Intellectual property and security challenges for management of eBusiness MGMT 230 Week 12.


1 Intellectual property and security challenges for management of eBusiness MGMT 230 Week 12

2 In today’s class we will cover....
Additional intellectual property (IP) challenges related to online business
Security issues for eBusiness:

3 Laws that apply to traditional commerce apply equally to the online world
Examples include:
– business incorporation and name registration
– taxation
– consumer protection and deceptive advertising
– importing/exporting
– product safety and product standards
– criminal code
– trade treaties and trade embargoes
– intellectual property and liability
Companies must comply with the law of any jurisdiction where they are considered to be “carrying on business.” (Source: Canada Revenue Agency)
However, as we discussed with respect to SPAM, prosecution is sometimes difficult

4 Examples of legal issues of particular interest to online businesses
Copyright law (discussed last week)
Trademarks and domain names
The downside of the user-generated web: Defamation / libel / incorrect information or damaging gossip

5 Enforcing trademarks and “cybersquatting”
Should a brand or trademark owner have automatic rights to a related domain name?
First come, first served?
Intention of registration (bad faith; what is the domain being used for?)
Bruce Springsteen took this case to WIPO arbitration in 2001 (and lost)
– BruceSpringsteen.com (fan site now taken down)
– BruceSpringsteen.net (the official site)
– BruceSpringstein.com (mis-spelling opportunity)
Most countries have arbitration procedures to resolve domain name disputes
– Cheaper and faster than going to court
– Apple gains control over porn-related domains
Marketers must be proactive and purchase domain name variants: www.googel.com

6 Defamation and the control of information
How do you balance free speech rights with the right of an organization to protect its reputation from defamation?
In a universe of “customer conversations” how do marketers control potentially damaging messages?
– WalmartSucks.org
– Electronic Arts’ use of DRM in Spore resulted in an Amazon review bomb
– JP Morgan’s Twitter disaster
– Bad Yelp reviews (and reprisals)

7 Thoughts?
What is the best reaction for an organization to take in response to possibly defamatory content on the web?
– In comments on the company blog or company social network pages?
– On third party websites or social networking sites?

8 SECURITY IN EBUSINESS

9 Why is security an important management issue?
Information is a key business asset
– It needs to be accessible to all who need it
– It needs to be protected
Managers need to develop and implement an overall strategy for security
Managers need to understand the threats
Managers need to understand specific techniques for protecting systems
Particularly important as organizations move into eBusiness and open up
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

10 Why is this such a high profile issue?
eBusiness – inevitable exposure to additional vulnerabilities in using networks
High profile websites and businesses under attack
– Sony PlayStation hack (April 2011)
– Adobe in October 2013
– Target 2013 – 40 million stolen CC numbers
– Ashley Madison 2015
Consumer impacts (credit cards exposed, viruses, malware, spyware etc) – loss of reputation, brand equity, and loss of customers

11 Management problem?
“Airtight security is not possible because companies have to allow on-line commerce. They have to make trade-offs between absolute information security and efficient flow of information.” McNurlin + Sprague
The management challenge is that of finding the balance
“..the key components for managing a security program are the likelihood and the likely impact of an attack.”
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

12 What are companies worried about? Canadian Cyber Crime research (2013) from International Cyber Security Protection Alliance https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf

13 Types of direct threats and attacks:
Risks to physical infrastructure
– Distributed Denial of Service attacks (DDoS)
  – Wikileaks (2010)
  – Anonymous attacks on Anti-Piracy Websites (2011) – “Operation Payback”
– Hacking – web site defacement
  – MIT website in 2013

14 Threats to corporate (and personal) infrastructure
Malicious code
Viruses – piece of code attached to an executable file that must be opened for the code to run. Viruses spread by human action (usually via attachments)
Worms – similar to viruses, but worms replicate themselves
Trojan Horses – a piece of downloaded software that initially looks innocuous and relies on people believing that it comes from a legitimate source
– E.g. CryptoLocker Ransomware

15 Types of threats and attacks:
Attacks on data
– Intercepted transmissions (eavesdropping / sniffing)
– Attacks related to insecure passwords - are “strong” passwords and frequent changes the answer?
– Social engineering (and how to protect against it)
– Phishing
– Security holes related to BYOD
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall

16 THE “4 PILLARS” SECURITY FRAMEWORK FOR ONLINE BUSINESS

17 Managing key security issues – the 4 pillars of security
eCommerce sites must guard their own data and their customers’ data, and create a secure and predictable environment for commercial exchange - they must create TRUST
4 pillars of basic security for eBusiness: ‘PAIN’
– Privacy (and confidentiality)
– Authentication and Authorization
– Integrity
– Non-repudiation

18 PAIN: Privacy and Confidentiality
Protecting data
Customer data
Firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to
– credit card numbers
– health records etc
Company data
– trade secrets / proprietary information
– business plans
Data must be protected from intrusions and theft while it is stored
Confidentiality during transactions is usually ensured by encryption

19 PAIN: Authentication
When someone submits something to your website, how can you be sure that they are who they claim to be? E.g.
– using credit cards
– making a contract or application
– registering for an email newsletter
Authentication is the process by which one entity verifies that another entity is who they claim to be
Authentication requires evidence in the form of credentials:
– “something you have” plus “something you know” plus “something you are” (biometrics)
E.g.
– username and password
– Two-factor authentication (Video - Gmail example)
– credit card - match exact billing name and address
– digital signatures, and digital certificates to authenticate web servers
– SSL Certificates: What are they? (video)

20 PAIN: Authorization
Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site
Does the person (or program) have the right to access particular data, programs, or system resources? (particularly important when protecting a server from hackers)
Authorization is usually determined by comparing information about the person or program with access control information associated with the resource being accessed (permissions)

21 PAIN: Integrity
Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner
– This could include hacking to deface a website
– Altering data held on your website or database
– Intercepting data
The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection

22 PAIN: Non-repudiation
The ability to ensure that neither side in a transaction can later claim that they, for instance,
– didn’t order something using a credit card
– or didn’t accept an order or offer for something
Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place
– Particular problem with credit cards
– Verified by Visa
Non-repudiation is usually achieved by using digital signatures that make it difficult to claim that you weren’t involved in an exchange
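
Added example (not part of the original slides): the difference between the Integrity and Non-repudiation pillars of slides 21 and 22, shown on one order message. A shared-key MAC detects alteration but either party can produce it, while a signature can only be produced by the private-key holder. A Lamport one-time signature stands in for the digital signatures the slide mentions so the code needs only Python's standard library; the order strings and all function names are constructed for illustration.

```python
import hashlib, hmac, secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(message: bytes) -> list:
    # The 256 bits of SHA-256(message), most significant bit first.
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    # Integrity only: buyer and merchant hold the SAME key.
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)

def lamport_keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def lamport_sign(private, message: bytes) -> list:
    # Reveal one secret per digest bit. A key pair may sign ONE message only.
    return [private[i][bit] for i, bit in enumerate(_bits(message))]

def lamport_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(_h(s) == public[i][bit]
               for i, (s, bit) in enumerate(zip(signature, _bits(message))))

def demo() -> dict:
    order = b"order=1042;item=widget;qty=1;total=19.99"     # constructed sample
    tampered = b"order=1042;item=widget;qty=9;total=19.99"  # constructed sample
    shared_key = secrets.token_bytes(32)
    tag = mac_tag(shared_key, order)
    private, public = lamport_keygen()   # buyer keeps `private`, publishes `public`
    signature = lamport_sign(private, order)
    return {
        "mac_detects_tampering": not mac_verify(shared_key, tampered, tag),
        # The merchant holds shared_key too, so it can tag any order itself:
        "merchant_can_forge_mac": mac_verify(shared_key, tampered,
                                             mac_tag(shared_key, tampered)),
        "signature_valid": lamport_verify(public, order, signature),
        "signature_detects_tampering": not lamport_verify(public, tampered, signature),
    }

if __name__ == "__main__":
    print(demo())
```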

