Is our online information really safe?
Thesis: Corporations should apply a specific solution to protect customers’ personal information from being stolen.
There are many psychological reasons for cyberterrorism. One of them is financial gain. According to Gross et al., cyber terrorists are “criminals out for pecuniary gain” (284). In Reynolds’ article, cyberterrorists attack corporations and deny their services; 46% of corporations that suffered from the attacks received a ransom note (6). Cyberterrorists demand ransom by conducting cyberattacks against corporations. Many corporations keep customers’ personal information, such as their names, credit card numbers, social security numbers, and other data that can identify the customers, in their files. The information is usually kept to assist in filling orders, meeting payrolls, and performing other business functions. Corporations face cyberattacks from time to time, which leads to the customers’ sensitive data falling into the hands of unauthorized people who can harm the organization by using the data for fraud, identity theft and many other illegal actions that can seriously harm the customers. Therefore, organizations need to apply a specific solution to protect the personal information of customers from being stolen.
The first step that corporations can take to protect customers’ data is to keep a record of the personal information held in their computers and files. Research shows that effective data security begins with a corporation assessing the kind of data and information it has so that it can plan how to keep it safe (Fagan et al., 27). Additionally, the corporate security team should understand how the customers’ personal information flows into, through and out of the organization by looking at who could have accessed the information or who tried to access it (U.S. Federal Trade Commission and the United States of America, 3). This will enable the organization’s security team to assess the security vulnerabilities of the organization’s systems and determine the best ways to secure the information while it flows into and out of the organization.
In order to understand the type of information the corporation holds, all the computers, mobile devices, disks, flash drives, digital copiers and home computers need to be inventoried. The inventory of these devices will enable the organization to understand where its sensitive data is stored (U.S. Federal Trade Commission and the United States of America, 4). The data that the organization keeps should also be inventoried by type and location; all types of data and their locations need to be identified to ensure a complete inventory of sensitive data. The corporation’s information security team can track the personal information the company holds by liaising with departments such as sales, accounting and finance, and human resources, as well as with service providers (U.S. Federal Trade Commission and the United States of America, 5). This step will give the organization a picture of who is sending sensitive personal data to the organization, how the corporation receives it, the type of sensitive personal information the organization collects, where it is kept, and how and by whom the data can be accessed and used.
The second step a corporation can take to protect its customers’ personal information is scaling down. The organization should keep only the information that it needs to use in the near future. Corporations should avoid keeping customers’ sensitive personal information for which there is no legitimate business requirement in either the short run or the long run (U.S. Federal Trade Commission and the United States of America, 6). If customers’ sensitive personal information is needed, the corporation should keep it only as long as it is legitimately needed within the organization. Therefore, the organization should avoid storing sensitive data that it does not need, and where the information is needed, social security numbers in particular should be used only when required, especially when there is a legal requirement (Onsrud et al., 1086). For instance, an organization can use social security numbers when reporting employee taxes because that is a legal requirement. Research shows that most cyberattacks utilize social security numbers to obtain either customers’ or employees’ personal information, which is why it is not advisable to use social security numbers frequently.
Also, whenever a company develops a mobile app, it should ensure that the app accesses only the information and data that it needs. The mobile app should not collect and retain customers’ data unless this is integral to the organization’s products or services (Reynolds, 7). In such a case, the app should have the necessary configuration to protect the data it collects and retains. Corporations should also avoid keeping customers’ credit card numbers and should not retain customers’ account numbers unless there is a business need (U.S. Federal Trade Commission and the United States of America, 6). Immediately after account numbers and credit card numbers are used, they need to be disposed of to reduce the probability of the information being used to commit identity theft or other fraud (Reynolds, 8). If a company must keep certain sensitive customer personal information, it should develop a written record retention policy that identifies the kind of data and information kept, how it will be secured, how long it will be kept, and how the company will dispose of it when it no longer requires the information. This is a legal requirement that the organization must comply with, and doing so improves its ability to protect customers’ data. Finally, the corporation can also scale down access to sensitive data within the organization by following the “least privilege principle” (U.S. Federal Trade Commission and the United States of America, 7). This will ensure that employees can only access the data and resources that they need to do their work.
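As an added example that is not part of the essay or of the FTC guide it cites, the following Python audit turns the scale-down rules above (dispose of card and account numbers right after use, keep social security numbers only with a documented legal basis, grant staff only the fields they need) into checks that can be run over a record inventory. The retention periods, the role matrix and the sample records are constructed assumptions, not values from the page.

```python
"""Retention and least-privilege audit for stored customer records (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention policy per field, following the essay's "scale down" step.
# 0 days: dispose of as soon as the transaction that used it is done.
# None: may be kept only while a documented legal basis exists (e.g. tax reporting).
RETENTION_DAYS = {
    "name": 365 * 2,        # assumed business need: order history
    "card_number": 0,
    "account_number": 0,
    "ssn": None,
}

# Assumed least-privilege matrix: the fields each role needs to do its job.
NEED_TO_KNOW = {
    "sales": {"name"},
    "payroll": {"name", "ssn"},          # tax reporting is the legal basis
    "support": {"name", "account_number"},
}


@dataclass
class Record:
    fields: dict                                   # field name -> stored value
    last_used: date                                # last legitimate business use
    legal_basis: set = field(default_factory=set)  # fields kept by legal requirement


def retention_violations(record, today):
    """Fields that the policy says should no longer be stored in this record.

    A field with no retention rule is treated like an SSN: it is flagged
    unless a legal basis for keeping it has been documented (default deny).
    """
    flagged = []
    for name in record.fields:
        limit = RETENTION_DAYS.get(name)
        if limit is None:
            if name not in record.legal_basis:
                flagged.append(name)
        elif today - record.last_used > timedelta(days=limit):
            flagged.append(name)
    return sorted(flagged)


def minimize(record, today):
    """Return a copy of the record with every policy-violating field removed."""
    drop = set(retention_violations(record, today))
    kept = {k: v for k, v in record.fields.items() if k not in drop}
    return Record(kept, record.last_used, set(record.legal_basis))


def excess_access(role, granted):
    """Fields a role has been granted beyond its need-to-know set (least privilege).

    An unknown role needs nothing, so every granted field is excess.
    """
    return sorted(set(granted) - NEED_TO_KNOW.get(role, set()))
```

Running `minimize` over the inventory on a schedule, and `excess_access` over each role's current grants, gives the two lists a review meeting needs: what to delete now and whose access to cut.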
Thirdly, the corporation should safeguard the personal information it does need by locking it down. Locking down the information and data in the organization means putting the necessary controls in place on how the information is accessed. To effectively protect the data, four key elements need to be taken into consideration (U.S. Federal Trade Commission and the United States of America, 8): physical security, electronic security, training of workers, and ensuring that both contractors and service providers maintain security practices.
Physical security protects against the loss of documents through theft. The most effective way to protect physical data is an alert employee or a locked door, together with reducing access to the room by employees or any other person who may come into the organization (U.S. Federal Trade Commission and the United States of America, 9). Additionally, files containing sensitive personal information need to be locked in file cabinets unless an authorized employee is working on the file (Onsrud et al., 1088). All sensitive identifiable information should be locked either in a room or in a cabinet, and the company should implement appropriate procedures for how employees who have a business need for the data will be able to access it.
Many organizations prefer to store their data electronically. However, some organizations fail to inform their employees about the vulnerabilities of the company’s computer systems, and this increases the risk of sensitive data being stolen. To ensure that sensitive data is stored safely in electronic form, authentication, general network security, laptop security, firewalls, wireless and remote access controls, digital copier security, and ways of detecting breaches should be appropriately applied so that the data stored electronically is safe from cyberattacks (Reyns et al., 1122).
Although the organization’s data security plan may be excellent, time should be taken to train the employees who implement it. The company’s employees should be informed of the rules they should follow when accessing and using sensitive data, and of how they can spot vulnerabilities in the data security plan. Periodic training of employees on the security of customers’ sensitive data emphasizes the importance of security practices (Reyns et al., 1128). Additionally, research shows that a well-trained workforce provides the best defense against data breaches, fraud, and identity theft. During hiring, the company should ensure that employees hired to use sensitive data are people of integrity who will not expose any sensitive data to outsiders. After training, all employees should sign an agreement form stating that they will follow all the security and confidentiality standards for handling sensitive data (U.S. Federal Trade Commission and the United States of America, 10). The corporation should make employees understand that the data security plan policies are an important part of the roles and duties they are assigned to perform. Besides, the corporation should ensure that the employees who use sensitive customer personal information are known, so that follow-up is easier in case of security breaches.
The effectiveness of data security practices depends on the people who implement them. Employees are the most important part of this, but contractors and service providers also implement the corporation’s security practices. Before contracting with any company or individual contractor, the organization should investigate the contractor’s security practices and compare them to those set by the organization (Fagan et al., 31). The company should then hire contractors whose data security practices comply with its data security plans. For service providers, the company needs to state its security practices clearly in the contracts and ensure that the providers are in full compliance with the stipulated security practices. The company should insist that service providers report any security incidents they may have experienced, even if the incidents did not lead to data being compromised (U.S. Federal Trade Commission and the United States of America, 14). This will enable the company to put plans in place to deal with such security incidents before they affect the company’s own security systems.
The fourth step that a corporation can take to protect customers’ personal information is safely and properly disposing of what it does not require. “What looks like a sack of trash to you can be a gold mine for an identity thief” (U.S. Federal Trade Commission and the United States of America, 28). Therefore, leaving paper documents such as credit card receipts, or CDs, containing customers’ personal identifying information can facilitate fraud and expose the organization’s customers to the risk of identity theft. To safely and properly dispose of customers’ sensitive personal information, the company should ensure that paper documents being disposed of cannot be read or reconstructed to yield meaningful information to attackers. This can be done by implementing information disposal practices that are reasonable and appropriate to completely prevent access to personal identifying information by unauthorized persons. The measures taken by the company should be based on cost, sensitivity, and the benefits over other disposal methods (U.S. Federal Trade Commission and the United States of America, 28). Since disposal usually takes two forms, paper records disposal and electronic records disposal, appropriate measures should be taken to ensure that neither leaves traces of customers’ personal information. For paper records, shredding, burning or pulverizing documents before discarding them will completely prevent the personal data from being accessed by unauthorized persons. For electronic disposal, software should be used to erase all the data from computers and other portable devices being disposed of by the organization. This will ensure that data that was stored on such devices cannot be recovered in any way.
A corporation should also create a plan that it will use to respond to security incidents in order to protect customers’ personal information. Although an organization can try to prevent security breaches, they sometimes happen anyway (U.S. Federal Trade Commission and the United States of America, 30). Therefore, the organization should have a plan for how it will respond to security incidents so as to reduce their impact on the business, customers, and employees. A senior member of the organization should be given the responsibility of coordinating and implementing the response plan. One way of responding to security incidents is disconnecting the compromised computers and systems from the organization’s network (Onsrud et al., 1092). After disconnecting them from the company’s network, the team should embark on an investigation of the security incident and take the necessary steps to close off the existing vulnerabilities affecting customers’ personal information. During this process, the organization should notify consumers, customers, credit bureaus, other businesses, and law enforcement agencies to reduce any negative picture that the cyberterrorists may present to customers, consumers and other businesses. Customers’ personal information should not be left exposed or accessible to unauthorized persons, and therefore any security incident the company faces should be addressed as fast as possible.
Also, to ensure that customers’ personal information is well protected, an organization may be transparent with its customers about how their data is used within and outside the organization. Research shows that organizations that offer their customers high levels of data transparency and control are protected in case of data security breaches (U.S. Federal Trade Commission and the United States of America, 33). Organizations that neither inform their customers about how the company uses their personal information nor offer them control over their data are at higher risk of financial loss if customers’ personal information is breached from the company’s systems. According to the study by Martin, Borah, and Palmatier, 80% of firms do not tell customers how they are using their data or offer them control over it. As a result, those firms were 1.5 times more likely to experience a drop in stock price than the 20% of firms that had been transparent with their customers (Martin et al., 48). According to this study, where organizations were transparent and offered some control over the use of their data, their customers took responsibility themselves because they had been informed, and could therefore make informed decisions about how the company should use their personal information (Martin et al., 54). Customers have the right to know how the organization is using their personal information, and therefore it is advisable that the corporation be transparent with its customers to avoid the consequences of security breaches.
In conclusion, all organizations have a duty to ensure that their customers’ personal information is protected from being stolen. Organizations can implement a specific solution covering what kind of data the company will keep, how the data will be secured, for how long it will be kept, and how it will be disposed of safely and properly to avoid unauthorized access to personal identifying information. The corporation should have a security plan in place that clearly stipulates how the data will be stored safely, who will access the data, and how the organization will respond to data security breaches. Employees are part and parcel of the organization and are the ones who mainly implement the organization’s data security plan and practices. Therefore, to avoid increased data breaches, employees need to be informed about the company’s computer vulnerabilities and how to identify them. They should also be asked to sign compliance forms acknowledging that protecting the data is one of their main duties in the organization. When recruiting employees who will deal with sensitive data, reference records can be used to select employees of high integrity and so avoid security breaches. Scaling down employees’ access to data by following the “principle of least privilege” can improve employees’ sense of responsibility for how they use the data provided for their specific tasks. If the data is leaked outside, the employee will know that he or she is responsible for that security breach. As a result, employees will not share the sensitive personal information they use to do their particular jobs.
Works Cited
Fagan, Michael, et al. “To Follow or Not to Follow: A Study of User Motivations around Cybersecurity Advice.” USA: IEEE, vol. 22, no. 5, Oct 2018, pp. 25-34. IEEE Xplore Digital Library. 10.1109/MIC.2017.3301619. 18 April 2020.
Gross, Michael L. et al. “The psychological effects of cyber terrorism.” Bulletin of the Atomic Scientists, vol. 72, no. 5, 2016, pp. 284-291. Complementary Index. http://dx.doi.org/10.1080/00963402.2016.1216502. 18 April 2020.
Martin, Kelly D., Abhishek Borah, and Robert W. Palmatier. “A Strong Privacy Policy Can Save Your Company Millions.” Journal of Marketing 81.1 (2018): 36-58. https://hbr.org/2018/02/research-a-strong-privacy-policy-can-save-your-company-millions
Onsrud, Harlan J., Jeff P. Johnson, and Xavier Lopez. “Protecting personal privacy in using geographic information systems.” Photogrammetric Engineering and Remote Sensing 60.9 (1994): 1083-1095. https://www.asprs.org/wp-content/uploads/pers/1994journal/sep/1994_sep_1083-1095.pdf
Papakipos, Matthew Nicholas, Cory Rudolph Ondrejka, and Erick Tseng. “Protecting personal information upon sharing a personal computing device.” U.S. Patent No. 8,997,213. 31 Mar. 2015. https://patentimages.storage.googleapis.com/2d/7b/58/34b0bda073781f/US8997213.pdf
Reynolds, Roy. “It’s time to rethink DDoS protection.” Network Security, vol. 1, Jan 2020, pp. 6-8. dblp computer science bibliography. 10.1016/S1353-4858(20)30007-6. 18 April 2020.
Reyns, Bradford W. et al. “The Thief with a Thousand Faces and the Victim With None: Identifying Determinants for Online Identity Theft Victimization With Routine Activity Theory.” SAGE Publications Inc, vol. 60, no. 10, Aug 2016, pp. 1119-1139. Social Sciences Citation Index. 10.1177/0306624X15572861. 18 April 2020.
U.S. Federal Trade Commission and the United States of America. “Protecting Personal Information: A Guide for Business.” (2011). https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf