Introduction
Currently, one may observe the rapid development of modern technologies that are used in most aspects of human life. IT technologies are engaged not only in many areas of business, including medicine. However, one may use them for negative purposes. Hacker break-ins and extortion of money have become widespread among private companies and at the state level. Usually, hacking of personal data and the threat of their destruction or dissemination becomes the subject of money blackmailing. Moreover, the target of hackers can be military facilities, including missile launchers, which are often controlled by computers. Therefore, this can pose a serious threat. The aim of this paper is to analyze hacking and its components, such as ethical hacking, and to manage cyber security, on the example of the University’s data break-in.
Main body
Today, there is an increase in demand for security technologies, including hacking prevention. The trend toward digitalization in the provision of services, including healthcare systems that use electronic patient records, has led to a change in safety priorities (Abouelmehdi et al., 2017). Thereby, the concept of ethical hacking emerged, which is legal action aimed at identifying IT security weaknesses voluntarily. It has its pros both for the hacker, as working legally, and for companies, because they can safely discover the downsides of their cyber security. In this case, the “white hacker” not only provides information about the detected weak spots but may also deliver services to eliminate them if one has sufficient competence. However, ethical hacking also has its cons: for example, a cracker may decide to extort a large amount of money at any time if the information is valuable.
Qualitative cybersecurity includes strategies to encrypt sensitive data so there is no way to decrypt the information and use it even if a breach happens. One such strategy in healthcare is “de-identification”: rejecting any information that may help identify the patient (Abouelmehdi et al., 2017). One may also use it in university databases that store important students’ or financial information. In the event of a hack, it is necessary to adhere to a clear plan, namely, contact the relevant security authorities and inform the university management. Further, one needs to negotiate with the hacker and take steps to mitigate the consequences; this is important because a clear plan will help minimize losses in a stressful situation. Having a clear plan is necessary as hacker attacks are usually carried out unexpectedly, much like military operations. A well-thought plan will help one not act chaotically, saving valuable time and reducing stress.
In case of any emergency, including when an organization like a university is hacked, the consequences impact many aspects. There is a definite relation between leadership and core values, in this case, university ones. Thus, leadership implies, primarily, the provision of quality services, which is impossible in an unsafe cyber environment. Among the core values are those related to confidentiality, which is the main target of any attack. Likewise, IT governance provides cybersecurity services to university governance, which links the previous elements between themselves. In addition, communication between the IT department and university governance, especially in an emergency, is usually foreseen in the cybersecurity risk management plan. Therefore, the main component of a cybersecurity plan is communication between the mentioned links. All this formulates the connection between the above elements, as well as the interest of all parties.
In the case under consideration, namely the hacking of the University of an ethical nature, as it was mentioned by a hacker, with a proposal to improve cybersecurity on a voluntary basis, there are several stakeholders. Firstly, the main ones are the hacker and, accordingly, the object of hacking, namely the University’s governance and the IT department. However, stakeholders are also students, as the object to whom the University provides services, and staff (teachers and workers). It is formulated by the University’s success affecting their performance, which also affects the University’s work. Thereby, all parties are interconnected and interested in the successful resolution of the situation.
Considering that the break-in was of an ethical nature, it is necessary to determine whether both parties acted ethically. From a hacker’s perspective, the very proposal to improve cybersecurity seems ethical. However, one should not forget that it was done without warning. Thus, the IT director was obliged to accept the fact of having no choice. Moreover, no legal agreement was concluded confirming the voluntariness and legality of such actions. Consequently, the hacker’s actions seem unethical, although they did not intend to blackmail or extort a large amount of money. The actions of the IT director are ethical, as they were conditioned by the emergency plan and by the fact of a security threat. Namely, the notification of the security service and the university governing bodies and negotiations to de-escalate the situation.
Actions to be taken by IT in the event of a breach include those aimed at leveling the consequences of the situation. Firstly, immediately after receiving a message from a hacker, it is necessary to notify all the relevant authorities. These include the IT security department, governing bodies (in the current case of the University), and senior management. Further, one should analyze the scale of the threat and what information was hacked. Moreover, it is crucial to assess the degree of a threat if the conditions set by the hacker are not met and the potential losses. In addition, one needs to try to negotiate in order to gain time for further actions. It is also important because one may try to negotiate with the hacker or reduce the damage.
Ethical hacks can be helpful in the context of improving cybersecurity in general. Indeed, the IT field is a specific and new one that must be subjected to hacking attempts to enhance security systems. In addition, sometimes hackers have the necessary specialized knowledge that is lacking when training security professionals. Nowadays, extensive data security and privacy are considered a barrier for researchers (Abouelmehdi et al., 2017). In other words, the IT department could partner with white-hat hackers to improve their skills, taking ethical hacking to the next level. Even though companies practice cooperation with ethical hackers, it does not seem to be enough.
Conclusion
Consequently, one may conclude that the development of information technology has led to the use of computers in almost all areas of service provision, business, and industry. This formulates high priority in designing proper protection strategies. In the context of cybersecurity risk management, it is vital not only to have good protection but also to have a clear plan for dealing with a threat. One needs to develop existing cybersecurity strategies, such as de-identification, to provide a higher level of safety. Moreover, in the context of university hacking, it was identified that hackers’ actions are unethical. In contrast, the actions of the IT director are ethical and according to the plan in place to manage the cyber security risk.
Reference
Abouelmehdi, K., Hssane, A. B., Khaloufi, H., & Saadi, M. (2017). Big data security and privacy in healthcare: A review. Procedia Computer Science, 113, 73-80.