Managing Technology-based Risks
You would think that this is so obvious as to not need saying, but too many people appear to operate as though downplaying or ignoring risks has any impact on their reality.
That sign announcing “bridge out” isn’t really concerned with how much you believe it or agree with it. It doesn’t care if you are too busy to deal with it. All it knows is that unless you happen to be flying by in a plane or helicopter at the time that you read it, it does apply to you. (It might even apply to you if you are in a boat, depending on where the bridge has ended up.)
Technology-based risks DO exist. In fact, they are quite prevalent. This is primarily because the gory guts of technology are understood by relatively few, while used by increasingly many. And the cuter and more friendly the interface, the greater the likelihood that there is serious complexity behind the scenes.
Over time, technology has become ubiquitous in more facets of our lives. We rely on it for many things, but in very few cases are any of us able to manage the risks it represents. In fact, many of us are totally unaware of most technology-based risks, because we are only focused on the functionality and style that such technology affords us.
So far this year, we have seen several significant failures/breaches of technology infrastructure that highlight the risks we are vulnerable to.
Many Internet services were adversely impacted when cloud computing pioneer Amazon.com experienced a significant outage in a portion of their Elastic Compute Cloud environment. Many of these companies transferred a variety of operational and financial risk into the cloud, but inherited new risks that they ignored or did not fully understand, and thus did not properly address. One notable exception was Netflix, which *did* address their risk to a great degree. Some, however, have experienced permanent data loss.
Many consumer brands were adversely impacted when email service provider Epsilon was breached. And there will be long-term fallout for the consumers of those brands as well, in increased SPAM, increased spear-phishing attacks, and possible identity theft.
Many online gamers were adversely impacted when Sony suffered a major breach of its PlayStation Network in which personal and financial data was accessed from some 77 million customers! Oops – make that ~100 million accounts. And there are already reports that some of these gamers might already be seeing credit card fraud attempts.
Risks must be managed. They can be transferred, but there is generally a price to pay for that, and you have to be sure that the entity taking on the risk is prepared to handle it. Why? Because an improperly transferred risk is like a dropped baton at the time of handoff – both parties are impacted.
As a business, make sure your contracts clearly outline the risks you are likely to face and provide some relief for them. BUT, don’t just rely on legal remedies. Ensure that you have appropriate backup plans and/or insurance to mitigate or deflect the fallout from technology-based risks.
- Are you prepared to deal with the theft of mobile devices?
- Is your network easily accessible for your employees and partners, but suitably protected from infiltration by the dedicated and persistent attacker?
- Do you have an inventory of your equipment?
- Do you monitor the network for anomalies?
- If your primary hosting provider or internet service provider was inoperable for several days, would you still be able to run your business?
For consumers, legal remedies are harder to put into place on a per person basis, but it is still important to understand what risks you have and how you can diminish their impact.
- Given all the connectedness of your smartphone or tablet, what would happen if you lost them (or if they were stolen)?
- What data only resides on those devices?
- What critical data resides on those devices that would expose you to problems if the wrong people had it?
- Would you be able to function in a useful way without your primary technologies?
- What would you do if the various service providers you use were breached?
- How concerned are you about your privacy in relation to your connectedness via social networks?
- Do you give away financial or other sensitive information to websites that are not using encryption?
- Are you using the same email and password combination for all your online activities?
- Are you using strong password practices?
- Do you realize that these things are all important in containing your risk?
These risks won’t go away by themselves. In fact, they are only increasing. Think about it: Was it even possible for a single breach of a non-financial organization to impact the financial data of ~100 million people just 10 or 20 years ago? The corporate trends towards consolidation and outsourcing are only going to make this worse as we move forward.
Years ago, when trying to justify the Information Security budget I was proposing, it was remarked to me that “we are not a bank.” Well, moving forward, many organizations might have to fortify themselves as though they were a bank, if they are going to handle any aspect of our financial info.
Technology makes many things faster and easier. Unfortunately, this is true for the criminal element as well. Only you can prevent/minimize your technology risks – there is no incentive for anyone else to do so.