Privacy in Greater Peril

C. Warren Axelrod
Author: C. Warren Axelrod, Ph.D., CISM, CISSP
Date Published: 23 November 2021

There is a saying that states “May you live in interesting times,” but it is considered to be a curse. Unfortunately, we are living through a particularly interesting period that is turbulent, high risk and oftentimes devastating. Of course, your personal level of concern, exposure and impact depends on who you are, what you do and where you are, as well as many other factors.

Globally, we are all still at risk health-wise and economically from a pandemic as well as from a rapidly changing climate, likely causing unprecedented wildfires, floods, droughts, hurricanes and tornados. In addition, there are natural disasters, such as earthquakes, tsunamis and volcanic eruptions that can occur with little warning. At the same time, cyberattacks are taking center stage with significant increases in ransomware and other forms of compromise being reported. This elevation of cyber to a top existential threat is no accident. Forces have been at work for decades, and the confluence of increased vulnerabilities, more effective exploits and catastrophic events have only made things worse—a lot worse. Why is this?

The simple answer is opportunity. For example, the virtually instantaneous shift of many workers to remote facilities has vastly increased the attack surfaces of systems, networks and data, which were previously safer behind organizations’ defenses. They are now more exposed to attacks in the remote-work environment. Distracted by new requirements of operating through the pandemic and subjected to economic stress, many organizations have not been focusing sufficiently on their cybersecurity needs, and privacy has suffered as a result.

One thing is certain—the world of privacy has been, and continues to be, dynamic, as described in “The Dynamics of Privacy Risk,” in the January/February 2007 issue of the ISACA Journal. No sooner does one cite an example of the impact of catastrophes on privacy than new ones appear. For example, during the 6 January 2021 attack on the US Capitol, the private offices of members of US Congress were invaded. In one documented case, someone stole US House Speaker Nancy Pelosi’s laptop and reportedly attempted to fence it to Russians.

More recently, some of the most egregious compromises of personal privacy have occurred. One, of a more general nature, was the RockYou2021 leak of some 8.4 billion items of personal data. Yes, billions! One might ask whether anyone could have escaped such a leak. More specific to the pandemic, it is asserted that as much as US$400 billion in unemployment payments may have been fraudulently paid out to criminal gangs, domestically and in countries such as China and Russia. Furthermore, there have been explosive increases in the seeking of ransom payments and, if that were not enough, the exfiltrating of sensitive information. Payment to prevent the disclosure of such information is in addition to the ransom to get encryption keys.

We need to respond to these huge privacy infringements and gigantic frauds with commensurate actions. It appears that lawmakers are finally waking up to the enormity of these losses and are considering how to deter cyberattackers and prevent them from exercising their exploits. It is late in the game, especially for those of us who have been waving red flags for many years, but it is better late than never. Let us hope that we address the problems and resolve the issues while we still have a chance of doing so.

Editor’s note: For further insights on this topic, read C. Warren Axelrod’s recent Journal article, “Accessing Data and Maintaining Privacy Before During and After Catastrophic Events,” ISACA Journal, volume 1, 2021.

Don't forget—Members can earn free CPE from ISACA Journal quizzes!

ISACA Journal