Designing an IT security policy to mitigate the current/modern attacks against legitimate targets in PWC, UK
Dissertation
Faculty of Computing
BSc Computing Technology
Table of Contents
1.1 Background to the research topic
1.2 Background to research organization
2.1 Role of Information technologies in any organization
2.2 Cyber attacks and the reason behind these attacks
2.3 Role and impact of Information security policy
2.4 Strategies for Cyber Security
2.5 Factors affecting Cyber Security
List of Figures
Figure 1: Various Domains of Cyber Security.
Figure 2: the relationship between organizational learning and IT
Chapter 1 Introduction
1.1 Background to the research topic
Cyber security can be defined as the practice of defending servers, electronic systems, data, and networks from attacks with malicious intent. Cyber security makes it easier for organizations and individuals to secure their data and privacy from cyber attacks. According to Saravanan and Bama (2019), cyber security has several domains, which include internet, network, and application security along with operational and ICT security.
Figure 1: Various Domains of Cyber Security.
Although the technology of cyber security has improved, the rate of cybercrime and attacks is also increasing at an incredible pace. According to the report of ncsc.gov.uk (2021), more than 95,000 URLs along with 2 million commodity campaigns were cyber-enabled from 2020 to 2021 alone. This makes the level of internet threat and attack clear. Organizations in the UK have felt an increase of more than 60% in cyber threats since 2020; meanwhile, more than 60,000 attempts to hack small and medium-sized businesses happen on a daily basis in the UK.
In the modern era, information security is one of the major concerns of organizations. Due to the development of information-related technologies, organizations have started implementing and storing their databases in digital format. According to Alqahtani (2017), organizations must secure their data from theft, alteration, misuse, and illegal access. Information security emphasizes the confidentiality, integrity, and availability of data, which helps the organization to develop in the global market. Information security policies apply to every employee and stakeholder who uses the resources of an organization, and they set out the regulations on the use of those resources and technologies. It is necessary to develop security policies because cyber threats can affect the integrity and information of any organization. There are various types of cyber security threats, which include malware, phishing, social engineering, and ransomware (Seemma et al., 2018). Hackers use these threats to achieve their intentions. Because of this, various organizations use software and external services to protect themselves, and PwC is one of them.
1.2 Background to research organization
PwC is a London-based organization that came into existence after the merger between Price Waterhouse and Coopers & Lybrand in 1998. PwC is the formal short name of the brand PricewaterhouseCoopers, which was changed in 2010 (pwc.com, 2022). The services provided by this organization are focused on human resources, crisis management, and performance enhancement, which are necessary to resolve the complex issues of stakeholders and clients globally. The purpose of this organization is to solve important problems and to build trust in society. In the UK, a total of 19 PwC offices are located in places such as London, Northern Ireland, and Scotland.
To keep data and information safe and to mitigate the risk of cyberattacks, organizations need to implement and manage policies. An information security policy is a document formed to support the objectives of the organization and to ensure the security of information technology and information assets (Angraini et al., 2019). This policy makes it easier for the organization to improve its security and strengthen its infrastructure against external threats. The purpose of developing and implementing a policy on the security of information technology is closely related to preserving the integrity and confidentiality of an organization. Several policies are effective against external threats, including a data breach response policy and a clean desk policy. This research will help to understand more about security policies related to information technologies.
1.3 Research Rationale
Security is considered one of the primary requirements of any organization. Currently, along with technological advancement, the risk of cyber-attacks increases each day. To mitigate the risk of being attacked by hackers, organizations must develop and implement policies. This research will analyze security policies for mitigating the cyber security risk to legitimate targets in PwC. It can be stated that this study will be of immense significance with regard to IT security policies.
1.4 Research Questions
What is the importance of an Information technology security policy?
How does IT security policy affect cyber attacks carried out on an organization?
What is the role of IT security policy to mitigate cyber-attack in an organization?
1.5 Aims and objectives
Aims
Aim 1: The research aims at providing an in-depth demonstration of IT security policies and their impacts on the business of PWC, UK.
Objectives:
To understand Information technology in an organization
To explore the impact of IT security policies on organizations
Aim 2: This research aims to analyze the various attacks posed against IT companies in the global context
To explore the Cyberattacks that happen on organizations globally
To evaluate the IT organizations affected by cyber attacks
Aim 3: The project also aims at delivering a set of IT security policies to mitigate the current/modern attacks against legitimate targets
To explore the information technologies security policies
To understand the
Aim 4: The final aim of this research project is to provide recommendations that would be effective in addressing the current/modern attacks against legitimate targets based on designing an IT security policy in favor of PWC, UK
To explore the recommendations that are efficient to prevent a cyber attack
To understand the effective security policies in favor of PwC, UK
Chapter 2 Literature Review
2.1 Role of Information technologies in any organization
Information technologies (IT) can affect decision-making, channels of communication, and technical fields. The research done by Erdurmazli (2021) aims to understand and examine the impact of IT on cultural life in an organization. With the help of IT, organizations can enhance their decision-making about products and services. This research also stated that the cultural values of an organization can be influenced by IT. For a better understanding of information technology, the researcher explored different studies with diverse approaches. This research stated that there are various examples of information technologies, which include decision support systems and management information systems. Also, IT can reduce the negative effects of formalization in an organization. This research helps to understand the necessity of IT in any organization, as it is essential for storing and sharing information and for providing cultural effectiveness. Meanwhile, the research done by Malik et al. (2018) aims to provide a review of the study of organizational learning and information technology. Information technology can give an organization a suitable platform for learning. The research stated that IT makes it easier for the organization to manage knowledge. For a better understanding and to achieve this purpose, the researcher reviewed several studies on this topic. The findings of this research also stated that decision-making in any organization becomes more effective due to IT. By implementing IT in their infrastructure, organizations can change their actions related to decision-making. This study stated that IT contributes to the learning of an organization differently depending on the turbulence of the environment and the turnover of the firm.
Meanwhile, this study also stated that IT is facilitated by the culture of the organization, while decision-making is influenced by IT in a positive direction.
Figure 2: the relationship between organizational learning and IT
The role of information technology is increasing every day for small and medium enterprises. The purpose of the research done by Almeida et al. (2018) is to understand the challenges and importance of security policy in small and medium enterprises. The researcher stated that an information security policy is a document containing the set of procedures and methods that must be communicated to each employee and reviewed at regular intervals. The organization should consider ISO 27001:2013 before developing the security policy. This research helps to understand that privacy standards and information security levels are relatively low in small and medium enterprises due to barriers to knowledge and the availability of resources. The result of this research stated that three elements are essential for structuring the security policy of any organization: security risk management, scope definition, and asset management. It can be stated that information is an asset that must be protected and cared for by the rules and procedures defined as security policies.
2.2 Cyber attacks and the reason behind these attacks
The Internet has integrated the lives of 3 billion people and played a leading role in global communication over the last few decades. According to Li and Liu (2021), cyber-attacks are a challenging issue for organizations all over the world, as the major purpose of cyberattacks is to harm organizations financially. This research aims to understand cyber-attacks and security by reviewing emerging trends and developments. To achieve that purpose, this research used several studies previously done on this topic. This research helps us to understand several methods of cyber-attack, which include logic bombs, sniffers, denial of service, and Trojan horses. Attackers also use distributed denial-of-service attacks, in which hackers use multiple sources to launch the attack. Along with cyberattacks, this study helps to understand the advantages of cyber security. With the help of cyber security, real-time information about the latest data can be followed.
Figure 3: Types of Cyber Attacks
The research done by Lallie et al. (2020) aims to analyze cyber-attacks and crime during the pandemic in the UK. It can be stated that during and after the pandemic, the graph of cyber-attacks increased exponentially. Organizations can implement various effective measures to develop their cyber security. Various infrastructures and sectors were affected by cyberattacks, such as healthcare. The research helps to understand the difference between cyber-dependent and cyber-enabled crime. Malware, Denial of Service (DoS), and hacking come under cyber-dependent crime; meanwhile, cyber-enabled crime includes phishing, extortion, financial fraud, and pharming. The research includes more than 43 cyber-attacks that happened in the UK during the pandemic, where 86% of attacks involved phishing and more than 65% involved malware. Also, approximately 15% of cyber attacks happened in the UK alone during the period of the pandemic.
Meanwhile, the research done by Nobles (2018) stated that the majority of incidents related to cyber-attacks and breaches happen due to human error. This research aims to highlight the complexity of managing human factors in information security. This research makes it easier to understand that, in any organization, humans can be considered the most prominent weakness in security. The findings of this research stated that, to mitigate the risk of cyber-attack, organizations must develop and implement measures related to employees, such as human-centered cybersecurity. Human-centered cybersecurity can help employees to improve their decision-making while focusing on risks related to behavior. This research helps to understand that the organization must develop policy and planning that helps it to educate employees in order to mitigate the risk of cyber-attack.
In the modern era, technological advancement helps the functionality and daily activities of organizations and individuals. Technologies such as IoT help to evolve communication between machines. However, the research done by Das and Gunduz (2019) stated that these innovations can be considered one of the significant threats to cyber-security. This research helps to analyze cyberattacks on critical infrastructure. With the help of IoT, it becomes easier to connect any device to the internet through its IP address. However, it also exposes the device to security threats. The researcher provides the example of a cyber attack on the electric grid in the UK. Hackers attacked the grid by targeting its senior employees through spear-phishing attacks. This research helps to understand various ways to mitigate attacks on cyber-security, such as encryption and access control. Also, the implementation of intrusion detection systems and IP fast hopping are some of the ways that can be used for mitigating cyberattacks.
2.3 Role and impact of Information security policy
Currently, the security and protection of information is starting to get the attention of organizations. The research done by Helms (2019) aims to understand the management of information system security policy. The researcher stated that managing policies regarding information security is a tedious task. Different organizations handle the security of information through various means and measures. However, organizations must understand the importance of information security (IS), because if the organization fails to adhere to the standard of IS, its data can be compromised. The study helps to understand that information security means the security of the information that is important for that particular organization. Attackers always try to attack and compromise the IS of an organization to obtain the data and information related to the organization. This research helps to understand that there are various means to maintain information security policies, such as the development of a single document that contains the policies.
Meanwhile, the research done by Bekkevik et al. (2018) stated that it is necessary for organizations to adopt effective measures in response to developments related to cyber-attacks. The purpose of this research is to explore the practices of information security (IS) in an organization. The concept of information security has evolved with the development of digitalization. This research helps to understand that an information system policy contains adopted standards, which guide the employees. Also, information security can be perceived as a specific aspect of organizational culture. Meanwhile, the goals of information security must be aligned with business processes, as it is difficult to convert security into business value. The findings of this research stated that there are various challenges related to practices of IS in organizations, which include cultural awareness, organizational relations, security procedures, and personal risks. It becomes easier to understand that, for effective information security, the organization must think about the behavior and attitude of staff members as well as implementing technical infrastructure.
2.4 Strategies for Cyber Security
Meanwhile, the research done by Tvaronavičienė et al. (2020) aims to explore the cyber security management of energy infrastructure in national cyber security strategies. In several countries, the implementation of cyber security presents a lot of challenges. The researcher stated that the United Kingdom placed first on the global security index due to investment in the development of cybersecurity. After the United Kingdom, the USA, France, Estonia, and Lithuania are the countries that come at the top of the global security index. The findings of this research help to understand several indicators of cyber security level, which are good governance, security culture, and legal regulation along with incident and technology management. The researcher stated that even after the effective implementation of cybersecurity, the countries generally lack an adequate framework. The findings of this study help to understand that it is still necessary for the countries to develop their protection of critical infrastructure, which is a vital point of cybersecurity. Meanwhile, it can be stated that the UK has to develop its technology management.
Due to technological advancement and dependence on technology, it has become essential to raise the security requirements for cyberspace. The research done by Bederna and Rajnai (2022) aims to analyze the ecosystem of cyber security in the European Union. This research helps to understand that the need for cyber security increased in the European Union (EU) after the cyber attack against Estonia. The researcher reviewed various studies to achieve the aim. To ensure cyber security at the operational level, the EU identified various stakeholders, such as organizations and councils. The research stated that the majority of organizations depend on information and communication technology infrastructure rather than on a multi-layered approach to cyber resilience. The findings of this research stated that organizations and society must handle the requirements of cybersecurity. It can also be stated that organizations currently implement cybersecurity capabilities only through a risk-based approach.
The research done by Liu and Lang (2019) aims to understand machine learning (ML) for intrusion detection systems (IDS) to mitigate cyber-attacks on organizations. The researcher stated that cyber-security techniques mainly include anti-virus software along with intrusion detection systems and firewalls. To achieve this purpose, the researcher conducted a survey in which several machine learning algorithms needed to implement IDS were reviewed and analyzed. The researcher stated that, with the advancement of ML and its algorithms, it becomes easier for the detection system to detect abnormalities. Meanwhile, the organization must understand that meeting real-time requirements is essential for detecting cyber attacks in an organization. The findings of the research stated that it is possible to enhance the performance of IDS by implementing multiple deep learning networks. This research helps to understand that interpretability is essential for practical IDS.
For effective safety, various organizations have started implementing several technologies to reinforce their security against cyber threats, and artificial intelligence (AI) is one of them. According to Nguyen and Reddi (2019), machine learning (ML), which is a part of AI, can be used for both defending and attacking cyberspace. The purpose of this research is to understand the use in cybersecurity of deep reinforcement learning (DRL), which is a branch of ML. The researcher stated that DRL makes it easier for organizations to develop an intrusion detection system based on it. The findings of this research stated that there are several fields in which DRL is used, which include cyber security and IoT. However, there are several challenges to the implementation of DRL in intrusion detection systems (IDS), due to the recent emergence of this technology and because it is quite costly to use this technology in a real environment for training purposes. Also, very few studies are available regarding the use of reinforcement learning.
Meanwhile, the research done by Alhayani et al. (2021) also stated that techniques related to AI can be effective against the risks in cyber security. This research aims to determine AI's effectiveness in cyber security. This research helps to understand that AI can be used effectively to reduce cyberattacks. To achieve this purpose, the researcher used the quantitative method with survey data collection. With the help of AI, the defensive measures of any organization can be enhanced, along with the detection of network anomalies. Also, this research helps to understand that organizations have now started using machine learning for analyzing malware. The findings of this research stated that, for performance improvement, organizations have started using AI as a primary asset. So, it can be stated that for the better security of data and knowledge, organizations should start using AI and ML in their infrastructure.
2.5 Factors affecting Cyber Security
Information is an essential factor for any organization in its development. The research done by Straver and Ravesteyn (2018) stated that there are various human factors that affect the security management of information in an organization. The researcher stated that in one-third of cases of data breach in organizations, the employees and contractors are the major cause. So, it can be stated that organizations must provide essential knowledge about security policies to their employees, because this is a serious threat to the data of an organization. The research used a qualitative method for a better understanding of information security policy (ISP). The findings of the research stated that the protection level of information and technological resources can increase exponentially with the use of ISP. This research helps to understand that it is essential for any organization to develop policies on the security of information and to provide knowledge of them to its employees.
It can be stated that, due to rapid technological advancement and the growth of new technologies, it is becoming challenging to secure and protect the flow of information in any organization. The research done by Chang et al. (2018) aims to understand the impact of stress related to security policies on compliance with them. An attack on any organization influences not only the attacked organization but also the employees and consumers related to it. However, the role of employees also affects the success rate of cyberattacks. The report of PwC stated that more than one-third of attacks succeeded due to breaches caused by internal members. The findings of this research stated that stress related to security jobs and tasks highly influences the risk of exposure of data security. This research helps to understand that the organization must implement effective security policies while reducing the risk of stress for employees by implementing them efficiently.
2.6 Summary
Based on the review and analysis of research done by several researchers regarding the impact of cyber-attacks and the role of security policy in mitigating cyber risks, it can be stated that organizations such as PwC develop and implement various strategies. It can be summarized that cyber attacks have various impacts and that several technologies can be used to improve cyber security.
References
PwC, 2022. History and milestones. Pwc.com. Available from: https://www.pwc.com/us/en/about-us/pwc-corporate-history.html [Accessed on: 26 March 2022]
Seemma, P.S., Nandhini, S. and Sowmiya, M., 2018. Overview of cyber security. International Journal of Advanced Research in Computer and Communication Engineering, 7(11), pp.125-128. Doi: 10.17148/IJARCCE.2018.71127
Alqahtani, F.H., 2017. Developing an information security policy: A case study approach. Procedia Computer Science, 124, pp.691-697. Available from: https://scholar.google.com/scholar?q=Developing+an+Information+Security+Policy:+A+Case+Study+Approach&hl=en&as_sdt=0,5
Saravanan, A. and Bama, S.S., 2019. A Review on Cyber Security and the Fifth Generation Cyberattacks. Oriental Journal of Computer Science and Technology, 12(2), pp.50-56. Available from: https://scholar.google.com/scholar?as_ylo=2018&q=10.13005/ojcst12.02.04&hl=en&as_sdt=0,5
NCSC.Gov.UK., 2021. Record number of cyber incidents mitigated as NCSC protects vaccine rollout. National Cyber Security Centre. Available from: https://www.ncsc.gov.uk/news/record-number-mitigated-incidents [Accessed on: 28 March 2022]
Angraini., Alias, R.A., and Okfalisa., 2019. Information security policy compliance: Systematic literature review. Procedia Computer Science, 161, pp.1216-1224. Available from: https://scholar.google.com/scholar?q=10.1016/j.procs.2019.11.235&hl=en&as_sdt=0,5
Chapter 2
Erdurmazli, E., 2021. Effects of information technologies on organizational culture: A discussion based on the key role of organizational structure. A closer look at organizational culture in action/ed. by SD Göker.-London: IntechOpen, pp.125-139. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Effects+of+information+technologies+on+organizational+culture%3A+A+discussion+based+on+the+key+role+of+organizational+structure&btnG=
Malik, S., Chetty, M. and Chadhar, M., 2018. Information Technology and Organizational Learning Interplay: A Survey. Pp.1-12. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Information+Technology+and+Organizational+Learning+Interplay%3A+A+Survey&btnG=
Li, Y. and Liu, Q., 2021. A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Reports, 7, pp.8176-8186. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=10.1016%2Fj.egyr.2021.08.126&btnG=
Almeida, F., Carvalho, I. and Cruz, F., 2018. Structure and challenges of a security policy on small and medium enterprises. KSII Transactions on Internet and Information Systems (TIIS), 12(2), pp.747-763. Available from: https://scholar.google.com/scholar?q=Structure+and+challenges+of+a+security+policy+on+small+and+medium+enterprises&hl=en&as_sdt=0,5
Helms, J., 2019. Information systems security policy management: A literature review. Pp.1-58. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Information+systems+security+policy+management%3A+A+literature+review&btnG=
Tvaronavičienė, M., Plėta, T., Casa, S. and Latvys, J., 2020. Cyber security management of critical energy infrastructure in national cybersecurity strategies: Cases of USA, UK, France, Estonia and Lithuania. Insights into Regional Development, 2(4), pp.802-813.
Nguyen, T.T. and Reddi, V.J., 2019. Deep reinforcement learning for cyber security. IEEE Transactions on Neural Networks and Learning Systems. Pp.1-18. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Deep+reinforcement+learning+for+cyber+security&btnG=
Alhayani, B., Mohammed, H.J., Chaloob, I.Z. and Ahmed, J.S., 2021. Effectiveness of artificial intelligence techniques against cyber security risks apply of IT industry. Materials Today: Proceedings. Pp.1-6. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Effectiveness+of+artificial+intelligence+techniques+against+cyber+security+risks+apply+of+IT+industry&btnG=
Straver, P. and Ravesteyn, P., 2018. End-users compliance to the information security policy: A comparison of motivational factors. Communications of the IIMA, 16(4). pp.1-22. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=End-users+Compliance+to+the+Information+Security+Policy%3A+A+Comparison+of+Motivational+Factors&btnG=
Bederna, Z. and Rajnai, Z., 2022. Analysis of the cybersecurity ecosystem in the European Union. International Cybersecurity Law Review, pp.1-15. Doi: https://doi.org/10.1365/s43439-022-00048-9
Lallie, H.S., Shepherd, L.A., Nurse, J.R., Erola, A., Epiphaniou, G., Maple, C. and Bellekens, X., 2021. Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Computers & Security, 105, p.102248. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Cyber+security+in+the+age+of+COVID-19%3A+A+timeline+and+analysis+of+cyber-crime+and+cyber-attacks+during+the+pandemic&btnG=
Li, Y.J. and Hoffman, E., 2019. Information security policy compliance (No. 201911010700001094). Iowa State University, Department of Economics.
Resul, D.A.S. and Gündüz, M.Z., 2020. Analysis of cyber-attacks in IoT-based critical infrastructures. International Journal of Information Security Science, 8(4), pp.122-133. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2018&q=Analysis+of+cyber-attacks+in+IoT-based+critical+infrastructures&btnG=
Nobles, C., 2018. Botching human factors in cybersecurity in business organizations. HOLISTICA–Journal of Business and Public Administration, 9(3), pp.71-88. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2018&q=Botching+human+factors+in+cybersecurity+in+business+organizations&btnG=
Liu, H. and Lang, B., 2019. Machine learning and deep learning methods for intrusion detection systems: A survey. Applied Sciences, 9(20), p.4396. Available from: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2018&q=Machine+learning+and+deep+learning+methods+for+intrusion+detection+systems%3A+A+survey&btnG=
https://core.ac.uk/download/pdf/301376175.pdf
Bekkevik, F.M., Holm, O.R., Vassilakopoulou, P. and Hustad, E., 2018. Information security practices in organizations: A literature review on challenges and related measures. In Digital and social transformation for a better society-Proceedings of the Twelfth Mediterranean Conference on Information Systems (MCIS 2018). Pp.1-13. Available from: https://scholar.google.com/scholar?q=Information+security+practices+in+organizations:+A+literature+review+on+challenges+and+related+measures&hl=en&as_sdt=0,5