Cyber Security Ethics
“In law, a man is guilty when he violets the rights of others. In ethics, he is guilty if he only thinks of doing so.” Immanuel Kant
In the last few years, specifically after the economic crash down, there are plenty of stories that highlight the pitfalls on the road to business success and the people in power abuse power too well. The story can be Wells Fargo (WFC, -0.48%) employees creating fake accounts in the names of real customers, or pharma giant Mylan imposing big price increases on users of its life-saving EpiPen.
The consequences of this not only that Wells Fargo was forced to return $2.6 million in ill-gotten fees and pay $186 million in fines to the government. But the biggest hit Wells Fargo will take is to its reputation, as the media and government officials spent much of the year slamming the bank for its fraud.
Businesses are heavily dependant on the technologies for collecting, processing, and storing business-critical information, may it be the organization’s confidential data, customer’s Personal Identifiable Information (PII), or employee’s private data. Any misuse or abuse of this data by the people who have legitimate access to this data can cost not only millions in fine but the reputation which was gained over the years can ruin in minutes after the breach is disclosed.
This is the time for every organization to start imposing not only the conduct of business ethics but also the ethical guidelines for cybersecurity.
Professions like health care, law, and enforcement, which directly impact human life have the formal process of introducing the ethical practices that need to be followed as a profession. These professionals also go through training and take an oath of following ethical practices.
Cybersecurity professionals have access to the organization's confidential, customers, and employee's PII data. There are cybersecurity guidelines and standards to protect this data but unfortunately, there are no defined standards for the ethics that cybersecurity professional needs to follow. These professionals are trained in performing their jobs the best way but they are not trained for how to handle the ethical dilemma.
Importance of Ethics in cybersecurity
When we speak about cybersecurity, we mainly speak about technical controls, compliance, regulatory requirements, policies, and security awareness. We hardly consider ethics as a topic to be covered as a part of cybersecurity discussions.
Cybersecurity professional or analyst has access to the data which is confidential and private. As a part of duty, these analysts access validate, verify information like who accessed which URLs, what are the content of the e-mails send or received outside, password rest, etc. These analysts also have access to the entire IT architecture of the organization, and loopholes in security architecture, as well as vulnerabilities.
Defined ethical guidelines can protect user privacy and the organization's reputation. The absence of the same information can be used to blackmail or harass somebody or ruin the organization's reputation by publishing vulnerabilities to the black market.
The cybersecurity ethical guideline should define, what is right and what is wrong, when and how much information to disclose, and when to keep mum.
“Ethics is knowing the difference between what you a right to do and what is right to do” Potter Srewart
The evolving technologies are changing life drastically from driverless cars to robotic entertainment. Every aspect of work and personal life is touched by these technologies. This has provoked the discussion of ethical guidelines that need to be defined and mandated. These guidelines are started evolving and will take some time to get matured and part of the cybersecurity domain.
Every organization should define and follow some basic ethical guidelines to make sure their stakeholder’s data is handled in the proper manner.
- Clear definition of utilizing data for business purpose and what does it mean abusing the data
- Conduct cybersecurity workshops to promote the ethical behavior and impact of not following ethics
- Include the Ethics as a topic of cybersecurity awareness training.
- Training on social engineering, how to identify the real request than fake urgency
- Not to entertain the request for personal data disclosure, unless supported by business request and approved by the chain of authority
- Have bug bounty programs to reward the talent in your security organization and reduce the unethical exploits
- While responding to the data requests by the auditors or legitimate request form the third party, identify and provide limited data, which is precisely required to fulfill the requirement/or perform the job
- Have No Disclosure Agreement with the consequences of the breach of an agreement.
- Security policies should include the ethical aspect of security
“While academic abilities remain integral, it is work ethics that form the soul of the Business” Jamshyd Godrej
Ethics is something organizations can guide employees to follow, ultimately it is everybody’s moral responsibility to abide by the guidelines and be accountable for every action that involves access to the organizations’ confidential data or the PII data of clients and employees.