Category Archives: IT

Chinks in the chain

“Wi-Fi Flaw May Endanger Security,” The Wall Street Journal, October 17, 2017 B4.  A wi-fi flaw opens up systems to hackers.  Impact mostly for corporations, affecting WPA2 protocols.  But does affect older Android phones and use of Wi-Fi networks while traveling.

Is cyber-security too complex for humans to understand?

Hopefully, the corporations will install the patches on a timely basis.  What other steps should we take in the meantime?


Filed under Access, Controls, Interconnections, IT

Equifax and SEC Hacks

A lot in the news of late about the hacks at Equifax and the SEC.

“SEC Discloses Edgar Corporate Filing System Was Hacked in 2016,” The Wall Street Journal, September 21, 2017 A1.

“Equifax Hackers Spied for Months,” The Wall Street Journal, September 21, 2017 A1.

“Equifax Board Weighs Clawbacks,” The Wall Street Journal, September 30, 2017 B3.  How many years’ compensation will be affected?

“Equifax Lawyer in Hot Seat,” The Wall Street Journal, October 2, 2017 A1.  Chief legal officer probed for clearing stock sales after executives knew, but no one else did, about the hack.

“Equifax Ex-CEO Lays Out Lapses,” The Wall Street Journal, October 3, 2017 B1.  Staffers blamed for not reacting to public warning.

“Lawmakers Slam the Ex-CEO Of Equifax,” The Wall Street Journal, October 4, 2017 B1.  He and others “weren’t aware of the significance of the company’s data breach ….” “[A]n employee failed to notify other staff to patch the software ….”  For want of a nail ….

“Senators Rap Credit-Reporting Model,” The Wall Street Journal, October 5, 2017 B1.  “[W]hy consumers shouldn’t have power over the data [credit companies] collect on them”?

“Lawmaker Asks SEC To Delay Trade Log,” The Wall Street Journal, October 5, 2017 B12.  Head of House Financial Services Committee pressures SEC to delay release of trading database following hack of SEC systems. Can you have too much information?

“Equifax Timeline Criticized,” The Wall Street Journal, October 6, 2017 B10.  How long did Equifax sit on news of the hack before alerting the Board, the market and the Feds?  Is five weeks too long?  Executives selling stock in that window will be investigated.  Three weeks before he informed the Board.

“After Breach, SSN Reliance Is Criticized,” The Wall Street Journal, October 7, 2017 A4.  One reaction to the Equifax hack is a move to find a replacement for Social Security Numbers.

“Index Firm Flagged Equifax for Security,” The Wall Street Journal, October 7, 2017 B9.  Company warned about Equifax data security flaws in August 2016.

“Equifax Probes Possible New Breach,” The Wall Street Journal, October 13, 2017 B1.  A code installed on Equifax’s website by a vendor “serve[s] ‘malicious content’ to consumers.”  Just when you thought it was safe to go back in the water again.

“GOP Bill Would Boost Checks on Credit Firms,” The Wall Street Journal, October 13, 2017 B10.  The horse having left the barn, the government wants to exercise more oversight.


Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Culture, Directors, Duty, Duty of Care, Governance, Inform market, Inform shareholders, Information, Internal controls, Investor relations, IT, Oversight, Protect assets, Protect information assets, Security, Value, Vendors

Another hack

“New York Investigates Deloitte Cyberbreach,” The Wall Street Journal, October 13, 2017 B10.  New York AG investigates breach, which “compromised information on a small number of clients.”  The breach started a year ago and wasn’t detected until April 2017.  The information compromised may have been limited to access credentials and the like, rather than account information.  Sort of like Equifax.

Who else has been attacked and (a) knows about it but is still keeping it quiet, or (b) doesn’t know about it yet?


Filed under Access, Board, Compliance, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Protect information assets, Security, Value

A top goal?

“CEOs Make Protecting Data a Top Goal,” The Wall Street Journal, October 13, 2017 B4.  Unfortunately, the focus is on cyber-security rather than the broader information risk profile.  Will this affect CEOs’ email habits, as they are phishing targets?

While this is a start, do CEOs really understand how much their company’s proprietary information is worth?  Or their duty to protect the company’s assets (people, physical equipment, cash, and information)?  Why not?

And where are the boards?  Don’t they have an overarching duty to oversee the major risks the company is facing and to make sure there’s an effective program in place to address them?

I hear the violin.  Is Rome burning?


Filed under Access, Board, Compliance, Compliance Verification, Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, IT, Managers, Oversight, Ownership, Policy, Protect assets, Protect information assets, Security, Value

More military hacks

“Australia Hack Nets Data on U.S. Arms,” The Wall Street Journal, October 13, 2017 A6.  Hacker hacks a defense contractor’s computers and carries off “commercially sensitive data on sophisticated U.S. weapons systems.”  The ease of the hack is mind-boggling.

Is there a common scheme here?  Or otherwise solve this equation for X.


Filed under Access, Controls, Corporation, Duty, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Vendors

Electrical banana (reprise)

Slack is a new communications software in use in many companies.  Do your policies deal with the implications of the use and misuse of yet another new technology?  How will you handle this when litigation comes in?

“Tips to Tighten Slack Users’ Skills,” The Wall Street Journal, October 12, 2017 B4.


Filed under Access, Communications, Compliance, Content, Controls, Corporation, Discovery, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, IT, Legal, New Implications, Oversight, Policy, Protect assets, Security

Internet woes

“Internet Connection Enabled Seoul Hack,” The Wall Street Journal, October 12, 2017 A12.  Use of third-party Korean cyber-security software led to a problem when a military network was connected to the internet.  The hackers first attacked the software firm, which also sold to the South Korean military.  The connection to the internet was enabled through a missed connector jack left behind after routine maintenance.

Remind you of the Target point-of-sale hack?  Watch out for your vendors and the connections to the outside world.


Filed under Controls, Duty, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Value, Vendors