
TechFite Case Study

Section A: Ethical Issues for Cybersecurity

The field of cybersecurity faces some fundamental ethical issues that require the attention of policymakers. A primary cybersecurity ethical issue that emerges from the case is privacy violation (Solove & Schwartz, 2023). Cyber breaches pose a serious threat to data privacy, particularly with the huge quantities of personal data that organizations store electronically. Breaches of personal data by unauthorized users not only compromise confidentiality, but also expose the affected clients to identity theft and fraud when cybercriminals use their personal data to commit fraudulent activities (Solove & Schwartz, 2023). In the case of companies, access to proprietary data by unauthorized users has the potential to cause serious financial harm, such as when such information leaks into the hands of competitors. Therefore, companies have a responsibility to undertake measures to safeguard personal client information through security audits, access controls, and encryption, among other strategies (Solove & Schwartz, 2023). Privacy violation is relevant to the case study as there is evidence of employees gaining unauthorized access into clients’ IP addresses, thus obtaining proprietary business information that leaked to competitors. This points to fundamental weaknesses in the systems required to safeguard personal client data.

A second ethical issue is surveillance and monitoring. Cybersecurity professionals face a growing challenge with the emergence of surveillance technologies, including internet monitoring tools, facial recognition, and CCTV cameras, among other technologies (Solove & Schwartz, 2023). Such technologies allow users to gather huge quantities of personal data, raising ethical concerns about whether use of such surveillance technologies is ethically justified, whether client consent is needed, and the potential of abuse and misuse of clients’ personal data (Kritikos, 2023). Based on this, cybersecurity professionals have an ethical duty to establish systems of proper oversight around data sharing and retention to minimize the risk of misuse and unauthorized access (Kritikos, 2023). This ethical issue is relevant to the case study since the company has a release policy permitting surveillance of all electronic communication made using the company’s equipment. It would be prudent to assess the oversight mechanisms that are in place to ensure that users do not exceed the extent of their authorized access through such surveillance.

The third ethical concern relevant to the case study is transparency and disclosure. Cybersecurity professionals have a responsibility to maintain transparency and accurately disclose security vulnerabilities as a means to help decision-makers take corrective measures (Solove & Schwartz, 2023). Failure to disclose vulnerabilities or delayed disclosures exposes organizations to increased risk and derails potential efforts of addressing the same (Solove & Schwartz, 2023). This concern is relevant to the case study as available evidence shows that reports presented to management did not fully disclose the gaps in internal processes.

At this point, it would be prudent to identify the specific unethical behaviors perpetrated by the company’s employees. The division’s head, Carl Jaspers, acted unethically by operating ex-employees’ user accounts and using the accounts for intelligence-gathering against other companies. This way, Mr. Jaspers was able to access proprietary business information about certain companies via email. Mr. Jaspers further acted unethically by using his position in the division, and his capacity to dictate account privileges, to escalate privileges on these dummy accounts. In so doing, he was able to gain illegal access into other divisions, including finance, human resources, and the legal division.

The senior analyst, Sarah Miller, and junior analysts Jack Hudson and Megan Rogers acted unethically by using the Metasploit tool to scan and illegally penetrate the IP addresses of multiple companies. Through third parties, Hudson used surveillance tools to illegally mine other companies’ trash with the aim of gathering business intelligence. In so doing, the analysts compromised the confidentiality of private company information, causing their victims to suffer losses from the leakage of proprietary business information. At a personal level, Hudson, a member of the Strategic and Competitive Intelligence Professionals (SCIP), acted unethically by engaging in illegal business-intelligence gathering, contrary to the SCIP code of conduct.

For her part, IT security analyst Nadia Johnson acted unethically by failing to disclose the irregularities in the division’s internal operations. She often gave blanket summary reports indicating no irregularities, thus aiding illegal activities by unscrupulous employees such as Jaspers. The reports that Jaspers submitted on the state of internal operations violated the transparency requirement as they failed to cover important areas, including audits on user accounts, internal network surveillance activities, and processes of checking for privilege escalation.

Several factors at TechFite fueled these employees’ lax behavior. First, the company had a weak access control policy, as evidenced by the fact that all computers had full administrative rights, making it easy for employees to access sensitive high-profile client information. At the same time, the company’s oversight of user accounts and of activities taking place in the internal networks was weak. The IT division analysts did not conduct regular audits to check for data loss prevention and privilege escalation, or to deactivate ex-employees’ user accounts. This allowed employees to use these accounts to carry out illegal activity unnoticed. The lack of a data classification system at the company also fueled unethical activities as it made it relatively easy for employees (including those with limited access levels) to access the information of past, existing, and potential customers. Finally, the company failed to offer security awareness training to employees on their role in safeguarding clients’ information, applicable laws, legal ramifications of non-compliance, and activities that constitute a breach.

Section B: Problem Mitigation and Building Security Awareness

An information security policy that could have minimized the risk of criminal activity would be the use of a data classification system. A data classification system separates data relating to different clients and may also be designed to group data by the level of confidentiality (Cybellium Ltd., 2023). Such classification helps to protect important data and ensures that certain data is only accessible by individuals with higher clearance levels (Cybellium Ltd., 2023). The company could also have prevented unethical actions by using a strong access control policy. Access control incorporates two elements: hierarchical structure and network security (Cybellium Ltd., 2023).

The hierarchical pattern entails assigning different levels of access to employees in different organizational roles, rather than full access rights for all employees. This would ensure that employees only access information that is within their authorized range, thus protecting sensitive and proprietary information and ensuring such is only accessible by senior managers (Cybellium Ltd., 2023). Such segregation would minimize unethical action by making employees more accountable for the information they are allowed to access. In the event of a breach of high-level proprietary information, the senior management would know what group of employees to focus on in their investigation. On the other hand, network security entails use of tokens, biometrics, or encrypted passwords for users accessing company servers and networks (Cybellium Ltd., 2023). This helps minimize threats as log-in attempts are recorded and activities can be easily tied to specific individuals.

The establishment of a Security Awareness Training and Education (SATE) program would also go a long way towards reducing unethical behavior among employees in the organization (Abrahams et al., 2024). The aim of a SATE program is to foster a culture where employees are conscious about cybersecurity, and equipped with the skills and knowledge necessary to recognize and address cybersecurity threats (Abrahams et al., 2024). A SATE program has several key elements. First, it details the key legislation and regulations that govern cybersecurity in the specific industry where the organization operates (Abrahams et al., 2024). This helps to give a legal basis to the training program, helping employees to understand the legal ramifications of failing to comply (Abrahams et al., 2024). The program should clearly outline the importance of complying with legal standards, using real-life examples or court cases to demonstrate the possible consequences of non-compliance. At the same time, the training program should outline the various strategies the organization has put in place to safeguard personal data, such as data classification systems, audits, encryption, and privilege restrictions. Employees need to understand how these safeguards work and their role in upholding the same.

The training program should also educate employees on the various types of cyber threats, including whaling, phishing, malware, and spam. It would also be prudent to outline the rules that govern usage of social media, internet, email, user accounts, surveillance technologies, and privacy policies. Employees need to understand their duty in safeguarding personal data stored by the organization, including the importance of using secure passwords and multifactor authentication to prevent unauthorized access into their social media, email, or user accounts. Finally, a SATE program should outline details of the organization’s vulnerability testing procedures. This includes the risk assessment tools and frequency of conducting risk assessments, as a means to ensure that vulnerabilities are identified early and addressed before they escalate.

Since employees have varied capacities and abilities, Abrahams et al. (2024) recommend using a variety of techniques to communicate the SATE program to employees. Using a range of delivery techniques ensures that all employees benefit from the training. It may not be advisable to hold a training for all 1,000 employees at the company and hence, there may be a need to segment the employees by job category, and then tailor the training content to meet the needs of specific groups. The program could be communicated through interactive workshops that combine lectures with simulation and practical exercises (Abrahams et al., 2024). Lectures are beneficial in helping employees better make sense of cybersecurity principles by allowing room for real-time discussions (Abrahams et al., 2024). Simulation exercises that replicate real world situations could be used to complement lectures and provide an opportunity for trainees to experience the training content practically. For instance, simulated phishing exercises could be used to train employees on how to recognize phishing attempts in their networks (Abrahams et al., 2024).

Secondary communication techniques could include distribution of online training materials to enhance flexible learning given that the company’s workforce is dispersed (Abrahams et al., 2024). Additionally, to increase the level of employee engagement and knowledge-retention, the trainers could incorporate gaming techniques such as use of leaderboards, rewards, and challenges. These are forms of on-the-job-training that help trainers encourage healthy competition and track the progress of employees (Abrahams et al., 2024).

The SATE program will go a long way towards mitigating unethical behavior at TechFite. First, the program educates employees about the legal standards and laws related to cybersecurity, as well as the legal ramifications of non-compliance. Employees are less likely to engage in unethical behavior if they understand their obligations in safeguarding clients’ personal data. At the same time, the program guides employees on what constitutes acceptable conduct in information security. It provides information on their responsibility in safeguarding personal client data and how to act in certain situations, thus ensuring they act responsibly. Finally, the SATE program fosters a compliance culture by outlining industry standards, procedures, and policies (Abrahams et al., 2024). This ensures that employees uphold the principles of professionalism, accountability, and integrity.

Cite This Paper
"TechFite Case Study Technology" (2024, November 24) Retrieved April 21, 2026, from
https://www.paperdue.com/essay/techfite-technology-case-study-2182604
