407-445-2414 info@wrmllc.com
The Promise and Risks of Receiving Appreciated Assets

The Promise and Risks of Receiving Appreciated Assets

It is not a risk-free proposition for nonprofit boards to make investment decisions that meet philanthropic goals. This is all the more difficult for those trustees without a background in finance. The simple answer is usually to allocate the investments conservatively and rebalance periodically to at least beat inflation and preserve capital. Large charities like university endowments turn to more sophisticated methods of portfolio diversification, expanding beyond stocks and bonds into vehicles like hedge funds, private equity, venture capital, and real estate.

The Conversation’s detailed article cautions that it is not enough to focus only on returns; in fact, it’s more important to consider risk-adjusted returns. In the case of digital currencies, it would have required nerves of steel for trustee investment committees to commit to pre-established decision-making processes to avoid the bitcoin crash in early 2018, after it rose by 1,318 percent against the US dollar in 2017.

These gains gave way to massive losses in the first eight months of 2018, when digital currencies plunged more sharply than the dot-coms crashed in the early 2000s.

Some charities that received massive cryptocurrency donations in 2017 may not have been able to convert them into regular money before they lost much of their value the next year. Silicon Valley Community Foundation, for example, disclosed in its 2017 audit report that for more than 45 percent of its investment assets, restrictions would prevent them from being converted to cash at any point in 2018.

The fact that charities only disclose their financial data once a year means that the scale of their at-risk wealth, as of now, is unknown.

There are more reasons than volatility to be concerned about holding onto investments of cryptocurrencies. Wallets and exchanges used to hold the investments can be hackedCompliance issues abound. Regulators are still catching up to the IRS ruling in 2014 that treated digital currency as a form of investment property. The sweeping new tax billpassed into law last December may bring more change. Inasmuch as digital money ledgers for transactions are owned and maintained by the users of the systems rather than controlled by a government or a central bank, it is difficult to predict how government will eventually choose to manage this revolutionary type of money.

The Conversation article goes on to examine other forms of appreciated assets being given by a shrinking group of ever-wealthier donors and the “charitable middlemen” needed to help facilitate these donations.

Fidelity Charitable got 61 percent of its donations in assets other than cash in 2017. Other prominent donor-advised fund sponsors saw a similar result. Schwab Charitable obtained over 70 percent of its 2017 donations in non-cash assets. In the last month of the year, that figure was 80 percent for Vanguard Charitable.

These fast-growing charities bring a key skill: harvesting capital gains. That is, they accept tax-advantaged donations, hold onto that wealth, and—in most cases—transfer the money derived from those assets to the donor’s charities of choice when the donor asks.

For nonprofits, it could be said that today’s donor classes are creating as many challenges as solutions. As government funding continues to diminish for many of the issues addressed by the nonprofit sector, private philanthropy becomes all the more important, and along with it, the skills to properly raise, receive, and manage the forms and flavors in which it is given.

Author: Jim Schaffer
Source: Nonprofit Quarterly

Why Assigning A Risk Owner Is Important And How To Do It Right

Why Assigning A Risk Owner Is Important And How To Do It Right

Falling in the middle of the risk management cycle (after developing risk appetite and tolerance and identifying, but before assessing and analyzing risks), the organization then must identify who will “own” or be responsible for a particular risk.

Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)

Assigning an owner for these risks is important for a few reasons…

One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.

Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.

The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.

It’s important to understand that ERM does not actually manage risks, which is a common misnomer. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.

The only exception to this rule is if the risk function is responsible for insurance, business continuity, or similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.

In what circumstance will the organization need to assign a risk owner?

Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottoms-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.

Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.

Iconic cosmetics brand Estee Lauder for example has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.

In short, a risk owner needs be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.

More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.

You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.

Risk OwnershipKey ConsiderationsChallenges, and Options

I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.

Key Considerations

  1. Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
  2. Properly train on risk owner responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
  3. Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.

Challenges

One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.

In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.

And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culturethroughout the entire organization.

Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.

(Click here to learn more about risk management that occurs within a singular business unit vs. a top-level, enterprise-wide process.)

To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…

During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other commonly known software tools organizations commonly use include Logic ManagerMetricStreamCURA, and Sword Active Risk. But there are plenty of other options out there, like Aviron Financial SolutionsAudit Comply, and Vose Software, to name a few…

Options

When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…

Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.

Individual risk owner

If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the oneperson held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.

When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.

Another point to consider when determining an individual risk owner is assigning accountability by position rather by name.  (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.

One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.

Group ownership

For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.

However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.

These management-level risk committees can benefit the organization in many ways, including building a positive risk culture. Click here to learn more about oversight…

As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).

A Word of Caution

Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.

This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.

If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.

Source: ERM Insights

Top 5 Cannabis Legalization Issues for Employers

Top 5 Cannabis Legalization Issues for Employers

5 Cannabis Legalization Issues for Employers

1. Tolerance

Many employers are wondering what level of tolerance they should implement for cannabis use in the workplace. What do they do if an employee is impaired on the job?

It’s important to recognize that just because marijuana is legal does not mean employees can be impaired in the workplace. Just like alcohol, it is not acceptable for an employee to be under the influence on company time, and this is very clear in the new laws.

However, zero tolerance may not be the best route unless employers can absolutely prove that sobriety is a bona fide occupational requirement. Otherwise, a dismissed or disciplined employee could file a human rights or wrongful dismissal lawsuit — and they may win. Employers should check with their lawyers for a case-by-case analysis of tolerance levels.

Some lawyers have recommended a “low-tolerance” policy: addressing the concern if and when it appears and only moving forward to dismissal when there is a repeat violation. Consider this: an employee goes out for lunch one day and has a couple of drinks before returning to work. If this becomes a regular occurrence and lowers performance, it may be necessary to have a conversation and move towards termination if the situation doesn’t change. However, the employee would likely not be immediately dismissed for a one-time occurrence. The same idea may be applicable to marijuana use.

In addition, employers must consider the use of medical marijuana. Cannabis consumption with a prescription has been legal since 1999 for the treatment of various disorders and conditions. While medical marijuana in the workplace may not be new, employers must be careful not to discriminate against these users with new tolerance policies. They must accommodate medical marijuana to the point of “undue hardship”. Consider asking these employees what accommodations they need and what tasks they are able to perform, and make any necessary changes to their duties.

2. Safety

In particular circumstances, employers do have the right to implement a zero-tolerance policy. In “safety sensitive” positions, such as those involving driving or the operation of heavy equipment, employees must be strictly sober for the protection of themselves and others. In these situations, employers can place a ban on cannabis consumption (similar to alcohol consumption) during work hours or in a designated time period before work begins.

Once again, employers are required to accommodate medical users. For example, an employee could be transferred to a different role that is not safety sensitive.

3. Drug testing

Testing for cannabis impairment has not been fully addressed by the government prior to legalization. There are a few key issues in this area:

  • THC (the component of marijuana that makes a user impaired) stays in the body much longer than other substances such as alcohol. Its presence in the body does not necessarily mean that the user is currently impaired.
  • The Charter of Rights and Freedoms would likely prevent any kind of random drug testing in the workplace from being lawful. This would be seen as an invasion of employees’ privacy rights.
  • Drug testing is currently only permitted in very specific employment situations, where safety is a key issue or there are reasonable grounds (for example, if there has been an incident or there is a strong reason to believe the employee is under the influence).

Until there are federal regulations in place to resolve these uncertainties, employers should be very cautious in implementing marijuana testing. In the meantime, they can use assessments of behavior and conduct in place of a hard test. If an employee is regularly underperforming and showing signs of impairment, it may be time to have a conversation. For a more in-depth discussion on drug testing in the workplace, check out this Huffington Post article.  

4. Creating new policies

An employer should consider implementing new workplace policies to address the legalization of marijuana. 
After carefully constructing a tolerance policy considering all of the above factors, employers must ensure it is well-known. For example, employees could receive training on the new policy and marijuana use. The policy should also be displayed and distributed to each employee, perhaps through email.

The tolerance policy must clearly define what is acceptable and what behaviors may be grounds for disciplinary action or dismissal. Doing so ensures the employer will have a strong defence if and when actions are necessary.

Cannabis consumption must also be considered in other workplace policies, such as smoking in designated areas on company property and scent-free policies.

5. Marijuana Stigma

Many members of Canadian society may stereotype marijuana users. These users are assumed to look and behave in a certain way. Now that recreational cannabis is legal, these ideas may become stronger.

As an employer, be careful not to make assumptions about employees. While some managers may not agree with marijuana usage, it is now legally permitted. This means employees cannot be judged on their personal choice as long as it doesn’t impact their ability to do their job. There won’t necessarily be any of the attendance or performance issues that employers fear. Take these situations on a case-by-case basis, similar to any other performance problem.

In certain face-to-face professional settings, employee marijuana consumption may create reputational issues. In these circumstances, employers must carefully construct tolerance policies to find the balance between employees’ choices and customer opinions.

Whenever new legislation comes in, organizations as well as the rest of society must go through an adjustment period. While adapting to marijuana legalization, employers should consult with lawyers before making policy decisions or changes.

By carefully considering new policies and employee safety, employers are prepared to face the risks of cannabis legalization. Ideally, severe issues will not arise and employers can mainly continue as normal. But as in any risk situation, it always pays to be proactive.

Ten key topics to cover in cybersecurity awareness training

Ten key topics to cover in cybersecurity awareness training

Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.

In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favored approach.

1. Am I really a target?

Most cybersecurity awareness training begins by talking about security threats. It seems logical. But doing so may be a mistake – because of the human bias for optimism.

As people, we tend to harbour an inherent bias for optimism. Most of the time, it’s a helpful trait. When it comes to cybersecurity, though, our inherent bias for optimism means most of us struggle to imagine ever really being victims of cybercrime.

A good cybersecurity awareness campaign needs to address this upfront – because discussing threats is largely pointless unless message recipients believe the threats to be relevant and applicable to them. Cybersecurity awareness training should, therefore, begin by overcoming a key reservation to taking training seriously. It should begin by discussing why those taking the training are indeed targets.

2. Preventing identity theft

Identity theft remains the most prevalent form of cybercrime. As such, preventing identity theft is key to any good cybersecurity awareness training campaign. As well as information on preventing identity theft, cover the warning signs and the dangers of oversharing on social media.

It may also be worth demonstrating how simple it now is to steal an identity. Such demonstrations help make training emotional, and behavior change research shows emotions have an unrivalled ability to change the way people behave. Demonstrating how simple it now is to steal an identity can therefore change not just security awareness but security behaviors, too – which should be a key aim of any security awareness training campaign.

3. Passphrases and multi-factor authentication

Today, what constitutes a secure password is becoming increasingly clear. And yet, according to the password manager SplashData, 123456 is the most common password in use today.

Including information on passphrases – ie, secure passwords that are easy to remember – as well as teaching users how to create and remember them, is essential in any cybersecurity awareness training campaign. Be sure to include information on multi-factor authentication and build in time for people to update old passwords during training.

Increasing security awareness is one thing – but changing security behaviors should be the real aim.

4. Public Wi-Fi

The ongoing rise of remote working coupled with an increase in the prevalence of unsecured public Wi-Fi, make training on public Wi-Fi essential.

It’s definitely worth including stories to highlight the personal and professional risks presented by unsecured Wi-Fi. Stories such as that of Howard Mollett, who reportedly lost £67,000 in a conveyancing scam, are unlikely to be forgotten.

However, to really drive training content home, consider demonstrating the additional personal benefits that come from using VPN, such as how to stream your favorite Netflix shows no matter where you are in the world!

5. Social engineering, including phishing and SMShing

The UK government’s 2018 cyber security breaches survey recently polled UK businesses on their experience of breaches. 75% of those that had suffered a breach had done so following “Fraudulent emails or being directed to fraudulent websites” – ie social engineering and/or some form of phishing. Cyber security awareness training should therefore give special focus to both phishing and social engineering as a whole.

It’s worth thinking about how social engineering training is delivered, too. Many companies today highlight the dangers of social engineering through simulated attacks, which test people’s response to attacks “live” in the workplace. Such attacks are backed by behavioural change theory: as well as being emotionally engaging, they help modify people’s schema. Put simply, they train people to expect attacks and, as such, help modify how people respond to genuine day-to-day threats.

6. Browsing securely

The green padlock no longer marks websites as safe to use – a fact few people outside of security actually know. Few people still have configured their browsers to avoid tracking or form auto-filling. Advice on browsing securely is therefore essential to any security awareness training programme.

Given behavioural change as an overall aim, it’s worthwhile going through step-by-step guides on browser configuration.  

7. Device security

As with passphrase management, device security is an area which most are familiar with. Most people know the importance of antivirus software and most know how important it is to keep firewalls running. And yet malware infection remains prominent year in, year out. Why?

Again, it seems as though awareness is failing to change behavior. In the past, tried and tested content on device security has failed, so security awareness training on device security needs to go beyond what’s been done before.

Framing device security training in terms of the personal benefits users can expect is usually a good idea. For example, CybSafe’s module on device security opens with the line “This module will help you save money by showing you how to set up your computer securely.”

8. Malware

Related to device security is content on malware, which should cover the different types of malware and how infections occur. As research shows we tend to ignore security warnings, it’s worth including information on the importance of heeding security warnings, or even going one step further and decoding what ambiguously written security warnings are actually trying to say.

Including content on the signs of infection is also crucial. On average, it takes 197 days to detect a data breach or malware infection linked to data loss – yet the warning signs are often clear.

9. Breach recovery

Most security professionals agree on the naivety of failing to plan for a data breach – yet information on breach recovery is seldom included in security awareness training campaigns. The depth of subject matter necessary will vary depending on the audience. At the most basic level, people need to know how to report breaches. When training security teams though, more detail will be needed.

10. GDPR and data privacy

The General Data Protection Regulation is a far-reaching regulation and one that leaves those who handle data with some additional responsibilities.

Security awareness training that covers GDPR and, most importantly, puts it into context for various areas of an organization, not only helps organisations comply with the regulation, but reinforces the importance of the secure processing of data – an essential point, but one which some seem to have been forgotten.

All ten topics above are now covered in detail by the CybSafe platform, which updates not just as the threat landscape changes but also as your people’s security understanding and behaviours advance.

After learning about individual knowledge levels and behaviour patterns, CybSafe uses behavioural change insights to advance security awareness, behaviour and culture. At the same time, it uses machine learning to continually move key security metrics in the right direction, demonstrably reducing human cyber risk. To see how it works – as well as what’s included – arrange a free demonstration here.

Source: CybSafe

Managing Risk In A Connected World

Managing Risk In A Connected World

As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.

Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.

With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.

Connectivity Creates Opportunities and Challenges

Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.

Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”

IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates greater weakness that is very, very hard to get back after the fact and correct.”

Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”

Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.

“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”

“It’s a very complicated world that we live in right now, because the attacker and defense problem is highly asymmetrical,” Roesch adds.

The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.

The Danger of Giving in to Ransomware

Ransomware is like a thug with a gun: “Pay up, or your data gets it!”

Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.

Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”

James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.

Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.

Instead, organizations can take steps to defend themselves against ransomware. These steps include:

Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.

User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.

Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.

The Human Factor

While following security best practices is essential to network security, many organizations remain unaware of or pay little attention to, the weakest link in the security chain: people.

It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.

Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”

Meet the Evil Entrepreneurs

In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.

Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.

Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.

Weighing Risk Against Benefits

Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”

Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”

In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.

Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”

Author: CDW Brandvoice
Source: Forbes