<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insight &#187; Blog</title>
	<atom:link href="http://insight.infinitive.com/ideas/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://insight.infinitive.com</link>
	<description></description>
	<lastBuildDate>Thu, 17 May 2012 00:11:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Insights from Digital BrainFest: Getting Real About Risks</title>
		<link>http://insight.infinitive.com/2012/05/10/insights-from-digital-brainfest-getting-real-about-risks/</link>
		<comments>http://insight.infinitive.com/2012/05/10/insights-from-digital-brainfest-getting-real-about-risks/#comments</comments>
		<pubDate>Thu, 10 May 2012 12:47:39 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Mobile security]]></category>
		<category><![CDATA[Proactive]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Social media risk]]></category>
		<category><![CDATA[Social media security]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=418</guid>
		<description><![CDATA[If you missed the inaugural Infinitive Digital BrainFest, you missed plenty of interesting perspectives and actionable insights on a broad range of digital risks and security issues. Here are some of the observations I’m still thinking about a few days &#8230; <a href="http://insight.infinitive.com/2012/05/10/insights-from-digital-brainfest-getting-real-about-risks/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-424" title="brain_rotated" src="http://insight.infinitive.com/files/2012/05/brain_rotated.jpg" alt="" width="163" height="119" /><br />
If you missed the inaugural Infinitive Digital BrainFest, you missed plenty of interesting perspectives and actionable insights on a broad range of digital risks and security issues. Here are some of the observations I’m still thinking about a few days later.</p>
<ul>
<li>Blending of Personal &amp; Professional Lives: Our digital lives and social media personae can be huge risks. A typical Facebook profile is a treasure trove of password hints – kids names, family birthdays and anniversaries, pet names, favorite teams, movies and songs, etc. The way we meet, socialize and communicate in the digital world makes us vulnerable to cybercrime in many forms. Our personal and professional lives are blending in a seamless ecosystem. That’s why businesses must define clear social media policies and be sure their workers understand the stakes.</li>
<li>Big Data: As “big data” becomes an everyday reality for more businesses, there is a need for true responsibility and leadership regarding the storage and use of all the information captured. Companies that operate in silos may find themselves at increased risk of both data breaches and violations of consumer trust.</li>
<li>Shifting Privacy Standards: As a society, we are still coming to terms with new standards of personal privacy. Concepts like privacy by design, privacy in context and “do not profile” (vs. “do not track”) will define the privacy debate in the near future. It’s possible that European standards for tracking and data anonymity will take hold, because some experts feel that American consumers are not as knowledgeable about current targeting practices, which would alarm them if they knew.</li>
<li>Rogue Mobile Apps: The mobile app gold rush attracts not just legitimate developers and forward-looking businesses, but also cybercriminals who are not shy about cashing in on well-known brands with “look alike” apps that are designed to steal credentials, siphon data or disable devices.</li>
<li>Risk Leadership Involvement: Engagement with the full range of business stakeholders is critical for risk management leaders to have an impact – especially in the digital space. That means understanding what the digital opportunities are, and how they can drive the business forward. If all we do is point out the risks and say “no” to everything, no one will call on us for guidance and support in closing vulnerabilities, and the risky and rogue behaviors will continue to go on.</li>
</ul>
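<p>The first observation above is concrete enough to test. The following script is an added example, not code from the original post or from Infinitive: it builds a guess list from the kind of facts a public profile gives away (children, pets, team, family dates), undoes common character substitutions, and reports which of those facts appear inside a candidate password. The profile is constructed; no real person is involved.</p>

```python
"""Check a candidate password against facts a public profile gives away.

Added example, not code from the original post or from Infinitive. The
profile below is constructed; the tokens it yields are the kind of hint
the post describes (children, pets, teams, family dates).
"""
import re
from datetime import date

# Constructed sample profile (no real person).
PROFILE = {
    "name": "Maria Alvarez",
    "children": ["Lucas", "Sofia"],
    "pets": ["Biscuit"],
    "favorite_team": "Red Sox",
    "family_dates": [date(1978, 4, 12), date(2009, 11, 3), date(2005, 6, 18)],
}

# Common substitutions attackers undo before matching (l33t-style).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def date_tokens(d):
    """A date written the ways people tend to put it in passwords."""
    return {d.strftime("%m%d%Y"), d.strftime("%m%d%y"),
            d.strftime("%d%m%Y"), d.strftime("%Y")}


def profile_tokens(profile):
    """Derive lowercase guess tokens from every profile field."""
    tokens = set()
    for value in profile.values():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, date):
                tokens |= date_tokens(item)
                continue
            words = re.findall(r"[A-Za-z]+", item)
            tokens.update(w.lower() for w in words if len(w) >= 3)
            tokens.add("".join(words).lower())   # "Red Sox" -> "redsox"
    return {t for t in tokens if len(t) >= 3}


def normalize(password):
    """Lowercase and undo leet substitutions so 'S0f1a' matches 'sofia'."""
    return password.lower().translate(LEET)


def profile_hits(password, profile):
    """Profile tokens found inside the password, raw or after normalization.

    An empty list means the password survives this profile-only check; it
    says nothing about length, entropy or breach-list membership.
    """
    candidates = {password.lower(), normalize(password)}
    return sorted(t for t in profile_tokens(profile)
                  if any(t in c for c in candidates))


if __name__ == "__main__":
    for pw in ("Biscuit2009!", "S0f1a!", "correct horse battery"):
        print(f"{pw!r}: {profile_hits(pw, PROFILE)}")
```

<p>In practice this check sits next to a breached-password blocklist rather than replacing it, and the profile tokens come from whatever the organization already holds about the user (directory attributes, HR data), not from scraping the user's social accounts.</p>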
<p>And thank you to all of our excellent panelists:</p>
<ul>
<li>Douglas Miller, Vice President and Global Privacy Leader – AOL</li>
<li>Gordon Hutchinson, Chief Financial Officer – Amtrak</li>
<li>Gregory Ogorek, Deputy Director – Cyveillance</li>
<li>Kurt Bertone, Vice President – Fidelis Security</li>
<li>Angelos Stavrou, Associate Professor – George Mason University</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/05/10/insights-from-digital-brainfest-getting-real-about-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insights from Digital BrainFest: Social Media &amp; Security</title>
		<link>http://insight.infinitive.com/2012/05/09/insights-from-digital-brainfest-social-media-security/</link>
		<comments>http://insight.infinitive.com/2012/05/09/insights-from-digital-brainfest-social-media-security/#comments</comments>
		<pubDate>Thu, 10 May 2012 02:55:29 +0000</pubDate>
		<dc:creator>Infinitive Insight Blog</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social media risk]]></category>
		<category><![CDATA[Social media security]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=408</guid>
		<description><![CDATA[Gregory Ogorek, Deputy Director of the Cyber Intelligence Division at Cyveillance, was a panelist at Infinitive Digital BrainFest.]]></description>
			<content:encoded><![CDATA[<p>Gregory Ogorek, Deputy Director of the Cyber Intelligence Division at Cyveillance, was a panelist at Infinitive Digital BrainFest.</p>
<p><iframe width="504" height="286" src="http://www.youtube.com/embed/dlSMVVQM5f8" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/05/09/insights-from-digital-brainfest-social-media-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infinitive Insight in Risk Intelligence Webinar</title>
		<link>http://insight.infinitive.com/2012/05/07/infinitive-insight-in-risk-intelligence-webinar/</link>
		<comments>http://insight.infinitive.com/2012/05/07/infinitive-insight-in-risk-intelligence-webinar/#comments</comments>
		<pubDate>Mon, 07 May 2012 20:01:58 +0000</pubDate>
		<dc:creator>Infinitive Insight Blog</dc:creator>
				<category><![CDATA[Best practices]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Risk visualization]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=404</guid>
		<description><![CDATA[Don&#8217;t miss Infinitive Insight CEO Ray Vazquez at Risk Intelligence: Managing Risks in the Era of Big Data, Tuesday, May 8, 11:00 am Eastern. Attendees will learn more about how to distinguish between risks that must be avoided, and risks that must be &#8230; <a href="http://insight.infinitive.com/2012/05/07/infinitive-insight-in-risk-intelligence-webinar/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Don&#8217;t miss Infinitive Insight CEO Ray Vazquez at <strong>Risk Intelligence: Managing Risks in the Era of Big Data</strong>, Tuesday, May 8, 11:00 am Eastern. Attendees will learn more about how to distinguish between risks that must be avoided, and risks that must be taken.</p>
<p>The webinar is sponsored by MetricStream, a market leader in Governance, Risk and Compliance (GRC) and Quality Management Solutions. More information is available <a title="MetricStream Webinar" href="http://info.metricstream.com/big-data-managing-risks.html" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/05/07/infinitive-insight-in-risk-intelligence-webinar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bean Phishing Attack: Was Your CPA Duped?</title>
		<link>http://insight.infinitive.com/2012/02/22/bean-phishing-attack-was-your-cpa-duped/</link>
		<comments>http://insight.infinitive.com/2012/02/22/bean-phishing-attack-was-your-cpa-duped/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 20:14:18 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Risk visualization]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=370</guid>
		<description><![CDATA[A fraudulent email scam has been using the logo of the American Institute of CPAs, a non-profit industry association, to entice AICPA members and others to share sensitive financial data. More details are available here. Tactically, it sounds like a &#8230; <a href="http://insight.infinitive.com/2012/02/22/bean-phishing-attack-was-your-cpa-duped/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-thumbnail wp-image-376" title="fishing hook" src="http://insight.infinitive.com/files/2012/02/fishing-hook-150x150.jpg" alt="" width="150" height="150" />A fraudulent email scam has been using the logo of the American Institute of CPAs, a non-profit industry association, to entice AICPA members and others to share sensitive financial data. <a title="AICPA Phished" href="http://www.aicpa.org/News/FeaturedNews/Pages/alert-fraudulent-email.aspx" target="_blank">More details are available here</a>.</p>
<p>Tactically, it sounds like a fairly basic attack; the emails say recipients have been implicated in tax fraud and that their CPA licenses may soon be terminated. Links in the emails lead to third-party sites that contain viruses designed to compromise data on the computers of recipients.</p>
<p>But strategically it’s quite clever and shows how cybercriminals are getting ever more creative in seeking vulnerabilities. Obviously, the firewalls and security systems of the Big Four accounting firms are tougher to crack than those of an independent, non-profit trade group, whose membership offers a path to similarly valuable information. And the production value of the email (see image) is a good bit better than your standard scam involving, say, money stuck in Nigerian banks.</p>
<p><img class="aligncenter size-medium wp-image-371" title="AICPA email" src="http://insight.infinitive.com/files/2012/02/AICPA-email-300x263.jpg" alt="" width="300" height="263" /></p>
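<p>The lure described above (a trusted organization’s branding, a threat, and a link that leaves the organization’s domain) is the pattern a mail filter can catch mechanically. The script below is an added example, not code from the original post, from Infinitive or from the AICPA: it parses the anchors out of an HTML message body and flags any link whose destination host is not on the trusted domain, whose visible text pretends to be the trusted domain, or whose path ends in an executable. The message body is constructed to resemble the described lure; the hostname <code>aicpa-verify.example.net</code> is invented for the example, and the two-label “registrable domain” rule is a simplification that misfires on suffixes such as <code>co.uk</code>.</p>

```python
"""Flag links in an HTML e-mail that leave the trusted organization's domain.

Added example, not from the original post, Infinitive or the AICPA. The
message body is constructed; the off-domain host is invented.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "aicpa.org"   # the organization whose logo the mail carries

# Constructed sample body modelled on the described lure (not the real e-mail).
SAMPLE_EMAIL = """
<html><body>
<img src="http://www.aicpa.org/logo.png" alt="AICPA">
<p>Your CPA license may be terminated due to tax fraud allegations.</p>
<p><a href="http://aicpa-verify.example.net/complaint.exe">www.aicpa.org/complaint</a></p>
<p><a href="http://www.aicpa.org/News/">AICPA News</a></p>
</body></html>
"""

# Display text that looks like a bare URL or hostname, e.g. "www.aicpa.org/x".
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

DANGEROUS_EXT = (".exe", ".scr", ".zip", ".js", ".jar")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (simplification: ignores public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, trusted_domain):
    """Return the anchors that deserve a second look, with the reasons."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        off_domain = registrable(host) != trusted_domain
        reasons = []
        if off_domain:
            reasons.append("off-domain host")
        # Visible text claims the trusted domain while the href goes elsewhere.
        if off_domain and URLISH.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) == trusted_domain:
                reasons.append("display text impersonates trusted domain")
        if parsed.path.lower().endswith(DANGEROUS_EXT):
            reasons.append("executable download")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

<p>The check is deliberately narrow: it says nothing about the sender’s authenticity (SPF, DKIM and DMARC cover that) and it will flag legitimate third-party links such as a survey host, so it belongs in a scoring pipeline rather than as a hard block.</p>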
<p>So the questions companies must ask themselves are:</p>
<ul>
<li>Were any of your CPAs, auditors or employees dim enough to click on the links?</li>
<li>Would they be able to save confidential files or sensitive data on their own devices?</li>
<li>How do you know for sure your data is safe?</li>
<li>Who can provide answers to these questions – and are you confident in their answers?</li>
</ul>
<p>The bottom line? As cybercriminals get more creative and innovative, your risk management approach must be similarly forward-looking and thoughtful. Innovations like <a title="Enterprise Risk Visualization" href="http://insight.infinitive.com/capabilities/risk-visualization/">risk visualization</a> and third-party profiling can be difference makers in terms of protecting key assets and information, even when hackers are willing to try anything and everything to get a peek.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/02/22/bean-phishing-attack-was-your-cpa-duped/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dog Bites Man Story: “Thanks to Lax Oversight” MF Global Money “Feared Gone”</title>
		<link>http://insight.infinitive.com/2012/02/15/dog-bites-man-story-thanks-to-lax-oversight-mf-global-money-feared-gone/</link>
		<comments>http://insight.infinitive.com/2012/02/15/dog-bites-man-story-thanks-to-lax-oversight-mf-global-money-feared-gone/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 11:00:21 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Financial services]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Risk management]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=351</guid>
		<description><![CDATA[You know you’ve had a serious risk incident when CEO piñatas are featured at company holiday parties and the word “vaporized” is being used by investigators. That’s what the latest news from the MF Global saga will teach us. At &#8230; <a href="http://insight.infinitive.com/2012/02/15/dog-bites-man-story-thanks-to-lax-oversight-mf-global-money-feared-gone/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="size-thumbnail wp-image-353 alignright" title="dog bites man" src="http://insight.infinitive.com/files/2012/02/dog-bites-man-150x150.jpg" alt="" width="150" height="150" />You know you’ve had a serious risk incident when CEO piñatas are featured at company holiday parties and the word “vaporized” is being used by investigators. That’s what the latest news from the MF Global saga will teach us.</p>
<blockquote><p>At a recent Congressional hearing, investigators <a href="http://online.wsj.com/article/SB10001424052970203920204577191014034430488.html">presented initial findings</a> that a big chunk of the missing $1.2 billion could have “vaporized.” Then there was the news that a <a href="http://www.huffingtonpost.com/2012/01/11/corzine-pinata-mf-global_n_1199618.html">Jon Corzine piñata</a> (filled with IOUs) was part of the festivities at holiday parties for former employees.</p></blockquote>
<p>As bad as all this sounds, the MF Global debacle really is something of a “dog bites man” story from a risk management perspective. That is, it&#8217;s no big or surprising story at all. Consider another recent headline that more or less summarizes the whole debacle:</p>
<blockquote><p><a href="http://dealbook.nytimes.com/2012/02/02/lax-oversight-is-blamed-in-demise-of-mf-global/">Lax Oversight Blamed in Demise of MF Global</a></p></blockquote>
<p>In our view, the more information comes out about the meltdown at MF Global, the less mystery there is. It will come as no surprise to risk management veterans that the primary reason behind the blow-up was that CEO Jon Corzine simply ignored repeated warnings from his chief risk officer. MF Global’s CRO took it on the chin before Congress, but as this previous <a href="http://online.wsj.com/article/SB10001424052970204083204577080723935363452.html?mod=WSJ_hp_LEFTWhatsNewsCollection">story</a> points out, the MF Global:</p>
<blockquote><p>executive in charge of controlling risks raised serious concerns several times last year to directors at the securities firm about the growing bet on European bonds by his boss.</p>
<p>Mr. Corzine … responded to Mr. Roseman&#8217;s concerns that some of the scenarios were too extreme and likely impossible</p></blockquote>
<p>A risk management executive in financial services being ignored by an executive with a higher risk tolerance? Oldest story in the book. What makes it news is the amount of missing client funds and the prominence of the CEO involved.</p>
<p>Of course, it’s worth asking about the auditors and their role, and whether or not the CRO fully lodged his protests before the Sarbanes-Oxley Section 302 and 404 certifications were signed. This is Sarbanes-Oxley gone wrong, or at least not providing the protections it was designed to provide. It is a recurring problem.</p>
<p>Here’s <a href="http://online.wsj.com/article/SB10001424052970203710704577054630610795306.html">another story</a> on the company’s policy and how Corzine ignored them:</p>
<blockquote><p>[Corzine] didn’t rely heavily on the risk-management department at MF Global, a system of internal oversight and controls … In order to avoid potential blowups and satisfy nervous regulators, risk-management chiefs often report directly to the CEO or board, which are responsible for refereeing disputes between traders and risk officials.</p></blockquote>
<p>Sure, that’s the way it’s supposed to work, though too often it doesn’t. In this case, Corzine basically made his own decisions about trades, and acted as his own risk management function.</p>
<p>Let’s be clear, the board of directors obviously shares some responsibility here, as it approved Corzine-endorsed trades that exceeded the firm’s risk limits. And the cultural element is also not to be overlooked. The board – including the audit committee – enabled excessive risk-taking and fostered a reckless style of leadership. There was one set of rules for the CEO and another for everyone else. It says something about Wall Street culture that such large risk appetites still exist just a few years after the financial crisis. Again, this will not surprise risk management pros.</p>
<p>Another unsurprising element was the statement of an MF executive, of a kind commonly heard at companies after a major risk event; speaking of the vulnerabilities created by the weak oversight, he said:</p>
<blockquote><p>&#8220;I could kick myself for not recognizing it sooner,&#8221;</p></blockquote>
<p>While initial news accounts implied there was some mystery about what went wrong at MF Global, it continues to strike us as strictly “dog bites man” stuff. There is a lot of blame to go around, and the reasons for the collapse of MF Global are among the most common in enterprise risk management.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/02/15/dog-bites-man-story-thanks-to-lax-oversight-mf-global-money-feared-gone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infinitive Insight on “Cybercrime the New Normal”</title>
		<link>http://insight.infinitive.com/2012/02/10/infinitive-insight-on-cybercrime-the-new-normal/</link>
		<comments>http://insight.infinitive.com/2012/02/10/infinitive-insight-on-cybercrime-the-new-normal/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 11:00:43 +0000</pubDate>
		<dc:creator>Infinitive Insight Blog</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Financial services]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Malicious insiders]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=332</guid>
		<description><![CDATA[Ray Vazquez, CEO of Infinitive Insight, was recently featured in Risk Universe, a new publication focused on operational risk. Commenting on “CyberCrime – the New Normal,” Vazquez highlighted how malicious insiders facilitate cybercrime by: helping people on the outside to &#8230; <a href="http://insight.infinitive.com/2012/02/10/infinitive-insight-on-cybercrime-the-new-normal/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="size-thumbnail wp-image-337 alignright" title="Cuffs on Keyboard" src="http://insight.infinitive.com/files/2012/02/Cuffs-on-Keyboard-150x150.jpg" alt="" width="150" height="150" />Ray Vazquez, CEO of Infinitive Insight, was recently featured in <em>Risk Universe</em>, a new publication focused on operational risk. Commenting on “CyberCrime – the New Normal,” Vazquez highlighted how malicious insiders facilitate cybercrime by:</p>
<blockquote><p>helping people on the outside to perpetrate fraud either directly or indirectly has been discounted. “Something as benign as someone leaving the company and sending their entire contacts list to their AOL account may not seem like a big deal, but if a hacker got their hands on that, they would have the tools to do a great social engineering scam because they would know who employees and clients are and who they report to, which can be used for spear-phishing.”<span id="more-332"></span></p></blockquote>
<p><a href="http://www.riskuniverse.com/HomePage.aspx">Check out the full article and the new publication here</a>. (Free registration required.)</p>
<p>Vazquez touched on a few other key issues, including IT consumerization, where users bring their own devices to work. That phenomenon has upped the stakes and increased the risk for organizations trying to keep tabs on malicious insiders.</p>
<p>Lastly, Vazquez touched on a counterintuitive fact about risk management; while many firms have the tools they need to identify malicious insiders, they lack a holistic and end-to-end perspective on operational risk, which greatly hampers their risk management efforts:</p>
<blockquote><p>“You need to have a malicious insider’s mind-set. The good news is that most financial firms have all the tools they need in house … In most financial services firms and many corporations the businesses are siloed – they are segmented and there is often no clear understanding of business processes from end to end. The failure to have that end-to-end understanding of the business becomes an opportunity for the cybercriminal, because they are able to create a scheme in a silo that isn’t detected by other parts of the business until it gets big enough but by then it’s too late.”</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/02/10/infinitive-insight-on-cybercrime-the-new-normal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Crisis Management: Contrasting Leadership Styles</title>
		<link>http://insight.infinitive.com/2012/02/01/crisis-management-contrasting-leadership-styles/</link>
		<comments>http://insight.infinitive.com/2012/02/01/crisis-management-contrasting-leadership-styles/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 15:24:17 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Best practices]]></category>
		<category><![CDATA[Culture]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Proactive]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=325</guid>
		<description><![CDATA[CEOs and the chief risk officers who work for them are being tested far and wide these days as all sorts of data breaches, natural disasters and self-inflicted reputational wounds fill the headlines. Clearly, more organizations understand that senior leadership &#8230; <a href="http://insight.infinitive.com/2012/02/01/crisis-management-contrasting-leadership-styles/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>CEOs and the chief risk officers who work for them are being tested far and wide these days as all sorts of data breaches, natural disasters and self-inflicted reputational wounds fill the headlines. Clearly, more organizations understand that senior leadership must react when major security events or other issues arise in this brave, new (and much riskier) world. A few recent examples demonstrate the range of crisis leadership styles.<span id="more-325"></span></p>
<p>Stratfor, the global security consultancy, suffered an attack by “hacktivists,” who shut down its site. The company’s silence in response received <a href="http://www.nytimes.com/2011/12/30/technology/hacker-attacks-like-stratfors-require-fast-response.html?_r=2">pretty negative press</a>. Slowly, however, Stratfor got the point that they had to share some information and updates. Interestingly, they turned to Facebook to do it. And ultimately the CEO acknowledged the company’s failure to encrypt certain data.</p>
<blockquote><p>&#8220;It was a truly unforgivable failure and I feel awful about it … Sometimes in rapid growth, you make a mistake. That&#8217;s not an excuse, that&#8217;s not a justification &#8230; It&#8217;s an explanation.&#8221;</p></blockquote>
<p>The company certainly waited too long to notify its customers and others about what went wrong and how they were addressing it, but at least in the end they came clean and took accountability.</p>
<p>Compare that to the highly proactive approach taken by Zappos, which sent out an email to all its customers when it experienced a <a href="http://articles.latimes.com/2012/jan/17/business/la-fi-zappos-hack-20120117">significant breach</a> of customer information:</p>
<blockquote><p>First, the bad news: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com … THE BETTER NEWS: The database that stores your critical credit card and other payment data was NOT affected or accessed.</p></blockquote>
<p>On the one hand, we admire the proactive attitude. It was good that customers first heard about the breach from the company itself, rather than from the news media. Further, the candid, down-to-earth tone of the email fit the Zappos brand. The company was saying, in effect, <em>“Here’s what happened and here’s why it’s not the end of the world.”</em></p>
<p>They also took real steps to deal with customers, putting an “all hands on deck” sales team to work helping customers change passwords. CEO Tony Hsieh communicated to both customers and employees:</p>
<blockquote><p>&#8220;We&#8217;ve spent over 12 years building our reputation, brand, and trust with our customers. It&#8217;s painful to see us take so many steps back due to a single incident. Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.&#8221;</p></blockquote>
<p>While this seems to have been a very serious attack, there could be some risk of overcommunicating or communicating too soon (especially as such attacks become more common). At some point, organizations will need to balance the need for transparency with all customers versus the need to amp up their monitoring capabilities or place their risk team and Web operations group on high alert. Since it’s safe to assume that all types of companies around the world are under attack at all times, the question becomes, “when is the right time to communicate?” or “what is the threshold at which point we must notify customers?”</p>
<p>These issues underscore one principle of effective risk management – that is, leadership, communication and other cultural factors are as important as advanced monitoring technology or installing bigger locks. When top management comes out and acknowledges the challenges and issues, it sends a message to the rest of the organization that risk management matters.</p>
<p>While every security event is different, we recommend to our clients that they have a clear plan and process in place for evaluating their communication options and deciding on the best course of action, including whether and how to position senior leadership. Further, we recommend they do some “testing” and “role-playing” to see how they respond in simulated crisis. In our work, we have seen how companies that plan and challenge their teams are more likely to respond properly and effectively within a crisis situation.</p>
<p>The bottom line is that these are all elements in a strong proactive risk management strategy. Because if we know anything, it’s that sooner or later, nearly every company on the planet will have to respond to a difficult risk or security situation that gets in the news.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/02/01/crisis-management-contrasting-leadership-styles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reinventing the Toilet &amp; Rethinking Risk</title>
		<link>http://insight.infinitive.com/2012/01/27/reinventing-the-toilet-rethinking-risk/</link>
		<comments>http://insight.infinitive.com/2012/01/27/reinventing-the-toilet-rethinking-risk/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 19:55:54 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Best practices]]></category>
		<category><![CDATA[Culture]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=318</guid>
		<description><![CDATA[This video below, which is about reinventing the toilet to prevent disease in developing countries, caught our eye and inspired us in a couple of different ways. First of all, we’re fans of anyone who is willing to take on &#8230; <a href="http://insight.infinitive.com/2012/01/27/reinventing-the-toilet-rethinking-risk/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>This video below, which is about reinventing the toilet to prevent disease in developing countries, caught our eye and inspired us in a couple of different ways. First of all, we’re fans of anyone who is willing to take on the world’s biggest problems and apply unconventional thinking and highly creative approaches to solving them.<br />
<object width="400" height="244" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://www.gatesfoundation.org/_layouts/swf/Multimedia/player.swf" /><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="flashvars" value="file=http://gates.edgeboss.net/download/gates/gfo/toilet-web-video.mp4&amp;image=http://www.gatesfoundation.org/watersanitationhygiene/PublishingImages/how-video-still-480x270.jpg" /><embed width="400" height="244" type="application/x-shockwave-flash" src="http://www.gatesfoundation.org/_layouts/swf/Multimedia/player.swf" allowfullscreen="true" allowscriptaccess="always" flashvars="file=http://gates.edgeboss.net/download/gates/gfo/toilet-web-video.mp4&amp;image=http://www.gatesfoundation.org/watersanitationhygiene/PublishingImages/how-video-still-480x270.jpg" /></object></p>
<p>To say these folks are thinking outside the box (or should we say outside the bowl?) is a major understatement. For instance, most Americans would see no need to reinvent the toilet; plumbing here works just fine. But in the developing world, a lack of water and of funds to invest in sewage systems means you’ve got to solve a basic sanitation problem through different means – hence, a reinvented toilet.<span id="more-318"></span></p>
<p>Similarly, risk management professionals, who have to stare down impossible-seeming challenges all the time, can benefit from a major rethinking of their organizations’ risk profiles, as well as their risk management approaches. Unfortunately, corporate culture is frequently cited by risk managers as an impediment to positive and sustained change, especially when it comes to creative problem-solving. That’s a plumbing challenge risk managers have to be clever and creative to solve.</p>
<p>We strongly believe that passionate and creative risk managers can change organizations as well as be innovative in addressing the many “cr*ppy” problems (this is an article on toilets) they have to face these days – everything from cybercrime and hackers to malicious insiders and costly compliance processes. New and fresh thinking is required because the nature of the threats changes all the time.</p>
<p>The point is, innovative thinking and effective risk management “plumbing” help sanitize organizations from a wide range of threats and keep information flowing through the organization hygienically and efficiently.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/01/27/reinventing-the-toilet-rethinking-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Olympus: &#8220;Rotten to the Core&#8221;</title>
		<link>http://insight.infinitive.com/2012/01/03/olympus-rotten-to-the-core/</link>
		<comments>http://insight.infinitive.com/2012/01/03/olympus-rotten-to-the-core/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 11:00:53 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Culture]]></category>
		<category><![CDATA[Leadership]]></category>
		<category><![CDATA[Reporting]]></category>
		<category><![CDATA[Risk management]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=281</guid>
		<description><![CDATA[The news from Olympus keeps getting worse. Japanese authorities raided the company’s headquarters in Tokyo. And a recent report from an independent panel investigating the company’s accounting chicanery described top management as “rotten to the core.” Further, it recommended Olympus &#8230; <a href="http://insight.infinitive.com/2012/01/03/olympus-rotten-to-the-core/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-287 alignright" title="rotten apple" src="http://insight.infinitive.com/files/2012/01/rotten-apple.jpeg" alt="" width="211" height="235" />The news from Olympus keeps getting worse. Japanese <a title="Raid on Olympus" href="http://online.wsj.com/article/SB10001424052970204791104577111360750127488.html?KEYWORDS=olympus" target="_blank">authorities raided</a> the company’s headquarters in Tokyo. And a recent report from an <a title="Olympus Rotten to the Core" href="http://edition.cnn.com/2011/12/06/business/olympus-scandal/index.html" target="_blank">independent panel investigating</a> the company’s accounting chicanery described top management as “rotten to the core.” Further, it recommended Olympus “remove its malignant cancer.”<span id="more-281"></span></p>
<p>Talk about your worst-case scenario for risk management professionals! These headlines are about as bad as it gets.  And in a classic case of closing-the-barn-door-too-late, Olympus released a statement about “taking this matter very seriously.”</p>
<p>We believe risk management is as much a matter of culture and leadership as it is of robust controls and sophisticated monitoring technologies – as the Olympus and MF Global scenarios highlight. And let’s not forget that the auditors at Olympus, who appear to have been missing in action, bear some responsibility as well.  See our previous take on Olympus <a href="../2011/11/10/whos-on-first-whats-on-second-and-wheres-the-auditor/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2012/01/03/olympus-rotten-to-the-core/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Christmas Carol: Risk Management Version</title>
		<link>http://insight.infinitive.com/2011/12/21/a-christmas-carol-risk-management-version/</link>
		<comments>http://insight.infinitive.com/2011/12/21/a-christmas-carol-risk-management-version/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:12:25 +0000</pubDate>
		<dc:creator>Ray Vazquez</dc:creator>
				<category><![CDATA[Best practices]]></category>
		<category><![CDATA[Proactive]]></category>
		<category><![CDATA[Risk management]]></category>

		<guid isPermaLink="false">http://insight.infinitive.com/?p=276</guid>
		<description><![CDATA[In the famous holiday tale by Charles Dickens, Ebenezer Scrooge is visited by three ghosts who warn him about the error of his greedy, miserly ways. Ultimately, they inspire him to become a better man &#8212; more compassionate, generous and &#8230; <a href="http://insight.infinitive.com/2011/12/21/a-christmas-carol-risk-management-version/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-277 alignright" title="christmas carol" src="http://insight.infinitive.com/files/2011/12/christmas-carol.jpg" alt="" width="123" height="150" />In the famous holiday tale by Charles Dickens, Ebenezer Scrooge is visited by three ghosts who warn him about the error of his greedy, miserly ways. Ultimately, they inspire him to become a better man &#8212; more compassionate, generous and open to feeling the Christmas spirit.<span id="more-276"></span></p>
<p>Risk management pros would do well to consider how their companies might benefit from a similar haunting. Indeed, the ghosts of risks past, risks present and risks yet to come might teach us valuable lessons that would significantly improve our lives.</p>
<p><strong>Ghosts of Risks Past</strong>:  Scrooge was once a sweet and innocent little boy, as his first ghost reminds him, and he’s touched to recall the days when he wasn’t obsessed with penny-pinching. Many risk management pros may recall a similar time when the pressure wasn’t so intense and threats so diverse.</p>
<p>While we can’t go back to the good old days (which had plenty of their own risks), we can try to learn from the common mistakes. For one thing, don’t always try to solve the last security incident or patch over the gap that caused the last breach. It’s a huge temptation. We believe that risk management should be proactive and forward-looking. That means listening to the ghosts of risks past, heeding the lessons and applying them to the current risk profiles and those most likely to emerge tomorrow.</p>
<p><strong>Ghosts of Risks Present</strong>: Speaking of current threats, could this ghost be any scarier? Consider the headlines – floods and other natural disasters wiping out global supply chains; cybercriminals using ever more sophisticated and powerful means; malicious insiders at the top and bottom of every org chart; huge incentives to engage in accounting chicanery. If you want to look on the bright side (it’s the holidays after all), risk managers may have real job security.</p>
<p>Seriously, though, many companies must rethink their approach to risk management. It’s not about building heavier locks and higher walls, but rather actively visualizing risk and instilling sound risk management practices into core business processes. Top-performing risk management functions understand the ghost of risks present and operate with real urgency. Of course, the key to getting it right in the present is to incorporate the lessons of the past and think strategically about risks yet to come.</p>
<p><strong>Ghosts of Risks Yet to Come</strong>: The essential challenge in risk management today may be to strike the right balance between current risks (those that keep us awake this very night) and risks yet to come (those that will keep us awake tomorrow night). That requires having some predictive capabilities based on a clear understanding of where current vulnerabilities are, and finding opportunities to advance the business through superior risk management practices.</p>
<p>Of course, the ghost of risks yet to come teaches us that the lessons of tomorrow are what happened yesterday and today. As Scrooge says:</p>
<blockquote><p>&#8220;I will honour [Risk Management] in my heart, and try to keep it all the year. I will live in the Past, the Present, and the Future. The Spirits of all Three shall strive within me. I will not shut out the lessons that they teach.”</p></blockquote>
<p>Merry Christmas and happy holidays to everyone!</p>
]]></content:encoded>
			<wfw:commentRss>http://insight.infinitive.com/2011/12/21/a-christmas-carol-risk-management-version/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>