Week 5 assignment
Ethics and Information Security: MIS Business Concerns
Business Driven Information Systems, Ch. 4.2: Information Security
Read Ch. 4.2 of Business Driven Information Systems: Information Security.
CHAPTER OUTLINE
Protecting Intellectual Assets
What’s in IT for me? This chapter concerns itself with protecting information from potential misuse. Organizations must ensure that they collect, capture, store, and use information in an ethical manner. This means any type of information they collect and use, including about customers, partners, and employees. Companies must ensure that personal information collected about someone remains private. This is not just a nice thing to do. The law requires it. Perhaps more important, information must be kept physically secure to prevent access and possible dissemination and use by unauthorized sources. You, the business student, must understand ethics and security because they are the top concerns customers voice today. The way they are handled directly influences a customer’s likelihood of embracing electronic technologies and conducting business over the web—and thus the company’s bottom line. You can find evidence in recent news reports about how the stock price of organizations falls dramatically when information privacy and security breaches are made known. Further, organizations face potential litigation if they fail to meet their ethical, privacy, and security obligations in the handling of information.
opening case study
Five Ways Hackers Can Get Into Your Business
Did you know:
Once every 3 minutes, the average company comes into contact with viruses and malware.
One in every 291 email messages contains a virus.
Three things hackers want most are customer data, intellectual property, and bank account information.
The top five file names used in phishing scams are Details.zip, UPS_document.zip, DCIM.zip, Report.zip, and Scan.zip.
The average annual cost of a cyberattack on a small or medium-sized business is $188,242.
Cyberthieves are always looking for new ways to gain access to your business data, business networks, and business applications. The best way to protect your business from cybertheft is to build a strong defense and be able to identify vulnerabilities and weak spots. According to John Brandon of Inc. magazine, the top five ways hackers will try to gain access to your businesses are highlighted in Figure 4.1. (Please note that there are far more than five ways; these are just the five most common.)
FIGURE 4.1
Five ways hackers gain access to your business
section 4.1
Ethics
LEARNING OUTCOMES
4.1 Explain the ethical issues in the use of information technology.
4.2 Identify the six epolicies organizations should implement to protect themselves.
INFORMATION ETHICS
LO 4.1: Explain the ethical issues in the use of information technology.
Ethics and security are two fundamental building blocks for all organizations. In recent years, enormous business scandals along with 9/11 have shed new light on the meaning of ethics and security. When the behavior of a few individuals can destroy billion-dollar organizations, the value of ethics and security should be evident.
Copyright is the legal protection afforded an expression of an idea, such as a song, book, or video game. Intellectual property is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents. A patent is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor. As it becomes easier for people to copy everything from words and data to music and video, the ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world. Technology poses new challenges for our ethics—the principles and standards that guide our behavior toward other people.
The protection of customers’ privacy is one of the largest, and murkiest, ethical issues facing organizations today. Privacy is the right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent. Privacy is related to confidentiality, which is the assurance that messages and information remain available only to those authorized to view them. Each time employees make a decision about a privacy issue, the outcome could sink the company.
Trust among companies, customers, partners, and suppliers is the support structure of ebusiness. Privacy is one of its main ingredients. Consumers’ concerns that their privacy will be violated because of their interactions on the web continue to be one of the primary barriers to the growth of ebusiness.
Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. The two primary areas concerning software include pirated software and counterfeit software. Pirated software is the unauthorized use, duplication, distribution, or sale of copyrighted software. Counterfeit software is software that is manufactured to look like the real thing and sold as such. Digital rights management is a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution. Figure 4.2 contains examples of ethically questionable or unacceptable uses of information technology.2
FIGURE 4.2
Ethically Questionable or Unacceptable Information Technology Use
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN DISCUSSION
Information—Does It Have Ethics?
A high school principal decided it was a good idea to hold a confidential conversation about teachers, salaries, and student test scores on his cellular phone in a local Starbucks. Not realizing that one of the students’ parents was sitting next to him, the principal accidentally divulged sensitive information about his employees and students. The irate parent soon notified the school board about the principal’s inappropriate behavior and a committee was formed to decide how to handle the situation.3
With the new wave of collaboration tools, electronic business, and the Internet, employees are finding themselves working outside the office and beyond traditional office hours. Advantages associated with remote workers include increased productivity, decreased expenses, and boosts in morale as employees are given greater flexibility to choose their work location and hours. Unfortunately, disadvantages associated with workers working remotely include new forms of ethical challenges and information security risks.
In a group, discuss the following statement: Information does not have any ethics. If you were elected to the committee to investigate the principal’s inappropriate Starbucks phone conversation, what types of questions would you want answered? What type of punishment, if any, would you enforce on the principal? What types of policies would you implement across the school district to ensure that this scenario is never repeated? Be sure to highlight how workers working remotely affect business along with any potential ethical challenges and information security issues.
Unfortunately, few hard and fast rules exist for always determining what is ethical. Many people can either justify or condemn the actions in Figure 4.2, for example. Knowing the law is important, but that knowledge will not always help because what is legal might not always be ethical, and what might be ethical is not always legal. For example, Joe Reidenberg received an offer for AT&T cell phone service. AT&T used Equifax, a credit reporting agency, to identify potential customers such as Joe Reidenberg. Overall, this seemed like a good business opportunity between Equifax and AT&T wireless. Unfortunately, the Fair Credit Reporting Act (FCRA) forbids repurposing credit information except when the information is used for “a firm offer of credit or insurance.” In other words, the only product that can be sold based on credit information is credit. A representative for Equifax stated, “As long as AT&T Wireless (or any company for that matter) is offering the cell phone service on a credit basis, such as allowing the use of the service before the consumer has to pay, it is in compliance with the FCRA.” However, the question remains—is it ethical?4
Figure 4.3 shows the four quadrants where ethical and legal behaviors intersect. The goal for most businesses is to make decisions within quadrant I that are both legal and ethical. There are times when a business will find itself in the position of making a decision in quadrant III, such as hiring child labor in foreign countries, or in quadrant II when a business might pay a foreigner who is getting her immigration status approved because the company is in the process of hiring the person. A business should never find itself operating in quadrant IV. Ethics are critical to operating a successful business today.
Information Does Not Have Ethics, People Do
Information itself has no ethics. It does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls to those who own the information to develop ethical guidelines about how to manage it.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN ETHICS AND SECURITY
Is IT Really Worth the Risk?
Ethics. It’s just one tiny word, but it has monumental impact on every area of business. From the magazines, blogs, and newspapers you read to the courses you take, you will encounter ethics because it is a hot topic in today’s electronic world. Technology has provided so many incredible opportunities, but it has also provided those same opportunities to unethical people. Discuss the ethical issues surrounding each of the following situations (yes, these are true stories):
A student raises her hand in class and states, “I can legally copy any DVD I get from Netflix because Netflix purchased the DVD and the copyright only applies to the company who purchased the product.”
A student stands up the first day of class before the professor arrives and announces that his fraternity scans textbooks and he has the textbook for this course on his thumb drive, which he will gladly sell for $20. Several students pay on the spot and upload the scanned textbook to their PCs. One student takes down the student information and contacts the publisher about the incident.
A senior marketing manager is asked to monitor his employee’s email because there is a rumor that the employee is looking for another job.
A vice president of sales asks her employee to burn all of the customer data onto an external hard drive because she made a deal to provide customer information to a strategic partner.
A senior manager is asked to monitor his employee’s email to discover whether she is sexually harassing another employee.
An employee is looking at the shared network drive and discovers that his boss’s entire hard drive, including his email backup, has been copied to the network and is visible to all.
An employee is accidentally copied on an email listing the targets for the next round of layoffs.
FIGURE 4.3
Acting Ethically and Acting Legally Are Not Always the Same Thing
FIGURE 4.4
Ethical Guidelines for Information Management
A few years ago, the ideas of information management, governance, and compliance were relatively obscure. Today, these concepts are a must for virtually every company, both domestic and global, primarily due to the role digital information plays in corporate legal proceedings or litigation. Frequently, digital information serves as key evidence in legal proceedings, and it is far easier to search, organize, and filter than paper documents. Digital information is also extremely difficult to destroy, especially if it is on a corporate network or sent by email. In fact, the only reliable way to obliterate digital information is to destroy the hard drives on which the file was stored. Ediscovery (or electronic discovery) refers to the ability of a company to identify, search, gather, seize, or export digital information in responding to litigation, an audit, an investigation, or an information inquiry. As the importance of ediscovery grows, so does information governance and information compliance. The Child Online Protection Act (COPA) was passed to protect minors from accessing inappropriate material on the Internet. Figure 4.4 displays the ethical guidelines for information management.
DEVELOPING INFORMATION MANAGEMENT POLICIES
LO 4.2: Identify the six epolicies organizations should implement to protect themselves.
Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, employee procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. If an organization’s employees use computers at work, the organization should, at a minimum, implement epolicies. Epolicies are policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment. Figure 4.5 displays the epolicies a firm should implement to set employee expectations.
FIGURE 4.5
Overview of Epolicies
Ethical Computer Use Policy
In a case that illustrates the perils of online betting, a leading Internet poker site reported that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas hold ’em tournaments—the ability to see his opponents’ hole cards. The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com and hacked the system to show that it could be done. Regardless of what business a company operates—even one that many view as unethical—the company must protect itself from unethical employee behavior.5 Cyberbullying includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on the website. A threat is an act or object that poses a danger to assets. Click-fraud is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser. Competitive click-fraud is a computer crime in which a competitor or disgruntled employee increases a company’s search advertising costs by repeatedly clicking the advertiser’s link.
Cyberbullying and click-fraud are just a few examples of the many types of unethical computer use found today.
One essential step in creating an ethical corporate culture is establishing an ethical computer use policy. An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours. This policy ensures that the users know how to behave at work and the organization has a published standard to deal with infractions. For example, after appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work.
Organizations can legitimately vary in how they expect employees to use computers, but in any approach to controlling such use, the overriding principle should be informed consent. The users should be informed of the rules and, by agreeing to use the system on that basis, consent to abide by them.
Managers should make a conscientious effort to ensure all users are aware of the policy through formal training and other means. If an organization were to have only one epolicy, it should be an ethical computer use policy because that is the starting point and the umbrella for any other policies the organization might establish.
Part of an ethical computer use policy can include a BYOD policy. A bring your own device (BYOD) policy allows employees to use their personal mobile devices and computers to access enterprise data and applications. BYOD policies offer four basic options, including:
Unlimited access for personal devices.
Access only to nonsensitive systems and data.
Access, but with IT control over personal devices, apps, and stored data.
Access, but preventing local storage of data on personal devices.
Information Privacy Policy
An organization that wants to protect its information should develop an information privacy policy, which contains general principles regarding information privacy. Visa created Innovant to handle all its information systems, including its coveted customer information, which details how people are spending their money, in which stores, on which days, and even at what time of day. Just imagine what a sales and marketing department could do if it gained access to this information. For this reason, Innovant bans the use of Visa’s customer information for anything outside its intended purpose—billing. Innovant’s privacy specialists developed a strict credit card information privacy policy, which it follows.
Innovant has been asked whether it can guarantee that unethical use of credit card information will never occur. In a large majority of cases, the unethical use of information happens not through the malicious scheming of a rogue marketer but, rather, unintentionally. For instance, information is collected and stored for some purpose, such as record keeping or billing. Then, a sales or marketing professional figures out another way to use it internally, share it with partners, or sell it to a trusted third party. The information is “unintentionally” used for new purposes. The classic example of this type of unintentional information reuse is the Social Security number, which started simply as a way to identify government retirement benefits and then was used as a sort of universal personal ID, found on everything from drivers’ licenses to savings accounts.
Fair information practices is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Different organizations and countries have their own terms for these concerns. The United Kingdom terms it “Data Protection,” and the European Union calls it “Personal Data Privacy”; the Organisation for Economic Co-operation and Development (OECD) has written Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which can be found at www.oecd.org/unitedstates.6
Acceptable Use Policy
An acceptable use policy (AUP) requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet. Nonrepudiation is a contractual stipulation to ensure that ebusiness participants do not deny (repudiate) their online actions. A nonrepudiation clause is typically contained in an acceptable use policy. Many businesses and educational facilities require employees or students to sign an acceptable use policy before gaining network access. When signing up with an email provider, each customer is typically presented with an AUP, which states that the user agrees to adhere to certain stipulations. Users agree to the following in a typical acceptable use policy:
Not using the service as part of violating any law.
Not attempting to break the security of any computer network or user.
Not posting commercial messages to groups without prior permission.
Not performing any nonrepudiation.
Some organizations go so far as to create a unique information management policy focusing solely on Internet use. An Internet use policy contains general principles to guide the proper use of the Internet. Because of the large amounts of computing resources that Internet users can expend, it is essential for such use to be legitimate. In addition, the Internet contains numerous materials that some believe are offensive, making regulation in the workplace a requirement. Cybervandalism is the electronic defacing of an existing website. Typosquatting is a problem that occurs when someone registers purposely misspelled variations of well-known domain names. These variants sometimes lure consumers who make typographical errors when entering a URL. Website name stealing is the theft of a website’s name that occurs when someone, posing as a site’s administrator, changes the ownership of the domain name assigned to the website to another website owner. These are all examples of unacceptable Internet use. Internet censorship is government attempts to control Internet traffic, thus preventing some material from being viewed by a country’s citizens. Generally, an Internet use policy:
Describes the Internet services available to users.
Defines the organization’s position on the purpose of Internet access and what restrictions, if any, are placed on that access.
Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization’s good name.
States the ramifications if the policy is violated.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN GLOBALIZATION
The Right to Be Forgotten
The European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right—the right to be forgotten, allowing individuals to request to have all content that violates their privacy removed. The right to be forgotten addresses an urgent problem in the digital age: the great difficulty of escaping your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. To comply with the European Court of Justice’s decision, Google created a new online form by which individuals can request search providers to remove links that violate their online privacy. In the first month, Google received more than 50,000 submissions from people asking the company to remove links. Many people in the United States believe that the right to be forgotten conflicts with the right to free speech. Do people who want to erase their past deserve a second chance? Do you agree or disagree?7
Email Privacy Policy
An email privacy policy details the extent to which email messages may be read by others. Email is so pervasive in organizations that it requires its own specific policy. Most working professionals use email as their preferred means of corporate communications. Although email and instant messaging are common business communication tools, risks are associated with using them. For instance, a sent email is stored on at least three or four computers (see Figure 4.6). Simply deleting an email from one computer does not delete it from the others. Companies can mitigate many of the risks of using electronic messaging systems by implementing and adhering to an email privacy policy.
FIGURE 4.6
Email Is Stored on Multiple Computers
One major problem with email is the user’s expectations of privacy. To a large extent, this expectation is based on the false assumption that email privacy protection exists somehow analogous to that of U.S. first-class mail. Generally, the organization that owns the email system can operate the system as openly or as privately as it wishes. Surveys indicate that the majority of large firms regularly read and analyze employees’ email looking for confidential data leaks such as unannounced financial results or the sharing of trade secrets that result in the violation of an email privacy policy and eventual termination of the employee. That means that if the organization wants to read everyone’s email, it can do so. Basically, using work email for anything other than work is not a good idea. A typical email privacy policy:
Defines legitimate email users and explains what happens to accounts after a person leaves the organization.
Explains backup procedure so users will know that at some point, even if a message is deleted from their computer, it is still stored by the company.
Describes the legitimate grounds for reading email and the process required before such action is performed.
Discourages sending junk email or spam to anyone who does not want to receive it.
Prohibits attempting to mail bomb a site. A mail bomb sends a massive amount of email to a specific person or system that can cause that user’s server to stop functioning.
Informs users that the organization has no control over email once it has been transmitted outside the organization.
Spam is unsolicited email. It plagues employees at all levels within an organization, from receptionist to CEO, and clogs email systems and siphons MIS resources away from legitimate business projects. An anti-spam policy simply states that email users will not send unsolicited emails (or spam). It is difficult to write anti-spam policies, laws, or software because there is no such thing as a universal litmus test for spam. One person’s spam is another person’s newsletter. End users have to decide what spam is, because it can vary widely not just from one company to the next, but from one person to the next. A user can opt out of receiving emails by choosing to deny permission to incoming emails. A user can opt in to receive emails by choosing to allow permissions to incoming emails.
Teergrubing is an anti-spamming approach by which the receiving computer launches a return attack against the spammer, sending email messages back to the computer that originated the suspected spam.
Social Media Policy
Did you see the YouTube video showing two Domino’s Pizza employees violating health codes while preparing food by passing gas on sandwiches? Millions of people did, and the company took notice when disgusted customers began posting negative comments all over Twitter. Because they did not have a Twitter account, corporate executives at Domino’s did not know about the damaging tweets until it was too late. The use of social media can contribute many benefits to an organization, and implemented correctly, it can become a huge opportunity for employees to build brands. But there are also tremendous risks because a few employees representing an entire company can cause tremendous brand damage. Defining a set of guidelines implemented in a social media policy can help mitigate that risk. Companies can protect themselves by implementing a social media policy outlining the corporate guidelines or principles governing employee online communications. Having a single social media policy might not be enough to ensure that the company’s online reputation is protected. Additional, more specific, social media policies a company might choose to implement include:
Employee online communication policy detailing brand communication.
Employee blog and personal blog policies.
Employee social network and personal social network policies.
Employee Twitter, corporate Twitter, and personal Twitter policies.
Employee LinkedIn policy.
Employee Facebook usage and brand usage policy.
Corporate YouTube policy.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN MIS
15 Million Identity Theft Victims
Identity theft has quickly become the most common, expensive, and pervasive crime in the United States. The identities of more than 15 million U.S. citizens are stolen each year, with financial losses exceeding $50 billion. This means that the identities of almost 10 percent of U.S. adults will be stolen this year, with losses of around $4,000 each, not to mention the 100 million U.S. citizens whose personal data will be compromised due to data breaches on corporate and government databases.
The growth of organized crime can be attributed to the massive amounts of data collection along with the increased cleverness of professional identity thieves. Starting with individually tailored phishing and vishing scams, increasingly successful corporate and government databases hackings, and intricate networks of botnets that hijack millions of computers without a trace, we must wake up to this ever-increasing threat to all Americans.8
You have the responsibility to protect yourself from data theft. In a group, visit the Federal Trade Commission’s Consumer Information Identity Theft website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft and review what you can do today to protect your identity and how you can ensure that your personal information is safe.
Social media monitoring is the process of monitoring and responding to what is being said about a company, individual, product, or brand. Social media monitoring typically falls to the social media manager, a person within the organization who is trusted to monitor, contribute, filter, and guide the social media presence of a company, individual, product, or brand. Organizations must protect their online reputations and continuously monitor blogs, message boards, social networking sites, and media sharing sites. However, monitoring the hundreds of social media sites can quickly become overwhelming. To combat these issues, a number of companies specialize in online social media monitoring; for example, Trackur.com creates digital dashboards that allow executives to view at a glance the date published, source, title, and summary of every item tracked. The dashboard not only highlights what’s being said but also the influence of the particular person, blog, or social media site.
Workplace Monitoring Policy
Increasingly, employee monitoring is not a choice; it is a risk-management obligation. Michael Soden, CEO of the Bank of Ireland, issued a mandate stating that company employees could not surf illicit websites with company equipment. Next, he hired Hewlett-Packard to run the MIS department, and illicit websites were discovered on Soden’s own computer, forcing Soden to resign. Monitoring employees is one of the biggest challenges CIOs face when developing information management policies.9
Physical security is tangible protection such as alarms, guards, fireproof doors, fences, and vaults. New technologies enable employers to monitor many aspects of their employees’ jobs, especially on telephones, computer terminals, through electronic and voice mail, and when employees are using the Internet. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even this is not ensured), your employer may listen, watch, and read most of your workplace communications. Workplace MIS monitoring tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed (see Figure 4.7 for an overview). The best path for an organization planning to engage in employee monitoring is open communication, including an employee monitoring policy stating explicitly how, when, and where the company monitors its employees. Several common stipulations an organization can follow when creating an employee monitoring policy include:
Be as specific as possible stating when and what (email, IM, Internet, network activity, etc.) will be monitored.
Expressly communicate that the company reserves the right to monitor all employees.
State the consequences of violating the policy.
Always enforce the policy the same for everyone.
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN DEBATE
Monitoring Employees
Every organization has the right to monitor its employees. Organizations usually inform their employees when workplace monitoring is occurring, especially regarding organizational assets such as networks, email, and Internet access. Employees traditionally offer their consent to be monitored and should not have any expectations of privacy when using organizational assets.
Do you agree or disagree that organizations have an obligation to notify employees about the extent of workplace monitoring, such as how long employees are using the Internet and which websites they are visiting? Do you agree or disagree that organizations have the right to read all employees’ email sent or received on an organizational computer, including personal Gmail accounts?
Many employees use their company’s high-speed Internet access to shop, browse, and surf the web. Most managers do not want their employees conducting personal business during working hours, and they implement a Big Brother approach to employee monitoring. Many management gurus advocate that organizations whose corporate cultures are based on trust are more successful than those whose corporate cultures are based on mistrust. Before an organization implements monitoring technology, it should ask itself, “What does this say about how we feel about our employees?” If the organization really does not trust its employees, then perhaps it should find new ones. If an organization does trust its employees, then it might want to treat them accordingly. An organization that follows its employees’ every keystroke might be unwittingly undermining the relationships with its employees, and it might find the effects of employee monitoring are often worse than lost productivity from employee web surfing.
FIGURE 4.7
Internet Monitoring Technologies
Page 146
section 4.2
Information Security
LEARNING OUTCOMES
4.3 Describe the relationships and differences between hackers and viruses.
4.4 Describe the relationship between information security policies and an information security plan.
PROTECTING INTELLECTUAL ASSETS
LO 4.3: Describe the relationships and differences between hackers and viruses.
To reflect the crucial interdependence between MIS and business processes accurately, we should update the old business axiom “Time is money” to say “Uptime is money.” Downtime refers to a period of time when a system is unavailable. Unplanned downtime can strike at any time for any number of reasons, from tornadoes to sink overflows to network failures to power outages (see Figure 4.8). Although natural disasters may appear to be the most devastating causes of MIS outages, they are hardly the most frequent or most expensive. Figure 4.9 demonstrates that the costs of downtime are not only associated with lost revenues but also with financial performance, damage to reputations, and even travel or legal expenses. A few questions managers should ask when determining the cost of downtime are:10
How many transactions can the company afford to lose without significantly harming business?
Does the company depend on one or more mission-critical applications to conduct business?
How much revenue will the company lose for every hour a critical application is unavailable?
What is the productivity cost associated with each hour of downtime?
How will collaborative business processes with partners, suppliers, and customers be affected by an unexpected IT outage?
What is the total cost of lost productivity and lost revenue during unplanned downtime?
FIGURE 4.8
Sources of Unplanned Downtime
Page 147
FIGURE 4.9
The Cost of Downtime
The reliability and resilience of IT systems have never been more essential for success as businesses cope with the forces of globalization, 24/7 operations, government and trade regulations, global recession, and overextended IT budgets and resources. Any unexpected downtime in today’s business environment has the potential to cause both short- and long-term costs with far-reaching consequences.
Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. Information security is the primary tool an organization can use to combat the threats associated with downtime. Understanding how to secure information systems is critical to keeping downtime to a minimum and uptime to a maximum. Hackers and viruses are two of the hottest issues currently facing information security.
Security Threats Caused by Hackers and Viruses
Hackers are experts in technology who use their knowledge to break into computers and computer networks, either for profit or simply for the challenge. Smoking is not just bad for a person’s health; it seems it is also bad for company security because hackers regularly use smoking entrances to gain building access. Once inside, they pose as employees from the MIS department and either ask for permission to use an employee’s computer to access the corporate network or find a conference room where they simply plug in their own laptop. Drive-by hacking is a computer attack by which an attacker accesses a wireless computer network, intercepts data, uses network services, and/or sends attack instructions without entering the office or organization that owns the network. Figure 4.10 lists the various types of hackers for organizations to be aware of, and Figure 4.11 shows how a virus is spread.
Page 148
FIGURE 4.10
Types of Hackers
One of the most common forms of computer vulnerabilities is a virus. A virus is software written with malicious intent to cause annoyance or damage. Some hackers create and leave viruses, causing massive computer damage. A worm spreads itself not only from file to file but also from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers. Figure 4.12 provides an overview of the most common types of viruses. Two additional computer vulnerabilities include adware and spyware. Adware is software that, although purporting to serve some useful function and often fulfilling that function, also allows Internet advertisers to display advertisements without the consent of the computer user. Spyware is a special class of adware that collects data about the user and transmits it over the Internet without the user’s knowledge or permission. Spyware programs collect specific data about the user, ranging from general demographics such as name, address, and browsing habits to credit card numbers, Social Security numbers, and user names and passwords. Not all adware programs are spyware; used correctly, adware can generate revenue for a company, allowing users to receive free products. Spyware is a clear threat to privacy. Ransomware is a form of malicious software that infects your computer and asks for money. Simplelocker is a new ransomware program that encrypts your personal files and demands payment for the files’ decryption keys. Figure 4.13 displays a few additional weapons hackers use for launching attacks.11
FIGURE 4.11
How Computer Viruses Spread
Page 149
FIGURE 4.12
Common Forms of Viruses
FIGURE 4.13
Hacker Weapons
Organizational information is intellectual capital. Just as organizations protect their tangible assets—keeping their money in an insured bank or providing a safe working environment for employees—they must also protect their intellectual capital, everything from patents to transactional and analytical information. With security breaches and viruses on the rise and computer hackers everywhere, an organization must put in place strong security measures to survive.
THE FIRST LINE OF DEFENSE—PEOPLE
LO 4.4: Describe the relationship between information security policies and an information security plan.
Organizations today can mine valuable information such as the identity of the top 20 percent of their customers, who usually produce 80 percent of revenues. Most organizations view this type of information as intellectual capital and implement security measures to prevent it from walking out the door or falling into the wrong hands. At the same time, they must enable employees, customers, and partners to access needed information electronically. Organizations address security risks through two lines of defense; the first is people, the second is technology.
Surprisingly, the biggest problem is people because the majority of information security breaches result from people misusing organizational information. Insiders are legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident. For example, many individuals freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open for hackers. Through social engineering , hackers use their social skills to trick people into revealing access credentials or other valuable information. Dumpster diving , or looking through people’s trash, is another way hackers obtain information. Pretexting is a form of social engineering in which one individual lies to obtain confidential data about another individual.
Page 150
Information security policies identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days. An information security plan details how an organization will implement the information security policies. The best way a company can safeguard itself from people is by implementing and communicating its information security plan. This becomes even more important with Web 2.0 as the use of mobile devices, remote workforce, and contractors continue growing. A few details managers should consider surrounding people and information security policies include defining the best practices for12
Applications allowed to be placed on the corporate network, especially various file sharing applications (Kazaa), IM software, and entertainment or freeware created by unknown sources (iPhone applications).
Corporate computer equipment used for personal reasons on personal networks.
Password creation and maintenance, including minimum password length, characters to be included while choosing passwords, and frequency for password changes.
Personal computer equipment allowed to connect to the corporate network.
Virus protection, including how often the system should be scanned and how frequently the software should be updated. This could also include if downloading attachments is allowed and practices for safe downloading from trusted and untrustworthy sources.
THE SECOND LINE OF DEFENSE—TECHNOLOGY
LO 4.5: Provide an example of each of the three primary information security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response.
Once an organization has protected its intellectual capital by arming its people with a detailed information security plan, it can begin to focus on deploying technology to help combat attackers. Destructive agents are malicious agents designed by spammers and other Internet attackers to farm email addresses off websites or deposit spyware on machines. Figure 4.14 displays the three areas where technology can aid in the defense against attacks.
People: Authentication and Authorization
Identity theft consists of forging someone’s identity for the purpose of fraud. The fraud is often financial because thieves apply for and use credit cards or loans in the victim’s name. Two means of stealing an identity are phishing and pharming. Phishing is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent emails that look as though they came from legitimate businesses. The messages appear to be genuine, with official-looking formats and logos, and typically ask for verification of important information such as passwords and account numbers, ostensibly for accounting or auditing purposes. Since the emails look authentic, up to one in five recipients responds with the information and subsequently becomes a victim of identity theft and other fraud. Figure 4.15 displays a phishing scam attempting to gain information for Skyline Bank; you should never click emails asking you to verify your identity because companies will never contact you directly asking for your user name or password.13 A phishing expedition is a masquerading attack that combines spam with spoofing. The perpetrator sends millions of spam emails that appear to be from a respectable company. The emails contain a link to a website that is designed to look exactly like the company’s website. The victim is encouraged to enter his or her username, password, and sometimes credit card information. Spear phishing is a phishing expedition in which the emails are carefully designed to target a particular person or organization. Vishing (or voice phishing) is a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information.
FIGURE 4.14
Three Areas of Information Security
Page 151
Pharming reroutes requests for legitimate websites to false websites. For example, if you were to type in the URL to your bank, pharming could redirect to a fake site that collects your information. A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. Zombie attacks are almost impossible to trace back to the attacker. A zombie farm is a group of computers on which a hacker has planted zombie programs. A pharming attack uses a zombie farm, often by an organized crime association, to launch a massive phishing attack.
FIGURE 4.15
Skyline Bank Phishing Scam
Page 152
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN INNOVATION
Beyond the Password
The password, a combination of a user name and personal code, has been the primary way to secure systems since computers first hit the market in the 1980s. Of course, in the 1980s, users had only one password to maintain and remember, and chances are they still probably had to write it down. Today, users have dozens of user names and passwords they have to remember to multiple systems and websites—it is simply no longer sustainable! A few companies are creating new forms of identification, hoping to eliminate the password problem.
Bionym is developing the Nymi, a wristband with two electrodes that reads your heart’s unique electrocardiogram signal and can unlock all your devices.
Clef is developing the Clef Wave, a free app that generates a unique image on your smart phone that you can point at your webcam, which reads the image and unlocks your websites. The image cannot be stolen because it only stays on your screen for a few seconds. More than 300 websites have enabled the Clef Wave service.
Illiri is developing an app that emits a unique sound on your smart phone that can be used to unlock other devices, process payments, and access websites. The sound lasts for 10 seconds and can be heard within 1 foot of your device.
In a group, evaluate the three preceding technologies and determine which one you would choose to implement at your school.
Authentication and authorization technologies can prevent identity theft, phishing, and pharming scams. Authentication is a method for confirming users’ identities. Once a system determines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authorization is the process of providing a user with permission, including access levels and abilities such as file access, hours of access, and amount of allocated storage space. Authentication and authorization techniques fall into three categories; the most secure procedures combine all three:
1. Something the user knows, such as a user ID and password. The first type of authentication, using something the user knows, is the most common way to identify individual users and typically consists of a unique user ID and password. However, this is actually one of the most ineffective ways for determining authentication because passwords are not secure. All it typically takes to crack one is enough time. More than 50 percent of help-desk calls are password related, which can cost an organization significant money, and a social engineer can coax a password from almost anybody.
2. Something the user has, such as a smart card or token. The second type of authentication, using something the user has, offers a much more effective way to identify individuals than a user ID and password. Tokens and smart cards are two of the primary forms of this type of authentication. Tokens are small electronic devices that change user passwords automatically. The user enters his or her user ID and token-displayed password to gain access to the network. A smart card is a device about the size of a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing. Smart cards can act as identification instruments, a form of digital cash, or a data storage device with the ability to store an entire medical record.
3. Something that is part of the user, such as a fingerprint or voice signature. The third kind of authentication, something that is part of the user, is by far the best and most effective way to manage authentication. Biometrics (narrowly defined) is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting. A voiceprint is a set of measurable characteristics of a human voice that uniquely identifies an individual. These characteristics, which are based on the physical configuration of a speaker’s mouth and throat, can be expressed as a mathematical formula. Unfortunately, biometric authentication such as voiceprints can be costly and intrusive.
Page 153
Single-factor authentication is the traditional security process, which requires a user name and password. Two-factor authentication requires the user to provide two means of authentication, what the user knows (password) and what the user has (security token). Multifactor authentication requires more than two means of authentication such as what the user knows (password), what the user has (security token), and what the user is (biometric verification). The goal of multifactor authentication is to make it difficult for an unauthorized person to gain access to a system because, if one security level is broken, the attacker will still have to break through additional levels.
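To make the first two factors and the authorization step concrete, here is an added worked example in Python. It is not from the textbook: the user record, password, role table, and salt are constructed for illustration. "Something the user knows" is checked against a salted, iterated password hash rather than a stored password; "something the user has" is the RFC 6238 time-based one-time code that a token or authenticator app displays; only after both succeed does the authorization table decide what the identity may do.

```python
import hashlib
import hmac
import struct


# --- Something the user knows: store a salted, iterated hash, never the password itself ---
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# --- Something the user has: RFC 6238 time-based one-time code (what a token displays) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)          # 30-second time step as a counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step and one step either side so a slightly drifted clock still works.
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


# Constructed demo directory (hypothetical user; a real system uses a random per-user salt).
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery", _SALT),
        "salt": _SALT,
        "totp_secret": b"12345678901234567890",   # the RFC 6238 test-vector secret
        "role": "analyst",
    }
}

# Authorization: what an authenticated identity is permitted to do.
ROLE_PERMISSIONS = {
    "analyst": {"read_reports"},
    "admin": {"read_reports", "edit_reports", "manage_users"},
}


def authenticate(username: str, password: str, code: str, now: int) -> tuple[bool, str]:
    """Two-factor check: password (knows) then one-time code (has). Returns (ok, reason)."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)      # same work for unknown users, so timing reveals nothing
        return False, "invalid credentials"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "invalid credentials"  # same message as unknown user: do not leak which failed
    if not verify_totp(user["totp_secret"], code, now):
        return False, "invalid one-time code"
    return True, "authenticated"


def authorize(username: str, permission: str) -> bool:
    """Access privileges are looked up only for an identity that authentication has confirmed."""
    user = USERS.get(username)
    return user is not None and permission in ROLE_PERMISSIONS.get(user["role"], set())
```

The separation matters: a stolen password alone fails at the second step, and a successful login still grants only the permissions of the user's role, which is the authorization the text describes.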
Data: Prevention and Resistance
Prevention and resistance technologies stop intruders from accessing and reading data by means of content filtering, encryption, and firewalls. Time bombs are computer viruses that wait for a specific date before executing their instructions. Content filtering occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information. Organizations can use content filtering technologies to filter email and prevent emails containing sensitive information from transmitting, whether the transmission was malicious or accidental. It can also filter emails to prevent any suspicious files from transmitting, such as potentially virus-infected files. Email content filtering can also filter for spam, a form of unsolicited email.
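As an added illustration of email content filtering (not code from the textbook), the following Python example scans constructed outbound messages for two kinds of sensitive data the chapter mentions, payment card numbers and Social Security numbers, and blocks any message that carries them. Card candidates are checked with the Luhn checksum so that an ordinary order number made of sixteen digits is not blocked by mistake; the sample messages and addresses are constructed.

```python
import re

# Constructed sample outbound messages (not from the textbook).
SAMPLE_MESSAGES = [
    {"to": "partner@example.com", "body": "Invoice attached, total 1,250.00 USD."},
    {"to": "friend@example.net", "body": "My card is 4539 1488 0343 6467, exp 09/27."},
    {"to": "hr@example.com", "body": "SSN on file: 123-45-6789 for payroll."},
    {"to": "team@example.com", "body": "Order ref 1234-5678-9012-3456 is not a card."},
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_sensitive(body: str) -> list[str]:
    """Return the categories of sensitive data found in a message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append("payment_card")
    if SSN_RE.search(body):
        findings.append("ssn")
    return sorted(set(findings))


def filter_outbound(messages):
    """Split messages into (allowed recipients, blocked (recipient, reasons)) lists."""
    allowed, blocked = [], []
    for msg in messages:
        reasons = find_sensitive(msg["body"])
        if reasons:
            blocked.append((msg["to"], reasons))   # stopped whether leak was accidental or deliberate
        else:
            allowed.append(msg["to"])
    return allowed, blocked
```

The filter does not care about intent: the card number sent to a friend and the SSN sent to HR are both stopped, which is the "accidental or malicious" point the text makes.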
Encryption scrambles information into an alternative form that requires a key or password to decrypt. If there were a security breach and the stolen information were encrypted, the thief would be unable to read it. Encryption can switch the order of characters, replace characters with other characters, insert or remove characters, or use a mathematical formula to convert the information into a code. Companies that transmit sensitive customer information over the Internet, such as credit card numbers, frequently use encryption. To decrypt information is to decode it; decryption is the opposite of encryption. Cryptography is the science that studies encryption, which is the hiding of messages so that only the sender and receiver can read them. The National Institute of Standards and Technology (NIST) introduced an advanced encryption standard (AES) designed to keep government information secure.
Some encryption technologies use multiple keys. Public key encryption (PKE) uses two keys: a public key that everyone can have and a private key for only the recipient (see Figure 4.16). The organization provides the public key to all customers, whether end consumers or other businesses, who use that key to encrypt their information and send it via the Internet. When it arrives at its destination, the organization uses the private key to unscramble it.
FIGURE 4.16
Public Key Encryption (PKE)
Page 154
FIGURE 4.17
Sample Firewall Architecture Connecting Systems Located in Chicago, New York, and Boston
Public keys are increasingly used for authentication techniques in which a trusted third party confirms, by means of a digital object, the correlation between a user and the public key. A certificate authority is a trusted third party, such as VeriSign, that validates user identities by means of digital certificates. A digital certificate is a data file that identifies individuals or organizations online and is comparable to a digital signature.
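The two-key idea of Figure 4.16 and the certificate authority role described above can be shown together in one added Python example (not the textbook's code). It uses textbook RSA with small constructed primes so that the arithmetic is visible; the primes, the subject name, and the CA are all assumptions for illustration, and real deployments use much larger keys, padding, and hybrid encryption. Anyone holding the public key can encrypt for the owner and verify the owner's signatures; only the private key decrypts or signs; and a certificate is simply the CA's signature over the binding of a name to a public key.

```python
import hashlib
from math import gcd

# Constructed small primes for illustration only (a real RSA modulus is about 2048 bits).
P, Q = 1000003, 1000033


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Textbook RSA. Returns (public_key, private_key), each an (n, exponent) pair.
    The public key (n, e) is given to everyone; the private key (n, d) stays with the recipient."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can scramble a message for the key's owner."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus (real systems pad and use hybrid encryption)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private key unscrambles the ciphertext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    # Hash first, then reduce into the key's range (textbook simplification of real padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Digital signature: the private key is applied to a hash of the data."""
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature; any changed byte fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """A certificate authority binds a name to a public key by signing both together."""
    n, e = subject_public
    body = f"{subject}|{n}|{e}".encode()
    return {"subject": subject, "public_key": subject_public, "signature": sign(ca_private, body)}


def check_certificate(ca_public, cert: dict) -> bool:
    """A relying party trusts the binding only if the CA's signature over it verifies."""
    n, e = cert["public_key"]
    body = f"{cert['subject']}|{n}|{e}".encode()
    return verify(ca_public, body, cert["signature"])
```

Changing either the subject name or the key in a certificate invalidates the CA's signature, which is what lets a browser tell a site's real key from an impostor's.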
A firewall is hardware and/or software that guards a private network by analyzing incoming and outgoing information for the correct markings. If they are missing, the firewall prevents the information from entering the network. Firewalls can even detect computers communicating with the Internet without approval. As Figure 4.17 illustrates, organizations typically place a firewall between a server and the Internet. Think of a firewall as a gatekeeper that protects computer networks from intrusion by providing a filter and safe transfer points for access to and from the Internet and other networks. It screens all network traffic for proper passwords or other security codes and allows only authorized transmissions in and out of the network.
Firewalls do not guarantee complete protection, and users should enlist additional security technologies such as antivirus software and antispyware software. Antivirus software scans and searches hard drives to prevent, detect, and remove known viruses, adware, and spyware. Antivirus software must be frequently updated to protect against newly created viruses.
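The gatekeeper behaviour described for Figure 4.17 can be illustrated with a small rule evaluator, added here as an example and not taken from the textbook. The addresses, the rule set, and the "web server in front, private network behind" layout are constructed. Rules are matched top-down, the first match wins, and anything no rule allows is denied; the audit function picks out internal hosts trying to reach the Internet on ports the policy did not approve.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" (from the Internet) or "out" (from the private network)
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


# Constructed rule set: the firewall sits between the Internet, a public web server
# (203.0.113.10) and the internal network (10.0.0.0/8). First match wins; unmatched is denied.
RULES = [
    Rule("allow", "in",  "0.0.0.0/0",  "203.0.113.10/32", 443),          # HTTPS to web server
    Rule("allow", "in",  "0.0.0.0/0",  "203.0.113.10/32", 80),           # HTTP to web server
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       443),          # staff browsing over HTTPS
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       53, "udp"),    # DNS lookups
    Rule("deny",  "out", "10.0.0.0/8", "0.0.0.0/0",       None),         # everything else from inside
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and rule.proto == pkt.proto
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
    )


def evaluate(pkt: Packet, rules=RULES) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index None means the default deny applied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def audit(packets, rules=RULES):
    """Denied outbound attempts: internal machines talking to the Internet without approval."""
    return [
        (p.src, p.dst, p.dst_port)
        for p in packets
        if p.direction == "out" and evaluate(p, rules)[0] == "deny"
    ]
```

The default deny at the end of `evaluate` is the important design choice: a connection type nobody thought to list (for example SSH from the Internet to the web server) is blocked rather than silently allowed.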
Attack: Detection and Response
Cyberwar is an organized attempt by a country’s military to disrupt or destroy information and communication systems for another country. Cyberterrorism is the use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals. With so many intruders planning computer attacks, it is critical for all computer systems to be protected. The presence of an intruder can be detected by watching for suspicious network events such as bad passwords, the removal of highly classified data files, or unauthorized user attempts. Intrusion detection software (IDS) features full-time monitoring tools that search for patterns in network traffic to identify intruders. IDS protects against suspicious network traffic and attempts to access files and data. If a suspicious event or unauthorized traffic is identified, the IDS will generate an alarm and can even be customized to shut down a particularly sensitive part of a network. After identifying an attack, an MIS department can implement response tactics to mitigate the damage. Response tactics outline procedures such as how long a system under attack will remain plugged in and connected to the corporate network, when to shut down a compromised system, and how quickly a backup system will be up and running.
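The paragraph above lists the events an IDS watches for: bad passwords, removal of highly classified files, and unauthorized user attempts. The following added Python example (not from the textbook) runs two such detections over constructed, sshd-style log lines: a burst of failed logins from one source within a short window, and a read of a classified file by a user who is not on the cleared list. The log format, addresses, user names, path, and cleared-user list are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from the textbook).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:03 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:05 sshd: Failed password for root from 198.51.100.7
2024-03-01T08:00:06 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:08 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:01:00 sshd: Accepted password for jsmith from 10.0.0.22
2024-03-01T08:30:00 sshd: Failed password for jsmith from 10.0.0.22
2024-03-01T09:15:00 audit: user jsmith read /secure/classified/merger-plan.docx
"""

LINE_RE = re.compile(r"^(\S+) (\w+): (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
FILE_RE = re.compile(r"user (\S+) read (/secure/classified/\S+)")
CLEARED_USERS = {"ceo", "legal"}   # constructed: who may read classified files


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return alerts as (kind, subject, timestamp) tuples, in the order they fire."""
    alerts = []
    failures = defaultdict(deque)          # source address -> timestamps of recent failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line: skip rather than crash the monitor
        ts = datetime.fromisoformat(m.group(1))
        body = m.group(3)

        f = FAIL_RE.search(body)
        if f:
            src = f.group(2)
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("brute_force", src, ts))
                q.clear()                  # one alert per burst, not one per extra failure
            continue

        g = FILE_RE.search(body)
        if g and g.group(1) not in CLEARED_USERS:
            alerts.append(("unauthorized_classified_access", g.group(1), ts))
    return alerts
```

A single failed login by a legitimate user (jsmith at 08:30) produces nothing, while five failures in seven seconds from one address and a classified-file read by an uncleared user each raise an alert; the response tactics the text goes on to describe would be triggered from these alerts.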
Page 155
APPLY YOUR KNOWLEDGE
BUSINESS DRIVEN START-UP
LifeLock: Keeping Your Identity Safe
Have you ever seen a LifeLock advertisement? If so, you know the Social Security number of LifeLock CEO Todd Davis because he posts it in all ads daring hackers to try to steal his identity. Davis has been a victim of identity theft at least 13 times. The first theft occurred when someone used his identity to secure a $500 loan from a check-cashing company. Davis discovered the crime only after the company called his wife’s cell phone to recover the unpaid debt.14
If you were starting an identity theft prevention company, do you think it would be a good idea to post your Social Security number in advertisements? Why or why not? What do you think happened that caused Davis’s identity to be stolen? What types of information security measures should LifeLock implement to ensure that Davis’s Social Security number is not stolen again? If you were LifeLock’s CEO, what type of marketing campaign would you launch next?
Guaranteeing the safety of organizational information is achieved by implementing the two lines of defense: people and technology. To protect information through people, firms should develop information security policies and plans that provide employees with specific precautions they should take in creating, working with, and transmitting the organization’s information assets. Technology-based lines of defense fall into three categories: authentication and authorization; prevention and resistance; and detection and response.
LEARNING OUTCOME REVIEW
Learning Outcome 4.1: Explain the ethical issues in the use of information technology.
Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. For this reason, acting ethically and legally are not always the same.
Learning Outcome 4.2: Identify the six epolicies organizations should implement to protect themselves.
1. An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours.
2. An information privacy policy contains general principles regarding information privacy.
3. An acceptable use policy (AUP) is a policy that a user must agree to follow to be provided access to corporate email, information systems, and the Internet.
4. An email privacy policy details the extent to which email messages may be read by others.
5. A social media policy outlines the corporate guidelines or principles governing employee online communications.
6. An employee-monitoring policy states explicitly how, when, and where the company monitors its employees.
Page 156
Learning Outcome 4.3: Describe the relationships and differences between hackers and viruses.
Hackers are experts in technology who use their knowledge to break into computers and computer networks, either for profit or just for the challenge. A virus is software written with malicious intent to cause annoyance or damage. Some hackers create and leave viruses, causing massive computer damage.
Learning Outcome 4.4: Describe the relationship between information security policies and an information security plan.
Information security policies identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days. An information security plan details how an organization will implement the information security policies. The best way a company can safeguard itself from people is by implementing and communicating its information security plan.
Learning Outcome 4.5: Provide an example of each of the three primary information security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response.
Authentication and authorization: Authentication is a method for confirming users’ identities. Once a system determines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authorization is the process of providing a user with permission, including access levels and abilities such as file access, hours of access, and amount of allocated storage space.
Prevention and resistance: Content filtering occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information. Encryption scrambles information into an alternative form that requires a key or password to decrypt. In a security breach, a thief is then unable to read encrypted information. A firewall is hardware and/or software that guards a private network by analyzing incoming and outgoing information for the correct markings.
Detection and response: Intrusion detection software (IDS) features full-time monitoring tools that search for patterns in network traffic to identify intruders.
OPENING CASE QUESTIONS
1. Knowledge: Define information ethics and information security and explain whether they are important to help prevent hackers from gaining access to an organization.
2. Comprehension: Identify two epolicies that a business could implement to ensure the protection of sensitive corporate data from hackers.
3. Application: Demonstrate how a business can use authentication and authorization technologies to prevent hackers from gaining access to organizational systems.
4. Analysis: Analyze how a business can use prevention and resistance technologies to safeguard its employees from hackers and viruses.
5. Synthesis: Explain why hackers want to gain access to organizational data.
6. Evaluate: Evaluate additional ways hackers can gain access to organizational data.
Page 157
KEY TERMS
Advanced encryption standard (AES)
Black-hat hackers
Child Online Protection Act (COPA)
Cracker
Cyberterrorists
Ediscovery (or electronic discovery)
FIP (Fair Information Practices)
Hactivists
Information compliance
Information governance
Information management
Information property
Information secrecy
Intrusion detection software (IDS)
Script kiddies or script bunnies
White-hat hackers
REVIEW QUESTIONS
1. What are ethics and why are they important to a company?
2. What is the relationship between information management, governance, and compliance?
3. Why are epolicies important to a company?
4. What is the correlation between privacy and confidentiality?
5. What is the relationship between adware and spyware?
6. What are the positive and negative effects associated with monitoring employees?
7. What is the relationship between hackers and viruses?
8. Why is security a business issue, not just a technology issue?
9. What are the growing issues related to employee communication methods and what can a company do to protect itself?
10. How can a company participating in ebusiness keep its information secure?
11. What technologies can a company use to safeguard information?
12. Why is ediscovery important to a company?
13. What are the reasons a company experiences downtime?
14. What are the costs associated with downtime?
Page 158
CLOSING CASE ONE
Targeting Target
The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.
It’s a measure of how common these crimes have become, and how conventional the hackers’ approach in this case, that Target was prepared for such an attack. Six months earlier, the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.
On Saturday, Nov. 30, 2013, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then . . .
Nothing happened.
For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.
When asked to respond to a list of specific questions about the incident and the company’s lack of an immediate response to it, Target chairman, president, and chief executive officer Gregg Steinhafel issued an emailed statement: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”
More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions. Target spent $61 million through February 1, 2014, responding to the breach, according to its fourth-quarter report to investors. It set up a customer response operation, and in an effort to regain lost trust, Steinhafel promised that consumers won’t have to pay any fraudulent charges stemming from the breach. Target’s profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008.15
Questions
1. How did the hackers steal Target’s customer data?
2. What types of technology could big retailers use to prevent identity thieves from stealing information?
3. What can organizations do to protect themselves from hackers looking to steal account data?
4. In a team, research the Internet and find the best ways to protect yourself from identity theft.
CLOSING CASE TWO
To Share—Or Not to Share
People love social networks! Social networks are everywhere and a perfect way to share vacation photos, family events, and birthday parties with family, friends, and co-workers. About 40 percent of adults use at least one social media website, and 51 percent of those use more than one website. The majority of users are between the ages of 18 and 24. The Pew Research Center found that 89 percent of social network users primarily use the websites to update friends and family, 57 percent use the websites to make plans with friends, and 49 percent use the websites to make new friends.
Facebook, MySpace, LinkedIn, Friendster, Urban Chat, and Black Planet are just a few of more than 100 websites connecting people around the world who are eager to share everything from photos to thoughts and feelings. But we need to remember that sometimes you can share too much; there can be too much information. Choosing who you share with and what you share is something you want to think about for your personal social networks and corporate social networks. According to Pew Research, more than 40 percent of users allow open access to their social networking profiles, which allows anyone from anywhere to view all of their personal information. The remaining 60 percent restrict access to friends, family, and co-workers. The following are the top 10 things you should consider before posting information to your social networks.
1: If You Don’t Want to Share It – Don’t Post It
You can select all the privacy settings you want on social networking sites, but the fact is, if you post it, it has the potential to be seen by someone you don’t want seeing it. You know all those fun Facebook applications, quizzes, and polls you can’t help but fill out? A study performed by the University of Virginia found that of the top 150 applications on Facebook, 90 percent were given access to information they didn’t need for the application to function. So when you sign up to find out what sitcom star you most identify with, the makers of that poll now have access to your personal information. It’s anybody’s guess where it goes from there. Social networking is all about sharing, so something you think is in confidence can easily be shared and then shared again, and before you know it, someone you don’t even know has access to something private. “When in doubt, leave it out” is a good motto to follow. And always remember that anything you share has the potential to be leaked in some way.
2: Never Give Out Your Password Hints
Most websites that contain secure personal information require a password and have at least one password hint in case you forget. It typically goes like this: You sign up for something such as online banking; you get a logon and password and then choose a security question for when you forget your password. What’s the name of your first pet? What’s your mother’s maiden name? What was your high school mascot? What’s the name of the first street you lived on? Including any of these details on a Facebook wall or status update may not seem like a big deal, but it could provide an identity thief with the last piece of the puzzle needed to hack into your bank account. Think before you post anything that could compromise this information.
3: Never Give Out Your Password
This one really seems like a no-brainer, but if it didn’t happen, then Facebook probably wouldn’t feel the need to list it in the No. 1 slot on its list of things you shouldn’t share. Even sharing the password with a friend so he or she can log on and check something for you can be a risk. This is especially true with couples who feel like there’s enough trust to share these kinds of things. Here’s another scenario for you: You give your boyfriend your Facebook password because he wants to help you upload some vacation photos. A couple of months later, the relationship sours, he turns into a not-so-nice guy, and then there’s a person out there who doesn’t like you and has your logon information. Time to cancel your account and get a new one. If you’d kept that information private, you could simply move on with your life. Now you have a compromised profile, and if you link to other sites or profiles, all that information is at risk as well. Keep your password to yourself, no matter what, and you never have to worry about it.
4: Never Provide Personal Financial Information
You would think that nobody would share things like where they do their banking or what their stock portfolio looks like, but it happens. It’s easy for an innocent Facebook comment to reveal too much about your personal finances. Consider this scenario: You’re posting to a long thread on a friend’s wall about the bank crisis. You say something along the lines of, “We don’t need to worry because we bank with a teacher’s credit union,” or even, “We put all our money into blue chip stocks and plan to ride it out.” Again, if you’re one of the 40 percent who allow open access to your profile, then suddenly identity thieves know where you bank and where you have the bulk of your investments. It’s easy to forget that what may seem like a harmless comment on a Facebook wall could reveal a great deal about your personal finances. It’s best to avoid that kind of talk.
5: Never Give Out Your Address or Phone Numbers
File this one under security risk. If you share your address and phone number on a social networking site, you open yourself up to threats of identity theft and other personal dangers such as burglaries. If you post that you’re going on vacation and you have your address posted, then everyone knows you have an empty house. Identity thieves could pay a visit to your mailbox and open up a credit card in your name. Burglars could rid your home of anything of value. Even just posting your phone number gives people with Internet savvy easy access to your address: reverse lookup services can supply anyone in possession of your phone number with your home address.
6: Never Share Photos of Your Children
Social networking sites are a common place for people to share pictures of their families, but if you’re one of the 40 percent of users who don’t restrict access to your profile, then those pictures are there for everyone to see. It’s a sad fact, but a lot of predators use the Internet to stalk their prey. If you post pictures of your family and combine that with information like, “My husband is out of town this weekend” or “Little Johnny is old enough to stay at home by himself now,” then your children’s safety could be at risk. Nobody ever thinks it will happen to them until it does, so safety first is a good default mode when using social networking sites. Just like with other private matters, send family photos only to a select group of trusted friends and colleagues who you know won’t share them.
7: Never Provide Company Information
You may be dying to tell the world about your new work promotion, but if it’s news that could be advantageous to one of your company’s competitors, then it’s not something you should share. News of a planned expansion or a big project role and anything else about your workplace should be kept private. Sophos, a security software company, found that 63 percent of companies were afraid of what their employees were choosing to share on social networking sites. If you want to message it out, be selective and send private emails. Many companies are so serious about not being included in social networking sites that they forbid employees from using sites like Facebook at work. Some IT departments even filter the URLs and block access to these sites so employees aren’t tempted to log on.
8: Never Give Links to Websites
With 51 percent of social network users taking advantage of more than one site, there’s bound to be some crossover, especially if you have the sites linked. You may post something you find innocuous on Facebook, but then it’s linked to your LinkedIn work profile and you’ve put your job at risk. If you link your various profiles, be aware that what you post in one world is available to the others. In 2009, a case of an employee caught lying on Facebook hit the news. The employee asked off for a weekend shift because he was ill and then posted pictures on his Facebook profile of himself at a party that same weekend. The news got back to his employer easily enough and he was fired. So if you choose to link your profiles, it’s no longer a “personal life” and “work life” scenario.
9: Keep Your Social Plans to Yourself
Sharing your social plans for everybody to see isn’t a good idea. Unless you’re planning a big party and inviting all the users you’re connected to, it will only make your other friends feel left out. Some security issues are also at stake here. Imagine a scenario in which a jealous ex-boyfriend knows that you’re meeting a new date out that night. What’s to keep the ex from showing up and causing a scene or even potentially getting upset or violent? Nothing. If you’re planning a party or an outing with a group of friends, send a personal “e-vite” for their eyes only and nobody is the wiser. If you’re trying to cast a wide net by throwing out an idea for a social outing, just remember that anyone who has access to your profile sees it.
10: Do Not Share Personal Conversations
On Facebook, users can send personal messages or post notes, images, or videos to another user’s wall. The wall is there for all to see, while messages are between the sender and the receiver, just like an email. Personal and private matters should never be shared on your wall. You wouldn’t go around with a bullhorn announcing a private issue to the world, and the same thing goes on the Internet. This falls under the nebulous world of social networking etiquette. There is no official handbook for this sort of thing, but use your best judgment. If it’s not something you’d feel comfortable sharing in person with extended family, acquaintances, work colleagues, or strangers, then you shouldn’t share it on your Facebook wall.16
Questions
1. Define information ethics and information security and explain why each is critical to any business.
2. Identify two epolicies that a business could implement to ensure the protection of sensitive corporate data.
3. Demonstrate how a business can use authentication and authorization technologies to prevent information theft.
4. Analyze how a business can use prevention and resistance technologies to safeguard its employees from hackers and viruses.
5. Propose a plan to implement information security plans to ensure your critical information is safe and protected.
6. Evaluate the information security issues facing a business and identify its three biggest concerns.
CRITICAL BUSINESS THINKING
1. Cheerleader Charged $27,750 for File Sharing 37 Songs
A federal appeals court is ordering a university student to pay the Recording Industry Association of America $27,750—$750 a track—for file sharing 37 songs when she was a high school cheerleader. Have you ever illegally copied or downloaded a song or movie? If you have and you were forced to pay $750 per track, how much would you owe? What is the difference between file sharing and Internet radio streaming? Do you agree or disagree with the federal appeals decision? Why or why not? Why is claiming a lack of copyright knowledge not a good defense against illegally sharing movies or music? If you do not have a good understanding of information laws, what can you do to ensure that you are never named in a federal lawsuit for violating information laws?17
2. Police Records Found in Old Copy Machine
Copy machines made after 2002 all contain a hard drive that stores a copy of every document the machine has ever scanned, printed, copied, or faxed. If the hard drive is not erased or scrubbed when the copy machine is resold, all of that digital information is still maintained inside the machine. The Buffalo, New York, Police Sex Crimes Division recently sold several copy machines without scrubbing the hard drives. The hard drives yielded detailed domestic violence complaints and a list of wanted sex offenders. A machine from the Buffalo Police Narcotics Unit contained targets in a major drug raid, and a copier once used by a New York construction company stored 95 pages of pay stubs with names, addresses, and Social Security numbers.18 Who do you think should be held responsible for the information issues caused at the Buffalo police department? What types of ethical issues and information security issues are being violated? What types of epolicies could a company implement to ensure that these situations do not occur? What forms of information security could a company implement to ensure that these situations do not occur? How does this case support the primary reason that ediscovery is so important to litigation?
3. Firewall Decisions
You are the CEO of Inverness Investments, a medium-size venture capital firm that specializes in investing in high-tech companies. The company receives more than 30,000 email messages per year. On average, there are two viruses and three successful hackings against the company each year, which result in losses to the company of about $250,000. Currently, the company has antivirus software installed but does not have any firewalls. Your CIO is suggesting implementing 10 firewalls for a total cost of $80,000. The estimated life of each firewall is about three years. The chances of hackers breaking into the system with the firewalls installed are about 3 percent. Annual maintenance costs on the firewalls are estimated around $15,000. Create an argument for or against supporting your CIO’s recommendation to purchase the firewalls. Are there any considerations in addition to finances?
4. Preventing Identity Theft
The FBI states that identity theft is one of the fastest-growing crimes. If you are a victim of identity theft, your financial reputation can be ruined, making it impossible for you to cash a check or receive a bank loan. Learning how to avoid identity theft can be a valuable activity. Using the Internet, research the most current ways the government recommends for you to prevent identity theft.
5. Discussing the Three Areas of Information Security
Great Granola Inc. is a small business operating out of northern California. The company specializes in selling homemade granola, and its primary sales vehicle is through its website. The company is growing exponentially and expects its revenues to triple this year to $12 million. The company also expects to hire 60 additional employees to support its growth. Joan Martin, the CEO, is aware that if her competitors discover the recipe for her granola, or who her primary customers are, it could easily ruin her business. Martin has hired you to draft a document discussing the different areas of information security, along with your recommendations for providing a secure ebusiness environment.
6. Spying on Email
Technology advances now allow individuals to monitor computers that they do not even have physical access to. New types of software can capture an individual’s incoming and outgoing email and then immediately forward that email to another person. For example, if you are at work and your child is home from school and she receives an email from John at 3:00 p.m., at 3:01 p.m. you can receive a copy of that email sent to your email address. If she replies to John’s email, within seconds you will receive a copy of what she sent to John. Describe two scenarios (other than those described here) for the use of this type of software: one in which the use would be ethical and one in which it would be unethical.
7. Stealing Software
The software industry fights against pirated software on a daily basis. The major centers of software piracy are in places such as Russia and China, where salaries and disposable income are comparatively low. People in developing and economically depressed countries will fall behind the industrialized world technologically if they cannot afford access to new generations of software. Considering this, is it reasonable to blame someone for using pirated software when it could cost him or her two months’ salary to purchase a legal copy? Create an argument for or against the following statement: Individuals who are economically less fortunate should be allowed access to software free of charge to ensure that they are provided with an equal technological advantage.
8. Censoring Google
The Google debate over operations in China is an excellent example of the types of global ethical and security issues U.S. companies face as they expand operations around the world. Google’s systems were targeted by highly sophisticated hacker attacks aimed at obtaining proprietary information, including personal data belonging to Chinese human rights activists who use Google’s Gmail service. Google, which originally agreed to filter search results based on Chinese government censorship rules, decided to unfilter search results after what it called an infiltration of its technology and the email accounts of Chinese human-rights activists. China called Google’s plan to defy government censorship rules unfriendly and irresponsible and demanded that Google shut down all operations in China. Why would China want to filter search results? Do you agree or disagree with China’s censorship rules? Do you think Google was acting ethically when it agreed to implement China’s censorship rules? Why do companies operating abroad need to be aware of the different ethical perspectives found in other cultures?
9. Sources Are Not Friends
The Canadian Broadcasting Company (CBC) has issued a social networking policy directing journalists to avoid adding sources or contacts as friends on social networking sites such as Facebook or LinkedIn. Basic rules state that reporters must never allow one source to view what another source says, and reporters must ensure that private conversations with sources remain private. Adding sources as friends can compromise a journalist’s work by allowing friends to view other friends in the network. It may also not be in a journalist’s best interest to become a friend in a source’s network. The CBC also discourages posting any political preferences in personal profiles, in comments on bulletin boards, or on people’s Facebook walls. This might seem like common sense, but for employees who do not spend countless hours on the Internet, using social networking sites can be confusing and overwhelming. Why is it critical for any new hire to research and review all policies, especially social media policies? Research three companies you would like to work for after graduation and detail the types of social media policies that the company currently has or should implement.
ENTREPRENEURIAL CHALLENGE
BUILD YOUR OWN BUSINESS
1. Providing employees with computer access is one of the perks offered by your business. Employees enjoy checking their personal email and surfing the Internet on their breaks. So far, computer access has been a cherished employee benefit. When you came into work this morning you found the following anonymous letter from one of your employees on your desk. “I received a highly inappropriate joke from a fellow employee that I found extremely offensive. The employee who sent the joke was Debbie Fernandez and I believe she should be reprimanded for her inappropriate actions. Signed—a disturbed employee.” What would you do? What could you have done to ensure that situations such as these would be easily handled if they did arise? What could you do to ensure that such situations do not happen in the future and, if they do, that all employees are aware of the ramifications of inappropriate emails? (Be sure to identify your business and the name of your company.)
2. The local community has always been a big part of your grandfather’s business, and he knew almost everyone in the community. Your grandfather attended all types of community events and would spend hours talking with friends and neighbors, soliciting feedback and ideas on his business. As you know, data are important to any business. In fact, data are an essential business asset. You have decided to start tracking detailed customer information for all business events from fund-raising to promotions. Since you took over the business, you have been collecting more and more event data to help you run marketing campaigns across events and optimize the event schedules. One day, a sophisticated businessman walks into your business and asks to speak to the owner. He introduces himself as Lance Smith and says that he would like to talk to you in private. Smith is retiring and is closing his business that was located just down the street, and he wants to sell you his detailed customer information. Smith would like a large sum of money to sell you his confidential customer contact information and sales reports for the past 20 years. He says he has more than 10,000 customers in his unique database. What do you do?
3. Yesterday you had an interesting conversation with one of your loyal customers, Dan Martello. He asked you the following question: “If I find a digital camera on the street, is it OK to look at the contents, or am I invading the owner’s privacy?” You had a lengthy debate and decided that in some scenarios it is an invasion of privacy to look at someone else’s photos, similar to looking in their windows. In other scenarios, it is not an invasion of privacy if you do not know the person and it is the primary way to identify the owner to return the camera, similar to looking in a wallet. As you are cleaning your business, you find a 30 gigabyte thumb drive and you know that it probably belongs to one of your valuable customers and contains his sensitive information. What do you do? What security concerns are associated with the thumb drive? How could information security policies or an information security plan help your business with this type of situation?
APPLY YOUR KNOWLEDGE BUSINESS PROJECTS
PROJECT I Grading Security
Making The Grade is a nonprofit organization that helps students learn how to achieve better grades in school. The organization has 40 offices in 25 states and more than 2,000 employees. The company wants to build a website to offer its services online. Making The Grade’s online services will provide parents seven key pieces of advice for communicating with their children to help them achieve academic success. The website will offer information on how to maintain open lines of communication, set goals, organize academics, regularly track progress, identify trouble spots, get to know their child’s teacher, and celebrate their children’s successes.
You and your team work for the director of information security. Your team’s assignment is to develop a document discussing the importance of creating information security policies and an information security plan. Be sure to include the following:
The importance of educating employees on information security.
A few samples of employee information security policies specifically for Making The Grade.
Other major areas the information security plan should address.
Signs the company should look for to determine whether the website is being hacked.
The major types of attacks the company should expect to experience.
PROJECT II Eyes Everywhere
The movie Minority Report chronicled a futuristic world where people are uniquely identifiable by their eyes. A scan of each person’s eyes gives or denies them access to rooms, computers, and anything else with restrictions. The movie portrayed a black market in new eyeballs to help people hide from the authorities. (Why did they not just change the database entry instead? That would have been much easier but a lot less dramatic.)
The idea of using a biological signature is entirely plausible; biometrics is currently being used and is expected to gain wider acceptance in the near future because forging documents has become much easier with the advances in computer graphics programs and color printers. The next time you get a new passport, it may incorporate a chip that has your biometric information encoded on it. Office of Special Investigations agents with fake documents found that it was relatively easy to enter the United States from Canada, Mexico, and Jamaica by land, sea, and air.
The task of policing the borders is daunting. Some 500 million foreigners enter the country every year and go through identity checkpoints. More than 13 million permanent-resident and border-crossing cards have been issued by the U.S. government. Also, citizens of 27 countries do not need visas to enter this country. They are expected to have passports that comply with U.S. specifications that will also be readable at the border.
In the post-9/11 atmosphere of tightened security, unrestricted border crossing is not acceptable. The Department of Homeland Security is charged with securing the nation’s borders, and as part of this plan, new entry/exit procedures were instituted at the beginning of 2003. An integrated system, using biometrics, will be used to identify foreign visitors to the United States and reduce the likelihood of terrorists entering the country.
Early in 2003, after 6 million biometric border-crossing cards had been issued, a pilot test conducted at the Canadian border detected more than 250 imposters. The testing started with two biometric identifiers: photographs for facial recognition and fingerprint scans. As people enter and leave the country, their actual fingerprints and facial features are compared to the data on the biometric chip in the passport.
In a group, discuss the following:
a. How do you feel about having your fingerprints, facial features, and perhaps more of your biometric features encoded in documents such as your passport? Explain your answer.
b. Would you feel the same way about having biometric information on your driver’s license as on your passport? Why or why not?
c. Is it reasonable to have different biometric identification requirements for visitors from different nations? Explain your answer. What would you recommend as criteria for deciding which countries fall into what categories?
d. The checkpoints U.S. citizens pass through upon returning to the country vary greatly in the depth of the checks and the time spent. The simplest involves simply walking past the border guards who may or may not ask you your citizenship. The other end of the spectrum requires you to put up with long waits in airports where you have to line up with hundreds of other passengers while each person is questioned and must produce a passport to be scanned. Would you welcome biometric information on passports if it would speed the process, or do you think that the disadvantages of the reduction in privacy, caused by biometric information, outweigh the advantages of better security and faster border processing? Explain your answer.
PROJECT III Setting Boundaries
Even the most ethical people sometimes face difficult choices. Acting ethically means behaving in a principled fashion and treating other people with respect and dignity. It is simple to say, but not so simple to do, since situations are complex or ambiguous. The important role of ethics in our lives has long been recognized. As far back as 44 BC, Cicero said that ethics are indispensable to anyone who wants to have a good career. Having said that, Cicero, along with some of the greatest minds over the centuries, struggled with what the rules of ethics should be.
Our ethics are rooted in our history, culture, and religion, and our sense of ethics may shift over time. The electronic age brings with it a new dimension in the ethics debate—the amount of personal information that we can collect and store and the speed with which we can access and process that information.
In a group, discuss how you would react to the following situations:
a. A senior marketing manager informs you that one of her employees is looking for another job and she wants you to give her access to look through her email.
b. A vice president of sales informs you that he has made a deal to provide customer information to a strategic partner, and he wants you to copy all of the customer information to a thumb drive.
c. You are asked to monitor your employee’s email to discover whether he is sexually harassing another employee.
d. You are asked to install a video surveillance system in your office to find out whether employees are taking office supplies home with them.
e. You are looking on the shared network drive and discover that your boss’s entire hard drive has been copied to the network for everyone to view. What do you do?
f. You have been accidentally copied on an email from the CEO, which details who will be the targets of the next round of layoffs. What do you do?
PROJECT IVContemplating Sharing
Bram Cohen created BitTorrent, which allows users to upload and download large amounts of data. Cohen demonstrated his program at the world hacker conference, as a free, open source project aimed at computer users who need a cheap way to swap software online. Soon many TV and movie fanatics began using the program to download copyrighted materials. As a result of the hacker conference, more than 20 million people downloaded the BitTorrent program and began sharing movies and television shows across the Internet.
There is much debate surrounding the ethics of peer-to-peer networking. Do you believe BitTorrent is ethical or unethical? Justify your answer.
PROJECT V Fired for Smoking on the Weekend
New technologies make it possible for employers to monitor many aspects of their employees' jobs: telephone calls, activity on computer terminals, electronic and voice mail, and Internet use. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even then it is not guaranteed), your employer may listen to, watch, and read most of your workplace communications.
Employers are taking monitoring activity a step further and monitoring employees, and employees' spouses, at home and on weekends. Yes, you read that correctly. Numerous employees have been fired for smoking cigarettes on the weekend in the privacy of their own homes. As health care costs escalate, employers are increasingly seeking to regulate employee behavior, at home as well as in the workplace. Weyco, an insurance benefits administrator in Michigan, initiated a program requiring mandatory breath tests to detect nicotine; any employee testing positive would be sent home without pay for one month. If the employee failed the nicotine test a second time, that person would be fired, no matter how long the employee had been with the company.
Weyco’s smoking prohibition does not stop with employees but extends to spouses, who must also pass monthly nicotine tests. A positive test means the employee must pay a monthly fee of $80 until the spouse takes a smoking cessation program and tests nicotine-free.
Do you agree that companies have the right to hold employees accountable for actions they perform on weekends in the privacy of their own homes? If you were the CEO of Weyco, what would be your argument supporting its smoking prohibition policies? Do you think Weyco’s monitoring practices are ethical? Do you think Weyco’s monitoring practices are legal?
PROJECT VI Doodling Passwords
As our online world continues to explode, people are finding the number of user names and passwords they need to remember growing exponentially. For this reason, many users will assign the same password for every logon, choose easy-to-remember names and dates, or simply write down their passwords on sticky notes and attach them to their computers. Great for the person who needs to remember 72 passwords, but not so great for system security.
Of course, the obvious answer is to deploy biometrics across the board, but once you start reviewing the costs associated with biometrics, you quickly realize that this is not feasible. What is coming to the rescue to help with the password nightmare we have created? The doodle. Background Draw-a-Secret (BDAS) is a new program created by scientists at Newcastle University in England. BDAS begins by recording the number of strokes it takes a user to draw a doodle; when the user wants to gain access to the system, he simply redraws the doodle on a touchpad and it is matched against the stored prototype. If the doodle matches, the user is granted access. Doodles are even described as being far more anonymous, and therefore as offering greater security, than biometrics.
You are probably thinking that you'll end up right back in the same position, having to remember all 72 of your password doodles. The good news is that with doodle passwords, you don't have to remember a thing. The doodle password can be displayed to users, and they simply have to redraw it, because the system analyzes how the user draws, that is, the user's unique hand strokes, not the actual doodle (similar to handwriting recognition technologies).
If you were going to deploy doodle passwords to your organization, what issues and concerns do you think might occur? Do you agree that doodles are easier to remember than text passwords? Do you agree that doodles offer the most effective way to manage authentication and authorization, even greater than biometrics? What types of unethical issues do you think you might encounter with doodle passwords?
AYK APPLICATION PROJECTS
If you are looking for Excel projects to incorporate into your class, try any of the following after reading this chapter.