Case Study: When Hackers Turn to Blackmail
1. Introduction to the Sunnylake Hospital case
The use of information technology in business presents major security challenges, poses serious ethical questions, and affects society in significant ways. In particular, computer crime is a growing threat to society, caused by the criminal or irresponsible actions of individuals who take advantage of the widespread use and vulnerability of computers, the Internet, and other networks. It presents a major challenge to the integrity, safety, and survival of most business systems.
Once Sunnylake Hospital was a backwater community care centre, while Paul, the CEO of Sunnylake had come to the hospital five years earlier, the situation of
Once negotiations are in play, everything turns into a chess game. The negotiator and the emergency team can work out terms and logistics. When an agreement has been reached, the money is dropped and the whole episode is over.
2.2 Providing full disclosure to his various constituents
The CEO and the board are responsible for “good business judgment” in guarding against the threat. So Paul’s first mistake was to dismiss the original e-mail message. All IT threats should be taken seriously, and he would have let Jacob Dale know that no IT system is “bulletproof.” Sunnylake should have had a workable, fully tested backup system to ensure uninterrupted patient service and protect everyone affected. Doctors and nurses are trained to diagnose, problem solve, and dynamically treat their patients. IT systems facilitate, but are not substitutes for, patient treatment. The fact that the hospital did not have up-to-date security software installed, or a reliable security outsourcer and an emergency plan in place, is inexcusable.
So what should Paul, the CEO, do? First, he had better get off that sofa and give up the vain hope that IT can restore the system and get the hospital running again. Paul should also be in high communication mode with all of his constituents. He should understand that in today’s networked environment there are absolutely no secrets. Any IT breach forces an organization to ask, How much should we disclose about this threat? In
However, some people trying to fix the attack did an adequate job considering the problems the company had. Joanne and Leon Ledbetter did everything in their power to restore the website and protect the customer data, which even included running red lights. Leon was so new that he didn’t know exactly what to do. Training for an emergency would have proven useful. The CIO, Bob Turley, knew of the emergency protocol and out-of-date manuals, but never did anything to alleviate these problems. This put the company at a significant disadvantage, and created a bigger problem than was necessary. Faced with this problem, Turley was able to facilitate direction for the company as best as he could, which ended with the security breach stopping.
As we have seen throughout the county, if the proper “tone from the top” is not emphasized or proper policies/procedures implemented and adhered to throughout, the company’s reputation, assets, stock values could be harmed tremendously. Some smaller enterprises might not be able to sustain a cyberattack and
As organizations utilize software and the internet together to make transactions and complete accounting functions, the threat of cybercrime comes into play. “Cyber crime against private business is growing, and consuming a larger share of Federal Bureau of Investigation resources than ever before…” (Kelly, M., & 42 staff, 2011)
A root-cause analysis of the security breach revealed multi-factorial issues at the technical, individual, group, and organizational levels. At the technical level, the applications and web-tools were initially tested and evaluated in an ideal environment that was not equivalent to the clinical practice
If you were the CIO of Jones Regional Medical Center during this system failure, what steps would you take during the outage? What steps would you take after the outage to reduce the likelihood of a reoccurrence of this problem?
While all of these technologies have enabled exciting changes and opportunities for businesses, they have also created a unique set of challenges for business managers. Chief among all concerns about technology is the issue of information security. It seems to be almost a weekly occurrence to see a news article about yet another breach of security and loss of sensitive data. Many people will remember high-profile data breaches from companies such as T.J. Maxx, Boston Market, Sports Authority, and OfficeMax. In the case of T.J. Maxx, a data breach resulted in the loss of more than 45 million credit and debit card numbers. In many of these incidents, the root cause is a lack of adequate security practices within the company. The same technologies that enable managers can also be used against them. Because of this, businesses must take appropriate steps to ensure their data remains secure and their communications remain
That seems to be the first time the iPremier was attacked due to their desperate situation. They did not know how to handle it, which explains the lack of training and emergency procedures. The company was more focused on profit than protecting their customer's information. If I were Bob, I would avoid panic and stay focused; assemble a team and start the incident response plan; start an investigation to define the details on the extent and nature of the attack; analyze and assess the origins of the violation; draw up a plan for the incident in question; disclose the incident to the parties involved and notify the authorities; and review the incident response plan, strategy, and security policies.
Prevalent in the current trend is society's dependency on information technology and communication systems. Every aspect of human life is in one way or another linked to and controlled by information technology tools. The importance of information technology cannot be overemphasized, as its unavailability could lead to one form of disaster or another. Pivotal infrastructures like finance, healthcare, education and security are driven by information technology. However, information technology and its benefits are accompanied by vulnerabilities and risks that can be exploited by people with the necessary technical skills. Individuals like ‘Hackers’ and ‘Cyber Terrorists’ can cause disruption to information systems, commit financial fraud and also attack computers and networks. These attacks and disruptions could result in violence against people and property. In some cases, death, serious injuries and severe economic loss could occur as a result of these attacks.
The IDS (intrusion detection system) was unable to contain the infection; however, it was able to send a message to Iris's smartphone (Whitman & Mattord, 2010, pp. 333 & 334). The case exercise extends this scenario to include Iris, whose smartphone beeped. Thinking that it was junk e-mail, Iris thought to herself, "We need to find a way to control all this spam." She quickly realized that the situation was far more grave than that and scoured her incident response documentation for the phone number of the system administrator on call. The system administrator informed Iris that the alert was caused by some type of virus infection. Iris decided that she needed to have the program manager resume virus control refresher training. Iris inquired as to why the firewall did not stop the virus, to which the system administrator responded that the virus must be new enough to evade detection by the pattern filters. Iris asked what the plan was, to which the system administrator responded: cut the Internet connection; initiate recovery operations; shut down infected systems; clean up infected servers; recover data from tape backups; and notify partners that they may have infected emails sent from our email servers. Iris gave the system administrator the authorization to start the recovery operations. Iris activated the incident response plan and made phone calls
Normally, a company would follow emergency procedures while dealing with crises, but in iPremier’s case, there was no emergency procedure available. Under these circumstances, and with no prior experience with security breaches, I believe the company performed well. Bob Turley communicated well with the other members of the company, but if I were in his shoes, I would have been more conservative and acted faster.
Almost all kinds of large and small organizations might face an increasing number of attacks on their network or intellectual property. This may lead to data disclosure, data destruction, and damage to the organization’s reputation. There are numerous threats in cyberspace which might be capable of stealing, destroying or making use of our sensitive data for financial and non-financial gains. As the number of computer, mobile and internet users increases, so does the number of exploiters.
Ultimately, CP did a poor IT job because all they did was recognize a problem, escalating
Henceforth, there has been both an emergence and shift from traditional crime to cyber and/or corporate crime. Additionally, there has been a dramatic increase in corporate internal crime within the business environment as a result of modern sophisticated technologies, including highly qualified cybercriminals who constantly dwell on strategies to target businesses internally and externally. For example, corporate (IT) cybercrime most often consists of crime against an organization in which the perpetrator utilizes a computer and/or host server to engage in all or part of the crime.
The evolution of information technology is inevitable, not only in the telecommunication and networking industry; it is also gaining popularity in the business industry by way of Enterprise Resource Planning (ERP) systems and rapidly making its move towards the accounting and auditing industry through data analytics software. As IT innovation continues, concerns about capacity and storage, together with the demand for expansion and accessibility, bring in cloud computing and big data analytics. As the business industry grows after the financial crisis, companies examine opportunities to reduce operational costs and lower the risk of technology infrastructure becoming obsolete. Obviously, integrating business functions into more highly technical and sophisticated systems is cost effective; however, the damage caused by security and privacy risks can be very costly as well. Guillot (2013) indicated that today's inexpensive, effective and efficient business functions are owed to evolving technology, but technology also makes fraud easy to facilitate and engineer by perpetrators who can commit fraud anywhere and anytime as the internet, mobile devices, computers and the cloud are used to conduct business (p.43). Guillot quoted the statement of Steve Mar, director of IT: “It’s not that fraud has changed, it’s that technology has made it easier” (p.43).
Based in Seattle, Washington, iPremier, a leader in online retail sales, became a successful company in the internet-based commerce industry. The company retailed luxury, rare, and vintage goods online. In 2008, the company hired Mr. Bob Turley as their CIO to take their operations management to the next level. Six months into his reign, the company’s website experienced a denial of service (DoS) attack that caused chaos and confusion in the company, as no contingency or disaster recovery plan existed. During this incident, it was discovered that there were no standard operating procedures to follow, which led to confusion among the employees. Furthermore, they failed to get any form of support from Qdata, an outsourcing hosting company that was in charge of providing internet security services, which led to a cascade of unsuccessful events in dealing with the attack. Many of the existing processes were unproductive, including the escalation of the problem. This attack temporarily crippled the company’s online retail website, prompting customers to contact the helpdesk. In reviewing this security breach, it is recommended that iPremier reevaluate its governing values of “discipline, professionalism, commitment and partnership for achieving profits” and the corrections that ought to be implemented to prevent another occurrence of the problem that was experienced.