Serious problems with information technology controls recently surfaced at five major oil companies. No, we're not talking about obvious problems with deepwater drilling, oil spills and related damage, discussed in Chapter 6, but rather about protecting critically sensitive corporate information. You may have seen the media coverage; a recent New York Times headline announced, “Hackers Breach Tech Systems of Multinational Oil Companies.”
Now, we've long known the importance of identifying and analyzing risks related to corporate information and establishing relevant controls to keep that information secure. IT managers and security executives, internal auditors, and others in many companies have worked diligently to provide assurance that specified sensitive information is available internally on a need-to-know basis, and that valued trade secrets remain as such. And we've known the risks of hackers getting inside the secret vault of information, with the potential to wreak havoc. Certainly we would like to think the largest corporations have well-designed and up-to-date control systems to achieve these important operational objectives.
Back to the oil industry: Cyber attacks apparently emanating from somewhere in China hit what might be viewed as a corporate jackpot. According to media reports, experts at IT security firm McAfee said systems at the five (unnamed) multinational oil companies were breached, with the intrusions aimed at corporate espionage. What did the ...