Fully Operational Contingency Plans

"Because I could not stop for Death – He kindly stopped for me..."  - Emily Dickinson

Small talk is not a skill I possess. I prefer big talk...important things, like, say, death. Death is a favorite topic of mine. Not that I want to die anytime soon, nor because I take pleasure in others' deaths (well, generally :-), but because everyone seems so unwilling to talk about it and they really need to. Death, you see, in the realm of contingency planning is an adverse event - it has the potential to really mess things up. When someone dies, death goes from being an incident candidate to a full-blown incident. Death, being inevitable, needs an incident response (IR) plan to go along with it.

Okay, how is death relevant to an infosec blog?

It's an attack against information assets - what you know, including how what you know gets you into more information assets, is gone after death happens. Death is pretty efficient when it does its thing so its chance of success is high. Death definitely threatens the availability of your information assets, although one could make an argument for enhancing the confidentiality of them. 

It's important for an organization to plan for deaths of its employees, from the C-suite to the cleaning crew. No, not plan to kill them (although one wonders sometimes...), but a plan for how to react and recover after death occurs. From an obvious perspective, at the very least whatever tasks the person was assigned to do will not be getting done and someone else will have to do them. It's easier to respond when a plan is in place than to make things up on the fly - and if the death is of someone close to the people making the decisions, their thinking will be affected, even if the death is expected. The story of how a small organization handled the death of one of their founders provides a good foundation for planning on that level: http://www.smallbusinesscomputing.com/tipsforsmallbusiness/business-survival-after-death.html

On a personal level, contingency planning for death is even more vital. This summer I had a long-distance friend die unexpectedly. No one can get into her digital assets, so her Facebook page and LinkedIn account remain open as though she is still alive. Her non-technical family doesn't even know where to begin - and no one wants to bring up the specifics of how those accounts can be closed by the vendors. (Someone did inform her employer.) Not talking about death doesn't make it go away. In the past couple of months I know of more people who have died unexpectedly, leaving their families to deal with digital legacies on top of the grief and expenses. No one wants to go up to the widow and say, "hey, I know you're in shock and numb with grief right now, but have you thought about how to get into your partner's digital accounts?" Not even I am that goth. (Yes, I'm thinking it, but my mother raised me better than to say it out loud :-)

The recent Equifax breach gives criminals a chance to capitalize on their theft by making it easier to purloin the identities of the deceased: unless the deceased was receiving Social Security payments there is no automatic notification to the credit bureaus that someone has died and that their accounts should be marked that way (see http://www.bankrate.com/finance/credit/happens-dead-persons-credit.aspx for more details). My friend's credit report looks like she's alive. She's not there to notice anything sketchy coming up. Of course, she's dead, and had no dependents, so no one is being directly hurt if someone absconds with her identity, but, still.

Everyone dies at some point. This incident will occur. There are many logistical aspects of death that don't necessarily involve digital assets that need to be secured, but in our modern times nearly everyone has digital assets. We all have some sort of device, either a computer or a mobile device. We probably have email assets and social media assets. While financial service relationships typically have a physical aspect, many people access their financial service accounts digitally, with authentication credentials. How about e-commerce? Kindles? What about Alexa (who might be able to help solve the case) or Siri (who is more helpful to the perpetrator)?

I'll pause. I admit this has to be overwhelming to anyone who hasn't thought about it before. 

Because death is such a scary concept, let's talk instead about space alien abduction. There is a chance that if someone is abducted by space aliens they could return. But, while they are being entertained by the space aliens one would not have access to their digital assets unless one had a contingency plan in place. So, it's like death, but not exactly death. 

Think about how people back home would carry on with your digital activities if you were abducted by space aliens. How should they react? How would they recover? If you've planned now, before the abduction, they have a list of what to do after they have detected that the aliens have zoomed away with you. They can then focus on acquiring, preserving, and securing the assets you have left behind, for instance, your mobile device (presuming it wasn't destroyed in the abduction process).

More organizations are offering practical advice for digital contingency planning. https://www.funeralwise.com/learn/digitallegacy/ is an example. It's important to note that legislation has not caught up to digital realities. It's unclear in many jurisdictions how digital legacies are to be handled and the most obvious option, impersonation, might not be exactly legal, even if it's not exactly illegal, even if an executor is given specific authorization by the deceased space alien abductee.

Whether you plan for this adverse event, or not, it will happen. Think of setting up a contingency plan for securing digital assets in the event of death as a kindness to those left behind - a final gift.