16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," among the reasons given for not referring incidents for legal action, the one that stands out in our mind is this:
40% could not identify the individual(s) responsible for committing the eCrime.  And maybe even more astonishing is that 39% did not have enough information or evidence to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify the parties responsible for the incident. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, but what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders." In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company who may already be down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity, and each year the CEO kicks off the first session with their own attendance and that of their direct reports, including the Board of Directors. Next, all senior staff attend the program, and webcasts with several 5-minute clips from the one-day session are posted on the corporate Intranet. Finally, the rollout to the remainder of the employees is tied to the annual 360-degree review that each manager does with their subordinates in the company. This top-down process for injecting situational awareness of Operational Risks, Insider e-crimes and Corporate Integrity is sure to flush out those who are the current suspects and others who will flee the company.

No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity.
So what?  What does this have to do with Operational Risk and those who are experts at deception?  Believe us when we say, they may be standing right in front of you.  Anton R. Valukas has also provided more context on the mindset of insider(s), and what may be the most relevant lesson for early detection of "Insider Threat."  "Information in plain sight.  Information in plain sight for what reason?"  What is missing?  Anton Valukas and his team uncovered the context on why and how Lehman brought the United States to its breaking point:

On January 29, 2008, Lehman Brothers Holdings Inc. (“LBHI”) reported record revenues of nearly $60 billion and record earnings in excess of $4 billion for its fiscal year ending November 30, 2007. During January 2008, Lehman’s stock traded as high as $65.73 per share and averaged in the high to mid‐fifties, implying a market capitalization of over $30 billion. Less than eight months later, on September 12, 2008, Lehman’s stock closed under $4, a decline of nearly 95% from its January 2008 value. On September 15, 2008, LBHI sought Chapter 11 protection, in the largest bankruptcy proceeding ever filed.
There are many reasons Lehman failed, and the responsibility is shared. Lehman was more the consequence than the cause of a deteriorating economic climate. Lehman’s financial plight, and the consequences to Lehman’s creditors and shareholders, was exacerbated by Lehman executives, whose conduct ranged from serious but non‐culpable errors of business judgment to actionable balance sheet manipulation; by the investment bank business model, which rewarded excessive risk taking and leverage; and by Government agencies, who by their own admission might better have anticipated or mitigated the outcome.
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

10 November 2013

Veterans Day: Operation Stigma Continues...

One year ago on the Marine Corps Birthday, 10 November 2012, we raised our glasses to celebrate.  It had been a long day, and here is that post from this Operational Risk Management (ORM) blog, from the front lines of Hurricane Sandy:
On Sunday morning, observing Veterans Day in the United States began with a few words from a leader from the American Red Cross at a local shelter near North Brunswick, NJ  USA.  We heard his words of recognition and what it felt like for him to return to our country after serving in Vietnam and being ridiculed and spit upon.  The veterans in the room were all gearing up for another day on the front lines of a new domestic battle with the aftermath of Hurricane Sandy.  Team Rubicon and its growing presence of agile, selfless and highly skilled professionals have been working alongside other national and international NGOs.  They are projecting a rapid and significant force on the ground, from New York to previously unrecognized communities such as Union Beach and Mantoloking, NJ.
Serving alongside veterans with Team Rubicon (TR) in the face of a major disaster zone is one honor.  The journey this past year has been a rewarding one, working with and to support veterans.  Five months after this firsthand experience, one of our TR colleagues in NJ committed suicide.  Neil was not alone.  The numbers are staggering at this point.  Here is the post soon after, on May 11, 2013:
There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in the veterans hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk? 

Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs.  By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
Melanie Haiken, Contributor - Forbes
Since then, this blogger has been serving in another veteran-focused non-profit.  One that fills the gaps between natural disasters.  And for good reason.  The wounded, injured and ill can't wait for the next tornado, hurricane, earthquake or tsunami to get out of the basement of their house.  The thousands with Traumatic Brain Injury (TBI) or Post Traumatic Stress Disorder (PTSD) are living their lives each day, until they end up like our colleague Neil.  There is not a cure.  Only treatment.  Only living with an outcome from serving your nation.  This is a global epidemic for all those who have served in and around the conflicts across the globe.

In order to really understand this, you have to get close to it.  For the past six months, serving those wounded, injured and ill has assisted in the education of what is missing and how to fill the gaps.  The biggest gap we face is the one that took Neil from us.  The Stigma.
stig·ma
noun, plural stig·ma·ta [stig-muh-tuh, stig-mah-tuh, -mat-uh], stig·mas.
1. a mark of disgrace or infamy; a stain or reproach, as on one's reputation.
2. Medicine/Medical. a. a mental or physical mark that is characteristic of a defect or disease: the stigmata of leprosy. b. a place or point on the skin that bleeds during certain mental states, as in hysteria.
3. Zoology. a. a small mark, spot, or pore on an animal or organ. b. the eyespot of a protozoan. c. an entrance into the respiratory system of insects.
4. Botany. the part of a pistil that receives the pollen.
5. stigmata, marks resembling the wounds of the crucified body of Christ, said to be supernaturally impressed on the bodies of certain persons, especially nuns, tertiaries, and monastics.
Yes, the stigma surrounding PTSD and TBI is now our Operation.  Our target.  Ending it is our mission. You see, this blogger has identified "Stigma" as a likely adversary.  How can we say this? One only has to read the heartfelt prose of Sgt. Jeremy Conway from his blog, started a few months ago:

Who Dwells Within
November 8, 2013
Day to day
I wait to see
What awaits and what I’ll be
Who dwells within
To all who care
For those I love
No answers come from Heaven above
Who dwells within
Never understood
Read every book
About what overpressure and shockwaves took
Who dwells within
Each day I wake
Where darkness resides
I become whatever my mind decides
Who dwells within
Day to day
To all who care
Never understood
Each day I wake
Who dwells within 
--Jeremy Conway
We know people like Jeremy Conway are out there and may also want to raise the awareness of "Operation Stigma".  Sgt. Conway has the continued courage to face this vital mission and we look forward to reading his blog for years to come.  He is a true "Quiet Professional"....

This Veterans Day 2013, as we lay a wreath at the Tomb of the Unknowns in Arlington Cemetery, we will be remembering Neil and praying that we all continue to "Bridge the Gap."