Table Of Contents:
Scrooge starts the book as a famously terrible boss and a lousy human being. But as information security specialists, we’re also appalled by how useless his security measures are. “A Christmas Carol” is really one long catalogue of infosec disasters.
A tragically departed employee
Scrooge’s first ghost is Jacob Marley, who spookily enters his bedroom. He passed on from the Scrooge organisation seven years ago, but still retains full access rights to every part of his ex-partner’s home! No doubt he can also walk right into the office whenever he fancies.
That’s a big information security failure. ISO 27001’s Annex A.11.1 Secure Areas makes sure that physical access rights are stripped from all departed employees. If Scrooge had had a decent ISMS, the dearly-departed Marley wouldn’t have been able to bother him.
A ghostly GDPR breach
Marley’s access rights must be admin-level (tssk!), because he can then invite three other ghostly visitors in. The first one’s the Ghost of Christmas Past, who finds and shares some intimate details of Scrooge’s personal history. That’s a GDPR breach right there.
Of course, Christmas Past Ghost uses his powers for good. But imagine the damage he could cause if he was a black hat phantom! Not to mention the very substantial fines and reputational hit that would follow the release of personal details to the wrong person.
An ISO 27001 compliant ISMS would have stopped him dead (if you can do that to a ghost).
Clause A.18.1 makes sure you’re complying with GDPR and any other legal requirements. And Annex A.9.2 Management of Privileged Access Rights would have doubled down on Jacob Marley, removing his admin privileges as well as his physical access ones.
A poorly-secured home worker
The Ghost of Christmas Present spirits Scrooge away to watch his clerk’s family Christmas. They see every detail of Bob Cratchit’s family life. From an infosec point of view, things are getting worse and worse. A key employee’s security has also been very fully compromised!
That resonates with us because security at home’s been such a big theme in 2020. Covid’s created millions of new home workers across the world. Making sure they’re as secure there as they are in the workplace has been a big challenge.
But of course, an ISO 27001-compliant or certified ISMS will already have that covered. Annex A.6.2.2 makes sure organisations have full home working arrangements in place. It’s been very satisfying helping our customers through that this year.
A hacked business network, plus supplier challenges
Finally, Scrooge meets the Ghost of Christmas Future. The Ghost instantly locates some of Scrooge’s business associates and takes him to eavesdrop on them. Then they visit some of his suppliers, including his cleaner and laundress. Scrooge sees them steal from his estate.
Even Scrooge’s confidential business partnerships are now fully exposed to any random passing supernatural entity! And it’s hard to imagine that his suppliers, who can access the most intimate parts of his life, have treated his information assets with any sort of respect. It’s entirely his fault for managing them so badly, but it’s a big problem nonetheless.
Once again, ISO 27001 would have rescued him. Annex A.15 would have helped him secure and manage his commercial and supplier relationships. And while we’re talking about the future, remember that the standard’s going to become even more effective. An updated version of it should be launching within the next couple of years.
Nobody ever wants to be Scrooge
Marley and the Ghosts of Christmas Past, Present and Future are the good guys. They help Scrooge become a much better man. His transformation is powerful and moving. It’s what’s made the book such an enduring classic.
So we agree with Charles Dickens.
He was quite right to delete the book’s original final scene, where Jacob Marley’s ghost reappears and has a quiet word with Scrooge about information security. But it too shares an important message, which we hope has resonated with you as 2020’s festive season begins.