01 March 2014

RSA Conference 2014: The Aftermath and the Consequences...

The 2014 RSA Conference USA is complete, and yet what have we learned?  Operational Risk Management (ORM) is still top of mind from the "Board Room" to the back office.  The mitigation strategies are permeating the 3rd Party supply chain, as management realizes that operational risks really do exist with partners and suppliers.  By now the RSA attendees are reviewing their notes, connecting with people on LinkedIn and sorting the stack of business cards on their desk.  Now what?
  • Have some of the largest retailers been the victims of massive data breach hacks?  Yes.  Have those attendees of the RSA Conference who downloaded the mobile app been exposed to a potential data leak of their information?  Yes.
  • Meanwhile, Operational Risks exist far beyond Moscone and San Francisco.  Have financial institutions been fined by government regulators over alleged violations in the sale of mortgage securities that led to the 2008 financial crash?  Yes.
  • Have the age old competitive intelligence tactics evolved into full blown "Industrial Espionage" funded and supported by nation states?  Yes.
  • Has the polar vortex created a vast economic risk for millions of businesses due to adverse weather? Yes.
And the Operational Risks to your organization will continue, that is for certain.  How, after a week of RSA, can you return to your enterprise and know where to begin?  What to change?  What new initiative to begin?  What new vulnerability to remediate?  Don't worry, the list will not be getting any shorter.  The priorities however may be changing.

So maybe it is time for a new "Consequence Assessment."  Here are the key variables for the rows of your matrix:
  1. Loss of life:  Likely fatality count.
  2. Economic damage:  Estimated costs of the attack or hazard.
  3. Psychological impact:  Considerations of change in population behavior toward social functions.
Now, the consequence levels become your columns of the matrix:
  • 0 - None or Negligible
  • 1 - Minor
  • 2 - Moderate
  • 3 - Significant
  • 4 - Catastrophic or Severe
In order to make the consequence assessment relevant and applicable to your business size, industry sector and geographic location, you now need to define each of the cells of the matrix.  So as an example, if we go to the matrix cell of Economic Damage / Moderate (2), what is your definition?  Perhaps a range of $1 billion to $10 billion.

If you are JPMorgan Chase then this may be the case for a consequence of legal liabilities, due to adverse litigation by the U.S. government in the Madoff case:
JPMorgan Chase has been fined more than $2 billion for violations of the Bank Secrecy Act tied to failure to report suspicious activity related to Bernie Madoff's decades-long, multi-billion dollar Ponzi scheme. Madoff was sentenced in 2009 to 150 years in prison for his deception. 
The fines against Chase were the result of three settlements. A settlement with the U.S. Attorney's Office for the Southern District of New York included a $1.7 billion penalty; a separate settlement with the Office of the Comptroller of the Currency included a $350 million penalty. Additionally, the Treasury Department's Financial Crimes Enforcement Network fined Chase $461 million for BSA-related violations. But FinCEN determined that its fine was satisfied by Chase's payment to the U.S. Attorney of New York.
If you are a mid-level business enterprise in the software industry that develops an "App" for consumers to file their income taxes online, then the metrics will be different for a moderate consequence of "Economic Damage."  Your matrix will be entirely different and fine-tuned to what is relevant in your industry sector.

The Loss of Life category will be an interesting exercise.  None or Negligible will be zero fatalities.  Yet how do you define the difference between minor (1) and moderate (2)?

The Psychological Impact category will span:

0 - None or Negligible = No major change in population behavior; no effects on social functioning
to
4 - Catastrophic or Severe = Loss of belief in government and institutions; widespread disregard for official instructions; widespread looting and civil unrest

Once you have designed your particular matrix for your size and type of business, the real work begins.  You must now begin developing the "Use Cases."  What are the scenarios that you will apply to the exercise that will take place next with the affected stakeholders?

In a generic fashion, you will design specific and customized scenarios that address the major business revenue components of your particular enterprise.  You are imagining an attack or hazard outcome that impacts that component of your business.  Such as these typical cases:
  • Earthquake destroys data centers
  • Tsunami overcomes nuclear reactors
  • Data hack exposes millions of customers' PII
  • Infectious disease outbreak across work force
  • Government prosecutes for violations of regulatory laws
  • Employee sues company for management harassment
  • New Customer Order Management system launch encounters substantial bugs/failures
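To make the cell definitions concrete, here is an added example (not from the original post) that encodes the three rows and five consequence levels above and scores a few of the use cases against two hypothetical calibrations, a global bank and a mid-level tax-software vendor. Every dollar and fatality band except the post's own $1 billion to $10 billion "Moderate" economic cell is an assumption, and the scenario outcome figures are constructed for illustration.

```python
"""Consequence assessment matrix: rows, columns and per-organization cell definitions."""
from bisect import bisect_right
from dataclasses import dataclass

# Columns of the matrix (consequence levels), as listed in the post.
LEVELS = {
    0: "None or Negligible",
    1: "Minor",
    2: "Moderate",
    3: "Significant",
    4: "Catastrophic or Severe",
}


@dataclass(frozen=True)
class Calibration:
    """Cell definitions for one organization (assumed values).

    Each bands tuple holds the lower bound of levels 1..4 for that row;
    anything below the first bound scores 0.  Loss of life and economic
    damage are numeric rows; psychological impact is judged directly.
    """
    name: str
    economic_bands: tuple   # USD lower bounds for levels 1..4
    fatality_bands: tuple   # fatality counts, lower bounds for levels 1..4


@dataclass(frozen=True)
class Scenario:
    """One 'Use Case' with the estimated outcome of the attack or hazard."""
    title: str
    fatalities: int
    economic_damage_usd: float
    psychological_impact: int   # 0..4, judged by the stakeholder group


def band_level(value, bands):
    """Map a numeric value to a level 0..4 using the lower bounds of levels 1..4."""
    if value < 0:
        raise ValueError("value must be non-negative")
    if len(bands) != 4 or list(bands) != sorted(bands):
        raise ValueError("bands must be four ascending lower bounds")
    # bisect_right counts how many lower bounds the value has reached.
    return bisect_right(bands, value)


def score(scenario, cal):
    """Score one scenario on all three rows under one calibration."""
    if scenario.psychological_impact not in LEVELS:
        raise ValueError("psychological impact must be 0..4")
    return {
        "loss_of_life": band_level(scenario.fatalities, cal.fatality_bands),
        "economic_damage": band_level(scenario.economic_damage_usd, cal.economic_bands),
        "psychological_impact": scenario.psychological_impact,
    }


def assess(cal, scenarios):
    """Return per-row levels plus the worst-row 'overall' level for each scenario."""
    result = {}
    for s in scenarios:
        rows = score(s, cal)
        result[s.title] = {**rows, "overall": max(rows.values())}
    return result


# Two hypothetical calibrations.  The bank's Moderate economic cell is the
# post's $1 billion to $10 billion band; everything else is assumed.
GLOBAL_BANK = Calibration(
    "global bank (assumed)",
    economic_bands=(1e8, 1e9, 1e10, 1e11), fatality_bands=(1, 10, 100, 1000))
TAX_APP_VENDOR = Calibration(
    "mid-level tax app vendor (assumed)",
    economic_bands=(1e5, 1e6, 1e7, 1e8), fatality_bands=(1, 2, 10, 100))

# Constructed use cases taken from the post's list, with assumed outcome estimates.
USE_CASES = [
    Scenario("Data hack exposes millions of customers' PII", 0, 2.05e9, 2),
    Scenario("Earthquake destroys data centers", 3, 5e7, 1),
    Scenario("New Customer Order Management system launch encounters substantial bugs", 0, 2e5, 0),
]


def print_report(cal, scenarios=USE_CASES):
    """Print the matrix result for one organization: same loss, different levels."""
    print(f"== {cal.name} ==")
    for title, rows in assess(cal, scenarios).items():
        cells = ", ".join(f"{k}={v} ({LEVELS[v]})" for k, v in rows.items() if k != "overall")
        print(f"{title}: {cells} -> overall {rows['overall']} ({LEVELS[rows['overall']]})")


if __name__ == "__main__":
    print_report(GLOBAL_BANK)
    print_report(TAX_APP_VENDOR)
```

Running both reports side by side shows the post's point: a roughly $2 billion loss is Moderate (2) for the bank but Catastrophic (4) for the vendor, so the cells, not the scenarios, carry the calibration.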
After you have cleaned off your desk from a week away at RSA, the work really begins.  Start your new "Consequence Assessment" soon.  Gather senior executives for an off-site for two days to review the new scenarios you have designed.  Get their independent feedback and perception of the variables of your matrix.  Ask your Board of Directors for the resources and budgets to address the outcomes and insights from the exercise.
"Man must be arched and buttressed from within, else the temple will crumble to dust."
— Marcus Aurelius Antoninus

22 February 2014

Fraud Trends: Hedging Transnational Organized Crime...

The facts and the results of forensic investigations across the cyber domain are telling a significant story.  The question remains, will CxO's take the time to digest and think about what is happening within their Enterprise Risk ecosystem?  Operational Risk Management (ORM) has four key dimensions:

  • People
  • Processes
  • Systems
  • External Events

Each of these dimensions must be looked upon in a holistic and interdependent manner, realizing that they are all indeed interconnected.  One may impact another, or managing risk in some but not others could bring the entire enterprise to its knees.  This is understood.

You are no doubt utilizing a myriad of strategies to deter, detect, defend and document the Operational Risks within your specific industry and associated with the adversaries and regulations pertinent to your business.  So why is this still the state-of-play?
Companies are beginning to change how they think about cybersecurity – viewing it as a business issue, not just an IT issue. Forty-four percent of U.S. organizations that experienced fraud in the past 24 months suffered from cybercrime; and 44 percent of all U.S. respondents indicated they thought it was likely their organization would suffer from cybercrime within the next 24 months. 
Seventy-one percent of U.S. respondents indicated their perception of the risks of cybercrime increased over the past 24 months, rising 10 percent from 2011. U.S. respondents' perception of the risks of cybercrime exceeded the global average by 23 percent. Despite having more to lose, U.S. respondents were generally less aware of the cost of cybercrime: 42 percent of U.S. respondents were unaware of cybercrime's cost to their organizations, compared to 33 percent of global respondents.

Didier Lavion, PwC principal and lead author of the U.S. report, said, "U.S. corporations need to better leverage and implement the computational and analytical power of cybersecurity technologies to help combat the increasing global presence of cybercrime."  --Source:  PwC's Global Economic Crime Survey 2014

The reason that the state-of-play remains in turmoil is the inverse of what the survey is reporting.  29% of U.S. respondents have no perception that the risks of cybercrime have increased over the past 24 months.  The 29% who do not perceive this must be in an industry group that is either not connected to the Internet, does not use mobile devices, or is using paper and pencils to run their business.
So for the other 71%, the perception of the risks of cybercrime has increased.  Again, what are the business details of these respondents?  What would be interesting is to ask the question:  How many U.S. citizens have been issued a new credit or debit card last year due to fraudulent charges?  Perhaps the 29% are the unbanked population of the U.S. who are not issued cards because they do not participate in the formal banking system?  Unlikely.

Cybercrime analysis needs to go deeper.  As an example, it would be interesting to discover what percent of cyber fraud victims in 2013 currently run a Microsoft-based operating system on their computer.  No doubt the highest, due to the vast installed base of Microsoft-based PCs over the years.

Executive Management of companies with over 1000 employees who do not perceive the risk of cybercrime on the rise, may have other more pressing issues.  Labor, raw materials, weather, or other factors that may be impacting their business.  It makes some sense.

Over the next decade, the tide will turn on the motivation to pursue petty cybercrime and fraud.  Not because the laws and enforcement are more effective.  Not necessarily because the fraud opportunity becomes too difficult because of the effectiveness of new technology.  Not even because the Microsoft Operating System installed base dwindles to a minority percentage.  Why?

It is because the best cyber Transnational Organized Crime (TOC) organizations will become allies with nation states or even terrorist non-state actors.  They will be paid much more handsomely and they may not even have to disclose their true identities.  The stakes and the fortunes to be made in TOC are rising.  The cyber domain is now a race for superiority.  The best of these skills and knowledge will come from the "dark side" to start, and at a high premium.  So what are you to do, if you are the CxO of a top Global 500 organization?

Pray longer.  Allocate a treasure chest to invest in your long digital war ahead.  Hedge the risk...
New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit 
Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone). 
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. Several reasons make us believe this could be a nation-state sponsored campaign.

25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so-called eDiscovery and evidence coming back to haunt them are using these newfound "Privacy Apps."  Buyer beware, and the CxO's should be on the lookout for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks, or using their own personal devices, these new apps are indeed collecting potential discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off-the-record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device to device.  What this is really about is evidence.
Evidence
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users' communications when presented with a court order.

28 December 2013

OPS Risk: Best of 2013 and 2014 Forecasts...

This Operational Risk Management (ORM) blog has been posting since September 2003.  Over a decade later, the 1000+ pages of content on the discipline and profession of Operational Risk Management provides continuous learning and significant new insights.

Here are a few of our most visited "Operational Risk" blog posts of 2013:
As we approach the end of 2013 and embark on our journey into 2014 in the United States, there are many reflections and new aspirations on our mind.  When we look back over the past 12 months, we see old Operational Risk vectors pioneered in the days prior to the Internet, now making their way online.  Why?  It is far easier and more efficient to rob banks, extort people, defraud consumers and conduct psychological warfare, over a global network of interconnected digital devices.

2014 will continue to accelerate the needs and requirements for more robust Operational Risk Management strategies and increased adaptive tactics to neutralize a rapidly evolving set of new adversaries.  This however, may be one of the most compelling challenges for OPS Risk professionals across the globe:

Correcting the record on the NSA review
By Michael Morell, Published: December 27 
Michael Morell is the former acting director and deputy director of the Central Intelligence Agency and a member of President Obama’s Review Group on Intelligence and Communications Technologies. 
One of the dangers of a 304-page report on a complex subject is that everyone gets to choose what he or she thinks is the bottom line. Many of those commenting on the report and recommendations of the recently completed Presidential Review Group on Intelligence and Communications Technologies must have read a different report than the one I helped write.
As one of the five members of the panel, let me try to clear up some of the confusion and misperceptions. One such misperception is the extent of the changes called for in the report. Commentators have used the word “sweeping” to characterize the recommendations, arguing that they would “roll back” the capabilities of the intelligence community.  This is incorrect.
The reason that the ambiguity of the "Security vs. Privacy" debate will challenge the OPS Risk professionals is obvious.  Uncertainty and indecision increase vulnerability.  As a policy maker, U.S. military officer, consumer or a corporate CxO, the same applies.

2014 will require augmented abilities to adapt and to increase our adaptive speed.  What is your latency to change, from the time your adversary measures your behavior after a test of your controls or defenses?  In these continuously asymmetric ecosystems operating on a global basis, the response time window has narrowed to minutes or even seconds.  Not hours or days:
Target: Deceive first, answer questions later
Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday. 
Evan Schuman December 28, 2013 (Computerworld)
For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them. 
The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken." 
Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?
2014 Operational Risk Management (ORM) will include "lessons learned" from the advice given to and within companies, such as Target Corporation.  Corporate counsel in collaboration with external private sector Incident Response companies including government agencies, will debate the disclosures, the sources and methods, as well as the timing of public relations press releases.

2014 will embark with the political narratives that are necessary to gain psychological advantage over the masses. Business media interests will begin managing the risks associated with any negative outcomes of their favored Pawns, Bishops and Knights.  Protecting the King or even the Queen for the first time, is the name of the game.  Political chess has an impact on governance, regulatory and compliance environment for business.

In 2014 horizontal thinking will "Break out" to bridge the gaps between public and private strategies.  Managing catastrophic risks to vital critical infrastructure requires private sector willingness with public sector cooperation.  Big picture problem-solving and addressing global issues requires more focus on the World Economic Forum Global Risks Report agenda:
  • Testing Economic and Environmental Resilience
  • Digital Wildfires in a Hyperconnected World
  • The Dangers of Hubris on Human Health
In an interdependent, fast-moving world, organizations are increasingly confronted by risks that are complex in nature and global in consequence. Such risks can be difficult to anticipate and respond to, even for the most seasoned business leaders.
Finally, 2014 will provide new opportunity and a positive outlook not seen since 2007.  The global investors are still bullish on the possibilities for long-term growth.  The religious wars will continue to spark new regional conflicts, yet the super powers will continue to find common ground.  Resilience to systemic failures will define what countries emerge, as the next tier of global influence.

At the end of the day, we are all the same.  Love for our family and the constant anxiety of providing a safe, secure and nourishing environment for them to live out their days.  As we close our eyes each night to try to sleep, we plan our next day on managing the "Operational Risks" in our path ahead.

14 December 2013

Unauthorized Access: Civil CFAA Legal Risk Strategy...

A tutorial on the definition of a "loss event" is appropriate for those who seek greater understanding of "Operational Risk Management" (ORM).   Specifically when it comes to the civil litigation strategy utilizing the "Computer Fraud and Abuse Act" (CFAA) 18 U.S.C. 1030.

What is a loss?  Easy:  Loss = cost.  "Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service."

So the remedies available are economic damages, loss damage and injunctive relief.  Not exemplary damages or attorneys' fees.  Don't let that last one scare you from using CFAA as an effective deterrent in your arsenal as a General Counsel.  The basic threshold is that the victim incurred a loss during any one-year period of at least $5,000.00.
For the focus of this blog post, we will talk about "Insiders" who exceed authorized access, that is, who access in a way they are not entitled to.  Typically these are employees or others in the business supply chain who may have the use of a password or key to gain access to information only known or available to another employee, such as a supervisor or system administrator.
It is imperative here to state the importance of finding an attorney that truly understands this law, from a civil, not a criminal perspective.  The complaint must provide factual content that the Plaintiff has suffered the type of damage to "data, a program, a system or information."  Think more about business interruption and the expenses related to investigation, remediation and integrity of operations.  An employee who leaves the company and has e-mailed proprietary information of clients or proposals to their personal account, is not what we are talking about here.

What about the employee who decides to damage or destroy the organizational records of their primary area of responsibility (database of client contacts, meeting notes, reports and proposals) or even those of the entire company?

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  Here is just one example:
Tech Systems, Inc. v. Pyles, 2013 WL 4033650 (ED VA Aug. 6, 2013) (4th Cir)
After being terminated, former employee forwarded company emails and deleted company emails from mobile device before returning it to employer because they contained incriminating evidence. Court granted spoliation finding and jury returned verdict for violating Computer Fraud and Abuse Act, among other claims.
This is just a single case of how a single disgruntled employee, decided to proactively get revenge with a former employer, Tech Systems, Inc. of Alexandria, VA, a U.S. defense contractor.  Why organizations do not utilize the tools such as CFAA to find civil remedy, on a more regular basis is the question at hand.

CFAA is designed to be legally effective on a broad scale and for good reason.  It does however, require that someone uses it with the right intent and legal purpose.  We predict that more civil cases will be filed, as General Counsels and attorneys better understand how to effectively utilize it, in combination with other laws associated with Intellectual Property Theft.  As judges and more cases are tried, the momentum will pick up.  So what?

Booz Allen Hamilton v. Snowden.  Not yet?  Just a Violation of a "Code of Ethics" and fired?  Not likely.
The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. 
One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization. 
The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.
United States of America v. Edward J. Snowden.  Filed under seal June 14th, 2013.  Offenses include 18 U.S.C. 641, Theft of Government Property; 18 U.S.C. 793(d), Unauthorized Communication of National Defense Information; and 18 U.S.C. 798(a)(3), Willful Communication of Classified Communications Intelligence to an Unauthorized Person.

Civil CFAA Legal Risk Strategy can be utilized in many cases where the magnitude of the loss and the economic exposure to a U.S. government contractor, is not on the radar of the U.S. Attorney.  Keep it in mind...

01 December 2013

eDiscovery Risk: The Marketing of Privacy...

Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days.  It is ironic that privacy is now the new vogue marketing strategy.  After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data, a rogue U.S. citizen charged with espionage has finally convinced some senior business executives of the value of marketing increased privacy of their technology products and services.  Chris Strohm explains:
While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key. 
The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Mitigating the risks of being hacked by a group of criminals stealing personal identifiable information from consumers on a transnational basis has not motivated these same executives to move towards investing in more effective data and information assurance strategies.  Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen.  Go figure...

What is the industry executives' motivation for now improving the confidentiality, integrity and assurance of customers' information?  Improved market share and presence.  The payback will be rapid, and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information are now doing an about-face.

As we quickly approach Cyber Monday and the commerce of the Internet is at a peak of annual transaction volume, some servers will be talking to each other on encrypted networks for the first time. All seamless to the end user and consumer, yet not to the adversary.  So who really is the adversary these days; the criminal organizations or the U.S. Government?  The strategists mitigating risks at commercial private organizations unfortunately in many cases, see both in the same category.  This is a real mistake and one that should be evaluated, discussed and agreed upon.

You see, U.S. based companies must have an effective symbiosis with their legal system and rule of law.  What does that mean?  Operational Risk encompasses the risks to the institution from a legal perspective.  That means that the processing, storing, archiving and retrieving of information is subject to the laws of electronic discovery and forensic evidence.  It means that, as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes.  Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.

As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working alongside the legal staff.  The risk management and information technology professionals should be briefing both corporate executives and counsel on the implications of being responsive to their consumers and non-responsive to plaintiff lawyers, or the U.S. Attorney or State Attorney General:
Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. 
A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal (sub. req.).
So this is where the marketeers and the legal staff need to get their heads together.  The space between privacy and government legal requests is still not widely understood inside corporations, let alone by the average John Q. Citizen, who has never even heard of eDiscovery:
Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is worse than damage caused by "Outsider Attacks".  The most common insider e-crime, at 63%, is unauthorized access to or use of corporate information.  Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked whose electronic crimes were the most costly or damaging, the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Of the reasons given for not referring "Insider" incidents for legal action, the one that stands out in our mind is this:
40% could not identify the individual(s) responsible for committing the eCrime.  Perhaps even more astonishing, 39% did not have enough information or evidence to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far?  Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify the parties responsible for an incident.  There may be several reasons for this, including a lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, but what about the "Unknowns," who add a further 29%?  Together the two make up 62% of all the incidents in the study.  This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information, and the use of that information, is at the center of this issue.  By the time an organization realizes that this "information" has been used against it, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret.  To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activity.
Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders."
 
In your particular case, it may just come down to developing more effective situational awareness among your employees.  This educational and awareness-building process may also uncover the individuals within your company who are already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity, and each year the CEO kicks off the first session in person, together with their direct reports and the Board of Directors.
 
No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity."
So what?  
 
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

10 November 2013

Veterans Day: Operation Stigma Continues...

One year ago on the Marine Corps Birthday, 10 November 2012, we raised our glasses to celebrate.  It had been a long day, and here is that post from this Operational Risk Management (ORM) blog, from the front lines of Hurricane Sandy:
On Sunday morning, observing Veterans Day in the United States began with a few words from a leader from the American Red Cross at a local shelter near North Brunswick, NJ  USA.  We heard his words of recognition and what it felt like for him to return to our country after serving in Vietnam and being ridiculed and spit upon.  The veterans in the room were all gearing up for another day on the front lines of a new domestic battle with the aftermath of Hurricane Sandy.  Team Rubicon and its growing presence of agile, selfless and highly skilled professionals have been working alongside other national and international NGOs.  They are projecting a rapid and significant force on the ground, from New York to previously unrecognized communities such as Union Beach and Mantoloking, NJ.
Serving alongside veterans with Team Rubicon (TR) in the face of a major disaster zone is one honor.  The journey this past year has been a rewarding one, working with and supporting veterans.  Five months after this first hand experience, one of our TR colleagues in NJ committed suicide.  Neil was not alone.  The numbers are staggering at this point.  Here is the post soon after, on May 11, 2013:
There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in veterans' hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk? 

Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs.  By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
Melanie Haiken, Contributor - Forbes
Since then, this blogger has been serving in another veteran-focused non-profit.  One that fills the gaps between natural disasters.  And for good reason.  The wounded, injured and ill can't wait for the next tornado, hurricane, earthquake or tsunami to get out of the basement of their house.  The thousands with Traumatic Brain Injury (TBI) or Post Traumatic Stress Disorder (PTSD) are living their lives each day, until they end up like our colleague Neil.  There is not a cure.  Only treatment.  Only living with an outcome of serving your nation.  This is a global epidemic for all those who have served in and around the conflicts across the globe.

In order to really understand this, you have to get close to it.  For the past six months, serving those wounded, injured and ill has been an education in what is missing and how to fill the gaps.  The biggest gap we face is the one that took Neil from us.  The Stigma.
stig·ma
noun, plural stig·ma·ta [stig-muh-tuh, stig-mah-tuh, -mat-uh], stig·mas.
1. a mark of disgrace or infamy; a stain or reproach, as on one's reputation.
2. Medicine/Medical. a. a mental or physical mark that is characteristic of a defect or disease: the stigmata of leprosy. b. a place or point on the skin that bleeds during certain mental states, as in hysteria.
3. Zoology. a. a small mark, spot, or pore on an animal or organ. b. the eyespot of a protozoan. c. an entrance into the respiratory system of insects.
4. Botany. the part of a pistil that receives the pollen.
5. stigmata, marks resembling the wounds of the crucified body of Christ, said to be supernaturally impressed on the bodies of certain persons, especially nuns, tertiaries, and monastics.
Yes, the stigma surrounding PTSD and TBI is now our Operation.  Our target.  Ending it is our mission.  You see, this blogger has identified "Stigma" as a likely adversary.  How can we say this?  One only has to read the heartfelt prose of Sgt. Jeremy Conway from his blog, started a few months ago:

Who Dwells Within
November 8, 2013
Day to day
I wait to see
What awaits and what I’ll be
Who dwells within
To all who care
For those I love
No answers come from Heaven above
Who dwells within
Never understood
Read every book
About what overpressure and shockwaves took
Who dwells within
Each day I wake
Where darkness resides
I become whatever my mind decides
Who dwells within
Day to day
To all who care
Never understood
Each day I wake
Who dwells within 
--Jeremy Conway
We know people like Jeremy Conway are out there and may also want to raise awareness of "Operation Stigma".  Sgt. Conway has the continued courage to face this vital mission and we look forward to reading his blog for years to come.  He is a true "Quiet Professional"....

This Veterans Day 2013 as we lay a wreath in Arlington Cemetery at the Tomb of the Unknowns, we will be remembering Neil and praying that we all continue to "Bridge the Gap."

22 September 2013

Hidden Lynx: Transnational Group for Hire...

Organized transnational criminal and cyber espionage groups are becoming more robust.  CIOs and corporate "Active Defense" teams are gearing up for a continuous barrage of new exploits and phishing vectors.  Operational Risk Management is more of a priority than in recent years.
A Symantec report by Stephen Doherty, Jozsef Gegeny, Branko Spasojevic and Jonell Baltazar highlights the latest:  
The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.   The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans.
The Bit9 incident is one of the few documented targets of this organized team known as "Hidden Lynx."  They are no different from the "Base" groups that attacked our nation in 2001 by hijacking airplanes.  Hidden Lynx exploits little-known weaknesses in the design, implementation or configuration of ICT systems, instead of our transportation and border protection controls.  Their tradecraft for cyber espionage and potential sabotage is characteristic of an organized set of professional fraudsters, bank robbers, special operators and intelligence professionals.

So what does this mean to the average Fortune or Inc. 500 company with a dedicated IT and Information Security Task Force?  It is time to call in reinforcements and to realize that you are already behind in the OODA Loop.  The enterprise executives who are now tasked with reporting material losses and other adverse events to shareholders understand the magnitude and the expense involved in remediating a significant breach.

The cyberspace narrative is changing in the U.S. after the disclosure of significant law enforcement requests for intelligence information on U.S. persons.  Private sector companies will be more open about how many times information was requested.  An open public debate will heighten the dialogue to a level not possible before and will produce a faster response to the necessary changes in policy, both public and private.  Citizens' rights, and the equilibrium necessary to protect those same citizens, will be the crux of the dialogue.

While the debate continues, "Hidden Lynx" will continue to operate and this transnational criminal group will grow stronger.  Our U.S. critical infrastructure assets may be subjected to new attacks that produce additional losses and damage to shareholder equity.  Policy makers continue to work in joint sessions with public agencies and private enterprise to craft the right mix of new disclosure requirements.  Operational Risk professionals know one thing for certain.  The pace and magnitude of the attacks will increase.  How and when we counter is still in major debate.  In the meantime, "Hidden Lynx" will continue to be in the cross hairs of the professionals in Ft. Meade, Chantilly, Pittsburgh and Orange County.

17 August 2013

Privacy 3.0: The Genesis of EarthCom...

Information classification in the private sector is gaining traction again as sensitive national security leaks are published in the popular press.  Data breach laws and cyber legislation are a daily discussion on Capitol Hill.  CISOs and CSOs, even at the Washington Post, are in "Incident Response Mode" after a successful phishing exploit by the Syrian Electronic Army.  These Operational Risk Management (ORM) challenges are on the rise not only because of the amount of information exchanged each day in an era of the "Internet of Things"; these risks are now front and center as "Privacy 3.0" evolves in the Cloud.

Andrew Serwin of The Lares Institute puts it all in context:
The question confronting modern-day privacy scholars is this: Can a common law based theory adequately address the shifting societal norms and rapid technological changes of today’s Web 2.0 world where legislatures and government agencies, not courts, are more proactive on privacy protections?
As private sector companies produce the technology solutions to accommodate the exponential expansion of our global ICT ecosystem, we must acknowledge the genesis of its origin.  Human beings.  The products, systems, software and patents are the result of inventions by mankind.  Yet there is evidence that the evolution of ICT, whether in hardware, software or the data itself, has similarity to biological evolution.  For decades scientists have studied the similarity of information ecosystems to biological immune systems.  These same smart and bold people have written books, journals and peer-reviewed papers on the subject of transformational systems thinking.  Growth and change in the digital universe follows a biological path found in nature.

The organizational growth cycles are:
  • Forming = entrepreneurship
  • Norming = production
  • Integrating = diversification
This cycle of growth has many labels, yet systems and organizational experts will say that the integrating phase of growth encounters a bifurcation point, where it is necessary for the system to innovate again and form something new in order to adapt to its new environment.  If the system does not break away and create a new forming stage of the growth cycle, it will eventually perish.  This is why organizational change experts invented such innovations as the "Skunk Works," or why a private sector company breaks off a business unit and creates a whole new company.

Privacy 3.0 is now four years old.  Are we now at the bifurcation stage of the societal information growth cycle, with the speed of business leaving the existing rule of law in the rear view mirror?  Andy Serwin wrote in his 2009 paper:
Given the changes in society, as well as the enforcement mechanisms that exist today, particularly given the FTC's new focus on “unfairness,” and the well-recognized need to balance regulation and innovation, a different theoretical construct must be created--one that cannot be based upon precluding information sharing via common law methods. Instead, the overarching principle of privacy of today should not be the right to be let alone, but rather the principle of proportionality. This is Privacy 3.0.
As information flows through the manmade veins of light and invisible waves of zeros and ones around our planet, we are approaching a "Breakpoint."  A place in time where the system will need to bifurcate in order to survive.  In government circles, the system of proportionality has been four levels of sensitivity:
  • Restricted = For Official Use Only (FOUO), which in U.S. practice is a dissemination control on unclassified information rather than a classification level
  • Confidential
  • Secret
  • Top Secret (TS)
In the years ahead, as you hold your IP Phone (iPhone) to update the Twitter, Foursquare, Facebook or WordPress app, you are behaving in the Privacy 3.0 ecosystem.  While you are at work in the public or private sector using Google Business Apps in the cloud, your behavior and your words, including personal data such as your semantics or GPS coordinates, are entering one of four levels of sensitivity.

In order to make the leap to our next systemic "Breakpoint", we will need to design proportional privacy into our Operational Risk Framework.  Without it, the system will decay and ultimately cease to exist.  Is privacy an afterthought in your organization?  What information governance education takes place on a continuous basis?  How do you monitor and measure?  Have you tagged the information into four levels of sensitivity?  These are just a few of the questions that the Privacy 3.0 enterprise is encountering, at the genesis of an ICT "EarthCom."

04 July 2013

The Franklin Project: Preserving Certain Unalienable Rights...

On this July 4th, 2013 in the United States we reflect on a declaration.  The Operational Risk Management (ORM) of the nation was a priority in 1776 and the wordsmiths surrounding Thomas Jefferson penned our most precious document.

The information contained in the "Declaration of Independence" has withstood 237 years of debate, rule of law and service to the Republic to defend all that it stands for.  However, only 1% of U.S. citizens now serve in the military defense of what the country believes in and preserving our "certain unalienable Rights".  This is a failure of leadership, and the Operational Risks of our nation will continue to increase from within our borders without a substantial solution for comprehensive civilian service.

There are, however, a few brave people across the United States who have served not only as leaders of the 1%, but as future leaders of the 100%.  You see, the "Franklin Project" is the ideal way for our country to manage a spectrum of current and future risks upon us.  It is even a way for the thousands of 501(c)3 charities to converge and share a single, cohesive strategy for not just a few people to serve, but for all those U.S. citizens able to serve, early in their lives:

What is the Franklin Project?
The Franklin Project is a new venture by the Aspen Institute to marshal the best case for a voluntary civilian counterpart to military service in the United States. At the 2012 Aspen Ideas Festival, General Stanley McChrystal called for large-scale civilian national service to engage more Americans in serving community and country. We believe national service can and should become a common expectation and common opportunity for all Americans to strengthen our social fabric and solve our most pressing national challenges. To realize this vision, the Franklin Project engages outstanding Americans from the private sector, higher education, government, the military, the faith community, the philanthropy, and nonprofit organizations, to develop innovative policy ideas and to build momentum around advancing a new vision of civilian service for the 21st century. Our goal is to create one million new opportunities for large-scale civilian national service. 
What is national service? Why now?
National service has always been in the DNA of Americans. By committing to spend a year or more serving our nation full-time, we have the opportunity to strengthen our social fabric, improve on individual skillsets, and solve some of the nation’s most pressing challenges. Today, application numbers for national service programs such as AmeriCorps, City Year, and Teach for America, are higher than ever before. The Corporation for National and Community Service, which supports AmeriCorps programs, reported that there were 582,000 applications for just 83,000 national service positions last year. This means that nearly 500,000 people who were ready and willing to commit themselves to full-time national service were turned away. The current capacity for national service opportunities is thus outpaced by the incredible demand.

- See more at: http://www.aspeninstitute.org/policy-work/franklin-project/about-us
So America, what are we waiting for to change the way our youth serves and our nation treats national service?

Each citizen has the opportunity to give back to the improvement of our nation through non-profit charities, religious institutions and especially our military.  What we have accomplished so far is only a start and still years away from what America is capable of achieving.  Civilian National Service will someday be a way for our youth to establish their sense of leadership, philanthropy and strong moral foundation.

God speed to the Franklin Project on our national birthday celebration!

11 May 2013

Invisible Wounds: Risk to the One Percent...

There is an alarm bell ringing within the ranks of Operational Risk Management executives in the United States.  As brave, experienced and motivated veterans enter the U.S. civilian work force, it is growing louder by the hour.  Our "One Percent" who serve in the military, leaders returning from over a decade of war and those who have earned the Global War on Terrorism Expeditionary Medal (GWOTEM), now have a new adversary.  Does your organization hire veterans or spouses of vets?  How are you taking an active role in veterans' hiring, career goals, aspirations and training?  What are the potential indicators of an employee at risk?
Melanie Haiken, Contributor - Forbes
Almost once an hour – every 65 minutes to be precise – a military veteran commits suicide, says a new investigation by the Department of Veterans Affairs. By far the most extensive study of veteran suicides ever conducted, the report, issued Friday, examined suicide data from 1999 to 2010.
The fact is that about 31% of those veterans are under 50 years old, in the prime of their lives and careers.  The Operational Risks associated with a workplace that employs a growing number of veterans come in different areas of concern and opportunity.  The awareness building program within a workplace, focused on mitigating risks to the enterprise, should concentrate on behaviors and pre-incident indicators.  Especially when it comes to humans.  "Invisible wounds" are just that.  They are hard to see.

Has your organization been faced with an employee, a veteran, who took their own life?  The cues and clues may not be so obvious.  Human Resources departments, Organizational Development management and senior executives are starting to hear that alarm.

There are people walking around your organization at this very moment who are at risk, and you may be unaware of the indicators.  Begin the process today to change this growing epidemic.  Create a mechanism for building awareness of the potential pre-incident indicators.  More importantly, what are you doing to proactively evaluate and monitor employees who are veterans?
60 Minutes - Invisible wounds of war by David Martin
An estimated quarter million servicemen and women have suffered concussions over the past decade of war. Tens of thousands -- no one knows the precise number -- are dealing with lasting brain damage. The Pentagon, which did not recognize the problem until the war in Iraq was almost over, is now scrambling to treat these invisible wounds. And soldiers suffering from them sometimes end up wishing they had a wound people could see.
There are programs for building awareness with employees, and even a growing number of non-profit organizations that are making a difference.  The point is, what is management doing to engage fellow executives to be more proactive on multiple fronts?  Here is one example that you should be investigating immediately.  Pretend for a moment that you, as the CEO, are a veteran applying for a job at your company.  Go to your own career web site page and apply for a job at your company.  Why?  See how easy it is.  See what happens next.

The reason is clear.  You have no idea what a veteran goes through just to apply for a position with your company.  Second, you do not fully understand how your own HR staff and recruiters follow up and provide feedback to the applicant once they have navigated the vast maze of your latest outsourced online job platform.

We would also ask that you investigate your organization's process for periodic assessments of employee performance.  How is it the same or different for a veteran?  Has it been modified, or is it done with a trained professional who can draw on substantial experience to provide an early warning system for vets who may be at risk in your workplace?

Whether you are in the military ranks now as a commander or you are an executive in the government, business or part of a non-profit, you think you know the stakes.  You think you understand the Operational Risks associated with the hiring and employment of veterans.  You do not, because no one does completely.  This complex mosaic of laws, health care and human psychology issues may very well be, one of the greatest operational risk challenges before us as a nation.

Begin your journey to better understanding this, by visiting this U.S. Department of Veteran Affairs web site:  http://www.veteranscrisisline.net

This Memorial Day, we will remember all those heroes who have fallen, especially here at home.  In our own town.  We can and must do better...

04 May 2013

Offshore Strategies: Global Integrity Risk...

Global 500 organizations are managing Operational Risks across their respective enterprises, utilizing a portfolio of controls, tools and strategies.  One of those strategies is getting more attention from nation states and treasury departments.  Larger than Wikileaks, this ICIJ investigation is a digital peek behind the offshore strategy that is legal in many jurisdictions across the world:
An anonymous source has provided extensive insights into a worldwide network of tax evaders. 
Media in more than 30 countries are currently sifting through a mountain of data.
260 gigabytes of documents - that's the printed equivalent of 500,000 copies of the Bible. 
This is the massive amount of data that was passed on more than a year ago by an anonymous whistleblower to the International Consortium for Investigative Journalism (ICIJ) in Washington. More than two million emails and other confidential documents sketch a picture of a dubious shadow world. More than 130,000 people from 170 countries are alleged to have secreted their money in tax havens. Analyzing the data is a mammoth task that is still nowhere near completion.
The governance and transparency that a global enterprise displays to its shareholders, employees and governments is continuously at stake.  Some countries are considered more corrupt, and global organizations operating in that part of the world must be more aware of the risks of doing business there.
Some other interesting revelations:
  • The largest shares of the people setting up offshore accounts live in China, Hong Kong, Taiwan, Russia or another former Soviet republic. 
  • In turbulent Greece, both the upper and middle class are increasingly keeping their money in undeclared accounts — a situation that finance officials have since vowed to investigate.
  • A number of the world’s largest collectors use offshore accounts to buy and sell art without paying taxes. 
  • Offshore accounts are popular in Russia, where President Vladimir Putin has repeatedly asked politicians to stop using them: the deputy prime minister’s wife and top managers of Russian military contractors and government-controlled companies are thought to have secret offshore investments. 
  • Offshore accounts are a major source of investment in China and Russia. China’s second-largest source of capital investment is the British Virgin Islands.
  • You can read the full ICIJ report here.
Billionaires and politicians are hedging risks on the advice of tax attorneys and accountants, using financial strategies that are as old as tax laws.  Inside private business compliance and legal departments lies a vast staff of dedicated personnel tasked with mitigating risks to the organization.  Some global enterprises, such as Siemens AG, have paid the price for a governance architecture that failed.  Today, those lessons learned are still being taught even as others are implicated in alleged wrongdoing:
IBM Says Justice Department Investigating Bribe Allegations
By Sarah Frier on May 03, 2013

International Business Machines Corp. (IBM) is being probed by the U.S. Justice Department over corruption allegations in Poland, Argentina, Bangladesh and Ukraine, adding to bribery charges from the Securities and Exchange Commission. 
The Justice Department is investigating whether IBM violated the Foreign Corrupt Practices Act, the company said in an April 30 filing (IBM). In Poland, the department is focusing on a transaction that the Polish Central Anti-Corruption Bureau already was studying, the company said. It involves allegations of a former IBM employee selling to the Polish government. 
The Justice Department probe adds scrutiny in new territory as IBM tries to settle with the SEC over activity in China and South Korea. The global reach of the investigation indicates that this isn’t an isolated matter, said Charles Elson, corporate-governance professor at the University of Delaware. 
“If it happens in one country, you can say it’s an individual,” Elson said. “If it happens in multiple, you have to ask, is it systemic? And how well was the compliance program put in place to prevent it?”
So what can a General Counsel, VP of Operational Risk, Chief Risk Officer or even the Audit Committee do in light of these continuous incidents?  The trust that any person or organization has with its bankers, outside counsel, compliance subject matter experts, accounting advisors and management consultants is at stake.  The integrity of the entire global payments and economic ecosystem is at risk.  This source of systemic risk to governments, global enterprises, stock markets and average consumers is growing beyond control.

What can be done?  The serious conversation going on right now between your independent counselors continues to focus on trust and the people who are behind that trust.  You have got to have that serious conversation as a CEO, not with your first line of management Vice-Presidents, but several layers below them in the corporate hierarchy.  Believe us when we say, as the CEO, you can't see two layers below you, where all of the real work on daily transactions is getting done every day.  You are not on the front lines, where deals are being made and information is being exchanged that can have a material impact on daily business.

You see, it really all still comes back to people communicating information ethically: how and when people act on that information, and why people behave the way they do when they learn it.  As a CEO in charge of a global enterprise, you will never achieve transparency or integrity by controlling it from HQ on the executive floor, or from your executive GRC dashboard.  Your only chance is to reach the people who are at the source of doing business in your line processes, not staff, but "line".  The "line" is the life blood of daily business commerce and the power base for making a difference in how business is done and the integrity behind it.  The future of your enterprise depends on these people communicating information that is true, validated and researched to uncover any possible errors, omissions or other ethical issues.

The power base of the global economy is constantly changing.  The risks to the economic enterprise continue and the investigations are just beginning.  Offshore strategies are at the core of global integrity risk.

27 April 2013

Social Media Risk: Situational Awareness on Wall Street to Main Street...

It has been a wild few weeks for Twitter and the Operational Risks associated with account hijacking and "Tweets" that may compromise the positions of active police operations. The Boston Police were warning people via their official Twitter account:

The first official announcement that law enforcement agencies had concluded their manhunt for Boston Marathon bombing suspect Dzhokhar Tsarnaev didn’t come at a press conference by police commissioner Ed Davis or Mayor Tom Menino. It didn’t come from a press release or a dispatch over a police scanner. It came instead from two tweets:
Boston Police Dept. ✔ @Boston_Police #MediaAlert: WARNING: Do Not Compromise Officer Safety by Broadcasting Tactical Positions of Homes Being Searched.   8:52 AM - 19 Apr 2013 
Boston Police Dept. ✔ @Boston_Police #MediaAlert: WARNING - Do Not Compromise Officer Safety/Tactics by Broadcasting Live Video of Officers While Approaching Search Locations 1:14 PM - 19 Apr 2013
Social media and a hacked AP Twitter account were the catalyst for a sudden drop in the financial markets. As the news service realized what had occurred, it contacted its employees in the White House briefing room to refute the information:
Twitter Inc. plans to bolster security on its site after the account of the Associated Press news service was hacked and an erroneous post triggered a stock-market decline, according to a person familiar with the matter. 
Two-step authentication will be introduced to make it harder for outsiders to gain access to accounts, said the person, who declined to be identified because the information isn’t public. In addition to a password, the security measure requires a code sent via text message to a user’s mobile phone, or generated on a device or software. 
Twitter’s defense against password theft came under scrutiny this week after a hacker sent a false post about explosions at the White House, triggering a drop that wiped out $136 billion in value from the Standard & Poor’s 500 Index.
Social media is becoming a source of real-time situational awareness, and organizations that had ignored its potential impact on Operational Risk are now paying attention. Proactive steps are being taken not only to monitor the daily feeds of official company Twitter accounts but also to upgrade the security of those accounts with multi-factor authentication.
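The "code generated on a device or software" described in the report above is typically a time-based one-time password (RFC 6238): the phone and the service share a secret and each compute an HMAC over the current 30-second time step. The example below is added here and is not code from the original post, Twitter or Duo Security; it generates such codes, verifies a submitted code with a one-step tolerance for clock drift, and refuses a code whose time step has already been accepted. The secret is the published RFC 4226/6238 test key, not a real one.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret ("12345678901234567890"), used here only so the
# results can be checked against the published test vectors; never reuse it.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits, then reduced to the requested number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the
    Unix epoch. This is what the authenticator app on the phone computes."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, last_counter=-1, step=30, digits=6, window=1):
    """Service side: accept `submitted` if it matches the current time step or one
    step either side (clock drift), and only if that step is newer than the last
    accepted one, so a code captured in transit cannot be replayed inside the window.
    Returns the matched counter (persist it as the new last_counter) or None."""
    base = at_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue  # already consumed: reject replay
        expected = hotp(secret, counter, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    print("current code:", totp(TEST_SECRET, int(time.time())))
    print("RFC 6238 vector at T=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))
```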

Companies such as Duo Security are going to start seeing an uptick in their web site activity as a result of these latest hacks on Twitter and others. Why? Because it works.

Corporate integration of public relations and information security is nothing new per se. What is getting more attention is how social media has become a catalyst for changing human behavior. Even more revealing is how automated trading systems react to a false tweet on Twitter. Have the algorithms gone too far in high frequency trading? Not really. HFT professionals don't let Twitter change their strategies. Here is a dose of reality:
There is little predictive value in the events of the "Hack Crash." However, there are some key takeaways for traders. First is the importance of protective stops. One never knows what could happen next. Second, verify news reports. I have the AP's iPhone app, which alerts me to breaking news and had no mention of the tweet until after the fact. Therefore, the corporate disconnect between Twitter and their app was my first clue it was bogus. Finally, cut the high frequency traders some slack. Their programs are based on risk and reward just like our own and the liquidity they provide in times of dramatic events is exactly what allows us to get out of the market and keep some powder dry until the smoke clears.
What will continue to be an ongoing trend in corporate ranks is the need to continuously monitor social media and to spend the time on due diligence to determine what is real and what is simply "Information Operations" (IO). IO in the corporate ranks and across Wall Street is the name of the game. Those who understand how to manage their monitoring and deal with the daily anomalies will be able to mitigate the major risks to the enterprise.

Our only hope is that the thousands of major law enforcement agencies across the globe are doing the same. @Boston_Police is a good place to start for any lessons learned.

06 April 2013

BCOT: Insuring Privacy and Civil Liberties...

The U.S. Nationwide SAR Initiative brings the conversation of privacy and intelligence collection to a point of convergence. Guidance for local, regional and state agencies can be found in the "Building Communities of Trust" (BCOT) program being rolled out across the country.

The continued priority is to safeguard the privacy, civil rights, and civil liberties of United States citizens (including the assurances that not only is information shared appropriately with authorized personnel but that the information that is exchanged is "quality" information). Can a nation continue to increase its daily hometown "Situational Awareness" while simultaneously preserving the constitutional rights of, and trusted relationship with, its own citizens?

The Suspicious Activity Reporting (SAR) initiative is about Homeland Security Intelligence (HSI) engineered for the United States to ensure the privacy and civil liberties of its citizens. Governance of vital intelligence data is at the core of the program design, combining the correct process for access and compartmentalization with retention policies on certain types of relevant information.

The BCOT Guidance describes the challenges that must be addressed by fusion centers, local law enforcement agencies, and communities in developing these relationships of trust. These challenges can only be met if privacy, civil rights and civil liberties are protected. For fusion centers, this requires strong privacy policies and audits of center activities to ensure that the policies and their related standards are being fully met. For law enforcement agencies, it means that meaningful dialog and collaboration with communities needs to occur in a manner that increases legitimacy of the agency in the eyes of that community. Law enforcement must establish legitimacy in the communities they serve if trusting relationships are to be established. For communities, their leaders and representatives must collaborate with law enforcement and share responsibility for addressing the problems of crime and terrorism prevention in their neighborhoods.

Relationships of trust will not be established until key community leaders understand the intent of the information sharing environment and the preventive role that fusion centers and the SAR process plays in protecting the community from crime and violence. A fully transparent explanation can be the foundation for broad community understanding of the importance of these initiatives as well as the critical privacy, civil rights, and civil liberties protections that are in place.

The issue of trust is paramount in any relationship, whether it be personal or a JTTF working in concert with the local Metropolitan Police Department. In either case, the "Four Cores of Credibility" are necessary for humans to operate at the "Speed of Trust":

Integrity - is deep honesty and truthfulness. It is who we really are. It includes congruence, humility and courage. To increase your integrity, make and keep commitments to yourself. Stand for something and then live by it. Be open. Do you seriously consider other viewpoints? 
Intent - is your fundamental motive or agenda and the behavior that follows. It includes motive, agenda and behavior. To improve your intent, examine your motives. Are everyone's interests being served? Share the "why" behind the "what" wherever possible. 
Capabilities - are our capacity to produce and accomplish tasks: talents, attitudes, skills, knowledge and style. To build your capabilities, run with your strengths. Match your strengths to unique high-value opportunities. Know where you are going and keep the vision in front of you. 
Results - is your track record. People evaluate you on three key indicators of performance. Past, current and anticipated. To improve your results take responsibility and adopt a "results" mind-set. Expect to win and create a climate of high expectations. Finish strong and avoid the "victim mentality." 
Trust in a relationship and an environment of trust in the economy, national security or the stock market makes all the difference. The behaviors that you exhibit in public and behind closed doors with your stakeholders will set the tone for everyone inside and outside the organization. Can you think of any companies or people over the past two years that you have lost trust in?

When a person loses trust in another person, a company or its government, in many cases it comes back to information governance. The time, place and method for information dissemination or sharing will in many cases, become the basis for the reason why trust is maintained or eroded in the eyes of the other.

Suffice it to say that more than ever, "Open Source" information is becoming the starting point for all intelligence collection activities. In the context of corporate policy regarding the use of systems, most if not all companies have the right to monitor all applications for "Red Flag" indicators of fraud, espionage or other violations of state and federal laws. Corporations are using "Open Source" information to determine the initial profile of potential candidates for open positions, including analysis of Facebook or LinkedIn social networking profiles.
Executive Order 12333 emphasizes US citizens' rights:
The Executive Order maintains and strengthens existing protections for Americans' civil liberties and privacy rights. The Executive Order retains and reinforces the provisions in place in the original Executive Order 12333 to ensure that all intelligence activities are conducted in a manner that protects the civil liberties and privacy rights of Americans. All collection, retention, and dissemination of information regarding United States persons must be conducted in accordance with procedures approved by the Attorney General.
The future of "Building Communities of Trust" in the United States will require significant investments in building awareness, training front line officers and implementing effective oversight mechanisms. It will be achieved without the sacrifice of the rule sets established in 1791.