Ethics and Cyber Security

A broader and better understanding of cybersecurity ethics is critical to promoting and protecting the public to flourish in an increasingly networked society. Cyber security is primarily concerned with protecting human institutions’ integrity, functionality, reliability, and practices that rely heavily on this data, systems, and networks. Following the ethical guideline in cybersecurity will enable the professionals to safeguard their institution and their clients. For this reason, TechFite needs to understand its ethical significance and power to safeguard the public interest, given they have access to data that could affect the public well being.

Some of the important ethical issues in cybersecurity that apply in TechFite include harm to privacy, property, transparency, and disclosure. Harm to privacy threatens the organization whose sensitive information is directly exposed to cyberthreat and tries to prevent the data from being shared with friends, clients, and service providers (Vallor & Rewak, 2022). TechFite lacks coverage on the critical issues of safeguarding sensitive data and proprietor information belonging to their clients. Harm to property injures a  person or an organization who relies upon such property for their wellbeing. This is an ethical issue in Techfite as they disclose their clients’ sensitive data to their competitors and resulting in their competitors launching some products similar to those of their clients (Vallor & Rewak, 2022).

Moreover, resource allocation is poorly done at the TechFite Application Division. People using computers are given full administrative privileges. Besides, different units are visible to one another due to a lack of segmentation and separation, thus weakening the security standard in the company. Transparency and disclosure is another issue affecting TechFite; the company discloses sensitive information from their client to their competitors and has illegitimate companies carry out an off-book method to make payments elsewhere (Vallor & Rewak, 2022). Besides this, it is evident that the company scans other companies’ networks and combines them with other third parties to gather intelligence through surveillance and mining companies’ trash.

Several people have contributed significantly to unethical practices in TechFite. First is the head of the TechFite Application Division, Carl Jasper. Being a leader, he does not check all-important follow-up activities such as monitoring internal activities and enforcement of activities such as data loss prevention (SHRM, 2022). Besides, he has an unprofessional relationship with other workers, such as IT security analyst Nadia Johnson creating a perception that favorable treatment from outside entities is being sought. He also authorizes the creation of accounts outside the company’s requirements. In addition, he partners with a person with illegitimate companies. The IT security analyst Nadia does not perform her various tasks such as auditing. Other employees use Metasploit tools on the company’s computers which is against the rule. Besides, they conducted penetration and scanning of IP addresses for several Internet-based companies. Members of the BI, such as Sara Miller, scan other companies’ networks and influence their subordinates instead of focusing on their work (SHRM, 2022). Finally, Hudson, who is a staff in the TechFite, partners with a third party to gather intelligence through surveillance and mining companies’ trash and is  a member of the Strategic and Competitive Intelligence  Intelligence Professional (SCIP).

TechFite’s lack of an ideal corporate security program is due to poor leadership, violation of company policies, missing security patches, and a lack of an ideal corporate security program. Poor leadership from Carl Jasper and Sarah Miller. Carl Jasper authorized the creation of illegitimate accounts and did not oversing internal insights in his department. Sara Miller misleads other workers by directing them to scan other companies, violating company policies by the employees who misuse the companies’ computers—missing security patches such as documentation for internal insight and enforcement of proper maintenance of the client data. Having dummy account to conduct activities for self gains and staff engaging with outsiders to do other business using the company’s resources. The company lacks an ideal corporate security program to monitor the authorization privileges and segregate different units for security purposes.

The information security policies to prevent criminal activities or negligence include Network Security Policy and Vendor Management Policy. Network Security policy ensures confidentiality, integrity, and availability of data that follows specific guidelines when conducting network activities, and reviews are done periodically (Adsero, 2021). This policy ensures that all the company systems go through auditing procedures and that the log details are documented. These details indicate activities such as the date, time, and origin of a particular activity and who is responsible for what. Vendor management policy ensures the vendors are compliant and have information security abilities. The company vendor should be able to create, maintain and transmit confidential information on behalf of the company and safeguard the information given (Adsero, 2021). This procedure is crucial in risk management, due diligence, and maintenance of compliance management practices.

The key component of Security Awareness, Training and Education (SATE) include Awareness, Training, and Education. Awareness enables an individual to identify security issues and act accordingly (Hickey, 2018). Training equips people with the appropriate security skills and competence. Education refers to the knowledge and skill acquired during the learning process.

Communicating the SATE program to TechFite Employees requires a systematic approach. The managers will be required to perform various tasks such as encouraging the employees to participate actively and uphold the security awareness principles acquired during the learning process. Secondly, the managers will be required to model an ideal security awareness approach to bracing the learning obtained from the training (Security Awareness Program Special Interest Group PCI Security Standards Council 2022). They can do it by creating workshops where the employees can come and learn. Finally, the managers should include management and self-performance reviews security awareness metrics.

SATE training has several advantages, including Compliance, A proactive security culture, and a safer organization. By conducting a security awareness, the organization complies with the state regulation and is a requirement for cyber risk insurance (Pratt, 2022). There is a proactive security culture when employees are aware of their roles in keeping the organization safe and the consequences of negligence and thus act more responsible. Incorporating a security training program reduces the overall risk-taking of an organization (Pratt, 2022). This may translate into a better brand reputation and improve the business.

In conclusion, applying appropriate information security policies will improve the overall performance of the IT department of TechFite organization. Security Awareness, Training, and Education program will result in compliance, a proactive security culture, and a safer organization.

References

Adsero. (2021). 10 Must-Have IT Security Policies for Every Organization. Retrieved 18 April 2022, from https://www.adserosecurity.com/security-learning-center/ten-it-security-policies-every-organization-should-have/

Hickey, B. (2018). Security awareness, training, and education – Infosec Resources. Retrieved 18 April 2022, from https://resources.infosecinstitute.com/topic/security-awareness-training-and-education/

Pratt, M. (2022). What is security awareness training?. Retrieved 18 April 2022, from https://www.techtarget.com/searchsecurity/definition/security-awareness-training

Security Awareness Program Special Interest Group PCI Security Standards Council. (2022). Information Supplement: Best Practices for Implementing a Security Awareness Program. Retrieved 18 April 2022, from https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

SHRM. (2022). Code of Ethics and Business Conduct. Retrieved 18 April 2022, from https://www.shrm.org/resourcesandtools/tools-and-samples/policies/pages/code-of-ethics-conduct-policy.aspx

Vallor, S., & Rewak, W. (2022). An Introduction to Cybersecurity Ethics. Retrieved 18 April 2022, from https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf