Over six years later approaching 2017,
Operational Risk Management (ORM) professionals are experiencing the
"New Normal." In a 2010 CSO Magazine sponsored eCrime Digital Watch
Report
and survey of 535 companies there are some observations on Operational
Risk Management worth examination.
This CERT report the same year was focused on the "Insider Threat" and the area of concern is still on "Digital Incidents by Insiders." Seven years later, these numbers have only increased:
- Past 12 months the number of incidents reported increased 16%
- The per incident monetary loss (mean) was $394,700.00
Yet
these two items are just the trend these days as our global work place
becomes more mobile and stratified using more partners, offshore
suppliers and other 3rd parties to accomplish the daily tasks and
workloads. What is even more alarming are the following stats from the
survey:
- 72% of the incidents were handled internally without any legal action or law enforcement.
- 29% of these incidents could not identify a subject responsible for committing a crime.
- 35% of these incidents could not proceed due to a lack of evidence.
Interpreting these numbers prompts several questions worth discovering. First, why were 28% of the incidents handled with some form of legal action or law enforcement?
One of two reasons that we can surmise. The incident was exposed to
the public as a result of the magnitude or harm that was caused by the
incident. The organization was prepared to capture evidence, properly
investigate the incident and pursue a recovery of the loss either in a
civil or criminal process of law.
Second, why were 35% of the incidents unable to proceed due to a lack of evidence?
The organization may be lazy or apathetic to these loss events or may
have an insurance policy that covers these types of losses and was able
to successfully recover the almost $400,000.00 incident average through
this process.
Or, the organization is not capable of
leveraging a sound "Digital Governance" and "Legal Policy" framework in
order to properly investigate incidents that come from their own
internal work place ecosystem of employees, partners, suppliers and
other 3rd parties.
In order to gain "Strategic Insight"
into these vital Operational Risk matters within the enterprise the
organization must establish an intelligence-led investigation. Once the
proper evidence collection and analysis is completed on the incident
then members of a corporate crisis team or threat management council can
make more informed decisions. That brings us to the final question. Why in 71% of the incidents was a subject not identified as being responsible?
The answer to this question has much to do with the previous one where there was a lack of evidence. However, our hunch is that many of these insider incidents were the result of an employee error, mistake or unintended consequences. The lost or stolen laptop from the unlocked car may fill some of this category.
Why would it be in the best legal interest of an organization to have a robust evidence collection capability supported by a sound "Policy Governance and "Legal Framework"?
- Duty of Care
- Duty to Warn
- Duty to Act
- Duty to Supervise
This
blog has touched upon these four vital areas of vulnerability to
adversarial litigation in the past because we know that whether you ask
these questions internally or the state's Attorney General and the FBI
ask these questions the answers must be discovered:
- What did you know?
- When did you know it?
- What are you doing about it?
While
the number of loss events due to errors or omissions and many times due
to a lack of proper training and awareness programs is growing, so are
the incidents as a result of the insider threat from:
- Fraud
- Sabotage
- Espionage
- Trade Secrets Theft
The
modern day enterprise with preemptive, robust and collaborative law
enforcement mechanisms in place has accepted the reality of the threat
perspectives in their workplace ecosystem:
- Some individuals who make threats ultimately pose threats.
- Many individuals who make threats do not pose threats.
- Some individuals who pose threats never make threats.
Make
sure you read those a few times. As a result of the reality that the
workplace ecosystem is an evolving, dynamic and rapidly changing set of
human elements, behaviors and motivations the justification for creating
more "Strategic Insight" is a necessary mitigation strategy. There is a
growing trend today for these enlightened organizations to create and
effectively provide the resources for a corporate threat management
team. This team is comprised of a spectrum of members that span the
digital to physical domains within the company. This includes the Chief
Risk Officer, General Counsel, Internal Audit, Public Relations, Human
Resources, Corporate Security and Information Technology.
In another less formal survey by Dr. Larry Barton
of 630 employers the question was raised on the employee communication
channel that caused the company to act on a risk. 38% were through a
digital messaging medium such as e-mail, text messages and blogs or
social networking sites. The ability to monitor over one third of
employee communication channels remains a daunting task to this day.
Beyond
the utilization of threat assessment or management teams, enterprises
are going to the next level in creating a "Corporate Intelligence Unit"
(CIU). The
CIU is providing the "Strategic Insight" framework and assisting the
organization in "Achieving a Defensible Standard of Care."
The
framework elements that encompass policy, legal, privacy, governance,
litigation, security, incidents and safety surround the CIU with
effective processes and procedures that provides a push / pull of
information flow. Application of the correct tools, software systems
and controls adds to the overall milestone of what many corporate risk
managers already understand.
The best way in most cases
to defend against an insider attack and prevent an insider incident is
to continuously help identify the source of the incident, the person(s)
responsible and to correlate information on other peers that may have
been impacted by the same incident or modus operandi of the subject.
"Connecting The Dots" with others in the same company or with industry
sector partners increases the overall resilience factor and hardens the
vulnerabilities that are all too often being exploited for months if not
years.
In retrospect, you can be more effective
investigating and collecting evidence in your company to gain a
"DecisionAdvantage". To pursue civil or criminal recovery of losses
from these insider incidents, you may not go to law enforcement, but
it's likely they will come to you once they get a whistle blower report,
catch the attacker and/or they have the evidence that you were a
victim.
What side of the incident spectrum you are on,
either proactive or reactive could mean the difference on whether the
attackers continue their schemes and attacks while continuously
targeting those with the greatest vulnerabilities. In some cases, those
attackers include the plaintiff bar and your evidence of "Duty of Care"
is the bulls eye.