A perfect storm of human errors — six of them to be exact — caused the biggest nuclear accident to date, the Chernobyl disaster in 1986. An IT mistake prompted 425 million Microsoft Azure users to experience 10.5 hours of downtime. Lack of communication between maintenance crews caused what would have been a simple fix to, instead, lead to the crash of a 1.4 billion dollar stealth bomber.

While there are many sources of enterprise risk, probably the most dynamic and difficult to contend with are those driven by or otherwise impacted by human capital — that is, people. The fact is, most risks start and end with people. The decisions people make, how they perceive situations, how closely they follow policies and procedures… these and other human-driven factors can significantly influence how risks are identified, managed, and addressed.

In our work in the realm of human capital risk, we see many areas where people have the potential to positively or negatively impact the organization from a risk management standpoint. Unfortunately, when people fail, they sometimes fail in big ways. Here are some of the places where human capital risk can rear its head, causing damage to people, brands, and profits:

1. Cybersecurity

Staying secure goes beyond technology (think servers, network, firewalls, etc.); it requires the aid of humans to maintain that secure digital environment. And while most employees get some degree of IT security awareness training in the course of their jobs, mistakes still happen.

IBM estimates the average number of records lost to data breaches annually to be 25,575, and the average cost per breach of USD $3.92 million. Social engineering, malware, and phishing attempts continue to pay dividends for the fraudsters who deploy them. We all know we’re not supposed to click on that link or divulge sensitive information over the phone, but still, people do it. Lapses in judgment, failure to follow a process, having a sense of overconfidence or the feeling that it won’t happen to them, whatever the reason, humans have the ability to sidestep even the strongest cybersecurity protocols.

2. Occupational Fraud

Risk doesn’t always stem from human error; sometimes it’s the result of deliberate actions by employees. Common types of occupational fraud include asset misappropriation, corruption, and financial statement fraud. In 2017, these types of fraudulent activities resulted in $7 billion in losses, according to ACFE’s 2018 Report to the Nations.

When the workplace lacks internal controls, fails to have separation of duties, or neglects to invest in data monitoring and technologies that could flag anomalies, unscrupulous employees see their opening.  Bookkeepers set up fictitious employees in payroll systems in order to cut checks, executives find ways to alter records and financial statements, and line workers take home company property for personal use. These incidents have a median per-loss cost of $114,000, as noted in the ACFE Report.

3. Physical Security

Check with most workplaces and you’ll find they have certain security protocols in place or at least policies that address physical security. Visitors may be asked to check-in at a front desk, employees might be required to wear ID badges, and doors might be required to be locked at all times.

Unfortunately, over time, employees become complacent and policies become outdated. People forget, or simply choose to ignore, the basics they’ve been taught. They leave doors propped open, inviting strangers to come in the building. They neglect to report a broken lock or missing lightbulb. They forget to keep up their annual emergency exit drill schedule. Or, they fail to log off a computer just as someone else decides it’s okay to let a guest circumvent the front desk sign-in because they “know this person.”

These small, but meaningful, errors in judgment often mean the difference between a workplace that remains physically secure and one that opens itself to the risks of theft, data breaches, or even active shooter situations.

4. Workplace Violence

Workplace assaults resulted in 18,400 injuries and illnesses and 458 fatalities in 2017. Assaults range in severity from threats and verbal assault to stabbings, rape, and intentional shootings. In fact, mass shootings at workplaces, schools, and public venues have become the new norm with an average of at least one happening per day in the United States.

We can’t always know which employees are at high risk for engaging in workplace violence, but experts have begun to identify the behaviors that often precede events like these. They include the inability to focus, crying, social isolation, threatening behavior, concerning posts on social media, or complaints of unfair personal treatment. A sudden change in behavioral patterns, or in the frequency or intensity of these behaviors, is also a red flag.

5. Negligent Hiring and Retention

Exercising due diligence in hiring is the best line of defense against negligent hiring and retention lawsuits. Background checks, of course, are the first course of action in rooting out applicants who might disproportionately introduce risk into the workplace. Gathering criminal background records, doing drug testing (as appropriate), and verifying references and credentials are all critical to mitigating your hiring risks.

Beyond background checks, organizations need to have effective fraud detection methods in place. This is particularly relevant considering 96 percent of fraud perpetrators had no prior fraud conviction, and fraudsters who were employed for more than five years stole twice as much, $200,000 vs $100,000 for newer employees! They need to understand the elements of human risk that can be an early indicator of fraudulent activity, including employees who live beyond their means, are experiencing financial difficulties, or have an unwillingness to share job duties.

Manage Your People, Manage Your Risk

Humans are, well, human. They introduce a spectrum of risk into any workplace, from purposeful criminal behavior on one side to unintentional, garden-variety mistakes on the other.

Managing those risks is an ongoing challenge, particularly when it’s difficult to pinpoint the precise human factors that contribute to failures. If you’d like help identifying those areas in your organization that are most susceptible to the human element of risk – whether it’s your cybersecurity program or your hiring processes — request a meeting with a risk management professional.

“Complacency is the last hurdle standing between any team and its potential greatness.”

Pat Riley, former NBA Coach and Player

You’ve done the important legwork to protect your business against undue risk. You’ve conducted a threat assessment, reviewed security measures, fortified your IT infrastructure, put controls into place, built a business continuity plan, and trained your people. So now what?

Though you’ve taken great measures to prevent and/or mitigate losses, if people fail to consistently follow through with the day-in day-out responsibilities required to keep risks in check, it is all in jeopardy.

Complacency – that sense of quiet pleasure or security, usually accompanied by a lack of awareness of potential dangers or deficiencies – is the enemy of excellence and can be the single largest threat to any business.

Complacency can lead to massive failure. Consider the now infamous example of the Deepwater Horizon explosion which killed 11 people, injured another 126, and caused an oil spill that took three months to get under control. The catastrophe was “the result of poor risk management, last-minute changes to plans, failure to observe and respond to critical indicators, inadequate well control response, and insufficient emergency bridge response training,” according to a federal report. In a nutshell, complacency.

Once complacency takes root in an organization, it’s hard to change course. In this blog, we’ll explore four common causes of complacency and show you how to steer clear of them.

1. Foregoing a “Moment of Insight”

Insights, or those “eureka moments,” abound in our personal lives, in society, and in the workplace. We experience a sudden understanding of something that was previously unknown or incomprehensible. The answer to a puzzle abruptly becomes obvious. A series of seemingly unrelated incidents suddenly reveals a clear pattern.

In the context of risk mitigation these “aha moments” happen all the time. Businesses connect the dots between the events happening around them (e.g., wide area disasters, data hacking incidents) and make the adjustments they need to make in their own operations to stay protected (e.g., creation of disaster recovery plans, beefed up cybersecurity).

So why, then, do some people fail to act despite a clear moment of insight? It often comes down to a lack of leadership or sense of urgency. Often, they are focused on what’s in front of them – the objectives, processes, and budgets before them – rather than presenting a compelling vision for the company. This is especially true during times of change, the thinking being, “The crisis isn’t imminent, and we already have so much on our plates.”

Brent Gleeson, the author of TakingPoint, says, “Most organizations that continue to succeed and innovate have a culture poised for positive change and taking a risk. They don’t wait for the ship to spring a leak. They proactively and constantly set aggressive goals. They sometimes even intentionally develop a sense of urgency.”

2. Maintaining a Sense of Overconfidence

Another reason why organizations stay in a state of complacency is due to an excessive sense of self-confidence, which can express itself in different ways.

Sometimes overconfidence stems from a false sense of security or well-being. “We’ve never had anything bad happen before, and the probability is so small that we can let our guards down.”

Whether it’s a statistical calculation, the illusion of preparedness, or outright arrogance, people operating with this mindset are inviting problems.

Someone leaves the door propped open while they run an errand, crisis communication plans become outdated, or passwords aren’t decommissioned when an employee leaves the company. Teams might even take their cue from management and begin letting practices and policies slide.

3. Having a False Sense of Reality

It’s human nature to be lulled into complacency, especially if you’ve lived the same basic existence in the same company for years on end. You come to believe you’ve lived pretty much every scenario and can reliably predict the outcome of most situations. When we believe we know the answers, our creativity and ability to proactively plan for potential threats become stagnant.

The key in these situations is key to have a learning mindset, to be curious, ask questions and think more deeply. Jeffrey Simmons, President and CEO of Elanco, says it’s helpful to “find people who make you feel uncomfortable, who help you learn a new skill or broaden your perspective.”

4. The Tendency to Make Excuses

Similar to having a false sense of reality, complacency thrives with people and in environments where excuses are made and accepted. Some of the common excuses that lead to inaction, for example are, the failure to conduct quarterly safety trainings, the absence of consistent background checks, or the failure to conduct due diligence with a new business partner.

• The likelihood of a disruptive event (e.g., tornado, data breach, active shooter, embezzlement) happening is so low it’s not worth our time to protect against it.
• We’ve done business with this company for a dozen years, so we don’t need to investigate them as a part of this merger.
• We’ve been very successful so far, so we must be doing something right.
• Our team has very little turnover, so even if something were to occur, most of us were trained at one time on what to do in the event of an emergency or major incident.
• We’re already doing all we can to protect our business from risk, we don’t have the bandwidth to do more.

How to Avoid Complacency

The military has a mantra that “complacency kills.” In fact, signs with this message are often posted at their bases and outposts. They know that complacency in combat may mean the difference between life and death.

In the business world, companies that fail to continuously evolve face obsolescence, at worst, and significant financial or reputational loss, at best.

Here are seven strategies recommended by American Express for warding off business complacency:

1. Be clear on your long-term vision (no more than two years out) and your short-term goals needed to make that vision a reality.
2. Have a specific plan for each day.
3. Give yourself specific time each week—no more than one hour—to think strategically and evaluate where you are and if you are heading in the right direction.
4. Challenge your team to think.
5. Encourage and reward innovation.
6. Create a formal process to learn from mistakes.
7. Invest time and money to improve your skills and knowledge.

Lowers & Associates works with a wide range of industries, helping organizations with a full range of solutions, from assessments to loss mitigation to recovery. Contact us for a consultation to understand what unknown threats you might be facing and how to address them, so that you don’t become a victim of the four culprits of complacency.

Demand is on the rise for cold storage vault services for cryptocurrency. As CIT and vault providers work to meet the demand, they are facing risks that are at once similar and very different from those they encounter with their cash services.

As a vault or transport provider, how well do you understand the risks of cold storage?

Our latest slideshow highlights 7 components of a risk assessment for cold storage providers of cryptocurrency. It looks at the following:

1. The right safe for the job
2. Control of digital threats
3. Control of physical threats
4. Identity verification
5. Dual controls
6. Access logs
7. Procedural integrity

Flip through the slideshow here:

To learn more about custodial crypto transportation and storage, we invite you to download our whitepaper, Custodial Crypto Transportation and Storage: Understanding and Mitigating the Risks.

Cryptocurrencies such as Bitcoin and Ethereum are emerging from the dark side of the web. These currencies have multiplied in number and increased tremendously in value despite their volatility.

However, sad experience has taught storing crypto safely in online exchanges is risky at best. In the infamous case of Mt. Gox, almost $500 million worth of bitcoin was hacked. Some of it seems to have emerged in the hands of potential thieves, but there’s still mystery surrounding the incident. Many other hacks of exchanges have occurred since Mt. Gox, leading to a scramble to find more secure ways to manage cryptocurrency.

The super-hacks have shined a spotlight on the issue of custody. As Philip Martin of Coinbase, a large cryptocurrency exchange, stated in a recent Wired Magazine interview,

“Cryptocurrencies have a threat model that’s fundamentally different from what’s come before. We’re taking the lessons from the past about physical security and blending them with well-structured cryptography.”

Crypto investors are understanding that a diversified approach to storage is wise. They are turning to cold storage (offline storage) for at least a percentage of their coin as a way of managing their risks of loss.

Many are finding that the simplest way to avoid the threat of losing digital coin to a hacker is to move it to an offline storage device, called a “cold wallet”. At the same time, the 128-bit encryption codes that permit access to the currency (especially the private key) have to be securely stored where they can be retrieved.

The moment digital files or keys are transferred to a physical medium, whether it’s a device or plain paper (which may be a legitimate way to store an encryption key), custody is the crucial issue. Many of the same risks exist for offline cryptocurrency as apply to other easily transported high-value items like gems.

The encryption keys add a layer of complexity. There are two high-value items, the currency and the key that accesses it, that must be transported and stored separately in a way that they can be rejoined when the legitimate owner wants access.

Our latest white paper plots a path to security in the storage and transportation of cryptocurrency. Carefully managing the risks involved with the activity is necessary to make cryptocurrency insurable. Get your copy of Custodial Crypto Transportation and Storage: Understanding the Risks.

This is one of those things that seems so obvious that you would have prepared for it. If you are the only one who has the encryption keys to a big stash of cryptocurrency, wouldn’t you take precautions to mitigate the possibility of your death?

In what must be one of the worst nightmares of cryptocurrency investors, news sources report that Canadian firm QuadrigaCX exchange CEO, Gerald Cotton, died in India on December 9, 2018 of complications of Crohn’s disease. He was reportedly the sole possessor of encryption keys to currency worth somewhere between $135 and $150 million. If these keys cannot be recovered, the company and the investors who trusted in it may simply have lost the digital money.

There have been very large losses from cryptocurrency exchanges before, but they have been due to hacker attacks that succeeded. Coindesk, a large American crypto exchange, reports that 2018 saw by far the largest losses of crypto due to hackers breaking into exchanges. They warned against keeping ‘hot’ wallets (coin storage) on the exchanges because the hackers were winning the technology race at the moment. The article argues that using hardware wallets (offline devices to store currency) “gives you the highest protection level.”

It is not clear in reports on this widely-circulating story whether Cotton kept the currency on hardware devices, or if he was just in sole possession of the encryption keys. Regardless where the digital coin is kept, you must have the keys to access it. The keys themselves must be stored in a secure fashion, with a method for retrieving them. Cotton’s wife claims that she has searched diligently for the keys to no avail—highly skilled coders are seeking ways to regain control of millions of dollars, with no success to date.

There has to be a plan.

Further, hardware keys in themselves are not the final security solution. Once encryption keys and/or currency are transferred to any offline medium, you have created an item that in itself is both valuable and vulnerable. Like jewelry or cash, offline stashes of cryptocurrency or the keys to access it become easily transported, high value assets.

Like jewelry or cash, offline crypto storage raises issues of transportation, hand-offs in the chain of custody, and storage security. All of these steps are exposed to significant risks of loss.

Some may look at the QuadrigaCX episode and conclude that cryptocurrency may be too risky for legitimate investors, and not ready for prime time. In the early years, crypto was often used in dark web transactions for drugs and money laundering, and there is a case to be made that it cannot function in a normal economic environment.

However, a greater certainty is that the crypto dream of creating a purely “free” means of exchange beyond the reach of any government is not without significant problems. Standard fiat currencies exist within structured sets of rules that track and evaluate transactions that provide some security. Money transport and storage businesses operate within these systems using carefully crafted risk management protocols to mitigate known threats.

Crypto may need to develop similar rules and work within fiat systems and/or adopt physical security similar to cash—to get the same level of security. To realize the potential advantages of cryptocurrencies for ordinary economic transactions, there needs to be a much higher level of control.