A while back, I wrote a factual article about the possibility that some crooked employers may sell the personal information of their own employees to make an extra buck. Although this is a low risk that would present itself in any corporate security and privacy risk assessment, I wrote that particular article based on a reported piece of news about one such case, in which the employer, for whatever reason, sold the personal information of its own company employees. Soon after the publication of my factual article, a blogger made a comment about backing my article with facts, evidence and reported news. So I updated my article to add, as evidence, the piece of news on which I had originally based the factual article. The point I want to make is that in this case I had not only identified the possibility of such a scenario (risk identification), but I also had evidence (reported news) that the risk I described (an employer selling employee information) can actually occur and has occurred. But we don’t always need to have concrete evidence to prove that the risks identified in our assessments and articles are possibilities that can and will actually occur in real life. Why? Because that would be identifying risks after the fact. Companies perform risk assessments to foresee what challenges, threats and impact they might face in the future so that they can prepare for those scenarios by identifying where they might be most vulnerable. It’s OK to develop one’s risk assessment objectively and write a factual article based on professional judgment and events that have occurred, but most sophisticated risk managers must subjectively foresee future risks even if they have not yet occurred.
Consider for a minute the events of the September 11, 2001 attacks, also known as 9/11, which consisted of a series of coordinated terrorist and suicide attacks upon the United States of America. Is this something that had occurred in the past? No. Should the building owners or the insurance companies have foreseen and identified those events in their risk assessments to protect their assets? Yes. I admit that risks cannot always be foreseen exactly as they might occur; however, astute risk managers should be able to predict certain threatening events to protect their companies and assets. When performing a risk assessment for the protection of a building like the World Trade Center, all risk scenarios must be considered. For example, flood, power outage, shattered windows, non-operational emergency exit doors, earthquake, and even building collapse of various levels might be considered. Having said that, a collapse can be caused by a bomb placed inside the building, a missile attack, or a suicide plane. If we fail to identify the various possibilities of building collapse due to external threats in our risk assessment because such an event has not occurred or been reported in the past, then our risk assessment is not complete, and when such an event occurs, we might lose billions because the event wasn’t identified as a risk and was excluded from the insurance contract.
The same example can be applied to the possibility of employers selling the personal information of their own company employees. Any time, in any corporate environment, that we decide to grant certain people access to certain confidential information, we take a risk that those people with privileged access may at some point abuse their access privileges and sell the valuable information in the marketplace. Even though there may not be reported news about an employer selling its clients’ information, the fact that anyone with privileged access can abuse his or her access is a possibility, whether it’s the president of the company or the secretary who has been granted similar access rights by the boss. The personal information trade is a very lucrative business and, the last time I checked, you could acquire a Social Security number online for 35 to 45 US dollars, among other personal information like personal cell phone logs and more.
In conclusion, we must see risks for what they are and what they might be in the future in order to protect the companies we work for and our own assets. Some risks are known facts and others just happen to be future threat possibilities based on changes in the social environment, corporate culture, global conflicts, and technology. All of the identified threats have to be carefully assessed for their probability of occurrence, impact, and potential safeguards. We may choose not to protect ourselves against some of the threats, but at least we have to acknowledge their possibility of occurrence and selectively decide to ignore them based on an educated risk assessment.