Cyber’s Human Side

People are often tired, distracted and overworked. They are bound to make mistakes, inadvertently overlook policies and procedures and have quick lapses in judgement—forgetting hours and hours of training.

Human error is a significant problem when it comes to managing cyber exposures. Most cyber surveys point to people as the root cause of a breach.

The Information Commissioner’s Office (ICO) compiles statistics about the main causes of reported data security incidents. In its first 2018 quarterly report, four of the five top causes reported to them involved human errors:

  1. Loss or theft of paperwork – 91 incidents
  2. Data posted or faxed to incorrect recipient – 90 incidents
  3. Data sent by email to incorrect recipient – 33 incidents
  4. Insecure web page (including hacking) – 21 incidents
  5. Loss or theft of unencrypted device – 28 incidents

James Bone, author of “Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind,” will lead a RIMS webinar Aug. 23 that explores the cognitive risk framework. Bone asks: are risk professionals considering the “human element” in their cyber risk management plan?

According to Bone, “The purpose of creating the cognitive risk framework is to begin to educate risk professionals about the need to incorporate the human element into their risk programs, to identify areas where human error or lapses can cause significant damage, and then design effective solutions.”

Bone points to the airline and automotive industries as examples where the value of human element risk management planning has already been realized. “Automation in cockpits, navigation systems, lane assistance technology and, even something as simple as the seatbelt demonstrate organizations’ and industries’ attention to human error risk mitigation.”

“All of us have a limit in our ability to work and focus at a very detailed level for long periods of time,” Bone said. “The ability to design a work environment that simplifies the work that people do will help reduce risk.”

And, while human error is a piece of the cyber risk management puzzle, it isn’t the only human element cyber concern. Human routine, tendencies and employee processes are constantly monitored by cyber predators. “A sophisticated hacker can spend up to 18 months to two years setting their strategy to attack your organization,” he said. “They are studying the rhythm of the workflow and the movement of data across the firm. They gain a tremendous advantage by just sitting silently and watching.”

Implementing a cognitive risk framework is no easy task. The key is data. “A lot of data is mislabeled, making it difficult for risk professionals to see the connection between an end result and the human behavior that caused it. In order to use data to its fullest, it needs to be properly categorized with descriptors that allow risk professionals to be able to leverage it,” Bone said.

Organizations with risk frameworks that fail to incorporate the human element are, in his opinion, acting on assumptions. “They are assuming people will be able to follow thousands of policies and procedures with perfect accuracy every time,” he explained. “We shouldn’t assume that people won’t be distracted at work and click on phishing emails. We shouldn’t assume that people will change their passwords as frequently as we want them to. We shouldn’t and can’t be afraid to incorporate new ideas and solutions to improve routines or, at least, make them more difficult to track.”

People are the common denominator. They are not perfect by any means, but incorporating a cognitive risk framework can be a valuable advantage that allows organizations to stay ahead of human element risks while identifying opportunities to improve processes and increase productivity.

Data Breach Risk: What’s Next?

Ten years ago, many companies didn’t even ask about using encryption to protect data. Over the years, that has changed. More security and privacy professionals began to see it as an option in their cybersecurity defense.

Then it eventually became a necessary component of most companies’ security strategies and the use of encrypted laptops became a condition precedent for many cyber and privacy insurance policies.

Now, after strengthening their cybersecurity with encryption and other measures, companies need to identify the next potential data exposure points where bad actors can likely turn their attention. One overlooked vulnerability is the visual display of sensitive data on screens.

Protect Visual Privacy
Not every risk management, security and IT professional is familiar with visual hacking, but they should be.

Visual hacking is the unauthorized capturing of sensitive, private or confidential information for unauthorized use. It can include visually stealing information from someone’s phone screen, viewing information left on a printer at work or taking advantage of any other information left in plain sight. Very likely, it is already happening to workers in your organization.

It is commonplace for professionals who travel for work to access sensitive corporate material on the go. They could be riding on a train, plane or bus and simply open their laptops, giving those seated next to them full view of their work. In these situations, no one can be certain they are not exposing sensitive information—even something simple like a network username. It is not likely such a road warrior can be aware at all times whether another person is viewing or capturing what’s on their screen.

A study conducted by the Ponemon Institute revealed that 87% of mobile workers have caught someone looking over their shoulder at their laptop in a public space. Yet, despite this potential risk, more than half of mobile workers surveyed said they took no steps to protect important information while working in public.

Visual privacy risks don’t just exist outside the office. A worker who steps away from his or her computer or has a screen facing a public walkway can also expose highly sensitive data to onlookers.

Reduce Your Risk
As with any risk, companies should evaluate the severity and potential frequency of visual privacy exposures to better understand their risk. An insurance broker can help determine if insurance coverage is available for these risks or if insurance premium credits may be available for implementing additional safeguards.

There are other steps any organization can take to reduce the risk of visual hacking. Working with IT departments and information-security officers, companies can implement small, easy changes to existing policies and procedures.

For example, companies can deploy privacy filters on laptops or mobile devices that darken screen data when viewed by onlookers from the side. These filters can also be fitted on device screens in an office to help limit the views of potential insider threats. For example, a receptionist should likely have such a privacy screen in place if his or her screen can be viewed by visitors.

Clean-desk policies should also be in place. Such a policy can reduce the display of sensitive information in printed and electronic forms when workers are away from their desks.

Workers should also print or store sensitive information in locked areas and use crosscut shredders to destroy sensitive material.

Finally, because visual privacy can only exist if workers adhere to policies, training is obviously important. Workers should be trained on the importance of visual privacy and being aware of their surroundings. They should also receive regular training on an organization’s privacy policies and associated safeguards.

Tackle Uncertainty with Certainty
Visual privacy may seem like an additional, unnecessary risk management burden to bear. But, like any other potential threat to sensitive data, it deserves attention. After all, a visual hack can leave no trace of when, where or how it happened—and such uncertainties may become problematic when addressing a data breach.

The Data Analytics Adventure

Is your audience changing? Are your products still relevant and addressing customers’ needs? Are there opportunities for organizations to predict—or at least make an informed guess—about the future of the market or other trends? Answers to these difficult questions are often buried in the overwhelming amount of data organizations are already collecting and storing.

In this digital age, data analytics is a hot topic for businesses and their risk professionals. In fact, nearly half of the survey respondents (46%) from the RIMS MARSH Excellence in Risk Management XV survey agreed that to successfully become digital, using data and analytics to unlock value and make decisions faster was critical.

Where to begin?
Gathering, organizing and understanding data can be such a daunting task that many often choose to put it off for “another day.”

Paul Koziatek, Enterprise Risk Manager for Coca-Cola Beverages Florida, LLC and an upcoming presenter for RIMS’ Aug. 2 webinar titled “Mother Lode—Driving Results from Your Data Analytics,” offered strategies for risk professionals to get their hands dirty and embark on this data-crunching adventure.

Before getting started, risk professionals must realize that data analytics is an ongoing process, not a project. “One of the biggest misconceptions is that it is a one-off deal,” he said. “It’s the complete opposite. Data analytics is a living, breathing adventure. If you go in with a project-like mindset, you’ll be doomed from the start.”

A great advantage risk professionals have today is the software available to them. “There are a lot of risk professionals who are under the impression that data analytics software is expensive. That might have been the case several years ago, but now RMIS systems can be tailored to meet specific needs and purchased in pieces.”

Additionally, he notes that data analytics programs must constantly be reevaluated. As information begins to trickle in, risk professionals might have to take a closer look at what they are requesting. “Risk professionals should examine and maintain the program frequently because the original variables used to obtain the data might not always produce the same outcomes.”

Engaging co-workers
A data analytics program requires information and clarification from various subject matter experts from a range of business units. To build these relationships, risk professionals need support from leadership to ensure others in the organization are committed to the process and aware of leadership’s expectations.

With that support, risk professionals can overcome a lack of urgency from others in the organization. “There is a potential to hear feedback such as ‘There is not enough time,’ or ‘We’ll get to that later.’ It is the risk professional’s job to help department leaders see that risk management can create value and is not just a cost-center,” Koziatek said. “Consider those experts as tools and resources. They are going to be the ones who pull the data and provide what it is you need. The ability to explain to those experts exactly what you need to get the job done is important. If that’s not accomplished, you can wind up with a bunch of usable or corrupt data.”

He added, “Sales, marketing and planning teams are a great place to start. Some organizations already have the tools, packages and software risk professionals need to analyze data.”

Quick Wins
Quick wins will be a bit different for every organization. Many data analytic adventures get started because of a legacy of bad workers’ compensation cases or a rash of claims against the organization. “For some, a quick win might be focusing the program on a hot, troublesome and expensive activity to quickly reduce the cost of the risk.” Key to determining what might constitute a quick win is understanding the business’s strategy. “Listen to the board of directors, to the CEO and CFO. Then tailor your analytics to that communication and help drive the company’s strategy,” Koziatek said.

Realizing the Value
Data analytics is like a treasure hunt. With the right information, guidance and support, organizations and their risk professionals can discover hidden potential, revenue streams, cost-saving measures and new opportunities.

More than figuring out where the weak points are for the organization, data analytics uncovers connections. “Data analytics is all about the correlation between different variables and outcomes. It offers great value by allowing risk professionals to identify those variables before it’s too late,” Koziatek said.

He points to workers’ compensation and employee-related injuries as an example of data analytics at its best. His organization found that the frequency of injuries and claims was highest among short-term employees (two years or less). Thus, the correlation between claims, length of employment and training was quickly realized. “Without data analytics it might take an organization much longer to really identify the root cause of the activity and, as time goes by, more money can be lost.”

Data analytics’ greatest value for the risk professional is its ability to justify and gain even more support for risk management initiatives. “There is nothing more important than having the data to back up my solutions, my ideas and my needs. That is what the board, senior executives and business leaders want to see. Without these analytics, their outcomes and the reports we produce as a result, it would be extremely difficult to ‘sell’ my ideas to leadership,” Koziatek concluded.

Resiliency in 2018: Q&A With BCI’s David Thorp

Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.

We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.

Risk Management Monitor: What companies have best demonstrated resilience?

David Thorp: A few examples of organizations that have displayed a high level of resilience are Apple, TomTom, and PostNL.

Apple displayed resilience when they reemployed Steve Jobs to reshape the company.

TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:

  • produced navigation software for PDAs (personal digital assistant)
  • produced its own navigation devices
  • developed live traffic information
  • acquired a digital mapping company
  • developed navigation software for smartphones
  • struck up deals with car manufacturers

PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.

RMM: What do organizations most commonly overlook in their continuity planning?

DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.

Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes.

Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.

RMM: Why do so many companies overlook their continuity planning and emergency preparedness?

DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:

  1. know about continuity planning and emergency preparedness
  2. understand their risk
  3. understand its value before there is a possibility of it being implemented

By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.

RMM: How much time and effort does creating and initiating a business continuity plan take?

DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations, it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.

RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?

DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.

RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?

DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.

RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?

DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of disciplines within an organization working closely together toward a common purpose. Risk management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.

The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.