Who is Responsible for the Ethics of an Organization?

Posted In Human Resources, Legal, Regulatory Compliance on June 30th, 2011

I recently came across a discussion between Markkula Center for Applied Ethics’ Executive Director Kirk Hanson and Craig Nordlund, former general counsel of Agilent Technologies.  Nordlund believes the concern for ethics must be shared by everyone in the organization, but suggests ethics programs will be ineffective without leadership from the company’s top executives.

It is hard to argue with his comment stating “ethics programs will not work unless there is leadership on ethics from the company’s top executives”.

However, lessons learned and incidents seem to clearly reveal that leadership from the company’s top executives is not enough.

So why is creating an ethics culture so difficult for organizations? Perhaps ethics training is not enough or not even part of the solution?

The definition of training is a process to teach or learn a skill or job…and like the title of the article (Creating an Ethical Business Culture), I would agree that ethics is more of a culture than a job or skill.

Training is typically a once-a-year task on a learning management system with a one-size-fits-all general training module that everyone clicks through aimlessly because it is on the checklist of items that their organization thinks they need to do.

The definition of awareness seems to be a much better fit if an organization is serious about creating an ethical business culture. Awareness means being aware of the difference between two versions, being watchful and wary, and having or showing realization, perception or knowledge. Awareness is not taught once a year; awareness (especially situational awareness) is an ongoing process that must be specific to the organization’s culture and supported by top executives.

Every individual is part of the ethical business culture, so organizations must also make sure they have a platform to manage, update, communicate, document and measure situational awareness at the individual level…because most everyone knows that if you can’t measure it, it doesn’t exist.






How are Organizations Managing Policies Ongoing?

Posted In Business Continuity, Financial, Financial, Human Resources, Regulatory Compliance, Research, Validations on May 3rd, 2011

OCEG recently announced poll results from a One Minute Poll about Policy Management.  In their poll, 429 members replied to the following question: 

How do you primarily manage lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or centralized network drive
  • 14% use document or policy management software
  •  8% track changes in Word
  •  4% use other methods

 

Lessons learned:  Bad guys already know what the results from this poll clearly reveal…People are an organization’s weakest links.  As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.






The ERC on Whistleblowing Workplace Misconduct

Posted In Government, Human Resources, Incident Reporting, Workplace Violence on May 3rd, 2011

The Ethics Resource Center’s (ERC) recent survey revealed that 40% of employees who observe misconduct do not step forward to report it, out of fear of retaliation, mistrust, or a belief that their reports will be ignored.

Lessons Learned: Organizations must develop secure, anonymous and/or confidential reporting solutions to empower all employees (and third parties) to report suspicious incidents, violence, fraud, misconduct, ethical violations, etc. And once an incident has been reported, all appropriate personnel (ethics, legal, management, compliance, safety, law enforcement, etc.) should be immediately and automatically notified to ensure a timely response and ensure red flags do not fall through the cracks.

Based on other surveys and reports, the percentage of people reporting incidents is even lower, and when tips are not reported it is nearly impossible for organizations to proactively prevent or intervene.






Missed Opportunities With Red Flags and Warning Signs

Posted In Campus Safety, Human Resources, Incident Reporting, Risk Management, School Safety on January 20th, 2011

Already in 2011, tragedies in Tucson and Omaha have reminded each of us about the consequences of missed opportunities involving red flags and warning signs. Lives were lost and lives will be changed forever because of these and many other tragic incidents.

We are now learning that numerous red flags and warning signs existed involving the gunman in each tragedy, which has many people asking why these two tragedies were not prevented and how we can prevent future incidents like these from occurring.

Some people are suggesting new gun control laws in Arizona or new laws that do not allow guns within 1000 feet of government officials. In Omaha, some are suggesting school metal detectors and cameras.

Unfortunately these suggestions are knee-jerk reactions that miss the point. The ‘big picture’ issue is prevention and what organizations need to do differently to improve their prevention and intervention efforts.

For example, what are schools’ responsibilities for sharing information with appropriate entities in the community, and how can we ensure all dots are connected across multiple locations, multiple levels of law enforcement, mental health professionals, etc.?

Organizations need to encourage and empower people (students, faculty, staff, law enforcement, parents, employees, community members, etc.) to report suspicious incidents, red flags and warning signs as soon as they identify them.

All personnel should be trained to look for early indicators – behaviors and warning signs (bullying, intimidation, threats, harassment, targeted violence, etc.) – that require immediate reporting.

Organizations need to offer anonymous incident reporting options and the ability to automatically deliver incident reports to the right people…even if the right people are in multiple locations or at multiple organizations. Once incidents have been reported, it is also critical to ensure all necessary follow-up actions are documented, appropriate authorities are notified and red flags do not continue to fall through the cracks. Traditional and status quo incident reporting systems rarely offer this level of holistic functionality.

Organizations need to centralize and securely share information more effectively across silos, organizations and communities. Sharing has been difficult because of paper-based methodologies, because of a lack of awareness involving privacy regulations such as FERPA and HIPAA, and because of political and authority breakdowns.

Organizations need ongoing training based on individual roles and responsibilities, more comprehensive policies and procedures, increased awareness of how to recognize behavioral changes, secure access to professional threat assessment and behavioral analysis teams, and effective ways to continually connect the dots (people dots and process dots). Organizations need to empower their people (and third parties) with proactive prevention tools that replace status quo and reactive approaches that are not working.

With improved situational awareness, improved information sharing and proactive identification of red flags, organizations will be able to prevent incidents rather than reading about them in the news.






Phishing for Mobile Users? They Are Taking the Bait

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on January 6th, 2011

In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites. 

Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information. 

Why are mobile users more vulnerable?

  • Availability – smartphones are with their users 24/7, so e-mail is checked more frequently. Phishing attacks generally get their victims during the initial launch, because after a certain time frame the sites are taken down, blocked or shut down.
  • Size – the smaller screens of mobile devices can inadvertently hide clues that the e-mail contains false information or fraudulent web site links or URLs. Users on smartphones miss the basic signs of phishing e-mails, like slightly tweaked URLs, hidden URLs behind links, poorly spelled e-mails, etc.
  • View – many times e-mails are displayed differently on mobile devices. For example, on a BlackBerry the “From” field may include just the name of the sender, but not the e-mail address.
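To make the three clues concrete for an awareness session, here is an added Python example (not from the Trusteer study or the original post) that contrasts what a name-only “From” field and bare link text show against what a full-size client would reveal. The sample message, the trusted domain `acme-bank.example` and the misspelling word list are all constructed assumptions.

```python
"""Flags phishing clues that a small screen or name-only 'From' field hides."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phish): display name, visible link text and
# the real href all disagree in exactly the ways a phone's mail view conceals.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank-secure-login.example>
To: user@example.com
Subject: Urgent: verify your acount
Content-Type: text/html

<html><body><p>Your acount has been locked. Please verify at
<a href="http://acme-bank.example.evil-host.example/login">https://www.acme-bank.example/login</a>
within 24 hours.</p></body></html>
"""

TRUSTED_DOMAINS = {"acme-bank.example"}        # assumption: the organisation's own domains
MISSPELLINGS = ("acount", "verfy", "securty")  # tiny constructed word list
# Crude anchor matcher; enough for the simple constructed HTML above.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _registrable(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix list."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def _parse(raw_email):
    """Return (display name, address, body text, [(href, visible text), ...])."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    links = [(href, re.sub(r"<[^>]+>", "", text).strip())
             for href, text in LINK_RE.findall(body)]
    return name, addr, body, links


def mobile_preview(raw_email):
    """What a name-only 'From' field plus bare link text shows: nothing alarming."""
    name, _, _, links = _parse(raw_email)
    return {"from": name, "links": [text for _, text in links]}


def phishing_clues(raw_email):
    """Clues a full-size client reveals: address domain, real href, misspellings."""
    name, addr, body, links = _parse(raw_email)
    clues = []
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if _registrable(sender_domain) not in TRUSTED_DOMAINS:
        clues.append(f"'{name}' sends from untrusted domain {sender_domain}")
    for href, text in links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith("http") else None
        if text_host and _registrable(text_host) != _registrable(href_host):
            clues.append(f"link text shows {text_host} but points to {href_host}")
        elif _registrable(href_host) not in TRUSTED_DOMAINS:
            clues.append(f"link points to untrusted host {href_host}")
    for word in MISSPELLINGS:
        if re.search(rf"\b{word}\b", body, re.I):
            clues.append(f"misspelled word '{word}'")
    return clues


if __name__ == "__main__":
    print("phone view:", mobile_preview(SAMPLE_EMAIL))
    for clue in phishing_clues(SAMPLE_EMAIL):
        print("clue:", clue)
```

Running it shows the phone view as nothing more than a familiar name and a plausible-looking URL, while the full parse surfaces three separate warning signs.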

 

The report also mentioned that iPhone users were more likely than BlackBerry users to visit fraudulent phishing sites. One potential explanation was that BlackBerrys are used by more enterprises, while iPhones are popular with end consumers, and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third parties) are aware of the risks from mobile devices?

Do your employees understand what phishing is?  What about smishing and vishing?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices. It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis. A once-a-year general training program is not enough; employees need ongoing awareness reminders.

One recommendation I would make is to share this Trusteer study with your employees. Many of your users may have no idea of the potential risks they can encounter on their mobile phone. Lessons learned make for great awareness tips and will help your employees understand that your security requirements and acceptable use policies are there for good reason.






Does Information Equal Awareness?

Posted In Business Continuity, Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on November 18th, 2010


  • General Information
  • Personally Identifiable Information
  • Intelligence Information
  • Industry Information
  • Regulatory Information
  • Legal Information
  • Risk Information
  • Customer Information
  • Emergency Information
  • Competitive Information
  • Etc.

Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.

BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.

Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred. 

And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time, so they could have taken appropriate actions to prevent, intervene or respond more proactively.

For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization, ask yourself these questions:

  • Did information exist that could have helped prevent the incident or mistake?
  • Does my organization have a good way to turn information into situational awareness?
  • Do all appropriate individuals have the ability to access confidential situational awareness?
  • Does our incident reporting system just pass along information?
  • Do our threat assessment and security teams have access to situational awareness?
  • Do our decision makers and leaders have on-demand access to updated situational awareness?





Is Your Incident Reporting System Putting Your Organization At Risk?

Posted In Emergency Management, Human Resources, Incident Reporting, Legal, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on November 11th, 2010

How is your incident reporting system working for you? 

Or perhaps the question should be – Is your incident reporting system working against you?

Lessons learned continue to show that organizations find themselves in ‘reaction mode’ more than in ‘prevention mode’. How can this be when most every organization claims to have an incident reporting system in place?

Are traditional incident reporting systems obsolete?

Multiple surveys reveal that 90% of bystanders who witness a bullying incident DO NOT report the incident. So why aren’t bystanders reporting incidents?

Perhaps bystanders are not reporting because of one or more of the following reasons:

  • Scared to get involved
  • Not sure how to report incidents
  • Not comfortable with incident reporting options such as paper, in person, phone or text
  • Lack of anonymity when reporting incidents
  • Bystander does not trust the incident reporting system will work
  • Bystander does not trust the organization will take action
  • And many others…

 

Victims are also reluctant to use traditional incident reporting systems.  Victims want to be heard, but many victims do not trust traditional incident reporting systems due to:

  • They tried using the traditional incident reporting system and nothing happened
  • No anonymous option to report incidents
  • Not knowing who was on the other end of the incident reporting system
  • Afraid their information would not be kept confidential
  • And many others…

 

Like bullying and cyberbullying, workplace violence incidents seem to be increasing too. Mounting stress related to economic challenges, job layoffs and mortgage foreclosures continues to affect millions of individuals and families. Some individuals have taken out their frustration on their bosses, their co-workers or their family members where they work…and many of the incidents could have been prevented based on red flags that were discovered after the incident.

Suicides and bullycides seem to be increasing too. According to statistics from support organizations, 5,000 teenagers commit suicide a year, and perhaps as many as 500,000 or more teenagers contemplate or attempt suicide each year. What if these 5,000 teenagers had had a trusted incident reporting option they could have reached out to for help?

So is your traditional incident reporting system really working for you if bystanders are not reporting incidents and victims are not reaching out for help?

Red Flags and Prevention

Without red flags, it is nearly impossible for security teams and threat assessment and intervention teams to prevent incidents from happening. Yet after almost every bullycide or workplace violence incident, people come forward and say they were aware of multiple suspicious incidents and red flags, but did not report them because they did not know how to or did not understand what suspicious activities should be reported. In some cases, people DID report the incidents and unfortunately the organization did not connect the dots.

Legal Defensibility

In our highly regulated and litigious society, victims and their families are taking organizations to court when they fail to respond as mandated.  Many lawsuits brought against organizations cite “deliberate indifference” or the conscious or reckless disregard of the consequences of one’s acts or omissions.

Deliberate indifference is often the result of:

  • Lack of Awareness – meaning people did not know what to do in different situations even though previous incidents, legal obligations and regulatory mandates exist
  • Lack of Follow Through – meaning people knew about the issues, but did not take immediate actions to end the issue and did not take appropriate actions to eliminate the hostile environment and prevent future incidents
  • Failed efforts based on the situation, state mandates or organizational obligations

 

Experts seem to be in agreement that reacting to incidents is much more expensive (and embarrassing) than preventing the incidents from happening, but prevention requires a more comprehensive suite of incident reporting tools, including:

  • Anonymous or non-anonymous incident reporting tools
  • Threat Assessment and Security Team collaboration tools
  • Secure and confidential information sharing tools
  • Situational awareness tools for all appropriate individuals and team members
  • Accessibility options for anytime access to the suite of tools
  • Documentation / reporting tools covering the entire process for compliance and legal defensibility
  • And adaptability options as needs and situations continue to change

 

Is your traditional incident reporting system helping you or working against you?






Social Engineering: Need $11K?… Just Ask a Wal-Mart Employee

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on September 24th, 2010

In a recent incident, a man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read him the card numbers and then provide the authorization codes from the back of the cards. The associate willingly did so – and not until $11,000 in online fraud later did the store realize it had been tricked.

This is a great lesson learned to share with your employees (and third parties). Do your employees understand your organization’s policies on providing/protecting information in different situations?

The Wal-Mart caller did not give the associate any reason to believe he was really from the IT department…do your employees understand authentication procedures and passwords?

The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious?  Would they know how and where to report the suspicious caller to the appropriate personnel?

Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?

Do your employees participate in ongoing situational awareness training? Are you updating your employees as new social engineering techniques, risks and threats emerge?

Have your employees acknowledged their individual roles and responsibilities in case of a lawsuit or termination?

Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams. 

Are you educating your employees on best practices for protecting information?






Dissemination Trap vs. Implementing/Building and Maintaining

Posted In Human Resources, Incident Reporting, Information Security, Risk Management on September 10th, 2010

Dennis McCafferty of CIO Insight recently did a two-part overview on Enterprise Security Risks, and in part 2 he talked about the hottest security catch phrase of 2010 – Advanced Persistent Threat (APT).

According to the overview, an Advanced Persistent Threat is an insidious attack by a well-funded, state-sponsored intelligence organization.  The overview goes on to describe how APT attackers are more patient than a bored Gen Y hacker or financially motivated crook. They are willing to slowly gather information and data from multiple sources and social media sites and then execute a targeted, social-engineering attack on their terms.

Are bad guys out-thinking the good guys…again? Yes, but if the good guys are paying attention to lessons learned, they would know the key to defeating the APT risk (and numerous other escalating risks) is not falling into the dissemination trap.

Most organizations fall victim to the dissemination trap because they are simply disseminating policies, procedures, general training, best practices, regulatory requirements, etc. using binders, e-mails, memos, intranets, portals and shared drives. The article correctly points out that every employee and endpoint is a potential point of entry, yet organizations and their leaders continue to believe that dissemination of documents and general training is enough. The bad guys know this too, which is why APT and thousands of other risks and new attacks target your employees, contractors, vendors, consultants, temps, etc.

Implementation is not dissemination. Implementation is building environments of security awareness, situational awareness, risk awareness, accountability, compliance, preparedness, legal defensibility, trust and more…and it must be maintained on an ongoing basis to keep up with the bad guys.

Are you keeping up or falling into the dissemination trap?






Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

Dissemination vs. Implementation

The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. 

What was shocking to me was that from April through July of this year, the VA lost 72 BlackBerrys and 34 laptops. Patient information was sent to the wrong address or mailed incorrectly 441 times. There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.

Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention? 

I think the VA needs to ask a couple of questions:

1) Why are so many handheld devices and laptops being lost? Are there ways we can educate our employees on best practices for protecting devices? Are there consequences?

2) With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption? Are employees taking home sensitive information that should not be placed on personal devices? Do employees know what information is sensitive?

3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information? How do we know there were only 441 errors; were these just the mistakes that were caught?

4) How can we implement ongoing awareness and educate our employees (and third parties) on protecting sensitive information?

 

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs, and a lot less expensive for us taxpayers too…is anyone interested in implementing lessons learned?





