IT and Boards

An article in the WSJ suggests that boards are getting more interested in cybersecurity. Actually the line just below probably says it all:

Facing threat of regulation

I doubt most boards are remotely able to carry on a meaningful conversation in this area. They don’t know what questions to ask and in general, they aren’t really interested. Likely, the reports they receive are just done to show that they’ve reviewed the matter.

Cybersecurity is hard.

Equifax

Much is being written about the Equifax data hack. You can read about it here or here or here if you’ve not yet read much about it.

I saw a post on Twitter the other day that cracked me up.


One report in the NY Times suggested that Equifax doesn’t even know who is impacted.

Here is the deal: Equifax’s business is to gather this information and sell it to third parties. When you need a loan or want a new credit card, the company extending credit to you goes to this company, or ones like it, to check on your credit. They gather this information from lots of different places, and you have no option to tell them to stop doing this. They are building this database of information about you, and you have no control over how they protect this most sensitive information.

We are the ones impacted by their lack of security. We are the ones further impacted by the huge delay in telling us. What was stolen is about us and it impacts us. Equifax might take a stock hit, but not much more.


This company needs to be put out of business. The class action lawsuit should put them out of business. There should even be clawbacks on executive compensation and stock options.

A year of credit monitoring is not even meaningful punishment for this poor stewardship and lack of proper security protection.

Company and organization leadership teams need to take the protection of confidential information seriously. There need to be examples, like here, where the company is put out of business because of its lack of proper attention and focus. Probably the CIO will be fired, but really, the board and the senior leadership team should be fired.


Complexity of our Devices

I’ve been thinking lately that our devices are getting so complex that we no longer are sure about how to manage, secure or protect them.

My wife’s phone recently went nuts and started flashing the LED for alerts, but that setting was not turned on under Settings. Another friend’s phone started acting strangely and randomly, and the vendor ended up giving him a new device. His phone was an iPhone 6, which is awfully old to be getting a free exchange unit. My wife’s Apple Watch battery/system was so poor that the battery ran down every day mid-afternoon with everything turned off. She had to charge it twice a day. Apple support said it was within specifications. Right.

Our home networks are vulnerable, and we don’t even know what we need to do to harden them. Apple TV can support multiple streaming sources, but nothing is simple, and they each authenticate differently. We have devices to open our garage doors with who knows what security. What about our cars?

Apple and Steve Jobs used to talk about removing and simplifying. Matthew May writes about subtracting and eloquence in his books (well worth the read).

Unfortunately, companies continue to make things more complicated.

Our ice maker has a light to remind us to clean the filter. I have no idea how to clean the filter.

Turn it Off

Just finished reading the book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks, published by Little, Brown and Company. Lots of great content about networks and their impact and implications on everything. There is this great quote about how to really, really secure your computer:

Robert Morris Sr., a cryptographic and security genius who towered over NSA code-breaking programs for decades in the last century, compressed his lifetime of experience cracking machines into three golden rules of computer security:

RULE ONE: Do not own a computer.

RULE TWO: Do not power it on.

RULE THREE: Do not use it.


This is hilarious, but it goes with my prior post. The footnote indicates that he might not have actually said this, but it is attributed to him by multiple sources.

The book is about how connections are bringing significant and unstoppable changes to everything: government, military, commerce, social, etc. Everything is changing, and we don’t understand this fully yet. Consider the following:

This new set of forces, invisible to many, is now applying a merciless and grinding pressure to the familiar structures of an older age. The struggles of our cherished institutions—the U.S. Congress, the military, the news media, our universities, our once-inclusive capitalism—to achieve the very aims that they once elegantly and efficiently met is visible evidence of this shift. Repeated government shutdowns. Years of unwinnable war. No news source we feel we can rely upon. Expensive, debt-funded degrees that don’t fit our modern economy. An ever-more-skewed distribution of profits. Pull your focus wider to encompass Europe, the Middle East, and Asia, and you find similarly vexing struggles as nations try to dig their economies out from financial landslides or resist nationalism and unrest. Power is now passing with a rippling, ripping energy from old, once-useful people and institutions. If this passage has so far wiped out only encyclopedias, telephone companies, and taxi medallions, it is merely because it is just beginning. Buried underneath these failures and the impending collapse of many institutions is a common force.

The seventh sense of the book’s title is, then, “the ability to look at any object and see the way in which it is changed by connection.”

Also some great material on AI and what that really might mean. Not AI as we traditionally think about it, but really just fast access to lots and lots of data and the associated correlations.

Really good ideas. Recommended.

Securing our Assets

I’ve about reached the point of believing that we have no chance of securing our personal information technology assets (home network, computer, mobile phone, tablet, etc.).

There are simple steps we can all take to secure our equipment and network, but they are likely just not enough. I’ve done several communications sessions with family and friends and others to discuss how they can best protect their equipment. I wrote about that on my security page. I just keep reading about more risks and threats, about how organized those who want in are, and about what capabilities they are bringing to bear to get access where they don’t belong.

Is it time to start disconnecting more? Should we have a computer at home that is only occasionally connected to the network, if that even helps at all? Updates now require network connections, so it is almost unavoidable.

Keeping all the firmware and software up-to-date on all our devices requires network connectivity again. But are all these updates secure, tested and safe? Of course they aren’t all safe. We are unsafe with the flaws in our existing devices, and we are unsafe with the updates that add more flaws or new flaws. What to do?

Maybe a simple mobile phone that only does calls and text messages? But that can be hijacked and listened to, as 60 Minutes has told us.

All our technology (Watch, tablet, laptops, Kindle, Apple TV, Netflix, etc.) requires network connectivity. What to do?

What about our parents and friends who are not that computer literate?

I want to watch Stranger Things on Netflix, and that requires a lot of technology on my end to be up-to-date and working. What to do?