Information Technology and Ethics/Privacy and Data Security

Chapter Overhauled by Spring 2023 ITMM 485/585 course at Illinois Institute of Technology


Edited By:


Silver Team

Silver Team Members:

First Name   Last Name   Wiki Username
Andrew       Haines      Ahaines120
Michael      Szewczyk    Mszewczyk5
Griselda     Pasillas    Gpasillas
Kiara        McKenzie    Kee201
Dharmin      Suthar      Dharminsuthar

Misusing Data with BYOD


BYOD stands for “Bring Your Own Device”: the practice, now common in larger organizations and corporations, of allowing employees to bring or use their own devices for work. IT departments are increasingly realizing that BYOD is happening whether it is officially sanctioned or not, and they are taking steps to address the trend with technology solutions that secure corporate data across a range of platforms and devices.[1] Whether or not BYOD is officially sanctioned, employers and administrators have to be careful about which employees they hire and allow to use their own devices. BYOD generally provides comfort and accessibility for the worker; on the other hand, it opens opportunities for security risks, data loss, and data privacy issues.

Data misuse is a common occurrence on company networks. It ranges from an e-mail sent to the wrong recipient to extremely important files being deleted. BYOD makes this harder to manage because the company cannot fully control a personal device it does not own, which makes company data on that device easier to misuse. Files can remain on a personal device for years, until the device is replaced, stolen, or damaged, and any electronic document that reaches the device can be accessed and tampered with there. A BYOD program must therefore have a strong policy to combat the misuse of data. When sensitive documentation is involved, the damage can be massive and the costs can skyrocket, depending on what data was misused and how it was misused.

Policies and regulations set by an organization's IT department are necessary to ensure a safe working environment, and above all one that will not compromise the business. BYOD in practice generally means accessing email from a personal device, and this presents risks given the potential nature of data sent by email and how easily a mobile device can be lost – or hacked if not sufficiently secured. Employees accessing corporate data on personal devices present a huge risk to data security unless the correct protection measures are in place.[1] Other forms of BYOD include cell phones, laptops, memory sticks, external hard drives, and any other device that enables access to a work-related account or work-related data.

BYOD not only exposes a company to larger risks and misfortunes; it also creates the difficult task of writing policies that respect the privacy of the employee. Attempting to secure data by monitoring personally owned devices can be seen as an invasion of individual privacy rights. Across different geographies, data privacy legislation dictates that individuals must give fully informed and explicit consent for their personal data to be accessed and processed. In the practical world of BYOD and mobile device management (MDM), this "access" means monitoring activity and potentially locking and wiping the device – functions that employees may not be too happy about allowing on their personally owned smartphones or tablets.[1]

Generally, companies and corporations should avoid BYOD. If they want to make an exception for certain workers, a mobility policy is beneficial and in all cases crucial. The risks outweigh the positive outcomes of BYOD, and companies must pay close attention to how data is handled on any BYOD device in the corporate network. According to Privacy Rights Clearinghouse, there are many laws and regulations companies must consider when creating a BYOD policy; which laws apply will depend on the nature of the employer's business and what kind of data it collects, stores, and uses.[2] A corporate mobility policy implies a level of compromise between the employee and employer. The employer allows the employee to use the device of their choice, while the employee recognizes their responsibilities in regard to corporate data protection and allows a certain level of monitoring on their personal device.[1] Ironically, if the employer is going to impose a mobility policy on BYOD users anyway, it may as well forgo BYOD and simply provide employees with the necessary technology and access, all of which the IT department can monitor to reduce the risk of file misplacement, privacy invasion, or other issues relating to BYOD.

Privacy and Data Security in Virtual Reality


Virtual Reality (VR) is “the use of computer technology to create the effect of an interactive three-dimensional world in which the objects have a sense of spatial presence.”[3] Users must share personal and sensitive information when interacting with virtual environments. VR platform providers collect biometric data such as hand-tracking movement, retina movement, and voice data as feedback to improve various functions, and the provider can gather further associated data if the consumer links their VR account with a social media account such as Facebook. There is no federal law or regulation specific to how VR platform providers may manage consumer data, and outside states that have enacted their own privacy statutes, such as California, VR consumers generally cannot require deletion of their data from the device or the provider. The California Consumer Privacy Act (CCPA) gives consumers more control over their privacy: it ensures that consumers can opt out of the sale or sharing of their data, request the deletion of their data, know what happens to their data, and limit the use and release of their data.[4]

Because VR platforms collect so much data, they are a target for hacking, that is, gaining unauthorized access to a network, device, or system. With no VR-specific regulation requiring particular security measures, the protections a consumer gets depend on the provider. Where an account is protected by a password alone, with no multi-factor authentication and no limit on failed attempts, hackers can brute-force their way into a victim's account and steal personal information, and data that a provider stores without encryption is easier to steal once its systems are breached.
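The following is an added example, not code from any VR platform or from the chapter's sources. It models the two account weaknesses just described with standard-library Python: the same account is first protected by a password alone with unlimited guessing, and then by attempt limiting plus a TOTP second factor (RFC 6238). The usernames, passwords, TOTP seed, wordlist and lockout values are all constructed for the demonstration.

```python
"""Added demonstration (not code from any VR platform): the same account with and
without the controls the section says are missing. Stdlib only; every user,
password, secret and wordlist entry below is constructed for the example."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 50_000      # kept low for the demo; use a higher work factor in production
MAX_FAILURES = 5            # failed attempts tolerated inside the lockout window (assumed policy)
LOCKOUT_SECONDS = 900       # 15-minute window (assumed policy)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s steps by default)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    def __init__(self, username, password, totp_secret=None, throttle=False):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret     # None = no second factor enrolled
        self.throttle = throttle           # False = unlimited guessing allowed
        self.failures = []                 # timestamps of recent failed attempts


def attempt_login(acct, password, now, code=None):
    """Returns (ok, reason). The reason is for the server's own audit log; a
    production API returns one uniform failure message to the client so an
    attacker cannot tell a wrong password from a missing MFA code."""
    if acct.throttle:
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_SECONDS]
        if len(acct.failures) >= MAX_FAILURES:
            return False, "locked"
    _, candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        acct.failures.append(now)
        return False, "bad password"
    if acct.totp_secret is not None:
        if code is None or not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            acct.failures.append(now)
            return False, "bad mfa"
    acct.failures.clear()
    return True, "ok"


def brute_force(acct, wordlist, now):
    """Online guessing, one attempt per second; returns the password that
    logged in, or None if the list ran out or the account locked."""
    for i, guess in enumerate(wordlist):
        ok, reason = attempt_login(acct, guess, now + i)
        if ok:
            return guess
        if reason == "locked":
            return None
    return None


WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "iloveyou", "dragon123", "monkey"]          # constructed wordlist


def demo():
    now = 1_700_000_000
    weak = Account("alice", "dragon123")                             # password only, unthrottled
    cracked = brute_force(weak, WORDLIST, now)                       # -> "dragon123"
    secret = b"constructed-totp-seed"
    hard = Account("alice", "dragon123", totp_secret=secret, throttle=True)
    blocked = brute_force(hard, WORDLIST, now)                       # -> None (locked after 5)
    later = now + LOCKOUT_SECONDS + 100                              # lockout window has expired
    ok, _ = attempt_login(hard, "dragon123", later, totp(secret, later))
    return cracked, blocked, ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `("dragon123", None, True)`: the unthrottled, password-only account falls to an eight-word list, the throttled account locks after five failures before the right password is even tried, and even the right password would not suffice without the current TOTP code. The same lockout logic must also be enforced server-side per account (and ideally per source address), since the attacker does not run the client.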

Remediation


Every U.S. state must enact a privacy act to ensure VR platform providers properly manage consumer data. Every VR consumer should know how the providers use their data and why they collect it. Every VR provider must present a disclosure on the screen, written in easy-to-understand terms, that the consumer must accept before using the device. All stored data must be encrypted at rest in case of a breach. All VR devices and accounts must require multi-factor authentication to prevent unauthorized access. With these added precautions, consumers can traverse their virtual environments safely.

Best Practices for Handling Workplace Data


Workplace data varies in content, but all of it must be stored and managed correctly to avoid its loss or misplacement. If the data were compromised or accessed by unauthorized individuals, the organization could face both short-term and long-term consequences. To protect data in their domain and cloud storage, organizations must understand the severity of losing data and the importance of keeping data private.

To prevent data breaches, organizations should restrict which individuals can access which files and data.[5] Employees should have access only to the information they need to complete their job duties (the principle of least privilege). This restriction should apply to company-owned devices and to any device connected to the organization's network.

Whether a device is personal or company owned, users should ensure that it is accounted for and has at least one form of password set up to prevent a stranger from gaining access to important information.[5] Where the device supports two different forms of authentication (for example a passcode plus a biometric), using both adds an extra layer of security. This matters because once a device has been reported lost, the next challenge is to prevent entry to the device and to detect whether it has been compromised.

It is important to keep devices current by ensuring that all operating systems and applications remain patched and updated to close known security vulnerabilities.[5] Updates fix newly discovered bugs and improve the quality of the application or software, and they often add security features that further protect users from being hacked.

Any device that holds private information should undergo a periodic deep cleaning: sorting the files on the device and deleting any data that no longer needs to be kept.[5] The fewer files saved on a device, the less data its owner is responsible for keeping safe. Keep in mind that files may also be backed up elsewhere; those copies should be removed too if the files are no longer needed or if access was wrongly granted.


Four kinds of program and standard help manage workplace data.


1. Cyber Security Program:

A cybersecurity program sets out the procedures an organization follows to protect its data: secure data disposal, regular audits and assessments, documented policies and processes, technological controls, employee education and training, an incident response strategy, ongoing monitoring and evaluation, sound vendor management, regular testing and updates, communication and reporting processes, and continuous improvement. In practice these steps mean erasing data from obsolete documents and electronic equipment or physically destroying them, carrying out routine audits and assessments, developing thorough policies and procedures, deploying cybersecurity tools, regularly training staff in cybersecurity awareness, developing an incident response plan, monitoring system logs and carrying out security audits, managing vendors and third-party suppliers, and carrying out penetration tests and then remediating the vulnerabilities they find.

2. GRC Program:

Several crucial phases go into creating a good Governance, Risk, and Compliance (GRC) program. First, the objectives and boundaries of the GRC program must be clearly defined, taking into consideration the business's strategic goals, industry standards, and legal requirements. A complete risk analysis should then be carried out to identify and assess the company's risks, including operational, financial, legal, and reputational concerns. The policies and procedures that define the company's governance, risk management, and compliance practices should be based on industry best practices. A risk management framework should be designed that outlines roles and responsibilities as well as procedures for risk identification, assessment, mitigation, and monitoring. Compliance processes should be put in place to ensure that the business complies with all applicable laws, regulations, and industry standards, with steps for tracking, reporting, and documenting compliance. Internal controls, such as control processes, monitoring systems, and reporting procedures, should be designed and implemented to ensure that operations are carried out efficiently and in line with policies and procedures.

3. Insider Threat Program:

An insider threat program emphasizes ongoing training and awareness campaigns that inform staff of the many kinds of insider threats, their possible effects, and techniques for spotting and reporting them. This includes education on data management principles, insider threat mitigation techniques, and information security best practices. Closely watching user activity is another essential component of identifying insider threats. Using tools such as log analysis, network monitoring, and user behavior monitoring, organizations can track and evaluate user activity for unusual or suspicious behavior that may indicate an insider threat, such as attempts to enter restricted areas or data transfers that deviate from usual patterns. Routine audits of user accounts, access rights, and system logs are also advised to spot malicious activity or anomalies that could point to insider threats. Proactively identifying and stopping insider threats involves reviewing user access privileges, keeping an eye on privileged account usage, and carrying out regular security audits.
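As an added example of the log analysis described above (it is not part of the original chapter or any vendor product), the script below runs three insider-threat heuristics over a constructed audit log: successful access outside business hours, repeated denied requests, and a download volume far above the user's usual baseline. The log format, business hours, thresholds and per-user baselines are assumptions chosen for the demonstration.

```python
"""Added example (not a vendor tool): three insider-threat heuristics run over a
constructed audit log. Hours, thresholds and the baseline are assumed values."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+) result=(?P<result>\S+)$"
)
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as business hours (assumed)
DENIED_THRESHOLD = 3        # denied requests before a user is flagged (assumed)
VOLUME_FACTOR = 5           # downloads above 5x the user's daily baseline are flagged (assumed)

# Constructed audit log: one normal user, one probing restricted paths, one exfiltrating at night.
SAMPLE_LOG = """\
2023-04-20T09:12:01Z user=jdoe action=read resource=/eng/design.md bytes=12000 result=success
2023-04-20T09:40:33Z user=jdoe action=download resource=/eng/spec.pdf bytes=2000000 result=success
2023-04-20T10:05:14Z user=tlee action=read resource=/hr/salaries.xlsx bytes=0 result=denied
2023-04-20T10:05:20Z user=tlee action=read resource=/hr/salaries.xlsx bytes=0 result=denied
2023-04-20T10:06:02Z user=tlee action=read resource=/finance/board_minutes.docx bytes=0 result=denied
2023-04-20T23:41:09Z user=mwhite action=download resource=/finance/customer_list.csv bytes=180000000 result=success
2023-04-20T23:52:47Z user=mwhite action=download resource=/finance/contracts.zip bytes=95000000 result=success
"""
# Typical bytes downloaded per day, as learned from history (constructed here).
BASELINE = {"jdoe": 5_000_000, "mwhite": 4_000_000, "tlee": 1_000_000}


def parse(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["bytes"] = int(ev["bytes"])
    return ev


def detect(lines, baseline):
    """Return a list of (user, rule, detail) alerts for the given log lines."""
    alerts = []
    denied = defaultdict(int)      # denied requests per user
    downloaded = defaultdict(int)  # bytes successfully downloaded per user
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["result"] == "success" and ev["ts"].hour not in WORK_HOURS:
            alerts.append((user, "off_hours_access", ev["resource"]))
        if ev["result"] == "denied":
            denied[user] += 1
            if denied[user] == DENIED_THRESHOLD:      # fire once when the threshold is reached
                alerts.append((user, "repeated_denied_access",
                               f"{DENIED_THRESHOLD} denied requests, latest {ev['resource']}"))
        if ev["action"] == "download" and ev["result"] == "success":
            downloaded[user] += ev["bytes"]
    for user, total in downloaded.items():            # volume is judged per user at end of window
        typical = baseline.get(user)
        if typical and total > VOLUME_FACTOR * typical:
            alerts.append((user, "volume_anomaly", f"{total} bytes downloaded vs baseline {typical}"))
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines(), BASELINE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample log this yields four alerts: one for `tlee` after the third denied request, two off-hours alerts for `mwhite`, and a volume anomaly for `mwhite` (275 MB against a 4 MB baseline), while `jdoe` produces nothing. Each heuristic on its own is noisy; the value in practice comes from correlating several on the same user, as the two `mwhite` rules do here.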

4. ISO 27001:

ISO 27001 is a widely recognized standard for information security management systems (ISMS), and implementing it calls for a planned strategy and a number of essential components: the scope of the ISMS must be established, leadership commitment obtained, a risk assessment completed, a security plan created, security measures put in place, processes and policies documented, staff trained, internal audits completed, management reviews conducted, certification preparation made, and continuous improvement kept as the main focus. Determining the scope is the first step: declaring the criteria, restrictions, resources, processes, and individuals that the ISMS will cover. The implementation must also have the support of senior executives, who demonstrate it by appointing a management representative and providing the required funds. Through a careful risk assessment, risks and vulnerabilities to information assets must be identified and evaluated. This entails identifying assets, threats, and vulnerabilities, estimating the likelihood and impact of potential incidents, and determining risk levels.

Following Company Cybersecurity Policies


Every employee in an organization, not just the IT professionals, should be educated on the importance of cybersecurity. A cybersecurity policy explains each person's responsibilities for protecting IT systems, including standards for email encryption and for using social media in the workplace. When it comes to cybersecurity, employees are the weakest link; according to McAfee, 43% of data loss was caused by employees. A strong cybersecurity policy helps employees understand the importance of protecting data.[6] This is especially important in sectors such as healthcare and finance, which often hold sensitive customer information and can be heavily fined for insufficient security procedures.

The cybersecurity policy informs employees and other users how to access online resources responsibly and sets out the general security expectations for everyone in the organization. The policy should emphasize important aspects such as the security of sensitive data, and it should be easy to read and understand.

The IT department is responsible for all information security policies, but other key stakeholders also take part in creating them. For example, the legal department contributes by ensuring the policy meets legal requirements. As technology is constantly changing, the cybersecurity policy must be updated to keep pace with those changes.

Ethical Hacking: When It Is and Is Not Allowed


To fully understand ethical hacking, we must first understand penetration testing. Penetration testing is the act of legally exploiting computer systems in order to strengthen their overall security. For the act to be legal, a penetration tester must obtain written authorization from the party requesting the tests; without it, exploiting computer systems is illegal. When performing a penetration test, the tester exploits the system by taking advantage of vulnerabilities in it, whether known weaknesses or ones the tester discovers. Once the tests are finished, whether or not they gained access, the tester writes a report summarizing the findings: all identified vulnerabilities, the vulnerabilities used to perform exploitation, and recommendations for patching them (Engebretson, 2013).[7] It is important to provide as much detail as possible in the report, so that the client can use it as a guide to resolving the vulnerabilities in their systems. Without a detailed report, a client will not be able to successfully implement the solutions provided.
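Written authorization is only useful if every target actually tested falls inside it. The script below is an added example (not from Engebretson's book or any testing tool) of a deny-by-default scope check that a tester runs before pointing a scanner or exploit at anything: a target is allowed only if the current time is inside the agreed window, it is not on the exclusion list, and it matches an authorized network or hostname pattern. The rules of engagement, addresses and hostnames are constructed for the example.

```python
"""Added example (not from the cited book): a deny-by-default scope check that a
tester runs before any scanning or exploitation, so that every target is covered
by the written authorization. The rules of engagement below are constructed."""
import ipaddress
from datetime import datetime, timezone

SCOPE = {   # constructed rules of engagement, not a real client's
    "networks": ["10.20.0.0/16", "203.0.113.0/24"],
    "hosts": ["app.example.test", "*.api.example.test"],
    "excluded": ["10.20.0.1", "203.0.113.250", "legacy.api.example.test"],
    "window": ("2023-04-10T00:00:00Z", "2023-04-14T23:59:59Z"),
}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_network(s):
    """Parse a CIDR or bare IP into a network (a bare IP becomes /32 or /128); None otherwise."""
    try:
        return ipaddress.ip_network(s, strict=False)
    except ValueError:
        return None


def _host_matches(pattern, host):
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                                 # "*.api.example.test" -> ".api.example.test"
        return host.endswith(suffix) and host != suffix[1:]  # wildcard does not cover the bare name
    return host == pattern


def check_target(target, now_iso, scope=SCOPE):
    """Returns (allowed, reason). Anything not explicitly authorized is refused."""
    start, end = (_parse_ts(t) for t in scope["window"])
    if not start <= _parse_ts(now_iso) <= end:
        return False, "outside authorized testing window"
    excluded_nets = [n for n in map(_as_network, scope["excluded"]) if n is not None]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                                            # not an IP literal: treat as hostname
    if ip is not None:
        if any(ip in n for n in excluded_nets):
            return False, "explicitly excluded"
        if any(ip in _as_network(n) for n in scope["networks"]):
            return True, "in authorized network"
        return False, "IP not in any authorized network"
    if any(_host_matches(ex, target) for ex in scope["excluded"]):
        return False, "explicitly excluded"
    if any(_host_matches(p, target) for p in scope["hosts"]):
        return True, "matches authorized hostname"
    return False, "hostname not authorized"


def filter_targets(targets, now_iso, scope=SCOPE):
    """Split a target list into (allowed, rejected), each a list of (target, reason)."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = check_target(t, now_iso, scope)
        (allowed if ok else rejected).append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(["10.20.5.7", "203.0.113.250", "v2.api.example.test",
                              "api.example.test", "192.168.1.1"], "2023-04-12T15:00:00Z")
    print("allowed:", ok)
    print("rejected:", bad)
```

Two details matter in practice. Exclusions are checked before inclusions, so a host the client carved out of an authorized range stays off limits, and the wildcard `*.api.example.test` deliberately does not match the bare `api.example.test`, because the authorization named subdomains, not the apex. Hostnames are matched as written; a tester who resolves a name and then scans the resulting address should run that address through the check as well, since DNS can point an in-scope name at an out-of-scope network.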

Within the act of exploiting computer systems there exists the concept of ethical hacking. In most circumstances the terms "ethical hacking" and "penetration testing" mean the same thing: exploiting computer systems in order to help others, specifically to help them strengthen the security of their systems (Engebretson, 2013).[7] As you might deduce, if ethical hacking exists, then unethical hacking must also exist, and the field of penetration testing uses the terms "white hat", "gray hat", and "black hat" to describe the difference.

Three "hats" describe the difference between ethical and unethical hackers. A black hat performs malicious, unauthorized exploitation of computer systems. A white hat performs legal, authorized exploitation for the purpose of helping people strengthen the security of their systems. A gray hat is someone who performs both white hat and black hat hacking (Grimes, 2017).[8] To be clear, any form of black hat hacking is illegal: the amount of hacking performed does not matter, because any unauthorized hacking is illegal. In short, black hat describes unethical hacking, white hat describes ethical hacking, and gray hat describes someone who does both.

Notes

  1. Absalom, Richard (05/07/2012). "International Data Privacy Legislation Review: A guide for BYOD policies" (PDF). Data-Privacy-Legislation-Review-A-Guide-for-BYOD-Policies.pdf. Retrieved 04/24/2023.
  2. "Bring Your Own Device (BYOD) . . . at Your Own Risk". Privacy Rights Clearinghouse. 1 September 2013. Retrieved 18 April 2021.
  3. Bryson, Steve (2013-12-16). "Virtual Reality: A Definition History - A Personal Essay". arXiv:1312.4322 [cs]. doi:10.48550/arxiv.1312.4322.
  4. "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2023-04-25.
  5. Bandler, John (2017). "Cybercrime and Fraud Prevention for Your Home, Office, and Clients". GPSolo. 34 (5): 58–61. ISSN 1528-638X.
  6. "How Cybersecurity Policies and Procedures Protect Against Cyberattacks". McAfee. Retrieved 18 April 2021.
  7. Engebretson, Pat (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd ed.). Amsterdam: Syngress, an imprint of Elsevier. ISBN 978-0-12-411641-2. OCLC 852159073.
  8. Grimes, Roger A. (2017). Hacking the Hacker: Learn from the Experts Who Take Down Hackers. Indianapolis, IN. ISBN 978-1-119-39626-0. OCLC 983465946.