Until recently, Continuous Monitoring was, at best, theoretical.  Why?  Because true Continuous Monitoring required real-time access to court records in order to make actionable, informed decisions on employees involved in legal matters.  Arrest record data and other sources were ok, but to truly get the whole picture, court records were required.  Thanks to progressive advances in automation, true Continuous Monitoring is now very real and can, today, provide organizations the opportunity to actively manage employees that operate in high-risk, high-compliance environments.

True Continuous Monitoring is crucial in the modern workplace because it brings efficiencies to risk mitigation immediately after an event occurs, especially if it’s non-jailable or an unreported offense.  With businesses right now running lean and looking for any advantage as they right-size, re-strategize and build towards a post-COVID-19 economy, they need their people to be who they say they are.  True continuous monitoring enables this.

But what about before something bad happens?  That, as they say, is where the rubber meets the road.

Predictive technology absolutely exists in the mainstream already – it drives the engines powering social media, music streaming, news feeds and online retail, to name a few.  But these insights are typically gleaned from prior activity or stated preferences to predict what a person might next want.  Whether you subscribe to Maslow’s ‘Hierarchy of Needs’ or any other human behavior model derivative, when a need is unmet in a person’s life, it’s true that the behaviors that follow are also (usually) predictive; but the technology that works for Spotify playlists and Amazon purchases doesn’t quite meet the litmus test required to anticipate (and mitigate) workplace violence, fraud or other activities that can profoundly impact a business and the people that work there.

Businesses need predictive insight to identify when a behavior pattern becomes a concern, or at the very least, be able to alert a managing authority to deviations that are outside what’s considered “normal and safe” behavior by an employee in order to mitigate the risk exposure.  The algorithm to perform said task does exist, but it’s still very much analog.

What is this old-fashioned engine that can help predict and manage risk-related behaviors, you ask?

Simply put, it’s communication.  More specifically, it’s employees in high-risk or high-compliance environments at all levels using standardized processes to communicate proactively about, well, anything and everything.  When it comes to mitigating risk, proactive communication’s predictive capacity is less about mind-reading and more about behavior-reading.  It enables a framework that employees can use to identify and communicate red flags before those red flags turn into bad behavior and a court case, or worse, yellow caution tape.

In the final entry of #OurStory series, Jon Groussman crystalizes the ’before and after of risk‘ using an example of a client that took a massive hit to employee morale and reputation that, had proactive communication and continuous monitoring been options, might have been avoidable.

This particular incident occurred at a research and manufacturing facility and involved a supervisor and an employee.  Can you tell us what happened?

Jon Groussman: I remember I’d gotten to the office a little bit early that day to do some catching-up.  My phone rang right around 830, it was an executive from a client’s facility letting me know that they had an incident the night before at around 11pm.  A supervisor on the overnight shift had brought a handgun into the facility, put the handgun to the head of one of the workers and threatened to blow the co-worker’s head off if he ever spoke to the supervisor again.  The police were called, the supervisor was arrested for aggravated assault and possession of a firearm, banned from the property and then, of course, taken into custody.

Clearly, the executives were rattled and couldn’t understand how this could happen at their facility.  I was able to get over to the facility the same afternoon that I received the call, walked through the facility and met with the executives.  Unfortunately, the executives didn’t really know much about what actually went on during this 3^rd shift which, for all intents and purposes, was an overnight shift. A lot of times, not only in this environment, but in other environments that have shift workers or that are open 24 hours, the more senior management doesn’t know what’s actually happening during those hours.  What develops then is a communication gap.  From a safety and security standpoint, that gap can become a real vulnerability because you’re not getting tipped off to issues that may be occurring in situations like this one.  So, I started to interview people.

Of the 16 or so people I spoke with, a common theme started to emerge. The primary one was that they were understaffed. They had a hard time finding employees with the skill set to meet their demands and so they were more tolerant of, not something like this incident, but we’ll say, inappropriate behavior.  The second was that being understaffed, the demands of the business had put them in a position where ignorance was bliss until reality hit – the lack of awareness and how to report inappropriate behavior was a huge issue.

You mentioned a pattern began to emerge.  Were there red flags that went overlooked?

Jon Groussman: There are almost always red flags; this kind of thing generally doesn’t happen out of the blue.  In speaking with people working that 3^rd shift, I was told that the assailant took longer breaks than everybody else.  As he was a supervisor, people didn’t question it because he also got his job done.  The problem was, we found out he was leaving the site – using the only camera that was well-positioned and functioning – to visit a neighboring community that was very well known for selling drugs.  We could see his car come and go at the times when his colleagues said he would be on longer breaks, and this began happening more frequently in the months prior to the attack.

With that revelation, we went to law enforcement to see if he had a record or had any weapons issues beforehand.  It turned out he’d been in court numerous times within that past year for purchasing drugs in the community I mentioned, but this client and facility didn’t have a system in place to know that. Now remember, this was a person in a supervisory role with access to assets within this facility that a loss or accident could have been very bad.  The materials and trade secrets were also very valuable on the secondary market, had he been desperate enough to need money for drugs or been coerced into stealing them.  Had this client and facility utilized some type of continuous monitoring and had a disciplinary policy, this incident would have likely never happened because he would have been gone long before it happened.

You mentioned that even with continuous monitoring in place, there wasn’t a mechanism to be able to report that information, let alone red flag behavior.  Was this a lapse in SOPs or a culture problem?

Jon Groussman: Everyone on that 3^rd shift acknowledged the assailant was unusual – he would go and dance on the roof, for example.  But, to your point, the environment at the facility was one where security and minimizing conflict was not part of the culture.  They didn’t have SOPs that addressed ways to communicate any perceived efficiencies, let alone any threats that somebody may perceive against the people or physical assets at the facility.  There was no standardized method to report much of anything.

So, it was clear we had to implement better access control measures.  We wanted to know when people were coming in and going out, and adding physical security equipment like CCTV to compliment it.  But one of the biggest things we had to do was change the culture.  In the security world, it’s sometimes easy to talk about standard operating procedures and physical security equipment, but all those things are only as good as if people are willing to follow it and buy into the program.

The other piece of culture change is that it requires people that are accountable. This facility didn’t have anybody responsible for security.  They didn’t have a threat assessment team. They didn’t have a facility security manager.  Their primary focus for security was that of the machines that did the manufacturing and research.  It was a deadline driven environment.  To get the work done, there was a willingness to overlook certain human capital elements when it didn’t have to do with occupational safety.  As long as the machines were running properly, the place was considered very safe.  But when it came to a potential insider threat, that wasn’t part of the culture. And that’s why I think it took everybody by surprise.  But that 3^rd shift was an island unto itself.  Nobody had eyes on it, and they didn’t have the protocols in place to try to capture the red flags.

You’ve seen a lot of things in your career.  Did anything about this experience shock you?

Jon Groussman: Unfortunately, no.  Most of the calls I get are when things are going well until they’re not.  The comparisons that always come to mind are insurance and lawyers – nobody wants to pay for either until they need it.  I think it absolutely surprised the executive team within this particular company that this happened.

The problem was that it wasn’t just the guy who had the gun held to his head that experienced the trauma; it was all the co-workers who witnessed the event.  They were fearing for their lives in that moment.  If that gun went off, even accidentally, who’s to say he wouldn’t have kept shooting?  And this was long before there was such heightened awareness about active shooters.

But this scenario still happens, and it happens because of a lack of communication that, had their communication been better, could have been prevented.

Besides more proactive communication, how did this experience become a teachable moment for you?

Jon Groussman: Most of what I do, and much of what security professionals do when they do assessments, whether it’s a post-event assessment or pre-event, is understanding what the threats are and understanding where the vulnerabilities are, and how you can operationalize the mitigation efforts. And for me to help a business change its culture to become more proactive around its security, I have to have an understanding of the way that business operates before making recommendations on how to minimize those risks.  In the process, you have to prioritize the risks.  And then you have to make sure that the business can still function with the recommendations that you’re putting in place, because you’re not there to create a prison.  You’re also not there to spend money unnecessarily that a company doesn’t have.  And, you’re not there to reduce the efficiency of their business.

In this case, there were some very simple things that we were able to do through an awareness campaign, through a 24-hour anonymous call center – which is very simple to do.  Improved access controls, new cameras.  We instituted continuous monitoring for those employees that had certain access to materials and information, and created oversight protocols for management.  We designed a reporting structure and also a disciplinary structure together so that, if somebody wasn’t doing their job or was behaving in an unusual way, you could address those issues.

We basically just connected the dots.  It took a long time for morale to improve, but it eventually did and proactive communication was really the driver of it all.

Business Continuity Plans (BCPs) are funny things.

At their most basic, BCPs are the real-world response to the old “Hope for the best, Plan for the worst” adage.  It’s honest recognition that being stuck between a rock and hard place is better with a hammer, albeit with no guarantee that the hammer is big or small enough to be helpful.

Nonetheless, a well-conceived BCP provides peace of mind, like insurance does, with the added satisfaction that only authorship (or ownership?) brings.  The rub, of course, is that every BCP is, at the end of the day, still just a plan.  As boxer, actor, felon, playwright and corporate strategist ’Iron‘ Mike Tyson once famously said, “Everyone has a plan until they get punched in the mouth.”

Indeed.  Because sometimes pipes break in the 2^nd floor ceiling of your office and leak antifreeze everywhere.  And because, other times, there’s COVID-19.

The benefit of having a BCP plan in place to manage either situation is that, well, there is at least a plan.  And despite what Kid Dynamite says, the real truth is that any company with a plan retains, at the very least, a fighting chance to get back up after they’ve been hit.

For Lowers Risk Group, like many others, COVID hit our industry, our business – our people.  We were fortunate, though: our Business Continuity Plan was 5 years in the making.  It didn’t matter, until it did.

Back in 2015, CTO David Lowers, Chief Security Officer Joe Labrozzi and Director of IT and Security Chris Sosnoski recognized the need for our growing staff to have partially, if not fully, remote capabilities.  What was initially driven by space concerns evolved with the access to and the ability of new technology to support fully secure, remote work that reduced cost, increased efficiency and enabled greater flexibility that could support new business opportunities within Lowers Risk Group.  With this foundation in place, Lowers, Sosnoski and Labrozzi were able to take the organization’s global footprint of over 550 people (spread over 3 continents) to fully remote in less than 2 weeks with zero business interruption when COVID hit.

And though Facilities might disagree, being fully remote due to COVID made the impact of that leaky pipe one less headache to manage when stress levels are already elevated.

We asked Labrozzi and Sosnoski to tell #OurStory of transition to a fully remote work environment.  We asked them what made it possible and to share a few insights that could help other organizations with the creation and implementation of their own BCPs to author their future resilience.  Below is a transcript of our conversation.

On behalf of the entire organization – thank you both for your efforts and keeping the organization on its feet as COVID hit.  How did your teams manage this transition?

Sosnoski
Our ability to go remote during COVID was strategic and began 5 years go.  Wholesale Screening Solutions, our largest division at Lowers Risk Group, was beginning to test our space limitations.  At that time, the VA HQ had about 400 people on-site.  Additionally, the Wholesale team recognized a need that they had to hire in different areas, not just in VA HQ.  We were tasked with how to support that, and it was clear we had to embrace the cloud.  Buy-in from David and other executive leadership there was the first step.

Labrozzi
What really drove the process was what was happening in Wholesale’s Georgia office, our first off-site campus.  We needed a base to get our people into the courts to do research.  That organically began to create resiliency in our operations – rather than rent out trailers, for example, in the event of something happening, our second location offered redundancies as technology matured.  As we gained more experience managing this remote location in GA from our VA HQ, we saw it was possible to have and manage a remote workforce while still doing secure work.  We then built a series of processes around this concept that laid the foundation for more remote work, and we’ve been working at that ever since.

Sosnoski
Right before COVID hit, for example, we launched phase 1 a Unified Communications as a Service (UCaaS) initiative with plans to roll-out Phases 2 and 3 in the coming months.  What would have been a much more measured roll-out was accelerated by COVID.  But, had we not been building towards that – not just with the UCaaS launch, but all the work leading up to the launch – it would not have been as easy or seamless.  However, we had our BCP in place and were able to activate it,.  Our teams stepped up and, again, the full support of leadership helped make it happen.

What were the steps you were taking to build that initial foundation over 5 years?

Sosnoski
The goal was always to keep the working experience as secure and as available as possible, so it was about taking small bites at the apple.  Exploring, testing, and implementing remote training, for example.  Cloud-based email.  Our UCaaS environment.  We were able to leverage cloud resources like Microsoft, Adobe, Salesforce, AWS and Zscaler to achieve this.

The complicating factor was the cost associated with it – we had to be willing and able to spend monthly on subscription services.  For a while, that was a barrier, but we continued to make the business case while moving from a hybrid environment to a cloud environment.  Transitioning the phone system to UCaaS, for example, was a two-and-a-half-year effort to make happen and now our teams are loving the flexibility it offers.  Our teams can do remote assessments and maintain contact with each other and clients easily.

How did you each manage the workload during the COVID transition to remote work?

Labrozzi
Teamwork.  At VA HQ, Chris and I have sat next to each other for years, so we have a great working relationship – that’s part of the culture at LRG, which is probably also a reason the transition was smooth.  But it’s about the quality of who you work with.  Chris’ IT team knows what needs to get done – they’re reliable and fast.  I focused on the human capital element, making sure that we were dealing effectively with any productivity concerns, making sure teams were staying connected.  We all operate from a leadership mindset and depend on each other to play our parts.

Sosnoski
The real risk in remote work is not technology, it’s management process.  My team trusts each other to get things done.  When COVID hit, we found a useful strategy was to use quick, daily stand-up meetings.  For the most part, these types of meetings continue in some capacity across all departments; I know upper management remains committed to finding one-on-one time for their direct reports.  Process is super important in all this, but equally so is everyone’s ability to do their job.

Any key takeaways to offer other organizations from your experience?

Sosnoski – I think there’s really three that worked for us:

• We started planning early and had already explored the risk environment, developed the processes that would provide us a path of least resistance to continuity and had leadership buy-in.
• We identified the right digital tools and had assessed, budgeted for and tested them as part of the plan strategically; having to do this during COVID would have been very difficult.
• We were all aligned on the work that had to be done to achieve the vision; for us that was finding a secure, scalable and available environment to perform our risk mitigation work.

Lowers Risk Group provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly regulated environments and organizations that value risk mitigation.  Our human capital and specialized industry enterprise risk management solutions protect people, brands, and profits from avoidable loss and harm.  With Lowers Risk Group you can expect a strategic, focused approach to risk assessment, compliance, and mitigation to help drive your organization forward with confidence.  Contact us.

The college admissions scandal has caused quite a stir in the media over the last few weeks. The stories have varied, the fraudsters are unique to each situation, but in the end it’s the same old tale; the rich use money and power to influence the morally weak and advance those closest to them to undeserved positions of grandeur. The key in this case is that schools across the US are being brought down to the same level as the criminals and fraudsters that perpetrated the crime in the first place.

Yale University, founded in 1701, has graduated five U.S. Presidents, and prides itself on its motto, ‘Lux et veritas’ or in English “Light and Truth.” However, a Yale soccer coach was able to pull off a scholarship-based fraud in which a student was accepted without merit. Is this Yale’s fault? Perhaps in part, but I would like to blame it on a much larger, systematic fraud scheme that can easily be discovered and rectified with appropriate planning and execution.

Other schools were involved in Title IX fraud, SAT proctoring schemes, and direct fraud from payoffs or bribes. Each school left a back door open for a fraudster to come barging through and in the end, will be sued for millions of dollars. These lawsuits, some frivolous and others merited, will need to be tried and tested. What can your institution do to avoid situations such as this?

In our experience, fraud is perpetrated in larger educational institutions and corporations when the controls breakdown or are antiquated. There are simple ways to enhance controls and become a much more aware organization.

Some important tips that we feel will mature your organizational fraud prevention controls are below.

Enhance Internal Controls

When looking at sophisticated organizations such as a university, one might think that internal controls are deployed across the enterprise. However, this was not the case in athletics, where some of the fraud was perpetrated. Entities should implement enterprise wide systems of internal “dual control” whereby a minimum of two people are involved in the decision-making process/function. The purpose of dual control is to deter fraud, provide a properly documented audit trail, maintain quality assurance, and prevent extortion. This dual control process creates a system of “checks and balances” in which a single person (authorized person(s) within a department) does not have the sole authority to decide without the verification and approval conducted by a secondary and separate department (authorized person(s) within that department). This helps to mitigate the potential for collusion. These obvious changes can deter fraudulent actions and lead to much more effective fraud deterrence. Internal control is vital when trying to ensure that protocols and regulations are carried out according to policy.

Make your organizations aware, and force reporting

Create a fraud risk policy with demonstrative cases that establish consequences for perpetrators. It sounds simple, but this is a critical step in setting up the consequential deterrence that is sometimes needed to stop amateur fraudsters. If individuals in the organization are aware that management is looking for certain types of fraud, they might think twice before acting.

An additional aspect of organizational awareness is to implement reporting. In any instance where there is a violation of policies or an employee feels there is a violation by someone else, encourage reporting. Anonymous reporting/tip lines have historically been the number one means by which occupational fraud is discovered. These reports and tips need to be vetted and followed up to ensure there are consequences. As the fraud risk policy matures, there should be a noticeable difference that will help secure organizations from becoming victims of fraud.

Know Your People

Fraudsters tend to demonstrate behavioral traits that can indicate they have committed or are candidates to commit fraud. Comprehensive background screening can be the first step in ensuring that there are no concerns prior to offering employment. However, initial background checks are not enough.

Employers and leaders need to listen to what employees are saying. If there are divisional leaders, or in this case coaches and deans, that are deeply respected or far too entrenched in the internal control environment, they can create circumstances that could lead to fraud. For instance, USC, who saw their senior athletic director implicated, was victim to the college admissions scandal when the water polo coach recruited a student who didn’t even play water polo! Had USC screened each scholarship athlete and ensured there were controls and reporting in place, this could have been avoided. Now, USC is at the mercy of the judicial system.

In conclusion, it is amazing that these events transpired in today’s digital environment, but it clearly demonstrates a lack of understanding when it comes to the willingness of fraudsters to attain what they want. Legacies are now tarnished over the acts of bad actors and their accomplices.

Lowers Risk Group prides itself in delivering solutions to our clients that rectify these types of situations.

Contact us to learn more.

With the surge of cryptocurrencies, mainstream investors are looking at them as alternative vehicles for transactions and the storage of value. Despite their relative volatility, they have advantages in permitting transactions of any size on-demand, growing worldwide acceptance, anonymity of stakeholders, and independence from traditional financial institutions.

The security of the blockchain is inherent in its technology. Each step forward in time, when a new block is added to the chain with the guarantees of either the power of work (POW) or power of stake (POS), the transparency and permanence of transactions is theoretically immutable, as long as the private encryption keys are secure.

Every unit of cryptocurrency is exposed to investment risk, just like any other commodity that is traded in a market. Investors may seek hedges in the market against loss, but this kind of loss is not insurable in the ordinary sense.

So, the general answer to the question “what are we insuring?” is against the loss of value due to institutional failure or theft. But in the case of cryptocurrency, how is the value determined?

The institutional structure of cryptocurrencies is a wild west of new businesses emerging to manage the flow and storage of value. The most prominent type of business in this ecosystem is the exchange, where the market value of crypto can be traded for a traditional fiat currency. You can sell your Bitcoin for U.S. dollars, products or services, or almost any other currency.

Unfortunately, the exchanges have proven to be insecure. Billions of dollars’ worth of cryptocurrency have been stolen by hackers who break into the online system. In an odd feature of the blockchain, it has been possible to see which accounts received the stolen money, but without the encryption keys it cannot be recovered.

Shifting the risk offline.

A response to the risk of storage of value on a crypto exchange (in a “hot wallet” online) is to move the currency to a “cold wallet” that is offline. In other words, you download the value onto private keys.

Therefore, the insurable event is when either the encryption key or the currency value, or both, are stored offline. Whenever this happens, you are no longer in the purely digital world of the blockchain, and the risk of loss through theft arises.

Insurers will want to replace the fiat currency system’s security rules with procedures and processes that duplicate their functions. For instance, they will want to replace ‘Know Your Customer’ regulations with procedures that identify the owners of the currency and/or encryption keys. They will also want to see custodial procedures that safeguard the offline items with security commensurate to the value.

There is some irony in the fact that the blockchain, which was devised to do away with all the cumbersome regulations of fiat currencies, maintain anonymity, and offer a high level of confidence, is now evolving toward systemic guarantees much like fiat currencies already have.  There is a cost for having secure transactions and storage.

For much more information about cryptocurrency storage and transportation, see our new white paper, Custodial Crypto Transportation and Storage: Understanding the Risks.

To stay prepared, organizations must expect the unexpected. Business Continuity Planning (BCP) addresses the need to have contingency plans in place to deal with potential threats that can turn an organization on its head. Continuity planning is a necessary part of coming out on top in the face of the most challenging circumstances such as a natural disaster, a significant market crash, or a serious hit to a company’s brand or reputation.

As a risk manager, CEO, or any party responsible for the long-term success of an organization, you need to have a plan in place to clearly outline what you would do if the worst were to happen tomorrow. Here are four phases to putting your BCP in place.

1. Business Impact Analysis (BIA)

The first step to building your company’s BCP is to consider the potential impact of each type of disaster or risk event that your company may face. For example, a company in the finance industry may consider the role of the stock market, data breaches, or the possibility of a fraud scandal. The BIA helps you discern which processes are the most critical to recover or initiate in a state of a disaster and assigns a monetary value to the protection of assets involved in specific business processes.

Key goals of the BIA should include:

1. Identifying the impact of uncontrolled events
2. Prioritizing critical functions
3. Establishing maximum tolerable outages

2. Risk Assessment

Upon identifying the impact of the risks facing various functions across your business, the next step is to determine the potential magnitude of these risks. This is a critical assessment to perform, as it helps establish which risks should be most emphasized in the BCP. Priorities can be established by looking at which risks are most likely to occur to determine the breadth of coverage for your company’s BCP. To do this, you can run a gap analysis to compare your company’s current contingency plans against that of the proposed risks to identify any holes you need to fill. With knowledge of these gaps, you can analyze various threats to identify their respective impact.

To aid in this process, it is helpful to work from a list of potential emergencies or viable threats as well as the likelihood and impact of such events such as to personnel, assets, or monetary impact. These can help formulate different scenarios to plan for, such as natural disasters or terrorist threats, as well as minor events such a power outage.

A best-practice risk assessment report should cover the following:

• Summary of Business Operations
• Risk & Vulnerability Analysis
• Critical Support Infrastructure
• Physical Environment
• Recovery Time Objectives
• Business Recovery Strategies & Priorities

3. Business Continuity Plan Preparation

During this step, the BCP is developed, taking into account the likelihood, magnitude, and potential impact of the risks that were identified in the previous step. The BCP preparation stage will take it a step further by documenting strategies and procedures to maintain, recover, and resume critical business functions as quickly as possible. Part of this preparation will entail a list of procedures to address priorities for critical and non-critical functions, services, and processes.

The BCP should include:

• Business Operations
• BCP Organization
• Plan Activation & Operation
• Preparation & Readiness Checklists
• Emergency Operations
• Facility Restoration & Relocation
• Emergency Communications
• Emergency Forms & Terms
• Incident-Specific Response Checklists

4. Business Continuity Plan Testing and Table Top Exercises

Once a plan is established, it’s time to put it to the test with table top exercises. During this final step, key staff members and management will come together to simulate their response to various emergency situations that were identified as likely risks. Using the procedures outline in the BCP, these exercises will identify gaps in the plans to improve them in a controlled setting. This process can also help establish the different roles and responsibilities across team members.

When it comes to risk mitigation, hope for the best but plan for the worst. Take your risk planning to the next level by getting started with your Business Continuity Plan. Talk to a risk mitigation expert today.