Thursday 18 July 2013

Mitigation versus Real Security

Of the many different ways of classifying security types, one seems to me to be of increasing importance in how an organization sets up and structures its security. The two types, which we will call mitigation and real for the purpose of this discussion, are important paradigms for an organization to distinguish. Doing so lets it allot funds and resources to the proper locations, and lets it properly understand the effects it wishes to achieve before heading out and buying the most expensive security gadget, which then turns out to be ineffective because the intent of the system was never understood.

Mitigation security (not to be confused with mitigation strategies) focusses on the concept that nothing is secure forever. The aim of this type of security is to demonstrate to interested parties, namely insurers, legislators and interested members of the public, that proper precautions were taken to secure that which requires security. In other words, it allows an organization to claim that all that could reasonably be done was in fact done, and that a security breach was an extraordinary occurrence which could not reasonably have been expected. This covers things like physical assets, unencrypted cloud data, product launch details and really anything which tends to be insured against loss, or the loss of which, while damaging, will only expose an organization to potential financial loss or lower-level litigation.

Real security, on the other hand, is the paradigm which focusses on actual no-fail security measures. Failures in security of this type result in real harm, major financial losses and litigation exposure, as well as public backlash, loss of confidence and possibly adverse legislation. Organizations involved in this type of security tend to be government agencies, weapons and energy manufacturers and high-tech organizations. Losses of this type vary, however they tend to involve cutting- and bleeding-edge technologies, personal and financial data, state secrets and significant intellectual property.

The two paradigms are not mutually exclusive; quite the contrary. Choosing the appropriate paradigm to put into practice in each area of your organization shows that proper thought has gone into your security plan, and has the benefit of tailoring costs so that the proper level of protection is applied where it is needed. This runs contrary to the plans that many security sales folks may propose, however the truth of it is that high security comes down to planning appropriately rather than spending on the most expensive gadgets.

When you begin your planning for security measures, here are a few quick rules I like to use when planning for my clients:

  • Start early in the business life cycle. Starting to think about security when you are still a small to medium business will allow you to think about how your plan can and should evolve as you get bigger.
  • Establish what effects you want to achieve rather than what you want to secure. This will give you a better understanding of the variables you need to account for.
  • Consider everything, not just the gates. I always tell people that the best way for me to breach your data systems, if the IT security folks are doing their jobs, is to get some dirt on a staff member, blackmail them and have them get it for me, making those expensive IT security plans worthless.
  • A plan is never done. Make amendments whenever a breach occurs and regularly as technology and organizational changes occur.
  • And finally, a security plan is useless unless staff are aware of the plan. Make sure they are aware of your plan, and refresh them on a regular basis (annually as a minimum).
Blog post is courtesy Elemental Investigations: Private Investigator Edmonton, an Edmonton, Canada based private investigator agency. They can be found online at www.elementalpi.ca

Friday 12 July 2013

Conflict of Interest

Conflicts of interest are one of those issues that people generally know about but tend to fail to notice when they are actually presented with evidence that one is occurring. This is largely due to personal knowledge of the individuals and organizations caught up in a particular conflict, but it can also be caused by attempts by the organization or individual to hide a potential or existing conflict which can be used for gain.

Generally speaking, a conflict of interest exists when an individual or organization has relationships with two or more other individuals or organizations, where the relationship with one could conceivably influence the interaction with one or more of the others. A case in point is the CEO who owns stock in his own company and sells off the majority of his shares prior to releasing poor financial results for the company. This is also seen in the public sphere where a public servant awards a construction job to her brother-in-law.

These examples are very obvious and often come under intense scrutiny when they occur, usually by the media in the case of important contracts and major corporations. However, conflicts also occur in far smaller groups and circles, where they can cost organizations money and respect in their corporate circles.

Smaller-scale examples include the most frequent conflict, personal relationships, but also involve finances such as personal loans, memberships in clubs, prior or hidden criminal or ethically dubious acts, and social pressures.

In any case, it usually falls to an organization's internal capabilities to keep track of conflicts of interest among its own personnel. Often these issues are investigated by HR staff at the time of short-listing or hiring, when general checks are conducted internally or with the help of an outsourced HR firm or investigator.

The problem with this method is that things change over time. As people become more settled in a position or develop professionally, they tend to branch out in terms of stock holdings, memberships and personal ventures. As these develop, the potential for conflicting circumstances increases greatly. The person in the conflicting position usually will not identify the conflict to the organization, either out of ignorance or, more commonly, because they recognize the benefit of keeping silent. A case in point is the software engineer who starts up a small business on the side providing services similar to those he performs in his primary employment. Using the skills and resources gained from his employment, as well as valuable contacts and commercial networking opportunities, he can gain a significant advantage by offering services below the corporate rate, often using resources from the company he works for to enhance his own business and reduce overhead. This scenario is actually one of the most prevalent forms of conflict of interest and costs companies major capital, as it is often low level but very widespread.

A way for a company to keep on top of this is to periodically re-check for conflicts of interest. Important times to look out for, particularly for C-suite executives and technical staff (engineers, scientists, etc.), are when new staff are brought on, when competitors make major acquisitions, when supervisors become aware that staff are starting their own businesses, and when major bonuses are granted which could give an employee the means to make cash investments in a personal business or in stock.

Additionally, depending on the type of business, checks should be repeated at regular intervals (every 2-5 years) on all C-suite, executive management and major development and technical leaders to ensure that proper disclosures have been made. These checks should be directed from the Board of Directors' office and can be done by internal staff if the capability exists. However, using external organizations ensures the proper skill sets and impartiality in the investigation, and allows for greater flexibility without diverting staff from other tasks.

Saturday 6 July 2013

Employee Misconduct

Employee misconduct is one of those catch all phrases which generally captures employees doing things they shouldn't, from misuse of assets to malingering to racial discrimination.

Despite the various disguises that employee misconduct can wear, the effects of misconduct can be felt throughout an organization, and can hit not only employee morale but the bottom line as well.

What are some of the more common types of misconduct? Well, the list is quite extensive, however some of the most common are:

  • Harassment
  • Discrimination
  • Misuse of company assets (such as using assets for personal use)
  • Malingering (claiming to be sick/injured falsely)
  • Violations of ethical practices
  • Safety infractions
  • Legislation and internal policy abuses
  • And of course, everyone's favourite, plain old goofing off.
The effect of these activities, particularly when committed by those in supervisory and management positions (who are the most likely to engage in most types of misconduct), is to clobber morale within your ranks. Not only does it create a poisoned environment, it has the effect of spreading: as people see those in power getting away with poor behaviour, others conclude that they are justified in engaging in other types of misconduct, if not flat-out illegal behaviour, within your organization.

This can have an enormous impact on the bottom line, as high employee turnover, losses and reduced productivity can grind your capabilities into the ground fairly quickly.

To effectively identify and deal with misconduct issues, ensure the following are implemented in your organization:

  • Institute an active whistleblower program which protects staff from repercussions when reporting instances of employee misconduct
  • Ensure that complaints are investigated as soon as possible. If you do not have the capability in house (and most organizations do not), hire outside investigators to come in for complex cases such as harassment and malingering (particularly when unions are involved).
  • Communicate the results of the investigation to staff and explain the disciplinary measures taken. Many companies balk at this for fear of coming off as the proverbial big meanie, however this shows staff that you are committed to stamping out misconduct and that the rules apply to everyone equally... you'd be surprised at how well a firm and fair hand is viewed by staff.
  • Take suggestions from staff and management on how to remedy a situation once the dust has settled. Bringing your staff into play gives them a sense of involvement in the wellbeing of your organization and gives them a stake in the future.