Yesterday morning, I checked the ISO27k Forum messages as usual. Among the ping-pong of ongoing conversations was a sad request to stop emailing a Forum member who died just last week. His widow sent a few polite messages through his email account to the whole list, replying to an assortment of recent Forum emails. Presumably she didn't read or comprehend the 'unsubscribe' instructions from Google at the bottom of every message, and given the circumstances, it's entirely understandable - not least because I think she is Spanish, while the Forum and its instructions are in English.
Unsubscribing someone from an email list is a simple example – something that’s easy for those of us who frequently use managed mailing lists (or groups or reflectors or Special Interest Groups or whatever they are called) but is not necessarily obvious to those who don’t, especially when they are in turmoil, grieving and overloaded with a million difficult tasks all at once. It’s an extraordinarily stressful time. Thinking logically is an effort.
The same thing applies to other forms of social media, both professional and casual, plus various work systems, plus online banking, tax systems and so forth – online systems that our loved ones may need to access when we’re unable. And the same again for local accounts including boot passwords. These are our ‘digital footprints’.
Both pre- and post-mortem information security issues cover the whole CIA gamut:
- Confidential passwords, passphrases, account numbers, IDs etc. may be (and jolly well should be!) hard or impossible for someone to retrieve on our behalf – password vaults being a classic example. Don’t forget that super-strong passwords/passphrases and biometrics are useless without the key person;
- Integrity concerns mean we can’t simply demand access to someone else’s affairs: there are procedures to be followed, things to prove, legal and administrative hoops to jump through, which takes time and effort, plus there are trust aspects to this (to what extent should we trust those tasked with dealing with our affairs? What if they turn out to be unable, or unsuitable?);
- Availability of information assets is certainly an issue: recall the recent story about the death of a Canadian CEO of a cryptocurrency exchange business who had sole access to the vault containing $millions of customer as well as corporate assets? Without the essential key, the crypto did exactly what it was meant to do. Being unable to get into someone’s smart phone, tablet or safety deposit box without their PIN code is an everyday example, and can be a distinct challenge even for the spooks.
It is generally possible for our survivors (or rather, ‘executors’ with the legal right to manage our affairs) to gain access and control of, say, our bank and investment accounts, pensions and insurance etc. through official mechanisms, but for obvious reasons the authorization and control transfer process is formal, tedious and can be slow … which can be a massive problem if there is a desperate need for cash to pay for household and funeral expenses etc.
A pragmatic approach is to think ahead. Make sure we don’t take all our super-duper passwords with us to the grave, for starters … which may mean writing them into our wills, sharing them with our nearest-and-dearest or lawyers or trusted colleagues, or at least leaving behind sufficiently strong clues for someone who knows us very well (and isn’t totally consumed with grief) to figure out the secret phrase that opens our password vault. Simply letting someone know that we use a particular password vault is a good start, ideally showing them how it works.
Making escrow arrangements for our source code is another example – a delicate subject that I need to broach, again, with a talented programmer friend.
By the way, our simply forgetting a password or whatever can cause real problems. It’s not just about death. Forgetfulness, stress, overload, mental illness and old age can put us in the same spot. The sheer number of passwords and their complexity is the main reason that password vaults rock.
Giving someone we trust ready access to our email accounts is another tip, especially as so much revolves around email – including ‘lost password’ retrieval mechanisms for instance.
That’s why hackers and social engineers are so keen to gain access to a victim’s email account/s. Aside from simply impersonating them and exploiting their social networks, the ability to reset their passwords on other systems extends the identity fraud. Federated identity management can make this issue even worse: imagine all the mischief someone can do with control of your Google, Facebook, government or work ID!
There are other practical things we can do to prepare for our incapacity and ultimate demise, such as writing a will (in a proper, legally valid manner – not as easy as it may appear), maintaining/updating it (e.g. whenever we change our vault passwords), nominating and informing suitable executors (including ‘digital executors’ if that means anything to you and your legislature), arranging insurance, clearing our debts and so on. Those of us lucky enough to have investments ranging from savings accounts, houses and businesses to golf clubs, vintage motorbikes and priceless collections of antique Star Wars figures (still sealed in their original boxes, naturally) can help by preparing written lists and descriptions of our assets with approximate “fire-sale” values and either instructions for their disposal or who to contact for help …
… And that leads to my final Hinson tip for those of you still reading and thinking about this dark and depressing topic: we can help each other. Aside from ourselves, what about our relatives, friends, colleagues and acquaintances? Are they on top of this? Do they need a hand to understand the issues and make preparations while they are still able? Would they welcome our assistance post-mortem? What about organ donation: is that something they'd consider?
This is a tough topic to raise and address, taboo for some, but the alternative is even tougher.
If I’ve set you thinking, there are loads of resources on the web. If you find anything particularly helpful and interesting Out There, or have anything you’d like to add or modify in what I’ve said here, please comment below. This is NOT a taboo topic. It deserves a good airing.
PS Further suggestions from friends and colleagues:
- "I have a file in my desk labeled Death. It leaves instructions for those that will survive me, and includes the password to my password safe." [Not so useful if you die in a house fire though ...]
- "I have a password vault with a password that uses an algorithm that needs to be derived using some obscure documented rules that only people very close to me would know." [A little puzzle, what fun!]
- "Someone I know has a two part password to a password vault where his wife has one half and a close friend who lives abroad has the other half." [That's fine if they both survive your friend, and can both be contacted!]
- "My password vault also has instructions on what to do with each account e.g. 'Log onto this hotel booking site and cancel any bookings'" [... or opt for a late check-in maybe]
- "As with all business continuity plans you need to tell people about it and test it from time to time. Every so often I get one of my children to “test” my BCP to make sure they can get at my passwords. This is one of those kinds of BCP that you are 100% certain will need to be invoked at some point and where the key objective is to minimise the impact on your loved ones. Don’t underestimate the importance of doing something like this." [True. It's so sad to hear about grieving family and friends facing additional nightmares due to the departed's lack of foresight and prep. Denial is a fifth form of risk treatment after avoidance, mitigation, sharing and acceptance.]
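The two-part vault password in the third suggestion above only works if both holders survive and can be reached. A threshold scheme removes that single point of failure: the passphrase is split into three shares of which any two are enough to recover it, so one unreachable holder does not block the executor. This is an added example (mine, not from the post or its commenters) using Shamir's secret sharing; the passphrase and the 2-of-3 parameters are constructed for illustration.

```python
"""Threshold sharing of a password-vault passphrase (added example).

Shamir's scheme over the prime field GF(p): the secret is the constant
term of a random degree k-1 polynomial, each share is one point on it,
and any k shares recover the constant term by Lagrange interpolation.
"""
import secrets

# Mersenne prime: any passphrase of up to 64 bytes fits in one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(passphrase: str, k: int, n: int):
    """Return n shares (x, y) of the passphrase; any k of them reconstruct it."""
    secret = int.from_bytes(passphrase.encode("utf-8"), "big")
    if secret >= PRIME:
        raise ValueError("passphrase too long for a single field element")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # Secret is the constant term; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> str:
    """Interpolate the polynomial at x = 0 from at least k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    length = (secret.bit_length() + 7) // 8
    return secret.to_bytes(length, "big").decode("utf-8")


if __name__ == "__main__":
    # Constructed passphrase: spouse, friend abroad and lawyer each hold one share.
    spouse, friend, lawyer = split_secret("correct horse battery staple", k=2, n=3)
    print(recover_secret([spouse, lawyer]))  # works without the friend abroad
```

Fewer than k shares reveal nothing about the secret, so the shares can be stored separately (a copy with the will, one with a relative, one abroad) without any single holder being able to open the vault alone.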