jump to navigation

Managing online “Reputational Risk” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security.
Tags: , , , ,
add a comment

In today’s world of near instant communication, and social media, it is easier than ever to get information to the world.  Companies would be well advised to consider employing such technologies as they often provide a very good return on investment.  Like many technologies, social media is a double edged sword and must be managed.  Companies can be exposed to many forms of risk including that of “reputational risk”. What is “reputational risk”?  Simply it is a risk to an organization (or person) which derives from a negative association to the brand.  This can be brought on by an executive saying or doing something illegal or an employee voicing a seemingly innocuous statement in what they believe is a private setting that gets forwarded and distributed.  Many Gen X job seekers are learning the hard way that their Facebook pictures of keg stands and Mardi Gras flashing follows them to their interview.  Companies are much more savvy in searching out indiscretions on social media.  The same holds true for companies and their executives.

I am constantly surprised by how little corporate executives seem to understand about the Internet, social media and how easy it is to find information.  In today’s age it is important that company’ have social media policies in place to ensure that 1) OpSec is not being compromised by an employee inadvertently giving away secrets and 2) reputational risk is being managed by ensuring employees understand that everything they do online is publicly available.

All employees should understand that everything they post online is accessible for perpetuity.  While it is certainly every person’s right to have their own views on politics, sexuality, religion, and other topics, posting these views may irreparably harm the very company for which they work.  It should be noted that the level of reputational risk exposure is directly proportional to the person’s role within the company.  A junior level employee that rails on about their views on gay marriage may harm their own reputation in some areas but likely will have less impact than a CEO who rails on about his dislike of women in the workforce.

Recently, I was doing some research on some companies and I found the CEO of a company that listed as his favorite quotation: “F@#K All”.  As a former Marine and Sailor I am not offended by colorful language but I question the professionalism of a CEO publicly listing his favorite quotation as something so patently offensive to so many people.  What is more disturbing is that this quote was not referenced once but many times in various places throughout the Internet (as were other things).  I am sure that this particular person felt his railings had been archived and deleted over time but, as stated previously, it is relatively trivial to find information that is believed to have been long deleted.

To protect yourself and your company from reputational risk follow these simple guidelines:

1) Operate with the belief that anything you post online is there “forever”. While the average user may not be able to retrieve some information, there are some people that can access nearly everything…and can repost.

2) Don’t post anything patently offensive.  While we all have our own political, religious and other beliefs, they may not be in line with our employer’s.  While most companies are tolerant (there are laws that protect expressions) of such beliefs, understand that patently offensive statements can harm the company and your employment.

3) Don’t say anything that is patently offensive.  Remember that this is 2011 and not 1988.  Calls are recorded ‘digitally’ which means they are easy to retain, repost, and republish.  If you are angry at someone, don’t call and record drunken, profane threats.  They are preserved forever (see #1).

4) Be aware that as an officer of a company there are likely people tracking your public online actions in near real time.  This means that if you twitter something and then immediately ‘delete’ it is still captured.   Look at all of the US athletes and actors that have ‘tweeted and deleted’ only to have the press have the original tweet.

Certainly some are reading this post and saying: “this hits close to home”.  It should.  Follow the simply rules above and you can manage online reputational risk for you and your company.

 

 

Security 101: The Human Element – “Trust but Verify” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,
1 comment so far

As maritime security becomes more lucrative and companies to steps to stop attacks, it is the natural evolution of crime that the pirates will begin looking for new vulnerabilities to support their efforts.  Often the most vulnerable element of any security strategy is the human element.  People often provide the proverbial ‘weak link’ in the strategy.  Often it is not an intentional act by a person that creates and issue.  It could be a simple mistake or the person could be deceived into taking action.  While these are common aspects of security today I want to talk about people that take direct action with intentions that are contrary to the organization.  It not something that any company likes to consider but it is an unfortunate fact of life.  People are rational actors and as such a percentage of any population will be inclined to perform actions that are outside the bounds of what are considered by most to be ethical or moral behavior.   This is where the idea of “trust but verify” comes in.  We all like each other and we all want to believe that we are all honest people.  It is irresponsible however, to simply take people at their word.  It is responsible and appropriate given my access to information.  It is obvious that with increased responsibility comes increased authority.  Often this leads companies to believe that these senior “trusted” individuals do not require the same level of monitoring to which more junior level employees may be subject. This is a serious mistake.  Increased responsibility and authority comes with increased access to information.  It is often these very employees that can do the greatest damage.  I will give an example from my own experience.

Recently through some legal proceedings it was discovered that a former Chief Technology Officer of a company I previously owned had taken steps to download every single employee and contractor’s email to his personal system.  When confronted at the proceeding, he admitted he had indeed downloaded very email.  He then took a number of steps to hide his actions.  His actions were only discovered 2 years later through legal proceedings.  He has not divulged why he took such action.  It should be noted that in many states in the US this is not only a crime but is a felony.  This was not a junior level employee who could plead ignorance.  This was a person with a graduate degree in information security who, by his own admission, “defines security and risk”.  To say I was apoplectic when I discovered his actions would be an understatement.  He not only violated the trust of the company and me personally, but potentially committed a serious crime.  The point of this example is to demonstrate the need to “trust but verify” what ALL employees are doing.

Operational security, or OpSec, is increasingly important in a hyper-competitive world.  Add to that the new threat of information theft by pirates and those supporting piratical acts and the need to protect your information and assets becomes critical.  It is not only the junior level staff that should be monitored and ‘verified’, it is all employees.  Anyone with a security clearance is used to the fact that every few years the Gov’t decides to crawl through your life and put you through a polygraph to ensure that you are still ‘trusted’.  This is a good example of ‘trust but verify’.   When developing a strategy to address information security, and operational security, it is important that all areas of the business are considered and addressed.  Often it is a single trusted person that cause irreparable  harm to the organization.

Somali gets life in prison for hijacking U.S. yacht that left four Americans dead! August 22, 2011

Posted by Chris Mark in Uncategorized.
Tags: , , , , ,
add a comment

NORFOLK, Va. –  A Somali man was sentenced to life in prison on Monday for his role in the hijacking of yacht off the coast of Africa that left all four Americans on board dead, telling a federal judge that he never meant for anyone to get hurt.

“I’d like to express my regret and sorrow to the victims’ families,” Ali Abdi Mohamed said through an interpreter.

Mohamed is the first of 11 men who have pleaded guilty to piracy in the case to be sentenced. Each of the men face mandatory life sentences, although that could eventually be reduced as part of a plea deal with federal prosecutors. A second Somali was expected to be sentenced later in the day.

The owners of the Quest, Jean and Scott Adam of Marina del Rey, Calif., along with friends Bob Riggle and Phyllis Macay of Seattle, were shot to death in February several days after being taken hostage several hundred miles south of Oman. They were the first Americans to be killed in a wave of piracy that has plagued the Indian Ocean in recent years.

The pirates said they intended to bring the Americans back to Somalia so that they could be ransomed, but that plan fell apart when four U.S. Navy warships began shadowing them. The Navy offered to let the pirates take the yacht in exchange for the hostages, but the pirates said they wouldn’t get the kind of money they wanted for it. Hostages are typically ransomed for millions of dollars.

Mohamed told prosecutors he was ordered to fire a rocket propelled grenade at the American warships to keep them away from the Quest. Court documents say that in doing so, he inadvertently killed one of the pirates who was standing too close behind him. Shortly after the RPG was fired, gun fire erupted aboard the yacht.

Somali Pirates attack another tanker in port of Salalah August 22, 2011

Posted by Chris Mark in Uncategorized.
Tags: , , , ,
add a comment

A day after pirate hijacked a ship while it was anchored in the port of Salalah a group attacked another chemical tanker in the same location.  This ship was able to avoid capture however.  As stated by the IMB:

“Pirates in a skiff chased and fired upon a chemical tanker,”…”The pirates made several attempts to board the tanker and finally aborted the attack due to the evasive maneuvers made by the tanker.”

 

Somali Pirates hijack vessel while at anchor! August 21, 2011

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
1 comment so far

In what is being described as the first attack of its kind and the most brazen attack yet, Somali pirates hijacked the chemical tanker MV Fairchem Bogey with a crew of 20 Indians and flagged in the Marshall Islands.

She was taken at anchor off Port Salalah, Oman.  Boarded at 0530 and forced to heave up and steam toward Somalia.  An Omani warship fired across the bow but the Master was forced to call the managers and tell them that the pirates were prepared to kill the crew, all lined up on the bridge, if the pursuit was not called off.  The warship shadowed the vessel until out of Omani territorial waters.

This brazen attack demonstrates the tactics used by pirates will evolve and become more sophisticated over time.  This year alone there have been many firsts; attacks in the Red Sea, vessels hijacked during Monsoon season, not releasing crews after ransoms were paid and now hijacking vessels while anchored at port.