TOPIC: DATA SECURITY IN BUSINESS
Due Date: 4:00 PM, 26-05 2012
Individual Research Assignment: Marks: 20
Description of Assignment:
This assessment will give students the opportunity to investigate and analyse a particular issue associated with doing business in the world today and:
a) describe the issue, and the problems it may cause
b) investigate two real-life cases which illustrate the issue
c) identify some possible solutions to combat or alleviate those problems
Students will prepare a 3000 word research report based upon the issue that has been assigned. This assignment will require each student to research an issue (in books, magazine and newspaper articles, academic journals, and on the Internet), and write a fact-based case study of a problem related to the issue.
The purpose of this assignment is to enable students to critically evaluate some of the major issues confronting business organisations today, and gain some experience of researching and fact-based report writing.
Students will be expected to find two (2) real-life cases related to the topic and the problems associated with it, and describe that case in their own words.
Following your research, you will be free to come to your own conclusions about the topic. It is therefore necessary to write up your report in a strict order as illustrated below.
The assignment will take the form of a fact-based academic report. Your aim will be to produce an opinion about the issue based upon the facts you have discovered in your research. You will have the opportunity to discuss your research with your tutor in workshop sessions to make sure you are on the right track with your research and report writing. Your title page should include a word count.
The report should use the following format:
- You should define the issue that you have been allocated and give a general overview and description of your issue. Identify which areas of business are usually affected by the issue and what sorts of problems are associated with it.
- You should provide an overview of what you intend to write about in your report, so that the reader can anticipate how you are going to present the material and what it will consist of.
- You will identify two (2) true life case studies of an instance of the allocated issue.
- Each case will address the following topics:
- Case Study (2)
- A brief description of the case study, and how the student found out about the case;
- The history or background of the situation in which the case occurred;
- A description of what happened in this particular situation and the events or occurrences that caused it to happen;
- An analysis of the immediate results or injuries that were caused in the case;
- A description of any long-term problems that flowed from the case;
- A description of any solutions that were made to overcome the problems in the future. Were they successful?
- Outline of your introduction and Case Studies are due in Tutorial Week 9 for tutor’s approval
- Each student must compose a summary of the issue and the problems it causes.
- What are the most successful solutions, and do you have any other opinions about how the issue might be addressed in the future. Are there any technologies or procedures that might help overcome the problem?
- Summarise your report – conclude by telling the reader what you have done in the report.
- List all references cited in your report
- List any other references which you found of interest
- Use correct APA format.
It is important to learn from the work of others and you are encouraged to explore the library, World Wide Web resources and have discussions with other students. However, work for assessment must be entirely the student’s own work and material cut-and-pasted or paraphrased from Internet sources is unacceptable.
Plagiarism is the presentation of the expressed thought or work of another person as though it is one’s own without properly acknowledging that person.
You must not allow other students to copy your work and must take care to safeguard against this happening. In cases of copying, normally all students involved will be penalised equally; an exception will be if you can demonstrate the work is your own and you took reasonable care to safeguard against copying.
Introduction – definition of the topic, and history of it
Report Structure Outline
Case Study Outline
Discussion and Conclusion
References (correct format, matching with citations, citations present)
Style (Spelling, grammar, length, originality)
Academic writing skills
Referencing (Correct citations, formatting, referencing style)
Research (How extensive was the research)
A new line of defence called data security is vital for most organisations and businesses to counter large-scale application attacks, a swelling raft of applications and targeted insider threats. Organisations and businesses have had to bear costs of billions of dollars due to data breaches, and more than 500 million sensitive records have been exposed through data loss (Privacy Rights Clearinghouse, n.d.). Moreover, data security breaches are financially destructive, as a business has to bear on average $6.75 million per data breach incident and an additional $204 per compromised data record (Institute, 2010).
It is not only organisations that are affected by data breaches; the individuals who fall prey to data fraud and identity theft also number in the millions. Data security is therefore a major concern for business organisations because, whether through external attack or insider abuse, data breaches are the most enduring attacks on data that an organisation faces.
1.1 Define the issue
1.1.1 Overview of data security in business
In the information security area of any business there are two main kinds of data security issues or threats which an organisation faces:
- Noisy threats: They directly interfere with our capability to do business. For example, worms, spam and viruses are noisy threats, and they attack both systems and networks, ultimately disrupting the operations and productivity of the business. These are very annoying data security issues and are highly visible too (The Business Justification for Data Security, 2009).
- Quiet threats: They do the real damage to a business’s data, but do not prevent an organisation from doing business. Quiet threats like data theft are much more dangerous as they can remain undetected for years. When they are detected, it is difficult to calculate the material damage they have caused to the business. For example, the theft of credit card data is a quiet threat, where someone else is going to face the loss. So security investments are curbed by forcing the regulations or contractual obligations (The Business Justification for Data Security, 2009).
1.1.2 Areas of business affected by data security in business
It has been found that the main areas of business which get affected by data security are:
- Financial sector/information (credit card numbers)
- Human resources (health care information)
- Information technology
- Trade secrets
- Customer metrics
- Intellectual property (patents, source codes)
- Sales data
1.1.3 Various problems associated with data security in business
Any attack on data security can cause:
- Loss of the intellectual property of the organisation
- Business liability for the compromised customer data
- Disruption of business continuity
- Loss of customer confidence
- Excessive amounts of time and money spent on recovering the lost data
- Violation of industry regulations where data is inadequately protected, which can lead to loss of business integrity or potential criminal penalties (Securing Network-Attached Storage:Protecting NAS from viruses, intrusions, and blended threats, n.d.)
1.2 Overview of what we are going to write in report
In this report we have analysed the risks attached to data security and found the importance of data security for any business organisation. Several problems or issues associated with data security have been studied, along with how they affect an organisation.
After analysing two real life cases of data security breach we will try to find out the history or background of both the cases. Then after critically analysing the problems attached with these two cases we will try to find solution to overcome such data security problems in future.
2. Case Studies
2.1 Two True Case Studies related to data security in business
The two case studies of data security breach which have been chosen are:
- Sony Corp.’s data breach, in which the maker of the PlayStation exposed users to years of identity theft risk in May, 2011 (Edwards and Riley, 2011).
- In late 2007, around 4.2 million credit card numbers were stolen by hackers, along with security codes and expiration dates. Visa notified Hannaford of this security breach in February, 2008 (Balasubramaniam, 2011).
2.2 1st Case Study description and how student found about it
In mid-April, Sony Corp.’s online entertainment systems were hacked through a security breach, and many customers were exposed to years of potential identity theft. Almost 100 million customers of the Sony PlayStation Network, Qriocity film, Sony Music Services and Sony Online Entertainment are at risk even if the risk of credit card fraud subsides. This case study was found on the Bloomberg website.
2.2.1 History of situation in which case occurred
The electronics giant, a manufacturer of high-end electronic items, had to face 55 class action lawsuits because of its faulty and inadequate security system (Kelly, 2011). Because of the security breach, hackers were able to access the personal data of 100 million Sony customers. This sheer lack of data security is why Sony Corp. suffered a costly financial setback.
Operating profits dropped by $178 million. Beyond the financial burden, the company is now struggling with a badly diminished reputation and the shattered confidence of its customers. Moreover, the company blundered by hiding from customers for a week the fact that their private information had been compromised (Kelly, 2011).
2.2.2 Happenings in this situation and events which caused it to happen
The sequence of events in the Sony data breach and electronic crime case was:
- George “GeoHot” Hotz, a 21-year-old hacker, uncovered and probably shared the root key of the Sony PlayStation 3.
- As payback, an online community by the name of ‘Anonymous’ launched a series of Distributed Denial of Service (DDoS) and Low Orbit Ion Cannon (LOIC) attacks against the company. The two attacks made on Sony were named #OpSony and #SonyRecon (Data Breach and electronic Crime: the SOny’s CAse, n.d.).
- The first attack disrupted all of Sony’s websites, and the second gathered and then published all the private and personal details available about Sony executives, including Sony CEO Howard Stringer. It was done using social engineering techniques.
- During these attacks, the PSN (PlayStation Network) was also disrupted, in a strange manner, through ‘Anonymous’ (Data Breach and electronic Crime: the SOny’s CAse, n.d.).
2.2.3 Analysis of the results or injuries caused in this case
The immediate results which were seen in this case:
- During the first attack 25 million users’ data was stolen, and in the second attack 77 million users’ data was hacked.
- The 77 million users whose data was stolen had stored their credit card details too.
- However, Sony does not store the security number, so the attackers would not be able to use the credit cards illegally.
- This incident shows the amount of damage a data breach can cause and that it is a major threat to ICT systems.
- Names, emails, phone numbers, birth dates and other information from PCF Games customers were stolen by the attackers (Data Breach and electronic Crime: the SOny’s CAse, n.d.).
2.2.4 Long term problems which followed from this case
The long term problems which arise from this security breach case are:
- The biggest long term problem which Sony will face is reinstating the customer’s confidence in the company.
- Loss in the stock market as this security breach case impacted the stock markets too.
- This caused financial damage to the company of millions of Euros.
- It indirectly affected the people who were associated with the Sony operations (Data Breach and electronic Crime: the SOny’s CAse, n.d.).
- Sony had to face and will keep on facing heavy criticism for both security breach and the way it handled the notification news from media.
- Numerous civil actions have been raised in various countries against Sony.
- Regaining the compromised trust and faith of loyal customers is long-term damage which Sony will have to face because of the backlash from the security breach (Biddle and Wynn, n.d.).
- Since Sony did not comply with its data security obligations, if the ICO decides that a breach has taken place, Sony will have to give an undertaking and pay a fine of 500,000 pounds.
2.2.5 Solutions to overcome the security breaches in the future
The immediate solutions which Sony could resort to in order to overcome such a situation in future are:
- Giving adequate assurance regarding safety of personal details to the customers.
- Re-evaluating its security controls. Sony planned to add a one-time password (OTP) approach, which adds an additional security layer and helps in securing online transactions.
- A strong step taken by Sony is to enhance its data security system and not to restore services until all the security measures are in place.
- Sony has claimed that it is starting measures which will significantly enhance all areas of the PlayStation Network’s security, along with the security of users’ personal data.
- It has planned to move its network infrastructure and data centre to a more secure location.
2.3 2nd Case Study description and how student found about it
The Hannaford breach happened between December 7, 2007 and March 10, 2008, when the supermarket’s systems were breached by hackers. They took debit and credit card numbers, along with PIN numbers and expiration dates, from customers who shopped at Hannaford supermarkets. The grocery chain has more than 200 outlets spread across New England, Florida and New York. By the time Hannaford announced the security breach, around 1800 fraudulent transactions had already been made. This case study was found on the Bank Info Security website (McGlasson, 2009).
2.3.1 History or background of situation in which case occurred
An East Coast supermarket chain suffered a security breach in which more than 4 million card numbers were exposed. It also resulted in 1800 cases of fraud, which were announced by the Hannaford Bros. grocery chain (Sharp, 2008). The plaintiffs sued Hannaford over the massive data security breach which occurred in 2008.
2.3.2 Happenings in this situation and events which caused it to happen
According to the statement given by Hannaford, debit and credit card numbers were stolen during the authorisation process and around 4.2 million unique card numbers were exposed. This makes this security breach the biggest case to date. The breach was exposed on February 27, but investigators found that it had already started on 7th December, 2007.
The hackers stole the credit card numbers and expiration dates, along with the security codes. Visa notified Hannaford about the breach, and Hannaford announced it publicly on March 17, 2008.
2.3.3 Analysis of the results or injuries caused in this case
The security breach affected 165 stores in the Northeast and 106 Sweetbay stores in Florida. Even the smaller grocery stores which sold Hannaford products were affected. Only the account numbers were stolen; no personal data such as telephone numbers, names and addresses was divulged.
Customers lost their confidence in Hannaford and the credibility of the company was compromised. In addition, the financial cost which every affected customer had to bear, and which the company must have borne, is incalculable.
2.3.4 Long term problems which followed from this case
The long-term problem which followed this case for Hannaford was how to re-establish its lost credibility (admin, 2009). Regaining customer loyalty and confidence was a major long-term concern for the company. Moreover, it will keep facing severe criticism for this data security breach for a long time, both in the media and in its sector. Another identified long-term risk is that the debit card holders who were involved in the Hannaford case are at high risk of fraud at any time.
2.3.5 Solutions which were made to overcome the situation in the future
The moment this security breach was exposed, Hannaford took aggressive steps to strengthen its network security along with the security structure of the company.
As a precautionary measure, Hannaford stopped collecting, knowing or keeping any personally identifiable information related to transactions, to avoid any such data security breaches in future.
It urged its customers to check regularly for any unidentifiable credit or debit card transactions and, if any problem is found, to contact the right authority immediately.
It asked its customers to beware of spam emails or telephone calls from people claiming to be from Hannaford. Customers should confirm whether the call or email is from Hannaford and should avoid giving personal details to any fraudster (Sharp, 2008).
3.1 Summary of the issues and problems it causes
The issues and problems created by data security breaches are numerous, with a vast impact not just on the business but also on the people whose information or data is compromised. Both the business and the IT systems of the organisation are impacted by security breaches (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011).
The biggest negative impact of a security breach on the business side was very high legal and compliance costs. The company lost productivity due to system downtime, which had a moderate to very high impact on the overall business of the organisation. A tarnished public image and lost revenue are further problems which businesses have to face due to a security breach.
Source : (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011)
Data Centre Impact
The damage done to the data centre is much greater than the business impact of a security breach. The reason is that a huge amount of productivity was lost because data centre staff could not work. The security breach tarnished the established reputation of their data centre. Some said that it resulted in higher legal and compliance costs (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011).
Source: (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011)
Thus, if we compare the impact on the non-IT part of the business with the impact on the data centre or IT part of the organisation, we find that IT security breakdowns have a higher impact on the data centre than on the non-IT part of the organisation.
Remedial Measures and Cost
Remediation covered everything from discovering the breach and assessing the damage done to informing management or law enforcement and finally fixing the problem. According to some, the remediation process is a hands-on process, while others thought that the whole process of finding, assessing and fixing a security breach required IT resources and cost.
This clearly indicates that security breaches are a serious matter for the business as well as the data centre, as they consume both cost and time. For the data centre they are particularly painful because IT is supposed to be the guardian that keeps the organisation’s data assets secure. So whenever a data security breach occurs, the rest of the business and outsiders blame the data centre for being weak or lacking in expertise (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011).
Source: (2011 Data Center Security Survey: Breaches – Impact & Remediation, 2011)
3.2 Most Successful solutions
There are several major concerns; however, after going through these two real-life cases, it is clear that data security breaches should be treated as an area of concern by business. In most security breach cases, the best that can be done is data valuation; a potential loss estimate should be made before going ahead with business justification or evaluation, and risk estimation should also be done. A data security strategy should include risk evaluations which cover:
Data valuation: Working with business unit heads and management to list the major data types or information and complete the valuation.
Risk estimate: Define the data security risk categories and then carry out the risk assessment. The risk analysis can be done for the most sensitive information, which can be exposed to potential risk.
Loss estimate: Find the potential loss categories and then try to adjust them according to the company’s contractual, regulatory or operational profile.
The four important elements of any breach management plan are:
- Containment and Recovery: These require an initial response in which the situation is investigated and a recovery plan is then developed. The plan should cover who should be informed about the breach, what can be done to recover the losses and, if needed, informing the police (Managing a data security breach Seventh data protection principle, 2011).
- Assessment of Ongoing Risk: Assessing the risks associated with the breach is very important in order to find out what adverse effects it can have on individuals or the company, how likely they are to occur and how much damage they will cause.
- Notification of Breach: An important element of a breach management strategy is informing people and organisations about the breach. As seen in the case of Sony, because it took time to inform customers, it lost more reputation and the risk grew.
- Evaluation of Response: Evaluating the effectiveness of the response to the breach notification is also very important, as is identifying the weak points in the security system (Gross, 2003).
Data security is the most vital area of concern in the modern world of information technology and is very important for any business because, as seen in the cases of Sony and Hannaford, there are several long-term as well as short-term losses which even organisations considered to be corporate giants have to bear (Gaither, 2003). There are numerous potential losses which a business has to bear due to data security breaches. Some of them are listed below:
Reputation damage: A company’s value is affected by its reputation, because new customers always seek out firms which are known and trustworthy. The same is true of investors, who buy stocks only in trustworthy and reliable companies.
Customer Loyalty: The perception of data loss affects both the brand and customer loyalty. If the data loss is viewed as preventable, and the financial cost or inconvenience to the customer is high, then these customers will stop doing business with the organisation.
Loss of Sales: If the pricing sheets and customer contact information of an organisation whose data security has been breached land with a competitor, the competitor will have enough data for targeted sales campaigns, resulting in loss of market share and profits.
Future Business: Predicting future business loss is impossible; it can range as far as putting the company out of business due to data loss.
Competitive Advantage: R&D expenditure on creating a new, highly competitive product will not be valued in the market if the source code, ingredient, research or process list is stolen.
There are many immediate as well as long-term measures, such as risk assessment and data valuation, which should be taken before a breach happens in the organisation, and some measures should be taken after a security breach has happened to avoid further damage from the data security loss (Room, 2011).
‘2011 Data Center Security Survey: Breaches – Impact & Remediation’, Gabriel Consulting Group, pp. 1-3.
admin (2009) Hannaford breach case not over yet, 9 October, [Online], Available: http://www.databreaches.net/?p=7715 [25 May 2012].
Balasubramaniam, V. (2011) Technology & Marketing Law Blog, 27 October, [Online], Available: http://blog.ericgoldman.org/archives/2011/10/post_3.htm [22 May 2012].
Biddle, S. and Wynn, K. Data Security, [Online], Available: http://www.pinsentmasons.com/en/media/published-articles/data-security/ [25 May 2012].
Data Breach and electronic Crime: the SOny’s CAse, [Online], Available: http://www.gcsec.org/blog/data-breach-and-electronic-crime-sonys-case [25 May 2012].
Edwards, C. and Riley, M. (2011) ‘Sony Data Breach Exposes Users to Years of Identity-Theft Risk’, Bloomberg, 3 May.
Gaither, C. (2003) ‘Law Requires That Firms Reveal Security Breaches’, The Boston Globe, 23 June, p. C1.
Gross, G. (2003) ‘Congress Takes Small Steps On Privacy Legislation’, InfoWorld, 18 July.
Institute, P. (2010) Cost of a Data Breach, January, [Online], Available: http://www.slideshare.net/Imperva/the-business-case-for-data-security [22 May 2012].
Kelly (2011) Costs & Risks - The Sony Security Breach, 20 October, [Online], Available: https://www.titanfile.com/blog/costs-risks-the-sony-security-breach/ [24 May 2012].
Managing a data security breach Seventh data protection principle (2011), [Online], Available: www.gov.im/odps [25 May 2012].
McGlasson, L. (2009) Hannaford Data Breach Case Ruling Coming, 6 April, [Online], Available: http://www.bankinfosecurity.com/hannaford-data-breach-case-ruling-coming-a-1352 [22 May 2012].
Privacy Rights Clearinghouse, [Online], Available: www.privacyrights.org/500-million-records-breached [22 May 2012].
Room, S. (2011) ‘Data security breaches: a cause for concern for local government’, Guardian Professional, 16 September.
‘Securing Network-Attached Storage:Protecting NAS from viruses, intrusions, and blended threats’, White Paper :Symantec Enterprise Security.
Sharp, D. (2008) ‘Breach exposes 4.2 million credit, debit cards’, Associated Press: SECURITY, 17 March.
‘The Business Justification for Data Security’, The SANS Institute (26 January 2009).