Confidential Organizational Information and Employee Responsibility - Essay Example

Week 5 Assignment: Confidential Organizational Information and Employee Responsibility ISYS 3001 – Human Resource Management Walden University Instructor Name Date Sony’s PlayStation Breach Introduction Sony’s PlayStation Breach is considered as the worst ever data breach as far as the gaming community is concerned as it affected more than seventy seven million accounts, with twelve million of them containing credit card numbers that were not encrypted. Sony could not find the source of the hack immediately but it could be determined that the people responsible for the breach had accessed a lot of data in the process of the breach. This data included names and their corresponding email and passwords, addresses, history of purchases as well as credit card numbers among others. This breach at Sony made experts question the level of security that is associated with other companies that have in their possession millions of data records linked to different users. The situation at Sony should be used by those in the area of IT security to recognize and implement security protocols in a consistent manner throughout their organizations. In the case of customers, they should be careful of the people they give their data as it may not be worth the price of getting an access to online games. Lessons Learned The PlayStation outage was caused by an external intrusion that was directed at the PlayStation Network associated with Sony as well as Qriosity services and involved personal data linked to almost seventy seven million accounts being stolen while preventing users using PS 3 and PS Portable consoles from being able to play online using the service (Daniel & Daniel, 2012). This attack took place on April seventeenth and went on up to the nineteenth of April in 2011, thereby obliging Sony to shut the PlayStation network on the twentieth. Sony ultimately confirmed that personally identifiable information associated with all of the seventy seven million accounts had been stolen on 4th May and the outage that followed went on to last twenty three days. During the outage, almost seventy seven million PlayStation Network accounts that had already been registered were affected, making it the biggest data security breach in history. It was even bigger than the TJX hack that took place 2007 that had affected approximately forty-five million customers (Delta & Matsuura, 2009). Officials from the governments of various nations were concerned about the theft and the manner in which Sony delayed before it gave a warning to its users. On 26 April, Sony gave the statement that it was trying to get its online services running in a week’s time and went on to release PS 3 firmware version 3.61 as a security patch. The users of this firmware were supposed to change their passwords when they sighed in but when the firmware was released, Sony’s network was still offline. Ultimately, restoration on a regional basis was announced and a map of how the regional restoration was to take place in the US was shared when the service was being brought back online. There is a possibility that Sony did not emphasize on its security during the process of software development for the software that runs its networks. During the rush to develop newer products that are innovative, there are chances that security may be left behind. Sony’s business model entails rapid innovation and new software may come with some errors. When Sony exposed a code that had numerous errors in it to numerous people, it was a catastrophe waiting to happen. It is possible that the hackers gained access to the network through taking over the personal computer belonging to a systems administrator who had permission to access sensitive information concerning the company’s customers. It is likely they did this through sending email carrying malicious software to the administrator and this email was downloaded to the personal computer belonging to this administrator. Previously, hackers have accessed and stolen personal data from large companies, for instance, Albert Gonzalez pleaded guilty in 2009 for stealing millions of payment card numbers after he broke into corporate computer systems of various companies including 7-Eleven Inc and Target Company (Easttom & Taylor, 2011). Sony advised the people using its networks to place fraud alerts on their credit cards through various credit card bureaus in the US that it had recommended in statements it released. Protection from data breaches as well as its prevention needs a well thought out and practical approach to security in the entire company (Hill, 2010). All the aspects of the company including risk and vulnerability tolerance are supposed to be evaluated so that using this processes a more inclusive and intelligent security can be achieved. In order for companies to protect themselves from data breaches, they should be able to achieve a balance between protection of their data assets and allowing for innovative workplaces that have a high level of productivity. In reality, the systems of a company cannot be completely secure and therefore, difficult decisions are supposed to be made concerning various levels of protection required for different sections of the company. Additionally, awareness is a crucial aspect as far as security planning is concerned and appreciating the threat landscape while actively endeavoring to secure the company against the identified threats needs relevant technology as well as supporting policies. Further, with the progressive changes in the advanced threats that have become more pertinent as well as the intents that hackers have to find vulnerable systems, it has become almost certain that an organization will eventually fall victim to a breach of data. Therefore, developing a well-coordinated and evaluated response strategy is important the same way as accessing the appropriate resources and expertise to deal with any eventuality. Protecting confidential information Developing protocols with the aim of protecting the lifeblood of an organization is an important investment and to protect appropriately confidential information, workers should be discouraged from prowling on the valuable information that is associated with the company. The employers must also act appropriately towards protecting the information so that it can remain confidential and be considered proprietary in a court or by an arbitrator in the event that litigation arises. When a business or a company develops additional measures in regard to the protection of its confidential information, they is higher likelihood that a court will consider the information as being worthy of protection. Under normal circumstances, the practical reality of the operations associated with a particular business may not allow the business to implement all the measures available for the protection of its data. However, the main objective should be to provide the employees with numerous and regular reminders that will stop them from stealing any important information and coming up with various barriers for prevention of these thefts. Companies should make sure that all their employees append their signatures on restrictive agreements as a precondition for their employment and in the process of creating this agreements, the employer should ensure that the restrictions are sensible (Bidgoli, 2006). Companies should also execute written policies that reflect the obligations that exist in their confidentiality agreements, which have been signed by their employees. Even though policies are not contracts, they are supposed to make sure that the workers remember their obligations towards the protection of confidential information and this will decrease the likelihood of shirking the documented obligations. All the access to information of a confidential nature should be limited to only the employees with legitimate need to know and these employees should restrict their access to the information that is needed for them to perform the duties that are described by their jobs. Conclusion In the current business setting, confidential information like a list of customers, proprietary, information of pricing as well as marketing strategies among others are important business assets that may be compromised if they are not handled with care. A very common area of exposure is the workers who are leaving the company to join a competing business or company. There is also significant risk when confidential information is disclosed in the process of negotiating for a business deal but the negotiations do not reach fruition. Based on the applicable laws, if a company is not taking appropriate steps to safeguard its confidential information, then legal protection may be lost. Classifying information as confidential acts as a practical discouragement for people who would under normal circumstances abused this information. References Bidgoli, H. (2006). Handbook of Information Security Volume 2. Hoboken: John Wiley & Sons. Daniel, L., & Daniel, L. (2012). Digital forensics for legal professionals. Waltham, MA: Syngress. Delta, G., & Matsuura, J. (2009). Law of the Internet. New York: Aspen Law & Business. Easttom, C., & Taylor, J. (2011). Computer crime, investigation, and the law. Boston, Mass.: Course Technology PTR/Cengage Learning. Hill, D. (2010). Data protection. Boca Raton, FL: Taylor & Francis. Read More