Catastrophes and Information Security Risk

The world has certainly experienced its share of natural catastrophes over the past few months—major hurricanes, extensive flooding, powerful earthquakes, record-breaking wildfires—as well as manmade tragedies—mass shootings, vehicles driven into crowds, refugees escaping from warring countries, and the like. In all these situations, mitigating the threat to life and limb is certainly of paramount importance and the initial focus must always be to save lives and reduce human suffering.

But we must also consider threats to information security due to increased opportunities for identity theft, fraud, scams, and other nefarious activities. Little has been written about these issues since, as one would expect, the news media swamp us with the physical side of these catastrophic events. But the information security risk aspects can also be devastating. As you watch footage of people fleeing wildfires in California with a few precious items in hand and then returning to the piles of ash that were their homes and contents, as information security experts, you must be asking yourself what is happening to all the victims’ data, especially identifying information and personal records. How will they recover this information? Who will try to impersonate them and steal money from their bank accounts, get financial aid that should be going to the real victims, use victims’ credentials to get healthcare services, and a long list of other crimes? And, importantly, shouldn’t we be doing things differently with our information in preparation for such events?

As I pointed out in my article “Responsibilities and Liabilities with Respect to Catastrophes,” in Cyber Crime: Concepts, Methodology, Tools and Applications, edited by IRMA (Information Resources Management Association), IGI Global, 2011, which was in response to the impact of Hurricane Katrina on New Orleans, you cannot necessarily count on your records being stored elsewhere. The offices and records of your doctors, lawyers, accountants, government agencies, hospitals, etc., could all have been wiped out in the same disaster, and so not only will your primary data have been destroyed but your backups also. I argue that catastrophe contingency planning is an entirely different animal from regular continuity and recovery planning and must be treated as such.

I am reminded how, because of the 9-11 terrorist attack on the World Trade Center, a certain major bank had both its downtown-Manhattan headquarters and its primary processing center knocked out for days, even though these buildings were some ten blocks apart. No one had considered that they could both be affected by a single incident.

I also wrote a couple of chapters relating to how to handle various information security issues in turbulent times, namely, “Combined Impact of Outsourcing and Hard Times on BPO Risk and Security,” in Cyber Security, Cyber Crime & Cyber Forensics: Applications and Perspectives, edited by Raghu Santanam et al., IGI Global, 2010, and “IAM Risks during Organizational Change and Other Forms of Major Upheaval,” in Digital Identity and Access Management: Technologies and Framework, edited by Raj Sharman et al., IGI Global, 2012.

My interest in these topics goes back more than 35 years, when I published “Security during Recovery and Repair” in the Handbook of IS Management 1992-93 Yearbook, edited by Robert E. Umbaugh, Auerbach Publications (Boston), 1992. Here I advocated securing data during the recovery and reconstruction processes when most folks’ attention is elsewhere.

I do believe that attempts will be made to upgrade catastrophe contingency plans to deal with physical catastrophes following the succession of disasters that we have encountered of late, although this might not happen, given that we don’t appear to have learned the lessons of Katrina when it comes to recovery. We still seem to have the “Brownie, you’re doing a heck of a job” attitude that accompanied FEMA’s efforts on Katrina.

I only hope that, if we do eventually put together much-needed comprehensive catastrophe contingency plans, due consideration will have been given to information security and recovery aspects, which, like cyberattacks versus physical attacks, do not make for dramatic visuals in the news, but can have enormous negative impact and are extremely expensive to deal with.
