In today’s threat-filled environment, money is not always a hacker’s prime motivation. They could be driven by political reasons or just want to embarrass organizations.
But irrespective of their motivation, hackers often target sensitive company information. Panelists during a session titled “Anticipating Disruptions: External and Internal Threats to Data” at the recent MIT Sloan CFO Summit in Newton, Mass., said there are several steps organizations should take to protect their data.
“As protectors of data, we are in some way sitting ducks to the agility of the cybercriminals who are coming at it from many different vantage points,” Bright Horizons Family Solutions CFO Elizabeth Boland said.
Not taking steps to protect data could be costly: A report from the World Economic Forum and McKinsey & Company estimates that cyberattacks could cost the global economy $3 trillion by 2020. The problem will only get worse as cybercriminals become more innovative, Michael Ellis, CFO at online tuition payments service Flywire, added. Josh Siegel, CFO at security software company CyberArk, emphasized the need for speed when it comes to identifying a breach.
“The programs should have speed to detection, speed to contain the breach and then speed to remediate in case there is a breach,” Siegel said. “Get to the problem as fast as possible and then you would have the fastest containment of the issue.”
Training and awareness programs for both employees and board members are critical to enhancing cybersecurity, Ellis stressed. Organizations should have protocols in place so that employees know how to contain, analyze and report when an issue surfaces, he added.
“Audit your employees; make sure they understand,” Ellis said.
As company data has become a prime target for hackers, board members have become more aware about cybersecurity issues and have higher expectations about what their organizations are doing in regards to cybersecurity, according to Boland. Therefore, it is crucial to help board members understand the cybersecurity concerns that CFOs and CEOs have, Ellis added.
To avoid financial disasters, organizations should implement manual controls in their systems that complement automated ones, Ellis suggested.
“Any type of breach can be catastrophic at the enterprise level,” he said. “[An organization’s] reputation is destroyed … and there are financial, operational and legal issues.”
The benefits of segmentation, CISOs
Boland highlighted the need for network segmentation to enhance security. If hackers break into a flat network that is not segmented, they would have access to information assets across the network. She advised the audience to implement a layered approach that goes beyond initial security measures to protect sensitive client and employee information.
“We have to detect intrusion, but more importantly prevent the extraction of any information if there is intrusion,” she added.
Panelists also emphasized the need for hiring CISOs.
“Enterprises need to get CISOs earlier on in the game, because the problem with cybersecurity is it’s a moving target,” CyberArk CFO Josh Siegel said. “The benefit of the CISO is that they are thinking 24/7 about, ‘What do I need to do to keep the enterprise secure?’”
Organizations should also deploy security analytics tools and software to collect, filter, integrate and link diverse types of security event information in order to gain a more comprehensive view of the security of their infrastructure, according to session moderator Chetan Gavankar.
Boland suggested being selective about partners and vendors, and including security protocols in contracts.
“We are not just concerned about our security, but the security of our supply chain, because if our law firms are breached that’s an avenue to breach us,” Siegel reinforced.
CyberArk uses red teams that try to penetrate the company network in order to help the company identify security vulnerabilities, Siegel said. The company also has a very flexible budget for cybersecurity to help fix these vulnerabilities, he added.
“With respect to budgeting, you need to evaluate all kinds of risks — legal, compliance, financial, operational, and reputational — and put it with the business risk itself and quickly evaluate and come up with a number,” Ellis suggested.
On Oct. 21, hackers conducted a distributed denial of service (DDoS) attack against domain name service provider Dyn, causing an internet outage across the country and the world. To launch the attack, the hackers relied on internet-connected devices that had been compromised through their default passwords.
The massive DDoS attack was a harbinger of bad news, according to TCE Strategy CEO and cybersecurity expert Bryce Austin. It is a prime example that the IoT makes cybercriminals increasingly capable of creating a tremendous amount of havoc without a whole lot of effort, Austin said.
“Your IoT devices are just like having a defensive weapon in your home,” he said. “If you can hack thousands of people at the same time and have those devices do something that they otherwise shouldn’t … or use them for a completely unrelated purpose like the DDoS attack, you have an interesting target.”
Speaking at a session on IoT security at the recent SIMposium 2016, Austin emphasized that it is crucial to fuel discussions to help drive organizational changes that prevent such incidents. Technology leaders are responsible for finding ways to make their systems safer and more secure, including initiating measures to enhance security of internet-connected devices, he told the audience.
Austin said the formation of groups like the Industrial Internet Consortium, which was launched to drive standards for IoT devices, is a step in the right direction.
“When you are on the internet … things are difficult to anticipate,” he said. “But if you develop programs and you develop processes that are designed to be resilient to those kinds of things, you are going to have a better chance of having these incidents never become a disaster recovery scenario.”
As IoT devices proliferate, it is becoming hard to avoid using them even though they are not always the most secure choice, Austin said. Consumers are responsible for their security as well, and it is important for them to choose internet-connected devices that do not have any obvious security flaws, he stressed. Adversaries could hack into an internet-connected thermostat and use it to turn the temperature down to freeze water pipes, for example.
Organizations should also have cybersecurity checks and balances in place, whether they are procedural or technical, he advised. Systems should be built to monitor IoT devices to ensure they are not doing something unusual, for example, and be equipped to mitigate damage if a hack occurs.
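The monitoring Austin describes can start with something simple: learn what each device normally talks to and how much it sends, then flag departures from that picture. The following is an added example, not code from the talk or from any vendor product. It assumes the organization already exports per-device flow summaries (device, destination, port, bytes sent) from a gateway or flow collector; the field names, device names and sample records are constructed for illustration.

```python
"""Baseline-and-deviation check for IoT device network behaviour.

Added example. Assumes flow summaries (device, destination host, port,
bytes sent) are available from a gateway or flow collector. All device
names, hostnames and byte counts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    device: str      # device identifier, e.g. a MAC address or inventory tag
    dst: str         # destination host the device talked to
    port: int        # destination port
    bytes_out: int   # bytes sent by the device in this summary interval


# Constructed learning window: a thermostat and a camera behaving normally.
BASELINE_FLOWS = [
    Flow("thermostat-01", "cloud.thermo.example", 443, 1200),
    Flow("thermostat-01", "cloud.thermo.example", 443, 1350),
    Flow("thermostat-01", "cloud.thermo.example", 443, 1100),
    Flow("thermostat-01", "ntp.example", 123, 90),
    Flow("camera-07", "video.cam.example", 443, 500_000),
    Flow("camera-07", "video.cam.example", 443, 520_000),
    Flow("camera-07", "video.cam.example", 443, 480_000),
]

# Constructed observations to check: one normal thermostat report, a thermostat
# suddenly pushing 8 MB to an unknown address on port 53 (what a device pulled
# into a DDoS botnet looks like from inside), a normal camera report, and a
# device that was never inventoried.
OBSERVED_FLOWS = [
    Flow("thermostat-01", "cloud.thermo.example", 443, 1250),
    Flow("thermostat-01", "203.0.113.10", 53, 8_000_000),
    Flow("camera-07", "video.cam.example", 443, 510_000),
    Flow("doorbell-02", "203.0.113.77", 80, 10),
]


def build_baseline(flows):
    """Per device: the set of (dst, port) pairs seen and outbound volume stats."""
    per_device = defaultdict(lambda: {"endpoints": set(), "volumes": []})
    for f in flows:
        entry = per_device[f.device]
        entry["endpoints"].add((f.dst, f.port))
        entry["volumes"].append(f.bytes_out)
    baseline = {}
    for device, entry in per_device.items():
        vols = entry["volumes"]
        baseline[device] = {
            "endpoints": frozenset(entry["endpoints"]),
            "mean": mean(vols),
            "stdev": pstdev(vols),
        }
    return baseline


def detect_anomalies(flows, baseline, z_threshold=3.0, volume_factor=5.0):
    """Return (device, reason, flow) tuples for flows that deviate from baseline.

    Three cheap signals: an unknown device, a (destination, port) pair the
    device never used before, or outbound volume far above its learned
    distribution. The volume test requires both a high z-score and a raw
    multiple of the mean, so a device with a nearly constant baseline does not
    alert on trivial jitter.
    """
    findings = []
    for f in flows:
        b = baseline.get(f.device)
        if b is None:
            findings.append((f.device, "unknown device", f))
            continue
        if (f.dst, f.port) not in b["endpoints"]:
            findings.append((f.device, "new destination/port", f))
        spread = b["stdev"] or 1.0  # guard against a zero-variance baseline
        z = (f.bytes_out - b["mean"]) / spread
        if z > z_threshold and f.bytes_out > volume_factor * b["mean"]:
            findings.append((f.device, "volume spike", f))
    return findings


if __name__ == "__main__":
    for device, reason, flow in detect_anomalies(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{device}: {reason} ({flow.dst}:{flow.port}, {flow.bytes_out} bytes)")
```

In practice the learning window would be days of traffic rather than a handful of records, and the findings would feed a ticket or a switch-port quarantine action rather than a print statement; the point is that "not doing something unusual" is checkable once a baseline exists.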
Developers can do their part too, and build IoT devices to be more resilient to hacks, Austin added. When the marketing team proposes a new internet-connected product, organizations should have their cybersecurity team run a quick check on Google or on the dark web to see what potential financial costs there could be if there’s a cybersecurity flaw in the system, he said.
Companies should consider renegotiating service level agreements and user level agreements with vendors to enhance security in IoT devices, he said. Organizations should also initiate processes like data encryption and/or tokenization to further safeguard data.
“If we are working with an internet of things provider or a service hosting provider and we want them to care… we want to have to ask them to have some skin in the game,” Austin said.
Organizations also typically do not allocate enough money for cybersecurity in their budgets, which is another cause for concern, Austin said.
“Security and maintenance are processes, not events,” he stressed. “There has to be a budget [for cybersecurity] that has to go on every single year, for every single system you have.”
Will President-elect Trump’s transition team follow through on promises to get rid of Dodd-Frank compliance regulations? Also in recent GRC news, tech companies urge Trump to back encryption; and some U.S. phones have been subjected to a back door hack that sends users’ data to China.
Trump team seeks to roll back compliance regs
President-elect Trump’s transition team wants to get rid of the Dodd-Frank Act, the 2,300-page law created in response to the 2008 financial crisis. The law, which puts regulations on the financial industry, has been called “bureaucratic red tape and Washington mandates” by members of Trump’s transition team, according to NPR. Trump himself stated during his campaign that as president, he would “get rid of” the Dodd-Frank Act. He also told Reuters in an interview that his administration’s plans are “close to dismantling” Dodd-Frank.
Some experts predict that the Trump administration could also roll back enforcement of the Foreign Corrupt Practices Act, a law banning bribery to earn or keep business in other countries. In a 2012 interview on CNBC, Trump called the FCPA a “horrible law” that made it harder for U.S. companies to do business abroad, according to the Wall Street Journal.
Other experts, including Mike Koehler, an associate professor at the Southern Illinois University Law School, told the Wall Street Journal that it is too early to speculate about the future of the FCPA without knowing who will be Attorney General or lead the SEC after Chair Mary Jo White steps down.
Tech companies to Trump: Protect encryption, curtail surveillance
Tech companies including Twitter, Facebook and Google have urged President-elect Trump to protect encryption and curtail online government surveillance. The companies addressed Trump in a letter that was published Monday by the Internet Association, an organization whose members also include Uber, Netflix and Amazon, the Verge reported.
Trump was critical of influential members of the tech industry during his presidential campaign, calling for a nationwide boycott of Apple after the company’s refusal to comply with the FBI’s requests to decrypt an iPhone belonging to a terrorism suspect.
Trump also took aim at Amazon CEO Jeff Bezos during the 2016 campaign, criticizing him for his ownership of The Washington Post. Trump told a crowd at a rally that if he were to become president, Amazon would “have such problems,” Business Insider reported.
Some Android phones sending users’ data to China
Affected users’ text messages, emails, contact lists, call logs and location information are sent to a server in China every 72 hours, with users completely unaware of the transfer. Kryptowire vice president Tom Karygiannis told the Times, “Even if you wanted to, you wouldn’t have known about it.”
Devices affected include 120,000 phones manufactured by BLU Products, an American phone manufacturer. Company representatives said that the code has been removed in a recent software patch, the Times reported.
It remains unclear whether the software was intended to facilitate data mining for advertising purposes or a Chinese government effort to collect intelligence. The scope of the data collection is undetermined as well: The Chinese company that wrote the software, Shanghai Adups Technology Company, has code that runs on more than 700 million phones, cars and other smart devices, the Times reported.
New privacy rules passed by the FCC could influence AT&T’s plans for its acquisition of Time Warner. Also in recent GRC news, the internet of things proves useful to hackers and privacy regulators in Europe warned WhatsApp and Yahoo about sharing users’ private information.
Privacy rules impact AT&T’s Time Warner acquisition goals
AT&T’s planned acquisition of Time Warner could be influenced by new FCC-approved privacy rules requiring companies to notify customers and gain their permission in order to use their app and web browsing history for targeted advertising, according to Politico. AT&T planned on tapping into its customers’ data to generate targeted advertising for viewers of Time Warner’s video content, Politico reported. This is not the first time AT&T has dealt with the ups and downs of acquiring another large media company. AT&T successfully purchased DirecTV in 2014 and aborted a 2011 bid to purchase T-Mobile after the deal was opposed by federal antitrust regulators, the New York Times reported.
IoT becomes hackers’ latest exploit
The internet of things has become the latest weapon in hackers’ arsenal, according to the Washington Post. Devices such as webcams, baby monitors and even smart thermostats were infected with malware and used to attack Dyn, a New Hampshire-based Internet performance management (IPM) company.
The DDoS-style attack directed large amounts of internet traffic to Dyn, a company that helps connect users to websites, and eventually crippled the company’s servers. The first attack occurred at approximately 7:00 a.m. EST on Oct. 21, and primarily affected users on the East Coast. A second attack occurred later that day at around noon EST. As a result of the attacks, users of websites including Netflix, Spotify, PayPal and Twitter experienced connection issues, the Washington Post reported. A third attack that occurred later in the afternoon led to connection issues for users around the world.
European privacy regulators criticize WhatsApp and Yahoo
WhatsApp and Yahoo have received warnings from European privacy regulators regarding the distribution of users’ data, Fortune reported. WhatsApp came under fire for sharing information with parent company Facebook, while Yahoo was criticized for a large 2014 data breach and for using software to sift through users’ emails at the request of U.S. intelligence agencies.
Yahoo suffered a major data breach in 2014 that exposed more than 500 million users’ email credentials. European privacy regulators wrote to Yahoo asking for complete transparency regarding details of the data breach and for the company to cooperate with “upcoming national data protection authorities’ enquiries and/or investigations,” according to Fortune. The regulators also asked Yahoo to notify all users affected by the data breach and to explain how those users may be adversely affected.
Records management is more vital than ever to business success, but not enough organizations care about it, according to Rick Tucker.
To prove it, Tucker, vice president of sales and marketing at Doculabs, presented a question to the audience attending the “Trends in Data Lifecycle Management and Information Governance” session at the recent SIM Boston Technology Leadership Summit in Newton, Mass.
“Does everybody have a records management program in their organization?” Tucker asked.
“Yes,” the audience answered in unison.
“Does everybody follow their records management program on a regular basis?”
“No,” most of the audience replied.
This could pose a problem for organizations as business and customer data is increasingly digitized, Tucker said, and especially those companies that handle personally identifiable information (PII) or protected health information (PHI): These businesses need to use records management programs to gain better control over their data by moving it to more intense document management systems and repositories, or by disposing of content that’s no longer required, Tucker added.
A lack of foresight could prove costly: The recent Cost of Data Breach Study by the Ponemon Institute showed that the average cost incurred for each lost or stolen record containing sensitive information continues to increase.
“Organizations see that and still go, ‘It’s not going to be me. I’m not going to be hit like that and not going to have that problem,’ until they do,” Tucker said.
Doculabs — a document management consulting company — partnered with Executive Functions Management and conducted two surveys to find out how well InfoSec manages PII and PHI. One surveyed information security leaders and the other surveyed IT leaders.
Fifty-two percent of the InfoSec professionals said they had no automated capability to prevent PHI and PII from leaving the company. InfoSec professionals reported that they were aware of the risks that can result from unmanaged PII and PHI data, but “reported a lack of maturity in high-risk areas such as network drives.”
“That means when information is created that has PHI or PII, it is not automatically detected or put into the right repository,” Tucker said. “The fundamental problem in information management is that the tools have not matured yet to a point where automation is automatically applied to all the systems.”
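The gap Tucker describes, content containing PII that is never detected or routed when it is created, is the kind of check that can be automated at the point where a document lands on a network drive. The following is an added example, not code from Doculabs, the survey or any product. It detects three common PII types (SSN-shaped identifiers with structural checks, email addresses, and card numbers validated with the Luhn checksum to avoid flagging arbitrary digit runs) and decides which repository the document belongs in. The patterns, the sample documents and the repository names are constructed for illustration.

```python
"""Detect PII in a document at creation time so it can be routed.

Added example. The regular expressions, sample documents and repository
names are constructed; a production scanner would add the organization's
own identifiers (customer numbers, medical record numbers) to the list.
"""
import re

# SSN shape with the structural rules: area not 000/666/900-999,
# group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digit runs, optionally grouped by spaces or dashes; every candidate
# must also pass the Luhn checksum, which drops most order numbers and IDs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample documents.
DOC_HR = "Offer letter for Jane Doe, SSN 123-45-6789, personal email jane.doe@example.net."
DOC_FINANCE = "Card on file 4111 1111 1111 1111 expires 12/27; ticket 1234 5678 9012 3456 is an order ref."
DOC_MEMO = "Lunch menu for Thursday: see the catering form, room 4312, ext 5678."


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {category: [matches]} for the PII categories present in `text`."""
    found = {
        "ssn": SSN_RE.findall(text),
        "email": EMAIL_RE.findall(text),
        "card": [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))],
    }
    return {k: v for k, v in found.items() if v}


def route(text: str):
    """Pick the repository for a new document based on the PII it contains."""
    pii = find_pii(text)
    if pii:
        return "restricted-repository", pii   # constructed name: controlled store
    return "general-share", pii               # constructed name: ordinary network drive


if __name__ == "__main__":
    for name, doc in [("HR", DOC_HR), ("finance", DOC_FINANCE), ("memo", DOC_MEMO)]:
        target, pii = route(doc)
        print(f"{name}: -> {target} {sorted(pii)}")
```

The Luhn step is what keeps this from being a noisy digit-matcher: the 16-digit order reference in the finance sample fails the checksum and is ignored, while the card number passes. Hooking a function like `route` into the file-creation event on a share is the "automation applied to all the systems" the quote asks for.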
Two-thirds of the 550 IT leaders surveyed reported that their organizations are not purging data regularly, which signifies that they are not complying with recordkeeping practices, Tucker said. Half the organizations surveyed said they had no idea where information like trade secrets, HR data and client data lives in their organization, and 65% said that their data was not aligned with their InfoSec policies.
Not purging data regularly also increases storage costs and makes it a huge challenge to find data in an organization, Tucker said.
“The most important thing that records management has done in the past 20 years is identifying that information has an end of life, that it should be disposed of at a certain point in time,” he added.
The lack of these records management best practices dramatically increases information risk: 34% of the 144 InfoSec professionals surveyed said that within the last 12 months they had an audit discover a breach of PHI/PII data, Tucker said.
“Having a good correlation between data hygiene and governance, developing an orphaned data policy, decommissioning legacy applications, and assessing and remediating access rights can help InfoSec reduce PHI and PII risks,” he said.
Government intrusion of data privacy continues to be a global issue, as a British court recently ruled that UK security agencies illegally collected citizens’ data for 17 years. Also in recent GRC news: Facebook joins the list of businesses adopting the Privacy Shield framework and more businesses are considering regulatory technology as compliance pressures increase.
Court: Citizens’ personal info illegally obtained by UK security agencies
A British court has ruled that UK citizens had their personal information unlawfully collected by multiple UK security agencies for 17 years. Britain’s investigatory powers tribunal ruled that MI5, MI6 and the Government Communications Headquarters were all implicated in the illegal actions. The agencies “failed to comply with article 8 protecting the right to privacy of the European convention of human rights” between the years 1998 and 2015, The Guardian reported.
Data obtained by the agencies included personal phone and web communications, as well as medical records, tax records, financial data and biographical information.
In 2014, UK security agencies were accused of illegal bulk data collection by groups that included Privacy International and Amnesty International. A New York Times editorial about the accusations noted that the British government neither admitted nor denied the allegations of mass surveillance.
Facebook adopts EU-U.S. Privacy Shield agreement
Facebook has adopted the EU-U.S. Privacy Shield framework, an agreement regulating how U.S. companies transfer EU citizens’ data electronically across international borders, The Telegraph reported. The Privacy Shield compliance requirements will apply to Facebook’s existing targeted advertisements that gather users’ data from other companies, as well as Facebook’s new Workplace application.
The Privacy Shield framework replaced Safe Harbor after the European Court of Justice overturned the agreement in 2015 due to concerns that it was enabling U.S. surveillance, according to The Telegraph. The court ruled that each country in the European Union should be able to decide how its citizens’ online data can be gathered and utilized.
As compliance pressures mount, businesses turn to regulatory tech
Government spending in the post-financial-crisis world has helped economies grow, but “government contracts, emerging market exposure and third-party agents” have also put pressure on companies from a regulatory compliance perspective, TechCrunch reported.
The increase in compliance and regulations has led to the coining of a new industry buzzword: regtech, which, according to TechCrunch, describes technologies dedicated to “creating solutions that ease the burden of compliance.”
One example where regtech can be of regulatory compliance assistance is identity management. “No number of new government committees and task forces will be able to protect businesses and organizations if they don’t know, on the most basic level, with whom they are doing business,” TechCrunch reported.
Snap, Inc., the company behind the popular photo and video messaging app Snapchat, is releasing a pair of photo and video-capturing glasses that have some worried about the possible privacy implications of such a device. Also in recent GRC news, an NSA contractor was arrested after being suspected of hacking foreign governments, MasterCard launched a facial-recognition payment-authentication app in Europe and the candidates talked cybersecurity during the latest presidential debate.
Snapchat rebrands, releases first piece of hardware
The company formerly known as Snapchat has been rebranded as Snap, Inc., and is entering the hardware market with the release of image-capturing sunglasses called “Spectacles.”
Users of Snap, Inc.’s Spectacles can record a video by tapping on a button located on the top left of the frames, according to The Verge. Google Glass was considered a major flop by some, with privacy cited as a major reason for the failure because individuals would not know whether they were being recorded by Glass users. Spectacles attempt to resolve that issue with outward-facing lights on the cameras: Individuals in users’ fields of vision are notified that a recording is in progress by a ring of lights around each camera located on Spectacles’ lenses.
But despite these precautions, questions are being raised about the potential regulatory and privacy ramifications surrounding Snap Inc.’s first piece of hardware, according to the Wall Street Journal. Even with lights to alert others of a recording, there will likely still be questions about whether users have the ability to secretly record others using Spectacles.
NSA contractor arrested
A former N.S.A. contractor was arrested by the FBI after being suspected of stealing and disclosing highly classified computer code developed by the agency to hack foreign governments, the New York Times reported. The contractor, Harold T. Martin III, reportedly worked for consulting company Booz Allen Hamilton. This event marks the second time a contractor from Booz Allen Hamilton has stolen information while working for the NSA, with the first being Edward Snowden in 2013, according to the Times.
The arrest highlights the ongoing issue of cybersecurity threats facing governments and individuals worldwide. In August, the NSA was hacked by a group called the Shadow Brokers who stole a “cyber arsenal” of hacking tools from the security agency, according to the Washington Post.
MasterCard launches facial-recognition payment app
Apple sparked the biometric payment authentication race with its release of the fingerprint scanner for Apple Pay in 2013, and now other companies are following suit. MasterCard has launched a biometric authentication app in Europe that is informally dubbed “selfie pay.” The app is formally known as MasterCard Identity Check, and allows users to confirm payments through the use of their smartphone’s fingerprint scanner or camera using the app’s biometric authentication software, according to TechCrunch.
Engadget reported that MasterCard has already thought of ways that possible hackers might try to get past the biometric authentication, such as holding up a picture of someone else’s face. To prevent any such breaches of security, the app requires users to blink once before the authentication is complete to make sure they are indeed a real person.
Trump and Clinton talk tech, cybersecurity
As concerns about foreign intervention in the presidential election continue, candidates Donald Trump and Hillary Clinton are speaking out about their cybersecurity plans for the country if elected.
Trump, who has drawn scrutiny for his thoughts on the Internet, said during the debate that cyber-attacks from Russia, North Korea and China are “our most critical national security concerns.”
Clinton, who has been called “technophobic” by some for the way she dealt with her private email server situation, said that the United States must become tougher on cybersecurity matters and called for companies to increase cybersecurity technology investment, the San Francisco Chronicle reported.
When Anndorie Cromar received a call from Child Protective Services that they were coming to take her children away, she was flabbergasted. She was unaware that her medical identity was stolen and was used by a pregnant woman to cover pregnancy costs at a nearby Utah hospital. The agency took custody of the pregnant woman’s infant that was born with drugs in her system and the officials assumed Cromar was a drug addict whose other children were in danger. Cromar had to take a DNA test to get her name off of the infant’s birth certificate, and it took years to correct her medical records.
Cromar’s case is used as an example in a recent report by the Institute for Critical Infrastructure Technology (ICIT) to show how hackers are increasingly targeting healthcare sector organizations for electronic health records (EHRs) that can be sold and resold on the deep Web.
The cybersecurity think tank is hosting a Senate briefing on the report in Washington D.C. tomorrow to expose the impact stolen EHRs have on victims, and why organizations in the healthcare sector should beef up their layered security.
“This briefing initially will be a trickle-down conversation; we are going to start with the actual stakeholders in the federal critical infrastructure space and then they are going to take that back and start working this information into the conversations that they are having within their localized microcosm,” said James Scott, an ICIT senior fellow who co-authored the report with ICIT researcher Drew Spaniel.
Cyber criminals go after EHRs because of their value and also because organizations in the healthcare sector fail to properly secure their systems, according to the report titled Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims. Stolen EHRs can be used for a wide range of fraud, from paying for medical expenses to creating new medical identities.
The report highlights a survey conducted by the Healthcare Information and Management Systems Society, which surveyed 119 acute care facilities and 31 non-acute care providers. The survey found 32% of acute care facilities and 52% of non-acute providers do not encrypt data in transit, and 39% of acute-care facilities and 52% of non-acute facilities do not encrypt data at rest. Without encryption, data is more vulnerable to attacks. To make matters worse, not all acute-care facilities and non-acute providers had firewalls in place, the survey found.
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched,” according to the ICIT report.
This makes healthcare organizations’ foray into IoT vulnerable, as effective security layers cannot be applied properly, making them easily targetable by hackers. The lack of both cyber-hygiene and endpoint security by healthcare providers allows even the most unsophisticated attackers to easily steal patient records or deliver malware.
The hackers then often sell the stolen health information on the deep Web, and the report also identifies popular marketplaces and forums for stolen EHRs.
Hackers sell health insurance credentials on the deep Web for about $20 apiece, and that value increases if a dental or vision plan is attached to the health plan, according to the report. They also use the deep Web to sell information packages known as fullz, “an electronic dossier of a victim that is compiled to specifically facilitate identity theft and fraud.” These “fullz” contain health insurance credentials along with social security numbers, bank accounts, email passwords, and other personally identifiable information.
In this hyper-evolving threat landscape, experts who haven’t studied adversary agendas, methods and technical profiles will have a hard time keeping up, Scott said.
“You can’t talk about cybersecurity without understanding the attack vectors, you can’t talk about attribution without forensically defining the intricacies of the breach, you can’t talk about the woes of ransomware without defending the necessity of encryption as a powerful layer of cybersecurity,” Scott said. “You’re only as cyber secure as your weakest vulnerability.”
Wells Fargo has been fined $185 million and fired more than 5,000 employees after the discovery of an illegal sales push that duped customers for years. Also in recent GRC news, U.S. businesses with European clients are unprepared for the European Union General Data Protection Regulation (GDPR), Olympians’ medical records were leaked and the 2016 U.S. presidential race continues to be targeted by hackers.
Wells Fargo sales tactics under fire
Wells Fargo has fired 5,300 employees after it was discovered that they were engaging in illegal sales tactics. Over the course of five years, the employees used fake email addresses to create around 2 million unauthorized accounts for existing customers, the Chicago Tribune reported.
Former Wells Fargo employees told the New York Times that the tactics were necessary to meet unattainable sales goals. “The reality was that people had to meet their goals — they needed a paycheck,” one former employee, Khalid Taha, told the Times. As a result of the incident, Wells Fargo has eliminated product sales goals for retail bankers in an effort to prevent this type of illicit activity from happening again.
Wells Fargo must also pay $185 million in fines to the Consumer Financial Protection Bureau (CFPB). This is the largest fine ever collected by the CFPB, the Washington Post reported.
U.S. businesses not ready to meet EU data standards
Many U.S. businesses with European clients are unprepared for new regulations under the European Union General Data Protection Regulation (GDPR), according to a survey conducted by software company Compuware.
Compuware surveyed 400 CIOs of large companies in the U.S. and Europe. The survey found that more than half of the U.S. companies that took part in the survey have personal information of European customers, but only a third of those companies are making the necessary preparations to comply with the GDPR, Information Management reported. U.S. companies must comply with the GDPR by May 2018.
Foreign hackers release Colin Powell’s emails
The latest political hacking target is former secretary of state Colin Powell, who had his emails revealed by hackers. The emails contain Powell speaking candidly about Donald Trump and Hillary Clinton, according to the New York Times. In one email, Powell said he would, “rather not have to vote for” Clinton. In another, Powell called Trump a “national disgrace” and an “international pariah.”
The Washington Post reported that the emails were leaked on a site tied to the Russian government, continuing the trend of foreign countries’ tampering in the U.S. election process. In recent months, the Democratic National Committee (DNC) experienced an email leak that led to the resignation of DNC chairwoman Debbie Wasserman Schultz, and two states’ voter registration databases were breached by Russian hackers.
Olympians’ medical records leaked
Hackers thought to be linked to the Russian government have released medical records and drug testing records of Olympic athletes, including gold medal gymnast Simone Biles and tennis stars Venus and Serena Williams. The hackers tapped into the World Anti-Doping Agency’s (WADA) database to obtain the information, ABC News reported. The hacker group calls itself “Fancy Bear,” and released personal medical records of 25 athletes, according to a statement released by WADA.
In a statement released on their website, Fancy Bear detailed the motive behind the data leaks, alleging that U.S. athletes “regularly used illicit strong drugs justified by certificates of approval for therapeutic use.”
Last week, San Francisco-based Wells Fargo bank was fined $185 million because employees opened two million unauthorized bank and credit card accounts. About 5,300 employees associated with this fraudulent conduct were fired over a five-year period, the bank said.
The incident has not only marred the organization’s brand, but has also raised questions about its company culture. How can other organizations prevent similar misconduct?
“It is important to address ethics and compliance at the beginning of an employee’s employment, making sure that they know what is expected from the company, they know what the culture is, they know what the values are and they know where to go if they have a question,” said Eileen Krouse, program manager at Staples’ Ethics and Compliance Office, during a recent panel discussion titled Preparing your Employees to be the Compliance Front Line at the Thomson Reuters Compliance and Risk Forum in Boston.
There are several reasons why employees engage in unethical behavior. Financial worries, pressure to reach sales targets, being unaware what they are doing is wrong or not knowing where to seek help if needed can contribute to the problem, panelists said.
But panelists agreed that at the top of this list is an “I don’t care about the company” attitude.
“Especially when you are talking about a large enterprise with frontline employees, the ‘I don’t care’ dynamic is an important one that you have to address somehow. You have to convince them to care,” said panelist Matt Kelly, editor and CEO at Radical Compliance. “The other part is just incentive pressures. Organizations have to know how to tie how people get paid and rewarded to the caring about ethics and compliance.”
Companies need experienced and creative people to figure out what incentives can take employees down the wrong path — and who is most susceptible to head down that path, said panelist Daniel Nathan, a partner at Morvillo law firm.
It is important to show employees that the company values proper ethics and a strong set of principles, he added.
“You got to make sure you are reaching the right group of people with the right message. It’s what people call ‘tone at the top’,” said Nathan.
Organizations can help set these standards by making a helpline available for employees with questions about ethical behavior, regularly holding ethics training, and sending out informative newsletters, panelists said.
At Staples, Krouse’s team doesn’t wait for employees to come to them with questions or problems, but reaches out to them first, she said.
“Associates need to know that the ethics and compliance team are people, and that we are a resource and not the ethics police,” Krouse said.
It’s important to have a robust internal audit program and a disciplinary system where employees who engage in any misconduct are dealt with accordingly, Nathan added.
Kelly talked about how a company can collect useful intel from the organization’s whistleblower hotline to help diagnose a company’s culture.
“Look at as many metrics as you can get from your hotline calls, about retaliation specifically,” he said. “Are people alleging retaliation? Are they alleging it against a specific manager or alleging against a specific type of misconduct that they are alerting you to?”
Partnering and communicating with other departments also helps drive an ethical corporate culture, panelists agreed.
Krouse said her department partners very closely with HR and with employment attorneys so that they can cooperate when ethical issues come up.
It is equally important to have a risk assessment program to analyze potential risks of corporate ethics violations before introducing any new program, product or service, Nathan added.
“The classic formula for setting up a compliance program is to identify upfront the risks of the program, product or sale,” he said. “Identify any conflicts of interest that would cause a potential problem and figure out how to mitigate it.”