Secure Digital Assets: Cybersecurity for Organizations - Essay Sample

Paper Type:  Essay
Pages:  7
Wordcount:  1874 Words
Date:  2023-03-09

Introduction

Cybersecurity for physical and digital assets is a growing concern for organizations that obtain, use and store personal information of clients and employees. In an age of vast improvements in information technology, organizations commonly go to great lengths to guarantee the protection of consumer information so that it does not land in the wrong hands. Cybersecurity is vital because most of these firms collect and store unprecedented amounts of data on their computers and other devices. Most of this information could contain personal details of consumers, ranging from their credit card information to financial data (Atoum, Otoom & Abu Ali, 2014). Unauthorized access to such information could have adverse effects on the lives of consumers, hence the increased focus on developing measures that would ensure improved protection of private information.


Despite the understanding of cybersecurity and its importance in organizations, there are pervasive challenges in the area of data security and information management. One of the most crucial problems that organizations must be ready to deal with is the ever-evolving nature of security risks. The security threats that might have been identified a decade ago do not necessarily pose a significant threat to organizations today (Umar, 2013). Thus, companies must continually assess the cybersecurity environment to identify new security threats and ensure that they have measures in place to protect consumer/client information. There is also the concern that, in some instances, it could prove challenging for firms to get the entire management on board with the investment required to protect company data. This paper analyzes the Uber data breach reported in 2016 to determine the nature of the problem and the measures that management could have taken to prevent its recurrence.

Uber Data Breach

Uber Technologies Inc. is an American international corporation operating in the taxi industry. The company relies on a mobile application through which users conveniently find a car, make a call, take a trip, and pay for the service. At its inception, the company enjoyed a competitive advantage over taxis that operated under the traditional system. Users found it more convenient, which increased its market base across the globe. Over time, however, other companies entered the market, increasing the level of competition the company faced. The company currently operates in about 630 cities across the globe (Conger, 2018). Nonetheless, it has had to deal with several issues over the years, especially concerning how it conducts business, which ultimately impacts its reputation. One of the critical concerns that the company's management has had to deal with recently was the Uber data breach that compromised the security of its clients' and drivers' information.

In 2016, the management team publicly admitted that the company had been a victim of data security incidents. It stated that the breach had resulted in unauthorized access to private data belonging to about 57 million consumers and drivers working with the company worldwide (Conger, 2018). The information that might have been compromised includes the names and personal data of the customers, their email addresses, contact numbers, and the drivers' financial details, including their location and trips. There was also a concern that the hackers may have accessed the license information of the drivers.

The main concern that brought the issue into the limelight is the fact that the company's management failed to report the incident immediately to law enforcement agents. It took the company over a month to realize that its system had been breached. Instead, the company opted to give in to the demands of the hackers who asked for $100,000 ransom (Conger, 2018). The agreement was that they would not disclose that they had breached the company's security system and would delete all the information acquired upon receipt of the payment. This was not a first offense for the company, as it had dealt with an almost similar incident in 2014 (Conger, 2018).

Considering the nature of the breach and the reaction of the company's management, Uber's case settlement is often regarded as one of the biggest in data privacy history and involved 50 states (Conger, 2018). The company eventually agreed to pay all the affected parties $148 million, which was divided across all the states (Conger, 2018). Other than the settlement, the company was also held accountable for their decision not to disclose the breach and the fact that they engaged in illegal trade practices (Conger, 2018). In the age of technology and the internet, there are laws in place which aim to ensure that companies take the necessary action to protect the consumer and private information for third parties.

Other than the monetary implication emerging from the data theft, it would also be crucial to consider the possible implications that it had on the brand reputation. Consumers might have been reluctant to continue using the hailing taxi service under the assumption that there was no guarantee that their data would be secure. The company's management actions were a clear indication that they did not have the consumers' interest at heart. With the high level of competition that the company faces in most markets, it would be expected that the event adversely affected the revenue flows of the firm at the time.

The Problem in the Case Study

After accessing the client and driver information, the hackers contacted Uber attempting to extort money from them. This makes it evident that their main objective was to have leverage that would help them get ransom money in exchange. However, the main problem was that there was no guarantee that the hackers would delete the information after they got the money. Other than ransomware attacks, different motivations could lead to hackers working to gain access to client information from a company (Atoum, Otoom & Abu Ali, 2014).

Firstly, one must consider the fact that hackers sell breached data to third parties, such as advertisers and gamers. Data breaches such as the one at Uber are designed to steal the personal data of clients and the company's drivers. The attackers could use the information obtained to hack into the private accounts of the individuals or use it for identity theft. Secondly, hackers might also use the information collected to conduct credit card fraud (Geers, 2011). There are millions of people in the United States who have been victims of credit card fraud and often do not understand how their personal information fell into the hands of hackers. The reality is that cases such as the incident at Uber could be an example of how hackers gain access to personal information used to conduct credit card fraud.

However, there are cases in which individuals hack systems to prove their expertise. Some could be ethical hackers or malicious individuals aiming to test their skills and determine whether they can breach an organization's cybersecurity. In the case of ethical hackers, there is a minimal threat as they examine the vulnerability of systems and report the findings to a company's IT teams. However, it is challenging to determine whether hackers are ethical or not, especially when they access the personal and financial information of clients and employees.

Analysis of the Problem

According to an analysis of the issue, the hackers gained access to the company data through an Amazon web server owned by Uber. They accessed private information using credentials that one of the company engineers had left on the GitHub repository (Conger, 2018). The hackers then used the login credentials to access the company infrastructure account, which handled the computing tasks of the company. It was through this infrastructure account that the hackers discovered a backup file that contained archived information on the drivers and the company's clients. Based on the report from an investigation conducted on the incident by the Federal Trade Commission, the hackers obtained a significant number of files, including the company's redundancy file, which contained the company's information on millions of their clients as well as drivers' information (Conger, 2018).
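Credentials committed to a repository, as in the account above, are what a pre-commit or CI secret scan is meant to catch before the code is pushed. The following is an added example, not part of the original essay and not Uber's code: it flags AWS-style access key IDs and secret keys in a constructed set of files. The file names, the entropy threshold and the function names are assumptions, and the key pair is the placeholder pair from AWS documentation.

```python
import math
import re
from collections import Counter

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary) + 16 chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character base64-alphabet value assigned to a name containing "secret".
SECRET_VALUE = re.compile(
    r"(?i)secret\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_ENTROPY = 3.5  # bits per character; assumed threshold to skip placeholders

def shannon_entropy(value):
    """Bits per character; random key material scores high, 'xxxx...' scores 0."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value):
    """Keep only enough of the match to locate it; never echo the full secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_files(files):
    """Return (path, line_number, kind, redacted_value) for each suspected credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in ACCESS_KEY_ID.finditer(line):
                findings.append((path, lineno, "aws_access_key_id", redact(match.group())))
            for match in SECRET_VALUE.finditer(line):
                if shannon_entropy(match.group(1)) >= MIN_ENTROPY:
                    findings.append((path, lineno, "aws_secret_access_key", redact(match.group(1))))
    return findings

# Constructed sample repository. The key pair is the placeholder pair used in
# AWS documentation, not a real credential.
SAMPLE_REPO = {
    "deploy/backup.py": (
        "import boto3\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "config/template.env": "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n",
    "README.md": "Credentials are read from the instance role at runtime.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_REPO):
        print(*finding)
```

A key that a scan like this finds has to be treated as compromised and rotated, since deleting the line leaves it in the repository history.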

Since the company had dealt with an almost similar incident in the past, it would have been prudent for the company's management to take necessary measures to protect its data. The fact that the company fell victim to a similar attack two years later is an indication of the reluctance of the IT department and the management in deliberately protecting clients' and employees' data from malicious hackers (Atoum, Otoom & Abu Ali, 2014). The company needed to realize that it stored personal client and driver information in their system and had an obligation to protect the data. More importantly, the company needed to have a business continuity plan to ensure that employees understood the proper actions to take in the event of another attack.

The Solution to the Problem

History is brimming with examples of incidents that turned into crises because of efforts by companies and individuals to hide the truth. Although the Uber data breach was significant in that the hackers accessed 57 million customer and driver records, had the management followed the standard breach protocols by notifying the authorities and the users, the impact of the breach would not have been as severe as reported (Atoum, Otoom & Abu Ali, 2014). The company should have made the public aware of the breach in its systems and laid out the measures to remediate the situation and prevent another possible attack in the future. It is imperative to note that Uber was under a legal obligation to notify the regulators, clients, and drivers who had been affected by the security breach.

The company's security breach involved hacking the database through a misplaced password. As such, Uber's case is a clear indication that changing passwords regularly and using the 2-factor method is necessary for protecting company data. For this reason, the company needs to consider developing a more advanced security model and antivirus modules to detect breaches and defend the systems when one occurs. For instance, the company should institute measures to require authentication, encryption, and authorized access to the company's databases (Kuhn, 2018). Breaches such as in the case of Uber are easily avoidable as they require strong passwords as the first line of defense. In this case, the company's inept preparedness and laxity in protecting third-party data are not easy to exonerate. Considering the amount of data the company takes from its customers and drivers, it would be imperative to consider working with regulators and industry experts to protect its data from potential misuse. The regulators provide sufficient information regarding the steps to take in case of a data breach.

Additionally, the company should consider carrying out a security audit regularly to ensure the systems run optimally. Security audit refers to the systematic evaluation of the company information system to determine how well it conforms to the established security criteria (Umar, 2013). It helps the management identify areas of vulnerability in the security system that might create a loophole for a cyber-attack. Besides, identifying weaknesses helps IT experts to take the necessary measures to detect and prevent the occurrence of data theft and other malpractices in the future. Also, security audits aim to determine the...

Cite this page

Secure Digital Assets: Cybersecurity for Organizations - Essay Sample. (2023, Mar 09). Retrieved from https://proessays.net/essays/secure-digital-assets-cybersecurity-for-organizations-essay-sample
