
Managing online “Reputational Risk” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security.

In today’s world of near-instant communication and social media, it is easier than ever to get information to the world.  Companies would be well advised to consider employing such technologies, as they often provide a very good return on investment.  Like many technologies, social media is a double-edged sword and must be managed.  Companies can be exposed to many forms of risk, including “reputational risk”. What is “reputational risk”?  Simply put, it is a risk to an organization (or person) which derives from a negative association with the brand.  This can be brought on by an executive saying or doing something illegal, or by an employee voicing a seemingly innocuous statement in what they believe is a private setting that then gets forwarded and distributed.  Many Gen X job seekers are learning the hard way that their Facebook pictures of keg stands and Mardi Gras flashing follow them to their interview.  Companies are much more savvy in searching out indiscretions on social media.  The same holds true for companies and their executives.

I am constantly surprised by how little corporate executives seem to understand about the Internet, social media and how easy it is to find information.  In today’s age it is important that companies have social media policies in place to ensure that 1) OpSec is not being compromised by an employee inadvertently giving away secrets and 2) reputational risk is being managed by ensuring employees understand that everything they do online is publicly available.

All employees should understand that everything they post online is accessible in perpetuity.  While it is certainly every person’s right to have their own views on politics, sexuality, religion, and other topics, posting these views may irreparably harm the very company for which they work.  It should be noted that the level of reputational risk exposure is directly proportional to the person’s role within the company.  A junior-level employee who rails on about their views on gay marriage may harm their own reputation in some areas, but will likely have less impact than a CEO who rails on about his dislike of women in the workforce.

Recently, I was doing some research on some companies and I found the CEO of a company who listed as his favorite quotation: “F@#K All”.  As a former Marine and Sailor I am not offended by colorful language, but I question the professionalism of a CEO publicly listing as his favorite quotation something so patently offensive to so many people.  What is more disturbing is that this quote was not referenced once but many times in various places throughout the Internet (as were other things).  I am sure that this particular person felt his railings had been archived and deleted over time but, as stated previously, it is relatively trivial to find information that is believed to have been long deleted.

To protect yourself and your company from reputational risk follow these simple guidelines:

1) Operate with the belief that anything you post online is there “forever”. While the average user may not be able to retrieve some information, there are some people who can access nearly everything… and can repost it.

2) Don’t post anything patently offensive.  While we all have our own political, religious and other beliefs, they may not be in line with our employer’s.  While most companies are tolerant of such beliefs (there are laws that protect expression), understand that patently offensive statements can harm the company and your employment.

3) Don’t say anything that is patently offensive.  Remember that this is 2011 and not 1988.  Calls are recorded digitally, which means they are easy to retain, repost, and republish.  If you are angry at someone, don’t call and leave drunken, profane threats on a recording.  They are preserved forever (see #1).

4) Be aware that as an officer of a company there are likely people tracking your public online actions in near real time.  This means that if you tweet something and then immediately ‘delete’ it, it has still been captured.   Look at all of the US athletes and actors who have ‘tweeted and deleted’ only to have the press retain the original tweet.

Certainly some are reading this post and saying: “this hits close to home”.  It should.  Follow the simple rules above and you can manage online reputational risk for yourself and your company.

Al-Shabab in Somalia bans three-sided pastry! July 27, 2011

Posted by Chris Mark in Uncategorized.

Al-Shabab, a powerful Muslim extremist group which controls roughly one third of the entire country, banned a three-sided pastry because it may remind people of the Christian Holy Trinity.

Al-Shabab recently boarded trucks with loudspeakers and announced that the popular pastry, often filled with meat and vegetables, was banned.  The ban comes at a time when the U.N. estimates that 11 million people are being affected by the worst drought in decades.

Somalia’s prolonged drought became a famine in part because neither the Somali government nor many aid agencies can fully operate in areas controlled by Al-Qaeda-linked militants, and the U.N. is set to declare all of southern Somalia a famine zone as of Aug. 1.

6 Sailors Trapped on MV Iceberg; Indian Government Refuses Ransom Demand July 24, 2011

Posted by Chris Mark in Piracy & Maritime Security.

Six Indian sailors are trapped aboard the MV Iceberg after the Indian government refused to pay ransom to the Somali pirates.  Third Officer Jaswinder, who has called his family 8 times in an attempt to secure the ransom, described how he and 2 other sailors were tortured by the pirates and how one crew member had been killed.  The MV Iceberg was hijacked in March, 2010 by a reported 50 pirates.  Nearly 500 days later, she and her crew are still held captive.  Before the ransom demand was rejected by the Indian Government, it was rejected by the ship’s owners.  The crew is in desperate need of help.  This should be a wake-up call for those companies willing to roll the proverbial dice with their security.  While stories of ransoms being paid and sailors returning home warm the heart, there are still dozens of ships and hundreds of sailors enduring terrible conditions and brutal treatment at the hands of pirates.  Once a ship is captured, the pirates have the negotiating power.  Professionally trained and experienced armed guards are the best defense against piracy.

Evaluating “Safety & Security on the Cheap” June 21, 2011

Posted by Chris Mark in Risk & Risk Management.

Suppose you decide to take up skydiving and are looking for a parachute.  Would you consider buying a parachute from a street vendor at a great price, or would you look for a company that specializes in parachutes?  I am confident that everyone reading this would opt for the specialists over the street vendor.

Security and safety are closely related, and both are frequently debated topics in which risk analysis plays (or should play) a critical role in allocating spending.  So the inevitable question for all for-profit companies becomes: “What is appropriate security or safety?”  As discussed in the blog post titled Risk 101, the answer is simply that spending should ensure that the controls are commensurate with the identified risks.  In his article “Safety on the Cheap” Robert Reich succinctly states the issue and its challenges when he says:

“Inevitably there’s a tradeoff. Reasonable precaution means spending as much on safety as the probability of a particular disaster occurring, multiplied by its likely harm to human beings and the environment if it does occur.

Here’s the problem. Profit-making corporations have every incentive to underestimate these probabilities and lowball the likely harms.”

This is consistent with accepted risk management doctrine, and it is where the challenges arise.  Companies are often willing to roll the proverbial dice and underestimate the likelihood of an event occurring or the impact should it occur.  While still a sensitive subject, the earthquake and tsunami that devastated Japan and resulted in the meltdown of nuclear reactors is a case study in this phenomenon.  Investigations after the tsunami indicated that the managers of the plant grossly underestimated both the likelihood of the tsunami and its impact.

While it is easy to talk in the abstract about spending on security, it is a difficult question to answer.  It is impossible (or nearly impossible) to determine a Return on Investment for security spending.  In the early 2000s a number of companies attempted to define what they were calling the ROSI, or Return on Security Investment.  The problem is that you cannot quantify a return for an event that does not occur.  In short, the only time you can see the value of your investment is when an incident occurs, the controls work, and you can quantify what the loss would have been.  Having been involved in many of the largest data breaches, I have seen firsthand the impact of underestimating the risk and ‘rolling the dice’. Another challenge is the lack of actuarial data for events such as piracy.  While insurance companies have actuarial data refined to the nth degree for automobile theft, the data does not currently exist to accurately predict the risk to ships.

According to the Dodd report, between 2007 and 2010 the average success rate of an attack was roughly 31%.  IMB reports that, in spite of the presence of various task forces, piracy is at an all-time high, with 150 incidents off the coast of Somalia in the first quarter of 2011 alone.  The average reported ransom is between $3.5 and $4.5 million. It should also be noted that pirates captured 338 crew members, killed 7 and wounded 38 in the first quarter of 2011.  While it is difficult to quantify precisely, it is understood anecdotally that piracy is increasing in both frequency and violence.

Shipping companies, like all companies, are focused on revenue and the bottom line.  Spending on safety and security is always difficult, as it is difficult to quantify a return on investment.  While it is not always possible to calculate the risk associated with an event with exacting precision, qualifying the risk is often enough to justify the spending.  When evaluating the level and type of security to engage for your ships, the same risk management principles apply as they would in information security, safety and any other industry where safety and security are critical.  It simply does not pay to buy parachutes from street vendors, or to approach the safety of your ships’ crews and the security of your ships by adhering to “security on the cheap”.

Cyprus to Legislate Allowing Armed Guards on Ships June 20, 2011

Posted by Chris Mark in Laws and Legislation, Piracy & Maritime Security.

Cyprus is poised to become the first European country to legislate allowing guards on ships to fire on pirates in defense of the ship.  Recognizing the seriousness of the increasingly frequent and violent attacks on ships, Cyprus is preparing draft legislation which would allow ships sailing under the flag of Cyprus to use armed guards as part of the ship’s defense.  The conditions under which the guards will be allowed to engage the pirates will be strictly controlled under the law.   “Guards will not be allowed to fire first,” said George Mouskas, president of the Cyprus Union of Shipowners. According to Mr Mouskas, the move to allow armed guards on board is primarily meant as a deterrent, as pirates largely avoid well-defended vessels.  Tellingly, Mr. Mouskas states: “no ship that has armed guards on board has ever been taken by pirates, so it has been very effective.”

This marks a watershed moment in maritime security and makes a definitive statement that armed security is needed to protect ships and their crews from the increasingly violent attacks.  The Cyprus government is to be applauded for their efforts and vision on this front.