Many of us still maintain a slim outpost on Facebook — despite pronouncements that, “THIS time, I’m really leaving.” One of the more interesting features I enjoy in my occasional forays into the platform — aside from the annual parade of birthday wishes — is the “Your Memories on Facebook” posts.
Eighty-five percent of these are pleasant memory jogs (5 years ago — “Nice to have the kiddos in town for Daniel’s wedding”), 10% are cryptic (8 years ago — “As much as he scared the bejesus out of me, going to miss Henry”) and only a slim 5% are business-related (7 years ago — “At the Microsoft office in DC — I want one of these touch screens!”).
But one of those business-related memories struck a chord with me given recent events. It reminded me that just as a stopped clock is right twice a day, so too can an industry prognosticator be right a couple of times per decade. Ten years ago I posted the following with an accompanying picture: “Hey, if there’s a Moore’s Law, how about a Mancini’s Law!”
Ransomware: A Key Consequence of Information Chaos
Rising system complexity and volumes of information create enormous challenges for organizations. Simply keeping existing systems operating and functional in the face of this complexity consumes a disproportionate share of information management resources. For too long, organizations have assumed that if they raise their firewalls high enough, they will keep their information and systems safe. But information security is much more complex and intertwined than that, especially when the adversary takes the form of state-sponsored — or at minimum state-ignored — cyber attacks.
We’ve all seen the recent news about ransomware attacks and their long-tail consequences for activities that at first glance seem to have nothing to do with information security: buying gas or a hamburger, taking a subway or a ferry, or scheduling a surgery. Maybe it took the bubbling over of ransomware into the consumer space to finally get our attention. The #RansomwareTaskForce report, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force, should be required reading for every information professional.
Ransomware attacks present an urgent national security risk around the world ... In 2020, thousands of businesses, hospitals, school districts, city governments, and other institutions in the US and around the world were paralyzed as their digital networks were held hostage by malicious actors seeking payouts ... Despite the gravity of their crimes, the majority of ransomware criminals operate with near-impunity, based out of jurisdictions that are unable or unwilling to bring them to justice. This problem is exacerbated by financial systems that enable attackers to receive funds without being traced.
When a rising tide of information chaos meets: 1) radically disruptive technologies; 2) lots of money; 3) state-sponsored agents and 4) political paralysis among those we’ve traditionally relied upon to be the good guys (at least sort of), the potential for devastating consequences rises. Consider these data points from the report:
Information Professionals Have Their Work Cut Out for Them
Given some of the complexities surrounding this issue — the sections of the report tied to cyber currency alone make my head spin — there's a tendency to assume that “technology people” will somehow fix all this. Lest C-level folks think that information governance can just be left to IT folks, with rising risks covered by insurance, consider this assessment by the Task Force:
In the insurance industry, periods of falling premiums, expanding coverage, and loosening underwriting standards (resulting from increased competition) are referred to as “soft markets,” whereas periods of rising premiums, coverage restrictions, and heightened underwriting standards (due to increased underwriting losses) are often referred to as “hard markets.” According to multiple reports, cyber insurance has entered a “hard market” phase. In a hard market, the insurance industry can push insured organizations to better manage their risk ....
Underwriters may refuse to offer insurance coverage to organizations that do not first establish an appropriate level of cybersecurity preparedness. For instance, this may mean that an organization must confirm that it follows a recognized cybersecurity framework, or that it has deployed multi-factor authentication, or is managing the risks associated with remote access to computer networks.
What does this mean? The demand for insurance to hedge cyber risks is growing rapidly. But at the same time it is quickly becoming apparent that how an organization manages the security and availability of its information assets will soon be a precondition for whether it can get cyber insurance at all.
Better get busy, information professionals.