Strategic Information Systems for Business and Enterprise
Introduction to Cyber Security
Cyber security comprises the technologies, procedures and activities designed to defend networks, computers, programs and records against threats, disruption or unwanted exposure. A data breach arises from a cyber attack that gives cyber criminals unauthorized access to a computer system or network and lets them steal the private, sensitive or confidential personal and financial data of customers or users (Kumar et al., 2018). Cyber security threats include computer viruses. Probably the most commonly recognized danger to computer protection, a computer virus is software that alters the function of a device without the user's permission or knowledge. Other threats include spyware, predators and phishing. Current information-protection issues include the GDPR, threats from compromised IoT devices, the challenges of cloud security, machine learning and AI threats, and attacks on cryptocurrency and blockchain networks (Kumar et al., 2018). A cyber threat is a malicious act that attempts to damage information, steal data, or generally disrupt digital life. Cyber threats include computer viruses, data breaches, denial-of-service attacks and other attack vectors. In this report, three cyber security case studies are discussed. First, the case company in each case is described. Second, the cyber security issues covered in each case are analysed. Lastly, the lessons learnt from each case are evaluated.
Description of Case Company in Each Case
General information of the company
T-Mobile US, Inc.
T-Mobile is a US wireless network operator. Its main shareholder is Deutsche Telekom (DT) with a 43% share, and SoftBank Group, a Japanese joint stock company, partly owns the company with a 24% share. The remaining 33% is publicly owned via common stock. Its registered office is in Bellevue, Washington, in the Seattle metropolitan area. T-Mobile US offers wireless voice and data services in the United States, Puerto Rico and the US Virgin Islands.
Google+ (often called G+, and occasionally written Google Plus) was a social network operated and managed by Google. The network was launched on 28 June 2011 to compete with other social networks, linking to other Google products such as Google Drive, YouTube and Blogger. The service, Google's fourth social media foray, grew significantly in its initial years, while statistics on use varied depending on how the service was defined. The service was managed by three Google executives and underwent major changes prior to a redesign in November 2015.
Uber Technologies, Inc. is an American company offering services such as peer-to-peer ridesharing and ride hailing, food delivery (Uber Eats) and a combined network of bikes and scooters. The company is based in San Francisco and operates in over 785 municipalities worldwide. Its services are reached through its websites and mobile apps. Uber is a public service company under the jurisdiction of the California Public Services Commission (Huang et al., 2017). Within its competence, the Commission regulates public utilities, including the charging for transportation services provided by Uber's partner drivers.
Key Business Processes of The Company
T-Mobile US offers wireless voice, messaging and data services in the United States, Puerto Rico and the US Virgin Islands under the T-Mobile and Metro brands. With more than 84.2 million customers and total sales of 32 billion dollars, the firm runs the third-biggest broadband network in the U.S. market (Huang et al., 2017). On 1 April 2020, T-Mobile US and Sprint Corporation merged, with T-Mobile as the full owner, making Sprint an effective T-Mobile subsidiary until the Sprint brand was officially phased out. Leadership, background and stock changes occurred immediately, with changes on the customer side following over time.
Circles were a core function of the Google+ social platform, enabling users to arrange people into groups or lists for sharing across Google products and services. Circles were organized via a drag-and-drop interface. Profiles also carried several identity service sections, such as the contributor and other profile fields, which allowed users to link their 'properties' across the Internet.
Google+ was Google's social networking website. The Google+ design team tried to replicate how people interact offline more closely than other social networking services such as Facebook and Twitter. The project's slogan was "The web reflected real-life sharing." Google+ was a widely used Google resource website (Huang et al., 2017). It included basic services such as a profile image, a topic section, an overview picture, past work and school history, and an area for status updates. Features included the ability to post photos and status updates to streams or communities, to group different kinds of connections (rather than simply 'friends') into Circles, instant messaging, multi-person text and video chat called Hangouts, events, location tags, and editing capability.
Uber is a transport service that allows riders to reach drivers in the area via the Uber app for a ride. The American multinational ride-hailer, Uber Technologies, Inc., is a service provider whose offerings include peer-to-peer ride sharing, ride hailing, food delivery (Uber Eats), and a micromobility system of electric bikes and scooters. UberX, the basic service level, offers a private ride for up to four passengers in a standard car with a driver. UberX and UberXL cars with child safety seats are available for an additional charge. Individuals with a service animal may, where allowed by statute, use any form of Uber service. Service levels, many of which are available only in some cities, include ASSIST, which provides additional support to elderly passengers and passengers with a physical disability but does not transport non-folding wheelchairs, and UberWAV for wheelchair-accessible vehicles.
Cyber Security Issues Covered in Each Case
a) Key cyber security issues identified
Data breach: T-Mobile's U.S. unit reported a data breach that affected only prepaid customers. T-Mobile's cybersecurity team detected a malicious attack by hackers that provided unauthorized access to certain customer information (Gharaibeh et al., 2017). Some 2 million T-Mobile customers in the United States had their account details compromised, including names, e-mail IDs, account numbers, billing details and encrypted passwords. However, according to the company's declaration to the Registrar, its UK operation was not impacted. T-Mobile announced an "unauthorized information capture". Motherboard later confirmed that encrypted passwords were affected by the attack. The servers were evidently breached through an API by an international group.
Critical infrastructure security: At the start of September 2014, Uber experienced a data breach that enabled an unauthorized third party to access Uber driver names and driver license numbers (Gharaibeh et al., 2017). Uber had already faced claims and became notorious in 2016 for compromising user data. It even paid £133m in legal penalties for the cyber attack that exposed the data of 57 million drivers and customers. Uber, the ride-hailer, also tried to keep the attack hidden, but made it public in a clever way following numerous allegations from the public. In November 2017, Uber paid $100,000 (£761,71) to hackers to delete the data they had collected from its systems.
Cloud security: Following the Facebook breach, Google revealed, as reported in a Wall Street Journal article, that the data of up to 500,000 Google+ users had been exposed since 2015 and that Google+, its social networking site, would be shut down permanently. Google noted an API flaw in early 2018 (Gharaibeh et al., 2017). Through an API, Google+ gave third-party application developers access to the data of app users' friends. According to records obtained by the Wall Street Journal, Google not only leaked this data but kept the leak secret out of concern for reputational loss. In response, Alphabet, the parent company of Google, decided to shut down Google+ completely for everyone.
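The exposure described above comes down to an API letting an app inherit whatever its user could see of a friend's profile. The Python below is an added example, not Google's code: it contrasts that flawed rule with a per-field check and lists the fields the flawed rule over-exposes. The data model and every name in it are hypothetical.

```python
from dataclasses import dataclass, field

PUBLIC, CIRCLES, PRIVATE = "public", "circles", "private"


@dataclass
class Profile:
    user_id: str
    values: dict                      # field name -> value
    visibility: dict                  # field name -> PUBLIC | CIRCLES | PRIVATE
    circle_members: set = field(default_factory=set)  # users the owner shares with


def user_can_see(owner, viewer_id, name):
    """What a signed-in person may see in the product's own UI."""
    level = owner.visibility.get(name, PRIVATE)   # unlabeled fields fail closed
    if viewer_id == owner.user_id or level == PUBLIC:
        return True
    return level == CIRCLES and viewer_id in owner.circle_members


def flawed_app_view(owner, authorizing_user):
    """Flaw class from the text: the app inherits everything its user can see."""
    return {n: v for n, v in owner.values.items()
            if user_can_see(owner, authorizing_user, n)}


def hardened_app_view(owner, authorizing_user, granted_scopes):
    """The user's own fields need a consented scope; other users' must be public."""
    out = {}
    for name, value in owner.values.items():
        if owner.user_id == authorizing_user:
            allowed = name in granted_scopes
        else:
            allowed = owner.visibility.get(name, PRIVATE) == PUBLIC
        if allowed:
            out[name] = value
    return out


def overexposed_fields(owner, authorizing_user, granted_scopes):
    """Regression check: fields the flawed view returns beyond the hardened one."""
    leaky = flawed_app_view(owner, authorizing_user)
    safe = hardened_app_view(owner, authorizing_user, granted_scopes)
    return sorted(set(leaky) - set(safe))


# Constructed sample data: bob shares email and occupation with his circles only,
# and never labeled his birthday, so it is treated as private.
BOB = Profile(
    user_id="bob",
    values={"name": "Bob Example", "email": "bob@example.com",
            "occupation": "nurse", "birthday": "1990-01-01"},
    visibility={"name": PUBLIC, "email": CIRCLES, "occupation": CIRCLES},
    circle_members={"alice"},
)

if __name__ == "__main__":
    # alice installed a third-party app and granted it the "name" scope only
    print(hardened_app_view(BOB, "alice", {"name"}))
    print(overexposed_fields(BOB, "alice", {"name"}))
```

Running `overexposed_fields` over representative profiles in a test suite turns the policy into a check that fails whenever an API change widens what third-party apps receive.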
b) Risks associated with the issues
T-Mobile: The data were accessed via prepaid service account information. In this attack, some personal details were exposed. These include name and billing address (if you provided one when you set up your account), phone number, prepaid card number, and details about your payment plan and services (Gaglione, 2019). T-Mobile also reported a leak of data involving more than one million of its customers whose personal data (but no financial or password data) were leaked to a malicious party. The damaging consequences of a data breach include financial losses. The economic effect of a security breach is unquestionably among the most important and urgent repercussions that an organization will have to come to terms with (Rojas et al., 2019). Costs also include compensating affected users, setting up incident management efforts, investigating the breach, investing in new security measures and attorney costs, not to mention the eye-watering penalties that may be imposed for lack of compliance with the GDPR (General Data Protection Regulation) (Gaglione, 2019).
Google+: The bug gave third-party developers access to the private, personal data of Google+ users. Despite Google's claim that it found no direct evidence that any of the developers were aware of the bug, the fact remains that personal information, including full names, email addresses, dates of birth, gender, profile photos, locations, occupation and relationship status, was left wide open and accessible to unintended audiences. The risks of the breach include reputational damage. Reputational damage resulting from a data breach can be devastating to a business (Gaglione, 2019). Data have also shown that close to a quarter of retail, financial and healthcare customers would avoid doing business with organisations that have been breached. In addition, 85 per cent will tell others about their experience, and 33.5 per cent will take to social media to vent their anger.
Uber: At the start of 2014, an Uber developer posted an access ID for Uber's third-party cloud storage on GitHub.com, a website built for collaboration among app developers (Fielder et al., 2016). On 12 May 2014, a user who was not an Uber partner accessed the database, which included Uber driver names and driving license numbers. The breach was identified in September 2014, but the drivers and regulators involved were not alerted (Newhouse et al., 2017). The incident culminated in several investigations by the FTC and state prosecutors' offices. Furthermore, Uber has undergone fraud trials in many other jurisdictions and civil action cases nationwide. A further risk of a breach is operational downtime. In the event of a data breach, business operations are often severely interrupted (Fielder et al., 2016). Organizations have to contain the breach and carry out a comprehensive review of the incident and of which systems were exposed. Operations may need to be shut down completely until the investigators have the necessary answers. Depending on the extent of the breach, this procedure can take days or weeks. This can have a huge impact on income and on the ability of an organization to recover.
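A credential committed to a public repository, as in the Uber case above, can be caught before the push by scanning the files being committed for key-shaped strings. The scanner below is an added example, not Uber's or GitHub's tooling; the page does not name the storage provider, so the AWS-style key-ID pattern, the assignment pattern and the entropy threshold are assumptions.

```python
import math
import re
import sys
from collections import Counter

# Assumed rules (illustrative, not a description of the credential that leaked).
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # AWS-style access key ID
ASSIGN_RE = re.compile(
    r"""\b([a-z0-9_]*(?:secret|token|passw(?:or)?d|api_?key|access_?key)[a-z0-9_]*)
        \s*[:=]\s*["']?([a-z0-9+/=_\-]{16,})""",
    re.IGNORECASE | re.VERBOSE)


def shannon_entropy(s):
    """Bits per character; random keys score high, placeholders score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep the first four characters so the finding is traceable, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text, min_entropy=3.5):
    """Return (line number, rule, redacted value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((lineno, "cloud-key-id", redact(m.group(0))))
        for m in ASSIGN_RE.finditer(line):
            value = m.group(2)
            if KEY_ID_RE.fullmatch(value):
                continue  # already reported by the key-ID rule
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "high-entropy-assignment", redact(value)))
    return findings


def main(paths):
    """Pre-commit entry point: a non-zero return value blocks the commit."""
    dirty = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, rule, shown in scan(fh.read()):
                print(f"{path}:{lineno}: {rule}: {shown}")
                dirty = True
    return 1 if dirty else 0


# Constructed sample file; the two key values are the example credentials
# published in AWS documentation, the last line is a harmless placeholder.
SAMPLE = '''\
# constructed sample: config/storage.py
bucket = "driver-documents"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_KEY = "changeme-changeme-changeme"
'''

if __name__ == "__main__":
    if sys.argv[1:]:
        sys.exit(main(sys.argv[1:]))
    for finding in scan(SAMPLE):
        print(finding)
```

A key that has already reached a public repository has to be revoked and rotated; removing the commit does not make it secret again.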
c) Impacts of the issues on case company
T-Mobile: T-Mobile US, Inc. found that a breach of its systems had jeopardized some of its customers' personal data (Mendel, 2017). T-Mobile claims that financial information (including credit card information) and Social Security numbers were not affected. T-Mobile announced a privacy leak involving over one million of its customers, whose personal details (but not financial or password data) were exposed to malicious actors (Fielder et al., 2016). The company informed the customers concerned, but did not give much information in its official account of the hack (Newhouse et al., 2017).
Google+: The bug exposed Google+ profile data that a user had not made public, such as gender, sex, email address and occupation, along with other profile data that users would not have shared freely. Financial data, passwords and other identifiers such as social security numbers were not exposed by the fault. The data leak affected 52.5 million Google+ users and led Google to speed up its plans to shut down Google+ for consumers along with its APIs.
Uber: Reports of the breach alarmed users about the protection of their personal data. With the business proposing an IPO over the next two to three years, the breach harmed its reputation with the company and with future buyers, as a consequence of further financial declines and pending inquiries (Mendel, 2017). Hackers stole 57 million driver and rider profiles, and the breach was kept hidden for more than a year after a ransom of $100,000 was paid. Uber revealed that the security breach affected 2.7 million people in Great Britain.
Lessons Learnt from Each Case
a) Actions reported in each case to address the identified issues
T-Mobile: T-Mobile sent all affected subscribers a text message notifying them of the breach. The company made every possible effort to reach its customers and help its users. It said: 'We encourage you to confirm or update your PIN (passcode) for additional protection on your T-Mobile account.' Customers were able to contact the company by calling 611 from their smartphone or 1-800-T-MOBILE from any smartphone. The organization was happy to help customers apply specific account management guidance.
Google+: Google published a blog post about Project Strobe, its effort to improve data confidentiality and privacy, which presents the findings and the actions taken to mitigate the issue, aimed at restoring support for its initial commitment to users (Cherdantseva et al., 2016). With technology giants Google and Facebook facing a heated cyber security environment, it should be no surprise that the security of your company and the confidentiality of your clients come at a price. It is for the company to decide whether that price is paid before or after a breach, the latter being a major expense for all the parties involved (Rafferty et al., 2016).
b) Outcomes of the reported actions
T-Mobile: Customers were able to contact the company by calling 611 from their smartphone or 1-800-T-MOBILE from any smartphone. The organization was happy to help customers apply specific account management guidance (Cherdantseva et al., 2016).
Google+: The security of the company and the confidentiality of its clients came at a price. Shutting down Google+ helped customers trust Google again, as it put customer satisfaction first.
Uber: All of the audits required from third parties were submitted to the FTC, and certain reward information was communicated. Uber provided bugs in its applications to complaining persons. This strengthened trust among its current clients.
c) Proposed actions other than the reported ones that could be taken to address the issues
T-Mobile: Identifying the source and extent of the breach, alerting the breach task force and addressing the breach as soon as possible, testing the security fix, informing the authorities and all affected customers, and preparing for post-breach cleanup and damage control.
Google+: Training employees and educating them about cybersecurity, protecting data, enforcing strong passwords, monitoring data and its transfer, limiting access, patching vulnerabilities, encrypting devices and data, and using two-factor authentication.
Uber: Staying calm and taking the time to investigate thoroughly, getting a response plan in place before turning the business switch back on, notifying its customers and following its state's reporting laws, and calling in its security and forensic experts to identify and fix the problem (Zhang et al., 2017).
d) Suggestions for preventing the issues in future
T-Mobile: SIM swapping is the transfer of a customer's mobile number to a different handset or SIM card. It lets an attacker receive the two-factor authentication (2FA) codes sent to the target's telephone number, with the eventual goal of hijacking financial accounts (Cherdantseva et al., 2016). SIM swapping can in some cases also be used to abuse pay-per-phone accounts (Bada et al., 2019). Prevention also involves patching and updating software as soon as possible, protecting critical data, upgrading software that the manufacturer no longer supports, enforcing a BYOD security policy, implementing strong credentials and multi-factor authentication, and educating employees on security best practices and ways to prevent social engineering attacks (Whitler et al., 2017).
Google+: Google's product security controls should be regularly audited against international standards such as ISO and SSAE18 / ISAE 3402, to give assurance that company data are processed responsibly (Bada et al., 2019). ISO 27001, one of the world's most widely recognized independent security standards, must be adopted. In so doing, Google achieves ISO 27001 certification covering Google Cloud infrastructure, G Suite and Google advertising services, including the software, people, technology, processes and data centres.
Uber: Uber will have to protect a passenger's privacy by hiding specific pickup and drop-off locations in the driver's trip history (Robbins & Sechooler, 2018). Only the general location where the trip began and finished should be recorded. In this case, the passenger can summon another Uber ride through the app. The General Data Protection Regulation (GDPR) in Europe must create "rules of the road" for companies and government bodies that use personal data in countries where this law applies. At Uber, a Data Protection Officer (DPO) must be appointed, who will help the company live by its GDPR obligations and monitor its compliance (Bada et al., 2019). GPS-based location information must be maintained and stored in a password-secured environment and encrypted during transit. Uber must also provide annual training for the employees responsible for handling personal information under its data security practices.
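One way to record only the general location of a pickup or drop-off, as suggested above, is to snap each coordinate to the centre of a fixed grid cell before it is written to the driver's trip history. The Python below is an added example, not Uber's implementation; the 500 m cell size and the trip record fields are assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius


def coarsen(lat, lon, cell_m=500):
    """Snap a coordinate to the centre of its cell_m x cell_m grid cell."""
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude, so widen the step to keep the
    # cell roughly cell_m wide; the clamp avoids dividing by ~0 near the poles.
    lon_step = lat_step / max(math.cos(math.radians(lat_c)), 1e-6)
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return round(lat_c, 5), round(lon_c, 5)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def driver_history_view(trip):
    """Record kept in the driver's history: exact points are never copied."""
    return {
        "trip_id": trip["trip_id"],
        "fare": trip["fare"],
        "pickup_area": coarsen(*trip["pickup"]),
        "dropoff_area": coarsen(*trip["dropoff"]),
    }


# Constructed sample trip; the coordinates are arbitrary points in San Francisco.
TRIP = {"trip_id": "t-0001", "fare": 18.40,
        "pickup": (37.774929, -122.419416), "dropoff": (37.802139, -122.418740)}

if __name__ == "__main__":
    view = driver_history_view(TRIP)
    print(view)
    print(round(haversine_m(TRIP["pickup"], view["pickup_area"])),
          "m between the real pickup and the recorded area")
```

Every address inside a cell maps to the same recorded point, so the history shows the neighbourhood of a trip without identifying a doorstep. In sparsely populated areas a larger cell is needed for the same effect.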
Conclusion on Cyber Security Report
High-profile data breaches remind all of us that data security is a high priority for enterprises. Organizations now face a one-in-four chance of a data breach costing about $2.21 M in the next two years. The consequences of a breach include lower customer loyalty, lack of confidence, a possible loss of income and a negative reputation. Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. It is also known as IT security or electronic information security. The concept can be divided into many categories, spanning contexts from enterprise to mobile computing. The global security challenge is growing at a high rate, and each year there are more and more data breaches. A RiskBased Security report revealed that in the first nine months of 2019 alone a shocking 7.9 billion records were exposed in data breaches.
This is more than twice (112%) the number of records exposed in the same timeframe in 2018. Given the heated climate surrounding cyber security and the tech giants Google and Facebook, it should come as no surprise that the security of your business and the privacy of your customers come at a cost. It is the responsibility of every organization to determine whether this cost is paid before or after a breach, the latter always being the greater loss for all the parties concerned. T-Mobile announced an "unauthorized data capture". Motherboard later confirmed the rumour that encrypted passwords were affected by the attack as well. The European GDPR has to create "road rules" for companies and public bodies that use personal data in countries where this law applies. The DPO is to support the company in living up to its GDPR obligations and to monitor compliance with these obligations. Google's product security controls must be regularly audited against international standards such as ISO standards and SSAE18 / ISAE 3402 to give assurance that its company data are processed responsibly. ISO 27001, one of the globally accepted security standards, will be implemented.
References for Cyber Security Report
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour?. arXiv preprint arXiv:1901.02672.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13-23.
Gaglione Jr, G. S. (2019). The Equifax Data Breach: An Opportunity to Improve Consumer Protection and Cybersecurity Efforts in America. Buff. L. Rev., 67, 1133.
Gharaibeh, A., Salahuddin, M. A., Hussini, S. J., Khreishah, A., Khalil, I., Guizani, M., & Al-Fuqaha, A. (2017). Smart cities: A survey on data management, security, and enabling technologies. IEEE Communications Surveys & Tutorials, 19(4), 2456-2501.
Huang, Z., Liu, S., Mao, X., Chen, K., & Li, J. (2017). Insight of the protection for data security under selective opening attacks. Information Sciences, 412, 223-241.
Kumar, P. R., Raj, P. H., & Jelciana, P. (2018). Exploring data security issues and solutions in cloud computing. Procedia Computer Science, 125, 691-697.
Mendel, J. (2017). Smart grid cyber security challenges: Overview and classification. e-mentor, 68(1), 55-66.
Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST Special Publication, 800, 181.
Robbins, J. M., & Sechooler, A. M. (2018). Once more unto the breach: What the Equifax and Uber data breaches reveal about the intersection of information security and the enforcement of securities laws. Criminal Justice, 33(1), 4-7.
Rafferty, W., Rafferty, L., & Hung, P. C. (2016). Introduction to big data. In Big Data Applications and Use Cases (pp. 1-15). Springer, Cham.
Rojas, J. S., Rendón, Á., & Corrales, J. C. (2019). Consumption Behavior Analysis of Over the Top Services: Incremental Learning or Traditional Methods?. IEEE Access, 7, 136581-136591.
Whitler, K. A., & Farris, P. W. (2017). The impact of cyber attacks on brand image: Why proactive marketing expertise is needed for managing data breaches. Journal of Advertising Research, 57(1), 3-9.
Zhang, Y., Chen, X., Li, J., Wong, D. S., Li, H., & You, I. (2017). Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Information Sciences, 379, 42-61.