“Unless you trust the sender, don’t click the link”

On February 12th, 2013, President Obama signed an Executive Order, "Improving Critical Infrastructure Cybersecurity." Under the order, government agencies are expected to draft standards and share information regarding unclassified cyber threats. In theory, the government and private industry will collaborate on this critical priority and develop voluntary standards, i.e. "Best Practices."

So what is the incentive for private industry to share? Historically, companies have had no desire to share information regarding breaches unless they are required to. If a company is successful at avoiding a threat, it has a competitive advantage over competitors who may not be as prepared. However, if the company is unsuccessful at avoiding a breach, disclosure risks damage to its brand when customers lose trust in it.

But cyber threats are very real and growing. According to the Symantec Internet Security Threat Report (ISTR) 2013, "Last year's data made it clear that any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them."

It makes sense that cyber threats will migrate to smaller companies that most likely do not have security protocols as extensive as the Fortune 100 companies that spend millions on security.

So what can a small business do to protect itself and mitigate cyber risk?

Understand the current security expectations of management and key stakeholders of your firm. This step is required not only to uncover concerns you may not be aware of, but also to develop buy-in. The end result of this process will be more controls and internal policies, which may cause frustration, i.e. restricted access to data, segregation of duties, system change management. Early buy-in is highly recommended.

Analyze the firm's current situation to identify security gaps. The first part of this activity looks at system access internally and at how remote employees access your system externally. The second part of this task is to understand what employees need to access vs. what they should not need to access. Private client information should not be readily accessible to all employees of the firm.

Develop strategies to close the gaps and prioritize the work required. After the first two activities, you will quickly develop a list of process and policy changes that should be implemented. The ability to implement all changes quickly will be constrained by time and money. As such, your first priority should be the items that, if not done, will expose you to financial loss, regulatory action, brand damage, and/or client loss.

Test the effectiveness of your strategies. There will be unforeseen consequences to your cyber risk mitigation strategies. It is recommended to test the effects prior to widespread implementation, to avoid business disruptions.

Educate staff on their cyber security responsibilities. This activity introduces the policies and procedures to your staff, while underscoring the importance of any changes they will need to adopt.

Continually test the effectiveness of your strategies, and modify them as risks change.

It is better to prepare for a threat that may never touch your firm than to be in a reactive mode when a situation occurs.

Author: Regis Quirin
Regis Quirin is a financial executive with 23 years of corporate experience, i.e. New York Stock Exchange, JP Morgan Chase, and GMAC ResCap; and 15 years working with small and medium-sized entities, i.e. joint ventures, start-up entities, established businesses. In 2014, Regis published "Redesign to Turnaround Underperforming Small and Medium-Sized Businesses" available via Amazon.

What do you do with a whistleblower that is not satisfied?

As a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Whistleblower program within the Securities and Exchange Commission was launched in August 2011. Since that time, 3,335 complaints have been received, from which four awards have been granted: one on Aug 21, 2012 and three on June 12, 2013.

But the SEC is not the only program. In March 1867 the Treasury began a form of whistleblower tax program. The IRS program was modified in December 2006 as a result of the Tax Relief and Health Care Act. From 2006 through 2012, 40,110 cases were received, with 1,077 awards paid.

What is of concern is that even though people are reporting issues to the respective regulatory bodies, the conversion from claim to outcome is very low, i.e. 0.1% for the SEC and 3% for the IRS. The low SEC rate is most likely attributable to the newness of the program. So when the SEC program reaches the seven-year mark of the IRS program under review, will its claim rate reach 3%?

Now, as more and more companies launch whistleblower programs internally, they should tread lightly and consider how they will address the issues raised. If a process is established to address a legal or ethical issue raised by an employee, and the process fails, dissatisfaction will be created. As such, creating an internal program where companies can identify issues and resolve them, prior to their becoming public brand blemishes, may backfire. When a company does not act on information provided, the whistleblower may become unhappy and seek resolution outside the organization in a public forum.

"Markopolos began contacting the SEC at the beginning of the decade to warn that Madoff was a fraud. He sent detailed memos, listing dozens of red flags, laying out a road map of instructions for SEC investigators to follow, even listing contacts and phone numbers of Wall Street experts whom he said would confirm his findings. But, Markopolos' whistle-blowing effort got nowhere." (Madoff whistleblower blasts SEC, by Allan Chernoff, Sr. Correspondent, CNN, 02.04.2009, CNN Money)

"Interviews with university officials, former players and members of the board, as well as reviews of internal documents and legal records, show that when the most senior Rutgers officials were confronted with explicit details about Mr. Rice's behavior toward his players and his staff, they ignored them or issued relatively light penalties." (Rutgers Officials Long Knew of Coach's Actions, by Steve Eder, 04.16.2013, New York Times)

The SEC and Rutgers will be attempting to repair their respective images for some time.

While not every report of unethical or illegal activity will be valid, every claim should be treated the same way until the results of a qualified investigation are finalized. When training employees on the existence of a program where they may freely lodge complaints without fear of retaliation, let them know that there is an established process that will be followed to investigate each and every claim.

Prior to embarking on establishing an internal whistleblower program, engage a labor attorney. Understand the federal laws, as well as the laws of the states in which you operate. Note: the Department of Labor has its own whistleblower program.

Author: Regis Quirin