Risk News

Risk Management and Mass Shootings
"The risk explored here today is that of mass shootings. The question is whether we are doing all that we can to mitigate that risk – and whether, beyond some very straightforward laws that could be put in place, it is even possible to mitigate the risk."
Annie's take:

My column looks at the terrible, intertwined issues of hate and mass shootings.
How to craft a U.S. privacy law fit for a tech company
"Facebook, Google, IBM, and Microsoft have all reportedly “aggressively lobbied” the current administration to start developing a federal privacy mandate."
Annie's take:

"Regulate principles, not actions" seems like a shrewd way to proceed.
IBM Security: New Report on Cost of Data Breaches
"The average cost worldwide of a data breach has risen 12 percent over the past 5 years to $3.92 million, IBM Security discovered in a new study."
Annie's take:

Staggering numbers.
WHO will take up Ebola emergency declaration question for a fourth time
"Tomorrow Tedros Adhanom Ghebreyesus, PhD, the director-general for the World Health Organization (WHO) will reconvene the Emergency Committee under the International Health Regulations to consider yet again if the current Ebola outbreak in the Democratic Republic of the Congo (DRC) is a PHEIC (public health emergency of international concern)."
Annie's take:

CIDRAP's article was written yesterday. Earlier today, the World Health meeting did announce the emergency declaration.
Cybersecurity's Evolution: How It May Look Over The Next Few Years
"Within the next 20 years, cybercrime is going to be one of the greatest challenges faced by humanity. No industry is immune — cybercrime comes with a predicted annual global price tag of over $6 trillion by 2021."
Annie's take:

A good summary of a new FireEye report.
ASA Celebrates Its Tenth Anniversary
An untimely posting of our tenth anniversary look back and forward to discuss how the firm has moved from primarily consulting to primarily research.
Annie's take:

We've got a lot to celebrate this month.
Cloud security weaknesses put 2020 census prep at ‘potentially catastrophic risk’
"A new report says the Census Bureau’s cloud-based IT systems have been plagued by a number of “security deficiencies” — a potentially hazardous situation as the bureau prepares to gather a vast amount of personal data as part of its 2020 population tally."
Annie's take:

Potentially devastating.
America is Still a Killing Field
"In October of 2017, the title of this column was “America as a Killing Field,” after the Las Vegas mass shootings."
Annie's take:

So little has changed!
Chinese Spies Stole NSA Cyberweapons Long Before Shadow Brokers Leak
"Hacking tools allegedly developed by the National Security Agency (NSA) were being used in the wild by at least one APT long before the Shadow Brokers released the now-infamous trove of U.S. cyberweapons, new analysis suggests."
Annie's take:

There are so many suspects these days that it should come as no surprise that the Chinese have also been draining information from the NSA.
Getting More Women into Cyber Roles
"Women are making significant strides in cyber security, a noteworthy development in an industry that for too long was composed of a primarily male workforce."
Annie's take:

The surveys on this topic are various, and certainly the 25% of women in the cyber workforce identified here represented the highest level of employment of women that I've seen. The article is well-reasoned and worth a read -- or perhaps worth tucking into the board of directors materials next month?
Microsoft says it has found Iranian hackers targeting U.S. agencies, companies and Middle East advocates
"In the latest of a string of security actions, Microsoft has seized 99 websites it says were used by Iranian hackers to launch cyberattacks against government agencies, businesses and users in Washington, according to a company blog post and court records unsealed Wednesday."
Annie's take:

Microsoft went to court to take down these sites.
Death by a Thousand Clicks: Where Electronic Health Records Went Wrong
"The pain radiated from the top of Annette Monachelli’s head, and it got worse when she changed positions."
Annie's take:

Here's the sad story of interoperability and medical records.
The Marriott Breach Shows Just How Inadequate Cyber Risk Disclosures Are
"Another year and another hack and what seems like a very long wait to learn that it happened. Recently, Marriott waited 11 weeks to reveal that 383 million customer records had been compromised, exposing at least 25 million passport numbers and 8 million payment cards. Can you imagine a company like Marriott waiting for 11 weeks to disclose its quarterly earnings numbers? That wouldn’t be acceptable; why is waiting that long to disclose this type of incident?"
Annie's take:

A good article, with some sobering questions.
Organizations Challenged By Insufficient IT Visibility, Staffing, Ponemon Findings Reveal
"Among key findings from this week’s Ponemon Institute report “Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture” are: 68% of respondents feel that staffing is not adequate for a strong cybersecurity posture; 60% are challenged by insufficient visibility across IT asset types and esp. unmanaged assets, and 61% report inadequate context on the business impact if a vulnerable asset got breached."
Annie's take:

Another indicator of just how far we need to go in cybersecurity, especially on the operational side.
Major Report: Unsecure Medical Devices Need A Fix
"Healthcare organizations are vulnerable to network intrusions through unsecured devices on their networks. There’s no unified solution yet, as Joseph Marks at the Washington Post reports."
Annie's take:

Mike Simon breaks a long report down into four recommendations.
'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers
"IT professionals often see government regulation as a last resort or even a hindrance to solving their problems. Yet when it comes to Internet of Things (IoT) security, 96% of IT decision-makers say government regulation is necessary – even though some wouldn't actually want it."
Annie's take:

We're going to spend a whole week on IoT in my cyber course. Our guest speaker is MSIM alumnus Andy Herman, now at Microsoft.
En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares
"FIC2019 France’s defence secretary Florence Parly today declared: “Cyber war has begun.” And she said the Euro nation's military will use its “cyber arms as all other traditional weapons… to respond and attack,” as well as setting up a military bug bounty program."
Annie's take:

One wonders how long this new program will last.
Climate and Cyber Risks Top Concerns Facing the World in 2019
"The failure to tackle climate change and extreme weather events are the most threatening global risks this year, according to the World Economic Forum."
Annie's take:

More on the topic we covered here yesterday.
Why Cyberattacks Are the No. 1 Risk
"With the world going digital, the dependence on the availability of IT infrastructure keeps exponentially growing, and many people don't comprehend the true scope of the implications."
Annie's take:

"The World Economic Forum (WEF) says business leaders in advanced economies see cyberattacks as their single biggest threat, even more so than terrorist attacks (No. 2), an asset bubble (No. 3), a new financial crisis (No. 4), or failure to adapt to climate change (No. 5)."
The Cybersecurity 202: How the shutdown could make it harder for the government to retain cybersecurity talent
"The partial government shutdown that's now in its 18th day is putting key cyber policy priorities on hold and leaving vital operations to a bare bones staff. But the far greater long-term danger may be the blow to government cyber defenders' morale, former officials warn."
Annie's take:

This is exactly what I have been worried about: such poor practices from a government that cannot match private sector salaries is sure to be on everyone's mind in this, the third week of the shutdown -- and the week employees would normally be paid.
Shutdown sets back U.S. cyber defenders
"A popular cyber technology showcase is the latest casualty of a partial government shutdown that's taking a toll on U.S. cybersecurity."
Annie's take:

Just one of the many examples of government employees who provide critical services and who are not being paid.
As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants
"For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews."
Annie's take:

There is so much more to be said on this topic.
Uber CEO Says Market Turmoil Won’t Derail IPO Plans
"Uber Technologies Inc. Chief Executive Dara Khosrowshahi said market turbulence in the U.S. would be unlikely to affect the ride-hailing titan’s plans for a public listing."
Annie's take:

Keeping a close eye on Uber in two areas as they move toward an IPO: culture and marketplace.