Showing posts with label fraud. Show all posts
Showing posts with label fraud. Show all posts

15 February 2025

Infinistructure: Who Knew What When...

Who knew what when? This is the question of the last few months as we now embark on the path towards recovery.

The Operational Risks that have plagued our aging county, state and federal institutions are growing and the convergence factor has brought us even bigger systemic organizations "Too Big To Fail."

While many will be side tracked by the need to deal with the toxic assets still on the books or in sinking agencies the "Zero's and One's" don't lie.

The information, digital evidence and just pure data audit trails will remain for many to be caught, charged, indicted and then sent before a jury to decide their fate.

Managing risks in the enterprise today takes on many flavors and within several departmental or enterprise domains of expertise.

Whether it be the C-Suite, legal department, the IT department, Internal Audit, Security department or even the Operational Risk Management Committee the "Zero's and One's" don't lie.

Think about how much time the people behind organizational malfeasance spend on trying to cover their tracks, clean up the digital "Blood Trail" of their crimes and wrong doing all the while knowing that someday, a smart investigator or forensic examiner will connect the dots. Game over.

Regardless if you are two paid-off programmers who have been enforcing the "Business Rules" in their software by the boss or an internal threat actor does not matter.

Whether they are copying, stealing, altering or damaging the digital information within the organization does not matter; these Operational Risks still remain constant.

The resources and the money devoted to continuous due diligence, monitoring and preemptive strategy to Deter, Detect and Defend the digital assets of the enterprise need to grow dramatically to stay ahead of the curve.

The best way to figure out “What to do” and “How to do it” will require outside assistance. Moving your digital assets to be professionally managed makes sense for economic and other financially prudent reasons.

Yet this migration away from large numbers of people managing and maintaining your information technology infrastructure internally and on your payroll is just the standard "outsourcing" strategy right?

It has it's own set of 3rd party supply chain set of risks. After your next incident who will be asking: Who knew what when?

Many private sector and government enterprises who are augmenting their COOP and the economic strategy of "Cloud Computing" have realized the smart course of implementing and migrating to managed services and infrastructure suppliers.

"How can the utilization of an "Infinistructure" with the knowledge and application of a legal compliance ecosystem in your enterprise mitigate the risks associated with bad actors, unprepared personnel and the digital loss of key evidence?"

Stay tuned for more on this later. In the mean time remember this.

All of the newest technology, fastest AI computers and neural networks enabled with encryption and secured physical locations will not be enough to save your institution from Operational Risks.

It is just one more piece of the total risk management mosaic, that will still require the smartest people and the most robust policy and processes imaginable.

Who knew what when? This will continue to be the biggest question of the next decade.

Posted by at No comments:
Labels: , , , , , , , , , ,

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity?" One can only wonder how these findings have changed since these results.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders" reasons were given for not referring for legal action, the one that stands out in our mind is this one. 40% could not identify the individual(s) responsible for committing the eCrime. And maybe even more astonishing is that 39% did not have enough information or a lack of evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results presented so far? Even though the respondents say that 33% "Insiders", they have done little to collect enough evidence to identify who the responsible parties are to the incident. This may be for several reasons including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns" who add an additional 29%. The combination of the two make up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. When an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret.

Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that if properly implemented, will reduce the number of "Unknowns" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program and posted on the corporate Intranet are webcast shows with several 5 minute clips of parts of the one day session.

Finally, the roll out for the remainder of the employees is tied to the annual 360 degree review, that each manager does with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness and the cost of internal incidents.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...
Posted by at No comments:
Labels: , , , , , , , , , ,

19 August 2018

Information Threat: Battle for Superiority...

What continues to be the greatest economic threat to your organization? Is it "Internal" or "External" to your institution? Could it be both?

Insiders rarely work alone and therefore the nexus with some outside influence, whether it be a person, life factors or some other entity are typically in play.

Is an engineer in R&D copying precious intellectual property information from within the enterprise company, that could be worth hundreds of thousands or even millions to the highest competitive global bidder? Could your small business have an accounting supervisor that has been diverting funds to a private bank account for the past two years?

Would it be possible that a supplier or 3rd party partner is capable of inflating the number of billable hours on a project?

Whether it's IP Theft, Fraud or other white collar corporate malfeasance, these Operational Risks are real and growing at a double-digit percentage rate annually. The greatest economic threat to your organization could be complacency or an apathetic staff, who works without adequate resources and little communication with the Executive "Powerbase".

The compliance and oversight mechanism's are in full swing from the federal governments around the world as highly regulated critical infrastructure organizations are implicated in a myriad of corruption, scandal, ethics and criminal matters.

Litigation is an Operational Risk that many organizations have realized the necessity for more robust internal teams to address the continuous requests for information from the government.

There is one common denominator across all of the insider threats, external forces and other vectors that seem to be attacking our institutions night and day. That common denominator is "Information".

And underlying this is the data and meta data that all to often ends up being the key or clue to finding the "Smoking Gun" and the source or person(s) associated with the scheme or attack on the organization.

Managing information in a mobile and interconnected planet is a major issue in any global company. Providing the tools and the right information faster and more accurately than the competition can be the difference in your own survival on the corporate battlefield.

So how does the CxO suite even begin to address the risks, opportunities and resilience in our demanding "Information-centric" environment?

They believe in having a strong culture of ethics, training and continuous monitoring of employees, systems and their supply chain. They understand the importance of providing the vital resources to the people on the front line of risk management and to make sure that their early warning systems and methods are not compromised.

This breed of CxO's are the new breed of organizational management, that are leveraging information to their most significant advantage:
Whether you are trading in a marketplace, analyzing assets on a map or manufacturing widgets and selling them to qualified buyers, operational risk management begins and ends with information. Managing that information effectively and more accurately than your competition is the name of the game. What have you done today to insure your survivability in the face of the next crisis?
Posted by at No comments:
Labels: , , , , , , , , ,

22 April 2018

Unthinkable: Adapting in New World Disorder...

Will 2018 bring more data breaches, lost laptops and insider threats than 2017?  This is why CSO's, CPO's and corporate General Counsels have their teams working overtime.

When the enemy is increasing their attacks, utilizing new strategies and leveraging the existing base of compromised organizational intellectual and data assets, the future horizon becomes ever more clear. 

The statistics don't lie.  1579 documented Data Breaches occurred in 2017. Up 44.7% according to reports by the Identity Theft Resource Center (ITRC) compared to the previous year.  It is the new normal.

The Insider Threat Program (InTP) however, remains a key focus for Operational Risk Management (ORM) professionals because human behaviors are exaggerated during periods of stress, fear and uncertainty. This means that people who may have never considered doing something to jeopardize their reputations, may now be up against a wall.

When there is no obvious exit and no way out, people will do extraordinary things to get ahead, beat the odds and hedge their own risk portfolio of life.

In Joshua Cooper Ramo's book "The Age of the Unthinkable", "Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system:
"A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."
The key word in Ramo's writing is "Adapt".  Being Adaptive.  However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy investigator on how she solved the case and you may hear just that, "I had a hunch."

Talk with a Chief Privacy Officer in any Global 500 company.  You might get them to admit they have a sense that their organization will be the target of an "Insider data breach" incident in the coming year or two.

Do you remember signing off on reading and your acceptance of the employee handbook?  When did your organization last make changes to the Corporate Employee policies?  We would start with the updates to the following sections:
  • MEDIA CONTACT
  • SOCIAL MEDIA POLICY
  • REMOTE ACCESS POLICY
  • E-MAIL, VOICE MAIL AND COMPUTER NETWORK SYSTEM PRIVACY
  • (YOUR ORGANIZATION) RIGHT TO ACCESS INFORMATION
  • SYSTEMS USE RESTRICTED TO COMPANY BUSINESS
  • FORBIDDEN CONTENT
  • PASSWORD SECURITY AND INTEGRITY
  • INTERNET ACCEPTABLE USE POLICY
  • POLICY ON USE OF SOFTWARE
  • COMPANY PROPERTY
  • PROTECTION OF TRADE SECRETS/NON-DISCLOSURE OF COMPANY INFORMATION 
Due to the increasing complexity of IT systems, cloud computing, data networks and the hundreds or thousands of laptops and mobile devices circling the globe with company executives and employees is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern enterprise does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively.  Proactive Intuition.

Once you realize that all of the controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."
Posted by at No comments:
Labels: , , , , , , , , , , , ,

04 February 2017

Higher Purpose: A Mission of Trust...

As you walk into that next meeting with another co-worker or even a colleague for a coffee catch-up, pause and reflect.  Think about how you could (1) make this encounter not only productive and (2) simultaneously enhance the relationship of trust.

All too often we are focused on getting something of value from the meeting.  We are blinded by the purpose of the meeting or have preconceived ideas on how the time together will be of value, or a waste of time.  Now think differently.

A true professional in any business, unit, agency or organization is there to "Build Trust".  The day-to-day or hour-to-hour interactions you have with others is vital.  A true professional in any domain, industry or vocation, can aspire to a higher purpose than the normal roles of a stated job description.

One thing is certain when it comes to meeting with other people and the value or outcomes obtained, trust is a major factor in the future outcomes of the relationship.  Have you ever wondered why certain people you meet, take so long to trust you?  How are you going to accomplish your intended purpose working with this superior or subordinate if they don't trust you?  What about that new client or business partner?

At the most fundamental level, the trust gurus and authors have been writing about a spectrum of trust for eons:
Zero Trust >>>>>Trust Exists >>>>>Implicit Trust

From ground zero of your first encounters with another person, your goal is to move towards a point on the spectrum where "Trust Exists".  Then your goal is to keep moving to the right and towards a place of "Implicit Trust".  This is when you don't even think about it anymore.  How many people do you know where this is the case, even within your own family?

So what?

As an Operational Risk professional, velocity is everything.  Yet you already know that uncontrolled velocity alone can be fatal.  The risk factors associated with business, government or the manufacturing process of a highly engineered electronic component are always present.  Always changing.  Creating new obstacles or new harm.  In our current state, 24x7x365 pervasively connected society, the trust factors are even more important and vital to moving towards "Implicit Trust".

Here are a few examples in the news this past year, where Operational Risk Management (ORM) was a factor:
Samsung Galaxy Note 7

On 2 September 2016, Samsung suspended sales of the Galaxy Note 7 and announced an informal recall, after it was found that a manufacturing defect in the phones' batteries had caused some of them to generate excessive heat, resulting in fires and explosions. A formal U.S. recall was announced on 15 September 2016.
Yahoo

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen.

Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
National Healthcare Fraud

Attorney General Loretta E. Lynch and Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell announced today an unprecedented nationwide sweep led by the Medicare Fraud Strike Force in 36 federal districts, resulting in criminal and civil charges against 301 individuals, including 61 doctors, nurses and other licensed medical professionals, for their alleged participation in health care fraud schemes involving approximately $900 million in false billings.
National Security Agency

A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government, according to court records and U.S. officials familiar with the case.

In each one of these few example cases, relationships between people started with a meeting encounter.  Over time, the product, service or personal relationship outcomes involved a failure of people, processes, systems or external events.  The core components of Operational Risk Management (ORM).

Raising the level of trust across personal, business or government encounters is only possible, with effective "TrustDecisions".  The Decisions to Trust another person, product or service have several elements.  These are vital for the mission to grow towards "Implicit Trust" and simultaneously with the safety and security necessary to reduce the risk of failure.

The Mission

The mission as a co-founder of a new startup or the CEO of a Global 500 is to ensure the survival of the organization. We all know the failure rate for new companies. Just ask Dun & Bradstreet for the statistics or even your local Venture Capitalist who is celebrating failures these days. So beyond just the survival of the organization, is the imperative to establish a cultural and operating environment where people feel encouraged, creative and unencumbered to fulfill their job requirements and goals.

The Take Away

Operational Risks are inherent in any new or established business endeavor. The earlier the Operational Risk Management (ORM) design begins in the trusted relationship evolution, the more resilient you will ultimately become. The framework of the system-of-systems, the look and feel of the cultural environment and the end state visions are all at stake. Take the time and include the expertise to work on the "TrustDecisions" foundation of your enterprise.

Ensure the survivability of the new products or service solutions, that are so valuable to our economy and our nation.  Embrace Operational Risk Management early in your relationships and allow it's presence while it preserves all that you have worked for and dreamed of...
Posted by at No comments:
Labels: , , , , , , , , , , ,

09 October 2016

Forest for the Trees: Inside the True Threat...

After we checked in,  our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center."  The 6th Annual Cybersecurity Summit was at 9:00AM just on the tails of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage, for 30 minute talks with key thought leaders across the United States.  One could not miss the ceiling-based sensors capturing the faces of each person attending.  The moderators from the Washington Post, were all prepared with their specific area of questions to address such topics as:
  • Protecting Personal Data
  • Political Hacks and Leaks
  • Cyberspace:  A 21st Century Warzone
  • A Focus on Critical Infrastructure
  • The White House and Cybersecurity
Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old fashioned Hollywood chase and fight scenes.  There is even a degree of deception and conspiracy mixed in to spice up the story line.  The plot is full of social engineering lessons, that even those with little knowledge of high technology can learn a thing or two.

While the actual high technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from 10,000 high net worth customers, the movie title is a ploy.  In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from other locations on the other side of the globe.  Those attackers using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets, binary code.
In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on banks' computers had been circulating in security circles at that point in time.  Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.
In this decade old case and even in the movie, the "insider" is a 99.9% chance.  A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur.  The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident, rather than the skilled hacker using key logging software.  More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer.  And this can only be changed through more effective education, training, and testing of employees.  An organization that procures technology worth millions of dollars is naive, if you don't invest in educating your employees to make the investment worthwhile.  Sometimes the human element stands alone.  Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.
"Predictive Intelligence comes into play as organizations recognize that detecting threats, starts long before the firewall is compromised, falsified accounts established and bribes taken."
The Israeli Airline El Al has known for a long time, the power of humans as a force in security.  An empowered, trained and aware group of people will contribute to the layered framework, as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions who still have not given their employees more of the skills and their Operational Risk Management (ORM) professionals the predictive tools for detecting human threats, long before any real losses occur.

The truth is, that "Insider Threat" data is being collected by the minute and the hour.  The public and private sectors have the highest concern about malicious insider activities to this day.  What are some examples of the behavior?  Some of these are observable by other humans and others only by machines and software.  Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?

Executive Order 13587 was just the beginning to address the single point failures in the Defense Industrial Base supply chains.

Think inside the true threat.  Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization.  Who has just joined the company?  The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAM) and the research on better understanding the "Forest for the Trees" scenarios is our destiny for the true threat.  We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as Rubik's Cube.
If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one. Marv Levy
Read more at: https://www.brainyquote.com/search_results.html?q=forest+for+the+trees
Posted by at No comments:
Labels: , , , , , , , , , ,

24 January 2016

Adverse Consequences: Enabling Digital Trust of Global Enterprises...

In the World Economic Forum 2016 - Global Risks Report, there are several insights and alarms that Operational Risk Management (ORM) professionals and the Board of Directors are quickly analyzing.  This years Davos, Switzerland Annual Meeting and report has the underlying theme of the "Fourth Industrial Revolution".

Our first insight, is the rise in "Cyber Dependency" that is called out in the "Risk-Trends" Interconnections Map.  It is tied directly to the following technological "Global Risks" ranked by highest impact:
  1. Cyberattacks
  2. Critical Information Infrastructure Breakdown
  3. Adverse Consequences of Technological Advances
  4. Data Fraud or Theft
#1 makes sense in the Upper Right Quadrant of High Impact and High Likelihood.  The alarms however are going off, with #2 and #3 for several reasons.  First, they are in the Upper Left Quadrant of "High Impact" and "Low Likelihood".  Why does this create concern?

The Upper Left Quadrant has risks that some of the most experienced OPS Risk professionals will pay attention to the most.  This is the place that organizations usually ignore with people and resources and where enterprises are caught off guard or blindsided by asymmetric threats.  These are the risks that no one has really exercised for and is not actively developing proactive hypotheses, to address in a real-time crisis.

There are two other risks shared in this same Upper Left Quadrant in 2016:
  • Weapons of Mass Destruction
  • Spread of Infectious Diseases
These are risks that nation states spend hundreds of millions of dollars each year collecting intelligence on and devoting substantial resources to try and keep the likelihood of these occurring, as low as humanly possible.  The impact on humanity is far to great not to devote attention to these, yet the private sector is rarely involved.

Now, let's consider the other two in the same quadrant, slightly less in impact and just a little higher in likelihood.  What does each really mean as a global risk?
"Critical Information Infrastructure Breakdown": "Cyber dependency increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks causing widespread disruption.

"Adverse Consequences of Technological Advances":   Intended or unintended adverse consequences of technological advances such as artificial intelligence, geo-engineering and synthetic biology causing human, environmental and economic damage. 
  • global risk is an uncertain event or condition that, if it occurs, can cause significant negative impact for several countries or industries within the next 10 years.
  • global trend is a long-term pattern that is currently taking place and that could contribute to amplifying global risks and/or altering the relationship between them.
Although organizations may recognize the benefit of cyber technologies for their bottom lines, they may not be fully internalizing cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience. Particular attention is needed in two areas that are so far under-protected: mobile internet and machine-to-machine connections. It is vital to integrate physical and cyber management, strengthen resilience leadership and organizational and business processes, and leverage supporting technologies. (Page 23 of WEF_GRR16)
The combination of the two aforementioned technological global risks, are almost invisible to the major stakeholders of our vital organizations and governments.  This is because the focus on "Cyberattacks" and "Data Fraud or Theft" has dominated the news cycles.  It makes sense.  However, we must consider this:
As is often the case, however, public-private partnership can be held back by lack of trust and misaligned incentives. Businesses may fear exposing their data and practices to competitors or to law enforcement agencies. And the private sector’s primary interest in rapid recovery and continuity of business operations may not align with the public sector’s primary interest in apprehending and prosecuting perpetrators. In addition, governments need to balance their investments in cyber offensive weapons and efforts to enhance capabilities for cybersecurity and defence. (Page 83 of WEF GRR16)
 Cyber Dependency.  A long-term pattern that is currently taking place that could contribute to amplifying global risks and/or altering the relationship between them.  The underlying root cause of the disruption and the perceived risks are focused on the integrity of "Digital Trust"and the continuity of "Trust Decisions":

  • Machine-to-Machine
  • Person-to-Person
  • Business-to-Business
  • Government-to-Government
  • Country-to-Country

Business Executives and Leaders of Nation States, have one thing in common.  Their employees and their citizens are evermore connected by mobile digital devices.  Their economic engines of banking, finance and trading are dependent upon the confidentiality, integrity and assurance of data.  The abilities and the opportunities by the mass of humanity to continuously leverage their personal digital devices, is simultaneously a global risk.  So what?

You see, the 2016 Global Risks Report is flawed.  It relies on an outdated and soon to be irrelevant set of four Quadrants.  The axis of Impact and Likelihood, are no longer capable of addressing risk management and the human perceptions of both.  On the planet Earth, in the Internet ecosystem of 500 Billion computing machines, lies the answer to our future quest:

Enabling Digital Trust of Global Enterprises...
Posted by at No comments:
Labels: , , , , , , , , , , ,

03 January 2016

2016: A New Era of Operational Risk...

As we launch into 2016, Operational Risk Management (ORM) professionals are ready for another challenging year.  The current state of global events that includes uncertain political or economic behavior by nation states and the continuous barrage of certainty with "Internet Asymmetric Warfare," is the new normal.

Reflecting back on 2015, here are the top 5 blog posts by number of page views:

Insider Threat: Trusted Systems of the Future...

Trust Decisions: Beyond RSA and Our Digital Future...

Data Rupture: The Risk of Over-Classification...

Trust Decisions: The Extinction of Risk Management...

InTP: Quality of Design in a New Age of Terror...

There is now anticipation that the world economies are going to continue a meager growth rate, as we enter our 8th year since "The Big Short" in 2008:
When the crash of the U. S. stock market became public knowledge in the fall of 2008, it was already old news. The real crash, the silent crash, had taken place over the previous year, in bizarre feeder markets where the sun doesn’t shine, and the SEC doesn’t dare, or bother, to tread: the bond and real estate derivative markets where geeks invent impenetrable securities to profit from the misery of lower- and middle-class Americans who can’t pay their debts. The smart people who understood what was or might be happening were paralyzed by hope and fear; in any case, they weren’t talking.
From the analysts desktops at "Liberty Crossing" to the Cyber Security Operations Centers (SOC) of dozens of Global 500 private sectors companies, one thing remains certain.  The adversaries are too nimble, unpredictable and ever more so capable of operating on the front lines for months and years in plain sight or even for weeks and months totally undetected.

However, relying on certainty alone and not being simultaneously adaptive or innovative in an accelerating pace of business or Decision Advantage, can get your Board of Directors in real trouble.

In 2016, the dawn of a new Operational Risk Management era shall begin.  In a future state, where people and machines will operate making "Trust Decisions" with greater ease and increasing velocity.  Stay tuned...
Posted by at No comments:
Labels: , , , , , , , , ,

13 December 2015

Beware of the Cowboy: Risk Driven by Fear...

Beware of the cowboy.  Operational Risk Management (ORM) spans the hazards on the flight deck on the USS Ronald Reagan (CVN 76) or behind enemy lines or even to employee behavior on the front lines of the private sector on Wall Street:
"The recent conviction of Michael Coscia in the Federal District Court in Chicago in the first prosecution for “spoofing” provides more clarity to high-frequency trading firms about how they can operate. The message is to tread carefully when a strategy depends on using orders that will be quickly canceled because the government may claim they are an effort to manipulate the market by fooling others into trading.

Spoofing was made illegal in the Dodd-Frank Act, which prohibits “bidding or offering with the intent to cancel the bid or offer before execution.”
Believe it when we say that people who try to be cowboys in your organization are operating without regard to risk. Now multiply the number of cowboys by the number of people that they surround on their team, who think that this is the way to operate. It doesn't take long to find out that these are the root causes of many of the operational risks in your organization. And it starts out with the basics even in the vast private sector beyond Wall Street:
  • Revenue is not booked according to the rules. Products sit in the warehouse yet revenue ends up on the sales reps commission report because (s)he had a signed order.
  • Assets are not valued correctly. Bank accounts are not validated to make sure they actually exist and accounts receivables are inflated.
These are just two of the many facets of occupational fraud that starts with a few cowboys who have little regard for managing risk and all the incentives to line their pockets with new found cash or bonuses.

From Leadership Lessons of the Navy SEALS

The Cowboy
"Neither of us knows if such a thing has ever been tolerated in modern commando teams. Yes, sometimes you need to charge forward. But, there are simply too many potential casualties and too much political currency resting on commando missions to entrust one to a cowboy. Authorization for an operation depends on the accurate calculation of operational risk. This requires an assessment of proven forces ability to perform a task. All this is contrary to the cowboy philosophy of depending on experimentation, pluck, and luck in order to succeed."
"The problem with being a cowboy is that your bosses won't employ you if they can't trust you, and they can't trust you if they don't know what you'll do. And then you're stuck with the reputation."
        --LT. CMDR. Jon Cannon

You might think that the reason is ego or just plain greed. However, the real motive may not be so clear. More than likely, the motive is fear. And that fear is something that grows until it gets to the point of creating harm, loss and destruction. You have to find the cowboys in your organization and you have to follow the mantra of quality gurus from years past, "Drive out Fear".
Posted by at No comments:
Labels: , , , , , , , ,

22 November 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles, are the processing of rapidly changing data on a split second basis.  The sensors or tools we use day-by-day to assist our quest for greater levels of safety and security, are interdependent minute-by-minute, second-by-second, on the trust of data.  It is imperative at the early stages of process and product development, to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process whether in design, assembly, manufacturing or implementation is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an Internetwork, that has layers of business rules and technology rules that are executed according to industry standards.  The process and the rules have been implemented utilizing QFD and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance, that you are working with a trusted system:
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time, in order to build integrity and assure your level of trust.  They must be consistent and persistent from end-to-end.  In essence, we are protecting against our adversaries from listening in, tampering with the data and impersonating the destination.

Are you operating any vital component of your business operation, where any of these three components are absent?  Are any of the three not persistent, 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and the increased likelihood of an adverse event.  With your customers, your reputation and probably both.

So what?  How does this translate to your role and the work that you are in charge of, within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job, is to make sure that you understand, your organizations unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory or defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions, can mean the difference between prosperity or disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company, based upon revenue from advertising?  The trustworthiness of your systems operating with the goal of generating ad revenue, are now at stake.  Informationweek DarkReading explains:
'Xindi' Online Ad Fraud Botnet ExposedBillions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges. 
The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and the digital business models executing the rules for producing revenue, are now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with the widely adopted information governance processes and three factors.  Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state. The opportunity for the future state of "Trust Decisions" is now coming into the light.  In your country, industry, company and DevOps team.
Posted by at No comments:
Labels: , , , , , , , ,

13 July 2014

ID Analytics: Risk of the Unknown...

Operational Risk Management (ORM) has been at the top of the news in the past few weeks.  Digital media and the metadata of "Big Data" is the topic of choice.  It is a revealing look behind the curtain of what is possible these days, with the tools and capabilities that exist for exploitation and analysis.  Is too much privacy an operational risk to your personal and professional well being?  What "Trust Decisions" did you make to arrive on this page in the universe of the Internet?

In the spirit of full disclosure, if you are reading this now, we tracked how you found this blog and perhaps what search terms you used to be referred here.  Some of you, revealed their company identity. So why do we do this?  The main reason is that we want to make sure that we understand what is on your mind these days, when it comes to the global Operational Risk Management (ORM) universe. Here are a few examples in the past day or so that caught our eye:
  • management of operational risk - Latvia
  • operational risk management - Nigeria, Illinois, South Dakota, The Vanguard Group
  • common board of directors mistakes - Turkey
  • lessons learning from fail in operational risk - Malaysia
  • predictive intelligence - North America
  • rogue trader operational risk - United Kingdom
  • fund industry operation management discussion topic - Luxembourg
  • operational risk management game - Unknown
  • reputation risk management process - Unknown
  • operational risks in bank call center - Qatar
  • coso definition of operational risk - Unknown
  • black swan incident that occurs once in a lifetime - Unknown
  • ubs operational risk case analysis - Unknown
  • business resiliency definition - JP Morgan Chase
  • "operational risk" outliers - France
  • a risk effect on a daily operation - DeVry
  • examples of smart objectives risk - United Kingdom
  • black swan incident\ - South Carolina
  • black swan incident - Computer Sciences Corporation
  • what is a black swan incident - South Carolina
  • duty of care board of directors - United Kingdom
Collection of data is one thing.  Relevance and sense-making is another.  Can you imagine some of the search terms that are tracked just by Google or Bing?

What about the companies that know us the best?  Those marketing and personal data sites that keep track of where you live, how much you spend on your credit cards and where, or even the name of your pets.  How often do you give them your phone number or e-mail address at the point-of-sale (POS) to get a discount at the local retailer, gas station or pharmacy?  Believe us when we say that there are hundreds of organizations that know more about you in the private sector than some government across the world.

The trail of "digital finger prints" you leave behind everyday are vast.  A snap shot of your face at the local ATM or a snap shot of your desktop when you login to the online banking web site.  In either case, these examples are just a few of the ways that your habits, locations, preferences and lifestyle are profiled each and every day.  Where did all of this begin?  Fraud Management.  Not Homeland Security.

As a citizen traveling across the country or a consumer, you willingly give up these digital bread crumbs of your journey through life.  Your goal now, is to make sure that you are not mistaken for someone else.  After all, you or your organization have developed a profile and a reputation that is being recorded and therefore, it could be a prudent strategy to make sure that you are not mixed up with another person or organization with the same name or brand identity.

How can you do this?  Operational Risk Management (ORM) is about monitoring yourself and your organization to make sure you understand your competition (good or bad) for the same personal or business identity space.  Do you have Biometric and DNA samples of all of your key executives?  If you don't, then the question is why not?  You may have considered this in light of some of the places that your executives are traveling.  Cities and countries across the globe with the risk of kidnapping, improvised explosive devices (IED) and other risks to their lives.

As we look into the crystal ball of our digital futures, we see the scenes from movies past that have already captured our own human imagination.  A world where everyone is known and you may even choose to "opt-in" to be tracked.  After all, you are unique.  You make your own choices in life.  The risks that you face may very well be greater, for those who choose a life to remain private, anonymous and even unknown.

Posted by at No comments:
Labels: , , , , , , , , , ,

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in most every business both large and small. A small business can learn a tremendous amount from those failures by large corporate enterprises. Privacy laws in the United States are for all business owners whether they be a sole practitioner or a soon to be corporation with a $100 Billion valuation.  Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy and the risks associated with the protection of personal identifiable information of clients, members and customers is at stake. Learning the lessons from the organizations who have made changes and are working on a daily basis to comply with the regulatory frameworks, can be a very beneficial lesson to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders not clandestine hackers or malicious code sent from afar can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance and the steps that are utilized to ingest or acquire and process that information is also paramount.  Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of information of the consumer is at stake. Where that stolen information ends up in many cases, is in the hands of "Transnational Criminal Organizations" where it becomes of the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and is costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:

Action

  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilita- tion of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as ‘‘primary money-laundering concerns,” allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforce- ment and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers information to exploit the financial system. Yet all of this will be for nothing, if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation state industrial intellectual property theft and economic espionage has eroded our global competitive advantage in several industry segments.  Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing peoples behavior inside your own business will require substantial oversight and continuous education. Remain vigilant at the risk of your organizations own peril!

Posted by at No comments:
Labels: , , , , , , , , ,

20 April 2014

The "New Age" of Unreason...

In the new age of unreason, Charles Handy the author of The Age of Unreason would say that discontinuous change is upon us. He would say that we need to outsource everything that is not a core function of the enterprise. And he would say that learning is the same as change from a different worldview.
Heartbleed 
Heartbleed is a catastrophic bug in OpenSSL: 
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users. 
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. 
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Adaptation in order to survive in the corporate world is nothing new. The risks associated with making new decisions depend on how that decision will impact the other persons, processes or systems in the enterprise. As a simple example, adapting a process for entering orders from the field sales force could have a dramatic effect on productivity and at the same time subject an enterprise to new found risks.

How would your risk profile change if the following scenario took place at your business?
Sales reps are entering orders in the field via a web application that is protected by a user name and password. There is no VPN or encrypted connection. The application doesn't even use OpenSSL. The information on new customers includes name, address, phone number, credit card number, expiration date and the three or four digit security code. As the reps are entering their orders, the paper based sales forms are being put into a folder to be sent by Fedex to the home office. Each rep makes a copy for their files, to make sure that they have the right commission check at the end of the month. The VP of sales finds out that many of the orders are lacking the security code or that the consumer is giving them the wrong numbers. He asks for a change in the sales order process with the CFO in order to streamline the flow of orders and diminish the backlog. The CFO instructs the CIO to have her department change the business rules in the order entry system to eliminate the need for the security code in processing orders. Also, the lag time for the company hard copy to reach the accounting department is a problem and he asks for this step to be eliminated. Everything is completed and now the sales reps do not require this piece of information any longer to process an online sales order. Productivity increases and the backlog is eliminated.
What potential operational risks exist today with this particular business process?

1. The privacy of the customers personal identity and credit card information may be at risk if the sales rep is not securing the hard copies of the sales orders at their business office or home office.

2. The lack of the credit card security code could increase the number of fraudulent orders due to the high rate of identity theft with stolen credit card numbers with expiration dates.

3. The personal identifiable information being entered on each new customer could be compromised due the lack of controls on the network connection.

4. The privacy policy may not have been updated and amended to reflect the new business process and to document that a security code is not needed as of (date.)

The new age of unreason is certainly upon us because simple changes like this are taking place by the dozens, hundreds or thousands every day in the largest enterprises. Making changes is also about learning what those changes will mean to everything that interfaces with that change. It means that testing must take place in a lab or compartmentalized area of the business to insure that the change doesn't impact the core operations. It means observing performance and measuring the results to determine if the change is worth the new risks that the organization is about to encounter.

In the words of Charles Handy:
"Learning is not finding out what other people already know, but is solving our own problems for our own purposes, by questioning, thinking and testing until the solution is a new part of our lives."
"If changing is, as I have argued, only another word for learning, then the theories of learning will also be theories of changing. Those who are always learning are those who can ride the waves of change and who see a changing world as full of opportunities rather than damages. They are the ones most likely to be the survivors in a time of discontinuity."
Posted by at No comments:
Labels: , , , , , ,

22 February 2014

Fraud Trends: Hedging Transnational Organized Crime...

The facts and the results of forensic investigations across the cyber domain are telling a significant story.  The question remains, will CxO's take the time to digest and think about what is happening within their Enterprise Risk ecosystem?  Operational Risk Management (ORM) has four key dimensions:

  • People
  • Processes
  • Systems
  • External Events

Each of these dimensions must be looked upon in a holistic and interdependent manner, realizing that they are all indeed interconnected.  One may impact another or managing risk in some but not others could bring the entire enterprise to it's knees.  This is understood.

You are no doubt utilizing a myriad of strategies to deter, detect, defend and document the Operational Risks within your specific industry and associated with the adversaries and regulations pertinent to your business.  So why is this still the state-of-play?
Companies are beginning to change how they think about cybersecurity – viewing it as a business issue, not just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime; and 44 percent of all U.S. respondents indicated they thought it was likely their organization would suffer from cybercrime within the next 24 months. 
Seventy-one percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent from 2011. U.S. respondents' perception of the risks of cybercrime exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime's cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, "U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime."  --Source:  PwC's Global Economic Crime Survey 2014

The reason that the state-of-play remains in turmoil, is the inverse of what the survey is reporting. 29% of U.S. respondents have no perception that the risks of cybercrime has increased over the past 24 months. The 29% who do not perceive this, must be in an industry group that is either not connected to the Internet, does not use mobile devices or are using paper and pencils to run their business.
So for the other 71%, the perception of the risks of cybercrime has increased.  Again, what are the business details of these respondents?  What would be interesting is to ask the question:  How many U.S. citizens have been issued a new credit or debit card last year due to fraudulent charges?  Perhaps the 29% are the unbanked population of the U.S. who are not issued cards because they do not participate in the formal banking system?  Unlikely.

 Cybercrime analysis needs to go deeper.  As an example, it would be interesting to discover what percent of cyber fraud victims in 2013 currently run a Microsoft-based operating system on their computer? No doubt the highest, due to the vast installed base of Microsoft-based PC's over the years.

 Executive Management of companies with over 1000 employees who do not perceive the risk of cybercrime on the rise, may have other more pressing issues.  Labor, raw materials, weather, or other factors that may be impacting their business.  It makes some sense.

 Over the next decade, the tide will turn on the motivation to pursue petty cybercrime and fraud.  Not because the laws and enforcement are more effective.  Not necessarily because the fraud opportunity becomes too difficult because of the effectiveness of new technology. Not even because the Microsoft Operating System installed base, dwindles to a minority percentage.  Why?

 It is because the best cyber Transnational Organized Crime (TOC) organizations will become allies with nation states or even terrorist non-state actors.  They will be paid much more handsomely and they may not even have to disclose their true identities.  The stakes and the fortunes to be made in TOC are rising.  The cyber domain is now a race for superiority.  The best of these skills and knowledge will come from the "dark side" to start, and at a high premium.  So what are you to do, if you are the CxO of a top Global 500 organization?

 Pray longer.  Allocate a treasure chest to invest in your long digital war ahead.  Hedge the risk...
New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit 
Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone). 
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. Several reasons make us believe this could be a nation-state sponsored campaign.
Posted by at No comments:
Labels: , , , , , ,

16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," the reasons that were given for not referring for legal action, the one that stands out in our mind is this one:
40% could not identify the individual(s) responsible for committing the eCrime.  And maybe even more astonishing is that 39% did not have enough information or a lack of evidence to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify who the responsible parties are to the incident. This may be for several reasons including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents but what about the "Unknowns," who add an additional 29%. The combination of the two make up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information and use of that information is at the center of this issue. When an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high tech tools utilized or the systems and controls within the organization there are always methods and processes that if properly implemented, will reduce the number of "Unknowns" and "Insiders."
 
In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company, who may be already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.
 
No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity."
So what?  
 
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

Posted by at No comments:
Labels: , , , , , , ,

22 April 2012

Workplace Trust: Integrity, Ethics & Legal Risk...

Operational Risk Management professionals wonder about the "Tone at the Top" and decisions at the latest Board of Directors meetings to ignore or investigate a whistleblowers claims of ethics or governance violations in the workplace.

The financial services companies have for years been the target of scrutiny for claims of fraud, mistreatment of consumers and violations of several U.S. federal regulations many under further examination by the SEC.  As time goes on in the evolution of maleficence you will find examples of wrong doing in other private sector areas, such as the Defense Industrial Base (DIB), Retail and Information Technology (IT).  Think about your own company and ask yourself how you treat and respond to the 800 number Ethics Line and those who staff the Internal Audit, Risk Management or Information Security departments.  Are these enablers or impediments to your future success?  Your answer may be a clue to the issue at hand.

The professionals in the Inspector Generals office, the Operational Risk Management department and the General Counsels office are also there for a good reason.  Think about them as the last "Thin Blue Line" between your company becoming a success or falling into a cultural abyss that will plague the institution for decades.  Steven Pearlstein explains from the Washington Post:

Steven Pearlstein: How could SAIC miss this? By , 
Last week in these pages, The Post ran a profile of John Jumper, the straight arrow former Air Force general who was brought in as chief executive of local contracting giant SAIC in the wake of an embarrassing overbilling scandal involving bribery, kickbacks, foreign shell corporations and a safe deposit box stuffed with $850,000 in cash. 
A year ago company officials were publicly denying that there were any problems at all with its contract to build a new timecard system for New York City, which by then was so late and so over budget that “CityTime” had become a frequent target for the New York tabloids and political embarrassment for Mayor Michael Bloomberg. 
It was just last June that SAIC executives and directors first informed shareholders that there might be a little $2.5 million overbilling problem with the contract and that federal prosecutors had brought criminal charges against six employees of an SAIC subcontractor. Shareholders had to read deep into Note 9 of that quarterly report to learn that there might be “a reasonable possibility of additional exposure to loss that is not currently estimable” that “could have a material adverse impact” on the company’s finances.


This episode by one DIB contractor, was not the first nor will it be the last.  One has to ask whether the advice these companies are getting from their outside counsel is always the right course of action.  The government and the internal risk management departments are going to be continuously deluged with new whistleblower claims.  Not just because new laws are in place to protect them and to provide them with the incentives to come forward.  It is because good people are sick and tired of having their organizations reputation tarnished and their respective ethical practices being jeopardized by a few bad cowboys or rogue actors.  Yet now, the Retail sector is being taught a serious lesson regarding a potential FCPA violation by Wal-Mart.  David Barstow at the NYT has this to report:

By  
Published: April 21, 2012  MEXICO CITY — 
In September 2005, a senior Wal-Mart lawyer received an alarming e-mail from a former executive at the company’s largest foreign subsidiary, Wal-Mart de Mexico. In the e-mail and follow-up conversations, the former executive described how Wal-Mart de Mexico had orchestrated a campaign of bribery to win market dominance. In its rush to build stores, he said, the company had paid bribes to obtain permits in virtually every corner of the country. 
The former executive gave names, dates and bribe amounts. He knew so much, he explained, because for years he had been the lawyer in charge of obtaining construction permits for Wal-Mart de Mexico. 
Wal-Mart dispatched investigators to Mexico City, and within days they unearthed evidence of widespread bribery. They found a paper trail of hundreds of suspect payments totaling more than $24 million. They also found documents showing that Wal-Mart de Mexico’s top executives not only knew about the payments, but had taken steps to conceal them from Wal-Mart’s headquarters in Bentonville, Ark. In a confidential report to his superiors, Wal-Mart’s lead investigator, a former F.B.I. special agent, summed up their initial findings this way: “There is reasonable suspicion to believe that Mexican and USA laws have been violated.”

Mitigation of Operational Risks in the workplace, such as fraud and corruption is different than it is outside the enterprise.  The difference is, that corporate executives do not always believe that their own employees would behave this way.  They could be naive to the reasons why fraud finds its way into the psyche of some of the organizations must trusted officers.  Corruption and the signs that an organization has lost its way from a place of cultural integrity and one that condones others to look the other way or for many to help perpetuate schemes of wrong doing, requires a massive organizational transformation.  A transformation that is lead by focused and talented Operational Risk professionals.

But most of all, even if you have these professionals on your team already, there are still some important ingredients to achieving your own "Defensible Standard of Care":

1.  If you think you have funded the risk management department in your enterprise adequately, you haven't.  Do not confuse your outside audit function with your internal risk management function. 
2.  If you don't understand how your 800 number ethics line works and the outsourced organization that runs this, then you need to do so immediately. 
3.  If you have a favorite outside counsel to help you with investigations, it might be time for a check up.  Even more importantly, it might be time to get your outside counsel firms and your outside audit firms invited to a meeting of the minds on corporate integrity. 
4.  If you find any indications that 1 through 3 have been ignored, pushed aside or been giving you a false sense of security, then you might consider making a career change.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.


Posted by at No comments:
Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)