Risky Business
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
What do the words ‘avoidance’, ‘management’, ‘assessment’, and ‘taker’ have in common? They are often paired with the word risk. We all face risks every day. When we drive our car, if we get on an airplane, and even if we cross the street, there are risks involved. Our risk management will vary by activity. Hopefully, if we are driving, we pay attention to our surroundings and obey traffic laws. This helps to manage risks for ourselves and others. If we cross the street, we look both ways. This helps manage and avoid risks.
How much of a risk-taker are you? Do you skydive? Then you are more of a risk-taker than I am. Have you run with the bulls in Pamplona? Me neither. We all have different levels of risk we will tolerate and we are willing to take different amounts of risk. What is problematic is uninformed risk-taking.
For example, if you were looking for employment and you thought being in the outdoors would be great, would you consider being a logger? That might sound interesting. A little information from this on risky occupations might change your mind. The table shows that logging might be considered a high risk job, and might change your mind.
How about your online activity? Are you a risk-taker there? Do you always hover over a link before you click it? What if the link is a shortened link like this one: https://tinyurl.com/cjz9mt94 (Just so you know the unshortened URL is https://www.donotgohere.com )? Hovering over this type of URL will not tell you anything useful. You have to accept/trust/hope the URL is not malicious if you click on it, unless you want to take the trouble to go to a decoder page to find out what the real URL is.
Another risky behavior is QR codes. For example this one. You have no way of knowing where this will take you. (Same site as before). Why is this risky? This article highlights some issues including one that I hadn’t thought of before. Since QR codes can be used not only to take you to a website but also to download and install a program, bad guys can use them to do you harm. The article mentioned:
“For example, a malicious QR code can easily be pasted over the one provided by a restaurant or bar, to trick a user into paying for the bad actor’s next holiday instead of a round of drinks.”
The same article also notes:
Almost half (48%) of respondents said they don’t know if they have mobile security software installed on their device. A majority also said they didn’t know that scanning these codes could also download an app, start a phone call or initiate a text message.
Nearly two-thirds (65%) believe QR codes only open links.
This probably is not unique to the US population. This is a good example of uninformed risk taking. Do your employees know the risks of QR codes? Are your employees up to date on the threats that exist on the security front? Are you? How about your IT department? I have always felt that the bulk of small business management was centered around risk management. Small businesses typically have small budgets for everything so it means they can’t do everything they might like to or need to do.
Do either of these images below demonstrate your risk management strategy? Reading stories about data breaches and malware attacks would lead me to believe that a lot of smaller businesses follow the procedure in the first sequence when it comes to security. They have some awareness of potential security risks. They take a cursory look at the threat landscape and then take a position that is not very effective.
Or perhaps the second image is more your approach. I don’t see that there is a threat to my business because: a) We are too small b) We are not a financial institution c) Our product is not special d) Insert reason here. This attitude comes from the 3rd monkey, the one that is not listening.
I recently sat in on a webinar put an Ashton partners that handles risk management (Oswald Companies). What was informative for me was how much more insurance carriers are getting involved in the technical aspects of a company’s IT infrastructure. I was interested to learn that how much attention a business paid to security issues could affect its insurability. These days a business without some sort of cyber insurance is acting akin to a business without fire insurance. Unfortunately having a cyber incident is becoming more likely than having a fire.
Just as having a sprinkler system or some sort of fire suppression system can be a prerequisite, being able to prove you are patching regularly and taking appropriate security measures can affect your ability to be insured. You wouldn’t operate without fire insurance, would you? I learned from the webinar that this can be a lengthy and surprisingly detailed process. Unless you like being involved in a risky business, security needs to get a detailed examination and upgraded to accommodate the changing threat landscape.
