Due technology. However, whilst technology can deliver a

Due to the technology boom and the rise of the information age cyber-crime has grown expeditiously due to the evolutionary nature of information technology. With its enormous capacity to make information accessible, the Internet has changed the way Americans interact. Consumers now routinely shop, pay bills, and bank activities which once required face-to-face human contact online. Consumers, increasingly aware of their dependence on the Internet to transact and communicate with others, have raised concerns regarding the safety of their private information. The daily advances in Information Technology have revolutionized the way we live, work, and enjoy our leisure time to the point to where we are now able to look up and research anything online. We are living in a society that is increasingly dependent upon information technology. However, whilst technology can deliver a number of benefits, it also introduces new vulnerabilities that can be exploited by persons with the necessary technical skills (Furnell, 1999).A much larger collection of information technology (IT) is instrumental in the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D) (Lin, 2014). Despite these leaps and bounds in the advancement of information technology society has created its own enemy by means of the internet called cyber-crime.  Over the past few years, a rapidly increasing number of sophisticated cyber attacks targeting high-profile organizations have been reported in the media (Hult, 2013).Cybercrime is a criminal offense committed via the internet or different forms of information technology; it is also the fastest growing area of crime because of anonymity (Cheswick, 2003). Breaches of supposedly secure computer networks have repeatedly compromised consumer data, thus evidencing the inadequacy of current cyber-security systems, which strive to safeguard confidential information. Additionally, because of the federal government’s dependence on the Internet, these security breaches could threaten national security. In today’s technology-driven society it is important for organizations to be aware of the constant and growing threat of cybercrime. Security incidents threaten not only financial harm, disruption, reputational damage, litigation, and loss of intellectual property but also safety, essential services, and national security (Tauwhare, 2016).Each and every day there are new reports and statistics showing the now common trend of companies and organizations falling victim to hackers or viruses that were able to breach their network security and expose the company to risk of exploitation; or the organization losing mass amounts of sensitive data. ON JUNE 12, 2015, an incident in the Asia-Pacific region caused network performance problems for hundreds of thousands of Internet destinations, including Facebook and Amazon (Lychev, 2016). The rapid development of intranets, extranets, and the internet has introduced an increased level of security problems for network managers, computer information systems professionals, individual users, and corporations with an expanding base of telecommuters. With the advent of electronic mail and electronic commerce via the internet, computer information security is an increasing worldwide concern (Cheswick, 2003). Current approaches to cyber-security are not working. Rather than producing more security, we seem to be facing less and less (Cavelty, 2014). Small and midsized businesses are now the preferred targets for cybercriminals not because they are lucrative prizes individually but because automation makes it easy to attack them by the thousands, and far too many of them are easy targets Small businesses, in particular, are a great target for criminals with one reason being that major companies and corporations usually have an IT department with a section in that department dedicated to network security particularly focused on the company’s website and online transactions. In most cases, small businesses have not yet grown to the point to where they have anything other than a regular IT department and thus don’t have the same level of protection. Another reason cybercriminals target small businesses, in particular, is if the small business is a supplier or subsidy of a larger corporation. In this case, cybercriminals target these small businesses to gain access and information to the larger corporation as a sort of like a back door or unguarded or limited access point. The main goal of cybercrime is not necessarily to sabotage a company but more so to gain access to information such as personal information, bank account information, credit card information, that can be sold or used for profit or exploitation.With all of these threats and challenges to the security of businesses and organizations, new emphasis is being placed on companies IT department to create a strong security policy that minimizes the threat to the company of falling victim to cybercrime. Software vulnerabilities when exploited cause loss in confidentiality, integrity, and availability of information (Chen, 2011). Concerns about the vulnerability of the information technology on which the  nation relies  have deepened in the security-conscious environment after   September  11,  2001,  attacks and in light of increased cyber-espionage directed at private companies and government agencies in the  United  States (Clark, 2014). Ineffective protection can often be attributed to the manner in which firms go about planning their information security programs (Johnston, 2009).The first step in creating a security policy is to do an overall assessment and potential overall of the current security policy by testing it against current systems as well as testing the knowledge of but upper executives as well as regular employees to gauge there security awareness and potential threats to the organization.Security threats can have a negative impact on the reputation and assets of an organization as well as adversely affect the legal and regulatory compliance of the organization. Security awareness is a primary pillar of security for any organization to avoid major security breaches (Dahbur, 2013). Several studies support the idea that there should be a greater emphasis on security awareness at the individual user level as well because it has been determined and reported by numerous sources that the “human element” is considered the weakest link in current and emerging security policies. The knowledge and experience of the security staff and employees, complemented with the support and commitment of the management, can simply be the difference between organizations that are successful in maintaining information security and those that fail. Continuous security awareness helps raise the maturity level of employees and enhance their security obligations (Dahbur, 2013).By conducting an initial analysis of the current security performance and knowledge of the employees the data gained from the security tests generally provide an outline of the current security status of the organization thus giving the IT team critical information on how to begin the reconstruction and development of an updated security policy. By measuring information security performance, organizations determine the extent to which their security needs are met. Such measurements may apply to the entire system or to its individual elements. The majority of information threats currently faced by organizations are elementary in their nature. Reports show that nearly 75 percent of incidents could be easily prevented by basic tools (Bernick, 2016). After an analysis is done on the current security systems in place to protect the companies network and the current weaknesses documented; the next phase would be to use the current data and statistical analysis as a backbone to upgrade the current security policy.Because security is such a complex subject and it is impossible for all potential threats to be anticipated and neutralized; the new security policy should place emphasis on the most likely threats and employee training along with risk assessment and the company’s current cyber-security position. Back on May 11, President Trump signed an executive order on cyber-security, giving civilian and military agencies a 60-day deadline for reviewing cyber-security posture (Kerner, 2017). Once the infrastructure of the security policy is created it should be broken down into five sections that include an overview, scope, policy, enforcement, and revision tracking.  Each one of these is important in its own right; the overview gives a detailed summary of the policy with key points. The scope informs the reader what the policy does and does not do and when each thing listed should be enforced; the actual policy itself tells how to fulfill each task that is outlined with step by step procedures. The enforcement section establishes who is responsible for each task along with the execution and the enforcement of the policy; while the revision tracking ensures the regular updates and evolution of the entirety of the security policy. Each one of these sections should also have subcategories that have procedures to identify new risks, learn from mistakes and public examples, legal requirements, threat levels, how to train employees, consequences, and security policy testing. Once a security policy is created and reviewed by management the IT department and employees; the next step is to have it signed then all personnel trained so that it can be implemented within the organization. The Cybersecurity Law stipulates that the information infrastructures for important industries and fields such as telecoms, information services, energy, transportation, finance, public service and e-government should be deemed as key information infrastructures (Qi, 2017). Generally, once a security administrator has specified a security policy, he or she aims to enforce it in the information system to be protected. This enforcement consists in distributing the security rules expressed in this policy over different security components of the information system—such as firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), proxies, etc.—both an application, system and network level (Alfaro, 2007). The procedures and approved measure that are outlined in the security policy gives the step by step method for the implementation because they include standard operating procedures, guidelines, and user guides. The three most important steps in the implementation of the security policy are the installation of all technical controls hardware/software, implementation of security awareness training across the entire organization, and an up to date security monitoring program. When adding technical controls to existing systems it is important to stay within the security policy and not take shortcuts because of budget constraints. This is important because when a company or organization chooses a cheaper or more cost effective solution rather than sticking to what was already agreed upon often times the cheaper solution is not as secure and will have holes or weakness within it that puts the company at risk for exploitation. Security shouldn’t come at the price of performance. Watch for trade-offs like stately inspection at firewalls, which raises the likelihood of performance impact as multiple security elements are “turned on” (Leong, 2009). Policy-based network management, separating the rules that govern the system from the functionality it provides, is currently the favored approach. However, policy refinement is still an open problem in network security management because many technologies should be specified, and the consistency, the correctness and the feasibility of policies should be proven (Laborde, 2006). As cybercriminals continue to develop new ways of impersonating legitimate organizations and email senders, computer users need to become even more vigilant and circumspect in their daily practices (Werner, 2017). MonitoringOnce the security policy is developed and then implemented within the policy guidelines the next step; will be to constantly monitor the systems that are put in place in an effort to enforce compliance, security, and to document regular status updates. Developing an information security strategy that involves employee monitoring requires that the information risks and system controls of an entity are understood. A comprehensive content security policy focuses on four areas tailored to the needs, resources, and goals of individual organizations: prevention, detection, investigation, and reporting (Wakefield, 2004). To counter digital threats, security-conscious organizations build computer incident response teams (CIRTs). These units may consist of a single individual, a small group, or dozens of security professionals (Bejtlich, 2013). This is extremely important and critical because an organization must have someone within the organization that is specifically responsible for handling intrusion detection systems; because without it, it is very likely the organization will be exploited in the future.  According to a study by Carnegie Mellon University, commercial software typically has 20 to 30 bugs for every thousand lines of code—50 million lines of code means 1 million to 1.5 million of potential errors to be exploited (Britton, 2016). EVOLVEOnce the security policy is developed, implemented, and monitored the final step an organization must do to effectively maintain network security is to continue to upgrade the policy and framework; until it becomes organic and is able to continually evolve with information technology, the company, and cybersecurity laws and policies. Developing an information security strategy that involves employee monitoring requires that the information risks and system controls of an entity are understood. A comprehensive content security policy focuses on four areas tailored to the needs, resources, and goals of individual organizations: prevention, detection, investigation, and reporting (Wakefield, 2004).Cyberspace is a virtual unowned computer creation, which requires a high level of technical equipment and a good information infrastructure. This space without national boundaries simultaneously coexists with a real space in order to make collective communication among people faster and better (Spalevic, 2014). Most experts agree that a proper technology background is essential to securing the organization’s IT infrastructure (Woszczynski, 2017).Companies buy software and hire network security specialists to monitor the networks. All of these are to assist in the detection and prevention of attacks on the networks (Jenab, 2016).Majority of Small and Medium business feel that IS Security is not their main concern. Preemptive measures are been addressed for the new emerging threats in the market (Nilaykumar, 2012).Targeted attacks have become so sophisticated that decision-makers from the boardroom, C-suite and data center are all grasping for answers. Being prepared requires an assortment of tools across the board. As part of a comprehensive cybersecurity strategy encompassing the network, servers, desktops, mobile and web applications, etc., it’s crucial to understand exactly what an IT infrastructure has to deal with (Sherry, 2014).Organisations should consider guidance with regard to data protection and regulatory compliance in line with incident management, especially with regard to potential cross-border data access and transfer positions (Mallinder, 2013)