Grow Employee Engagement with a Strong Investigation Process

In a tight labor market, employers are seeking to gain or retain a workforce with more pay, work from home and other perks. They can also improve retention through a culture of trust and consideration. Improve how you listen and investigate when someone on your team speaks up about compliance. If you investigate with urgency and respond, you will gain trust and build employee engagement.

Here is an anecdotal case from the business’s perspective: an anonymous report comes in from a small foreign office that says, “It seems like there is something going on between the marketing lead and a partner. I suspect they are wasting marketing funds.” The seriousness of the issue is not entirely clear—maybe the reporter is only questioning the quality of the marketing campaigns. It is a challenge to reach people overseas. Some initial questions are asked, but the case sits for months before anyone reviews the matter closely.

After almost a dozen interviews, no one reveals anything useful. The answer has to be found by sifting through years of email. The investigation ultimately uncovers how the company is being taken advantage of. It is shocking how many people in the office knew the marketing lead was stealing company funds but said nothing.

Because of the late start, and the wrongdoing that festered in the meantime, the person who reported it and the rest of the office have stopped caring. The business is left with a problem infecting the whole office, instead of only one or two bad actors to deal with.

Compliance is a Retention Issue

A compliance report may raise questions about potentially uncomfortable topics: harassment, fraud, conflicts of interest or any number of issues highlighted in a typical code of conduct. When a report is substantiated, someone might be disciplined or fired—thus, colleagues may view the person who reported the issue as disloyal to the team. Those who come forward may also fear that their company may not care about the reported issue or try to cover it up, and maybe even retaliate against them.

Given the risks that reporting presents, it is likely to be the most engaged, loyal employees who report, so you risk losing your best people if you fail to listen. This happens when you leave reported issues unaddressed, when you fail to rectify a substantiated report or when you let a report languish unresolved. But if you follow up and respond quickly, you will win trust. When a talented employee feels listened to, they will have higher morale, trust the boss more and be more committed.

Improving Investigations

Listening to a compliance reporter means taking the issue seriously and expeditiously running it to ground. The foreign office scenario above would have gone better had the investigators seen through the vagueness of the report to the potential seriousness of the underlying misconduct and then doggedly pursued a resolution from the start. With those in the office uncooperative in interviews, access to past email is what made it possible for the investigation team to close the case.

Here are five tips to improve and speed up how you investigate:

  1. Have a process: Implement a disciplined approach for following the routine steps in a compliance investigation—assessing the initial report; developing an investigation plan; finding, verifying and analyzing to formulate a decision; and resolving with discipline, prevention, and training.
  2. Be selective when choosing your investigators: Staff your investigative team with individuals who are not wired to let cases sit. Provide them investigation training and consider augmenting with outsourced external investigators if an issue is large or complex.
  3. Define objectives: Set a clear objective for the investigation at the outset to keep investigators on track. The investigation can move on when they have obtained sufficient facts about the objective—finding that “smoking gun” email, for example. When you learn something new that needs further review, flag it for later but do not let it interfere with your first objective.
  4. Use technology: Give your investigators direct access to the data. It is frustrating for an investigator to receive a report and then have to wait for IT to provide the relevant emails or other data, then wait again for additional materials when the investigator learns something new. Investigation times accelerate when the team has direct access to email and other communications through archiving platforms and other technology.
  5. Track timing: The time to complete an investigation depends on the circumstances, but the investigation team should set a period of time for resolving the investigation when a compliance issue arises.

A business builds a strong culture when it supports those who speak up. Having a strong investigative team, defining objectives, using technology and being aware of completion timing will allow you to quickly learn what is going on. You will also demonstrate that you are not using a haphazard approach. This will give your employees more confidence in your company and encourage them to stay around.

Travel Risk Management for LGBTQ+ Employees

LGBTQ+ travelers can face unique challenges when traveling abroad—many countries do not legally recognize same-sex marriage and more than 70 countries consider consensual LGBTQ+ relationships a crime. If an employee travels on business to a country where their sexual orientation or expression of gender identity is criminalized, an extra layer of complexity is added to duty of care responsibilities. Corporate risk managers need to consider how to best protect employees in a way that doesn’t make them feel singled out, working with them to stay safe and respect local laws without compromising their own values. 

This process begins by providing up-to-date guidance on laws and cultural variations as part of an organization’s duty of care. Attitudes towards the LGBTQ+ community vary considerably around the world, and employers therefore need to shape their duty of care policies around a wide range of considerations, both legal and cultural.

Understand the Law

Risk managers need to ensure they have relevant and up-to-date information at hand to fully understand the traveler’s destination. There are nuances within each country’s legislation, and acceptance can vary dramatically even within different regions of the same country, also evolving over time. Employees need to be informed of the laws to which they will be subject at their destination before they travel. Duty of care procedures should incorporate pre-travel advice and awareness, educating employees on what to expect when on business travel as well as how to respond and whom to contact in an emergency.

Legislation may impact an employee’s behavior in a given destination and travel managers can provide advice on best practices. In the United Arab Emirates for example, transgender, gay and gender nonconforming people have been arrested for violating a law against men “disguised” as women. To the extent possible, it is best for travelers in these countries to remain in resort areas and for same-sex couples to refrain from holding hands, hugging or kissing in public.

Understand the Culture

In addition to local laws, social norms are another factor to consider for deciding whether a destination is safe. While many countries officially recognize homosexuality and allow gender confirmation measures, some communities within these “safe” countries still harbor prejudice against the LGBTQ+ community. In such environments, LGBTQ+ travelers who engage in open displays of affection with each other or appear gender nonconforming may be at risk of harassment and assault, and may also feel intimidated when reporting the incident to local police. There may be few or no local venues that provide a safe space for members of the LGBTQ+ community and the risk of hate crimes and police raids at such establishments cannot be ruled out. Travelers are advised to maintain a low profile in countries that lack full protection for the LGBTQ+ community and exercise caution about where and with whom to discuss related topics in public spaces.

Social media can also put travelers at risk. For example, while dating apps can help people connect with local members of the LGBTQ+ community when traveling or relocating for work, employees should be advised to exercise caution if they plan to use these in communities that are not LGBTQ-friendly. In Russia, where prejudice is widespread and a law against “gay propaganda” has been in effect since 2013, far-right activists and gang members have used dating apps to lure gay men to assault and extort them. Prior to travel, risk managers should advise employees to review privacy settings on social media platforms and reconsider the use of dating applications while abroad.

With some countries still refusing to accept—let alone recognize—the LGBTQ+ community, LGBTQ+ employees often feel compelled to take additional precautions that others would not have to even consider. However, corporate risk managers can help employees to stay safe while on business travel by being aware of the local laws and social norms of the destination before departure.

For other guidance on how to support LGBTQ+ employees and advance diversity, equity and inclusion programs, check out these additional pieces from Risk Management Magazine and the Risk Management Monitor:
Beyond Pride: Building Strong Diversity and Inclusion Programs
The LGBT Travel Risk Dilemma
The Benefits of Diversity & Inclusion Initiatives
Engaging Employees in Their Own Duty of Care
Developing a Strategy for Transgender Workers
The Case for Effective DE&I Training

Successfully Navigating Identity Management Strategies

For many CISOs, overseeing identity management represents a significant challenge and a substantial component of their broader security ecosystem. In a nod to its importance, the National Cyber Security Alliance even recently kicked off the first-ever Identity Management Day. Identity is also central to a number of critical issues that urgently need a CISO’s attention, namely data access governance, data loss prevention and cloud application security.

When navigating the vital issue of identity, the top considerations include:

Data Access Governance

Data security spans two areas of organizational risk: unauthorized data use and privacy issues associated with authorized data processes. When evaluating an identity management strategy, it is imperative to start at a high level, which includes data access governance to limit access and meaningfully reduce the risk of loss or theft.

An effective end-to-end approach provides visibility and controls to identify risk and protect sensitive information across cloud and on-premises networks while also keeping digital communications compliant. This approach involves establishing a data governance program, which includes data inventory, data mapping, needs-based permissions and, ultimately, data retention and erasure. Critical components of data access governance include understanding what data is being collected, where and how it is stored, who is accessing that data, how it is protected in transit and at rest, and how long it is being retained.

Proper data access governance is essential to ensuring successful digital transformation as remote/hybrid work continues, both email and cloud apps remain core communication channels, and social media continues to drive business.

Data Loss Prevention

Protecting information both at rest and in motion is an important element of another identity management issue: data loss prevention (DLP). Data is lost through negligent, compromised or malicious users, and it is important to approach DLP in manageable terms. For example, complete data classification and discovery is unrealistic for many organizations, and relying fully on either is hard, if not impossible.

Traditional data loss prevention approaches, such as full data discovery, have arduous requirements and usually involve mandatory outsourcing for development and monitoring. In fact, many CISOs only want to tackle the DLP challenge once in their career.

Fortunately, modern strategies are available to manage DLP efforts that focus on protecting the most sensitive information in terms of content type, context, and user behavior. These include systems that issue accurate alerts, reduce investigation time, and focus security teams on risky user behavior rather than solely on classification violations.

An approach that places an emphasis on user behavior, in addition to classification, is pivotal to identifying compromised accounts and phished users. Data does not lose itself, but proper DLP can stop bad actors and insider risks from siphoning critical assets.

Cloud Application Security

In a Cloud Security Alliance study of 200 IT professionals, 83% indicated that cloud security is a top area for improvement. This is not surprising in our current climate as CISOs are constantly struggling to ensure they have visibility and control over how users access and share sensitive data in the cloud. It only takes one compromised account to expose an organization to significant risk.

For example, according to a 2020 Proofpoint analysis of over 20 million cloud account users and thousands of cloud tenants across North America and Europe, attackers are increasingly abusing legitimate OAuth authorization apps to exfiltrate data and maintain persistence on specific cloud resources after compromising an account.

Over the last year, threat actors targeted 95% of organizations with cloud account compromise attempts, and more than half of organizations were successfully compromised at least once. Discovering cloud apps and reducing shadow IT—including third-party OAuth authorization apps—helps limit data access and sharing to authorized users only.
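One way to put the OAuth point above into practice is a periodic review of third-party consent grants, flagging apps that are not on an approved list, that hold broad or persistent scopes, or whose publisher is unverified. The following is an added example and not code from the article or from any vendor it mentions; the grant records, the approved-app list, the high-risk scope set and the review rules are constructed assumptions, and the field names follow a generic consent-grant export rather than any specific provider's API.

```python
"""Review third-party OAuth consent grants for shadow apps and risky scopes.

Added example; not code from the article or from any vendor it mentions.
The grant records, the approved-app list and the review rules are
constructed for illustration. Field names follow a generic consent-grant
export rather than any specific cloud provider's API.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Scopes that give broad or persistent access to a user's data. Any third-party
# app holding one of these is worth a manual look (assumed review policy).
HIGH_RISK_SCOPES = {
    "Mail.Read",             # read the user's mailbox
    "Mail.ReadWrite",        # read, modify and delete mail
    "Files.Read.All",        # every file the user can reach
    "Files.ReadWrite.All",
    "offline_access",        # refresh token: access outlives the login session
}


@dataclass
class Grant:
    app_name: str
    publisher_verified: bool
    scopes: list[str]
    granted_by: str          # the user (or admin) who consented
    consent_type: str        # "user" or "admin"


@dataclass
class Finding:
    app_name: str
    granted_by: str
    reasons: list[str] = field(default_factory=list)


def review_grants(grants: list[Grant], approved_apps: set[str]) -> list[Finding]:
    """Return one finding per grant that needs review, with every reason attached."""
    findings = []
    for g in grants:
        reasons = []
        if g.app_name not in approved_apps:
            reasons.append("app not on the approved list (shadow IT)")
        risky = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if not g.publisher_verified:
            reasons.append("publisher not verified")
        if g.consent_type == "user" and "offline_access" in g.scopes:
            # A user self-consenting to persistent access is the pattern that lets
            # an attacker keep reading data after the stolen password is reset.
            reasons.append("user-consented persistent access")
        if reasons:
            findings.append(Finding(g.app_name, g.granted_by, reasons))
    return findings


def exposed_users(findings: list[Finding]) -> list[tuple[str, int]]:
    """Users ranked by number of flagged grants, most exposed first."""
    counts = Counter(f.granted_by for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: one approved, verified app; two unapproved apps that a
# user consented to; one approved app that nonetheless holds a refresh token.
SAMPLE_GRANTS = [
    Grant("Corporate Calendar Sync", True, ["Calendars.Read", "User.Read"],
          "alice@example.com", "admin"),
    Grant("PDF Quick Convert", False,
          ["Files.ReadWrite.All", "offline_access", "User.Read"],
          "bob@example.com", "user"),
    Grant("Mail Insights Pro", False, ["Mail.Read", "offline_access"],
          "bob@example.com", "user"),
    Grant("Approved Ticketing", True, ["User.Read", "offline_access"],
          "carol@example.com", "admin"),
]
APPROVED_APPS = {"Corporate Calendar Sync", "Approved Ticketing"}

if __name__ == "__main__":
    results = review_grants(SAMPLE_GRANTS, APPROVED_APPS)
    for f in results:
        print(f"{f.app_name} (consented by {f.granted_by})")
        for r in f.reasons:
            print("  -", r)
    print("most exposed users:", exposed_users(results))
```

Ranking users by flagged grants is what ties this back to the "most attacked people" idea: the same few identities tend to accumulate risky consents, so they are where adaptive controls and follow-up training pay off first. An approved app still gets a line when it holds a refresh token, so that scope drift in sanctioned apps is reviewed rather than silently accepted.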

Every cloud access security broker (CASB) strategy needs to address how individuals handle data and the threats targeting them. It is imperative that threat visibility and adaptive controls extend to the most attacked people and operate effectively in the cloud.

This includes deployment of multifactor authentication solutions, the ability to detect suspicious login attempts, and user education.

Also, deployed cloud DLP policies need to align with those for email and on-premises file repositories. Finally, DLP incident management should be centralized and span across cloud apps.

The issue of identity management will continue to play a central role in security strategies for years to come. Focusing on data access governance, modern DLP and effective cloud app security can help significantly reduce an organization’s risk.

Combating Fraudulent COVID Unemployment Claims

As federal and state officials scramble to send unemployment and stimulus funds to help people hit hard by COVID-19 business shutdowns, it has become a perfect storm for cyber fraud.

The payments are an easy target for cybercriminals, as hackers and cyber gangs around the world have started to file unemployment claims using stolen identities. Some criminals claim benefits in the names of dead or incarcerated people, while others set up shell companies, “hiring and firing” fictitious employees to collect payments.

For example, cyber gangs in Nigeria have stolen millions in benefits from multiple states using stolen names, Social Security numbers and other information sold for as little as two dollars each on the dark web. In New York, a man was charged with filing more than $1.4 million in false COVID-19 unemployment claims, using the stolen identities of over 250 unknowing victims. According to U.S. attorneys, he was caught in part because he used the same IP address and the same security question and answer—the name of his family dog, Benji—to submit the applications.
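The New York case turned on a pattern a fraud team can check for systematically: many applications under different identities sharing one source IP address or one security answer. The block below is an added example, not code from the article or from any agency it mentions; the claim records, the field names and the review threshold are constructed for illustration, with IP addresses taken from the RFC 5737 documentation ranges.

```python
"""Flag unemployment claims that share a source IP or a security answer across
several different claimants.

Added example; not code from the article or from any agency it mentions. The
claim records and the review threshold are constructed for illustration. The
pattern it looks for is the one that exposed the New York case: many
applications under different identities submitted from one IP address with
the same security question and answer.
"""
from __future__ import annotations

from collections import defaultdict

MIN_DISTINCT_CLAIMANTS = 3   # assumed threshold before a cluster is reviewed


def normalize_answer(answer: str) -> str:
    """Case and whitespace differences should not split an otherwise identical answer."""
    return " ".join(answer.lower().split())


def cluster_claims(claims: list[dict], min_claimants: int = MIN_DISTINCT_CLAIMANTS) -> list[dict]:
    """Group claims by shared indicator and return the groups spanning enough identities.

    Each flagged cluster records the indicator ("source_ip" or "security_answer"),
    its value, the claim ids involved and how many distinct claimants they cover.
    """
    groups = defaultdict(list)
    for c in claims:
        groups[("source_ip", c["source_ip"])].append(c)
        groups[("security_answer", normalize_answer(c["security_answer"]))].append(c)

    flagged = []
    for (indicator, value), members in groups.items():
        # One person filing twice is a duplicate, not a ring: count identities, not claims.
        claimants = {m["claimant_id"] for m in members}
        if len(claimants) >= min_claimants:
            flagged.append({
                "indicator": indicator,
                "value": value,
                "claim_ids": sorted(m["claim_id"] for m in members),
                "distinct_claimants": len(claimants),
            })
    return sorted(flagged, key=lambda f: (f["indicator"], f["value"]))


# Constructed sample. IPs are from the RFC 5737 documentation ranges; claimant
# ids stand in for whatever stable identity key the intake system holds.
SAMPLE_CLAIMS = [
    {"claim_id": "c1", "claimant_id": "id-A", "source_ip": "203.0.113.10", "security_answer": "Benji"},
    {"claim_id": "c2", "claimant_id": "id-B", "source_ip": "203.0.113.10", "security_answer": "benji"},
    {"claim_id": "c3", "claimant_id": "id-C", "source_ip": "203.0.113.10", "security_answer": "Benji "},
    {"claim_id": "c4", "claimant_id": "id-D", "source_ip": "198.51.100.7", "security_answer": "Rex"},
    {"claim_id": "c5", "claimant_id": "id-E", "source_ip": "198.51.100.8", "security_answer": "rex"},
    {"claim_id": "c6", "claimant_id": "id-A", "source_ip": "203.0.113.10", "security_answer": "Benji"},
]

if __name__ == "__main__":
    for cluster in cluster_claims(SAMPLE_CLAIMS):
        print(f"{cluster['indicator']}={cluster['value']!r}: "
              f"{cluster['distinct_claimants']} claimants, claims {cluster['claim_ids']}")
```

Counting distinct claimants rather than raw claims keeps an honest applicant who resubmitted a form from tripping the rule, while the two "Rex" claims from different households stay below the threshold; only the cluster that spans several identities is surfaced for review.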

The U.S. Department of Labor estimates fraudsters may already have stolen at least $63 billion through phony jobless claims, while other reports say the losses could be as high as $200 billion. In addition, unsuspecting victims are at risk of receiving surprise tax bills because cybercriminals stole their identities and filed fraudulent claims for COVID-19 unemployment payments.

Watch Closely for Signs of Fraud

The Federal Trade Commission warns that unemployment fraud puts workers at additional risk of identity theft crimes including tax fraud. What can you do to help protect your employees?

Unemployment fraud is often uncovered when employers are notified by state officials that employees have applied for benefits. If they are still working, they may be the victim of identity theft.

Be alert to the signs of cybercrimes and unemployment fraud. Contact your human resources department or tax administrator and ask them to look carefully at any notices or requests they receive from state unemployment officials. If you get a report about unemployment benefits that an employee did not request or receive, contact the employment division of your state labor department. Unemployment fraud is so widespread that most states have set up special procedures to deal with these situations.

Warn Your Employees

Let employees know that unemployment scams are a serious problem. Identity theft can also lead to tax fraud, credit card theft and loans taken out in their names. Notify a working employee immediately if the state informs you they have filed for unemployment benefits. They may be the victim of identity theft and should file a police report. Officials say workers scammed by cybercriminals do not have to pay unemployment taxes, but they must report the crime to the state labor department. And they should file their federal and state taxes on time for the correct amount of their income. The U.S. Labor Department has created a special website for victims of unemployment fraud.

Review Your Cybersecurity

Much of the personally identifiable information used by cyber thieves comes from data breaches, phishing schemes and other cyberattacks. Remind employees, particularly in human resources and tax departments, to be alert for suspicious emails, telephone calls and text messages about payroll information or W-2 forms.

The threat will continue beyond the pandemic. Business email compromise, in which employees are tricked into paying company funds into fraudulent accounts, is at an all-time high, so make sure employees have regular cybersecurity training. If you haven’t conducted a data inventory, do so now. Once you know what data you keep, you can determine what controls you require to protect that data. Store employee records securely and dispose of personally identifiable information carefully. It is also advisable to use a secure email gateway, which protects from spam, viruses, malware and denial-of-service attacks, and make sure employees working remotely are using secure company devices. Install patches and software updates, setting up automatic software updates whenever possible.

Unemployment or tax fraud targeting multiple employees may indicate a data breach. If you have a theft or cyberattack, contact your insurance carrier and, if necessary, seek expert help to identify the source, the extent of the problem and how best to respond.