You would think that this is so obvious as to not need saying, but too many people appear to operate as though downplaying or ignoring risks has any impact on their reality.
That sign announcing “bridge out” isn’t really concerned with how much you believe it or agree with it. It doesn’t care if you are too busy to deal with it. All it knows is that unless you happen to be flying by in a plane or helicopter at the time that you read it, it does apply to you. (It might even apply to you if you are in a boat, depending on where the bridge has ended up.)
Technology-based risks DO exist. In fact, they are quite prevalent. This is primarily because the gory guts of technology are understood by relatively few, while used by increasingly many. And the cuter and more friendly the interface, the greater the likelihood that there is serious complexity behind the scenes.
Over time, technology has become ubiquitous in more facets of our lives. We rely on it for many things, but in very few cases are any of us able to manage the risks it represents. In fact, many of us are totally unaware of most technology-based risks, because we are only focused on the functionality and style that such technology affords us.
So far this year, we have seen several significant failures/breaches of technology infrastructure that highlight the risks we are vulnerable to.
Many Internet services were adversely impacted when cloud computing pioneer Amazon.com experienced a significant outage in a portion of their Elastic Compute Cloud environment. Many of these companies transferred a variety of operational and financial risk into the cloud, but inherited new risks that they ignored or did not fully understand, and thus did not properly address. One notable exception was Netflix, which *did* address their risk to a great degree. Some, however, experienced permanent data loss.
Many consumer brands were adversely impacted when email service provider Epsilon was breached. And there will be long-term fallout for the consumers of those brands as well, in increased SPAM, increased spear-phishing attacks, and possible identity theft.
Many online gamers were adversely impacted when Sony suffered a major breach of its PlayStation Network in which personal and financial data was accessed from some 77 million customers! Oops – make that ~100 million accounts. And there are already reports that some of these gamers might already be seeing credit card fraud attempts.
Risks must be managed. They can be transferred, but there is generally a price to pay for that, and you have to be sure that the entity that is taking on the risk is prepared to handle it. Why? Because an improperly transferred risk is like a dropped baton at the time of handoff – both parties are impacted.
As a business, make sure your contracts clearly outline the risks you are likely to face, and provide some relief for them. BUT, don’t just rely on legal remedies. Ensure that you have appropriate backup plans and/or insurance to mitigate or deflect the fallout from technology-based risks.
For consumers, legal remedies are harder to put into place on a per person basis, but it is still important to understand what risks you have and how you can diminish their impact.
These risks won’t go away by themselves. In fact, they are only increasing. Think about it: Was it even possible for a single breach of a non-financial organization to impact the financial data of ~100 million people just 10 or 20 years ago? The corporate trends towards consolidation and outsourcing are only going to make this worse as we move forward.
Years ago, when trying to justify the Information Security budget I was proposing, it was remarked to me that “we are not a bank.” Well, moving forward, many organizations might have to fortify themselves as though they were a bank, if they are going to handle any aspect of our financial info.
Technology makes many things faster and easier. Unfortunately, this is true for the criminal element as well. Only you can prevent/minimize your technology risks – there is no incentive for anyone else to do so.