FLAWLESS
COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2009 John Weathington. All Rights Reserved.

Issue No. 17, May 2009

Inside This Issue:

  • Living Under the Information Highway: What Homeless People Can Teach You About Efficiency
  • The Ultimate Insiders: SEC Cracks Down on Employee Insider Trading
  • How Much Do You Trust Your Janitor? 3 Key Tips for Preventing an Inside Job
  • Violation Inertia: One Problem Just Leads to Another
  • Dumber and Dumbest: Two Stupid Criminals Caught on Tape

 

Living Under the Information Highway

What Homeless People Can Teach You About Efficiency

Skip Schreiber working on his laptop in his van, which is also his home.

The year 2008 scared a lot of people, myself included, and 2009 is no day at the carnival either; however, if you have a street address right now, you’re doing better than some. In my hometown of San Francisco alone, there are about 6,500 homeless people; some push around shopping carts all day arguing with themselves, some work the streets looking for a helping hand from generous people—and some surf the internet on their laptop computers!

In this day and age, some of the homeless have decided that staying connected to the information highway is a non-negotiable term. The job might go, the house might go, but the laptop is going nowhere.

According to the Wall Street Journal, 37-year-old Charles Pitts has accounts on Facebook, Myspace, and Twitter, and even runs an internet forum on Yahoo: all from the un-comforts of his residence under the bridge. Mr. Pitts claims that you don’t need a place to live, a TV to watch, or a newspaper to read, “but you need the Internet.”

I have to admit that I don’t know too many homeless people personally, but I have befriended one or two in my past and I certainly hear and read real stories based on actual accounts. It’s very easy to misconceive that “the homeless” are somehow a different class of people; however, nothing could be further from the truth. Some homeless people are highly intelligent and resourceful due to their conditions. There’s a lot that can be learned by understanding how they cope with their situation.

Paul Weston, a 29-year-old hoping to be a computer programmer someday, was laid off in December from his job as a hotel clerk and was forced to move into a shelter. With his PowerBook in hand, he stations himself at places that offer free Internet service. Once wired, he’s free to search for work, and even write the computer program that he hopes to sell someday.

This economy also took its toll on Robert Livingston, a 49-year-old who quit his security job late last year. Unable to find a new job, he lost his apartment in December and was also forced to move into a shelter. When he realized he was going to be homeless, he bought three things: a backpack, a padlock (for his locker at the shelter), and a premium account on Flickr to display the digital photos that he takes. And although his only monthly income is a $59 welfare check, he stays clean-cut and meticulous, with notebook under arm.

Long-time veteran of the streets Skip Schreiber knows a thing or two about staying wired without a permanent address. The former HVAC specialist took a turn for the worse 15 years ago and has been living on the streets ever since. These days you might find him in his van working on his Mac laptop. He draws power from his van’s battery and saves power by keeping the wireless antenna off and avoiding videos. He also cools the computer down by setting it on a damp cloth. Using these techniques, he is sometimes able to get 16 hours of life out of his computer’s battery.

These are just a few of many examples of how people without homes are managing to stay connected to technology and the information highway. No, I’m not homeless, but when forced into the unusual circumstances of the 2008-2009 economy I had to become resourceful just like the rest of us.

The point is this. We as human beings are very, very good at being resourceful: much more than you realize until you’re forced to. The opportunity here is that you can absolutely make your compliance program much more efficient than it already is, but you need to realize the following:

  • You need to be absolutely crystal clear on what your minimum future state and ideal future state are. You can have grey area in between, but you must be extremely clear on the scope boundaries of your future state.
  • Achieving your minimum future state cannot be optional.
  • You need to know how to get help. Know who to trust for advice, and then trust them.
  • Lock in the outcome, but allow the means to be fluid. It doesn’t matter how you get where you need to go, as long as you get there.
  • Trust the power of the collective wisdom of a team to solve problems. As humans we have our shortcomings, but our amazing ability to solve problems is what makes us the higher species. Enlighten the human spirit and anything can be accomplished.

Your potential for an efficient operation is already within your team; you just need to tap into it. Don’t wait until you’re forced into an urgent situation like a lawsuit; this is the worst time to rally resources and get your act together. And don’t ever believe it’s not possible to reduce your company’s exposure for less cost. If Robert Livingston can survive on $59 a month and still stay connected to the Internet, you can get more out of your compliance program for less cost.


The Ultimate Insiders

SEC Cracks Down on Employee Insider Trading

The SEC OIG has filed an official Report of Investigation on the two SEC attorneys under criminal investigation for insider trading. You can download the report from CBS News.

As if the SEC hasn’t had enough problems with the public embarrassment of letting Bernie Madoff get away with his billion-dollar Ponzi scheme, now it seems SEC attorneys are under criminal investigation for insider trading. Wow, talk about the ultimate insiders!

In just about every large company that I’ve consulted for, I’ve had to agree to be an “insider.” Because I’m typically working closely with the company’s financial data, I usually have access to information that’s not available to the general public. Therefore, I need to be very careful about the stock trades I make that are related to my client company. The SEC has very strict rules against this, which come with steep fines let alone public humiliation.

But it seems now that the watchdogs themselves have a few problems of their own. The SEC won’t release the names of the two attorneys, but according to CBS News we do know that a man and a woman who work as investigative attorneys for the SEC are under FBI investigation for allegedly leveraging their very non-public SEC information for personal gain to the tune of hundreds of thousands of dollars. This is completely unacceptable, and Senator Charles Grassley (R-Iowa), the ranking member of the Senate Finance Committee, is not going to take this lying down. And I know from personal experience that once Senator Grassley locks in on a target—look out.

As a result the SEC is cracking down. Here are the steps that are being taken:

  • New policy is being drafted that prohibits SEC employees from trading on any company under investigation, regardless of their involvement.
  • The SEC is contracting with an outside firm to build a compliance tracking system that will monitor all SEC employee trades in real time.
  • Newly elected SEC Chairman Mary Schapiro is consolidating the oversight of SEC employee trades and disclosure under a new chief compliance officer. Previously the oversight was split between two offices.

I like this action, as it highlights a very serious problem that we must all come to terms with, and it models key control actions that are effective. Ask anybody on the Nevada Gaming Commission and they’ll tell you that the most difficult and venomous type of criminal is one that comes from their own agency.

An inside job is by far the biggest threat to your organization, but I don’t think it’s taken seriously enough in organizations. In the next article on “How to Trust the Janitor,” we’ll explore some specifics for controlling against insider threats, but for now let’s take a few lessons from the government’s chief office of securities governance and oversight:

  • Draft Stricter Policy: Policy alone will not keep you compliant, but it’s the only way to establish a firm foundation for compliance. Tightening up your policy around insider risk sets the stage for good things to come (or bad things to not come).
  • Leverage Outsiders: An impartial third party is a must to prevent collusion.
  • Leverage Technology: Computer systems are cheaper, faster, and higher quality watchdogs than people. Use this to your advantage.
  • Consolidate Accountability: There should be one and only one person completely accountable for insider violations. Any other option creates too much ambiguity and loss of control.

If these pressing financial times have taught us anything, it’s that when people are put under pressure anything’s possible. As I highlighted in the above article “Living Under the Information Highway,” people have an unbelievable ability to be resourceful. In most cases this can help your organization, but under the wrong set of circumstances it can force an otherwise honest and ethical person into very questionable behavior. By taking adequate measures to prevent insider trading and other types of “inside jobs,” you are not only protecting your company from the effects, but also keeping your employees honest and out of dangerous territory. Please start today by taking a second look at your insider policies.


John Weathington's Blog


Visit John Weathington's Blog to find out what's on his mind lately. Get his insight on the world around us, compliance issues and updates, and more. The address is: http://blog.johnweathington.com.

You can also visit the blog section of http://www.excellentmanagementsystems.com for RSS subscription information.

How Much Do You Trust Your Janitor?

3 Key Tips for Preventing an Inside Job

Just one inside job can put you completely out of business.

The janitor at my building has access to each and everybody’s office including mine. I wonder how many people would be devastated if the janitors decided to steal as much as they possibly could in one night. Under most circumstances I wouldn’t be necessarily devastated, but certainly impacted to a good degree. How about you?

Over 80% of all privacy leaks are caused by insiders, not outsiders. We spend billions of dollars trying to protect outside people from hacking in, while people on the inside are walking out the front door with sensitive information.

Obviously, janitors aren’t the only ones in the organization to worry about. Some of your database administrators have unrestricted access to every piece of information in all of your databases. And, if you outsource or even offshore this function, chances are you don’t even know who these people are!

And of course, even non-technical people can be an insider risk to your company. The people in your Finance department are surely intimate with insider trading laws, and for good reason. And what about your product engineers? What would happen if they farmed out your sensitive product information to your competitors?

But what can you do? To a large extent you must trust the people in your company in the same way I trust the janitor to leave my stuff alone. But what’s the best way to control against insider attacks?

What most paranoid companies start doing is infesting the company with productivity-crippling controls in the name of “protecting the organization.” This is exactly what not to do. It doesn’t make any sense to create insurmountable access policy and authorization bottlenecks.

The challenge is to maintain high productivity and throughput of your workers while simultaneously protecting yourself from insider attack. Yes, this is challenging, but not impossible. The first mistake is thinking it’s an “either / or” situation, when in reality you can have your cake and eat it too; you just need to solve for it.

Here are my favorite tips for achieving maximum throughput while controlling the risk of insider attack:

Effective Controls for Insider Attack – Tip # 1: Use Preventive Controls Cautiously

Installing preventive controls for insider attacks is one of the biggest traps people fall into. For instance, to prevent a database administrator (DBA) from stealing sensitive HR information from the database, you might make a blanket policy that nobody has access to the database except one HR DBA. This DBA now becomes a bottleneck for anything HR related. What happens when the one DBA gets sick, or is out on vacation? You’re putting your entire HR database at risk.

Use a preventive control only when you know for certain that a certain action should never take place. For instance, personally identifiable information (PII) should never leave the company, so putting up a firewall to prevent this, as PCI (Payment Card Industry) compliance suggests, is certainly appropriate.

Effective Controls for Insider Attack – Tip # 2: Focus Heavily on Contingent Controls

If you’ll remember, both preventive and contingent controls are proactive. However, the difference between the two is whether you focus on the cause or the impact. Where preventive controls will stop something from happening by addressing the cause, contingent controls will allow the risk to happen, but make sure the impact is minimized.

Of course you need to be careful with this approach, and make sure your contingent controls are effective; however, once set, they work much better to control against insider attacks. An example of a contingent control for the risk that a renegade DBA will delete all the information in your company’s database is having a standby database ready to go that the DBA doesn’t have access to. Contrast this with the preventive control of not allowing the DBA access at all.

Effective Controls for Insider Attack – Tip # 3: Make it Extremely Difficult and Unattractive to Execute an Insider Attack

It humors me whenever I witness a parent count to three when their child is acting up, only to get to three and do nothing but stare at them with a scary face. The child obviously knows this routine very well and has no real internal motivation to stop acting ridiculous. As a child, I never really had the luxury of a count or a stare. Once my dad figured out that I was getting into trouble, swift and acute action was taken.

Empty threats and ineffective controls compromise your ability to defend against insider attack. Nobody really cares what your policy says will happen, they care about two things: what are my chances of getting caught, and what will happen if I get caught.

Install a system of real time violation monitoring, and the minute offenders are identified go for the jugular vein. You need to send a very clear message to the organization that insiders will be dealt with swiftly and severely.

Insider attacks, whether they be insider trading violations, internal technical sabotage, privacy data theft, or the selling of company secrets, are a very real threat to your company that you need to take seriously. The key challenge is to protect yourself without imploding your company with policy and process hurdles. To accomplish this, focus on employing contingent controls and be cautious with the preventive controls. Finally, strike quickly and painfully when violators are uncovered. Following these three simple tips will put you on the right path to a safe and productive organization.


Violation Inertia

One Problem Just Leads to Another

Taiwanese financier Danny Pang faces government scrutiny from all angles.

California financier Danny Pang is in the beef-noodle soup this month as he suffers through scrutiny of his credentials, FBI allegations of fraud, and even a search of his home in Newport Beach, California.

According to the Wall Street Journal, the Taiwanese (now former) chief executive of the investment group PEMGroup allegedly:

“… made 38 cash withdrawals of just under $10,000 apiece between mid-2007 and early this year. The affidavit showed some of the checks for the withdrawals were issued on the same day or a few days apart …”

To prevent money laundering, the federal government has constructed rules that mandate the disclosure of any cash transaction that exceeds $10,000. Trying to skirt these rules by assembling a series of transactions just under $10,000 to avoid scrutiny is a federal crime. Regardless of whether he intended to launder money, Mr. Pang could be facing up to 10 years in prison.
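The $10,000 disclosure threshold and the "just under" pattern described above are exactly what a transaction-monitoring rule looks for. The following is an added example, not code from the newsletter or from any bank's or regulator's system: it scans a constructed withdrawal ledger for runs of near-threshold cash withdrawals within a short window and separately lists the transactions that exceed the threshold outright. The window, band and count values are assumed tuning parameters.

```python
from collections import defaultdict
from datetime import date

# The reporting threshold the article cites; the other three values are
# assumed tuning parameters, not figures from the newsletter.
CTR_THRESHOLD = 10_000.0   # cash transactions above this must be reported
NEAR_BAND = 0.10           # "just under": within 10% below the threshold
WINDOW_DAYS = 7            # cluster withdrawals within a week of the first one
MIN_COUNT = 3              # alert when at least this many cluster together

# Constructed sample ledger: (account, date, amount). Not real records.
SAMPLE_WITHDRAWALS = [
    ("acct-A", date(2007, 8, 1), 9_900.0),
    ("acct-A", date(2007, 8, 1), 9_800.0),    # same day as the first
    ("acct-A", date(2007, 8, 4), 9_950.0),    # a few days apart
    ("acct-A", date(2007, 9, 20), 9_700.0),   # isolated; outside the window
    ("acct-B", date(2008, 1, 10), 12_000.0),  # over threshold: reportable, not structuring
    ("acct-B", date(2008, 1, 12), 500.0),
    ("acct-C", date(2008, 3, 1), 9_990.0),
    ("acct-C", date(2008, 3, 2), 9_990.0),    # only two: below MIN_COUNT
]


def is_near_threshold(amount):
    """True for amounts just below the threshold (never at or above it)."""
    return CTR_THRESHOLD * (1 - NEAR_BAND) <= amount < CTR_THRESHOLD


def ctr_reportable(withdrawals):
    """Transactions that exceed the threshold and must be disclosed outright."""
    return [w for w in withdrawals if w[2] > CTR_THRESHOLD]


def find_structuring(withdrawals, window_days=WINDOW_DAYS, min_count=MIN_COUNT):
    """Return {account: [(first_date, last_date, count, total), ...]} for runs
    of near-threshold withdrawals that fall within window_days of the run's
    first withdrawal. The function flags runs for an analyst to review; it
    does not decide intent."""
    near = defaultdict(list)
    for acct, day, amount in withdrawals:
        if is_near_threshold(amount):
            near[acct].append((day, amount))
    alerts = {}
    for acct, items in near.items():
        items.sort()                      # chronological order per account
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and (items[j + 1][0] - items[i][0]).days <= window_days:
                j += 1
            run = items[i:j + 1]
            if len(run) >= min_count:
                alerts.setdefault(acct, []).append(
                    (run[0][0], run[-1][0], len(run), sum(a for _, a in run)))
            i = j + 1                     # next run starts after this one
    return alerts


if __name__ == "__main__":
    print(find_structuring(SAMPLE_WITHDRAWALS))
```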

But this is only the beginning of his problems. To date, Mr. Pang has been accused of lying about his education and credentials, falsifying documents, and even running a Ponzi scheme (seems like Ponzis are really making a comeback this year). In the latest round of mania, the FBI searched his home looking for gold bullion. Allegedly he purchased the bullion with some of the cash he pocketed, just in case things went south. Welcome to the South Pole, Danny!

It’s actually not unusual for federal investigators, or any investigators for that matter, to keep searching for more dirt once dirt is found. This is what I call violation inertia. Once the investigation picks up momentum it’s difficult to slow down.

Good luck, Danny. Let’s hope you don’t have any parking violations!


Dumber and Dumbest

Two Stupid Criminals Caught on Tape

Stupid criminals are always fun to read about, but this month thanks to LawyerShop we get to watch them in action. Check this great video of dumber and dumbest trying to break into a store:

 

LawyerShop TV Premier: Stupid Crook of the Month
Available on YouTube at http://www.youtube.com/watch?v=SCfsCQybek0

Even the best-laid plans go south, but it doesn’t seem like these two even tried. As compliance professionals I’m sure you know this, but it’s worth repeating. Make sure common sense and good risk planning go into your projects. Otherwise, they could knock you out!

Always Please Remember
Always please remember to buckle up. It could save your life.


© 2009 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.