Assignment 2: Hacking the AIS

In today's technology environment, hackers present a substantial risk to a firm's accounting or business system. As a result of these attacks, firms suffer huge losses, ranging from financial losses to losses in confidence by consumers, creditors, and suppliers. Firms may have made a significant investment in financial and non-financial resources to secure these systems. For this assignment, research the Internet or Strayer databases and select a company whose database systems have been hacked.

Write a 6 page paper in which you:

1. Based on the information you researched, evaluate the level of responsibility of the company in terms of the effectiveness of the response to the security breach. Provide support for your rationale.
2. Imagine that the company that you researched uses a third-party accounting system. Assess the level of responsibility of the software provider to both the business and its clients. Provide support for your rationale.
3. Create an argument for additional regulation as a preventative measure against businesses being hacked. Provide support for your argument.
4. Provide at least three (3) recommendations for businesses to secure their systems and assets from hackers. Provide support for your recommendation.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:


- Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
- Include a cover page containing the title of the assignment, the student's name, the professor's name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

The specific course learning outcomes associated with this assignment are:

- Examine control and security concepts related to accounting information systems to ensure data integrity and safety.
- Use technology and information resources to research issues in accounting information systems.
- Write clearly and concisely about accounting information systems using proper writing mechanics.

Database Hacking at Premera Blue Cross, a Leading U.S. Healthcare Organization

Premera Blue Cross has been serving the Northwest region of the USA for the past 80 years and provides affordable and reliable dental, life, vision and medical coverage to families, individuals, professionals and companies. The company offers a range of health plans with varying costs and coverage to suit the different needs and budgets of its customers. The company also operates its own pharmacy.

The Hack

The company was exposed to a database hack from 5th May 2014 to 29th January 2015. The data accessed included the names, addresses, birthdays, email addresses, member identification numbers, social security numbers, medical claims information, clinical data and bank account information of customers. The hack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska and other affiliated brands of the company, such as Connexion Insurance Solutions and Vivacity, among others. The hackers had access to the records of around 11 million consumers and customers of the company.
The hacking incident also affected many other members of Blue Cross Blue Shield plans who were seeking treatment in Alaska or Washington for different diseases.

The Subsequent Control Measures Premera Took

The company responded to the discovery of the hack in a swift and precise way. The investigation carried out by company staff revealed that the date of the first attack was 5th May 2014. The company notified the FBI promptly and later coordinated with the Bureau's investigation. Company officials and technical staff also worked with Mandiant, a leading cyber-security firm, to remediate the damage. Mandiant helped the company remove the infections that the hack had left in its IT infrastructure. Premera took a number of steps to clean up the residue of the attack and to further strengthen its security against future attacks. It also listed on its website certain precautions for consumers to follow and advised consumers not to divulge any kind of information to an email or unsolicited phone call that claims to be in relation to the attack. Customers were also advised to read their EOB (explanation of benefits) statements when they received them and to notify the company if the statements listed services they did not obtain. Premera also mailed letters to all consumers whose personal information was accessed during the attack. The company does not have any evidence that data was removed from the system, nor any evidence that the hacked data has been used for any inappropriate purpose. Premera never stores the credit card information of consumers, and hence this information was not affected by the attack. Since then the company has introduced better means of encrypting its database and has adopted multiple layers of security to protect data against attacks.

Hence it can be said that the healthcare organization acted in a responsible and accurate manner. It gave individualized attention to its consumers and mailed each affected consumer specifically. It also notified a government law enforcement agency (the FBI) and helped the agency conduct its investigation. It improved its data encryption and database security techniques and engaged the services of the world's best cyber-security company to do so.

Responsibility of a Third-Party Accounting System Provider Towards Premera and Its Clients

Accounting systems are far more important than other database management systems because they contain very important financial data of the firm and its clients. They may contain bank account numbers, payment information, transaction information, debit/credit card details, net banking information and other kinds of financial information. Vendors offering accounting software and services have a high responsibility for the efficacy and security of those services and systems, as these systems are the backbone of a company's financial transactions.
A third-party accounting system provider can offer either a cloud-based or a software-based (on-premise) accounting system and service. Modern third-party accounting systems are based on cloud computing, and using them is like doing business on the web in real time. Premera Blue Cross would not require its own in-house technical staff and technology infrastructure if the company adopted a third-party cloud-based accounting system. Modern cloud-based systems can easily be deployed on the web and do not require on-premise distribution and deployment. Modern third-party accounting system providers therefore have to shoulder a great deal of responsibility when it comes to security and other aspects of the accounting system. The vendor provides the customer with online storage space and processing power. It must provide a quick implementation process and should see to it that the client company has the lowest possible upfront costs. Hence the responsibilities of the vendor are manifold, and the service provider must ensure that its services deliver lower maintenance costs, disaster recovery, backup capabilities and reduced support costs.

The accounting system provider also has a high responsibility towards the clients of the client firm. The vendor must ensure that its services/software have the most modern security measures and that the database is encrypted and stored in the best possible way. Accounting data may contain credit/debit card information, bank information and other financially vital information of those clients, and hence the vendor must have a foolproof online and offline ecosystem for the accounting system to operate in. For cloud-based accounting services, it is important that the vendor's data center has an AICPA Service Organization Control report. The report is issued after stringent evaluation of the various components of the accounting system, such as infrastructure, software, people, procedures and data.

Vendors are required to own the risk responsibilities and must have a reactive approach towards risk management. Companies give more weight to factors like cost, quality and delivery but do not give enough consideration to risk management. There are financial service providers and other firms which store highly confidential data of their clients, and a hack of this kind of database system can cause great financial loss for both the company and the client. Risk assessment is crucial, as there can be a number of loopholes in complex global supply chains as more and more companies start to operate internationally. It is important for the vendor and the companies to assess, monitor and audit their information in a timely manner. Companies should also identify and quantify risk factors and innovate solutions for mitigating hacks. Measures like data retention, backup, archiving, the employment of human controls and physical security, and the positioning of network controls are some ways to ensure better database security. A recent study found that around 85% of U.S. organizations had at least one data breach in the year 2009, and the numbers are bound to escalate in future. Data breaches are even more expensive in monetary terms when third parties are involved. Hence risk management and database security must be prime objectives of the vendor.

More Regulations for Preventing Hacks and Protecting Businesses: An Argument in Favour

Privacy and security of different kinds of personal and business data has been an issue of great concern since the 1960s. With the Internet, the possibility of a business being affected by a breach or hack has increased manifold.
Different laws have been enacted to protect consumers and businesses from loss, and these laws affect, in one way or another, all companies that operate in the global marketplace. The laws that relate to company databases fall into three broad categories. Privacy law defines the extent to which companies can use information relating to their customers and the obligations they have towards securing their databases and the personal information of their clients. Laws relating to data security address the ways in which information is kept secure and the liabilities and responsibilities each party has in the event of a breach. Other laws have been made by combining components of privacy, data breach and data security, among others.

In the U.S. there are a number of laws that deal with particular situations of data privacy breach. These include the Fair Credit Reporting Act (which deals with credit information), the HITECH and HIPAA acts, which deal with healthcare data, and a host of acts that deal with financial data, including the Bank Secrecy Act, the Gramm-Leach-Bliley Act and the Red Flags Rules of the Fair and Accurate Credit Transactions Act of 2003, among others. There are also certain other acts that touch the database security sphere, like the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act. Still, there is no comprehensive law to deal with the threat of hacks. The regulatory framework is different in the EU, where the union centrally supervises private-sector use of personal data, and the Information Directive of 1995 and the Privacy and Electronic Communications Directive of 2002 entitle every EU citizen to a right to privacy. The U.S. could also turn its regulatory patchwork into a more comprehensive legal framework and deal with hacking crimes in a more thorough and methodical way. A law that is articulated to consider all the minutiae of data privacy and database management could also be implemented easily and adjudicated speedily.

Recommendations for Businesses to Secure Their Systems and Assets from Hackers

Recommendation 1
Small businesses should keep their servers and systems in a safe and secure place where no theft can occur. Cables should be protected from rodents, and unauthorized access should be blocked. Switches and cables should also be locked away.

Recommendation 2
It is of paramount importance to follow security protocols and provisions when the company uses wireless connections for Internet access. It is very easy to hack a wireless network that lacks security applications and encryption.

Recommendation 3
Authorized users must have login IDs and passwords. Passwords should not be shared and should be changed periodically. Password leakage and manipulation are an important cause of system and server hacks.

Recommendation 4
If laptops are used, then software that can track the whereabouts of a laptop is of paramount importance, and every laptop must have it. In 2008, a laptop was stolen from an airport lounge, restaurant or hotel room every 53 seconds. Laptops can store important financial information, and losing them can be disastrous for a business.

Recommendation 5
It is important to back up data outside the business premises. Apart from hacks, natural calamities (including floods, thunderstorms and earthquakes) and man-made disasters and accidents (such as fire) can cause data loss. If the data has a backup, then it can be restored easily.

Recommendation 6
When a business decides to sell its computer systems, it must thoroughly wipe the systems before selling them. The systems may contain important business information and statistics, and somebody may decide to tamper with that information later on.

Recommendation 7
When a computer is being repaired, only licensed repair professionals should be allowed access to it. This step would ensure that data is not stolen and does not fall into the wrong hands.

Recommendation 8
Data can also be lost via Wi-Fi. Hackers set up fake Wi-Fi networks that resemble the official wireless network. Before a company employee signs into a Wi-Fi network, he/she must check that the name of the network is legitimate. It would also be better to use a VPN for better data protection.

References

1. Defelice, A. (2010, Oct 1). Cloud Computing: What Accountants Need To Know. Journal of Accountancy. Retrieved from http://www.journalofaccountancy.com/issues/2010/oct/20102519.html
2. Zurich. The Liability of Technology Companies for Data Breaches. Retrieved from https://www.advisen.com/downloads/Emerging_Cyber_Tech.pdf
3. Shanker, S. (n.d.). Accounting Information Systems & Security. Retrieved from http://smallbusiness.chron.com/accounting-information-systems-security-3955.html

