123 Failed Banks…the Killer Gap
123 banks have now been closed this year and questions continue to mount with each bank closing.
One of the questions is: What role is the Killer Gap playing in these bank closures?
Have you heard of the Killer Gap?
The Killer Gap is the result of the following trends:
- Mounting Risks
- Increasing Costs (Security, Compliance, Business Continuity, Management, etc.)
- Escalating Regulations
- Changing Economic Conditions
Combined with:
- Decreasing Budgets
- Limited Resources
- Traditional Management Tools
- Poor/Outdated Decision Making

This widening gap presents difficult challenges for every organizational leader and their organization and can lead to expensive, embarrassing and business-ending results.
Is your organization prepared to control and manage the Killer Gap?
Article Cites “Dingbat Data Leaks”
A title to an article in SmartMoney caught my attention because it read “Dingbat Data Leaks”.
I think it caught my attention because over the last 27+ years or so I have worked with my share of IT and IS department managers, as well as spending many years working with end-users, and I am not sure I understand who the author is referring to as the “dingbats”.
The author mentions absurd incidents and common blunder incidents…so:
Are the people that throw away sensitive records in the trash the dingbats?
Are the people that lose flash drives and laptops the dingbats?
Is the gas station attendant who refilled the receipt printer with a used roll that had prior customers’ credit card data printed on the back a dingbat?
I get the impression from the article that yes, they are the dingbats. The article closes with an interesting bright side revelation from a Ponemon researcher that only 2 percent of all data breaches result in ID fraud. And the conclusion of the article cites that cluelessness works both ways and says “just as it takes human stupidity to produce a leak, even accidental recipients with criminal tendencies are usually too dense to realize what they’ve received.”
Everyone has their own view, however I see some great Lessons Learned in this article for business leaders.
Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand which records can and can’t be thrown away and which need to be shredded?
Isn’t it the responsibility of business leaders (and their managers) to ensure all appropriate personnel understand how to handle and protect information that is in transit or on mobile devices?
Isn’t it the responsibility of the business leaders to ensure their technology and business devices are compliant with today’s security and privacy regulations?
Is it possible the source of these common problems is the business leaders not implementing situational awareness, regulatory requirements, legal due diligence and accountability for their employees?
After 27+ years of experience and research, I know People are very capable and most want to help. I also know People can be an organization’s first layer and best layer of defense in protecting against data leaks, but only if business leaders understand the problem and take steps to implement and enforce simple and reasonable processes and procedures at the individual level.
The Achilles Heel of All Managers
Numerous lessons learned reveal that the Achilles Heel for most managers (and organizations) is the Lack of Implementation Tools. The lack of implementation tools has become THE principal weakness for managers at all levels, one that will eventually lead to their downfall.
So let’s discuss some of the details surrounding implementation.
First, implementation tools for implementing what, you may ask?
Implementing Processes. Processes include: procedures, policies, plans, regulations, specifications, roles, responsibilities, strategies, priorities, etc.
Numerous Processes need to be implemented in every Department in an organization. Numerous Processes need to be implemented to meet requirements in Regulations and Mandates, which continue to mount.
Numerous Processes need to be implemented for Emergency Management, Risk Management, Information Management, Personnel Management, Reputation Management, Vendor Management, Contractor Management, Environmental Management, Credit Management…are you getting the picture?
Numerous Processes need to be updated and re-implemented to ensure adaptability with continuous changes involving risks, budgets, personnel, threats, strategies, goals, lawsuits, layoffs, etc.
By the way, the definition of Implementation is to ensure actual fulfillment by concrete measures or to perform or to carry out. Implementation is difficult and complex because Processes need to be clearly understood by People before they can be fulfilled, performed and carried out.
Over the next several Lessons Learned blogs, the importance of implementation and ensuring managers have proven implementation tools will become obvious…
For example, in the “A FINAL WORD” section of the Virginia Tech Review Panel Final Report:
“Had the recommendations in this report been implemented, many of the problems cited above might have been averted.”
Is Event Training Going Away?
There seems to be a real transformation taking place across all industries…lower turnouts at trade shows and conferences and cutbacks in training.
With trade shows and conferences, I am seeing more and more discounts being offered to attract attendees, and some trade shows and conferences are even offering reduced rates on hotel rooms.
With training, I am seeing cutbacks within companies paying for training and I am seeing cutbacks by companies that deliver training services.
The economic downturn and budget cuts are playing a big part in whether or not organizations can afford to send their employees to trade shows and conferences or pay for consultants to come to their offices.
So will Event Training live on or fade away?
Lessons Learned clearly show that training and awareness are necessary, but Lessons Learned also reveal that better ways are needed to address training and awareness these days. Why? Because risks, threats, regulations, technologies, processes and people are constantly changing, event training can be outdated as soon as the training event ends.
While I do not believe that event training will actually go away, I do believe that organizational leaders will need to do a much better job of implementing information more effectively when they spend money to send someone to a trade show or conference, or if they pay to have an expert come to their organization.
With budgets and economic challenges, there is no better way to reduce costs than getting the right information to the right people at the right time so people can do the job right the first time!
President Obama’s 10-point Cybersecurity Action Plan – Part 8
Step 8 of President Obama’s 10-point action plan is:
Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
Keywords in Step 8 include: Prepare, Initiate, Dialog, Partnership, Streamlining, Aligning, Optimize.
Preparing an incident response plan is a great idea and can play a critical role in the success of a cybersecurity action plan; however, a lot of organizations have incident response plans that are not producing much, if any, feedback.
Why are traditional response plans not working?
Traditional incident response plans lack anonymity on the front end, and they lack innovative tools to manage Dialog, Partnerships, Streamlining, Aligning and Optimizing on the back end. As incidents become more sophisticated, more sensitive and more regulated by federal and state mandates, organizations will need more innovative tools to manage the entire incident reporting and response process while also building trust and ensuring confidentiality.
Lessons Learned include the DOJ incident where human error exposed the email addresses of approximately 150 employees who had used a House Judiciary Committee whistleblower website to submit tips about “alleged politicization” at DOJ.
I hope the incident response plan that the new Cybersecurity Adviser prepares is more like Awareity’s new incident reporting services and not just another toll free telephone number that is blasted out in a national public awareness campaign or printed on bumper stickers.
Awareity’s next generation incident reporting solutions are coming soon…stay tuned!
Twitter, Your Employees, Hackers and Awareness?
Lessons Learned continue to identify new and changing threats, but are organizational managers helping their organization’s personnel keep up with ongoing awareness or are they falling farther and farther behind?
For example, a recent article highlighted an attack that hit Twitter and may be one of the first times hackers have used the micro-blogging site for profit.
So why do hackers love social networking? Because unaware users (Boards, management, employees, vendors, contractors, consultants, business partners, etc.) will click on interesting links to things like “Best Video” or “Funniest Video” and unknowingly end up on a Russian domain that serves up malware or other exploits that can endanger your data or place “scareware” on their PC.
You mean your organization has not informed you about “scareware” yet? Scareware can be many things, but in this case it was fake security software that, once installed, nags users with so many alerts that some users will fork over $50 or more to get rid of the bogus alerts.
As more and more users sign up for Twitter and because one of the main functions of Twitter is to share links with other people, organizational managers should be taking proactive actions to:
- Ensure all types of users are aware of risks and threats
- Help users know how to report potential attacks
- Help users know how to prevent attacks
- Help users know how to respond to an attack
- Help users know how to recover from an attack
- Help users know how to keep up with more sophisticated and changing threats that social networking can present
- And other organization specific awareness and guidelines
Lessons Learned are only valuable if they are implemented at the individual level and within your organization and across third-parties too…how is your organization keeping up?
Social Networking – Good News and Bad News…
The good news is that Social Networking is experiencing explosive growth.
The bad news is that Social Networking is experiencing explosive growth.
According to the third annual Deloitte LLP Ethics & Workplace survey, organizational leaders have some decisions to make when it comes to employee beliefs and management beliefs regarding online Social Networking.
- 60% of business executives believe they have the right to know how employees portray themselves and their organizations in online social networks
- 53% of employees disagree and say their social networking pages are not an employer’s concern
- 63% of younger employees (age 18-34) say employers have no business monitoring their online activity
So where does your organization stand?
The good news is that employees seem to understand that there are risks to using online social networks as 74% of respondents believe they make it easier to damage a company’s reputation.
The bad news is employees continue to use online social networks and continue to post personal videos, pictures, experiences, thoughts and observations that can lead to ethical and unwanted consequences for employees as well as their employers.
The survey showed that only 17% of executives say they have a program in place to monitor and mitigate possible reputational risks related to employee use of social networks and 49% of employees indicate defined guidelines will not change their behavior online.
So…the good news is there is room for improvement…the bad news is most organizations are not monitoring social networking lessons learned and not implementing a program to build a solid culture that encourages employees to behave ethically and helps employees understand their critical role in reputational risk management.
What are your plans for an ethics and reputation risk management program?
Are Fines Becoming a New Revenue Source for States?
The “octuplet mom” story not only created a media frenzy at Kaiser Permanente’s Bellflower hospital; the mom and her eight newborn babies also created multiple lessons learned opportunities for every hospital that was paying attention.
The lessons learned started in January, when the eight babies were born, with making sure hospital personnel were prepared to handle the media frenzy: what they could and could not say, and what actions were acceptable and unacceptable.
Does your organization have policies and procedures in place to handle a media frenzy?
Then in March, Kaiser Permanente’s Bellflower hospital revealed that 15 employees lost their jobs and eight others were disciplined for improperly accessing the “octuplet mom’s” medical records. The lessons here involve multiple departments including management, human resources, information security, legal, risk management, compliance and individual level awareness and accountability.
Does your organization have documentation and proof of due diligence in place to describe improperly accessing information and to ensure your termination and disciplinary actions will stand up to wrongful termination lawsuits?
Then in May, state health officials from the California Public Health Department’s Center for Health Care Quality announced that Kaiser Permanente’s Bellflower hospital was fined $250,000 because nearly two dozen medical workers, including doctors, illegally viewed the “octuplet mom’s” medical records.
Does your organization have policies and procedures and documentation in place to explain what is legal and what is illegal regarding personal information covered by state mandates and federal regulations?
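The “documentation and proof of due diligence” the questions above ask for comes, in practice, from comparing record-access logs against documented care relationships. The following is an added example (not code from the original post, and not from any Kaiser Permanente or other hospital system) of that comparison; the log format, user ids, patient ids and care-team roster are all constructed for illustration, and `find_unjustified_access` is a hypothetical helper name.

```python
"""Audit of patient-record access against documented treatment relationships.

Added example, not part of the original post or any hospital's real system.
Every identifier, the log format and every record below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample of an EHR access log: timestamp, user id, user role,
# patient id, action. A real system would export something comparable.
SAMPLE_LOG = """\
2009-01-27T08:15:02 u1001 physician P-555 view
2009-01-27T08:20:45 u2044 nurse P-555 view
2009-01-27T12:02:10 u3099 billing P-555 view
2009-01-27T13:45:33 u4120 physician P-555 view
2009-01-27T14:00:00 u4120 physician P-777 view
2009-01-28T09:10:00 u1001 physician P-555 update
2009-01-28T22:41:17 u5550 lab_tech P-555 view
"""

# Constructed care-team roster: users with a documented treatment or
# operational relationship with each patient.
CARE_TEAM = {
    "P-555": {"u1001", "u2044"},
    "P-777": {"u4120"},
}

# Patients whose records are under heightened scrutiny (e.g. high-profile
# cases); every access event is audited rather than sampled.
FLAGGED_PATIENTS = {"P-555"}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed whitespace-separated log, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a production auditor would count and report these
        when, user, role, patient, action = parts
        events.append(AccessEvent(datetime.fromisoformat(when), user, role, patient, action))
    return events


def find_unjustified_access(events, care_team, flagged):
    """Return events where the user had no documented relationship with the patient.

    Only flagged patients are checked, mirroring a targeted audit of a
    high-profile record; pass flagged=None to audit every patient.
    """
    findings = []
    for ev in events:
        if flagged is not None and ev.patient not in flagged:
            continue
        if ev.user not in care_team.get(ev.patient, set()):
            findings.append(ev)
    return findings


def summarize_by_user(findings):
    """Count unjustified accesses per user: the list HR and legal will need."""
    counts = {}
    for ev in findings:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    bad = find_unjustified_access(events, CARE_TEAM, FLAGGED_PATIENTS)
    for ev in bad:
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user} ({ev.role}) accessed "
              f"{ev.patient}: no care-team relationship on record")
    print(summarize_by_user(bad))
```

The audit reports three of the seven events: a billing clerk, a second physician and a lab technician who viewed the flagged patient's record without being on its care team. Note that the physician `u4120` is legitimately on the care team for `P-777`, so role alone does not justify access; the relationship to the specific patient does, which is exactly the evidence a disciplinary action would need to stand on.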
Will information breaches become a new revenue source for state governments desperately needing to address shortcomings and deficits?
Organizational leaders should take note sooner rather than later, now that a precedent has been set and new regulations are definitely on their way!
Booted Workers Stealing Data
A recent survey revealed that 59% of workers who were laid off, fired or quit their jobs in the last 12 months admitted to stealing company data. Many ex-employees are taking information from their organization to help them find new jobs and make themselves more valuable to competitors and other organizations.
With the downturn in the economy and layoffs affecting millions of people nationwide, organizations must realize employees can easily carry out paper documents, CDs, DVDs and USB memory sticks, or simply send documents to personal e-mail accounts before exiting. It is therefore critical for organizations to communicate acceptable and unacceptable actions to all employees and make sure all employees have acknowledged responsibility for them.
Shockingly, the survey also showed 24% of ex-employees still have access to their former employer’s computer systems.
Organizations need to utilize lessons learned from these surveys to more effectively:
- Develop clearly-defined data protection policies and procedures
- Disable account login credentials immediately and monitor access
- Ensure all employees have acknowledged organizational controls and objectives
- Aggressively enforce organizational controls with employees and ex-employees
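The second item above (disable credentials immediately and monitor access) is the one the survey's 24% figure says organizations get wrong. One way to check it is to reconcile the HR separation feed against the account directory every day. The following is an added example, not code from the original post or the survey's authors; the separation dates, account names, employee ids and login timestamps are constructed, and `reconcile` is a hypothetical helper name.

```python
"""Offboarding reconciliation: find separated employees who still have access.

Added example, not from the original post or the survey it cites. The HR
separation feed, the directory export and the login records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR separation feed: employee id -> last working day.
SEPARATIONS = {
    "e100": date(2009, 6, 12),
    "e101": date(2009, 6, 15),
    "e102": date(2009, 6, 19),
}

# Constructed directory export: one row per account, with the owning
# employee id, whether the account is enabled, and the last successful login.
ACCOUNTS = [
    {"account": "jsmith", "employee": "e100", "enabled": False,
     "last_login": datetime(2009, 6, 12, 17, 5)},
    # A second account (VPN) for the same person, missed during offboarding
    {"account": "jsmith-vpn", "employee": "e100", "enabled": True,
     "last_login": datetime(2009, 6, 14, 23, 40)},
    {"account": "akhan", "employee": "e101", "enabled": True,
     "last_login": datetime(2009, 6, 15, 9, 0)},
    {"account": "mlee", "employee": "e102", "enabled": True,
     "last_login": datetime(2009, 6, 25, 8, 30)},
    # Service account owned by a departed employee: orphaned, never logs in
    {"account": "svc-backup", "employee": "e102", "enabled": True,
     "last_login": None},
    {"account": "dpark", "employee": "e200", "enabled": True,
     "last_login": datetime(2009, 6, 26, 10, 0)},
]


@dataclass(frozen=True)
class Finding:
    account: str
    employee: str
    reason: str


def reconcile(separations, accounts, today, grace_hours=0):
    """Flag accounts of separated employees that are enabled or used after separation.

    grace_hours allows a documented handover window after the last working
    day before a login is treated as post-separation use.
    """
    findings = []
    for acct in accounts:
        emp = acct["employee"]
        if emp not in separations:
            continue  # current employee, nothing to reconcile
        last_day = separations[emp]
        cutoff = datetime.combine(last_day, datetime.max.time()) + timedelta(hours=grace_hours)
        if acct["enabled"] and today > last_day:
            findings.append(Finding(acct["account"], emp, "still enabled after separation"))
        last_login = acct["last_login"]
        if last_login is not None and last_login > cutoff:
            findings.append(Finding(acct["account"], emp,
                                    f"login at {last_login:%Y-%m-%d %H:%M} after separation"))
    return findings


def accounts_to_disable(findings):
    """Sorted account names that must be disabled today."""
    return sorted({f.account for f in findings if f.reason.startswith("still enabled")})


def post_separation_logins(findings):
    """Sorted account names that were actually used after the owner left."""
    return sorted({f.account for f in findings if f.reason.startswith("login at")})


if __name__ == "__main__":
    results = reconcile(SEPARATIONS, ACCOUNTS, today=date(2009, 6, 26))
    for f in results:
        print(f"{f.account:<12} ({f.employee}): {f.reason}")
    print("disable:", accounts_to_disable(results))
    print("used after exit:", post_separation_logins(results))
```

Run against the constructed data, the reconciliation finds four accounts still enabled (including the VPN account and the service account that a primary-account-only offboarding would miss) and two accounts with logins after their owner's last day. Those two are the cases that belong in a monitoring alert rather than a weekly report; the rest are the backlog the disable step has to clear.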
More importantly, organizations need to establish a “culture of trust”. If employees respect the organization they work for, they are much less likely to steal information from that organization. By empowering and engaging employees, management can inspire trust and loyalty to ensure better results.
As this dangerous trend of employee data theft increases with the recession, what is your organization doing to address these risks and inspire trust among your employees?
Leaders Must Learn From Others’ Mistakes Too
Learning from our mistakes is popular advice, and I find it interesting that the majority of the advice and the majority of experts’ quotes have two common themes:
- If YOU are taking risks and moving forward, YOU will make mistakes.
- When YOU make mistakes, the key is not to make the same mistakes twice.
Good advice but not updated for today:
- Today’s challenges include serious economic challenges, accelerating threats and constant changes.
- Today’s leaders will not live long enough to make all the mistakes on their own so today’s leaders must do a better job of learning from the mistakes of others.
Headlines, lessons learned and case studies seem to be occurring almost every day, and the incidents are showing alarming and dangerous trends in two key areas:
- Bad guys are taking advantage of known gaps and weaknesses that organizations are not proactively addressing
- Individuals (at all levels) and organizations are making the same mistakes over and over leading to expensive and embarrassing results
While a lot of leaders are saying a lot of the right things when it comes to mistakes and lessons learned, it is time for today’s leaders to take proactive steps to implement and maintain customized knowledge based on their own lessons learned as well as lessons learned from mistakes made by others.
Another good reason to learn from the mistakes of others is the impressive ROI! If it is someone else’s mistake, your cost is $0, and if your proactive efforts reduce, eliminate or prevent thousands or millions of dollars in expenses, fines and lawsuits…why wouldn’t you?