Insights from Digital BrainFest: Getting Real About Risks


If you missed the inaugural Infinitive Digital BrainFest, you missed plenty of interesting perspectives and actionable insights on a broad range of digital risks and security issues. Here are some of the observations I’m still thinking about a few days later.

  • Blending of Personal & Professional Lives: Our digital lives and social media personae can be huge risks. A typical Facebook profile is a treasure trove of password hints and security-question answers – kids’ names, family birthdays and anniversaries, pet names, favorite teams, movies and songs, etc. The way we meet, socialize and communicate in the digital world makes us vulnerable to cybercrime in many forms. Our personal and professional lives are blending into a seamless ecosystem. That’s why businesses must define clear social media policies and be sure their workers understand the stakes.
  • Big Data: As “big data” becomes an everyday reality for more businesses, there is a need for true responsibility and leadership regarding the storage and use of all the information captured. Companies that operate in silos may find themselves at increased risk of both data breaches and violations of consumer trust.
  • Shifting Privacy Standards: As a society, we are still coming to terms with new standards of personal privacy. Concepts like privacy by design, privacy in context and “do not profile” (vs. “do not track”) will define the privacy debate in the near future. It’s possible that European standards for tracking and data anonymity will take hold here, because some experts feel that American consumers are not well informed about current targeting practices and would be alarmed if they knew.
  • Rogue Mobile Apps: The mobile app gold rush attracts not just legitimate developers and forward-looking businesses, but also cybercriminals who are not shy about cashing in on well-known brands with “look alike” apps that are designed to steal credentials, siphon data or disable devices.
  • Risk Leadership Involvement: Engagement with the full range of business stakeholders is critical for risk management leaders to have an impact – especially in the digital space. That means understanding what the digital opportunities are, and how they can drive the business forward. If all we do is point out the risks and say “no” to everything, no one will call on us for guidance and support in closing vulnerabilities, and the risky and rogue behaviors will continue.
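To make the first point concrete: the example below, which is added here and is not code from the original post or from the panelists, expands a handful of profile facts into the candidate passwords a targeted attacker would try first, and checks a proposed password against them. PROFILE is a constructed set of facts of the kind the bullet describes; none of the names or dates is real.

```python
"""Profile-driven password candidates: how far public social media facts go.

Added example; not from the original post. PROFILE is constructed.
"""
import itertools

# Constructed profile, as an attacker could harvest it from a public page.
PROFILE = {
    "children": ["Emma", "Liam"],
    "pet": ["Rex"],
    "team": ["Nationals"],
    "dates": ["1982-06-14", "2009-10-03"],   # a birthday and an anniversary
}

# The character substitutions and suffixes people reach for when a policy
# demands "complexity"; they add almost nothing against a targeted list.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "!", "1", "123", "#")


def date_fragments(iso_date):
    """Pieces of a date that people actually type: year, 2-digit year, MMDD, DDMM..."""
    y, m, d = iso_date.split("-")
    return {y, y[2:], m + d, d + m, m + d + y[2:], d + m + y}


def profile_wordlist(profile):
    """Expand profile facts into the candidates a targeted attacker tries first."""
    words = set()
    for key, values in profile.items():
        if key == "dates":
            continue
        for v in values:
            words.update({v.lower(), v.capitalize(), v.upper(),
                          v.lower().translate(LEET)})
    fragments = set()
    for date in profile.get("dates", []):
        fragments |= date_fragments(date)

    candidates = set()
    for w in words:
        candidates.update(w + s for s in SUFFIXES)          # Rex!, rex123
        candidates.update(w + f for f in fragments)         # Emma2009
        candidates.update(f + w for f in fragments)         # 0614Liam
        candidates.update(w + f + s for f in fragments for s in ("!", "#"))
    candidates.update(a + b for a, b in itertools.permutations(words, 2))  # liamemma
    return candidates


def derived_from_profile(password, profile):
    """True if the profile alone would let an attacker guess this password."""
    return password in profile_wordlist(profile)


if __name__ == "__main__":
    print(len(profile_wordlist(PROFILE)), "candidates from 4 facts and 2 dates")
    for pw in ("Emma2009", "r3x123", "correct horse battery staple"):
        print(pw, "->", "guessable from profile" if derived_from_profile(pw, PROFILE) else "ok")
```

Four facts and two dates already yield over a thousand candidates, which a targeted attacker can try against a webmail login or an offline hash in seconds; the useful control is a password-policy check that rejects anything on such a list, not a rule about capital letters and digits.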

And thank you to all of our excellent panelists:

  • Douglas Miller, Vice President and Global Privacy Leader – AOL
  • Gordon Hutchinson, Chief Financial Officer – Amtrak
  • Gregory Ogorek, Deputy Director – Cyveillance
  • Kurt Bertone, Vice President – Fidelis Security
  • Angelos Stavrou, Associate Professor – George Mason University
Posted in Big Data, Cybercrime, Information security, Leadership, Mobile security, Proactive, Risk management, Social media risk, Social media security, Strategy

Insights from Digital BrainFest: Social Media & Security

Gregory Ogorek, Deputy Director of the Cyber Intelligence Division at Cyveillance, was a panelist at Infinitive Digital BrainFest.

Posted in Cybercrime, Information security, Security, Social media risk, Social media security

Infinitive Insight in Risk Intelligence Webinar

Don’t miss Infinitive Insight CEO Ray Vazquez at Risk Intelligence: Managing Risks in the Era of Big Data, Tuesday, May 8, 11:00 am Eastern. Attendees will learn more about how to distinguish between risks that must be avoided, and risks that must be taken.

The webinar is sponsored by MetricStream, a market leader in Governance, Risk and Compliance (GRC) and Quality Management Solutions. More information is available here.

Posted in Best practices, Big Data, Compliance, Risk management, Risk visualization

Bean Phishing Attack: Was Your CPA Duped?

A fraudulent email scam has been using the logo of the American Institute of CPAs, a non-profit industry association, to entice AICPA members and others to share sensitive financial data. More details are available here.

Tactically, it sounds like a fairly basic attack: the emails say recipients have been implicated in tax fraud and that their CPA licenses may soon be terminated. Links in the emails lead to third-party sites that host malware designed to compromise data on recipients’ computers.

But strategically it’s quite clever and shows how cyberthugs are getting ever more creative in seeking vulnerabilities. The firewalls and security systems of the Big Four accounting firms are obviously tougher to crack than going through an independent, non-profit trade group, whose membership offers a path to similarly valuable information. And the production value of the email (see image) is considerably better than your standard scam involving, say, money stuck in Nigerian banks.

So the questions companies must ask themselves are:

  • Did any of your CPAs, auditors or employees click on the links?
  • Would they be able to save confidential files or sensitive data on their own devices?
  • How do you know for sure your data is safe?
  • Who can provide answers to these questions – and are you confident in their answers?

The bottom line? As cybercriminals get more creative and innovative, your risk management approach must be similarly forward-looking and thoughtful. Innovations like risk visualization and third-party profiling can be difference makers in protecting key assets and information, even when hackers are willing to try anything and everything to get a peek.
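The checks a mail or security team would run on a message like this, as an added example that is not code from the original post: the envelope sender is compared with the displayed From address, and every link target is compared both with the brand’s own domain and with the URL text the reader sees. SAMPLE_EMAIL and LEGIT_EMAIL are constructed messages modelled on the description above; every hostname and address in them is invented, and the assumption that aicpa.org is the association’s only legitimate domain is made for the example.

```python
"""Triage checks for a brand-impersonation phishing email.

Added example; not code from the original post. Both messages are constructed.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the brand only sends from, and links to, this domain.
BRAND_DOMAINS = {"aicpa.org"}

SAMPLE_EMAIL = """\
From: AICPA Member Services <membership@aicpa.org>
Return-Path: <bounce@mail-notify-center.example>
Subject: Notice: your CPA license may be terminated
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://cdn.mail-notify-center.example/aicpa-logo.png">
<p>You have been implicated in tax fraud. Review the complaint within
48 hours or your license will be terminated.</p>
<p><a href="http://aicpa.org.mail-notify-center.example/review">
http://www.aicpa.org/complaints/review</a></p>
<p><a href="https://www.aicpa.org/">www.aicpa.org</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: AICPA Member Services <membership@aicpa.org>
Return-Path: <bounce@aicpa.org>
Subject: Your membership renewal
Content-Type: text/html; charset=utf-8

<html><body><p>Renew at <a href="https://www.aicpa.org/renew">
www.aicpa.org/renew</a>.</p></body></html>
"""


def registrable(host):
    """Crude registrable-domain reduction (last two labels). Fine for .com/.org;
    a production tool should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named by a URL or by a bare 'www.example.org/...' string; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw, brand_domains=BRAND_DOMAINS):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Spoofed brand mail is usually sent (and bounces) somewhere other than the brand.
    _, from_addr = email.utils.parseaddr(str(msg["From"] or ""))
    _, return_path = email.utils.parseaddr(str(msg["Return-Path"] or ""))
    from_dom = registrable(from_addr.rpartition("@")[2])
    rp_dom = registrable(return_path.rpartition("@")[2])
    if from_dom in brand_domains and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} does not match From domain {from_dom}")

    # 2. Each link target, against the brand and against the text the reader sees.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = host_of(href)
        target = registrable(host)
        if target in brand_domains:
            continue
        findings.append(f"link to off-brand domain {target}: {href}")
        shown = registrable(host_of(text)) if "." in text else ""
        if shown in brand_domains:
            findings.append(f"displayed {text!r} but target is {target}")
        if any(b.split(".")[0] in host.lower().split(".") for b in brand_domains):
            findings.append(f"brand name embedded in attacker host {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

The third link check matters most for a campaign like this one: a hostname such as aicpa.org.mail-notify-center.example passes a casual glance because it starts with the brand, but its registrable domain belongs to the attacker. The same registrable-domain comparison is what an email gateway rule or a SIEM correlation should key on, not a substring match on the brand name.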

Posted in Accounting, Audit, Cybercrime, Hacking, Information security, Risk management, Risk visualization

Dog Bites Man Story: “Thanks to Lax Oversight” MF Global Money “Feared Gone”

You know you’ve had a serious risk incident when CEO piñatas are featured at company holiday parties and the word “vaporized” is being used by investigators. That’s the lesson of the latest news from the MF Global saga.

At a recent Congressional hearing, investigators presented initial findings that a big chunk of the missing $1.2 billion could have “vaporized.” Then there was the news that a Jon Corzine piñata (filled with IOUs) was part of the festivities at holiday parties for former employees.

As bad as all this sounds, the MF Global debacle really is something of a “dog bites man” story from a risk management perspective. That is, it’s no big or surprising story at all. Consider another recent headline that more or less summarizes the whole debacle:

Lax Oversight Blamed in Demise of MF Global

In our view, the more information comes out about the meltdown at MF Global, the less mystery there is. It will come as no surprise to risk management veterans that the primary reason behind the blow-up was that CEO Jon Corzine simply ignored repeated warnings from his chief risk officer. MF Global’s CRO took it on the chin before Congress, but as this earlier story points out, the MF Global:

executive in charge of controlling risks raised serious concerns several times last year to directors at the securities firm about the growing bet on European bonds by his boss.

Mr. Corzine … responded to Mr. Roseman’s concerns that some of the scenarios were too extreme and likely impossible

A risk management executive in financial services being ignored by an executive with a higher risk tolerance? Oldest story in the book. What makes it news is the amount of missing client funds and the prominence of the CEO involved.

Of course, it’s worth asking about the auditors and their role, and whether or not the CRO fully lodged his protests before the Sarbanes-Oxley Section 302 and 404 certifications were signed. This is Sarbanes-Oxley gone wrong, or at least not providing the protections it was designed to provide. It is a recurring problem.

Here’s another story on the company’s policies and how Corzine ignored them:

[Corzine] didn’t rely heavily on the risk-management department at MF Global, a system of internal oversight and controls … In order to avoid potential blowups and satisfy nervous regulators, risk-management chiefs often report directly to the CEO or board, which are responsible for refereeing disputes between traders and risk officials.

Sure, that’s the way it’s supposed to work, though too often it doesn’t. In this case, Corzine basically made his own decisions about trades, and acted as his own risk management function.

Let’s be clear, the board of directors obviously shares some responsibility here, as it approved Corzine-endorsed trades that exceeded the firm’s risk limits. And the cultural element is also not to be overlooked. The board – including the audit committee – enabled excessive risk-taking and fostered a reckless style of leadership. There was one set of rules for the CEO and another for everyone else. It says something about Wall Street culture that such large risk appetites still exist just a few years after the financial crisis. Again, this will not surprise risk management pros.

Another unsurprising element was the words spoken by an MF executive, which are commonly heard at companies that have a major risk event; speaking of the vulnerabilities created by the weak oversight, he said:

“I could kick myself for not recognizing it sooner,”

While initial news accounts implied there was some mystery about what went wrong at MF Global, it continues to strike us as strictly “dog bites man” stuff. There is a lot of blame to go around, and the reasons for the collapse of MF Global are among the most common in enterprise risk management.

Posted in Accounting, Audit, Financial services, Leadership, Risk management

Infinitive Insight on “Cybercrime the New Normal”

Ray Vazquez, CEO of Infinitive Insight, was recently featured in Risk Universe, a new publication focused on operational risk. Commenting on “CyberCrime – the New Normal,” Vazquez highlighted how the role of malicious insiders in facilitating cybercrime has been discounted. From the article:

[the role of insiders in] helping people on the outside to perpetrate fraud either directly or indirectly has been discounted. “Something as benign as someone leaving the company and sending their entire contacts list to their AOL account may not seem like a big deal, but if a hacker got their hands on that, they would have the tools to do a great social engineering scam because they would know who employees and clients are and who they report to, which can be used for spear-phishing.”
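The departing-employee scenario in the quote is detectable at the mail gateway, and the example below, added here and not code from the article or from Infinitive Insight, shows the kind of scoring a SOC would run over outbound mail logs. SAMPLE_LOG is a constructed log in an invented pipe-separated format (timestamp|sender|recipient|attachment|bytes); the corporate domain example.com, the HR list of resignations and every address are assumptions for the example.

```python
"""Flag outbound mail that looks like a contacts-list export to a personal account.

Added example; not from the original article. SAMPLE_LOG is constructed.
"""

CORP_DOMAIN = "example.com"                       # assumption: the firm's own domain
PERSONAL_WEBMAIL = {"aol.com", "gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
EXPORT_EXTENSIONS = (".csv", ".vcf", ".pst", ".xlsx")
EXPORT_WORDS = ("contact", "client", "address", "directory")
DEPARTING = {"jsmith@example.com"}                 # hypothetical HR notice of resignations

# Constructed gateway log: timestamp|sender|recipient|attachment|bytes
SAMPLE_LOG = """\
2012-04-10T17:58:02|jsmith@example.com|jsmith@aol.com|contacts_export.csv|184320
2012-04-10T17:58:40|jsmith@example.com|jsmith@aol.com|Outlook_Contacts.vcf|96011
2012-04-10T18:02:15|mlee@example.com|client@partner.example|Q1_invoice.pdf|51200
2012-04-10T18:05:33|rkim@example.com|rkim@gmail.com|family_photo.jpg|2048000
2012-04-10T18:07:01|mlee@example.com|mlee@gmail.com|clients.xlsx|40960
"""


def parse_line(line):
    ts, sender, recipient, attachment, size = line.strip().split("|")
    return {"ts": ts, "sender": sender.lower(), "recipient": recipient.lower(),
            "attachment": attachment, "bytes": int(size)}


def score_event(ev):
    """Return (score, reasons). Each signal is weak alone; stacked, they are telling."""
    reasons = []
    s_local, _, s_domain = ev["sender"].partition("@")
    r_local, _, r_domain = ev["recipient"].partition("@")
    if s_domain != CORP_DOMAIN or r_domain == CORP_DOMAIN:
        return 0, reasons                          # inbound or internal: out of scope
    if r_domain in PERSONAL_WEBMAIL:
        reasons.append("recipient is personal webmail")
        if r_local == s_local:
            reasons.append("recipient local-part matches sender (own account)")
    name = ev["attachment"].lower()
    if name.endswith(EXPORT_EXTENSIONS):
        reasons.append("attachment type is a typical export format")
    if any(w in name for w in EXPORT_WORDS):
        reasons.append("attachment name suggests a contact or client list")
    if ev["sender"] in DEPARTING:
        reasons.append("sender is on the departing-employee list")
    # The HR signal counts double: the same export from a staying employee is a
    # policy question, from a leaver it is the spear-phishing kit the quote describes.
    score = len(reasons) + (1 if ev["sender"] in DEPARTING else 0)
    return score, reasons


def find_suspicious(log_text, threshold=3):
    """Events at or above the threshold, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"sender": ev["sender"], "recipient": ev["recipient"],
                         "attachment": ev["attachment"], "score": score,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['score']} {hit['sender']} -> {hit['recipient']} "
              f"({hit['attachment']}): {'; '.join(hit['reasons'])}")
```

With the threshold at 3, the family photo sent to a personal Gmail account is not flagged (two weak signals), while the client spreadsheet from an employee who is not on the HR list still is; the departing employee’s two contact exports score highest. Tune the threshold against a week of real logs before alerting on it, and treat the HR list as the input most worth keeping current.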

Posted in Cybercrime, Financial services, Hacking, Information security, Malicious insiders, Malware

Crisis Management: Contrasting Leadership Styles

CEOs and the chief risk officers who work for them are being tested far and wide these days as all sorts of data breaches, natural disasters and self-inflicted reputational wounds fill the headlines. Clearly, more organizations understand that senior leadership must react when major security events or other issues arise in this brave, new (and much riskier) world. A few recent examples demonstrate the range of crisis leadership styles.

Posted in Best practices, Culture, Cybercrime, Hacking, Leadership, Proactive, Risk management, Strategy

Reinventing the Toilet & Rethinking Risk

The video below, which is about reinventing the toilet to prevent disease in developing countries, caught our eye and inspired us in a couple of different ways. First of all, we’re fans of anyone who is willing to take on the world’s biggest problems and apply unconventional thinking and highly creative approaches to solving them.

To say these folks are thinking outside the box (or should we say outside the bowl?) is a major understatement. For instance, most Americans would see no need to reinvent the toilet; plumbing here works just fine. But in the developing world, lack of water and funds to invest in sewage systems means you’ve got to solve a basic sanitation problem through different means – hence, a reinvented toilet.

Posted in Best practices, Culture, Innovation, Risk management, Strategy

Olympus: “Rotten to the Core”

The news from Olympus keeps getting worse. Japanese authorities raided the company’s headquarters in Tokyo. And a recent report from an independent panel investigating the company’s accounting chicanery described top management as “rotten to the core.” Further, it recommended Olympus “remove its malignant cancer.”

Posted in Accounting, Audit, Culture, Leadership, Reporting, Risk management

A Christmas Carol: Risk Management Version

In the famous holiday tale by Charles Dickens, Ebenezer Scrooge is visited by three ghosts who warn him about the error of his greedy, miserly ways. Ultimately, they inspire him to become a better man — more compassionate, generous and open to feeling the Christmas spirit.

Posted in Best practices, Proactive, Risk management