- An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.
- How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%.
- Colonial’s inability to locate a particular maintenance document. “You’re supposed to be able to find it within 15 minutes. It took them three weeks.”
- One of the main recommendations was that Colonial hire a chief information security officer, a position that cybersecurity experts consider essential in any company with infrastructure vital to national security.
- Colonial said it instead assigned those responsibilities to a subordinate of chief information officer
- The audit found no security-awareness training, which mostly teaches employees not to fall victim to phishing, the cause of more than 90% of cyber-intrusions.
- But Colonial said its expanded cybersecurity regime includes regular simulated phishing campaigns for employees.
– Frank Bajak | May 12, 2021