30 January 2011

Crisis Management: ORM & Public Relations Convergence...

Operational Risk Management Executives will be tuning into CBS 60 Minutes Sunday night. If you are a Bank of America stakeholder and your stock dropped 3% on November 30, 2010 because of a WikiLeaks document release, this episode should be on your mind:

(Reuters) - WikiLeaks founder Julian Assange says he enjoys making banks squirm thinking they might be the next targets of his website which has published U.S. diplomatic and military secrets.

"I think it's great. We have all these banks squirming, thinking maybe it's them," Assange told the CBS television program "60 Minutes" in an interview.

CBS released a partial transcript on Friday ahead of Sunday's broadcast of the full segment.

Bank of America Corp shares fell more than 3 percent on November 30 on investor fears that the largest U.S. bank by assets would be the subject of a document release.

Interviewer Steve Kroft asked Assange whether he had acquired a five-gigabyte hard drive belonging to one of the bank's executives, as Assange had previously asserted.

"I won't make any comment in relation to that upcoming publication," said Assange, who is under a form of modified house arrest in England, awaiting an extradition hearing to Sweden for questioning over alleged sex offences that he denies.



WikiLeaks will not be the last whistleblower web site to air the dirty laundry on what a government agency or public company may or may not be doing in its daily business. The CBS or TMZ media mechanisms remain the outlet for an information economy that fuels the behaviors of modern-day paparazzi and of contributors to WikiLeaks and its future competitors.

What are Operational Risk Managers thinking about when these loss events happen? Another lost or stolen laptop belonging to one of the thousands of corporate executives is now a major incident, not one to be taken lightly as it perhaps was in years past. This is also why these same managers are pursuing a diligent strategy to emphasize products that encrypt the whole hard drive on the mobile systems being toted around in taxi cabs and on airplanes. The loss of one of these devices becomes far less of an issue once these programs are implemented and every bit of data on the mobile device is encrypted.

The External Affairs, Public Relations and Corporate Communications strategy for a Fortune 500 company is extensive. With Social Media becoming a major component of Web 2.0 integration and the booming number of PDAs, iPhones and other mobile devices, "Crisis Management" and "Operational Risk" will continue to be two disciplines that need each other more than ever.

Bank of America will survive, just as others have before it, once the information is released and people have a chance to determine how damaging it really is, or whether it is not worth the hype at all. What will persist beyond the latest PR crisis is the fact that data, videos, Tweets and Blogs continue to pile up at ever greater speed on the hard disks, Jump Drives, IronKeys and servers of "The Enterprise Cloud." How you manage, secure and dispose of that data is an Operational Risk that will not diminish any time soon.

Who has seen the light when it comes to the utilization of Cloud Computing, and effective document encryption in transit with embedded information security compliance standards? Uncle Sam for one.

WASHINGTON – The U.S. General Services Administration announced today that federal, state, local, and tribal governments will soon have access to cloud-based Infrastructure as a Service (IaaS) offerings through the government’s cloud-based services storefront, Apps.gov. GSA’s IaaS contract award allows vendors to provide government entities with cloud storage, virtual machines, and Web hosting services to support a continued expansion of governments’ IT capabilities into cloud computing environments.

“Offering IaaS on Apps.gov makes sense for the federal government and for the American people. Cloud computing services help to deliver on this Administration’s commitment to provide better value for the American taxpayer by making government more efficient,” said federal Chief Information Officer Vivek Kundra. “Cloud solutions not only help to lower the cost of government operations, they also drive innovation across government.”


The use of new technologies or platforms such as these only provides the Operational Risk Professional with newfound ways to mitigate risks, not to eliminate them. Therefore, whether you are the CIO at B of A or part of the Federal CIO Council in the United States, the fact remains that people will continue to use lost or leaked information to their advantage. This is a threat to the enterprise no different than the loss of power, a catastrophic fire or a natural disaster. A known threat such as WikiLeaks must therefore be addressed in your vulnerability assessments and your risk management planning.

Google Apps is now FISMA Certified. Whether the number of incidents increases or diminishes will still depend on the behavior of people and on the ability of OPS Risk management to remain part of the executive conversation on the risks of data getting into the wrong hands. Since this situation is inevitable, the convergence of crisis management, PR and media communications will increasingly become part of the Enterprise Risk Management team. Let's just hope they keep a seat for the 28-year-old IT staffer who supports the implementation of their enterprise apps and the exponential growth of their information cloud.

22 January 2011

Digital Paradox: Privacy v. Security...

The media communications and advertising industries are buzzing over the new U.S. Federal Trade Commission report and framework entitled: Protecting Consumer Privacy in an Era of Rapid Change. The Operational Risk Management implications for your enterprise could be significant if you do not currently understand how your marketing department provides disclosures or manages the consumer data it collects. If you think that you are protected because you outsource to a third party, then think again. Consumer power is increasing and the data privacy laws are playing a quick game of catch-up on regulation:

Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

With 500 million-plus people self-profiling on Facebook these days, you might wonder if they ever truly think about their privacy. See Controlling How You Share, Facebook.

A variety of business models involve practices that fall outside the proposed “commonly accepted practices” category. These include, for example, a retailer collecting purchase information directly from a consumer and then selling it to a data broker or other third party that may be unknown to the consumer. Other examples include online behavioral advertising, in which an online publisher allows third parties to collect data about consumers’ use of the website, as well as social media services, where the service or platform provider allows third party applications to collect data about a consumer’s use of the service. In addition, as noted above, using deep packet inspection to create marketing profiles of consumers would not be a commonly accepted practice.

The new framework and the panel discussions around it have focused on the Operational Risks associated with collecting, storing and sharing data on consumers. The regulations that change going forward to assist in consumer protections and disclosures may have little impact on whether consumers' "Personally Identifiable Information" (PII) is disclosed to nefarious transnational criminal syndicates without their permission.

If you are a U.S. government military employee you may have received notice lately from your PenFed Credit Union that you too may have your PII in the hands of people who will use it for monetary gain. The continuous loss of data by institutions has now been verified as just another criminal business enterprise run by organized crime and in many cases sanctioned by nation states. The data protection and data theft game is the modern equivalent of bank robbery, yet it moves at the speed of electrons across fiber optic networks worldwide.

And now that this accelerating consumer issue of cybersecurity has made its way to The White House, one can only wonder what may change. The cost to business is now $204.00 per record according to well-respected research by the Ponemon Institute. The MOU between DHS, the Department of Commerce and the Financial Services Sector Coordinating Council (FSSCC) remains the window dressing on another unfunded effort to deter the cyber plague before us.

There is no shortage of people reporting on the breaches (this blog included), the hacks and the data leakage via employees using peer-to-peer file sharing software within the walls of their Fortune 500 company or government agency. Some of the people disclosing the information are doing it with ulterior motives and rarely try to offer a potential solution to the problem.

So what can a PenFed or a major U.S. Government agency do to stem the tide of the growing digital tsunami of data thefts, transnational economic crime and acts of espionage? There is no single solution, nor is there ever going to be a day when it all comes to an end. Which brings us to the mindset shift that is necessary to make a difference.

The Security vs. Privacy legal topic is somewhere in the mix of the solution. The education of our digital natives at a young age is another. Many kids can type with their thumbs better than they can write a legible letter to their grandmother. And finally, there is the implementation of new technologies that will enable law enforcement to do their jobs more effectively.

Now back to the mindset shift. Cecilia Kang of the Washington Post reports:

As the United States looks at ways to better protect Internet users’ privacy, Europe is going through its own update of online privacy rules. The 27-nation European Union is taking a more aggressive approach to privacy by setting higher bars for how data can be collected on Web users.

European laws prohibit Web sites from tracking users without their permission. The E.U. is also weighing legislation that would let users delete all their information from a Web site, such as Facebook, and transfer data from one wireless provider to another without leaving profiles behind.

Viviane Reding, the vice president of the E.U. Justice Commission and head of privacy regulation, visited The Post on Wednesday to talk about her approach to protecting users in the age of Internet over-sharing. On Thursday, she is scheduled to meet with U.S. Attorney General Eric Holder to discuss ways the E.U. and U.S. can cooperate on safeguarding consumers' personal information, including data on travel and finances. The talks may also touch on the recent disclosure of classified documents by Wikileaks.


09 January 2011

Cyber Theft Rings: A Nexus with Terrorism...

BSA/AML compliance is an Operational Risk that continues to plague even the largest institutions. The ability to effectively program information systems to address "Politically-Exposed Persons" (PEP) and the associated risk to the bank's reputation are still a challenge for some executives.

Why is this still an OPS Risk issue? In many cases it comes down to procedures not being followed by adequate staff in the alert investigations unit, where backlogs are prevalent. This becomes a business risk because there continues to be a lack of closure on these alerts. Simple monitoring of funds transfers to ensure timely reporting of suspicious activity associated with PEPs should be AML 101.

Retaining and deploying an independent consultant to review compliance and systems controls is the primary responsibility of the Audit Committee chair of the Board of Directors. Many of the institutions that have found themselves under the recent oversight of the OCC in the United States realize they have underfunded this obligation and the staffing required to keep pace with the expanding volume of electronic transactions.

Monitoring the accounts of current or former senior political figures is well within the PEP definition, which also includes their families and any close associates. Therefore, the BSA officer will require even more robust budgets, staff and systems programming to remain effective in regulatory compliance with the Bank Secrecy Act and Anti-Money Laundering statutes. And this covers only the risks associated with the bank's regulatory obligations in the United States and many other countries of the world.
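The two points above, screening funds transfers against a PEP list that extends to families and close associates, and tracking alert backlogs against a reporting window, can be illustrated together. This is an added example, not code from the original post or from any bank's monitoring system; the watchlist, the transfers and the 30-day deadline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed PEP watchlist (assumption: names are already screened/normalized
# upstream). Each family member or associate links back to the primary PEP.
PEP_LIST = {
    "ALICE EXAMPLE-MINISTER": {"role": "primary",   "linked_to": "ALICE EXAMPLE-MINISTER"},
    "BOB EXAMPLE-MINISTER":   {"role": "family",    "linked_to": "ALICE EXAMPLE-MINISTER"},
    "CARL ASSOCIATE":         {"role": "associate", "linked_to": "ALICE EXAMPLE-MINISTER"},
}

# Constructed wire transfers: (id, originator, beneficiary, amount, booking date).
TRANSFERS = [
    ("W1", "DAN CUSTOMER",   "Bob Example-Minister", 250000.0, date(2011, 1, 3)),
    ("W2", "DAN CUSTOMER",   "EVE VENDOR",             1200.0, date(2011, 1, 4)),
    ("W3", "Carl Associate", "FRANK SHELL CO",         9900.0, date(2010, 11, 20)),
]

SAR_DEADLINE_DAYS = 30  # assumed reporting window used to measure "timely reporting"


@dataclass
class Alert:
    transfer_id: str
    party: str
    role: str
    linked_pep: str
    amount: float
    opened: date


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive key so 'Bob Example-Minister' matches the list."""
    return " ".join(name.upper().split())


def screen_transfers(transfers, pep_list) -> list[Alert]:
    """Raise one alert for every originator or beneficiary that is on the PEP list."""
    alerts = []
    for tid, originator, beneficiary, amount, booked in transfers:
        for party in (originator, beneficiary):
            hit = pep_list.get(normalize(party))
            if hit:
                alerts.append(Alert(tid, normalize(party), hit["role"], hit["linked_to"], amount, booked))
    return alerts


def overdue_alerts(alerts, today: date, deadline_days: int = SAR_DEADLINE_DAYS) -> list[Alert]:
    """Backlog check: alerts still open longer than the reporting window."""
    return [a for a in alerts if (today - a.opened).days > deadline_days]
```

Running `overdue_alerts(screen_transfers(TRANSFERS, PEP_LIST), date(2011, 1, 9))` surfaces the associate-linked transfer that has sat unreviewed since November, which is exactly the backlog condition the post describes.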

Yet this is the area that has traditionally been the foundation for 20th-century criminals and other entities who need to move large sums of money or to perpetuate fraudulent activities. Now what about the 21st-century asymmetric threat, "Cyber Theft Rings"?

Malware exploiters purchase malware on the Internet black market and use it to steal victims' banking credentials. They launch attacks from already compromised systems across the globe, in small businesses and other commercial or government organizations. This allows the transnational cyber criminal to transfer stolen funds and frustrate the tracking of their activities. Money Mule networks then move the funds to other accounts or withdraw cash from ATMs, buy stored value cards and ship them back overseas to the crime syndicates.

The victims remain the financial institutions and the owners of the infected systems. So how large is this method of cyber theft? In 2010 the FBI reported close to 400 cases that had attempted loss of $220M and actual losses of $70M.

"Today's (October 1, 2010) coordinated operation demonstrates that these 21st-century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat and bring cyber criminals to justice."

Most of the accused hailed from Eastern Europe; many were based in Ukraine, where several worked as Web developers. Ten suspects were arrested in New York on Thursday, with another 10 having been arrested previously. The FBI is still seeking 17 others.


Where is the money going and what is it being used for? In a recent study by officials at the New York State Intelligence Center titled "The Vigilance Project: An Analysis of 32 Terrorism Cases Against the Homeland", the statistics put a face on the U.S. challenges with money laundering and terrorism:

  • 82% were between the ages of 18 and 33.
  • 61% attended some college, and of these 64% of the educated terrorists were engineering majors.
  • 50 of the 80 suspects in the study whose citizenship could be identified were born in the U.S.
  • 11 of the 32 cases studied happened in the past two years. In these cases, 17 of the 19 defendants were in the United States legally.

The banking community understands that it has to remain vigilant when it comes to BSA/AML regulations, not only to avoid the millions of dollars in potential fines, but also because of the potential nexus with counterterrorism.