“Ethical conduct in its highest sense, however, is a product of personal character—an acknowledgement by the individual that the standard to be observed goes beyond that of simply conforming to the letter of a list of prohibitions.”
The explosion of technology over the last 30 years has changed the way we do business—but have we given enough consideration to its ethical impacts? For example, there’s no question that practical technology issues such as cybersecurity, email, and data protection carry ethical consequences. So how do we measure ethics in relation to these technology issues?
When looking at how technology is used in our organizations, we can start by asking if professional behaviour has been demonstrated and due care has been applied. Additional actions include the following: checking for data integrity; ensuring those who oversee our technology have the necessary professional competence; making sure that we guard confidentiality through adequate protocols; and considering whether we need the help of competent and objective outsiders to accurately assess risks and aid with any policy and procedural changes required.
Example 1: Ethics and cybersecurity
A data breach can affect hundreds of millions of people and cause irreparable damage to a company’s reputation and bottom line. The reason for a data breach can be as simple as the misconfiguration of a firewall. To make sure this doesn’t happen to your organization, ask the following questions:
- Have you applied due care when configuring your firewall rules?
- Has your firewall been adequately reviewed and tested?
- Are those who are implementing your firewall sufficiently skilled and appropriately trained?
- Have you evaluated all risks and benefits objectively, without bias?
Example 2: Ethics and email
Every organization uses email, but not every organization has implemented adequate security protocols. Questions to ask here include: “Do the emails sent from our organization demonstrate professional behaviour?” and “Are we taking due care to ensure that we’re protecting confidentiality?”
A useful set of tools and processes available with some email services is data loss prevention (DLP). DLP will identify, monitor, and automatically protect sensitive information from being shared outside of your organization. For example, it will block an email that contains a social insurance number or credit card number from being sent outside of the organization. The person attempting to send the email will be notified, and the system will report the issue.
Does your organization have DLP in place? If not, what other steps have you taken to ensure professional behaviour and protect confidentiality?
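The DLP behaviour described above (block an outbound email containing a social insurance number or credit card number, notify the sender, report the issue) can be sketched as follows. This is an added example, not code from the article or from any email service; the `example.org` domain, the function names, and the sample message are constructed for illustration. Both card numbers and Canadian SINs carry a Luhn check digit, which lets the check ignore look-alike numbers such as invoice IDs.

```python
import re

INTERNAL_DOMAIN = "example.org"  # assumption: the organization's own mail domain

# Candidate patterns: digit runs optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")      # 13 to 19 digits
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")  # 9 digits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) for each Luhn-valid card number or SIN."""
    findings, card_spans = [], []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
            card_spans.append(m.span())
    for m in SIN_RE.finditer(text):
        if any(s <= m.start() and m.end() <= e for s, e in card_spans):
            continue  # already reported as part of a card number
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("sin", mask(digits)))
    return findings

def evaluate_outbound(recipients: list, body: str) -> dict:
    """Block only when sensitive data is leaving the organization."""
    suffix = "@" + INTERNAL_DOMAIN
    external = [r for r in recipients if not r.lower().endswith(suffix)]
    findings = find_sensitive(body)
    blocked = bool(external and findings)
    return {"action": "block" if blocked else "allow", "findings": findings,
            "notify_sender": blocked, "report": blocked}

# Constructed sample: a test card number, a sample SIN, and an invoice number.
SAMPLE_BODY = "Card 4111 1111 1111 1111, SIN 046-454-286, invoice 123 456 789."

if __name__ == "__main__":
    print(evaluate_outbound(["client@partner.example"], SAMPLE_BODY))
```

Commercial DLP adds context rules, attachment scanning, and tuning on top of this kind of pattern-plus-checksum match, so a sketch like this is a way to understand and test a policy rather than a replacement for one.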
Example 3: Ethics and data protection
How are you protecting data from unauthorized access? For most organizations, data protection comes down to a single line of defence: the user password. Often, that password is left to the user to create.
In the article, “Your Pa$$word Doesn’t Matter,” Alex Weinert, director of identity security at Microsoft, warns against this practice, saying: “[Your] password, in the case of a breach, just doesn’t matter—unless it’s longer than 12 characters and has never been used before—which means it was generated by a password manager.”
In addition to making the case for password managers, Weinert advocates for the use of multi-factor authentication (MFA), noting: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
This poses a clear ethical question for anyone not currently using a password manager and MFA: “Have we taken the necessary steps to ensure data integrity?”
Get the conversation started
When it comes to technology, opinions on what constitutes ethical behaviour can vary significantly. If your organization hasn’t yet reviewed technology through an ethical lens, hopefully this article will spark the discussion.
Ward Blatch is a CPA, CA, in Nova Scotia, where he provides accounting, tax, training, and support services, as well as network evaluations for small businesses and not-for-profit organizations. He also provides consulting and training services throughout North America as a partner with K2E Canada and teaches a variety of technology-related courses for CPABC’s PD Program.
The full version of this article was originally published by CPABC in Focus.
Interested in learning more? For workplaces looking to raise their cybersecurity level, the Canadian Centre for Cyber Security offers information and resources for small and medium businesses (SMBs). This includes its CyberSecure Canada program, a cyber-certification program developed from the baseline security controls identified by the Canadian Centre for Cyber Security. This program is ideal for SMBs and organizations with fewer than 500 employees.