4 Key Sources of Cryptocurrency Exchange Risk

By Lowers & Associates

It is no secret that cryptocurrency is captivating audiences and opportunists on a global scale. By utilizing the cryptocurrency model of blockchain technology, users can perform transactions more quickly and anonymously. As such, many believe cryptocurrency was initially created to facilitate illicit activity such as human trafficking and narcotics. That impression has since been replaced as more and more people discover the ability to purchase goods and services without bank fees, and potentially with a higher gain on the amount of currency invested in the blockchain system.

Still, many risks remain. And the crypto exchanges are looking for new ways to mitigate these risks, which include:

Dispersed Risk:

Spreading risk is a widely accepted way to succeed in the financial market. But the complex way in which certain risks are dispersed across anonymous networks or computers in a crypto exchange makes it difficult to pinpoint the exact source of a threat or risk in the system.

Anonymity:

The anonymous, digital nature of cryptocurrency transactions means there is a natural lack of control and physical security. This allows new opportunities for someone with malicious intent.

Lack of Control:

Typically, network administrators and advanced computer engineers can develop robust controls to ensure the cryptocurrency can be stored and used as appropriate. But what happens if the cryptocurrency is stored on a thumb drive and the drive is stolen or damaged? What happens if someone performs a tiger kidnap and forces transactions to take place?

Potential for Significant Loss:

Unlike in a vault robbery where millions of dollars in bulky and heavy currency takes multiple trips to remove from a vault, the same amount can be removed in seconds with a thumb drive into an anonymous sea of computers.

These and many other areas of risk are driving the cryptocurrency exchanges to invest in insurance. Insurance syndicates and others are responding by addressing how to validate the actual quantum of the currency and how to define the policies and exclusions that will protect these growing networks.

Meanwhile, the cryptocurrency exchanges will continue their efforts to identify and mitigate current and future threats to the trust and safety of their networks.

  Category: Risk Management

7 Components of Risk Assessment for Crypto Cold Storage Service Providers

By Lowers & Associates

Cryptocurrencies have two faces that present two different sets of custodial issues. One face of these digital assets is that they are weightless strings of binary code that can be flashed around the globe instantaneously. They are accessed through a network of servers, with heavy encryption at every step as the main custodial tactic.

The other face is physical. Cryptocurrency investors have become highly aware of the fact that “hot” storage of digital assets (storage in an online encrypted file) is more risky than “cold” storage in an offline “wallet” because the online storage methods have proven vulnerable to hacks of different kinds (phishing, social engineering, etc.). The custodial risks of offline cold storage have a lot in common with the physical risks of other small but highly valuable items, but they include some digital risks as well.

A growing number of firms ranging from startups (like BitGo) to financial giants (like Fidelity) have devised or are in the process of devising cold storage services—a kind of vault for digital assets—for the growing number of investors who want better protection for their crypto assets. A cold storage vault provider has to assess the risks of digital assets in offline storage and devise methods to mitigate them. Note that these risks exist in a largely unregulated system where normal fiat currency controls do not exist.

Here are seven risks providers need to assess and address:

1. Is the safe or vault the right kind for the level of risk, for the value of the asset?

The physical security of the vault must be strong enough to match the value of the asset. Since literally billions of dollars in value can reside on a tiny device, physical resistance to penetration is not a trivial matter.

2. Are digital threats adequately controlled through electronic and physical means?

Digital assets are vulnerable to magnetic or radio radiation, by malicious intent or by accident. Storage areas should be shielded, including all access routes on the premises. No devices that have memory or carry magnetic fields can be allowed in the vicinity of the asset.

3. Is physical access to the vault properly controlled?

Almost every armored car robbery begins with the thieves evaluating the access route. To generalize, cold storage providers have to do the same kind of assessment and control the risks. CCTV coverage of access areas is essential, and recordings should be kept 30 to 45 days. Guard presence is required, with escorts for people asking to access the vault.

4. Do procedures sufficiently check the identity of individuals seeking access?

The absence of a legal system of Know Your Customer controls means that storage providers have to develop other means for identifying the people who seek access. This includes every person involved in the chain of custody, such as drivers, guards, and managers. The level of control established by the entities in the chain of custody will vary, and could introduce risks during hand-offs.

5. Are dual control procedures in place at each step in the access process?

Every hand-off and every episode of access to the asset should be under dual control, with appropriate segregation of duties.

6. Are logs maintained to document access and hand-offs of assets, either in or out?

In addition to the CCTV record, every event in the vault that includes access to an asset should be logged according to an established procedure. Personnel on the ground should make the entries and sign off on them. These records should maintain an audit trail including the nature and value (if known!) of the digital asset.

7. Is every member of the staff researched for security and trained in all procedures for control?

Training and understanding of the mission of the vault, as well as job-specific duties, must be verified for every vault employee. Again, outside individuals in the chain of custody may present unknown risks, so efforts should be made to determine the level of control they are under.

Many of these risks are familiar to vault service providers in the cash management industry. For some risks, the addition of digital cold storage is a matter of extending policies that already exist. However, the addition of the digital issues, especially since cryptocurrencies do not have an external source of control like a fiat currency has, raises the level of risk and the related need to mitigate risk for cryptocurrency.

Download and read Lowers & Associates' new white paper, Custodial Crypto: Transportation and Storage, to get a broader understanding of how crypto affects custody.

Defining the Risk of Cryptocurrency

By Lowers & Associates

The fundamental risk of cryptocurrency (‘crypto’), aside from market risks, is custody. Simply put, the high value of crypto, with the equivalent of over $100 billion in circulation (at this time), provides ample motivation to steal it.

Hot vs Cold Storage

If the crypto is stored in a “hot” (online) environment, strong encryption is the essential safeguard, but the entire environment must be secured. The digital asset and the private encryption key that accesses it must be stored separately. Since the online account storing the asset is generally known to the public through the blockchain, the biggest risks are hacking attacks on the online storage or theft of the private key. Whoever holds the private key controls the asset. History has shown that online storage is highly vulnerable to theft.

If the crypto or its private key is held in “cold” storage (offline)—as many experts recommend—then both digital and physical risks exist. As large and more traditional investors choose cryptocurrencies for value stores and transactions, use of the cold storage option is likely to increase. The need for strong encryption remains, and specific kinds of threats against digital assets, like electromagnetic radiation, have to be mitigated.

That said, once the crypto and its private key are in the physical realm, many of the risks of crypto are similar to those that apply to compact high-value objects like gems, bearer bonds and cash. A small cold storage “wallet”—a digital device that might be the size of a thumb drive—can hold and transfer any amount of cryptocurrency. These tiny devices are highly vulnerable to damage or theft, and even if a thief does not get the private key, they can still hold the device for ransom.

A second major source of risk to crypto is the very reason it exists: it is outside of any traditional currency ecosystem, without the insurance and security protocols that accompany fiat currencies. No institution is monitoring crypto transactions, and no law enforcement agency is routinely tracking suspicious actors. In fact, the identities of investors in crypto may not be publicly known.

Financial institutions are beginning to evolve private ways to duplicate some of the protections of traditional currencies, like Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. Cash in Transit providers are building on their experience in cash management to devise secure ways to store and transport crypto.

Crypto is still in the wild west phase. It is growing very rapidly, and a financial system is developing to make it a reasonable alternative to fiat currencies.

For more information about the risks of crypto, and how to manage them, request a copy of our new white paper Custodial Crypto Transportation and Storage: Understanding and Mitigating the Risks.

The Opioid Crisis and Your Public Restrooms: Mitigating the Risks

By Lowers & Associates

As the opioid crisis continues its rise in the U.S., an unexpected threat has confronted businesses and other entities that offer public restrooms. It turns out more and more public restrooms are being used by addicts as a relatively safe, clean, and private place to get high.

For their part, the businesses who operate these restrooms report more cases of syringes and drug remnants left behind. Overdosed individuals (dead and alive) are being found by unsuspecting employees and customers in increasing numbers.

The situation of opioid use and public restrooms, which NPR referred to as “ground zero in the opioid epidemic,” presents businesses with a difficult decision. Do they restrict access, close their restrooms entirely, or keep their restrooms open and find other ways of managing the risks?

4 Aspects of Risk Mitigation:

Addict or not, no business owner wants to have someone die or harm themselves, especially on the company’s property. The opioid crisis is forcing business owners and managers to find ways to ensure the safety and convenience of customers and staff who use the restrooms, while also considering measures to increase the safety of addicts.

Measures taken must be based on a clear-eyed risk assessment. Managers cannot simply hope the addicts will go away.

There are several aspects of risk mitigation, some purely local managerial actions and others involving police or policy responses. Here we look at four areas you may want to consider in addressing the issue:

1. Access Control

The first thought for many owners is access control. If an addict cannot get into a restroom, problem solved. However, it’s harder to do than you might think. Here are some tactics companies have tried:

  • Keys or lock combinations controlled by staff can limit access. However, these are also easily defeated, as the addict could just linger near the door until someone exits, then grab the door before it closes.
  • Some businesses station a guard next to the restroom entrance and require a receipt for access. To combat this, according to the NPR report, an addict named ‘Eddie’ says he just gets a receipt from the trash.
  • Design can help in some cases. Airports, for example, usually have restrooms that are permanently open via hallways that block visibility from the main corridor, removing the privacy that the addict needs. This can be an overly-expensive or impossible undertaking for many businesses.

2. Adaptation

Given that addicts exist and will continue to exist, some owners have modified restrooms to limit the attractiveness of the room for the addict.

  • Restrooms can be modified to be less accommodating by removing shelves, cubbies, ceiling tiles, or other hiding places where an addict might store drugs or paraphernalia.
  • A popular tactic has been the use of blue lighting, which makes it more difficult to find a vein for injection. However, many addicts will inject anyway, increasing the chances of a botched attempt that spreads blood and potentially disease.
  • Some managers even train staff to use naloxone, a drug that can reverse opioid overdoses, in case someone is found passed out. Naloxone is widely available.

3. Policy

Public intervention to reduce the risk of overdosing deaths is controversial, part of the wider debate over criminalization versus rehabilitation. Several states have considered laws to permit “supervised injection facilities,” though these may run afoul of Federal law. Nevertheless, there have been several public policy attempts that businesses might look to for inspiration in forming their own policies.

  • CNN reports that Health Canada has approved a number of “safe injection sites” where addicts can use openly in a controlled environment. One site in Vancouver has been operating since 2003 and has not had a single person die even though there were 6,000 cases of overdosing.
  • A city could install “Portland loos,” named after the Oregon city where they were invented. The loos have no running water, no mirrors, no porous surfaces, and limited privacy because police can peer into them at top and bottom.
  • One ambitious example is the Corner Project in New York City, a syringe exchange program. The Project offers a restroom to users which its managers insist is just a restroom, not a supervised injection facility. There are no medical personnel on site, but an intercom is used to check on users, there is naloxone on site, and employees can quickly enter if necessary.

4. Design

A number of agencies have stipulated how restrooms should be designed to increase safety for addicts who use them as injection havens. Public restroom managers may be able to adopt some of these practices. One example is from the New York state “Syringe Exchange Policies and Procedures” guide.

  • Restrooms should support hygiene: cleaner injections reduce risk of infection.
  • Tables and other surfaces should be a non-porous material for easier cleaning.
  • Staff should have a means to access the restroom at all times.
  • Doors should swing out, not in, so a collapsed addict does not block entry.
  • Intercom systems for two-way communication are desirable.
  • The restroom needs a regular cleaning schedule.
  • A biohazard box for used needles, drugs, or bloody patches should be provided.

The unfortunate reality is that there are millions of people who are addicted to opioids, too many of whom graduate to injection. If managers want to continue providing access to public restrooms as a valued service to their customers, they will have to address the risks that addicts pose. How is your company addressing the concern? Talk to a Lowers & Associates risk management consultant for a complete risk assessment and advice.

  Category: Risk Management

5 Current Threats to Hospital Security

By Lowers & Associates

Treating patients is far from the only concern faced by hospitals today. To protect the safety of patients, visitors, and staff, hospitals must now take extra efforts to anticipate and prepare for security threats.

Hospitals are vulnerable to crime and violence from patients, visitors, and occasionally their own staff members. Therefore, security systems in hospitals must include proactive measures to create and reinforce effective security protocols geared towards accountability, readiness, and responsiveness.

The first step to designing an effective security system is understanding the threats themselves.

Here are some of the top security issues concerning hospitals today:

1. Abuse and battery towards medical staff

Assault and battery towards medical staff are the most common types of abuse-related injuries to occur within healthcare facilities. 80% of serious violent incidents reported in healthcare settings were caused by interactions with patients and were usually caused by patients hitting, kicking, beating, and/or shoving medical staff. There are many reasons that contribute to this. For one, patients may be victims of an incident caused by a dispute, creating a hostile or volatile environment inside the hospital. In other cases, patients may suffer from instabilities due to addiction or mental health issues.

At highest risk of patient-inflicted violence are psychiatric aides, who are at more than ten times the risk of nursing assistants, the second-most affected group. Other high-risk groups include emergency departments, geriatrics, pediatrics, and behavioral health providers.

2. Active assailant attacks

Researchers at Brown University reported 241 hospital shootings between 2000 and 2015. Breaking this down, the majority of in-hospital shootings happened in the emergency room (29%), next to the parking lot (23%), and in patient rooms (19%).

As recent stories exemplify, simply having a plan is not enough. A recent active shooter situation at Dartmouth-Hitchcock Medical Center exhibited the need for a much more comprehensive security approach. When the shooter entered the hospital and shot a patient, “Code Silver” was announced to all staff members. However, most staff did not know what the code meant, let alone how to react. The code has since changed to “Active Shooter,” along with other modifications to improve overall hospital security.

Bethesda Butler Hospital in Hamilton, Ohio is working to enhance training. They hired actors to practice emergency response to a hospital shooting. As Ronald J. Morris, the Director of Corporate Security for Tri-Health puts it, “It’s all about preparation and telling people about developing the right mindset so they can be more prepared.”

3. Infant abductions

Infant abduction is the most common type of abduction in healthcare facilities. According to the National Center for Missing and Exploited Children, 317 cases of infant abductions occurred between 1965 and 2017. The majority of cases of infant abduction occur in the mother’s hospital room, with violence inflicted on the mother in 8% of cases. Before more advanced security protocols came to form, many of the perpetrators disguised themselves as medical personnel to steal a child, usually from the hands of the mother.

In response, hospitals have cracked down on security measures and patient education practices that directly address this type of risk. The system does not need to be complex, but it should be effective. For example, access to maternity wards should be limited to qualified personnel or individuals who can prove their relationship to a patient. This can be further reinforced with badges that identify the security clearance of medical staff.

4. Supplies and property theft

From drugs to food to medical supplies, you could make an A-Z list of items that are stolen from healthcare facilities. In 2009, hospitals reported 272 incidents of theft. By 2015, this number rose to 2,926 – a 166% increase. The result can be extremely costly. As a single example, the Santa Clara Valley Medical Center in San Jose, CA counted 383 stolen pieces of equipment between 2010 and 2014, totaling over $11 million in value.

Culprits include patients, visitors, and also staff. An employee at the Christus Santa Rosa Hospital-Westover Hills in San Antonio, TX admitted to stealing over $400,000 worth of equipment because “it was easy and no one asked any questions.” Hospital theft is a good indication of a vulnerable security system, and also contributes to unnecessary overhead costs.

5. Pressure to cut costs

While 49% of hospitals reported an increase in crime between 2016 and 2017, nearly 1 in 4 hospitals (23%) reported a decrease in their hospital security budget over the same period. Part of this involves a reluctance to hire more security staff. In an anonymous survey, hospital workers mentioned “more [security threat] incidents, no increase in staff,” as a key challenge for hospitals.

Given its impact on security measures such as employee training, staffing, and security equipment, the pressure to cut costs is one of the most devastating restraints to an effective security solution. With $3.6 billion in federal budget cuts announced for 2018, hospitals need to prioritize security measures that combine effectiveness with cost-efficiency to strive for the best return on investment and highest possible level of security.

Security demands are changing, and hospitals must keep up to protect the security of their patients and staff. To address the increasing risk of in-hospital crime, hospitals must prioritize prediction and prevention of crime just as much as how they respond to and manage incidents. Solutions to achieve this include more advanced technology and data collection, increased security visibility to deter criminals, and bolstering in-house security presence and security response.

Now is the time to examine whether your hospital is in need of updated practices. Explore our healthcare security and risk mitigation solutions.

  Category: Healthcare Security