Risk News

12/4/2018
Revealed: Marriott's 500 Million Hack Came After A String Of Security Breaches
"On Friday, hospitality giant Marriott revealed a massive hack led to the theft of personal data of a whopping 500 million customers of its Starwood hotels."
Annie's take:

Paying the cost of replacing guests' passports may be the least of their problems at this point. This appears to be a good example of third party risk.
11/19/2018
Power outages, bank runs, changed financial data: Here are the 'cyber 9/11' scenarios that really worry the experts
"For years, government security specialists have predicted the inevitable "cyber 9/11," an event originating as a digital attack that spills over into other aspects of society, causing widespread harm to people and the global financial sector."
Annie's take:

Each of these scenarios seems quite feasible to me.
11/13/2018
US banks prepare for Iranian cyberattacks as retaliation for sanctions
"As the United States reinstated economic sanctions on Iran on Monday, American banks were gearing up for retaliatory Iranian cyberattacks."
Annie's take:

Breaking the agreement and imposing these sanctions are just about the worst actions that the administration could have taken. And the banks will feel it first.
11/12/2018
Urgent Threats in Today's Environment
"I am nearing the end of the autumn quarter, teaching enterprise risk management to University of Washington Informatics majors."
Annie's take:

I look at the world today, and Liz Crooks authors an excellent piece on the U.S. State Department.
11/11/2018
Converting Challenge to Opportunity: Security and Privacy as Advantage
"It’s human nature to prefer the easy path and be frustrated by challenges that get thrown in our way. In business, challenges usually mean we have to outlay capital to address them or see a dip in our corporate results. But we see time and again that challenges seen in another light present opportunity to those willing to have the foresight and appetite to embrace the opportunity."
Annie's take:

Great opinion piece by my colleague, Tom McAndrew, CEO of Coalfire.
11/11/2018
Converting Challenge to Opportunity: Security and Privacy as Advantage
"It’s human nature to prefer the easy path and be frustrated by challenges that get thrown in our way. In business, challenges usually mean we have to outlay capital to address them or see a dip in our corporate results. But we see time and again that challenges seen in another light present opportunity to those willing to have the foresight and appetite to embrace the opportunity."
Annie's take:

Great piece by CEO Tom McAndrew, of Coalfire.
11/11/2018
Fanning the flames: Trump and the fascist playbook
"It is time to stop pussy-footing around right-wing violence in this country."
Annie's take:

The flames of violent extremism are rising.
11/11/2018
Facebook pulls more pages linked to Iran’s ‘fake news’ push
"Facebook has taken down another co-ordinated campaign from Iran that was spreading divisive political messaging to more than 1m people in the US and UK, as the social network struggles to control disinformation on the platform in the run-up to the US midterm elections."
Annie's take:

This is turning out to be a never-ending problem for Facebook and for Twitter.
10/24/2018
Consumerism driving hospitals to break down cybersecurity boundaries
"It starts with hiring "hardcore cloud animals," to change the culture and rethink infosec’s role in patient experience."
Annie's take:

Good summary of the situation. I am myself an end user of software designed by my hospital to allow me to communicate with my doctor, and see my test results.
10/18/2018
Twitter releases 10M tweets, reveals decade of foreign influence, including Russia’s efforts during 2016 election
"A dataset of more than 10 million Tweets released by Twitter Wednesday included a detailed picture of Russia’s attempt to influence voters away from Hillary Clinton and, eventually, toward Donald Trump."
Annie's take:

We're not surprised, except for the sheer volume of the operation.
10/15/2018
No One Can Get Cybersecurity Disclosure Just Right—Especially Lawmakers
"When you give an organization your data, and then that data gets exposed or stolen, you probably want to know about it. Seems simple enough. If a friend lost your sweater, you'd expect him to tell you. But a seemingly endless parade of massive data exposures—including, most recently, at Facebook and Google—reveal just how complicated that practice of disclosure can be."
Annie's take:

It's a bloody patchwork of guidance (FTC, FFIEC, GLBA, GDPR) and rulemaking by states. Not a pretty picture, and I suspect it will be a long time before we see something else.
10/8/2018
The Right to Vote is Hard Earned
"When the U.S. Constitution was adopted in 1789, it was meant to be a means by which the states ascribed powers to the federal government, but its first ten amendments -- the Bill of Rights -- defined limits on the federal government to enumerate constitutional protection for individual liberties."
Annie's take:

Feeling powerless? VOTE!
10/5/2018
Takeaways from the Trump administration’s new counterterrorism strategy
"The White House’s just-released National Strategy for Counterterrorism is a worthy attempt to rationalize U.S. counterterrorism policy and contains many excellent ideas—its major flaw is that it is more aspirational than prescriptive."
Annie's take:

Good high level analysis of the document, along with a link to the new counter-terrorism strategy.
10/4/2018
Facebook faces $1.6 billion fine as top EU regulator officially opens probe into data breach
"The Irish Data Protection Commissioner (DPC) has opened a formal investigation into the data breach at Facebook that affected nearly 50 million accounts."
Annie's take:

Facebook reported the breach so quickly as to avoid violating the 72 hour GDPR rule, but that won't save them from the fine.
10/3/2018
Facebook's security breach shows even significant security investment might not help
"The biggest technology companies, finance firms and technology giants — including Facebook which now reports up to 50 million user accounts may have been taken over by criminal hackers — invest many millions in cybersecurity and still fall victim to significant attacks."
Annie's take:

This article covers not only Facebook but several other large data breaches, and makes a good point about looking forward.
9/20/2018
The role of corporations in addressing AI’s ethical dilemmas
Annie's take:

A good article. If the private sector can't come up with broad standards, then it looks like the government will do it.
9/10/2018
A Free and Independent Press
"Douglass’ words reflect the importance that the founding fathers attached to the rights of a free press, which had been so instrumental in making the case for independence from England and in spreading information about the American Revolution."
Annie's take:

This month's newsletter looks at the role of a free and independent press in our country. The new research note is from Jeff Leonard, examining risks around our election infrastructure.
8/31/2018
Cyber Threat Intelligence Leader Warns of Changing Nature of Attacks
"As billions more Internet of Things (IoT)-related devices come online, the barrage of cyber threats will not only continue but will target users in new ways."
Annie's take:

Recent Congressional testimony.
8/29/2018
Chinese hackers lead attacks on IoT devices
"New research from F5 Labs has shed light on the fact that Telnet brute force attacks against IoT devices have risen a staggering 249% year over year (2016-2017) and dominated by traffic originating from China."
Annie's take:

Interesting new research from F5's threat lab.
8/28/2018
“This is now the new normal”: an expert explains why cybersecurity risks aren’t going away
"The crazy Trump-centric news cycle has become the new normal in the United States. So has the scenario of constant cybersecurity risks, where it seems like there’s a new worrisome development every week, if not daily."
Annie's take:

As more incursions are spotted and blocked/dropped, we face even more of them going into November.
8/27/2018
Corporate Cybersecurity Is Becoming Geopolitical. Are U.S. Tech Companies Ready?
"This week’s news that Microsoft, Facebook, FireEye, and Google disrupted ongoing Russian and Iranian influence campaigns should garner significant attention in corporate boardrooms."
Annie's take:

Traditional protection measures for corporate data won't be sufficient anymore. The cyber team is going to have to be examining its social media platforms as well.
8/23/2018
Our politicians have no idea how the Internet works
"Here’s the bad news: We can’t trust Silicon Valley to police itself."
Annie's take:

Her reporting is not exactly news. One way or another, we do understand that many in Congress and in the White House have no clue how technology works.
8/21/2018
Just 65% of Companies Have a Cybersecurity Expert on Staff, Survey Says
"When it comes to cybersecurity, many businesses aren’t as prepared as they should be. A survey conducted by Gartner (NYSE: IT) revealed although 95% of CIOs expect cyber threats to increase in the coming years, only 65% have a cybersecurity expert on staff."
Annie's take:

Especially in light of all the hacking going on, this is not good news. The survey did not focus on small business. Rather, over 3,000 CIOs from 98 countries were surveyed.
8/20/2018
One thousand GAO recommendations to remedy cybersecurity shortcomings remain unaddressed
"With one click of a mouse, could an enemy of the United States black out major parts of the country or shut down the nation’s electronic communications? Could a hacker access a major bank and gain your personal information, and then clean out your accounts or steal your identity? Or send the stock markets into a tailspin, disrupting the economy?"
Annie's take:

Of the 3,000 cyber recommendations that the Government Accountability Office (GAO) has made since 2010, one thousand remain as open audit items.
8/17/2018
Security’s bane: The false positive
"Nothing makes security look worse than the false negative – when we miss an attack and damage is suffered. As security professionals, it’s something we all obsess a lot about. However, the number two thing that makes us look bad is the false positive."
Annie's take:

A good read.
8/16/2018
Sizing up the FBI’s new cyber leadership
"FBI CYBER PICKS WIN PRAISE — The FBI made an excellent choice in tapping Amy Hess to lead the Criminal, Cyber, Response and Services Branch, which oversees the bureau’s Cyber Division, according to former FBI officials and agents who spoke to MC on Tuesday after the bureau filled two of its key vacant cyber positions."
Annie's take:

A big win for cybersecurity, and for women.
8/15/2018
Why US elections remain 'dangerously vulnerable' to cyber-attacks
"Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming."
Annie's take:

Hoping to hear more from the feds in the coming weeks about how they are partnering with local election machinery to overcome these vulnerabilities.
8/14/2018
Now Available on Amazon -- Annie Searle's "Risk Reconsidered"
"The field of operational risk management is relatively new."
Annie's take:

I'm so happy to announce the new book!
8/13/2018
Black Hat USA 2018: IBM researchers developed AI powered malware to demonstrate future threat models
"IBM researchers at Black Hat USA 2018 announced their development of DeepLocker, described as a highly targeted and evasive attack tool powered by AI."
Annie's take:

Another point to keep in mind with AI. Concealing the malware in a video training app, undetectable, shows just what we are up against.
8/10/2018
Cyber Incident Risk: From IT Headache to Business Threat
"Cyber incident risk is one of the most consequential areas of risk management organizations face today."
Annie's take:

Excellent article!
8/9/2018
The Security Industry's Talent Shortage is a Crisis of Diversity
"If you think everything’s gone cyber now, just wait. “Digital transformation” is shifting all aspects of modern life — think automated grocery stores, driverless cars and trucks, even our social lives — and it all brings new forms of risk."
Annie's take:

A clarion call to the industry.
8/7/2018
Amid cybersecurity fears, tech firms are offering to help secure the U.S. elections for free or at a discount
"American democracy is under attack, with foreign spies and trolls throwing wrenches into the workings of U.S. elections—be it attempts to hack candidate websites, scramble voter rolls, or spread fake news on social media platforms."
Annie's take:

I'm glad that tech firms are stepping up to help. We've all got a role to play -- including voting!
8/2/2018
How AI Could Become the Firewall of 2003
"One of the shortcomings of the cybersecurity industry is a preoccupation with methodologies as solutions, rather than thinking about how they can be most useful. This scenario is happening right now with artificial intelligence (AI) and machine learning (ML) and reminds me of discussions I heard about firewalls back in 2003."
Annie's take:

An interesting take on what AI represents.
7/31/2018
Why risk management should underpin a cyber security strategy.
"Q: Lloyd’s Register is all about safety; what is more important for cyber security professionals to focus on - is it threats or is it vulnerabilities?"
Annie's take:

An extremely interesting interview.
7/27/2018
Houston runs 3-day cyberattack stress test
"The City of Houston is running a three-day exercise to test its ability to deflect and cope with cyberattacks, Mayor Sylvester Turner announced Wednesday."
Annie's take:

We need more such tests.
7/26/2018
Global Finance Leader Study: Finance Leaders Share the Top Risks that Matter Most
"CFOs operate in an increasingly volatile business environment, from geopolitical uncertainty to the universal threat of cybercrime."
Annie's take:

These lists are beginning to look remarkably the same.
7/24/2018
White House says Trump wants to revoke security clearances for former officials critical of him over Russia
"President Trump moved to retaliate against some of his strongest critics Monday, threatening to revoke the security clearances of former top officials who have raised alarms about Russian interference in the 2016 election or questioned the president’s fitness for office."
Annie's take:

Nothing shocks us anymore, especially when Trump plays to his base. One would hope that Congress and his own advisors would stop this plan dead in its tracks.
7/21/2018
5 use cases for smart city IoT
"Cities across the world are running internet-of-things pilots to gain insights that will help them run more efficiently. A new white paper from the Georgia Institute of Technology's Center for the Development and Application of Internet of Things Technologies takes an exhaustive look at the promise of these burgeoning technologies."
Annie's take:

In this respect, the public sector may be moving more quickly than the private sector.
7/17/2018
‘Very much counter to the plan’: Trump defies advisers in embrace of Putin
"Administration officials had hoped that maybe, just maybe, Monday’s summit between President Trump and Russian President Vladimir Putin would end differently — without a freewheeling 46-minute news conference in which Trump attacked his own FBI on foreign soil and warmly praised archrival Russia."
Annie's take:

Operational risk levels in this country are at an all time high. We need Republicans as well as Democrats to strongly condemn Trump's words.
7/16/2018
Cryptocurrency, Cyber Fraud Focus of Trump Task Force
"On an executive order by President Trump, four agencies established the Task Force on Market Integrity and Consumer Fraud last week, charged with guiding “the investigation and prosecution of cases involving fraud on the government, the financial markets and consumers, including cyber fraud and other fraud targeting the elderly, service members and veterans, and other members of the public,” in addition to other provisions."
Annie's take:

Better late than never?
7/13/2018
Building his A-Team: Prosecutors specialized in cybercrime and counter-espionage join Robert Mueller's probe into Russian election meddling
"Special Counsel Robert Mueller is stocking his team of prosecutors with experts in cyber-espionage, counter-intelligence, political corruption, and violent crime in the ongoing and expanding Russia investigation."
Annie's take:

This story was reported yesterday, before the indictments of 12 intelligence officers from Russia were announced this morning. #timely
7/12/2018
Waging cyber war without a rulebook
"For years, security experts have warned of an impending cyber Pearl Harbor: an attack so big and bold that it cripples U.S. infrastructure and demands a military response."
Annie's take:

Possibly one of the worst possible and high risk outcomes would be misunderstanding another country's actions and proceeding to attack them. We need a better set of rules and protocols here.
7/11/2018
Battling Fake Accounts, Twitter to Slash Millions of Followers
"Twitter will begin removing tens of millions of suspicious accounts from users’ followers on Thursday, signaling a major new effort to restore trust on the popular but embattled platform."
Annie's take:

What Twitter can charge for ads will undoubtedly be affected by this purge, but it's a necessary one.
7/10/2018
Privacy and Cyber Risk - Turning uncertainty into opportunity
"Australia’s technological landscape is ever evolving. Across sectors, digital technologies are constantly shifting business rules by facilitating new business models. Technology has not only been fundamental in assisting corporations in reducing cost and increasing productivity, digitalisation has substantially changed the business landscape promising increased opportunity and innovation. However, with this new opportunity comes new risks, particularly cyber risk and the risk of breach of privacy."
Annie's take:

It's interesting to read how these twin issues are being handled in another country.
7/9/2018
"All Rise!"
“All rise!” is what the clerk of court calls out when a judge enters a courtroom, at all levels of our legal system, from traffic court to the Supreme Court.
Annie's take:

A quick walk through the rule of law.
7/6/2018
The Morning Risk Report: Midsize Firms Take Cybersecurity ‘Sweet Spot’
"Good morning. Big companies have more sophisticated systems and more cash to throw at keeping hackers out, but tests of firms’ vulnerability indicate that doesn’t make them safer than their smaller counterparts."
Annie's take:

Another interesting Coalfire report!
7/5/2018
How Smart TVs in Millions of U.S. Homes Track More Than What’s On Tonight
"The growing concern over online data and user privacy has been focused on tech giants like Facebook and devices like smartphones. But people’s data is also increasingly being vacuumed right out of their living rooms via their televisions, sometimes without their knowledge."
Annie's take:

The casualness with which people give away their privacy is astounding. #NOSAMBAHERE
7/2/2018
Banks to be subjected to ‘cyber stress tests’ to see if they could withstand a major hacking attack
"Financial services companies will be subject to “cyber stress tests” to establish if they could recover in the event of a major breach, the Bank of England said today."
Annie's take:

Brits seem to be in the lead here...
6/28/2018
Security & Fraud Black Hat: Cybersecurity Is More Than A Tech Problem
"Cybersecurity was once seen as purely a matter of technology, but more and more, security experts are bundling issues such as personal privacy, politics, business, ethics and risk into the package. A recent report by Black Hat on the current state of cybersecurity shows how the concerns, attitudes and plans of top security pros are adapting to keep pace with evolving threats."
Annie's take:

Glad to see that Black Hat's annual survey points exactly to the related fields of inquiry that I teach.
6/26/2018
Congress Lays Out Tech Funding in Spending Bills and Focuses on Supply Chain Threats
"The Senate Appropriations subcommittees forwarded a smorgasbord of funding bills to the full committee last week. Here’s a rundown."
Annie's take:

At least the Senate Appropriations Committee seems to understand the threat.
6/19/2018
Cryptocurrency Mining Tops Ransomware Attacks as New Cyberthreat
"While ransomware attacks continue to preoccupy the minds of healthcare IT security pros, a new threat is emerging—cryptocurrency mining. Not as devastating as ransomware, cryptocurrency mining malware can still degrade system performance and cause vital healthcare IT systems to slow down or even shut down due to the enormous processing power the malware uses to mine cryptocurrency."
Annie's take:

Another kind of threat to the healthcare industry.
6/18/2018
US warns of North Korea cyber campaign, days after historic summit
"The US Department of Homeland Security said that it has identified malicious cyber activity by the North Korean government, according to a new report released on Thursday, just days after the historic summit between President Donald Trump and North Korean dictator Kim Jong Un."
Annie's take:

There is not much anymore that surprises us, least of all this report.
5/17/2018
Whistleblower Leaked Damning Cohen Financial Documents Because They Were Disappearing From Government Financial Crimes Database
"A recent string of disclosures about payments made to bank accounts linked to Michael Cohen and his shell company, Essential Consultants, used to pay off porn star Stormy Daniels, raised a host of new legal questions for the longtime personal lawyer to Donald Trump."
Annie's take:

A colleague pointed out at the inception of the current administration that we should be concerned with information disappearing, and it looks like she was right.
5/16/2018
White House eliminates cybersecurity coordinator role
"The Trump administration no longer has a cybersecurity coordinator."
Annie's take:

Perhaps the most careless move yet by John Bolton.
5/14/2018
Gaudeamus -- Let Us Rejoice!
“Among the map makers of each generation are the risk takers, those who see the opportunities, seize the moment and expand man's vision of the future.” -- Ralph Waldo Emerson
Annie's take:

This month's column features a Q & A on risk management careers. Zhou Shan has written a research note on privacy and big data.
5/3/2018
One Cybersecurity Metric To Dwell On
"Having a robust set of indicators is important to assessing an agency’s cybersecurity, but how long hackers have access to a network may be the most important, one federal IT official said."
Annie's take:

This metric -- the average time to detection -- is still way too high.
5/2/2018
Bringing It All Together: NYS DFS, SWIFT, SEC and GDPR
"The Financial Services industry tends to be at the cutting edge of technology, and as a result, is often the group to be ahead of the curve of both its benefit and hazards. Whether it’s faster transactional processing in support of gaining even the slightest edge in trade execution or leveraging big data to gain unprecedented insights, financial services is the place to be. On the other hand, the power of all that technology and data has also led to businesses running the risk of exposing customer’s data and committing fraud."
Annie's take:

Assimilation, finally?
5/1/2018
Digital Identity Makes Headway Around the World
"As our real lives and online lives become increasingly intertwined, the old ways of authenticating identity are failing us."
Annie's take:

A quick trip around the world.
4/27/2018
Cyber Adversaries: It's Not Just Russia
"The first great cyberattack of the century was a deliberate, targeted and slow-moving affair. It was a sophisticated operation tailored toward a specific tactical outcome to serve American and Israeli strategic purposes."
Annie's take:

Fascinating article!
4/25/2018
House seeks feedback on cyber challenges posed by legacy systems
"The House Energy and Commerce Committee has issued a request for information from industry stakeholders on how to address the cybersecurity challenges posed by legacy healthcare technologies and medical devices."
Annie's take:

A wise move. The question is, what will they do with the information?
4/18/2018
Fintech professional’s tech predictions: 5 – better understanding of privacy settings
"In this post the fintech IT professional looks at how the public will become better informed about the privacy settings online and how website operators will be forced to adopt rules including default settings that protect consumers."
Annie's take:

If just one of these predictions -- that a standard definition of privacy would be arrived at by the government -- came true, I would be thrilled.
4/16/2018
Syria news latest: Russia 'could launch cyber warfare within weeks' after US-led military action, expert warns
"Russia could “launch cyber warfare within weeks” in retaliation to US-led airstrikes on Syria bringing down City firms, the UK transport network and the NHS, experts have warned."
Annie's take:

One would hope that U.S. cyberintelligence would be making the same assessment and preparations for a cyber blitz at this time.
4/12/2018
After Cambridge Analytica, privacy experts get to say "I told you so"
Annie's take:

"The times, they are a changin'."
4/9/2018
DHS Is Making A List and Checking It Twice
"The Department of Homeland Security (DHS) has launched a bid request to create a “media monitoring services,” describing a plan to identify, then gather and monitor professional journalists and “top media influencers” – from the RFI, we learn that DHS will track more than 290,000 news sources around the world as well as social media in over 100 languages (with immediate translation into English)."
Annie's take:

The tension between the administration and the media has never been more pronounced. This RFI exacerbates the situation.
4/5/2018
CEO says Facebook will impose new EU privacy rules “everywhere”
"Facebook CEO Mark Zuckerberg took an apologetic tone in a call with reporters Wednesday afternoon, weeks after the Cambridge Analytica debacle that has put a new level of pressure on the social media giant."
Annie's take:

I am pleased to say "I told you so." Where Facebook leads, can Google and Twitter be far behind? All this before the Congressional hearings!
4/4/2018
The Next NSA Chief Is More Used to Cyberwar Than Spy Games
"After sailing through two friendly Senate hearings—one so uncontroversial that only six senators tops bothered to even show up at any given point in the hour—Lieutenant General Paul Nakasone seems set for confirmation as the next director of the National Security Agency."
Annie's take:

Too much power in one place when these two positions are combined? As the article points out, each agency asks different skills from its leader.
3/30/2018
The Seemingly Random and Definitely Worrisome Cyberattack on Atlanta
"Last Thursday morning, the Atlanta city councilmember Howard Shook walked into his office and immediately began following the urgent recommendation of his I.T. department."
Annie's take:

Though the article does not suggest it, let's hope that the city has found federal or state resources to help them close holes and (if possible) retrieve the data.
3/29/2018
Is Facebook Undermining Our Military?
"The U.S. military has long laid claim to having the best-equipped, best-trained fighting force in the world, and to spending more on defense than the next eight top-spending nations combined. But when the battleground is cyberspace, does that claim hold up?"
Annie's take:

Incisive article.
3/28/2018
Combating cyber threats in critical infrastructure through due diligence
"Regardless of the implementation method, it’s important for critical infrastructure industries to assess their cybersecurity risks and to protect themselves. An optimal way to start is to adopt the NIST CSF, which will bring depth and breadth to your due diligence for your organization."
Annie's take:

Good article.
3/27/2018
5 ways the 2018 omnibus promotes IT modernization, cybersecurity
"Rep. Will Hurd (R-Texas) said about 10 days before the end of the latest continuing resolution that he was optimistic that congressional appropriators would find some money for the Technology Modernization Fund."
Annie's take:

Good news here, at least.
3/21/2018
Facebook’s Lax Data Policies Led to Cambridge Analytica Crisis
"Facebook Inc.’s loose approach to policing how app creators and others deployed its user data persisted for years, including after a 2015 effort by the social network to restrict access, according to court documents and people familiar with Facebook."
Annie's take:

More background information continues to emerge. Nice to see former Seattle reporter Kirsten Grind on this story!
3/20/2018
FTC Probing Facebook for Use of Personal Data, Source Says
"Facebook Inc. is drawing scrutiny from the main U.S. privacy watchdog and half a dozen powerful congressional committees over how the personal data of 50 million users was obtained by a data analytics firm that helped elect President Donald Trump."
Annie's take:

The CISO was evidently overruled more than once on his recommendation that Facebook be more transparent about Russian efforts on the site. He's been marginalized. Now the FTC and Congressional committees will step in. Facebook has shown it will never be able to regulate itself.
3/19/2018
How Trump Consultants Exploited the Facebook Data of Millions
"As the upstart voter-profiling company Cambridge Analytica prepared to wade into the 2014 American midterm elections, it had a problem."
Annie's take:

This is only the beginning of the story. More information continues to appear, as Congress prepares to interrogate Facebook's CEO. As you'll read here, Facebook was once years ago subject to a consent decree without fines via the Federal Trade Commission.
3/14/2018
Cyber risks to your finances are rising as big banks rely on the oligopoly of big tech
"It is often said that practice makes perfect. Maybe that’s why a few of Canada’s larger financial institutions were recently asked to participate in what one regulator called a “severe but plausible cyber scenario.”"
Annie's take:

This analysis is probably as applicable in the United States as Canada.
3/13/2018
Cybersecurity Challenges For The Boardroom: What Publicly Traded Companies Should Consider
"Steven Grimberg and Mark Ray are Managing Directors at Nardello & Co., a leading global investigations firm that, among other things, specializes in cybersecurity consulting, internal investigations and incident response."
Annie's take:

Good question and answer content. NACD, pay attention.
3/12/2018
Guns, Bluster and Global Crapshoots
"February was a short month, dominated by Congressional inaction when DACA or gun control reform legislation was beaten back again by lobbyists."
Annie's take:

This month's column focuses on exactly what its title indicates.
3/9/2018
Corporate boards will face the spotlight in cybersecurity incidents
"In my last article, I noted that corporate boards, especially those of public companies, are facing increased scrutiny and liability exposure in relation to cybersecurity and data privacy."
Annie's take:

How alert must boards of directors be? Here's a terrific article that lays it out.
3/5/2018
Six Common Misconceptions About Cybersecurity
"Interest in cybersecurity is escalating across the legal profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face. Because these risks are deep and potentially disastrous, lawyers are increasingly tasked with counseling clients about how to contain them."
Annie's take:

Excellent article!
3/5/2018
Women cybersecurity leaders: RSA Conference can't find you
"At a major cybersecurity event in April, the only woman out of 20 keynote speakers will be a social commentator."
Annie's take:

Women are holding their own conference in San Francisco, and you can get the details here: https://www.oursa.org.
3/2/2018
Equifax Releases Updated Information on 2017 Cybersecurity Incident
Annie's take:

The drama continues, and Equifax leads the way for providing stellar lessons learned on what was a broad cultural problem.
3/1/2018
Cryptocurrency Firms Targeted in SEC Probe
"The Securities and Exchange Commission has issued dozens of subpoenas and information requests to technology companies and advisers involved in the red-hot market for cryptocurrencies, according to people familiar with the matter."
Annie's take:

The SEC has turned out to be the most actively forward-looking agency that the current administration has. This will be quite interesting.
2/28/2018
SEC Refreshes Cyber Guidance
"It's been seven years since the U.S. Securities and Exchange Commission (Commission) issued its initial guidance to public companies on cybersecurity disclosure."
Annie's take:

Good summary of the guidance.
2/27/2018
Global megatrends that are problematic for the state of cybersecurity
"The majority of senior-level IT professionals fully expect their organization will experience a catastrophic data breach that could greatly impact shareholder value, according to a study conducted by the Ponemon Institute."
Annie's take:

We're starting to see some honest answers in these surveys.
2/26/2018
Interpol warns IoT devices at risk
"Cyberattacks against IoT devices have grown markedly over the past two years, prompting a warning from Interpol that nearly any IoT device – from refrigerators to smart phones - is vulnerable to attack."
Annie's take:

No surprises here, except the numbers.
2/23/2018
The global cyber war is heating up: Why businesses should be worried
"Last Friday, the Department of Justice indicted 13 Russians and three Russian companies for interfering with the 2016 elections. Also last week, several countries including the U.S., the U.K., Canada, Australia, and Denmark accused Russia of being behind last summer's NotPetya attack."
Annie's take:

Excellent advice.
2/22/2018
US regulator warns companies over cyber attack delays
"The main US financial regulator has beefed up its rulebook for companies faced with cyber attacks."
Annie's take:

The new SEC guidance is essentially a rehash of 2011 guidance. Note that in May, GDPR will require notification on breaches within 72 hours of the event.
2/21/2018
How the FTC Act, HIPAA Privacy Rule Impact Healthcare Orgs
"Collecting and sharing consumer health information is fairly standard practice for covered entities and their business assets."
Annie's take:

There's more than one government agency involved in monitoring healthcare organizations for violations.
2/20/2018
Global regulators neutral on new rules for 'hyped' fintech
"Global banking regulators signaled on Monday they were in no rush to adapt their rules to financial technology firms that have begun nibbling away at banks’ markets."
Annie's take:

"Volumes are still low" seems to be the rationale provided by global regulators at this time.
2/19/2018
State elections officials fret over cybersecurity threats
"At a conference of state secretaries of state in Washington, several officials said the government was slow to share information about specific threats faced by states during the 2016 election. According to the Department of Homeland Security, Russian government hackers tried to gain access to voter registration files or public election sites in 21 states."
Annie's take:

Entirely appropriate to start assessments now!
2/15/2018
FS-ISAC enables safer financial data sharing with API
"In an effort to keep consumer financial information and businesses safer from cyber attacks, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is providing a new API free of charge."
Annie's take:

Hats off to my friends and colleagues at FS-ISAC. This is a big win for everyone involved.
2/14/2018
How IoT, Edge Computing Can Impact HIT Infrastructure in 2018
"Many healthcare organizations are going through digital transformations and are interested in what evolving advanced technology is working for other entities. The Internet of Things (IoT) and edge computing are just two areas that could have significant impacts on HIT infrastructure in the coming year."
Annie's take:

Good analysis.
2/13/2018
America lost a cyberwar to Russia in 2016. When will we have truth?
"Trump’s fantasy of a military parade and Trump’s choice to release or block congressional memos about the Russia investigation were the two big stories of last week."
Annie's take:

Dwindling resources at Justice, State and Defense to get the story out.
2/12/2018
Looking Toward a More Just Society
"To ask whether a society is just is to ask how it distributes the things we prize--income and wealth, duties and rights, powers and opportunities, offices and honors."
Annie's take:

From my column: "We need to find a balance between bearing witness and enacting change that will lead to a more just society."
2/8/2018
New SEC Cyber Unit Hunts for Fraudsters
"The SEC's recently launched Cyber Unit, which the agency rolled out in September, is starting to show serious results. In late January, as Forbes reports, the SEC "obtained a court order halting an allegedly fraudulent initial coin offering (ICO), which targeted retail investors to fund what was claimed to be the world's first 'decentralized bank.'"
Annie's take:

Such good news!
2/8/2018
Olympics 2018: Drills Held In Pyeongchang Prepare For Threats Of Terrorism, War
"When Pyeongchang was awarded the 2018 Winter Olympic Games more than seven years ago, tensions in this region were much lower and North Korea did not have nuclear weapons thought capable of hitting the United States."
Annie's take:

These drills and other such scenario tests cannot be overvalued.
2/6/2018
Olympics 2018: Drills Held In Pyeongchang Prepare For Threats Of Terrorism, War
"When Pyeongchang was awarded the 2018 Winter Olympic Games more than seven years ago, tensions in this region were much lower and North Korea did not have nuclear weapons thought capable of hitting the United States."
Annie's take:

The importance of drills and scenario tests cannot be overemphasized.
2/5/2018
Hacking threats loom over 2018 Olympics
"Nation-state and criminal hackers are targeting the Winter Olympics at a rapidly increasing rate, raising fears of phishing scams, hacks and other disruptive attacks."
Annie's take:

Best advice for travelers to the Olympics: buy a burner phone and leave your smartphone at home.
2/2/2018
Appeals court: Twitter can’t be sued for “material support” of terrorism
"An appeals court has ruled that Twitter is not liable for the deaths of two American military contractors who were killed in Jordan in 2015."
Annie's take:

Seems entirely appropriate!
2/1/2018
War room to boardroom: The new era of cybersecurity
"Facebook’s hire of its first ever head of cybersecurity policy is recognition that protecting corporations from foreign hacking is an increasingly serious matter."
Annie's take:

"Corporate cybersecurity is not an IT problem."
1/31/2018
Defending Our Nation's Cyber Services
"As the chief cybersecurity official for the Department of Homeland Security, Jeanette Manfra is laser-focused on preventing cyberattacks that could destabilize the U.S. financial system or open the federal government up to spying."
Annie's take:

Nice to see a senior female cyber official at DHS.
1/30/2018
U.S. military personnel aren’t the only ones oversharing on fitness apps
"Soldiers using fitness tracking devices inadvertently revealed the locations of U.S. military bases — including classified ones — and the incident has lessons for anyone with a smartphone."
Annie's take:

Whoa!
1/29/2018
EC issues GDPR guidance
"With just under four months to go before the General Data Protection Regulation (GDPR) takes effect, the European Commission (EC) published guidance Thursday meant to help organizations apply the new rules to their businesses."
Annie's take:

Compliance is expected to be in place by the deadline. This article has a link to the full guidance.
1/25/2018
When #MeToo Becomes Catch-22
"A number of high-profile men have recently lost powerful positions over their alleged sexual misconduct. But for female victims of harassment, speaking up often is just as career damaging."
Annie's take:

"Harassment pervades the workplace."
1/23/2018
Tsunami Advisories Lifted After Alaska Earthquake
"Within four hours of a major earthquake striking off the Alaskan coast early Tuesday, the authorities lifted all tsunami advisories, after initial concerns prompted guidance for coastal areas as far south as the American border with Mexico."
Annie's take:

Very clear explanation of what type of earthquake this was. I am speaking tomorrow afternoon to University of Washington Access students on "Assessing Personal Risk in Challenging Times." Earthquake preparation will certainly come up.
1/22/2018
The Five Laws Of Cybersecurity
"As we enter the new year, I can't help but recall these words from Star Trek II: The Wrath of Khan -- one of my favorite movies. 2017, by all accounts, ended up being the year of the hacker in many ways."
Annie's take:

Interesting take on the situation.
1/19/2018
Exchange body issues cyber security best practice guidelines
"The global trade association for exchanges has issued a set of cyber security best practice guidelines that proposes reducing bonuses for staff who fail tests and including awareness in performance indicators."
Annie's take:

Tying performance to bonuses will get their attention.
1/18/2018
CISOs' No. 1 Concern in 2018: The Talent Gap
"The top concern among CISOs for 2018 falls outside the typical realm of attacks, employee negligence, or staffing shortages, according to findings released this week in a Ponemon Institute Survey."
Annie's take:

No surprises here. The UW information security/cyber Informatics and master's degree programs are helping to turn out qualified candidates.
1/17/2018
Who should be responsible for cybersecurity?
"The news today is flush with salacious stories of cyber-security breaches, data held hostage in brazen ransomware attacks, and compromised records and consumer information."
Annie's take:

Good piece.
1/16/2018
Think you are in control? Think again! New Data Protection Regulations Are Here
"If a stranger on the street asked me for my address and credit card details, I would be suspicious and would think about calling the police. However, multiple organizations are often collecting and saving this type of data all the time, usually without my consent. Unfair, don’t you think?"
Annie's take:

The new Global Data Protection Regulations should filter down to us Americans after August, when all the large tech companies have complied in order to do business in Europe.
1/12/2018
Donald Trump's 'racist slur' provokes outrage
"US President Donald Trump has sparked outrage after he was reported to have used crude language to describe foreign countries in an Oval Office meeting."
Annie's take:

He can try to gloss over what he said in the meeting, but by now everyone (his supporters and the rest of us) knows that is how he thinks and how he speaks. To friends and colleagues all over the world, I offer an apology on his behalf. And mine.
1/11/2018
House Passes Bill Authorizing Array of Foreign Electronic Surveillance
"The House on Thursday approved an extension of an expiring surveillance law, reauthorizing the FISA Amendments Act through 2023."
Annie's take:

The bill was passed without any modifying amendments. If ever you needed a reason to get out and vote, this is it.
1/9/2018
Can we really automate how security analysts think?
"In some conversations with security leaders, I inevitably run into a skeptic view that automation will never be able to replicate the decision making of security analysts. The truth is we can already automate a lot more of the decision making today than was possible just a couple of years ago."
Annie's take:

A good article.
1/8/2018
Our Darkest Hour is Still Ahead
"Just like that, we are in a new year."
Annie's take:

My thoughts on the changes that have taken place this past year in our democracy.
1/6/2018
Cellphone and Computer Searches at U.S. Border Rise Under Trump
"Customs officers stationed at the American border and at airports searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the United States last year — an almost 60 percent increase from 2016, according to Homeland Security Department data released on Friday."
Annie's take:

Here's another case or two for the Supremes.
1/5/2018
Contractors Must Contend With New Cybersecurity Rule
"The April 2017 issue of National Defense reported on key aspects of the Defense Department rule on “Safeguarding Covered Defense Information and Cyber Incident Reporting” and actions that contractors could take to implement the rule."
Annie's take:

Now we're making progress!
1/4/2018
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
"Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw."
Annie's take:

This is the clearest analysis I've read.
1/3/2018
NAIC Adopts Model Law on Cybersecurity: Will States Adopt It?
"On Oct. 24, the National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard setting and regulatory support organization consisting of the top insurance regulators from the 50 states, District of Columbia, and five U.S. territories."
Annie's take:

I am very anxious to see where this goes.
1/2/2018
The everyday attacks in modern cyber warfare
"The Department of Homeland Security has identified 16 critical parts of our infrastructure that are at risk for a cyber attack — energy, financial services, transportation, water, and defense, to name a few."
Annie's take:

Nibbled to death.