Twitter, Part II: Security Control Failures

Today we return to that whistleblower complaint against Twitter announced to the world last week. The complaint contained all sorts of allegations about poor cybersecurity and privacy governance — so what were those allegations, exactly; and what lessons can other compliance and audit professionals learn here? As you might recall from our previous post, the…

Fresh Approaches to Cybersecurity Risk

Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…

Lessons in the HanesBrands Cyber Attack

Before we all forget, compliance and audit professionals should note that HanesBrands coughed up an ugly quarterly report last week — and one principal reason for that awful report was a ransomware attack that apparently cost HanesBrands $100 million in lost revenue. The ransomware attack itself is not news; Hanes disclosed the matter on May…

Attestations for Cyber Controls

Last week I was in Atlanta speaking to a group of IT auditors. Conversation turned to the SEC’s proposals for expanded disclosure of cybersecurity risks, and attendees raised a good question: Does this mean that CISOs and other executives will need to attest that, yes, the company’s cybersecurity measures are effective? Under the text of…

CFPB Warning on Data Protection

The Consumer Financial Protection Bureau has issued a fresh warning to financial firms that they must keep customer data safe, and cited three specific cybersecurity controls as measures that firms should implement if they want to avoid liability under federal consumer protection law. The CFPB fired its warning shot on Thursday afternoon in the form…

On Wisconsin and Cyber Risks

IT audit professionals looking for a fresh example of cybersecurity risk to study should turn their gaze to Wisconsin. A voter fraud conspiracy theorist there uncovered what is indeed a legitimate risk to election integrity, and his discovery speaks volumes about taking a risk-based approach to design of internal controls. The gadfly in question is…

Pointers on Preventing Ransomware

Among the many interesting discussions I heard at the Institute of Internal Auditors’ global conference this week, one particularly compelling session was about ransomware: how attackers try to foist it upon companies, and the internal controls you could implement to keep such attacks at bay. Since ransomware risk is going nowhere but up these days,…

New York Fines Carnival $5M on Cyber Fails

Financial regulators in the state of New York just served up quite the example of cybersecurity enforcement, with a $5 million fine slapped against Carnival Corp. for failing to report several cybersecurity breaches in a timely manner and failing to implement required technical controls that would’ve reduced the odds of those attacks in the first…

Cybersecurity Risk: Something’s Happening

I was working at my desk last week when the phone rang. At the other end of the line was my friend the cybersecurity auditor. “Dude, we have to talk,” he said. “Our team here has discovered an issue.” Ummm, a lot of people in our line of work have issues, I replied. Can you…

NIST Pushes More Use of Impact Analysis

NIST, everyone’s favorite publisher of cybersecurity standards, is asking for public comment on another good idea: how to use business impact analysis to guide your risk prioritization and response efforts. Performing a business impact analysis (BIA) is already an important element of business continuity and disaster recovery planning. True, most cybersecurity and data privacy frameworks…