy information system and suggests logical and physical controls and strategies for eliminating or reducing those risks.
Potential Physical Threats That Require Attention
Theft and Vandalism
Theft and vandalism are common physical attacks on information systems (Ahmad, Maynard, & Park, 2014). The pharmacy's back door is the weak point: it is shielded from the mall's security officers and surveillance cameras most of the time, and the store and office are located at the back, so the most valuable items, namely cash, the server computer and the medicines, are the easiest to reach from that door. Anyone who enters through the back door while the pharmacy is closed can cripple the information system by stealing or vandalizing the server.
Piggybacking (also called tailgating) occurs when unauthorized people enter the store and office through the back door behind authorized employees, exploiting those employees' trust (Sennewald & Baillie, 2015). A piggybacker with ill intent toward the pharmacy can obtain confidential information from the office system, which can ruin the firm's reputation among its customers. Because the information includes private health and financial records, those affected can also take legal action against the pharmacy for failing to protect their privacy, at a financial cost to the company.
Disgruntled Employees
Disgruntled employees are dissatisfied employees who act unethically toward their organization (Ahmad et al., 2014). Several of the pharmacy's employees have exclusive access to the office and to the computer that holds the organization's information. If these employees are dissatisfied or on poor terms with the administration, they can retaliate by violating the integrity or confidentiality of the information system, for example by spreading private information about a client or passing critical information to competitors.
Fire
Fire is a common hazard for any facility, whatever its level of fire-risk exposure (Kizza, 2015). The pharmacy faces a risk of fire at any time: an electrical fault can start a fire, and spilled flammable liquid medicines can feed one. Whatever the cause, a fire in the pharmacy would be very damaging to the information system because both the store and the office are in the back area. A fire may also destroy the entire pharmacy, causing irreparable harm to the whole information system.
The Unstable Power Supply
A stable power supply is essential to any information system because the hardware, the data it holds and its maintenance processes all depend on it (Ahmad et al., 2014). If power is unstable, unsaved work is lost and files or database records that are being written at the moment of an outage can be corrupted, which affects future operations; interrupted maintenance tasks such as backups and updates leave the system in an inconsistent state. In addition, power surges and repeated outages can damage the computers and other electronics, resulting in repair and replacement expenses for the pharmacy.
Impact of Potential Logical Threats that Require Attention
Malware
Malware is the general term for malicious software. Viruses attach themselves to other software so that they are carried along with it and replicate once inside a system; worms spread across a network on their own; Trojans disguise themselves as legitimate programs. Any of them can damage the host system (Sennewald & Baillie, 2015).
The pharmacy computers are connected to the internet, so viruses, worms and Trojans can enter the information system over the network. Removable disks brought in by employees are a second route. Once inside the pharmacy's information system, malware can cause anything from corrupted data to a complete loss of critical information.
Eavesdropping
Eavesdropping occurs when an attacker uses packet-capture software to listen to traffic on a network. Such tools can read any information passed over an internal or external network that is not encrypted (Rajput et al., 2014). An attacker who wants the pharmacy's information can obtain it by listening on the internal network or on an external connection. The captured data can reduce customer loyalty and trust, benefit competitors, or lead to a lawsuit over violation of health privacy.
Denial of Service Attack
A denial-of-service attack floods a system with more requests or traffic than it can handle. Attackers who have been denied legitimate access to a protected system use a variety of programs to overload it, congesting the network or the servers until the system becomes unusable or crashes (Rajput et al., 2014).
Such an attack can be very damaging to the pharmacy because it limits operation of the online platform. Customers who use the online services are shut out, which disrupts the pharmacy's daily functioning. Consequently, some customers may be lost, data being processed at the time may be corrupted, and revenue will be lost through the reduction in operations.
Hacking
Hacking is defined here as remote access to an information system by an unauthorized person with fraudulent intent (Rajput et al., 2014). Thousands of skilled individuals break into systems illegally every day, and the pharmacy is no exception. There is a real risk of confidential information leaking out of the pharmacy system through hacking. If the leaked information reaches people intent on harming the pharmacy, they can ruin its reputation, pass strategic information to competitors, or sabotage the stored records by tampering with entries.
Phishing
The pharmacy also faces the threat of phishing, which can cause considerable harm to its operations (Kizza, 2015). Phishing occurs when fraudsters present themselves as a legitimate institution that the pharmacy trades with and ask for critical information or funds. The firm may not recognise the impostor, because the message mimics the partner in every way, including its logo and other branding. In that case the pharmacy might disclose client information to the wrong people, which reduces customer trust and can lead to substantial losses.
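One mechanical check that catches much of this mimicry is to compare the sender's domain with the list of partners the pharmacy actually trades with. The following is an added example written for this page, not code from the paper or its sources; the partner domains, the homoglyph table and the sample addresses are constructed, and treating any non-ASCII (internationalised) domain as suspicious is a policy assumption made because none of the assumed partners use one.

```python
"""Flag e-mail sender domains that impersonate one of the pharmacy's partners.

Added example, not part of the original paper. The partner domain list, the
homoglyph table and the sample addresses are constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed list of domains the pharmacy legitimately trades with (assumption).
TRUSTED_DOMAINS = {"medsupply.example", "pharmabank.example"}

# Common look-alike substitutions; folded before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# How similar (0..1) a domain must be to a trusted one to count as a near miss.
NEAR_MISS = 0.85


def sender_domain(address: str) -> str:
    """Return the domain of 'Name <user@host>' or 'user@host', lower-cased."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def fold(domain: str) -> str:
    """Replace characters that attackers use to imitate other letters."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sending domain."""
    raw = sender_domain(address)
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return "trusted"                # exact match or a real subdomain
    if not raw.isascii():
        return "lookalike"                  # policy assumption: no partner uses IDN
    folded = fold(raw)
    for t in trusted:
        ft = fold(t)
        if folded == ft or folded.endswith("." + ft):
            return "lookalike"              # matches only after homoglyph folding
        if ft in folded:
            return "lookalike"              # e.g. pharmabank.example.evil.test
        if SequenceMatcher(None, folded, ft).ratio() >= NEAR_MISS:
            return "lookalike"              # typo-squat: one letter off
    return "unknown"


def triage(addresses):
    """Classify a batch of sender addresses; returns {address: verdict}."""
    return {a: classify_sender(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders, not real mail.
    SAMPLES = [
        "Orders <orders@medsupply.example>",
        "billing@mail.pharmabank.example",
        "orders@medsupp1y.example",
        "accounts@pharmabank.example.evil.test",
        "orders@medsuply.example",
        "noreply@unrelated.test",
    ]
    for addr, verdict in triage(SAMPLES).items():
        print(f"{verdict:9s} {addr}")
```

A "lookalike" verdict should route the message to a person who confirms the request with the partner through a known telephone number, never by replying to the message; the check is a filter, not a substitute for that confirmation.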
Security Controls to Protect Against Selected Physical Threats
The pharmacy's administration has a critical role in controlling physical threats because it sets information security strategy and policy. Rajput et al. (2014) argued that administrative measures are aimed at mobilizing human and other resources to enhance system security.
To keep the pharmacy's security at an optimal level, the administration needs to implement safety standards, training and awareness, a sound hiring process, and configuration control. Training and awareness will help employees to refuse piggybacking and prepare them for events such as a fire. A sound hiring process, with background and reference checks, reduces the chance of hiring people likely to become disgruntled insiders, while configuration control of the premises and systems ensures that unauthorized physical access is blocked.
The pharmacy can adopt preventive measures that stop the listed physical threats before they occur. These include closing the back door to routine access and installing a controlled entry at the front. The new door should admit people only after authentication, so that unauthorized individuals are filtered out completely (Sennewald & Baillie, 2015). The back door should remain as an emergency exit, since fire codes usually require a second exit, but it should be fitted with hardware that opens only from inside and raises an alarm when used.
If these preventive measures are adopted, theft and vandalism via the back door can be almost entirely eliminated and piggybacking can be removed. The pharmacy also needs to install a standby generator and fire protection to prevent power disruption and fire damage to the system.
To detect theft and vandalism within the pharmacy, a security alarm should be installed to detect any unauthorized physical access while the pharmacy is closed. Fire detectors should also be installed so that staff are alerted as soon as a fire breaks out and can respond quickly (Kizza, 2015). The system should also have monitoring programs and skilled staff who detect unauthorized physical access or sabotage of the data. Early detection of such events helps the pharmacy management put a response plan into action before harm or confusion spreads.
Security measures also include corrective action after a threat has materialized (Sennewald & Baillie, 2015). Once an incident occurs, the pharmacy should act rapidly to repair the damage it caused to operations. Theft and vandalism, unstable power and fire can all destroy the information system's data completely, so backups are needed.
Backup data may be kept in physical or electronic form, but it must be stored in a safe place, preferably outside the pharmacy premises, and it must be tested regularly by restoring from it, since an unverified backup may turn out to be unreadable when it is needed. Unauthorized access to data through piggybacking or by disgruntled employees should be discouraged by establishing strict codes of conduct and by dismissing, and where appropriate prosecuting, those found acting unethically.
Security Controls to Protect Against Selected Logical Threats
It is the administration's duty to adopt policies and structures that block unauthorized access and other logical threats to the pharmacy information system. Management can deploy the Secure Sockets Layer protocol, today implemented as its successor TLS, to protect communication with the system: connections are encrypted, and the server proves its identity with a certificate issued under the administrator's control, so that an eavesdropper or impostor cannot read or take over the session (Schou & Hernandez, 2014). SSL/TLS protects data in transit, not the whole system, so it must be combined with the other controls below. The administration should also train employees to secure their own computers, for example by using strong e-mail passwords and the other measures that close the logical routes by which attackers gain access.
The firewall is among the most effective tools for preventing logical threats in any organization. Firewalls come as software or hardware, and both forms are useful (Rajput et al., 2014). They can shield the pharmacy information system from denial-of-service traffic, hacking attempts and the network connections used for eavesdropping by admitting only the traffic the pharmacy has approved. A firewall cannot stop phishing, which arrives through e-mail that the firewall legitimately permits; that threat is addressed through training and verification procedures. For full coverage the pharmacy needs more than one firewall: a perimeter firewall filtering traffic between the pharmacy and the internet, and host-based or internal firewalls filtering traffic between internal segments, because one device cannot perform all these tasks. In addition, management can acquire authentication devices and equipment for monitoring the communication stream.
Detecting potential and actual attacks is also essential when securing the pharmacy information system against logical threats. Antivirus software detects potential malware attacks and finds and removes actual infections (Kizza, 2015). If employees are trained to use the antivirus software, they can head off potential threats, run periodic scans and remove any malware that is found. An Active Directory domain can also help the pharmacy detect attempts by outside intruders to access its system: it admits only authenticated users, and it records every failed and successful logon, so repeated failures from one source can be spotted quickly.
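The detection the paragraph above describes, repeated logon failures from one source followed by a success, is easy to automate over the domain controller's Security log. The block below is an added example written for this page, not code from the paper or from Microsoft; the log excerpt is constructed, and its one-line-per-event layout (timestamp, EventID, Account, SourceIP) is an assumption, not the exact format Windows writes. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows identifiers.

```python
"""Spot repeated failed logons in Active Directory / Windows Security events.

Added example, not part of the original paper. The log excerpt is constructed;
the field layout (timestamp, EventID, Account, SourceIP) is an assumption made
for this example and not the exact format Windows writes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows event IDs: 4625 = an account failed to log on, 4624 = successful logon.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample: one source hammers several accounts, then succeeds.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z EventID=4625 Account=jsmith SourceIP=203.0.113.7
2024-03-04T09:15:05Z EventID=4625 Account=jsmith SourceIP=203.0.113.7
2024-03-04T09:15:09Z EventID=4625 Account=admin SourceIP=203.0.113.7
2024-03-04T09:15:12Z EventID=4625 Account=pharmacist SourceIP=203.0.113.7
2024-03-04T09:15:15Z EventID=4625 Account=jsmith SourceIP=203.0.113.7
2024-03-04T09:15:40Z EventID=4624 Account=jsmith SourceIP=203.0.113.7
2024-03-04T09:20:00Z EventID=4625 Account=akumar SourceIP=192.0.2.10
2024-03-04T09:21:00Z EventID=4624 Account=akumar SourceIP=192.0.2.10
"""


def parse_event(line):
    """Turn one log line into (timestamp, event_id, account, source_ip)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(kv["EventID"]), kv["Account"], kv["SourceIP"]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failures inside `window`,
    and for a successful logon from such a source while those failures are
    still inside the window (a sign that a guessed password worked).
    Events must be supplied in time order, as a log is."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute force
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = parse_event(line)
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if event_id == FAILED_LOGON:
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute_force", "source": src,
                               "account": account, "time": ts})
        elif event_id == SUCCESS_LOGON and len(recent) >= threshold:
            alerts.append({"kind": "success_after_failures", "source": src,
                           "account": account, "time": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['time']:%H:%M:%S} {a['kind']:24s} {a['source']} ({a['account']})")
```

On the constructed sample the single outside source 203.0.113.7 trips the brute-force rule on its fifth failure and again when the following logon succeeds, while the one mistyped password from 192.0.2.10 raises nothing; the threshold and window are the knobs to tune against the pharmacy's real failure rate.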
Corrective action after an actual logical attack aims to return the system to its original state or leave it more stable than before (Schou & Hernandez, 2014). When malware infects the system, the corrective measure for the pharmacy is to install strong antivirus software that scans for and removes all the malware and then continues to monitor the computer, with regular updates of its signatures.
A file server with access controls is also a good corrective measure, because it limits who can reach which information. At present the pharmacy has not fully protected its file server, so in terms of the default corrective measures more security is required. Finally, the pharmacy needs a backup system. When corrective action is taken, the backup provides the information that was lost or destroyed.
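Both the physical and the logical corrective measures above rest on the backup being readable when it is needed. The following is an added example written for this page, not code from the paper or its sources: it archives a set of files, records a SHA-256 hash of each file and of the archive in a separate manifest, and then performs a test restore in memory that compares every member with its recorded hash. The sample files are constructed in a temporary directory, and the plain-tar-plus-JSON-manifest layout is an assumption chosen for the illustration.

```python
"""Make a backup archive with a hash manifest and verify it before trusting it.

Added example, not part of the original paper. The sample files are constructed
in a temporary directory; the archive format (plain tar plus a JSON manifest)
is an assumption chosen for the illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(source_dir: Path, dest_dir: Path) -> Path:
    """Archive every file under source_dir into dest_dir/backup.tar and write
    dest_dir/backup.manifest.json holding per-file and whole-archive hashes.
    Keep the manifest (or a signed copy) apart from the archive so that
    whoever tampers with the archive cannot quietly patch the manifest too."""
    archive = dest_dir / "backup.tar"
    manifest = {"files": {}}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            name = path.relative_to(source_dir).as_posix()
            manifest["files"][name] = sha256_bytes(path.read_bytes())
            tar.add(path, arcname=name)
    manifest["archive_sha256"] = sha256_bytes(archive.read_bytes())
    (dest_dir / "backup.manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(archive: Path) -> bool:
    """Return True only if the archive hash matches the manifest and every
    member can be read back with the hash recorded at backup time
    (a 'test restore' done in memory, without writing files)."""
    manifest_path = archive.with_name("backup.manifest.json")
    try:
        manifest = json.loads(manifest_path.read_text())
        if sha256_bytes(archive.read_bytes()) != manifest["archive_sha256"]:
            return False
        seen = {}
        with tarfile.open(archive, "r") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                with tar.extractfile(member) as fh:
                    seen[member.name] = sha256_bytes(fh.read())
        return seen == manifest["files"]
    except (OSError, ValueError, KeyError, tarfile.TarError):
        return False


def demo() -> tuple:
    """Back up two constructed files, verify, then corrupt one byte of the
    archive and verify again. Returns (verified_ok, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pharmacy_data"
        dst = Path(tmp) / "offsite"
        src.mkdir()
        dst.mkdir()
        # Constructed sample data, not real records.
        (src / "prescriptions.csv").write_bytes(b"rx_id,patient,drug\n1,A. Smith,drugX\n" * 10)
        (src / "inventory.json").write_bytes(b'{"drugX": 120, "drugY": 35}\n')
        archive = make_backup(src, dst)
        ok_before = verify_backup(archive)
        data = bytearray(archive.read_bytes())
        data[520] ^= 0xFF      # flip a byte inside the first member's data (tar header is 512 bytes)
        archive.write_bytes(bytes(data))
        ok_after = verify_backup(archive)
        return ok_before, ok_after


if __name__ == "__main__":
    print("verified before tamper: %s, after tamper: %s" % demo())
```

The design point is that verification is a separate step run on the offsite copy, not on the live data, and that the manifest lives apart from the archive; a production version would sign the manifest with a key the backup host does not hold.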
Strategy for Addressing Selected Physical Threats
Theft and Vandalism
Theft and vandalism can be prevented with a risk avoidance strategy that reduces access and increases the security of the premises (Sennewald & Baillie, 2015). Access can be reduced by upgrading the entry point to modern security, including CCTV monitoring and a security officer guarding the premises at all times, especially when the pharmacy is closed. This strategy suits the threat because, if management is fully committed to stopping theft and vandalism, it can be achieved.
Piggybacking
A risk assignment strategy, which makes each employee accountable, can reduce this threat through single-person access authentication for the store and the central office. Single access works if each employee is issued an electronic access card for entering these sensitive areas. With such cards, an employee will be careful about letting unauthorized individuals onto the premises under their own card (Schou & Hernandez, 2014). The strategy is good because it places the risk of entry on every employee, so each acts cautiously, knowing the consequences will fall directly on them.
Disgruntled Employees
A risk mitigation strategy should be implemented to ensure that employees within the pharmacy do not harm the information system. First, the hiring process should be rigorous and conducted with integrity, so that those employed are capable of maintaining the work ethic (Ahmad et al., 2014). The organization's code of conduct should also be tightened, and workers who violate it should be dismissed or even prosecuted for damages. In addition, incentives should be offered to keep employees satisfied with their work. The strategy fits because this risk cannot be eliminated entirely, but with these measures it can be reduced to an insignificant level.
Fire
Fire is a standard risk for any business, so the pharmacy should adopt a risk acceptance strategy combined with mitigation. First, the pharmacy needs to acknowledge that a fire can occur at any time and therefore acquire all the necessary fire-fighting equipment, such as fire extinguishers, so that the premises are properly equipped.
Secondly, all workers need to be trained in fire prevention and fire fighting so that harm to both employees and the information system is minimized. The pharmacy also needs a fire insurance policy so that its information system is covered in the event of an accident (Kizza, 2015). The strategy works because, if a fire breaks out, the response can be quick, since the risk is expected at all times.
Unstable Power Supply
The pharmacy management should apply a risk avoidance strategy by ensuring the reliability of the power supply. Power can be made reliable by installing a private generator and uninterruptible power supplies (UPS) on the premises to avoid any loss of unsaved data. Each computer should be connected to a UPS so that neither a mains disruption nor a generator failure affects the pharmacy's operations (Ahmad et al., 2014). The strategy fits because it is reliable and efficient for operating and maintaining the information system, and the pharmacy can generate its own power when the grid fails.
Strategy for Handling Selected Logical Threats
Malware
Malware attacks within the pharmacy should be handled with a risk acceptance strategy. Management should accept that such a risk can materialize at any time and therefore install antivirus software and train employees to use it. Antivirus software suits the threat because it both prevents and corrects malicious-software attacks on the system (Schou & Hernandez, 2014).
Training the workers is essential because they are the ones who can stop an attack once the antivirus software detects it, and they can also scan for active infections and remove them. The strategy is effective because it prepares everyone in the organization for any malware attack that may occur.
Eavesdropping
Eavesdropping can be addressed with a risk avoidance strategy if the pharmacy moves to an entirely wired network. The wired network should be built on switches rather than hubs and protected by firewalls (Rajput et al., 2014): a hub repeats every frame to every port, so anyone plugged into it can listen, whereas a switch delivers frames only to the intended port. Wireless networking is vulnerable to eavesdropping because its signals can be captured by anyone within range, so any wireless segment that must remain should be encrypted. Switches and firewalls reduce what can be intercepted on the wired network, but eavesdropping is only fully defeated when the traffic itself is encrypted, for example with SSL/TLS as discussed under the logical controls.
Denial of Service Attack
The best strategy for dealing with a denial-of-service attack on the pharmacy is risk mitigation. Unicast Reverse Path Forwarding (uRPF) can be enabled on the pharmacy's router: it checks that each incoming packet's source address is reachable through the interface on which the packet arrived, and discards packets that fail the check, which removes flood traffic sent with forged source addresses before it reaches the system (Rajput et al., 2014). The interruption to the system is therefore kept to a minimum. If such mitigations are in place, the risk is greatly reduced.
Hacking
The pharmacy should adopt a risk acceptance strategy by installing additional firewalls and an intrusion detection and prevention system (IDPS). Properly installed, firewalls restrict hackers from entering the pharmacy system and from moving further into the internal network if they do get in. The IDPS detects possible intrusions and blocks them (Schou & Hernandez, 2014). The strategy fits because hacking cannot be fully stopped; the pharmacy can only accept that hackers pose a real threat and be prepared for when an attempt happens.
Phishing
Phishing both exploits and leads to compromised accounts such as e-mail, which are then used to deliver false information. A risk avoidance strategy can be used against this threat (Sennewald & Baillie, 2015). The pharmacy should adopt a standard for creating passwords and usernames so that it becomes difficult for outsiders to obtain or guess a password. The password guideline should require long, complex passwords that are not reused across systems. The strategy is effective because it makes unauthorized access to the pharmacy system much harder; it should be paired with a rule that any request for client data or funds is confirmed with the partner through a known telephone number rather than by replying to the message.
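The uRPF check described above amounts to a route lookup on the source address followed by a comparison with the ingress interface. The block below is an added example written for this page, not code from the paper, its sources, or any router vendor: it simulates the check over a constructed routing table and constructed packets so that the strict and loose modes, and the treatment of the default route, can be seen side by side. On Cisco IOS the equivalent interface command is `ip verify unicast source reachable-via rx` (strict) or `... any` (loose), optionally with `allow-default`.

```python
"""Unicast Reverse Path Forwarding (uRPF) check, simulated in Python.

Added example, not part of the original paper. The routing table, interface
names and sample packets are constructed; a real router applies the same test
to every packet in its forwarding path.
"""
import ipaddress

# Constructed routing table for the pharmacy's edge router: (prefix, outgoing interface).
ROUTES = [(ipaddress.ip_network(p), iface) for p, iface in [
    ("10.10.0.0/16", "lan"),    # internal office/store network
    ("192.0.2.0/24", "dmz"),    # public-facing web server segment
    ("0.0.0.0/0", "wan"),       # default route towards the ISP
]]


def best_route(addr):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src_ip, ingress, mode="strict", allow_default=False):
    """Decide whether a packet with source src_ip arriving on `ingress` passes.

    strict: the route back to the source must leave via the ingress interface.
    loose : any route to the source is enough (used on multi-homed links).
    The default route is ignored unless allow_default is set, so sources with
    no real route (unallocated/bogon space) are dropped in both modes."""
    route = best_route(src_ip)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


def filter_packets(packets, **kw):
    """Apply urpf_accept to (src_ip, ingress) pairs; returns a list of booleans."""
    return [urpf_accept(src, ingress, **kw) for src, ingress in packets]


if __name__ == "__main__":
    # Constructed packets: the second and fourth carry forged internal/DMZ sources.
    SAMPLE = [("10.10.5.7", "lan"), ("10.10.5.7", "wan"),
              ("198.51.100.9", "wan"), ("192.0.2.7", "wan")]
    for (src, ingress), ok in zip(SAMPLE, filter_packets(SAMPLE, allow_default=True)):
        print(f"{src:14s} on {ingress:3s} -> {'accept' if ok else 'DROP'}")
```

Strict mode drops the packets that claim an internal or DMZ source while arriving from the ISP, which is exactly the forged traffic a flood relies on; loose mode lets those through and only removes sources with no route at all, so it is the weaker setting and is chosen only where asymmetric routing would otherwise cause legitimate drops.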
The above analysis has identified the potential logical and physical risks to the pharmacy and suggested logical and physical controls that can eliminate or minimize them. The physical risks identified are theft and vandalism, piggybacking, disgruntled employees, fire, and unstable power supply.
The logical risks identified are malware, eavesdropping, denial of service, hacking, and phishing. It can be concluded that management needs to adopt the security controls and strategies discussed to avoid potential future risks.