Information technologies have penetrated nearly all fields of human activity, so they are increasingly becoming a compulsory part of any business. However, these technologies also harm it. To be more exact, the tendency toward data breaches has become a threat to the world of business and fuels the activity of entire computer crime gangs. In fact, data breaches occur to different extents on a day-to-day basis. The clearest example of regular data breaches is the attacks on Freezone Finance. Data is breached via particular activities of employees, who are not aware of participating in the attack, or through private usage, when an individual is a potentially vulnerable target. As a consequence, the matter of continual data breaches within Freezone Finance has become a strong concern for IT specialists. Thus, this problem has to be discussed and solved.
This paper suggests training all employees in order to protect Freezone Finance from being attacked. The paper covers the following issues.
- First of all, the background of the case should be given. As a result, a statement of need has to be clearly formulated.
- Then, it is necessary to outline a particular plan of action. It is needless to say that this plan should be evaluated. Further, the schedule is supposed to be created in order to trace the stages of the outlined actions. Hence, planned actions, budget and scheduling are supposed to be illustrated on the example of a particular plan phase.
- Finally, recommendations and conclusion have to be outlined, as well.
Speaking about data breaches in general, it should be admitted that they occur on a regular basis for different reasons. However, in the majority of cases, users are not aware of the possibility of being attacked and even help a hacker access the target information. The targets of attacks vary, depending on the purposes of hackers. It can be the theft of private information for blackmail or revenge, or the theft of corporate data for sale. Still, it is important to emphasize that evidence of data breaches can be seen in every single case. Freezone Finance is not an exception.
To be more exact, Freezone Finance suffers from constant attacks for numerous reasons. First of all, as mentioned before, employees simply do not realize that they are encountering a hacker attack. What is more, in some cases, employees help hackers avoid the security system. Needless to say, such mistakes occur unintentionally. These issues can be explained by the following facts. Firstly, the majority of Freezone Finance employees are busy with their working duties. They are focused on completing their tasks, so they are less likely to notice that something is wrong with the security. As a consequence, hackers attack average employees who are not responsible for the security. Secondly, some percentage of employees are incapable of identifying an attack a priori because of their specific orientation within the organization or because they were recently employed. Besides that, the security system of the organization may be weak enough to be attacked openly. However, the main party that suffers from data breaches is the customers. Therefore, a statement of need should be based on this fact.
Statement of Need
Customers suffer from constant data breaches, and needless to say this can be reflected in the general company performance. Doubtless, customers will not trust an organization that causes such inconveniences because of invalid data processing. Besides that, customers usually report data breaches. Thus, the organization keeps working without realizing that something may be wrong with Freezone Finance. Actually, it is a common problem when the organization is informed about a data breach by a third party (Mitchell, 2009, p. 5). Taking this point into account, the company has to take preventive measures concerning the evidence of regular data breaches.
Though, it is a rather complicated procedure. First of all, customers should be assured that they will be serviced appropriately. However, the main preventive procedures have to be directed at employees, who actually fall prey to the hacker attacks. To be more specific, a meaningful training program is needed. Workers will be expected to learn how to recognize attacks and what they can do before the reaction group takes action. Furthermore, employees will need to learn the basic principles of using protective software. Still, some other procedures have to be conducted as well.
By the same token, a new protective system is supposed to be implemented. If hackers manage to avoid the current one, it is obvious that it does not protect the organization’s database sufficiently. In such a way, new software and hardware should be incorporated. Desirably, it has to be a warehouse based on a cloud computing platform. All in all, these are the main needs concerning the problem of regular data breaches at Freezone Finance. Hence, the plan of action should be outlined.
Plan of Action
To begin with, employees have to be aware of the upcoming training. More specifically, training should be scheduled during working time. Otherwise, the majority of workers will refuse to attend training held during unsociable hours. Instead, it is desirable to reward employees who demonstrate the best results. With regard to the ethical background, workers are supposed to be informed that training is an important event for the organization because customers’ attention depends on the quality of data security.
Then, tutors have to be hired. Together with the company’s specialists, they will create a program which includes theoretical and practical perspectives. It can be explained by the fact that workers need to be aware of the importance of data security. In such a way, the testing should be conducted with a particular frequency, in order to trace the success of the training. Besides that, it is worth mentioning that the results of training have to be recorded during the performance of the organization. In other words, the evidence of data breaches still should be watched.
After the training, the final test should be conducted. Moreover, such tests are supposed to be conducted on a regular basis in order to keep workers motivated. Thus, rewards for the best performance concerning data security are important. However, particular software should also be chosen. In general, it is accepted to implement any protective software that blocks phishing links, unverified software installation, and e-mail messages from unknown addresses or of suspicious content (Morley, 2014, p. 165). In addition, it is essential to train employees to be able to use this software appropriately.
It is doubtless that such an important event as data security training of employees requires in-depth budgeting. First of all, this is because costs extend beyond the period of training. In other words, some additional costs will be incurred after conducting the training program. Therefore, the budget has to be planned. Taking this point into account, it is necessary to outline key aspects of the budget. Moreover, the overall budget of the organization has a separate amount of money for the arrangement of special operations and events. Thus, costs should be planned within the limit.
To start with, it is important to mention that the educating staff does not have to exceed four people. Namely, they will be the main training panel, which will organize the entire training. The employees who are supposed to be trained number approximately 50 people. Apart from these costs, some additional material has to be funded. To be more exact, it can be articles, posters, newsletters, and insight blogs. Hence, they require some part of the budget. Needless to say, the budget is expected to have some backup and funds for recovery in case of unpredicted circumstances. Therefore, these costs should also be included.
Overall, the budget for the data breach security training for the employees of Freezone Finance is supposed to be the following:
- Official license for 50 members: $4,995
- 50 endpoints for 50 members: $1,350
- Backup and recovery: $3,840
- Subtotal: $10,185
- Other materials such as newsletters, insight blogs, and articles: $1,000
- Subtotal: $1,000
- Capital expenditure and other spending: $11,185
All in all, as the plan of action has been outlined and the budget has been confirmed, it is necessary to proceed to the scheduling of the training program.
It is increasingly difficult to ignore the fact that the majority of information security breaches are committed because of human error, lack of experience, and malicious intent (Herold, 2011, p. 5). Therefore, the schedule of the training program is expected to include a phase of awareness creation. As mentioned before, workers should comprehend ethical and theoretical knowledge as well in order to be aware of the training’s importance. However, it is necessary to share the responsibilities. IT specialists are responsible for the development of the software and the involvement of the entire staff. The business managers supervise and encourage employees. Concerning the implementation team, it should be admitted that they have to incorporate new techniques. However, some specific issues also have to be discussed. In fact, it is crucially important to pay attention to the monitoring, which will be conducted at the end of the program. It is supposed to be a kind of summing up of the training outcomes because testing should be conducted every day in order to record which aspects workers comprehend better.
In general, the training program is expected to last approximately 6 months, and the phases within this period are the following:
|Phase|Duration|
|---|---|
|Understanding and actualizing the need|15 days|
|Planning and definition|30 days|
|Execution and implementation|60 days|
|Testing and monitoring|30 days|
|Closing and knowledge application|15 days|
However, this schedule can be changed due to unexpected difficulties during the training. The phases of the schedule will be the same, but their durations may be altered. Eventually, it is necessary to evaluate the training program.
It is commonly accepted that evaluation of the project should be conducted right after the project implementation. In fact, it is recommended to evaluate the training program during its entire process of implementation. Thus, it is also important to differentiate the evaluation from the testing. In fact, the evaluation estimates the training program as a procedure, while testing identifies the outcomes. In such a way, the evaluation should touch upon the following aspects.
To begin with, it is important to mention that training actions have to be evaluated. Hence, the theoretical part of the training is quite underpinned in this case. As discussed previously, awareness is a vital factor in data security, which is why employees should comprehend the theoretical knowledge. In addition, the ethical outlooks of the staff are widened as well due to the understanding of the importance of data security. In a similar way, the empirical perspective of the training is efficient because workers will be capable of eliminating an emergency problem immediately and on their own. On the contrary, the development of the protective software leaves much to be desired. Initially, the management should have emphasized the development of the software. This is because, as long as hackers manage to avoid the protective layers, the software is not powerful enough to resist hacker attacks and signal their occurrence. Still, the protective software is not effective without a sufficient commitment of employees. In such a way, this aspect cannot be completely regarded as unfulfilled because the main objective of the project is training of the staff regarding data security and awareness. However, it is only the first aspect to be evaluated, which is why it is necessary to proceed to the next one.
Furthermore, the budget has to be evaluated. To be more exact, it is important to verify whether the suggested costs are reasonable in this case. On the contrary, one may say that maximal funding of the problem solution will yield the best results, but the organization can be affected by other factors, so that the related segment of the budget will equal zero. In particular, the number of educators should be verified. As a consequence, the number of workers to be trained has to be evaluated as well. Concerning the budgeting of the additional materials such as posters, articles, and insight blogs, the evaluation of this aspect is of primary importance. This is because such costs are not underpinned. Therefore, these costs can be spent step by step so that the implementation team can trace a particular tendency regarding the response to these materials. Again, it is important to pay more attention to the protective software budgeting because it is also an important aspect, but it is not kept in the focus of this project. Still, the budget has to coincide with the schedule.
In such a way, it has to be admitted that the budget does not necessarily have to cover the scheduled period equally. Needless to say, at certain stages particular items will no longer be in use, so that their budgeting is not appropriate at this phase (Jaffe & Holtsnider, 2012, p. 164). Hence, this issue has to be taken into consideration. Finally, it should be noted that evaluation of the training program is also important for further project implementations; the experience of this training is recommended for recording. In such a way, the evaluation of the Freezone Finance training program should be conducted.
As Freezone Finance is an organization, which deals with financial operations, it is needless to say that it has become a vulnerable target for computer criminals. To be more specific, hackers attack the company in order to make false transactions or commit a forgery of official documents. Thus, it is not just a violation of customers’ private information, but financial harm, as well. Taking this point into consideration, it is important to demonstrate the training program’s efficiency.
For starters, it should be noted that employees will pass the tests on a regular basis. What is more, they will not be informed about the testing because some attacks will be simulated, so that workers will be given an opportunity to act in a real situation. As a consequence, the reactions to the attacks will be evaluated separately. More broadly, such simulations should be conducted with a certain frequency in order to keep employees stimulated (American Bar Association, 2008, p. 12). Besides that, theoretical knowledge will be combined with empirical knowledge, so that workers will acquire the principles of data security in the widest range of its importance. Moreover, the training is not expected to be a special event, even though it is regarded as an important procedure. This is because the staff should not feel any pressure from the head team.
All in all, this phase of training program completely addresses the objective of the project. In a similar way, the rest of the training phases will be conducted according to the principles of the real life situation environment. Therefore, a combination of theory and practice is justified. Still, the program is supposed to meet the budget limitations but does not have to be measured only by terms of the outlined schedule.
Conclusion and Recommendations
To conclude, the current paper has dwelt on the discussion of the data security training of employees of Freezone Finance. This topic has been chosen due to the constantly increasing evidence of hacker attacks and the related need to protect the organization’s customers from computer crimes. To be more specific, this paper has suggested the solution to the issue of the staff training. The paper has discussed the following aspects. The background has been given, and the statement of need has been outlined. Then, the plan of action has been described. As a consequence, the budget and the schedule have been created in accordance with the plan of action. Furthermore, the evaluation of the project has been provided with the example and recommendations. Hence, a fragment of the training program has been demonstrated.
Taking all these points into consideration, it is worth saying that the solution to this problem definitely lacks attention to the software development. However, this issue requires a wide range of questions to be included, so it will be reasonable to touch upon this issue in terms of the related research. It is doubtless that this aspect also requires a combination of theoretical and empirical perspectives. In addition, it is important to recommend a flexible budgeting and scheduling approach because some specific difficulties may emerge during the training program implementation. To the broadest extent, such a serious event does not have to be limited by particular terms because the quality of this training is more important than terms.