About Justin Smulison

Justin Smulison is the business content manager at RIMS and the host of RIMScast, the society's weekly podcast.

NCSA and NASDAQ Advise Risk Managers to Look ‘Beyond IT’ Following a Breach

NEW YORK — “Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit on April 17. Security and risk professionals from the Department of Homeland Security (DHS) and various companies and organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.

NCSA Executive Director Kelvin Coleman led the fireside chat with Matthew Travis, deputy director for the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The timing of Travis’ appearance was unique, considering that Kirstjen Nielsen–formerly the secretary of Homeland Security and Travis’ director–recently resigned from her post on April 7. While that announcement grabbed widespread attention due to her involvement with the humanitarian and immigration crisis at the U.S.-Mexico border, it also has major impacts for the country’s efforts to counteract cyberrisk and data breaches. Last September, Nielsen announced the formation of the National Risk Management Center (NRMC), an initiative focused on defending critical infrastructure from cyberattacks and providing a single point of access to the full range of government activities to defend against cyber threats.

“There is no doubt [Nielsen] was the most cyber-savvy secretary the department’s ever had. She brought real bonafide domain expertise in cybersecurity to the department,” Travis said. He added that the creation of CISA is her legacy and that the relationship with Kevin McAleenan, the new acting secretary of homeland security, has been harmonious.   

Travis reminded attendees that CISA’s partnerships with the private sector are crucial and that CISA regularly monitors national critical functions such as elections, electrical grids and financial transactions, which he said are the “big things that drive our economy.” He also said that companies can leverage CISA resources immediately after a breach as a supplement to the FBI’s criminal investigation.

“We’re going to help you understand exactly what happened and help you recover the data and mitigate some of the impact. The private sector firms do that very well, but the difference is that…[CISA] is free,” he said. “That is where we would like to work with owners and operators, when there is an event, to help them get back on their feet as soon as possible.”

Additionally, Coleman and Travis discussed that though CISA is not part of the intelligence community, it does have access to the intelligence collection and monitors trends that can be used to warn private sector companies of cyberrisks. He cited the recent Domain Name System (DNS) infrastructure hijacking campaign that CISA warned about in February—in which at least 40 different organizations across 13 different countries were compromised—as an example of the agency taking steps to alert both the public and private sectors.   

“When we issue technical alerts or emergency directives,” Travis said, “[we] communicate to our stakeholders what to look out for.”

How to Reduce Uncertainty After A Breach  

In the next session, panelists agreed that even when companies use new technologies to remedy security flaws and migrate data to cloud storage, new vulnerabilities occur. Dr. Michael Siegel, principal research scientist and director of cybersecurity at the Sloan School of Management at the Massachusetts Institute of Technology (MIT), said that the old adage of risks being rooted in people continues to be prophetic.

“It’s always been about people and things that sit in our systems for a long time,” he said. “You’ve heard this since the 2000s and it’s still true, and even more true today.”

Should a business find itself in a situation where ransom is being demanded for intangible assets and information, Siegel advised that then is not the time when stakeholders should first decide whether they’d be willing to pay.

“They should know whether they’d pay ransomware because they have [presumably] done tabletop exercises…that will be absolutely essential because any time you wait and indecision will be [catastrophic],” he said. “You have to have practiced it in advance. You can build a scenario-generator and run it through a classroom.”

Companies can also learn from breaches, if tracking is implemented within their code, noted Tyler Shields, vice president of strategy for Sonatype, an open source governance platform. “The ability to track your code from creation to deployment—that entire life cycle—needs to be instrumented so that when a breach occurs you know what component was affected, where it came from, who implemented it and what protections were in place.”

Incident Response Recovery Beyond IT

The final session’s panelists agreed that holistic approaches are essential for successful response and recovery periods. Internal and external communications should be well thought-out, and designating a person or team to handle them sets the appropriate company precedent. Lisa Plaggemier, chief evangelist at Infosec and NCSA board member, said that, for example, while a company’s lawyers are critical during these times, they might not be the best communicators.

“Lawyers, when they write for communications, tend to sound more scary than reassuring,” she said. “You want to have collaborations and have that communications person in the room with them.”

Photo courtesy of the National Cyber Security Alliance

When it comes to crisis communication, Plaggemier advocated that employees—especially those who detected the incident—should be armed with talking points for traditional and social media outlets to avoid data leakage.

“We want to make sure we equip those people so that the rumor mill doesn’t start flying and we don’t end up with communications that are out of our control,” she said.


Dovetailing on that notion, moderator Andrew Derboben, senior director of security operations at Nasdaq, was quick to mention reputation risk. He said another way to reduce data leakage and misrepresentations in the media—which can further harm a company’s reputation in the aftermath of a breach—is to arm all company employees with a brief script on what to say to anyone, even just passersby making small talk.

“Don’t even have them say ‘no comment,’” Derboben said. “Point them to the experts who have all the data. Because if we’re missing a key piece of information and it’s not communicated properly it could determine how an article will be written.”

New Distracted Driving Data Shows Emergency Responders At High Risk

April is Distracted Driving Awareness Month, and the National Security Council (NSC) released new data this week that explores added transportation risks when emergency responders are en route to provide aid. It is clear that the mere presence of emergency personnel on the road can cause distractions for drivers and bystanders. To date, 16 emergency responders have been struck and killed by vehicles this year in the United States.

According to a survey released jointly by the NSC and the Emergency Responder Safety Institute (ERSI), 16 percent of respondents said they either have struck or nearly struck a first responder or emergency vehicle stopped on or near the road. Still, 89 percent of drivers say they believe distracted motorists are a major source of risk to first responders.

Key findings included:

  • 71% of drivers take photos and text while driving by emergency responders on the side of the road (this drops to 24% under normal driving conditions)
  • 60% take time to post to social media and 66% email about the situation
  • 80% admit to “rubbernecking” – that irritating, but also risky, practice of slowing down all traffic to get a better look
  • 49% say that possibly being struck by a vehicle is “just part of the risk” of being a first responder

As part of its #justdrive campaign, NSC has developed a free Safe Driving Kit to help employers keep their workers safe and is hosting a webinar on April 23, titled “You’re Not As Safe As You Think You Are,” to educate employers on the real risks of distracted driving and what safety-forward companies are doing to combat them.

“The cruel irony is, we are putting the people who are trying to improve safety in very unsafe situations,” said Nick Smith, interim president and CEO of the NSC. “Our emergency responders deserve the highest levels of protection as they grapple with situations that are not only tactically difficult but also emotionally taxing. Save your communications for off the road; disconnect and just drive.”

Already on the NTSB’s List

Earlier this year, Risk Management Monitor reported on the National Transportation Safety Board’s (NTSB) Most Wanted List of transportation safety improvements for 2019-2020, and “Eliminating Distractions” for all vehicle drivers is at its top.

In 2016, more than 3,100 fatal crashes on U.S. highways were attributed to driving-while-distracted. These crashes involved 3,210 distracted drivers, according to the National Highway Traffic Safety Administration (NHTSA), because some of them involved more than one distracted driver. Furthermore, the Virginia Tech Transportation Institute concluded that commercial drivers are at extremely high risk of a crash when texting—23 times greater than when otherwise engaged.

The NTSB states:

Contributing to the problem is the widespread belief by many drivers that they can multitask and still operate a vehicle safely. But multitasking is a myth; humans can only focus cognitive attention on one task at a time. That’s why executing any task other than driving is dangerous and risks a crash.

Personal electronic devices (PEDs), such as cell phones, are one of the greatest contributors to driver distraction, and the NTSB recommends banning all PED use on U.S. roadways. The District of Columbia and 37 states restrict the use of cell phones by novice drivers, and 47 states, DC, Puerto Rico, Guam, and the US Virgin Islands ban text messaging for all drivers.


Recent Apparent Suicides Highlight Need for Post-Violence Recovery Plans

Three apparent suicides that occurred in late March reaffirmed the need for post-incident plans that address long-term trauma in the aftermath of workplace violence and mass shootings.

All three decedents had either survived a school shooting or had been related to a victim. Two youths who survived the Marjory Stoneman Douglas High School shooting in Parkland, Florida, died by apparent suicide just 13 months after a former student killed 17 and injured several more. Shortly after, it was reported that the father of a child killed in the 2012 Sandy Hook Massacre–in which a gunman killed 26 children and adults in a Connecticut elementary school–allegedly died by suicide.

As of March 31, 2019, the Gun Violence Archive confirmed 68 mass shootings for the year, and with statistics sure to rise, companies and institutions should be mindful of the delayed effects of workplace violence. Risk Management Monitor previously reported the number of suicides in the United States has risen in nearly every state between 1999 and 2016. Employers may use these tragedies to reconsider their own prevention and awareness efforts, and ways they can productively contribute to the dialogue and keep their workers safe.

Paul Marshall, managing director of Active Shooter and Workplace Violence at McGowan Program Administrators said post-incident trauma counseling is critical when it comes to preventing or reducing long-term effects.

“The trauma counseling for the mental anguish needs to be aggressively pushed, almost like the way post-traumatic stress disorder is for first responders,” Marshall said.

Counseling for physical and non-physical injury survivors and witnesses is something that could be missed when drafting premises or employer liability policies, he said. In fact, Risk Management magazine reported that companies may not be aware of potential gaps in their coverage, or that the limits of their coverage, when considering active shooter incidents, are insufficient.

Marshall said that instead of a duty to defend when it comes to a commercial general liability policy, insurers can address long-term trauma with a duty of care clause. This, he said, demonstrates an employer’s willingness to help victims from the outset.

“There’s typically a year limit on these policies – in the insurance industry you need to apply some sort of time limit,” Marshall said. “But it’s still a year longer than you’d otherwise get. And there has been a huge uptick in these policies from a year ago.”

#BeThe1To is the National Suicide Prevention Lifeline’s campaign to empower people to help those in crisis.

How Employers Can Help

Addressing post-incident trauma in an insurance policy is important, but equally paramount is the need to ensure that employers make training available for affected employees – regardless of where the incident occurred. Regina Phelps, president of Emergency Management & Safety Solutions, said that post-incident crisis management protocols should be added to workplace violence preparedness plans. Therapy and grief counseling are critical details of those protocols.

“Always give co-workers the option of attending any funeral or memorial service for the victims,” Phelps said. “Be aware of employees’ feelings of guilt – some might feel that they could have done something to stop the suicide or perhaps the victim told them of their plans, and they dismissed the comments. Incidents like that will make co-workers feel like it is their fault. Engage your employee assistance program [EAP] to provide education and training about the suicide threat and the complexities of the situation. If appropriate, support employees who start a tribute or fund to support the worker’s family.”

Phelps said that regular post-incident training can be just as crucial as prevention.

“It is essential to conduct regular exercises with the individuals responsible for the plan and its implementation. This could include the organization’s crisis management team as well as key departments such as human resources, security, facilities and communications,” Phelps said. “Plans are written in a vacuum. During most incidents, plans are not pulled out and people instead operate on muscle memory.  Exercises are the best way to ensure that the muscle memory will be helpful.”

Finally, Phelps stressed that employers communicate that their EAPs are typically available to employees’ families as well.

“Providing mental health services to employees and their families is essential,” she said. “The incident will affect not only the employee but their families. Ensure that counseling services are very convenient – offering an option at work, off-site as well as virtually is essential to make sure that employees get the help that they need. It is also critical to provide these same services to their immediate family.”

For more about active shooter preparedness, RIMS members can access a new professional report, “Active Shooter Preparedness and Your Organization.” To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge.

If you or someone you know might be at risk of suicide, here’s how to get help: In the United States, call the National Suicide Prevention Lifeline at 1-800-273-8255. The International Association for Suicide Prevention and Befrienders Worldwide also can provide contact information for crisis centers around the world.

Spotlight on Risk Management’s Resilient Women

Ahead of International Women’s Day, RIMS is celebrating women’s achievements in the profession. Three women leaders in different stages of their careers recently spoke with Risk Management Monitor about what motivated them to make the move into and within the industry, and what can be done to even the landscape for all professionals. Download the current RIMScast episode for their full interviews.

Kathleen P. Crowe, Aon Risk Solutions and chair of the RIMS Rising Risk Professionals Advisory Group.

What is your impression of risk management’s playing field?

Crowe: I’ve been in the industry for about six years and even in that time I’ve seen a pretty significant change in the overall makeup of the risk management and insurance positions. A lot of companies – Aon included – have women in leadership positions, which I appreciate. Women represent three of my four largest clients – we’re talking about massive, publicly traded companies and they are responsible for risk management functions.

It used to be the boys’ club but it’s becoming the women’s club, too, and I am glad to have these fantastic women to look up to. There’s been a lot of significant progress and I’m excited about the future.

How much of a challenge is knowledge transfer in risk management?

Crowe: I think everyone is facing similar issues in finding ways to integrate people into different areas so they can be trained to step up. The knowledge sharing process takes time and effort and though it’s a constant reminder that everyone is busy, it’s a way to prioritize and make sure we’re investing appropriately in the younger generation. This will enable them to succeed in higher positions as they progress through their careers and take on management positions and oversee others.

* * *

Cassandra R. Cole, Department Chair of Risk Management/Insurance, Real Estate, and Legal Studies at Florida State University; Director of the Master of Science in Risk Management and Insurance Program and the William T. Hold Professor in Risk Management and Insurance.

You have been an educator for years. Does your curriculum evolve to reflect news and industry trends?

Cole: Definitely. Much of my research comes from what’s going on in the world. It makes the classroom more exciting and the information you share more relevant. It helps the student better understand the connection between what’s going on in the textbook and what’s going on in the real world.

For example, I teach employee benefits on a regular basis and with the passage of the Affordable Care Act, that had implications for company health insurance plans and we spent a lot of time exploring how that law would impact companies, what they offer, their cost of insurance and how it would affect employees.

Are more female students showing an interest in risk management courses and degrees? What could higher education and the profession itself do to generate or maintain enthusiasm?

Cole: There has been a significant shift overall in terms of a gender spread. At the undergraduate level, it’s probably more 50-50. At the advanced programs and doctoral level is where I’m seeing a difference and where we still need to continue to inspire women to pursue those advanced degrees.

I think one of the things other than the actual teaching experience is connecting with students, helping them make decisions, [and] helping prepare them for that transition into the work. It is nice, though, to hear from a student who says ‘you’re the first female business professor I’ve had,’ because it demonstrates where they can go in their careers.

We are definitely making some advances but there are disparities in pay that need to be addressed and corrected.

* * *

Soraya Wright, founder and CEO of SMW Risk Management Consulting and also a member of the RIMS Diversity & Inclusion Advisory Council.

You were at Clorox for more than 20 years and left as the vice president of Global Risk Management and Crisis Management. What influenced you to go out on your own?

Wright: I initially thought I would be semi-retired, but two friends hired me as a consultant. I realized I had to formalize myself as a company if I was going to take on all these projects.

One of my mentees influenced me to keep working because she appreciated that I was someone who raised the issue of bringing on women and people of color onto strategic projects while I had been at Clorox. I thought about the work I was doing as a consultant and her words and they grabbed at my heart, and I felt another purpose. So, I continue to stay engaged and learn and practice my expertise as a risk manager. But I also devote some time for my passion, which is mentoring and coaching others and influencing change so there are opportunities for under-represented members of our profession.

How do you feel the profession can further encourage women to maintain their careers?

Wright: By providing opportunities for those who demonstrate an interest. Mentorship is important and I believe we’re obligated to reach back and help the next generation and also our peers. Our clients have more leverage than many realize, so just requesting that certain types of people with certain viewpoints work on your project can make all the difference in your work and in someone’s career. If we do that we’ll continue to see this wave of advancement and the leveling of the playing field.