“Hack of Saudi Plant Targeted Safety System,” The Wall Street Journal, January 19, 2018 B4. Cyberattack focused not on the theft of information, but on a critical emergency safety shut-off system.
So, this is more about information security than it is about information governance. Or is it? This is the type of attack that keeps the information security folks awake at night. A big deal in the oil patch.
Who’s responsible? The vendor of the equipment (and software) that was hacked? Or the owner of the plant that had the equipment on-line?
Does your company have information that is critical to the safety of your operations? Who’s responsible for protecting that from outside attack?
Which is better? Government regulation or market regulation? I guess we’ll find out.
“FCC Reverses Rules on Net Access,” The Wall Street Journal, December 15, 2017 A1. The move reverses the utility-based rules that were previously in place.
Were the rules neutral before, or are they neutral now? Does the government control how we get our information, or do market forces? How much does it matter?
“Three From China Indicted in Cyberattacks,” The Wall Street Journal, November 28, 2017 B4. Allegedly hacked into the email account of an economist at Moody’s and gained access to gigabytes of confidential data of Siemens beginning in 2011.
Who has access to your data? Is the email account of a third-party vendor a potential source of a major leak? Even an economist?
Filed under Access, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Value
Cybersecurity involves protecting the enterprise from internal or external attack and responding after the enterprise has been attacked. How do you ensure your business continues to operate if its cybersecurity is breached? It’s not just sending notices to affected customers and paying for credit watches.
“Banks Create Cyber Doomsday System,” The Wall Street Journal, December 4, 2017 B1. By requiring banks and credit unions to back up their data so that operations can be restored after a breach. This also protects confidence in the overall banking system.
Do you have a business continuity plan? Does it address how you will access your critical information so that you can continue to operate?
What’s surprising is that this is newsworthy.
Filed under Access, Board, Business Case, Business Continuity, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Interconnections, Internal controls, IT, Operations, Oversight, Protect assets, Protect information assets, Security, Value
“Afghanistan Orders WhatsApp Blocked,” The Wall Street Journal, November 4, 2017 A9. Some providers don’t comply.
King Canute ordered the tides to recede. With limited success. Does your company issue policies that just won’t work? What does it say about the person issuing the policies and what does it say about your company’s culture? What about how well the company’s other policies will be adhered to?
Internet neutrality – is the power to regulate (and tax) the power to prohibit? Whether exercised or not?
How do you protect against intrusions (including hacking and viruses and ransomware)? Policies and technology, mainly. How do you protect against internal breaches (phishing, etc.)? Policies, training, and a bit of technology. How do you respond to an actual breach? Policies and procedures, training, and technology.
In the response, keep the notice requirements in mind. The rules vary from state to state.
“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1. Several states initiate investigations into Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million credit accounts. What did they know, when did they know it, when did they report it, and to whom? Notice to the state, to the fed, to the consumers, and to investors? What’s reasonable, or what’s required by statute?
It’s all about notice. Given the business, should the directors have been on top of this?
Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Legal, Oversight, Requirements, Security, To report, Value
“Hackers Target Schools,” The Wall Street Journal, October 24, 2017 A3. Cyberthefts and ransomware attacks at a whole host of schools, targeting data on students, as well as the normal financial stuff.
So, how much money should schools spend to prevent hacking and subsequent release of student data? And isn’t it nice of the news media to report how much ransom the attackers got?
So, whose data is it, anyway? And who’s the custodian?
Filed under Access, Compliance, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Value