Privacy & Security Issues at Work Place – Office
Every organisation locally or internationally have their set of ethics to be followed in the business activities, and its the prime duty of the organisation staff to adhere to the rules and regulation while at work. Though code of ethics is followed, there are circumstances where issues are to arise. Obligations to such issues are not mentioned in the code of ethics. Such ethical issues would be as follows:
CORPS Private Limited is a leading company in retail businesses and it is well-known in the region because of its good reputation. They started facing many unexpected issues regarding their computer systems since last month. As a result of this, they created a special group having many well qualified Business Analysts and IT Professionals to investigate and find out the issues in their systems efficiently. After discussing with the company System Administrators and other operative management staff, they found out that their systems are facing some severe security threats which may lead to the system crash. In this case how possibly could system security been considered as a social issue? Social issues could be defined issues interrelated have an impact of a group, a community or an organisation. In this case, CORPS being a leading retail business company and engages in a number of transaction per day, would be definitely affected by a system efficiency. Because, the backbone of the organisation is the system, if that fails, then the entire days proceedings comes to a standstill. As a solution, according to the BCS code conduct, section 2 Duty to Relevant Authority, the failure of the system could be reported to the technical administers of the organisation. Therefore ;System Administrators main work is to monitor the processing activity, tune the system and explain all the past activities that have happened during the last three months to the team. SO, if the team reports to the systems administrator of CORPS the failure is fixed.
There can be several definitions to explain the term “Ethical Issue”. The simplest would be , the perception of the activity. Consequence theory explains this clearly(G.Johnson, computer ethics , 2002). The” behaviour or the conduct of a person towards an activity can be argued right or wrong based on his perception”. For example; employees of an organisation visiting social networks like Facebook, Twitter, Myspace or Skype . This may be against the code of ethics of that particular organisation where, visiting social blogs whilst working would be wrong. But what if the employee argues saying, the visit was not during work hours, but after his work hours. Where he had completed his responsibility has an employee and was gaining some entertainment. In the employees perspective this arguement would be correct. But in the company’s side, they would argue saying, why does the employee have to exploit company resources and gain entertainment. Also, he might finish his cores and log in, but there may be other where secretly would gain access to social sites. In this case, he is leading by example. So the best solution to this would be to block social websites during working hours. Thereby all problems are solved in both view points.
Today the internet has become the main source of globalisation. It has become the most indispensable utensil for every human being around the world to carry out many different activities. The expansion of globalisation, has made many business engage into eBusiness , like e-commerce & eBusiness. Though these activites help in gaining more sales volume, what is the assurance of security of data involved? The problem arises in the form of hackers(intruders who gain unauthorised access to company files through networks). In e-business, customers transact with organisations through interconnected networks. During hacktivism process, first a hacker chooses a network to attack. It is likely to be a specific interest of the hacker which may benefits the hacker or the hacker may port scan a network to determine its vulnerability towards the attacks. Port is an opening through which the computer receives data via the network. Open ports carry risks and will give easy access to a hacker or a cracker to access the system. Then the hacker will visit the target in some way and finds out vital information that will help them access the system. In this stage the hackers get desired results from Social Engineering method. Beside that hackers also use a technique called Dumpster Diving, where they find documents that users have thrown away. This information will help them gain access to the network.
In this case, the law which has been violated would be Data Protection Act of 1998. According to (Bott, Professional Issues in Information technology, 2006) “personal data shall be obtained only for one or more specific and lawfull purposes, and shall not be further processed in any manner incompatible with that purpose or purposes”. In this case, the data had been processed only for a single transaction, but further process had been done by the hacker for their personal use. So it would be a partial violation. As a solution to these kind of problems, the intruders are imprisoned or premium fine is asked. (Bott, Professional Issues in Information technology, 2006).
Similarly we can also divide these unknown personalities into two groups as active intruders and passive intruders.
Active Intruder is a person, who only reads the information. They will not interfere or modify the message; they simply monitor the message exchange. Passive Intruder is a person who modifies (insert, delete, update & create new messages) the information. They also deny the access to the authorized users and occasionally they stop the communication.
It is important to secure the properties of information, particularly from the active intruder who can cause severe harm to the information carried out through a system.
Attacks by Intruders
There are several types of attacks made by the intruders which affect the properties of a message passed through an Information System.
Confidentiality is a property which is connected with privacy of a message. It can be affected by the interception of passive intruders. They intercept and read the message without making any changes. This type of hacking violated privacy of the message . Privacy according to
Modification is another property, which could be affected by integrity attack made by an active intruder. As a result of this attack a modified fake message will be passed on to the receiver, which is different to the genuine message.
Interruption is one of the properties which will affect the availability of the authorized users like administration and staff. This is another type of attack made by active intruders.
Fabrication is the worst attack made by active intruders. During this attack receiver gets a false message using authorized senders’ account, created by the intruder, thus it is essential to do authentication and check whether the real person has send the message.
Suggested Security Measures
Though the company is using some standard security measures, the newly arisen threats proved that those are insufficient. For example, for the money online transactions (when eCustomers purchase through the Internet) company uses payment gateway, a secured and encrypted path to credit card, debit card transactions. When customers are accessing shopping cart and trying to purchase the product, they will automatically directed to the payment details page through a secure hypertext transfer protocol (https), where a locked padlock symbol is shown in the url. It helps to carry out web transactions (Browsers, Web servers & Internet applications) and to maintain the privacy of a customer as well as secrecy too.
Company also uses two cryptography algorithms. First one is called symmetric cryptography. In Symmetric cryptography, one key is used for encryption and decryption process. Next is asymmetric cryptography. In Asymmetric cryptography, one key is used for encryption while another key is used for decryption process.
Also, company office networks have proxy servers which act as application level gateway helps to increase the performance and security. All the office computers are having protected by firewall, a technological barrier which prevents unauthorized access and unwanted communication. The special team also monitored all the computers in the network, to investigate if the computers have antivirus software and whether they are attacked by computer viruses, Trojans, computer worms etc. They also suggested a new daily routine computer scanning scheme to prevent virus threats.
The special group also suggested to implement some other popular methods such as digital signatures, digital envelopes, digital certificates (issued by Certifying Authorities) that are liable to increase the security level.
Other Standard Security Functions (suggested) with its Applications
- Netscape Secure Socket Layer (SSL) which is known as IETF transport layer security protocol (TLS) is a standard method which secures data packets that are passed (Browsers, Web servers and Internet at the network layer applications) from packet sniffer applications. In this method a session key is used to encrypt and decrypt all the messages that are transferred over TCP connections.
- Secure MIME (S/MIME) is another standard that secures email attachments exchanged across platforms (Email package with RSA encryption & Digital multiple signature).
- Wireless Transport Layer Security (WTLS) protocol provides secure transport using User datagram protocol (UDP).
- Secure Wide Area Networks (s/WAN) is a secured place where a point to point encryption is done between firewalls and routers (Virtual Private Networks- VPN).
- Secure Electronic Transaction (SET) is also similar to https, which secures credit card & debit card transactions (Smart cards, transaction servers, ecommerce) over Internet/Web. Using this scheme allows user (client) to authenticate that the server is a recognized one.
Most of these security standards are used in the application layer and session layer of the networks.
The special group also found out that they are having lack of security when transmitting data through the wireless networks; therefore they suggested Wired Equivalent Privacy (WEP) to make security within the wireless networks in LAN, like Ethernet.
So when Internet is being used for serious applications, where the exchanged information is sensitive or valuable, it is important to confirm that the sender of this information can be confident about its security. CORPS also uses Transaction Processing (TP), Management Information System (MIS) and Decision Support System (DSS) for their daily routine work. For example, when a guest or a registered user is logging into the company website, Database Management System is used to retrieve the required information from the database. Similarly, during cash transactions, banking system and transaction processing system in management information system are used to credit and debit money in the merchant account and other accounts.