Developing a cybersecurity plan for the websites of case company X
Gamoulos, Cynthia (2021)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:amk-2021121626438
Abstract
The development task of this project is to create a cybersecurity plan for the websites of the case company. This thesis aims to identify and assess the risks that could affect the case company's websites and to create a cybersecurity plan that protects their data and software and ensures the continuity of operations. Furthermore, this study investigates cybersecurity risks to the company's websites, such as information leaks and hacking, and creates a risk management plan to prevent them.
The organization (case company X) of this development project is a multimedia company that offers expertise and services focusing on the web development of websites, digital marketing and the production of videos and films. This thesis focuses particularly on the websites of the company X.
The theoretical framework consisted of terms and concepts relating to cybersecurity and WordPress, including the basics of cybersecurity, the CIA triad, cybercrimes and types of attackers, the cybersecurity plan and risk management, an introduction to the NIST framework and lastly, information regarding WordPress websites and common types of cyberattacks.
The methods used in this thesis for collecting information included a semi-structured interview in which the interviewee was asked open-ended questions, both written and verbal. Secondly, a risk assessment process that defined the terms likelihood and consequence and their different levels of impact was used to build a risk matrix in which every identified risk could be categorised and its risk level estimated. Finally, the third method was a workshop in which employees of the web development department took part and conducted a vulnerability assessment of the company's website.
The results included a list of risks and possible threats that could damage the website and its contents. These risks were identified during the interview and the workshop. In addition, the results included a risk analysis in which each risk was explained in more detail. The whole list of identified risks can be viewed in the Table chapter of this thesis, and the risk management plan created after the risk assessment process can be seen in the Appendix chapter.
In conclusion, the main aim and goal of this thesis were achieved at a satisfactory level. This development task aimed to identify cybersecurity risks and threats to the company's WordPress websites and to create a cybersecurity plan for their prevention and mitigation. The presented risks and their prevention methods were identified through the workshop, the interview and research. Discussions with the company's senior web developer and the other web developers suggested that this plan could be the first in a series of security plans for the company. What emerged from that discussion is that, in combination with this cybersecurity plan, further plans such as a threat monitoring plan, a recovery plan and a response plan could be implemented by the case company to complete the entire cybersecurity framework as defined by NIST.