As budgets grow tighter…how many school Superintendents would approve the following expense requests?
Expense Request A:
I am submitting a request to spend thousands of dollars to print up thousands of pages of information that no one will read…
Expense Request B:
I am submitting a request to spend thousands of dollars for software, hardware and personnel to support the software and hardware so we can upload documents on our intranet that no one will read…
Bottom lines are getting crunched because schools are still spending thousands and thousands of dollars on printing, distributing and updating Student Handbooks, Teacher Handbooks, Employee Handbooks, Department Binders, Code of Conduct Manuals, Emergency Plan Binders, Operations Manuals, Safety Manuals, Regulatory Manuals and others. And after spending thousands of precious dollars, schools have no idea if anyone is reading them and even if individuals do read them, schools have no way of knowing or proving it.
Bottom lines are getting zapped even more thanks to software, hardware and personnel to create “digital handbooks” and “intranets”. Once again schools are spending thousands of dollars and schools have no idea if anyone is reading the documents and even if individuals do read them, schools have no way of knowing or proving it.
And bottom lines continue to get robbed because schools will spend thousands of dollars on labor-intensive efforts to collect paper-based documents that have been signed by students, parents, teachers, staff, bus drivers and others. Then schools will spend even more money on labor-intensive efforts to file the signed paper documents and ongoing efforts keeping track of who signed (or did not sign) with spreadsheets and home-grown databases.
Status quo training costs are also zapping bottom lines. If a school adds up all of the labor-intensive efforts, training documents, training facilities, trainer expenses, overtime, travel time, re-training sessions, spreadsheets and paper-based documentation of attendance and other costs, the numbers can be shocking. Unfortunately we human beings are not very good at remembering a lot of information delivered via a “fire hose” once or twice a year, which leads to mistakes, re-dos, fines, lawsuits and numerous other bottom line killers.
If you would like to see how your school can replace 20th century approaches that are killing your tight budget, click here to see how TIPS is equipping schools with 21st century tools to reduce and eliminate these costs.
I recently came across a discussion between Markkula Center for Applied Ethics’ Executive Director Kirk Hanson and Craig Nordlund, former general counsel of Agilent Technologies. Nordlund believes the concern for ethics must be shared by everyone in the organization, but suggests ethics programs will be ineffective without leadership from the company’s top executives.
It is hard to argue with his comment stating “ethics programs will not work unless there is leadership on ethics from the company’s top executives”.
However, lessons learned and incidents seem to clearly reveal that leadership from the company’s top executives is not enough.
So why is creating an ethics culture so difficult for organizations? Perhaps ethics training is not enough or not even part of the solution?
The definition of training is a process to teach or learn a skill or job…and like the title of the article (Creating an Ethical Business Culture), I would agree that ethics is more of a culture than a job or skill.
Training is typically a once-a-year task on a learning management system with a one-size-fits-all general training module that everyone clicks through aimlessly because it is on the checklist of items that their organization thinks they need to do.
The definition of awareness seems to be a much better fit if an organization is serious about creating an ethical business culture. To be aware is to be watchful and wary, and to have or show realization, perception or knowledge. Awareness is not taught once a year; awareness (especially situational awareness) is an ongoing process that must be specific to the organization’s culture and supported by top executives.
Every individual is part of the ethical business culture, so organizations must also make sure they have a platform to manage, update, communicate, document and measure situational awareness at the individual level…because most everyone knows if you can’t measure it, it doesn’t exist.
Recent attacks continue to show that spear phishing is quickly emerging as one of the society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, sites they are visiting, e-mails they are responding to, etc.
Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road. Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.
OCEG recently announced poll results from a One Minute Poll about Policy Management. In their poll, 429 members replied to the following question:
How do you primarily manage lifecycle of internal policies, procedures and guidelines?
Lessons learned: Bad guys already know what the results from this poll clearly reveal…People are an organization’s weakest links. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.
The Ethics Resource Center’s (ERC) recent survey revealed that 40% of employees observing misconduct do not step forward to report it out of fear of retaliation, mistrust or feel their reports will be ignored.
Lessons Learned: Organizations must develop secure, anonymous and/or confidential reporting solutions to empower all employees (and third parties) to report suspicious incidents, violence, fraud, misconduct, ethical violations, etc. And once an incident has been reported, all appropriate personnel (ethics, legal, management, compliance, safety, law enforcement, etc.) should be immediately and automatically notified to ensure a timely response and ensure red flags do not fall through the cracks.
Based on other surveys and reports, the percentage of people reporting incidents is even lower and when tips are not reported, it is nearly impossible for organizations to proactively prevent or intervene.
Already in 2011, tragedies in Tucson and Omaha have reminded each of us about the consequences of missed opportunities involving red flags and warning signs. Lives were lost and lives will be changed forever because of these and many other tragic incidents.
We are now learning numerous red flags and warning signs existed involving the gunman in each tragedy, which has many people asking why these two tragedies were not prevented and how can we prevent future incidents like these from occurring?
Some people are suggesting new gun control laws in Arizona or new laws that do not allow guns within 1000 feet of government officials. In Omaha, some are suggesting school metal detectors and cameras.
Unfortunately these suggestions are knee-jerk reactions that miss the point. The ‘big picture’ issue is prevention and what organizations need to do differently to improve their prevention and intervention efforts.
For example, what are schools’ responsibilities for sharing information with appropriate entities in the community and how can we ensure all dots are connected across multiple locations, multiple levels of law enforcement, mental health professionals, etc.?
Organizations need to encourage and empower people (students, faculty, staff, law enforcement, parents, employees, community members, etc.) to report suspicious incidents, red flags and warning signs as soon as they identify them.
All personnel should be trained to look for early indicators – behaviors and warning signs (bullying, intimidation, threats, harassment, targeted violence, etc.) – that require immediate reporting.
Organizations need to offer anonymous incident reporting options and the ability to automatically deliver incident reports to the right people…even if the right people are in multiple locations or at multiple organizations. Once incidents have been reported it is also critical to ensure all necessary follow-up actions are documented, appropriate authorities are notified and red flags do not continue to fall through the cracks. Traditional and status quo incident reporting systems rarely offer this level of holistic functionality.
Organizations need to centralize and securely share information more effectively across silos, organizations and communities. Sharing has been difficult because of paper-based methodologies and because of lack of awareness involving privacy regulations such as FERPA and HIPAA, as well as political and authority breakdowns.
Organizations need ongoing training based on individual roles and responsibilities, more comprehensive policies and procedures, increased awareness on how to recognize behavioral changes, secure access to professional threat assessment and behavioral analysis teams, and effective ways to continually connect the dots (people dots and process dots). Organizations need to empower their people (and third-parties) with proactive prevention tools that replace status quo and reactive approaches that are not working.
With improved situational awareness, improved information-sharing and proactively identifying red flags, organizations will be able to prevent incidents, rather than reading about them in the news.
In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites.
Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information.
Why are mobile users more vulnerable?
The report also mentioned that iPhone users were more likely than BlackBerry users to visit fraudulent phishing sites. One potential explanation was that BlackBerrys are used by more enterprises, while iPods are popular with end consumers, and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?
Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices?
Do your employees understand what phishing is? What about smishing and vishing?
Do they know how to recognize the signs of a phishing attempt?
Do they know where to report suspicious incidents and phishing e-mails?
What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?
It is critical for organizations to implement clearly defined policies for using mobile devices. It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis. A once-a-year general training program is not enough; employees need ongoing awareness reminders.
One recommendation I would make is to share this Trusteer study with your employees. Many of your users may have no idea of the potential risks they can encounter on their mobile phone. Lessons learned make for great awareness tips and will help your employees understand your security requirements and acceptable use policies are there for good reason.
Personally Identifiable Information
Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.
BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.
Lessons learned continue to reveal that just having information is not enough. Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred.
And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time so they could have taken appropriate actions to prevent or intervene or respond more proactively.
For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization ask yourself these questions:
In a recent incident, a man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read him the card numbers and then provide the authorization codes from the back of the cards. The associate willingly did so, and only after $11,000 in online fraud did the store realize it had been tricked.
This is a great lesson learned to share with your employees (and third-parties). Do your employees understand your organization’s policies on providing/protecting information in different situations?
The Wal-Mart caller did not give the associate any reason to believe he was really from the IT department…do your employees understand authentication procedures and passwords?
The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious? Would they know how and where to report the suspicious caller to the appropriate personnel?
Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?
Do your employees participate in ongoing situational awareness training? Are you updating your employees as new social engineering techniques, risks, and threats change?
Have your employees acknowledged their individual roles and responsibilities in case of a lawsuit or termination?
Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams.
Are you educating your employees on best practices for protecting information?
In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.
I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.
Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action, etc. Blueprints can also include programs, policies, procedures, processes, guidelines, checklists, etc.
But blueprints are not skyscrapers.
Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, etc.), schedule a meeting or training session, post their blueprints on an intranet/portal and think they have built their “skyscraper”.
More and more organizations are learning the hard way that having blueprints is not enough.
Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate.
Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?