About Awareity | About the Blog | About the Authors
Lessons Learned Blog

Cutting Wasted Expenses Helps Meet Budget Cuts

Posted In Education, Education, Human Resources on February 24th, 2012
Tags: , , ,

 

As budgets grow tighter…how many school Superintendents would approve the following expense requests?

Expense Request A:

I am submitting a request to spend thousands of dollars to print up thousands of pages of information that no one will read…

Expense Request B:

I am submitting a request to spend thousands of dollars for software, hardware and personnel to support the software and hardware so we can upload documents on our intranet that no one will read…

Bottom lines are getting crunched because schools are still spending thousands and thousands of dollars on printing, distributing and updating Student Handbooks, Teacher Handbooks, Employee Handbooks, Department Binders, Code of Conduct Manuals, Emergency Plan Binders, Operations Manuals, Safety Manuals, Regulatory Manuals and others.  And after spending thousands of precious dollars, schools have no idea if anyone is reading them and even if individuals do read them, schools have no way of knowing or proving it.

Bottom lines are getting zapped even more thanks to software, hardware and personnel to create “digital handbooks” and “intranets”.  Once again schools are spending thousands of dollars and schools have no idea if anyone is reading the documents and even if individuals do read them, schools have no way of knowing or proving it.

And bottom lines continue to get robbed because schools will spend thousands of dollars on labor-intensive efforts to collect paper-based documents that have been signed by students, parents, teachers, staff, bus drivers and others.  Then schools will spend even more money on labor-intensive efforts to file the signed paper documents and ongoing efforts keeping track of who signed (or did not sign) with spreadsheets and home-grown databases.

Status quo training costs are also zapping bottom lines.  If a school adds up all of the labor-intensive efforts, training documents, training facilities, trainer expenses, overtime, travel time, re-training sessions, spreadsheets and paper-based documentation of attendance and other costs, the numbers can be shocking.  Unfortunately we human beings are not very good at remembering a lot of information delivered via a “fire hose” once or twice a year, which leads to mistakes, re-dos, fines, lawsuits and numerous other bottom line killers.

If you would like to see how your school can replace 20th century approaches that are killing your tight budget, click here to see how TIPS is equipping schools with 21st century tools to reduce and eliminate these costs.

 



No Comments   


Who is Responsible for the Ethics of an Organization?

Posted In Human Resources, Legal, Regulatory Compliance on June 30th, 2011
Tags: , , , ,

 

I recently came across a discussion between Markkula Center for Applied Ethics’ Executive Director Kirk Hanson and Craig Nordlund, former general counsel of Agilent Technologies.  Nordlund believes the concern for ethics must be shared by everyone in the organization, but suggests ethics programs will be ineffective without leadership from the company’s top executives.

It is hard to argue with his comment stating “ethics programs will not work unless there is leadership on ethics from the company’s top executives”.

However, lessons learned and incidents seem to clearly reveal that leadership from the company’s top executives is not enough.

So why is creating an ethics culture so difficult for organizations? Perhaps ethics training is not enough or not even part of the solution?

The definition of training is a process to teach or learn a skill or job…and like the title of the article (Creating an Ethical Business Culture), I would agree that ethics is more of a culture than a job or skill.

Training is typically a once-a-year task on a learning management system with a one-size-fits-all general training module that everyone clicks through aimlessly because it is on the checklist of items that their organization thinks they need to do.

The definition of awareness seems to be a much better fit if an organization is serious about creating an ethical business culture. Awareness is to be aware of the difference between two versions, watchful and wary and having or showing realization and perception or knowledge. Awareness is not taught once-a-year, awareness (especially situational awareness) is an ongoing process that must be specific to the organization’s culture and supported by top executives.

Every individual is part of the ethical business culture so organizations must also make sure they have a platform to manage, update, communicate, document and measure situational awareness at the indiviidual level…because most everyone knows if you can’t measure it, it doesn’t exist.



No Comments   


Consumer Awareness/Education…Potential Competitive Advantage for Banks?

Posted In Financial, Human Resources, Information Privacy, Information Security, Regulatory Compliance, Risk Management, Validations on May 3rd, 2011
Tags: , , ,

 

Recent attacks continue to show that spear phishing is quickly emerging as one of the society’s greatest threats.  Technology alone is NOT going to solve this problem.  It is critical for consumers to be more vigilant and aware of what they are clicking on, sites they are visiting, e-mails they are responding to, etc.

Lessons Learned:  Financial insitutions should make consumer education a higher priority.  Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road.  Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.



No Comments   


How are Organizations Managing Policies Ongoing?

Posted In Human Resources, Regulatory Compliance on May 3rd, 2011

 

OCEG recently announced poll results from a One Minute Poll about Policy Management.  In their poll, 429 members replied to the following question:

How do you primarily manage lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or centralized network drive
  • 14% use document or policy management software
  •  8% track changes in Word
  •  4% use other methods

 

Lessons learned:  Bad guys already know what the results from this poll clearly reveal…People are an organization’s weakest links.  As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.



No Comments   


The ERC on Whistleblowing Workplace Misconduct

Posted In Government, Human Resources, Workplace Violence on May 3rd, 2011
Tags: , , ,

 

The Ethics Resource Center’s (ERC) recent survey revealed that 40% of employees observing misconduct do not step forward to report it out of fear of retaliation, mistrust or feel their reports will be ignored.

Lessons Learned: Organizations must develop secure, anonymous and/or confidential reporting solutions to empower all employees (and third-parties) to report suspicious incidents, violence, fraud, misconduct, ethical violations, etc.  And once an incident has been reported, all appropriate personnel (ethics, legal, management, compliance, safety, law enforcement, etc) should be immediately and automatically notified to ensure a timely response and ensure red flags do not fall through the cracks.

Based on other surveys and reports, the percentage of people reporting incidents is even lower and when tips are not reported, it is nearly impossible for organizations to proactively prevent or intervene.



No Comments   


Missed Opportunities With Red Flags and Warning Signs

Posted In Campus Safety, Human Resources, Incident Reporting, Risk Management, School Safety on January 20th, 2011
Tags: , , ,

 

Already in 2011, tragedies in Tucson and Omaha have reminded each of us about the consequences of missed opportunities involving red flags and warning signs.  Lives were lost and lives will be changed forever because of these and many other tragic incidents.

We are now learning numerous red flags and warning signs existed involving the gunman in each tragedy, which has many people asking why these two tragedies were not prevented and how can we prevent future incidents like these from occurring?

Some people are suggesting new gun control laws in Arizona or new laws that do not allow guns within 1000 feet of government officials.  In Omaha, some are suggesting school metal detectors and cameras.

Unfortunately these suggestions are knee-jerk reactions that miss the point.  The ‘big picture’ issue is prevention and what organizations need to do differently to improve their prevention and intervention efforts.

For example, what are schools’ responsibilities for sharing information with appropriate entities in the community and how can we ensure all dots are connected across multiple locations, multiple levels of law enforcement, mental health professionals, etc.?

Organizations need to encourage and empower people (students, faculty, staff, law enforcement, parents, employees, community members, etc.) to report suspicious incidents, red flags and warning signs as soon as they identify them.

All personnel should be trained to look for early indicators – behaviors and warning signs (bullying, intimidation, threats, harassment, targeted violence, etc.) – that require immediate reporting.

Organizations need to offer anonymous incident reporting options and the ability to automatically deliver incident reports to the right people…even if the right people are in multiple locations or at multiple organizations.  Once incidents have been reported it is also critical to ensure all necessary follow-up actions are documented, appropriate authorities are notified and red flags do not continue to fall through the cracks.  Traditional and status quo incident reporting systems rarely offer this level of holistic functionality.

Organizations need to centralize and securely share information more effectively across silos, organizations and communities.  Sharing has been difficult because of paper-based methodologies and because of lack of awareness involving privacy regulations such as FERPA and HIPAA, as well as political and authority breakdowns.

Organizations need ongoing training based on individual roles and responsibilities, more comprehensive policies and procedures, increased awareness on how to recognize behavioral changes, secure access to professional threat assessment and behavioral analysis teams, and effective ways to continually connect the dots (people dots and process dots). Organizations need to empower their people (and third-parties) with proactive prevention tools that replace status quo and reactive approaches that are not working.

With improved situational awareness, improved information-sharing and proactively identifying red flags, organizations will be able to prevent incidents, rather than reading about them in the news.

 



No Comments   


Phishing for Mobile Users? They Are Taking the Bait

Posted In Human Resources, Information Privacy, Information Security, Risk Management on January 6th, 2011
Tags: , , , , , , ,

 

In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites.

Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information.

Why are mobile users more vulnerable?

  • Availability – smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down.
  • Size – the smaller screens of mobile devices can inadvertently hide clues that the e-mail contains false information or fraudulent web site links or URLs. Users on smart phones miss the basic signs of phishing emails like slightly tweaked URLs, hidden URLs behind links, poorly spelled e-mails, etc.
  • View – many times the way e-mails are displayed is different on mobile devices. For example, on a BlackBerry, the “From” field may just include the name of the sender, but not the e-mail address.

 

The report also mentioned that iPhones users were more likely than BlackBerry users to visit fraudulent phishing sites.  One potential explanation was that BlackBerrys are used by more enterprises, while iPods are popular with end-consumers and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices? 

Do your employees understand what phishing is?  What about smishing and vishing?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices.  It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis.  A once-a-year general training program is not enough; employees need ongoing awareness reminders.

One recommendation I would make is to share this Trusteer study with your employees.  Many of your users may have no idea of the potential risks they can encounter on their mobile phone.  Lessons learned make for great awareness tips and will help your employees understand your security requirements and acceptable use policies are there for good reason.

 



No Comments   


Does Information Equal Awareness?

Posted In Business Continuity, Emergency Management, Human Resources, Incident Reporting, Information Security, Regulatory Compliance on November 18th, 2010

 

General Information
Personally Identifiable Information
Intelligence Information
Industry Information
Regulatory Information
Legal Information
Risk Information
Customer Information
Emergency Information
Competitive Information
Etc….

Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.

BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.

Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred.

And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time so they could have taken appropriate actions to prevent or intervene or respond more proactively.

For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization ask yourself these questions:

  • Did information exist that could have helped prevent the incident or mistake?
  • Does my organization have a good way to turn information into situational awareness?
  • Do all appropriate individuals have the ability to access confidential situational awareness?
  • Does our incident reporting system just pass along information?
  • Do our threat assessment and security teams have access to situational awareness?
  • Do our decision makers and leaders have on-demand access to updated situational awareness?


No Comments   


Social Engineering: Need $11K?… Just Ask a Wal-Mart Employee

Posted In Human Resources, Information Security, Legal on September 24th, 2010
Tags: , ,

 

In a recent incident, a man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read to him the card numbers and then provide the authorization codes from the back of the cards.  The associate willingly did so – and not until $11,000 in online fraud later, did the store realize they had been tricked.

This is a great lesson learned to share with your employees (and third-parties).  Do your employees understand your organization’s policies on providing/protecting information in different situations?

The Wal-Mart caller did not give the associate any reason to believe he was really from the IT department…do your employees understand authentication procedures and passwords?

The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious?  Would they know how and where to report the suspicious caller to the appropriate personnel?

Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?

Do your employees participate in ongoing situational awareness training?  Are you updating your employees as new social engineering techniques, risks, and threats change?

Have your employees acknowledged their individual roles and responsibilities in case of a lawsuit or termination?

Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams.

Are you educating your employees on best practices for protecting information?



No Comments   


Blueprints Do Not Build Skyscrapers

Posted In Business Continuity, Human Resources, Risk Management, School Safety, Workplace Violence on August 11th, 2010
Tags: , ,

 

In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.

I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.

Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action and etc.  Blueprints can also include programs, policies, procedures, processes, guidelines, checklists and etc.

But blueprints are not skyscrapers. 

Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, and etc.) and schedule a meeting or training session and post their blueprints on an intranet/portal and think they have built their “skyscraper”.

More and more organizations are learning the hard way that having blueprints is not enough.

Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate.

Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?



No Comments   


Older Posts >>





rss  facebook  twitter  linked in 





Better Knowledge. Better Dcisions. Better Results.

Email: info[at]awareity.com
Phone: 1.866.999.MOAT (6628)

All content © 2010-2011