The tone at the top of your enterprise will go a long way if you ever end up in litigation associated with the Economic Espionage Act of 1996 or even the Foreign Corrupt Practices Act. As a CxO with the ultimate responsibility for the resilience of your organization, pay attention. The internal threats to your global 500 company and the Operational Risks associated with the following Mission Objectives are the focus of this posting:
- MO4: Integrate Counterintelligence
- MO5: Enhance Cybersecurity
The U.S. NIS spells out these two mission objectives and for good reason. One may be obvious and we have all heard it before. 80+% of the nations critical infrastructure is owned and operated by the private sector. The reason why the Energy, Financial, and other heavy R & D sectors are being subjected to more attacks by insiders is because these assets are the most valuable in the eyes of the enemy.
The other reason that these two areas are called out in the National Intelligence Strategy is because these are the country's greatest vulnerabilities. So what can a private sector Board of Directors be doing these days to address the two mission objectives that have the greatest nexus with being vigilant and creating the correct "Tone at the Top":
- Implement Human Factors Analysis and Risk Assessments on employees, partners, suppliers and 3rd parties.
- Revitalize, Energize and Capitalize on redesigned policy governance, integrity management and a sound legal framework.
- Create an aggressive corporate executive intelligence and anti-fraud program that is integrated into a robust risk management ecosystem.
- Develop wellsprings of knowledge that engages people in a dialogue focused on intellectual property, valuable corporate assets and their nexus with national security.
The preparation for enterprise disasters has been going on in the Operational Risk environment for years. Even in the most sophisticated companies, these efforts have included the implementation of IT related disaster recovery programs and plans (DRP) as mandated by rules and laws regarding Business Continuity and Continuity of Operations. When and how often these are exercised is another matter.
The crisis management plan is sitting on the shelf next to the DRP or even might be another tab in the same three ring binder. And who knows, perhaps some Director of BCP has even convinced senior management on the use of an EOC portal. This are all fundamentals, baseline and items for every organization to have soon after establishing themselves in business.
What is still being left out, not considered a priority are the two items highlighted above from the United States National Intelligence Strategy, MO4 and MO5. These two items are an Operational Risk Management priority by the Board of Directors in each global 500 company. Why?
USAO/Southern District New York, 11 Feb 10: Mr. Aleynikov was indicted today on charges related to his theft of proprietary computer code concerning a high-frequency trading platform from his former employer, Goldman Sachs. Aleynikov was previously arrested and is expected to be arraigned in Manhattan federal court at a later date.Beginning at approximately 5:20 p.m. on June 5, 2009 –Aleynikov s last day working at Goldman Sachs — Aleynikov , from his desk at Goldman Sachs, transferred substantial portions of Goldman Sachs’s proprietary computer code for its trading platform to an outside computer server in Germany. Aleynikov encrypted the files and transferred them over the Internet without informing Goldman Sachs. After transferring the files, Aleynikov deleted the program he used to encrypt the files and deleted his computer’s “bash history,” which records the most recent commands executed on his computer.
In addition, throughout his employment at Goldman Sachs, Aleynikov transferred thousands of computer code files related to the firm’s proprietary trading program from the firm’s computers to his home computers, without the knowledge or authorization of Goldman Sachs. Aleynikov did this by e-mailing the code files from his Goldman Sachs e-mail account to his personal e-mail account, and storing versions of the code files on his home computers, laptop computer, a flash drive, and other storage devices.
The theft of trade secrets, economic espionage and the movement of data that may have business oriented implications may also have national security impacts. Whether it's going to a competitor or into the hands of foreign entities is not the priority issue. Let's be very specific on this point.
If the vital secret, intellectual property or other data is copied, then how do you know if it's missing from your organization? Sensitive, classified or otherwise proprietary information that is copied and then sold or given to competitors, adversaries of our enemies requires a whole new mind set and a whole new approach to deter, detect, defend and document this behavior in the enterprise.
Aleynikov, 40, is charged with one count of theft of trade secrets, one count of transportation of stolen property in foreign commerce, and one count of unauthorized computer access. If convicted on these charges, Aleynikov faces a maximum sentence of 25 years in prison.
The case associated with competitive intelligence where intellectual property is being transferred to another U.S. company may be just as harmful to the economic fabric of our country. What is more alarming and perhaps the final questions on Operational Risk Management is this:
- What do we know?
- When did we know it?
- What are we going to do about it?
The Board of Directors will be asking these after the crisis is unfolding. The law enforcement investigators will be asking these soon after the immediate incident. The final and perhaps the most painful of all the people who will asking these questions are the lawyers during your deposition and in the court room. Those questions and more will be asked from the front lines of the Goldman Sachs trading pit battlefield to the highly polished tables inside the corporate Board Room.
Revisit the Mission Objectives (MO) in your organization that pertain to MO4 and MO5. It may mean the difference to your corporate shareholders, or to all the citizens of the United States of America.
operational risk