Authoring Resilience During COVID-19

By Lowers & Associates,

Business Continuity Plans (BCPs) are funny things.

At their most basic, BCPs are the real-world response to the old “Hope for the best, Plan for the worst” adage.  It’s honest recognition that being stuck between a rock and hard place is better with a hammer, albeit with no guarantee that the hammer is big or small enough to be helpful.

Nonetheless, a well-conceived BCP provides peace of mind, like insurance does, with the added satisfaction that only authorship (or ownership?) brings.  The rub, of course, is that every BCP is, at the end of the day, still just a plan.  As boxer, actor, felon, playwright and corporate strategist ’Iron‘ Mike Tyson once famously said, “Everyone has a plan until they get punched in the mouth.”

Indeed.  Because sometimes pipes break in the 2nd floor ceiling of your office and leak antifreeze everywhere.  And because, other times, there’s COVID-19.

The benefit of having a BCP plan in place to manage either situation is that, well, there is at least a plan.  And despite what Kid Dynamite says, the real truth is that any company with a plan retains, at the very least, a fighting chance to get back up after they’ve been hit.

For Lowers Risk Group, like many others, COVID hit our industry, our business – our people.  We were fortunate, though: our Business Continuity Plan was 5 years in the making.  It didn’t matter, until it did.

Back in 2015, CTO David Lowers, Chief Security Officer Joe Labrozzi and Director of IT and Security Chris Sosnoski recognized the need for our growing staff to have partially, if not fully, remote capabilities.  What was initially driven by space concerns evolved with the access to and the ability of new technology to support fully secure, remote work that reduced cost, increased efficiency and enabled greater flexibility that could support new business opportunities within Lowers Risk Group.  With this foundation in place, Lowers, Sosnoski and Labrozzi were able to take the organization’s global footprint of over 550 people (spread over 3 continents) to fully remote in less than 2 weeks with zero business interruption when COVID hit.

And though Facilities might disagree, being fully remote due to COVID made the impact of that leaky pipe one less headache to manage when stress levels are already elevated.

We asked Labrozzi and Sosnoski to tell #OurStory of transition to a fully remote work environment.  We asked them what made it possible and to share a few insights that could help other organizations with the creation and implementation of their own BCPs to author their future resilience.  Below is a transcript of our conversation.

On behalf of the entire organization – thank you both for your efforts and keeping the organization on its feet as COVID hit.  How did your teams manage this transition?

Sosnoski
Our ability to go remote during COVID was strategic and began 5 years go.  Wholesale Screening Solutions, our largest division at Lowers Risk Group, was beginning to test our space limitations.  At that time, the VA HQ had about 400 people on-site.  Additionally, the Wholesale team recognized a need that they had to hire in different areas, not just in VA HQ.  We were tasked with how to support that, and it was clear we had to embrace the cloud.  Buy-in from David and other executive leadership there was the first step.

Labrozzi
What really drove the process was what was happening in Wholesale’s Georgia office, our first off-site campus.  We needed a base to get our people into the courts to do research.  That organically began to create resiliency in our operations – rather than rent out trailers, for example, in the event of something happening, our second location offered redundancies as technology matured.  As we gained more experience managing this remote location in GA from our VA HQ, we saw it was possible to have and manage a remote workforce while still doing secure work.  We then built a series of processes around this concept that laid the foundation for more remote work, and we’ve been working at that ever since.

Sosnoski
Right before COVID hit, for example, we launched phase 1 a Unified Communications as a Service (UCaaS) initiative with plans to roll-out Phases 2 and 3 in the coming months.  What would have been a much more measured roll-out was accelerated by COVID.  But, had we not been building towards that – not just with the UCaaS launch, but all the work leading up to the launch – it would not have been as easy or seamless.  However, we had our BCP in place and were able to activate it,.  Our teams stepped up and, again, the full support of leadership helped make it happen.

What were the steps you were taking to build that initial foundation over 5 years?

Sosnoski
The goal was always to keep the working experience as secure and as available as possible, so it was about taking small bites at the apple.  Exploring, testing, and implementing remote training, for example.  Cloud-based email.  Our UCaaS environment.  We were able to leverage cloud resources like Microsoft, Adobe, Salesforce, AWS and Zscaler to achieve this.

The complicating factor was the cost associated with it – we had to be willing and able to spend monthly on subscription services.  For a while, that was a barrier, but we continued to make the business case while moving from a hybrid environment to a cloud environment.  Transitioning the phone system to UCaaS, for example, was a two-and-a-half-year effort to make happen and now our teams are loving the flexibility it offers.  Our teams can do remote assessments and maintain contact with each other and clients easily.

How did you each manage the workload during the COVID transition to remote work?

Labrozzi
Teamwork.  At VA HQ, Chris and I have sat next to each other for years, so we have a great working relationship – that’s part of the culture at LRG, which is probably also a reason the transition was smooth.  But it’s about the quality of who you work with.  Chris’ IT team knows what needs to get done – they’re reliable and fast.  I focused on the human capital element, making sure that we were dealing effectively with any productivity concerns, making sure teams were staying connected.  We all operate from a leadership mindset and depend on each other to play our parts.

Sosnoski
The real risk in remote work is not technology, it’s management process.  My team trusts each other to get things done.  When COVID hit, we found a useful strategy was to use quick, daily stand-up meetings.  For the most part, these types of meetings continue in some capacity across all departments; I know upper management remains committed to finding one-on-one time for their direct reports.  Process is super important in all this, but equally so is everyone’s ability to do their job.

Any key takeaways to offer other organizations from your experience?

Sosnoski – I think there’s really three that worked for us:

  • We started planning early and had already explored the risk environment, developed the processes that would provide us a path of least resistance to continuity and had leadership buy-in.
  • We identified the right digital tools and had assessed, budgeted for and tested them as part of the plan strategically; having to do this during COVID would have been very difficult.
  • We were all aligned on the work that had to be done to achieve the vision; for us that was finding a secure, scalable and available environment to perform our risk mitigation work.

Lowers Risk Group provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly regulated environments and organizations that value risk mitigation.  Our human capital and specialized industry enterprise risk management solutions protect people, brands, and profits from avoidable loss and harm.  With Lowers Risk Group you can expect a strategic, focused approach to risk assessment, compliance, and mitigation to help drive your organization forward with confidence.  Contact us.

College Admissions Scandal: Are We too Quick to Blame the Institutions?

By Lowers & Associates,

College Admissions Scandal

The college admissions scandal has caused quite a stir in the media over the last few weeks. The stories have varied, the fraudsters are unique to each situation, but in the end it’s the same old tale; the rich use money and power to influence the morally weak and advance those closest to them to undeserved positions of grandeur. The key in this case is that schools across the US are being brought down to the same level as the criminals and fraudsters that perpetrated the crime in the first place.

Yale University, founded in 1701, has graduated five U.S. Presidents, and prides itself on its motto, ‘Lux et veritas’ or in English “Light and Truth.” However, a Yale soccer coach was able to pull off a scholarship-based fraud in which a student was accepted without merit. Is this Yale’s fault? Perhaps in part, but I would like to blame it on a much larger, systematic fraud scheme that can easily be discovered and rectified with appropriate planning and execution.

Other schools were involved in Title IX fraud, SAT proctoring schemes, and direct fraud from payoffs or bribes. Each school left a back door open for a fraudster to come barging through and in the end, will be sued for millions of dollars. These lawsuits, some frivolous and others merited, will need to be tried and tested. What can your institution do to avoid situations such as this?

In our experience, fraud is perpetrated in larger educational institutions and corporations when the controls breakdown or are antiquated. There are simple ways to enhance controls and become a much more aware organization.

Some important tips that we feel will mature your organizational fraud prevention controls are below.

Enhance Internal Controls

When looking at sophisticated organizations such as a university, one might think that internal controls are deployed across the enterprise. However, this was not the case in athletics, where some of the fraud was perpetrated. Entities should implement enterprise wide systems of internal “dual control” whereby a minimum of two people are involved in the decision-making process/function. The purpose of dual control is to deter fraud, provide a properly documented audit trail, maintain quality assurance, and prevent extortion. This dual control process creates a system of “checks and balances” in which a single person (authorized person(s) within a department) does not have the sole authority to decide without the verification and approval conducted by a secondary and separate department (authorized person(s) within that department). This helps to mitigate the potential for collusion. These obvious changes can deter fraudulent actions and lead to much more effective fraud deterrence. Internal control is vital when trying to ensure that protocols and regulations are carried out according to policy.

Make your organizations aware, and force reporting

Create a fraud risk policy with demonstrative cases that establish consequences for perpetrators. It sounds simple, but this is a critical step in setting up the consequential deterrence that is sometimes needed to stop amateur fraudsters. If individuals in the organization are aware that management is looking for certain types of fraud, they might think twice before acting.

An additional aspect of organizational awareness is to implement reporting. In any instance where there is a violation of policies or an employee feels there is a violation by someone else, encourage reporting. Anonymous reporting/tip lines have historically been the number one means by which occupational fraud is discovered. These reports and tips need to be vetted and followed up to ensure there are consequences. As the fraud risk policy matures, there should be a noticeable difference that will help secure organizations from becoming victims of fraud.

Know Your People

Fraudsters tend to demonstrate behavioral traits that can indicate they have committed or are candidates to commit fraud. Comprehensive background screening can be the first step in ensuring that there are no concerns prior to offering employment. However, initial background checks are not enough.

Employers and leaders need to listen to what employees are saying. If there are divisional leaders, or in this case coaches and deans, that are deeply respected or far too entrenched in the internal control environment, they can create circumstances that could lead to fraud. For instance, USC, who saw their senior athletic director implicated, was victim to the college admissions scandal when the water polo coach recruited a student who didn’t even play water polo! Had USC screened each scholarship athlete and ensured there were controls and reporting in place, this could have been avoided. Now, USC is at the mercy of the judicial system.

In conclusion, it is amazing that these events transpired in today’s digital environment, but it clearly demonstrates a lack of understanding when it comes to the willingness of fraudsters to attain what they want. Legacies are now tarnished over the acts of bad actors and their accomplices.

Lowers Risk Group prides itself in delivering solutions to our clients that rectify these types of situations.

Contact us to learn more.

  Category: Risk Management
  Comments: Comments Off on College Admissions Scandal: Are We too Quick to Blame the Institutions?

The Crypto Conundrum: What Are We Insuring?

By Lowers & Associates,

With the surge of cryptocurrencies, mainstream investors are looking at them as alternative vehicles for transactions and the storage of value. Despite their relative volatility, they have advantages in permitting transactions of any size on-demand, growing worldwide acceptance, anonymity of stakeholders, and independence from traditional financial institutions.

The security of the blockchain is inherent in its technology. Each step forward in time, when a new block is added to the chain with the guarantees of either the power of work (POW) or power of stake (POS), the transparency and permanence of transactions is theoretically immutable, as long as the private encryption keys are secure.

Every unit of cryptocurrency is exposed to investment risk, just like any other commodity that is traded in a market. Investors may seek hedges in the market against loss, but this kind of loss is not insurable in the ordinary sense.

So, the general answer to the question “what are we insuring?” is against the loss of value due to institutional failure or theft. But in the case of cryptocurrency, how is the value determined?

The institutional structure of cryptocurrencies is a wild west of new businesses emerging to manage the flow and storage of value. The most prominent type of business in this ecosystem is the exchange, where the market value of crypto can be traded for a traditional fiat currency. You can sell your Bitcoin for U.S. dollars, products or services, or almost any other currency.

Unfortunately, the exchanges have proven to be insecure. Billions of dollars’ worth of cryptocurrency have been stolen by hackers who break into the online system. In an odd feature of the blockchain, it has been possible to see which accounts received the stolen money, but without the encryption keys it cannot be recovered.

Shifting the risk offline.

A response to the risk of storage of value on a crypto exchange (in a “hot wallet” online) is to move the currency to a “cold wallet” that is offline. In other words, you download the value onto private keys.

Therefore, the insurable event is when either the encryption key or the currency value, or both, are stored offline. Whenever this happens, you are no longer in the purely digital world of the blockchain, and the risk of loss through theft arises.

Insurers will want to replace the fiat currency system’s security rules with procedures and processes that duplicate their functions. For instance, they will want to replace ‘Know Your Customer’ regulations with procedures that identify the owners of the currency and/or encryption keys. They will also want to see custodial procedures that safeguard the offline items with security commensurate to the value.

There is some irony in the fact that the blockchain, which was devised to do away with all the cumbersome regulations of fiat currencies, maintain anonymity, and offer a high level of confidence, is now evolving toward systemic guarantees much like fiat currencies already have.  There is a cost for having secure transactions and storage.

For much more information about cryptocurrency storage and transportation, see our new white paper, Custodial Crypto Transportation and Storage: Understanding the Risks.

  Category: Custodial Crypto
  Comments: Comments Off on The Crypto Conundrum: What Are We Insuring?

4 Step Approach to Building Your Business Continuity Plan

By Lowers & Associates,

To stay prepared, organizations must expect the unexpected. Business Continuity Planning (BCP) addresses the need to have contingency plans in place to deal with potential threats that can turn an organization on its head. Continuity planning is a necessary part of coming out on top in the face of the most challenging circumstances such as a natural disaster, a significant market crash, or a serious hit to a company’s brand or reputation.

As a risk manager, CEO, or any party responsible for the long-term success of an organization, you need to have a plan in place to clearly outline what you would do if the worst were to happen tomorrow. Here are four phases to putting your BCP in place.

1. Business Impact Analysis (BIA)

The first step to building your company’s BCP is to consider the potential impact of each type of disaster or risk event that your company may face. For example, a company in the finance industry may consider the role of the stock market, data breaches, or the possibility of a fraud scandal. The BIA helps you discern which processes are the most critical to recover or initiate in a state of a disaster and assigns a monetary value to the protection of assets involved in specific business processes.

Key goals of the BIA should include:

  1. Identifying the impact of uncontrolled events
  2. Prioritizing critical functions
  3. Establishing maximum tolerable outages

2. Risk Assessment

Upon identifying the impact of the risks facing various functions across your business, the next step is to determine the potential magnitude of these risks. This is a critical assessment to perform, as it helps establish which risks should be most emphasized in the BCP. Priorities can be established by looking at which risks are most likely to occur to determine the breadth of coverage for your company’s BCP. To do this, you can run a gap analysis to compare your company’s current contingency plans against that of the proposed risks to identify any holes you need to fill. With knowledge of these gaps, you can analyze various threats to identify their respective impact.

To aid in this process, it is helpful to work from a list of potential emergencies or viable threats as well as the likelihood and impact of such events such as to personnel, assets, or monetary impact. These can help formulate different scenarios to plan for, such as natural disasters or terrorist threats, as well as minor events such a power outage.

A best-practice risk assessment report should cover the following:

  • Summary of Business Operations
  • Risk & Vulnerability Analysis
  • Critical Support Infrastructure
  • Physical Environment
  • Recovery Time Objectives
  • Business Recovery Strategies & Priorities

3. Business Continuity Plan Preparation

During this step, the BCP is developed, taking into account the likelihood, magnitude, and potential impact of the risks that were identified in the previous step. The BCP preparation stage will take it a step further by documenting strategies and procedures to maintain, recover, and resume critical business functions as quickly as possible. Part of this preparation will entail a list of procedures to address priorities for critical and non-critical functions, services, and processes.

The BCP should include:

  • Business Operations
  • BCP Organization
  • Plan Activation & Operation
  • Preparation & Readiness Checklists
  • Emergency Operations
  • Facility Restoration & Relocation
  • Emergency Communications
  • Emergency Forms & Terms
  • Incident-Specific Response Checklists

4. Business Continuity Plan Testing and Table Top Exercises

Once a plan is established, it’s time to put it to the test with table top exercises. During this final step, key staff members and management will come together to simulate their response to various emergency situations that were identified as likely risks. Using the procedures outline in the BCP, these exercises will identify gaps in the plans to improve them in a controlled setting. This process can also help establish the different roles and responsibilities across team members.

When it comes to risk mitigation, hope for the best but plan for the worst. Take your risk planning to the next level by getting started with your Business Continuity Plan. Talk to a risk mitigation expert today.

  Category: Risk Management
  Comments: Comments Off on 4 Step Approach to Building Your Business Continuity Plan

Threat Assessment: Knowing Your Risks

By Lowers & Associates,

threat assessment

The ultimate goal of any security program is to manage and mitigate risks. What do we mean by risk? In its broadest sense, risk can be defined as the likelihood of loss of anything having value, including people, facilities, information, equipment, and reputation. In a sense specific to security and loss prevention, risk is the probability that a particular threat will exploit a given vulnerability, leading to an unwanted result.

Knowing your risks is the obvious first step. But what is the best approach? And where do you go from there? Here are some key considerations:

Identifying Threats

First and foremost, identifying the threats to your business is instrumental. It is likely that your institution already has experience with a number of risk factors, but it is important to understand the rate in which new threats arise. It is crucial, therefore, to monitor emergent threats targeting your industry. This can often be accomplished by reading trade publications, engaging in discussions at industry conferences and loss prevention forums, and by obtaining case studies. Also, a number of sources provide crime metrics, some of which are industry specific, and can be very beneficial in identifying threats. … Continue reading