Week 1
8.1 Security risks
8.1.1 Know the type of confidential information held by organisations:
• Human Resources:
Human Resources (HR) departments play a pivotal role in managing various aspects of employment, including salaries, benefits, and employment data. Ensuring the security of this data is paramount, as it involves sensitive personal information. Understanding the rights and responsibilities associated with this data is crucial for both employers and employees.
Salaries
HR is responsible for developing and managing compensation structures that are equitable, competitive, and compliant with legal standards. This involves handling sensitive data such as employee names, job titles, pay grades, bank account details, and tax information. Protecting this data is essential to prevent unauthorized access, fraud, and identity theft.
Benefits/perks
Beyond salaries, HR administers various benefits and perks, including health insurance, retirement plans, and other employee incentives. Managing these benefits requires collecting and processing additional personal information, such as medical records and beneficiary details. Ensuring the confidentiality and security of this data is vital to maintain employee trust and comply with legal obligations.
Staff personal details
HR departments maintain comprehensive records for each employee, encompassing personal details, employment history, performance evaluations, and disciplinary actions. According to the UK government, employers can keep certain data about their employees without their permission, including name, address, date of birth, and employment terms. However, they need employees' consent to retain sensitive data, such as information about race, religion, or health conditions.
In any sector, not just digital support services, employee information must be carefully managed. Information about employees’ roles, performance, and any disciplinary actions should remain private.
Examples:
• IT Access Permissions: Digital support employees often have access to sensitive areas of the system. Information on who has access to what is confidential and should not be shared, as it could allow unauthorized personnel to access restricted data.
• Employee Performance Data: Digital support teams may monitor employees for productivity and quality of service. This performance data is confidential and should only be accessible to authorized managers and HR.
• Training and Skill Levels: Employees in digital support services may have different skill levels or special certifications. This information can affect the roles they take on, but it should remain private to prevent workplace discrimination or bias.
Commercially sensitive information:
Commercially Sensitive Information refers to crucial data that businesses keep confidential to remain competitive and protect their operations. This type of information gives companies an advantage, and if it falls into the wrong hands, it could lead to financial losses, damage to reputation, or even legal issues. Let’s explore key types of commercially sensitive information, why they’re essential, and how this applies particularly to the digital sector.
o client details
Client or Customer Details include information such as names, contact details, purchase histories, and preferences. Businesses invest heavily in building customer relationships, and competitors gaining access to this data could result in lost customers.
• Example of Breach: In 2019, Facebook experienced a significant data breach where the personal information of over 500 million users, including client contact details, was leaked. This harmed Facebook’s reputation for privacy and led to a decline in user trust.
o stakeholder details
Stakeholder Details involve information about individuals or groups with an interest in the company, like investors, employees, and suppliers. Disclosing this information could lead to unwanted interference in business relationships.
• Example of Breach: In 2020, Marriott Hotels suffered a data breach that exposed sensitive details of guests and other stakeholders. Hackers stole data including names, birth dates, and email addresses, which damaged Marriott’s reputation and created security concerns for stakeholders.
o intellectual property
Intellectual Property (IP) includes inventions, logos, designs, and content created by the company. Protecting IP is crucial as it helps distinguish a brand’s unique offerings.
• Example of Breach: In 2014, Samsung was accused of copying Apple’s designs and technology for smartphones. Apple sued Samsung for patent infringement, claiming Samsung’s phones closely resembled iPhones. This led to a long legal battle, showing the high value companies place on protecting their IP.
o sales numbers
Profit Margin is the percentage of revenue a company retains as profit after covering its costs. This information helps businesses decide on pricing and manage expenses. Revealing it can give competitors insights into how much a company spends and how it prices its products or services.
• Example of Breach: In 2015, the “Panama Papers” scandal exposed the profit margins and tax details of many large companies, leading to public backlash. Companies like Apple and Nike were shown to have set up offshore accounts to reduce tax bills, revealing their real profit margins and financial strategies. This damaged their reputations and led to a decline in public trust.
Trade Secrets are unique formulas, processes, designs, or techniques that give a business a competitive edge. Think of Coca-Cola’s secret recipe or Google’s search algorithm. If these secrets get out, anyone could copy them, undermining the business’s advantage.
• Example of Breach: In 2019, former Google employees were found to have shared trade secrets with rival companies after leaving the company. For example, Waymo, Google’s self-driving car division, accused a former engineer of stealing sensitive technology and sharing it with Uber to advance its self-driving car project. This jeopardised Waymo’s competitive position in the autonomous vehicle market.
o contracts
Access information:
o usernames
o passwords
o multi-factor authentication details
o personal identification number (PIN)
o access codes
o passphrases
o biometric data.
8.1.2 Understand why information must be kept confidential by organisations:
• salary and benefits:
o prevent competitors from offering higher wages to attract staff
o prevent employees from comparing salaries/demanding comparable pay
• staff details:
o protect privacy
o prevent competitors from directly contacting them
• intellectual property:
o prevent competitors from copying designs
• client details:
o prevent competitors from contacting clients
o protect client privacy
• sales numbers
• access information:
o prevent unauthorised access.
“Protect the Secrets”: A Commercially Sensitive Information Case Study
Objective:
Students will identify different types of commercially sensitive information, consider the implications of breaches, and discuss ways to protect data in the digital sector.
Materials Needed:
• Whiteboard or flip chart
• Markers
• Printed case study cards (or a digital version if working online) with a scenario related to each type of commercially sensitive information:
• Sales Revenue
• Trade Secrets
• Profit Margins
• Client/Customer Details
• Stakeholder Details
• Contracts
• Intellectual Property (IP)
Setup:
Prepare 7 cards, each with a brief scenario that describes a data breach or misuse of one type of commercially sensitive information. Ensure each scenario includes enough detail for students to discuss its impact and how the data could have been protected.
Activity Steps:
Step 1 (5 minutes): Introduction & Discussion
1. Start by briefly reviewing what commercially sensitive information is, why it’s valuable to companies, and the types you’ll be exploring (sales revenue, trade secrets, profit margins, client/customer details, stakeholder details, contracts, and IP).
2. Explain that the group will be looking at real-world scenarios where sensitive information was compromised and considering the consequences and preventive measures.
Step 2 (10 minutes): Group Scenario Discussion
1. Divide the students into 7 small groups (or pairs if necessary). Give each group one of the scenario cards related to a specific type of commercially sensitive information.
2. Ask each group to discuss the following questions for their scenario:
• What type of sensitive information is involved in this scenario?
• How might this data breach or misuse impact the company, its customers, or its reputation?
• What steps could the company have taken to protect this information?
3. Allow 5 minutes for the groups to discuss their scenarios and prepare a brief summary of their findings.
Step 3 (5 minutes): Group Share & Debrief
1. Invite each group to share their scenario and their answers to the three questions.
2. After each group shares, highlight key points on the board (e.g., impacts of breaches, potential protections like encryption, secure networks, employee training).
3. Wrap up with a debrief, discussing how the digital support sector plays a critical role in preventing these breaches and why companies invest in data protection.
Extensions (if time permits):
• Class Discussion: Talk about recent high-profile data breaches and what they mean for companies and customers.
• Reflection Question: Ask students to reflect on why data security is increasingly important in a digital world where information is easily accessible.
Research the following examples:
• Emotet botnet
8.1.3 Understand the potential impact to an organisation of failing to maintain privacy and confidentiality:
• non-compliance with regulations:
o loss of licence to practice
• loss of trust
• damage to organisation’s image
• financial loss:
o fines
o refunds
o loss of earnings/termination of contracts
• legal action
• reduced security.
Last Updated
2025-12-17 15:04:12