Was the COVID-19 pandemic a harbinger of an increase in scope and seriousness of perceived and real threats to individuals and businesses?(1) What should one consider about threats to assess their likelihood of occurring and consequences to gauge the level of risk for a person or business?
It is better by noble boldness to run the risk of being subject to half the evils we anticipate than to remain in cowardly listlessness for fear of what might happen. – Herodotus (2)
There are many definitions of threat, vulnerability, and risk. This article uses recognized definitions from several International Standards Organization publications. Risk is a deviation from the expected.(3) A vulnerability is a weakness or exposure.(4) A threat is a potential cause of an unwanted incident that can result in harm.(5)
We examine news reports, press releases, and other information to gauge the changing nature of threats. Current threats are the primary concern as they affect people and businesses today. Prospective root causes are not solvable and are thus beyond the scope of this article.
Threats to personal safety and business sustainability have expanded significantly in the last 18 months. For individuals, this means both increased physical and privacy threats. For businesses, this means the threat of property damage through on-site malicious actors, property theft and the threat of financial and reputation loss primarily through Internet cyber threats. In the case of cyber threats, malicious actors could originate from any source and from anywhere in the world.
More to the point, individuals can have their personal information leaked online, whether they are average citizens or people whose privacy is closely guarded, like police officers. Data leaks might be from healthcare systems or employers and could include home addresses and other personal details.
Violent events are on the increase in, of all places, airports, and even on board aircraft.(6, 7, 8) That is in addition to increases in violent crimes, including murder, in the United States.
A study examining crime in 34 cities in the United States in 2020 reported homicide rates were 30% higher than in 2019.(9) Data illustrate a seasonal effect for homicides, peaking in July, as do other crimes like aggravated assault. The sample of cities used in the report was not drawn randomly. As a result, generalizing the results to the nation at large is risky.
In the Spring of 2020, once the pandemic shutdowns began, residential burglaries declined precipitously as might be expected with many more people remaining at home. Coincidentally, non-residential burglaries were somewhat lower than pre-pandemic but still peaked in July as in previous years.
Police departments have been downsized, and many officers have retired or otherwise left the profession. Policing activity has diminished, corresponding to an increase in crime, e.g., 30% to as much as 80%, with large increases in violent crime in the range of 50% to well over 100%.(9)
Technology-enabled business threats are unrelenting and increasing.
Wickr, a provider of encrypted communication services, reported findings from a Cyber-edge report: a record 86% of organizations suffered a successful cyberattack in 2020, and a record 69% of organizations were compromised by ransomware. Email reportedly is a common threat vector that enables phishing scams, ransomware, links in email to malicious content, and interception of email in transit and email in storage if not encrypted.(10)
The FBI Internet Crime Complaint Center, established in 2000, tracks complaints about potential internet-based crimes. Frequent crimes reported by victims include phishing scams, non-payment/non-delivery scams, ransomware, and extortion. Complaints increased from 5 million to 6 million in the early 2020 to early 2021 timeframe.(11, 12)
Police departments are not immune to cyber-attack either. The Washington, DC Metropolitan Police Department was attacked with ransomware late in April 2021. In March and April, two other police departments in Maine and California were also victims of ransomware. Attackers often threaten to release stolen sensitive data on the Internet if their demands are not met.(13)
Technology-enabled crime is not limited to cyber-crime via the Internet. Drones are being used to surveil rural and remote areas seeking property, such as farm and ranch equipment, that can be stolen with little chance of interdiction.(14) Technology may also be used by bad actors for photographic surveillance activities in the planning of riots where property is damaged or destroyed.
Supply chains are also affected. In early May 2021, the Colonial Pipeline Company suffered a ransomware attack which affected delivery of fuels such as gasoline, diesel and jet fuel to the East Coast. This attack and the company’s response affected delivery of fuel, resulting in temporary shortages and lack of availability in some of the 17 states and the District of Columbia served by the company.(15, 16)
Health records related to COVID-19 contact tracing for thousands of Pennsylvania residents were apparently not password protected and were accessible online via search engines. It was alleged that cybersecurity measures were inadequate to protect the data, and there is the prospect of a class action lawsuit. Evidently, the breach was detected in February 2021 and not secured until April.(17)
Cyber insurance costs are skyrocketing. Businesses recognize the seriousness of cyber threats and have increasingly purchased cyber insurance. As the US GAO reported in May 2021, a global insurance broker cited an increasing number of clients electing cyber coverage, increasing from 26% in 2016 to 47% in 2020. Along with the increase in cyber threats and use of cyber insurance, the cost of such coverage reportedly increased 10-30% in late 2020.(18)
What can you do about this?
How much peril is there for individuals and businesses? Three actions need to be performed.
First, develop a catalog of as many types of threats, vulnerabilities and risks as possible. Include cyber-threats and as many others that potentially threaten personal safety and business sustainability and continuity. Update this catalog frequently as new threats and vulnerabilities emerge.
Second, assess threats in terms of their likelihood of actually occurring, i.e., what is the probability of a threat happening to me or my business, e.g., 10%, 30%, 90%? Vulnerabilities should also be considered in this assessment. What are the consequences of an event happening? How much damage will result, e.g., minor inconvenience, major work-life interruption, destruction or death? Risk is then determined by the combination of these two dimensions.
Third, one needs to understand the effect of cognitive bias on perception of vulnerabilities, threats and risk. Research has found that 70% of people exhibit “normalcy bias” in disaster situations, meaning they downplay warnings about calamities.(19) Of course, one has to be mindful of the opposite, “worst case scenario bias”: overreacting to minor anomalies in the state of what is considered “normal” at a given time and place.(20) Be mindful of where you are on the continuum between normalcy bias and worst-case bias.
Situational and cognitive bias awareness and risk assessment will help put you ahead of the ever-changing threat-vulnerability-risk game!
References:
- This article was informed by an interview with a professional with current knowledge of personal and business security and the criminal justice system.
- As listed at https://www.riskology.co/99-risk-quotes/
- ISO 31000:2018 Risk management — Guidelines. Risk – effect of uncertainty on objectives – An effect is a deviation from the expected. https://www.iso.org/standard/65694.html
- ISO/IEC 29147:2018 – Information Technology – Security Techniques – Vulnerability Disclosure. A vulnerability is a behavior or set of conditions present in a system, product, component, or service that violates an implicit or explicit security policy. In other words, it’s a weakness or exposure that permits a security consequence. Read more at the ANSI Blog: https://blog.ansi.org/2018/11/iso-iec-29147-2018-vulnerability-disclosure/
- ISO/IEC 27000 Information technology — Security techniques — Information security management systems — Overview and vocabulary. Threat – potential cause of an unwanted incident, which can result in harm to a system or organization. https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
- Falconer, Rebecca. Mon, May 3, 2021. Unruly airline passenger reports surge: 1,300 reports to FAA since February. https://news.yahoo.com/unruly-airline-passenger-reports-surge-032119337.html.
- FAA Press Release. May 5, 2021. FAA Proposes Civil Penalties against Four Passengers for Allegedly Interfering with Flight Attendants. https://www.faa.gov/news/press_releases/news_story.cfm?newsId=26060.
- April 27, 2021. FAA Proposes Civil Penalties Against Three Passengers for Allegedly Interfering with Flight Attendants.
- Pandemic, Social Unrest, and Crime in U.S. Cities 2020 Year-End Update. University of Missouri —St. Louis. https://cdn.ymaws.com/counciloncj.org/resource/resmgr/covid_commission/Year_End_Crime_Update_Design.pdf
- Johnson, Jason. April 9, 2021. Why violent crime surged after police across America retreated: Even the most dedicated officers who now face a greater risk of being sued, fired or prosecuted for doing their job feel pressure to pull back. https://www.usatoday.com/story/opinion/policing/2021/04/09/violent-crime-surged-across-america-after-police-retreated-column/7137565002/
- Wickr, accessed 29 May 2021, https://wickr.com/the-biggest-cybersecurity-threats-to-be-aware-of/, Cyber-edge, https://cyber-edge.com/cdr/
- FBI Internet Crime Center, https://www.fbi.gov/news/stories/ic3-logs-6-million-complaints-051721
- Perlroth, Nicole and Barnes, Julian. D.C. Police Department Data Is Leaked in a Cyberattack, April 27, 2021. https://www.nytimes.com/2021/04/27/us/dc-police-hack.html
- Souza, Christine. Drones Now Help Thieves to Survey Rural Properties, California Farm Bureau Federation Reports, May 2, 2021. https://goldrushcam.com/sierrasuntimes/index.php/news/local-news/29456-drones-now-help-thieves-to-survey-rural-properties-california-farm-bureau-federation-reports
- Beaman, J. https://www.washingtonexaminer.com/news/colonial-pipeline-cyberattack?utm_source=Daily%20on%20Defense%20051021_05/10/2021&utm_medium=email&utm_campaign=WEX_Daily%20on%20Defense&rid=61594
- Choi, Joseph. https://thehill.com/homenews/administration/552564-white-house-declares-state-of-emergency-over-cyberattack-that-shut. 05/09/21 10:30 PM EDT.
- Mitchell, H. https://www.beckershospitalreview.com/cybersecurity/pennsylvania-health-department-sued-for-covid-19-contact-tracing-breach-that-exposed-72-000.html?utm_campaign=bhr&utm_source=website&utm_content=latestarticles. 10 May 2021.
- U.S. Government Accountability Office. Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market. GAO-21-477 Published: May 20, 2021. Publicly Released: May 20, 2021. https://www.gao.gov/products/gao-21-477
- Normalcy bias, Wikipedia, accessed 28 May 2021. https://en.wikipedia.org/wiki/Normalcy_bias
- Evans, Dylan. Risk Intelligence: How To Live With Uncertainty, Free Press/Simon & Schuster, Inc., 2012; currently available on Amazon in several formats.