Willie Sutton (a famous bank robber) was reportedly asked, “Why do you rob banks?” He reportedly said, “Because that’s where the money is.” https://www.snopes.com/quotes/sutton.asp
“Hackers Plunder Crypto Exchange,” The Wall Street Journal, January 27, 2018 B5. More than $500 million in credits hacked from the Coincheck site in Japan. One assumes virtual banks are easier to rob than brick and mortar banks.
This is a concrete example of the cost of a cyber breach. But it also follows on from an earlier post (Law School Exam Question) equating cash money and information, in terms of value.
If businesses (including the Board of Directors) treated information assets as cash, and managing, protecting, and controlling the organization’s information as currency, would that be “information governance”? Why do they handle information assets differently? Why should the Board and the officers get a pass on this? The shareholders certainly don’t.
“Firm Settles Russia Probe,” The Wall Street Journal, December 12, 2017 A5. Company working on US defense projects had Russian employees who lacked appropriate security clearances (and who stored some material on servers in Russia).
No fine reported; company to institute new security protocols and thereby resolve criminal complaint.
One would have thought someone would have gotten more than their hands slapped over this one.
What do you do when a rogue employee decides to express his or her politics by messing with your product? Could that affect your brand?
No, this isn’t about the NFL.
“Twitter Tightens Security,” The Wall Street Journal, November 4, 2017 B3. Security lapse allows a departing and now former Twitter employee to shut down President Trump’s Twitter feed for eleven minutes.
Cybersecurity focuses not only on external hackers but also internal bad-deed doers. Sometimes, even well-designed security plans fail. But those third-party plans are protecting your information in their control.
Do you have special controls for special celebrity cases? Do you take extra steps for departing employees?
Not sure Twitter is a brand.
As if Facebook weren’t enough, the Russians allegedly go after the phones of NATO soldiers.
“Russia Targets NATO Soldiers in Phone Hack,” The Wall Street Journal, October 5, 2017 A1. Use of drones suggests a national actor.
Do you control what your employees have on their phones? Can you? How? What if it is your company’s proprietary data? Or overseas?
“Key Filing Made in Battle Between Alphabet, Uber,” The Wall Street Journal, October 2, 2017 B3. Uber apparently knew that “a former Google engineer had confidential Google files before buying his self-driving-car startup.” 50,000 emails, among others.
Do you have processes in place to prevent this from happening when you hire a competitor’s former employee or buy their company? What about when one of your employees (or contractors) leaves?
Sony was not alone. HBO gets hacked, too, and Netflix. Is nothing sacred?
“Hackers Stole HBO Programming,” The Wall Street Journal, August 1, 2017 B2. Game of Thrones may be coming sooner than planned. Hacker also got personal information on at least one executive.
How well is your information protected? What’s that protection worth?
Do you have contractors who analyze your data for you? Do they use cloud storage? Do you know? How secure is that? Is that prohibited by your service contract?
“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days. Most/some of the information exposed was publicly available information on voters. A lot of voters.
Well, at least the Russians (or the DNC) didn’t hack it. Or did they?
What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you? Do you care? It’s not like it’s money or anything.