« October 31, 2009 | Main | December 31, 2009 »

November 30, 2009

November 30, 2009

Uninvited Guests Spoil White House Dinner

How to Defend Against Social Engineering

Uninvited guest Michaele Salahi shakes hands with President Barack Obama. Picture Source
What do feel would be the consequences of an uninvited guest wandering around your company? What if you threw a party at your house, and noticed somebody meandering that you didn’t know? The White House certainly has some explaining to do after allowing Tareq and Michaele Salahi to shake hands with the President of the United States recently at a dinner—a couple who wasn’t even invited to the event!

This month, the White House threw a star-studded gala event littered with dignitaries, celebrities, and the Salihi’s—relative nobody’s until shortly after event when it was painfully apparent to the secret service that they had not only “crashed” the event, but they had full and seemingly unfettered access to some very important people, including President Obama himself. As of this writing, we haven’t heard their side of the story, however according to Fox News, secret service director Mark Sullivan has already issued the following statement:

“although these individuals went through magnetometers and other levels of screening, they should have been prohibited from entering the event entirely. That failing is ours."

Yes, I agree. Our government is actually very good at telling us things we already know. I don’t know whether they’re trying to make the point that they shouldn’t have been there, or that it’s their job to make sure unauthorized people don’t get to shake hands with the President, or both. In all cases, I think we know that already. They shouldn’t have been there, and the controls that were in place to prevent something like this from happening obviously failed.

Contrary to what you might expect, I’m not really going to beat up on the secret service here. Reason being, I think this is more sensationalism at work, than any real threat to national security. I’m not saying it’s okay, but let’s face it—this is really newsworthy, isn’t it? What put me over the edge was the angle these people were coming from. Again with the reality stars! Don’t you find it interesting how current and / or aspiring reality stars (why would anyone aspire to be a reality star?) get about 100 times more media coverage than say—US soldiers losing their lives in Afghanastan?

Anyway, back to the Salihis. We all know they weren’t supposed to be there, and I sincerely doubt the secret service was in on it, so how exactly did they get into the party? As I understand it, they also had a camera crew with them? Don’t you think this is a bit conspicuous? They certainly didn’t “sneak” into the party, in fact they probably made more of a scene than most there.

If you’ve seen the pictures, didn’t they look like they belonged there? Doesn’t it seem like they spoke and acted just like everybody else? They actually worked the environment in a calculating way, playing off the dynamic of the event itself. They tacked into the wind instead of avoiding it. I think if they actually dressed up in black body suits, and repelled down the White House wall with grappling hooks they would’ve been arrested in seconds. Instead, they practiced the sacred art of social engineering.

This time-honored underground profession is one of the most difficult things to defend against. They look like they belong, the sound like they belong, they actually feel like they belong—but they don’t. Unlike reality stars, real social engineers aren’t there to boost their pseudo-celebrity image, they’re there to undermine your business and they can do real damage.

So, what’s the best defense against social engineers? The answer is familiarity. It goes back to what we learned when we were small children, “don’t talk to strangers.” As much as the Salihis looked and acted the part, nobody there really knew who they were. But as most politicians and celebrities know, it’s social suicide to not know somebody important, so they all pretend that they’ve known each other since grade school.

This is dangerous in Corporate America when you’re playing with sensitive or confidential company information. The rule is simple, there’s a defined list of people that you know that get access to your sensitive information. If they’re not on the list, they don’t get the information. No ticket, no laundry, end of story. Any grey area will get you into trouble, so don’t even go there.

And the next time a couple shows up at your company’s gates with a camera crew, at least check to see if they’re on the access list.

Posted at 05:00 PM in 200911 - Issue #23, What in the World? | | Comments (2) | TrackBack (0)

| | | |

Navigating Around the Storm

Managing Risk in Cloud Computing

There was no documented evidence of a black swan until the eighteenth century. Picture Source
Cloud computing seems to be the rage these days, but doesn’t it seem risky? This is something that’s definitely on peoples’ mind these days, and I’d like to spend a little bit of time in this article addressing the issue. The obvious answer is, “yes it’s very risky,” but why is it risky?

The key problem with cloud computing is it’s a black swan of sorts. This is a term popularized by Nassim Nicholas Taleb a couple of years ago in his book of the same name, and it references an outlier (i.e. low probability) event that has a dramatic impact. We’ve actually seen a few black swans in the last few years including the implosion of the global economic system, the uncovering of a series of unimaginable scandals, and the accelerated rise in popularity of cloud computing. Characteristically, black swans have significant impacts; however, they’re not always negative. Cloud computing and its rapid adoption in the industry is actually quite positive, however from a risk perspective the insomnia stems from the fact that we’ve never seen this before, so we don’t even know what to be afraid of.

I think if we address this basic concern, we can start to make progress. As an aside, please note that the concern is risk, not compliance. Compliance will not protect you against the risks of cloud computing, so don’t naively belay your fears with this crutch, as I’ve seen some companies do. Rules of compliance will progress, as we uncover, through a series of very unfortunate “risk events,” what the real risks of cloud computing are. This is more than a prediction—it’s a prophecy. Furthermore, the companies tangled up in these messes may or may not be compliant with the regulations of the times. It doesn’t matter. They will go down.

So, let’s get at the core of the issue. What’s the real risk with cloud computing? Fundamentally, you should be concerned that your information will get into the wrong hands. If it happens, this risk will manifest itself in any of a variety of problems depending on the type of information that’s compromised. If your customers’ personally identifiable information is breached, you’ll have privacy problems to deal with. If your company secrets are hacked or leaked, you’ve got competitive issues to deal with. And, if any of this goes public, your public relations department will be working overtime to restore your image.

Unfortunately, there’s no silver bullet here, but I do have some recommendations. By definition, when engaging with a cloud computing company, you’re surrendering control of your data to a third party so it goes without saying that this company should be an organization that you can absolutely trust. This is not the time to experiment with new vendors. Stick with large, well-known companies that are universally trusted, like Google, Microsoft and PayPal. This won’t give you any guarantees, but you need to know that if there is a breach, your cloud computing partner has more at stake than you do.

Second, guard the information that you have in the cloud. You don’t need to arbitrarily hand over all the company secrets to every cloud vendor that comes along. Try to build an interface model, where your cloud computing partner doesn’t even have access to sensitive information. For instance, don’t farm out the function of collecting personal information on your customers. That should be something you control behind your own gates.

Finally, know your own limitations. This may sound contrary to the second point raised above, but you need to know when it’s appropriate to let the experts handle things. A good example is credit card processing. Why would you put yourself at risk when processing credit cards online? Your credit card processor should have all the necessary controls in place to manage privacy issues around processing an order, so just let them handle it.

The cloud offers great opportunities for the brave, but don’t be foolish. With this opportunity will come great peril as the seemingly innocent black swan gracefully glides by. Know and trust your cloud partners as well as somebody you would give the keys to your house. In essence, that’s exactly what you’re doing.

Posted at 04:00 PM in 200911 - Issue #23, Center Stage | | Comments (0) | TrackBack (0)

| | | |

With My Sincere Platitudes

Building Cognitive Consonance

Wouldn’t you agree that in order for your compliance efforts to be successful in your company, your leadership must be taken seriously? Did you know that you could be undermining your own credibility by simply communicating the wrong message?

I get the opportunity to work with a lot of leaders, not just compliance officers, and I’ve picked up on a pattern where leaders and managers tend to address their organization with a series of platitudes that eventually don’t ring true with their actions. For some reason, it’s more acceptable when politicians do this, but when a leader does this, their credibility instantly goes out the window for me, and I’m not the only one.

Especially when addressing a group for the first time, it seems like there’s a standard template that leaders tap into. They talk about “open and honest communication,” and “open door policies,” yet the minute someone in the organization raises a concern, they’re stoned like a heretic. When leaders do this (and it happens a lot), they create a cognitive dissonance within the organization. In other words, what’s being said is not what’s being observed. The byproduct of this is leader who is not respected or influential, and they won’t be effective in the achievement of their goals. What leaders should strive for is just the opposite—cognitive consonance.

This is especially true within the compliance organization. The advantage other leaders have, is that it’s typically easier to tie in the corporate strategy with each individual’s best interest. If the organization does well, the individuals within the organization prosper. Once a leader issues an empty statement, their credibility may dissipate, however the individuals may still behave in a way conducive to supporting the leader’s goals, purely because it’s in their best interest. Compliance leaders don’t have this luxury.

Most likely, a compliance leader’s goals have nothing apparently to do with the individuals’ self interest. In fact, it usually takes away from the “real work” that everybody needs to get done. Every year at PayPal, just around this time, most of the people I know are required to recertify on their compliance training (including consultants!). It’s a breeze for me because I’m familiar with the space, but for others it can be challenging to get this done in tangent with meeting promised dates for deliverables.

Therefore, it’s vitally important that what you declare publically actually resonates well with your actions. If the organization perceives that there’s no meaning behind your words, they will not take you seriously, and it will jeopardize you chances of success, exposing your organization to unnecessary risk. Here are some things to keep in mind to help create cognitive consonance:

  1. Choose your communications carefully. Don’t say something just because it “sounds good,” say things you know you can follow through on. For instance, if you make a statement that tailgating (people walking in behind another person to gain access to a controlled building) will be policed, take decisive and visible actions to make sure it happens. I consulted for a company that installed special sensors to catch tailgaters, which would trip alarms if somebody tried to sneak in behind somebody else.
  2. Follow through on communicated dates. You will no doubt have plans that will involve the organization’s cooperation. Make sure there’s little risk in the project plans, and execute on them without fail. Don’t let dates slip. One way to do this is by making sure you have plenty of time to get done what needs to get done before the date that’s communicated. The timeframe doesn’t really matter, what matters most is that the date communicated is met.
  3. Document your communication, and periodically assess your own efficacy. People in the organization are not going to approach you to tell you that you’re not following through. They’ll just start ignoring you. It’s important to assess your own performance and make adjustments if necessary. If you notice that things were said that are not happening, publically acknowledge your shortcomings, and make a renewed commitment to the organization for follow-through. This is much better than sweeping things under the rug, and hoping everybody forgets.

Platitudes are the enemy of trust, and as a leader you must steer clear from empty promises, especially the banal ones that people have heard over and over again. Choose your communication carefully, and make it a point to follow through on absolutely everything you say. Meet project dates, and assess your own efficacy periodically. Create cognitive consonance, not dissonance, and the respect your organization gives you, will make your life that much easier.

Posted at 03:00 PM in 200911 - Issue #23, Hello Rubber, Meet the Road | | Comments (0) | TrackBack (0)

| | | |

FSA Turns Up the Heat on Watanabe

Japanese Brokerage fined 1.75 Million Pounds

Mr. Kenici Watanabe, CEO of Nomura Holdings, Inc. Picture Source
Kenichi Watanabe is in the miso soup this month, as the UK unit of his company Nomura Holdings, Inc. was fined 1.75 million pounds (approximately $3 million) by Britain’s Financial Services Authority (FSA). Nomura Holdings, Japan’s largest brokerage, was charged with having inadequate controls that would prevent the mis-marking of certain financial derivatives. According to Compliance Exchange, Margaret Cole, the FSA’s enforcement director stated:

“Financial instruments must be valued correctly by traders and a firm’s systems and controls must be able to minimize the risk of traders mis-marking their positions.”

I agree, but I think it’s a bit ironic that even the FASB and the IASB are having a hard time coming to terms on an agreed-upon reporting structure, and the sticking point is—valuation.

Mr. Watanabe’s tenure in the soup was short-lived. Nomura holdings cooperated fully with the investigation, and maintained open lines of communication. This actually qualified them for a “discounted” fine, which could have been 2.5 million pounds.

Nice move, Mr. Watanabe. Nobody wants to be in the soup, but if you find yourself there, get out before things get too hot!

Posted at 02:00 PM in 200911 - Issue #23, In the Soup | | Comments (0) | TrackBack (0)

| | | |

The Wrong Direction

When to Make an About Face

Don’t you feel like this kitty sometimes?

If things don’t seem to be moving forward, sometimes you need a slight adjustment, but sometimes you need to make a 180 degree turn.

Posted at 01:00 PM in 200911 - Issue #23, Life's Gag Reel | | Comments (0) | TrackBack (0)

| | | |

Flawless Compliance

  • A free monthly newsletter on today's compliance issues based on the ideas, concepts and practices of John Weathington for Excellent Management Systems, Inc.

    ISSN 1948-2949

    Subscribe here to have the Flawless Compliance Newsletter delivered directly to your mailbox every month.





    Copyright 2010 John Weathington. All Rights Reserved. Flawless Compliance is a registered trademark for Excellent Management Systems, Inc.

John Weathington

  • John Weathington is President and CEO of Excellent Management Systems, a management consultancy that helps organizations dramatically increase their contractual and regulatory compliance, bringing peace of mind to nervous and anxious compliance officers. His clients include Fortune 500 icons like Sun Microsystems, Cisco, and eBay. Recently, John helped fortify a $100 million government contract for a high-profile technology firm. Contact John today to discuss your specific needs.

Categories

Archives