10 Tips of Computer Ethics
In today's world, Computer Ethics is very necessary to maintain corporate ethics and core values. This blog explains 10 computer ethics that used in any organization or company in 2019.
Computer Ethics 1:
Special Training for Executives
With the emergence of IT as an integral part of every business, cybersecurity has become a critical concern for all executive activities. As a result, we recommend that you consider investing in special training to sharpen the focus of executives on how they should incorporate cybersecurity considerations into their decision-making processes.
Consider also investing in additional ethics training for executives. Your executives are responsible for not only serving as the epitome of your ethics program; they also are your principal enforcers.
Many organizations invest in additional ethics training for executives not only to highlight ethical behavior and business practices but also to give them the tools to recognize and deal with employees who violate ethical standards of behavior.
Regrettably, executives often are the people in organizations who make the most egregious ethics mistakes and violations. We have seen numerous executives who were on the fast track toward the highest leadership levels in their organization yet stumbled due to unethical behavior.
We have seen some engage in business transactions with IT firms that resulted in an unacceptable conflict of interest.
We have seen others whose personal financial interests inappropriately guided their transactions such as steering business; for example, large computer and information service contracts, to companies that they owned stock in.
Others had their careers derailed when they accepted special gifts such as free or “specially discounted” software and games from IT firms. You invest a lot to develop and grow your executives. Make sure you invest in their ethics training as well.
As the people who will enforce your acceptable use, employee use, and Internet monitoring programs, your executives also should be given special training regarding your policies and enforcement mechanisms. You do not want an uninformed executive jeopardizing due process or violating someone’s rights when confronted by a violation of your policies.
Executives should clearly understand their roles and company processes when handling disciplinary situations arising from violations of these policies. The general counsel should be a key player in making certain your executives are well trained to handle violations of your policies fairly, quickly, and decisively.
Computer crime is on the rise. It can come from inside as well as outside your organization. Your executives may be among the first supervisory levels notified of incidents of computer crime.
Make sure they know what to do! Whether the crime involves physical or information theft, your executives need to know the proper process to preserve potential evidence, respect individual rights, alert law enforcement authorities, and protect your business. Invest in special training for your executives on how to handle instances of computer crime.
Privacy and anonymity are two increasingly hot topics for Internet users. In the aftermath of Edward Snowden’s disclosure that the NSA had collected sensitive information from several companies, anxiety over the exposure of private information and assumed anonymity on the Internet has become front-page news.
Your company likely is the custodian of sensitive information your clients, customers, and employees want to be protected. They expect you and your organization will protect information about them and not release that information to a third party without their permission.
Intellectual property and trade secrets are among your company’s most valuable assets. Your executives must understand the value of these assets and how to protect them from inadvertent disclosure, theft, or tampering. Invest in training your executives so they know the proper procedures for handling your intellectual property and trade secrets.
They identify several indicators that are common to those who engage in intellectual property and trade secret theft, including previous violations of rules, policies, practices, or law; personality and anger issues; and disgruntlement.
Train your executives how to recognize telltale signals that your intellectual property and trade secrets are at risk. You’ll be glad you did.
Globalization and the Internet are tightly coupled. Being able to sell to anyone anywhere in the world presents special issues about which your executives need to be aware.
For example, every entity that uses the Internet to conduct its business is a global business. Every one. Now, a small quilt shop in Eureka Springs, Arkansas, can advertise its patterns to prospective customers around the world.
They can sell to anyone with a PayPal or credit card account and use worldwide shipping services to deliver their products to the consumer quickly and efficiently. What does that company do about sales taxes at home and abroad?
Each country has its own importation and taxation laws. Does the quilt shop need a lawyer who understands the laws of every customer’s country to ensure they stay on the right side of the law? Perhaps they do!
Your executives can make you a lot of money through their expertise, imagination, and managerial and leadership skills. They also can cost you a lot when they are ill prepared and make big mistakes. You cannot afford for your executives to be unprepared in a hotly contested cyberspace environment.
Make sure you give them the training they need to best protect your vital information and business processes. It will be one of the best investments you make.
Computer Ethics 2:
If you are an executive in an organization identified as being part of the critical national infrastructure, you have special responsibilities above and beyond that of many of your peers. Those who operate and maintain critical national infrastructure are the custodians of special public trust.
Critical infrastructures such as defense, financial and banking, transportation, pharmaceuticals, water supply, and power production are heavily dependent on computers and networks. Regrettably, many of those computers and networks and the software they depend upon were not designed with cybersecurity in mind.
As a result, much of the world’s critical infrastructure is exposed to numerous vulnerabilities that could permit bad actors to disrupt, disable, or destroy these vital infrastructures that our modern society relies upon.
Cybersecurity incidents involving critical infrastructure can have huge effects that threaten public health and safety, potentially damage the environment, and cause significant financial loss. Because of these effects, critical infrastructure is a high-visibility target for hackers, terrorists, and others who are intent on creating mayhem.
It even is a target for insiders, some of whom deliberately launch cyber attacks on critical infrastructure, while others do so by accident. Regardless of the attack vector, executives charged with the management and control of critical national infrastructure have a special responsibility to protect the well-being of the public by guarding against cybersecurity incidents.
Cybersecurity experts often cite the computers that operate and control industrial systems as being an Achilles heel for many critical infrastructures.
We agree. Because many of these automated control systems were designed and fielded without cybersecurity controls, many companies are scrambling to retrofit or replace their control systems to protect the systems from attack and exploitation.
These are the smart ones. They surveyed their automated control systems looking for vulnerabilities and are taking proactive measures to insure against threats.
Regrettably, other companies are blithely unaware of the vulnerabilities their automated control systems may have and are doing nothing or taking inadequate measures to protect against accidents or attack. If you are in an organization that is part of the critical national infrastructure, which best describes you?
Are you an organization that is proactive and is making sure your automated control systems are secure or do you trust the security that the manufacturer built into the system, so you believe there is nothing to fear? What’s the worst that could happen? (Clearly, the answer is plenty!)
When thinking about worst-case scenarios (and as an executive in critical infrastructure sectors, you should know what your worst-case scenarios are and protect against them), two examples leap to mind. First, a cyber-based attack against your automated control systems could cause catastrophic results.
Cyber attacks could alter your products, disable safety controls, or introduce dangerous flaws in products or processes. Secondly, misconfigurations or other accidental alterations of automated control systems can have equally catastrophic effects. You must defend against both threats.
Many executives mistakenly believe they are immune to cyber attacks. They cite isolation from the Internet as one of their “insurance policies” that allow them to consider themselves protected against cyber attack. Especially for those in critical infrastructures, this is a foolish belief.
As was demonstrated with the Stuxnet virus incident, even systems isolated from the Internet are vulnerable to cyber attack when inadequate cybersecurity controls and procedures are not implemented, such as protecting against malicious code transported by contaminated USB thumb drives.
Are you one of these people who believe that you are immune from cyber attack because your ICS are not connected directly to the Internet? Do you think because you operate on an intranet that you are adequately isolated and protected?
Isolating critical infrastructures from the Internet whenever possible is a very good cybersecurity step yet is not the only step you should take.
Thorough employee training, strong policies, disciplined procedures, and rigorous testing (such as penetration and red team tests) ought to be part of your overall cybersecurity program to protect critical infrastructures.
We recommend you invest in training your executives on cyber threats to ICS not directly connected to the Internet. The Stuxnet case study is a good starting point but is only one of many examples worthy of your consideration.
Just because your systems may not be directly connected to the Internet doesn’t make you bulletproof. Be prepared.
Executives in critical infrastructure operations are the custodians of a special public trust. Public health and safety, environmental protection, and economic well-being all depend on effective, efficient, and secure critical infrastructures.
Many people refer to the operation of critical infrastructures as “zero-defect” operations, that is, the consequences of failure are so severe to such a large segment of the population that it is unacceptable to endure a failure.
Cybersecurity is a new element in the decision matrix for executives in critical infrastructures and needs to be incorporated into every training program, into how systems are monitored and controlled, into maintenance programs, and into procurement processes. Cybersecurity needs to be an integral part of critical infrastructure internal controls.
If you are an executive in critical infrastructures, what should you do to safeguard the systems and information under your control from threats? How do you control your risk?
These are good questions that executives in every sector ought to be asking. Many executives are quickly overcome by the breadth and depth of the cybersecurity issues. Our clients ask us, “Where do I begin?” We recommend they start by “Knowing Your Enemy and Knowing Yourself.” You should too.
Know yourself by asking, “What am I protecting?” Surprisingly, many executives do not conduct a thorough analysis of what it is that they are actually trying to protect.
Are you trying to protect public safety, intellectual property, or perhaps both? Are you trying to protect machinery such as valves or regulators from inadvertent changes that could result in harmful effects?
Are you trying to prevent bad actors from altering processes or information that could result in catastrophic effects? Are you trying to preserve the integrity of your ICS to safeguard your critical infrastructure processes and products?
Are you trying to protect intellectual property or trade secrets from falling into the wrong hands, from destruction, or from alteration?
Successful executives, particularly in critical infrastructure businesses, seek to know the second-, third-, and fourth-order effects of their decisions. Know yourself like these executives by asking deeper questions and seeking more specific answers. Know what your systems are connected to.
This is critically important in critical infrastructures as more and more ICS are being connected to business and industrial safety systems that may be connected to the Internet or potentially may introduce malicious code in a Stuxnet-style attack.
In order to best manage and control risk, you need to understand your systems, your processes, your people, and yourself. You need to know where you are vulnerable and what are your options to address each vulnerability.
You should also know your enemies. Your enemies include adversaries, competitors, and potential employees who are disgruntled or incompetent. As you conduct your risk analysis, make sure you look at all possible threats and don’t expect that the list will remain static every year. In fact, threats to critical infrastructures are growing every day.
Stay abreast of the evolving threats to critical infrastructures and regularly schedule management-level risk reviews to ensure your risk management posture and internal controls remain potent to control the risks presented by contemporary threats.
Many of our clients ask for a prescriptive checklist they can follow to “achieve cybersecurity,” especially those who operate critical infrastructure. We hate to disap point them, but there is no singular checklist that applies to every organization; every organization should be analyzed and managed separately.
Nonetheless, there are several best practices that every critical infrastructure organization (and many noncritical infrastructure organizations as well) should incorporate into its cybersecurity program:
Make cybersecurity a stated organizational priority and act upon it. Because so many critical infrastructures are susceptible to cyber attacks and accidents, senior management needs to focus attention on actions to mitigate weaknesses that may be exploited.
For example, you may be an executive in the oil, gas, or water industries. If so, your facilities may use wireless sensors to monitor and control the flow of oil, gas, or water products.
“Bake in” cybersecurity to everything you do. Your strategy, plans, policies, procedures, and training should all incorporate cybersecurity best practices.
With critical infrastructures increasingly reliant on IT and automated control systems, the need to incorporate cybersecurity best practices into your organization is no longer an option; it is an imperative.
Executives in critical infrastructures should make a point of making sure that all due diligence and due care is accomplished to ensure that appropriate cybersecurity controls are in place throughout the organization. Remember that cybersecurity is much more than technical controls.
Cybersecurity is about risk management. Control your risks by addressing cybersecurity early and often in the creation of your key business and technical activities. It is much more expensive to add cybersecurity later than to “bake it in” from the very start.
Don’t buy anything without evaluating its cybersecurity risks. With the advent of automated industrial control and safety systems, cybersecurity risks to critical infrastructures have risen significantly. Many vendors may try to sell you automated controls that are susceptible to cyber attacks. Scrutinize every potential purchase through the eyes of a hacker.
How could a hacker exploit this particular unit? Consider hiring a certified ethical hacker to evaluate the unit to give you information that will help you with your business case analysis.
It may turn out that the great deal that the vendor is giving you will quickly be offset by the costs associated with a cyber vulnerability that is exploited.
Implement strong internal controls and tightly monitor. Executives in critical infrastructures need to safeguard their systems to ensure public health and safety, protect the environment, and maintain economic stability. You can’t let your guard down and must maintain constant vigilance.
Make sure you have strong internal controls that give you the ability to monitor and control your key processes and procedures. Don’t solely rely on automated systems and their reports.
Factor in human monitoring and control mechanisms too. Your internal controls should maintain defense-in-depth principles with checks from primary and secondary systems.
Identify and have a plan to address all single points of failure. Single points of failure are items in a system where an item malfunction or failure could cause the entire system to fail.
Systems that require high availability are frequently built with redundant components and subsystems to ensure that the system continues to function in the event of a failure of a component or subsystem. A common single point of failure in your house is your electrical power.
Many people mitigate this single point of failure by installing uninterruptible power units and generators to provide continuous power to their critical electronics such as medical devices, computers, and (sometimes) their televisions.
Critical infrastructures typically can’t afford to have single points of failure, which could have catastrophic effects. Primary and secondary systems are normal configurations.
If you are involved in critical infrastructure management, make sure you avoid single points of failure. Conduct a failure modes and effects analysis of your systems.
Identify all potential single points of failure and analyze your risk to determine whether you need to mitigate, accept, or ignore the risk of single points of failure.
[Note: You can free download the complete Office 365 and Office 2019 com setup Guide.]
Computer Ethics 3:
Train your personnel
Your people are your most valuable resource and are the key element in protecting your resources against cyber attacks and exploitation. A well-trained and focused workforce is best prepared to find and fix vulnerabilities quickly and efficiently.
When your workforce is cyber hardened and “cyber smart,” they are more likely to recognize unsafe practices and procedures and detect aberrations that could be the early signs of a cyber attack or probing of your systems.
Invest in your workforce by training them well to understand cyber threats and vulnerabilities. Teach them the procedures to follow to safely and securely operate and control your systems. Make sure they understand what to do when things go wrong including who to notify and when to do it.
Practice! Many critical infrastructure operators conduct training exercises to make sure employees, local authorities, and other key stakeholders are familiar with risks and what to do when “the unthinkable” happens.
The authors have been involved in countless defense, nuclear, and industrial disaster preparedness exercises and drills that have honed the skills of mission partners across multiple sectors.
Exercises help gauge the effectiveness of plans and training. We believe exercises are invaluable and best prepare people to perform at high levels when confronted by emergency or unplanned situations.
We recommend you make exercises part of your operations yet caution that in critical infrastructures your exercises should be carefully choreographed to protect against undesired effects. At no time should exercise controllers ever allow a condition to occur that could possibly jeopardize safety. Executives at all levels should insist that all plans and personnel be tested regularly and safely.
Audit. Trusted independent audits of your systems should be regular parts of your business rhythm when you operate critical infrastructures. Don’t just audit your policies and business processes. Invest in penetration tests and red teams that probe your systems for cybersecurity weaknesses.
It is important to find and fix problems before bad actors find and exploit them. Audits also may find bad actors in your own organization. Take the case of “Bob,” a software programmer for a critical infrastructure company. Bob was a longtime employee of the organization and was widely regarded as one of the firm’s best coders.
Supervisors praised him in performance reviews for his “clean, well-written” coding. All the attaboys evaporated when security audits revealed that Bob’s account had been repeatedly accessed from addresses in China.
In the ensuing investigation, it was discovered that Bob had outsourced his own job to software programmers in China, paying them one-fifth of his six-figure salary to produce the software he was responsible for.
He had his Chinese employees adjust their work schedule to coincide with him in the United States and sent his security token to them via FedEx so they could access his computer system to make it appear that he was doing the work.
While they toiled away, Bob surfed the net, watched cat videos, updated his Facebook and LinkedIn profiles, and dutifully sent his supervisors an end-of-day report detailing all the good work he (more precisely, his Chinese employees) had accomplished during the day. Bob no longer works for that critical infrastructure firm, thanks to that security audit.
Does your organization audit for cybersecurity vulnerabilities? Do you include penetration and red team assessments of your systems as part of your risk management program? Critical infrastructure audits should be comprehensive and not just limited to business functions.
Computer Ethics 5:
Cybersecurity Training Plan Outline
Purpose: Describe why your organization is investing in the training and why it is important that they need to pay attention:
Your organization needs reliable, accurate, and accessible information.
Your information has value and needs to be protected; it is essential to maintaining your competitive advantage.
Bad actors, such as hackers, and even some employees pose potential threats to your information.
Need to balance security and effective information access.
Cybersecurity and risk management: Describe the threats and vulnerabilities facing your organization. Emphasize how they create risk if you don’t protect against them.
Natural: lightning, fire, hurricanes, earthquakes, tornados, floods, etc.
Unintentional: accidents, safety violations, poor security practices, carelessness, and ignorance
Deliberate: hackers, spies, disgruntled employees, and social engineering Social engineering
Phishing, spear phishing, and whaling
Procedures: Describe how you want your employees to protect your vital information. Inform them how you defend in depth.
Security classification, data accuracy, data quality, timeliness, authoritative sources, user authentication, roles and permissions, and need to know
Passwords, email policy, backups, threat awareness, antimalware software, firewalls, encryption, network design, demilitarized zones (DMZs), access control lists, redundancy, and physical controls
Computer Ethics 6:
Facility access, escort control, screen locking, clean desk, and equipment control
Privacy: Remind your employees of the importance to protect the privacy of clients and themselves. Don’t forget to discuss the legal requirements and liability concerns:
Personally identifiable information
HIPAA and other regulations
Foot stompers: In the college setting, “foot stompers” are things that you need to pay attention to because you’ll see them again on the test. They generally are the things your professor believes are so important that you can’t get wrong and are repeated often.
These are some of our preferred “foot stompers” for everyone, regardless of whether you are at a business or at home:
Acceptable use, employee monitoring, and content filtering
Email rules and email etiquette
The U.S. Department of Defense maintains a database called the Joint Universal Lessons Learned System (JULLS) that catalogs lessons learned during operations.
One of the benefits that users discover is in finding out how people made mistakes and learned how to prevent or fix them.
I find learning from other people’s mistakes is very helpful, so I like to share some of the most common cyber security mistakes with you in the hope that if you are aware of them, you don’t make them too:
Failure to install and keep antivirus software current
Opening unsolicited e-mail attachments without verifying source and contents
Executing games, music, videos, and programs from untrusted sources
Failing to install security patches
Not making and checking backups
Not installing the security features on your computer and network
Leaving default passwords on your computer and network devices
How to protect yourself at home and the office: Here are some “best practice” techniques that everyone should follow at home to protect themselves and their information:
Regularly scan with up-to-date antivirus, antimalware, and antispyware.
Scan all email attachments and downloads you get from the Internet.
Update and patch your software regularly.
Install and use a firewall when you are connected to the Internet.
Turn off and disconnect your computer from the Internet when not in use.
Back up important files.
Use complex passwords and keep them secret.
Don’t click on untrusted links.
Don’t reply to spam and don’t send it.
Don’t send emails to people who don’t need the information.
Don’t surrender your personal information (i.e., birth dates, birthplaces, social security numbers, mother’s maiden name, etc.) to untrusted sources.
Computer Ethics 7:
Don’t use the same username and password for multiple sites
Ethics: While your acceptable use policy should address ethics, we believe it is important to reinforce the importance of the ethical use of computers. Our lawyers do too.
Because a violation of ethical standards frequently is viewed as an offense worthy of termination, consider making ethics a special “foot stomper” in your training program:
Computer Ethics 8:
Many of our clients like to compare their cybersecurity training programs to a driver’s test. Prove yourself capable of safe driving on the highway and you get your driver’s license.
Prove yourself capable of safe driving on the information superhighway and you get access to the corporate network appropriate to your job.
Prove yourself incapable of safe driving and your license gets suspended. Many of our clients decertify their employees and suspend their network privileges when they exhibit poor cybersecurity practices and only renew their privileges after they are retrained and demonstrate they understand and will follow the corporate policies. We believe this is the best practice.
Computer Ethics 9:
Training timelines for accomplishment: If you offer your cybersecurity training through a web-based or network-based training method, establish a policy that addresses when the training must be accomplished.
Most organizations require the training be accomplished before the employee is given an account on the network with annual keep-it-current training. We believe this is a reasonable training rhythm that you should adopt.