COMM226 Business Technology Management Engagement Activity: You Are a Data Security Specialist Preface (IMPORTANT) If you have already done the Interactive Business Case 2 activity and generated your snapshot to do your assignment, you do not need to use this document. This document is offered as a textual alternative to account for student preferences. Likewise, if you have decided to use this document to complete your assignment, you do not need to do the Interactive Business Case 2 activity as the content of the activity and this document are identical. Assignment Instructions This interactive business case (in which you roleplay as a Business Technology Consultant) illustrates course concepts through a concrete, real-life scenario with ctional characters going through a situation in which you, the learner, will be presented with choices you must make to resolve problems faced by the characters. Requirements 1. Read through the business case. 2. You will be provided with a selection of technological solutions from which you must choose three. 3. You will then be presented with a choice of three cyberattacks, you must choose w to defend against using the three solutions you chose previously. Choose whichever one you feel would be the most interesting to write about. 4. Make note of which solutions and which cyberattack you chose for each issue and submit your reection response to the Interactive Business Case 2 Reection on the assessments page. Sweet Shop update i You are a Data Security Specialist Five years have passed since Simon was advised on the IT strategic plan for the pastry shop that he inherited from his parents, and the \"Sweet Shop Empire" he had dreamt of has become a reality. Sweet Shop is no longer just a \"Montreal phenomenon.\" Their stores can be found in every major Canadian city, and they have begun to expand into other countries, including a new flagship store in New York city. Taking their cue from other popular businesses in the food service industry, Sweet Shop launched a loyalty program where customers could earn points to get free items after a certain number of purchases. After a few years, this evolved into the Sweet Deal credit card, which allows customers to earn Sweet Shop points on purchases made in affiliated online shops. In order to make their credit card work, Sweet Shop had been required to collect sensitive personal data from their users. Last month, they suffered an embarrassing data breach which resulted in some of their customers' data being stolen. As the CEO and face of the Sweet Shop brand, Simon was obliged to write to those customers who could potentially be affected. The fallout of this breach has resulted in Sweet Shop losing 1i5 of the subscribers to their online credit card, and, after a slew of negative comments on their social media profiles, they have also seen a downward trend in new subscribers. Simon wants to avoid such situations in the future and hopes to reassure the Sweet Shop fan base that they are acting to do so. To help him in this he asks Serge to recommend him a Data Security Specialist. Serge reaches out to Annie, an acquaintance of his who is very skilled in this area. You will be roleplaying as Annie in this scenario. Annie and Simon In Conversation As Annie, you greet the entrepreneurial pastry chef who has sought out your services, "Hi Simon, it is great to meet you. i am sorry that this has happened to you, but rest assured i am here to heip. So, how about you teii me what happened exactiy. \" 'Ddlpparentiy, some hackers broke into our system. i don 't know how they did it, but they got the personai information of a fat of our ciients. The first i heard of it was when i heard that the info was for sate on the dark web, and the thieves ciaimed they got it from our servers. Of course, ihad to write to aii our customers, just in case they were affected, and now we are being destroyed oniine. \" Simon sighs, before continuing, \"The y are saying that i am negiigent and incompetent. They're saying i shouid stick to baking and stop trying to 'piay with the big boys. \" "t am sorry to hear that, Simon. Clearly, that was some incredibly important information that the hackers got away with. To preserve your reputation, we need to make sure nothing like this ever happens again. is there any other corporate data you want to protect?\" Simon pauses a second, before revealing the next piece of information to you, "We also have all the secret family recipes that my mother and father developed in our database, we share them amongst our stores, and have all employees that have access to them sign a non-disclosure agreement. l am worried that if our competitors get a hold of them that we might lose our competitive edge in the artisanal pastry market.\" \"Oh, trade secrets! Those are invaluable, you really can't afford to let those teak. So, let me ask you, what data security solutions are you currently employing?\" "We have a rewall that was installed along with the original system, and we subscribe to an anti-virus and anti-malware provider.\" "Hmm yeah, with the importance of the data you are trying to protect, you are going to need some stronger defences than Jiust those. t can provide you with an effective array of technological interventions that will ensure nothing like this ever happens again. \" "That sounds greatl\" says Simon, sounding relieved, \"We can afford to give you $25,000 to implement them.\" \"Perfect! l will get back to you soon.\" Annie's Recommendations \"5 As Annie, you can afford to choose three solutions from the following list. 1. Purchase an anti-virus software to scan for potential threats. 2. Implement an employee monitoring system. 3. Buy an improved rewall and better anti-malware. 4 . Use a control access system to set different levels of employee authorization. 5. Use encryption and a private VPN to protect sensitive data. 6. Arrange cybersecurity training for all employees. 3* As a student in the COMMZZB course offered through eConcordia, you make a note of your three choices, and your reasons for choosing them, as you will need this information to aid you in an upcoming reection assignment. The Second Cyberattack (A) Soon after your solutions have been implemented, there is a second attempt to gain access to Sweet Shop's data. The hacker tried to use phishing to get the credentials of one of the company's data entry clerks. The scenario will play out differently depending on the solutions you had recommended to Simon previously. If you did n_ot choose to arrange cybersecurity training for all employees (6), nor implement an employee monitoring system (2), or you did not use a control access system to set different levels of employee authorization (4), then you got this result: at The data breach was successful. Although you advised Simon to purchase several technological solutions, these neglected to take into consideration human error. Phishing attacks prey on employees who are naive about the importance of good data security practices on their part. If you chose to arrange cybersecurity training for all employees (6), then you got this result: 0 The data breach was unsuccessful. Thanks to your recommendation to provide thorough cybersecurity training, the data clerk was easily able to recognize the phishing attempt for what it was so rather than engaging with it, they deleted and reported the fraudulent email immediately. If you chose to implement an employee monitoring system (2), and you did not arrange cybersecurity training for all employees (6), then you got this result: 0 The data breach was unsuccessful. Thanks to the solution you implemented which monitors employees, system administrators were able to step in and stop this data breach as it was in progress. If you chose to use a control access system to set different levels of employee authorization (4), and you did not arrange cybersecurity training for all employees (2) or implement an employee monitoring system (6), then you got this result: 0 The data breach was unsuccessful. Thanks to the solution you implemented which limits the authorization of certain employees, getting the credentials of this low-level employee did not allow the hackers to access anything important. Other Potential Cyberattacks Do not feel bad if your recommendations did not protect Sweet Shop from the phishing attack. There are other forms of cyberattack that you need to protect your clients from, and perhaps your mix of solutions would have protected Simon's company from one of the following cyberattacks. Cyberattack B In this cyberattack scenario, an agent working for Sweet Shop's main competitor, Dough-Ray-Mi, tailgated one of your employees into the building to try and steal a device with confidential information. The scenario would play out differently depending on the solutions you had recommended previously. If you did not choose to use a control access system to set different levels of employee authorization (4) nor use encryption and a private VPN to protect sensitive data (5}, then you got this result: 0 The data breach was successful. Although you advised Simon to purchase several technological solutions, these neglected to take into consideration the simple theft of devices. Smaller devices with increased storages such as laptops, smart phones, and thumb drives are becoming increasingly easy for attackers to steal. If you chose to use a control access system to set different levels of employee authorization (4), then you got this result: 0 The data breach was unsuccessful. Thanks to the solution you implemented which limits the authorization of certain employees, the device stolen did not allow the hackers to access anything important as it belonged to a low-level employee. Things could have been different had they snatched a different device. If you chose to use encryption and a private VPN to protect sensitive data (5), then you got this result: ' The data breach was unsuccessful. Due to your initiative to encrypt data and use a VPN, all important data is now located in a private network that is not accessible without the relevant credentials. Furthermore, the most sensitive data is encrypted so even if the thief can get at the information, there is a double layer of protection due to that info being encoded. Cyberattack C In this cyberattack scenario, the attackers tried to install clandestine alien software on an employee's device without their knowledge. The scenario would play out differently depending on the solutions you had recommended previously. If you did not choose to purchase an anti-virus software to scan for potential threats (1), nor buy an improved firewall and better anti-malware (3), or you did not arrange cybersecurity training for all employees (6), then you got this result: . The data breach was successful. By focusing on technological solutions that mitigate human error, you neglected to empower Sweet Shop's workforce with the knowledge to avoid risky online behaviour. As a result, one of the senior employees clicked on a suspicious link and attackers were able to install a keystroke logger and discover all his passwords. If you chose to purchase an anti-virus software to scan for potential threats (1), then you got this result: 0 The data breach was unsuccessful. Thanks to your suggestion to purchase an early warning system that proactively scans the web for new viruses, Sweet Shop was alerted to the danger of this alien software and was able to put defences in place against it in particular. If you chose to buy an improved firewall and better anti-malware (3), and you did not purchase an anti-virus software to scan for potential threats (1), then you got this result: 0 The data breach was unsuccessful. The improved rewall and anti-malware that you recommended Sweet Shop upgrade to was much better equipped to combat this new alien software than what they had before. If you chose to arrange cybersecurity training for all employees (6), and you did not buy an improved rewall and better anti-malware (3) nor purchase an anti-virus software to scan for potential threats (1 ), then you got this result: 0 The data breach was unsuccessful. Thanks to the thorough and detailed cybersecurity training that Sweet Shop's workforce was given, employees are much more cautious about clicking on suspicious links or downloading les or software from untrusted sources. As you have seen, there are benefits to choosing a wide range of solutions as different protections can combat different types of cyberattacks. 3 As a student in the COMM226 course offered through eConcordia, choose to defend from cyberattacks A, B, or C, and then nd the result which corresponds to the mix of solutions you chose while roleplaying as Annie. When deciding on which cyberattack to defend against, you may simply choose the one you feel would be most interesting to write about in the reflective assignment. Conclusion Well done! You have advised Simon on how to protect his business from cyberattacks. Hopefully, you learned a valuable lesson from this experience, whether your recommendations ended up protecting Sweet Shop or not. If you have not done so yet, make a record of all the advice you have given to Simon, and the reasons you made the decisions you did, as you will need this for the reection assignment due on the week of Lesson 11. 3 Once completed, submit your reflection response to the submission page titled Interactive Business Case 2 Reection, which can be accessed via the preceding link or via the Assessments page on the course Moodle