This document summarizes a security breach that occurred at Barings Bank due to violations of safeguards by a trusted employee, Nicholas Leeson. It discusses how Leeson was able to hide significant trading losses through unauthorized accounts on the bank's systems by exploiting lax security controls. The corporate culture at Barings Securities Limited emphasized profits over proper financial controls, leaving the organization vulnerable. Had Barings implemented stronger hierarchical controls and ensured proper supervision of employees, Leeson may not have been able to conceal his actions and cause the bank's collapse.
This document discusses risks to data security and privacy for businesses and the growing liability risks associated with data breaches. It notes that commercial general liability and professional liability policies often have gaps in coverage for privacy breaches. The document recommends that businesses obtain specialized privacy and data loss liability insurance policies to transfer risks and cover costs associated with first and third-party losses from security incidents. It emphasizes reviewing existing insurance policies and procuring appropriate risk transfer solutions to limit liability for privacy data breaches.
Managed Security For A Not So Secure World Wp090991 - Erik Ginalick
This white paper discusses the need for managed security services given the growing threat landscape and constrained IT budgets. It notes that good security requires continual monitoring and adaptation to new threats. Compliance with regulations is also difficult given shrinking resources. Outsourcing security to an expert provider allows organizations to focus on core operations while gaining access to skilled professionals, comprehensive solutions, and expertise in managing security risks. The white paper concludes that a managed security strategy can help reduce costs and ensure compliance while allowing IT staff to focus on business needs.
This document discusses the emerging risks of data security and cyber liability. It notes that virtually every business handles sensitive data and can face risks from data breaches or cyber attacks. The cost of a small data breach involving 1,000 records is estimated at $210,000 on average. It also notes that 40% of small businesses with fewer than 500 employees have experienced a data breach. Data security and cyber liability risks can result in both first-party losses for a company and third-party liabilities.
In today's media and technology age, website owners, designers, hosts and Internet service providers are presented with multiple risks with regard to business and cyberspace. E-commerce now comprises approximately one-third of all the business conducted on the Internet, according to the Insurance Journal. Further, in 1999, businesses lost more than $20 billion because of power outages and hackers. Therefore, protection for your Internet-based resources must be a top priority.
The document discusses the risks that businesses face from internet and technology usage and the need for cyberliability insurance. It outlines various risks like hackers, data breaches, employee internet usage, intellectual property issues, and technology failures. Cyberliability insurance is presented as an important way to protect businesses from these growing digital risks and economic losses, since traditional insurance does not adequately cover these new exposures. The policies can provide coverage for issues like security breaches, viruses, unauthorized access, lost data, and more.
The document summarizes the findings of a survey on global information security trends. It finds that while social media and cloud computing present new security risks, companies are taking steps to manage these risks such as monitoring employee social media use and ensuring virtualized environments are properly configured. It also notes that while outsourcing of security functions had been expected to grow, the economic downturn has led more companies to keep these functions in-house. Overall security budgets are holding steady despite cost-cutting in other areas.
If you missed the webinar Marianne Halvorsen of http://Halvorsenonrisk.com gave on March 25th, 2013, please take a look at the slide presentation that accompanied the webinar. In it you will learn the different types of risks to your company, the costs when an event happens, and how you can protect yourself in the event of a cyber breach.
Cyber liability insurance provides protection against the risks associated with data breaches and loss of personally identifiable information. As property owners and managers collect large amounts of private data on residents, employees, and applicants, the costs of a cyber attack or data breach can be substantial. Cyber liability policies cover expenses like notification of affected individuals, credit monitoring, lawsuits, investigations, and loss of business resulting from attacks. While prevention is important through security measures and policies, the growing threat of cyber crime means companies should evaluate cyber liability insurance as part of their risk management strategy.
The document discusses insider threats and how to mitigate them. It covers how insider threats can come from employees with malicious intent, but also from inadvertent actions like clicking a phishing link. Insider threats also include third party contractors who are given access to networks. The document provides recommendations for organizations to mitigate insider threats such as conducting background checks, monitoring unusual employee behavior, and escorting outsiders within the company's physical sites. It also discusses the ongoing threat of spam being used to distribute malware and how organizations need to protect their users from inadvertently enabling attacks through emails.
1) The security landscape has changed dramatically in recent years as threats grow at alarming rates and existing security solutions become quickly outdated.
2) The article investigates the changes in security and compliance driven by increased regulatory requirements, the need to align security strategies with business needs, a growing focus on information over infrastructure, and new threats like social media and cloud computing.
3) Interviews with security leaders from three organizations reveal how they are addressing these changes through initiatives like deploying Symantec solutions for centralized security and compliance management and adhering to standards like ISO 27001.
The top 3 security concerns for enterprises are mobile security, cloud security, and human error. Mobile security is challenging as mobile devices accessing business information can be compromised if lost or stolen. Cloud security is a concern as companies lose visibility and control over their data in the cloud. Most security breaches are caused by human error through misconfigurations, not system flaws. CIOs must implement security strategies and policies to address these growing threats to protect companies' sensitive data and systems from cyber attacks and breaches.
The Big Picture: Beyond Compliance To Risk Management - Neira Jones
1) Compliance alone does not eliminate risk, and companies need governance plans to manage resources and risks effectively.
2) Recent high-profile data breaches have exposed inadequacies in current governance, risk, and compliance practices, prompting stronger oversight.
3) By connecting controls to risks, companies can achieve improvements in enterprise risk management and use GRC solutions to help make this connection.
The document discusses the growing importance of proactive log management in the insurance industry due to its increasing reliance on technology. It outlines several reasons why data breaches commonly occur in insurance, including carelessness, outsourced data, hacking for profit, and employee retribution. The industry should care because data breaches are very costly to fix, can damage a company's brand, expose intellectual property, and violate numerous regulations and laws. Vigilant log monitoring of servers and applications is crucial to detect and prevent breaches, but many insurance IT teams are inhibited from doing so by the tedious nature of the work and lack of time and resources.
"Cybersecurity, which is viewed as one of today's most prominent threats, has not yet been highlighted as a key issue for the real estate sector. However, with the transition to intelligent buildings, SMART everything, enabled by the Internet of Things and the matter of corporate liability, concerns within the sector are now rapidly changing."
http://www.ey.com/Publication/vwLUAssets/ey-managing-real-estate-cybersecurity/$File/ey-managing-real-estate-cybersecurity.pdf
art - MM Transformer - CIO Council (09-16) v1 - Marlon Moodley
This document discusses the legal risks and responsibilities that CIOs face. It contains several articles that address topics like:
- How CIOs need to understand laws related to both technology and business operations since technology and business are now intertwined. This means CIOs must comply with a wide range of legislation.
- Upcoming laws in South Africa that CIOs need to be aware of, such as the Protection of Personal Information Act, Cybercrimes and Cybersecurity Bill, and King IV corporate governance principles.
- Specific actions a CIO could take that could result in criminal charges or jail time, as defined in the South African Companies Act. CIOs have access to privileged information and
[Webinar Slides] Data Privacy - Learn What It Takes to Protect Your Information - AIIM International
Follow along with these webinar slides as we take a close look at what it takes to prepare for all kinds of data privacy regulations; learn how to protect your data in order to be compliant with regulators or for healthy business practices in general.
Want to follow along with the webinar replay? Download it here for free: http://info.aiim.org/protect-your-information
All clear id_whitepaper__not_all_breaches_are_created_equal - Nicholas Cramer
This document discusses considerations for responding to a data breach. It outlines a typical timeline for notifying affected individuals once a breach is discovered. It also describes different types of identity theft that can result from a breach and factors to consider when determining the level of harm. The document emphasizes the importance of understanding these risks to properly address harm through identity protection services.
This document summarizes an article from The Corporate Governance Advisor on tools for boards to oversee cybersecurity risk. It discusses the business impacts and litigation/regulatory risks of cyber attacks. It outlines how boards have an oversight duty to ensure proper information and reporting systems exist to manage cybersecurity risk. The document provides examples of cybersecurity disclosure from companies like Target and Home Depot. It discusses SEC guidance on cybersecurity disclosure and notes boards must exercise oversight in good faith to avoid liability for failures.
This document summarizes a paper about increasing data breaches and the need for legislation to address the problem. It notes that over 233 million US records have been exposed due to breaches since 2005. The document discusses the costs of breaches to companies and common causes, such as lost or stolen devices. It argues that while some states have breach notification laws, federal legislation is needed to standardize security practices and privacy protections across industries. The paper aims to examine if legislation is needed to reduce breaches, when people should be notified of breaches, and if compensation should be required.
This document provides an overview of transaction security issues in e-commerce. It discusses how online transactions face threats from infrastructure, organizational, network and application vulnerabilities. Proper security management, including firewalls, network security controls and authentication are needed to protect sensitive information. Specifically, internet banking requires intrusion detection systems and legal frameworks to address security problems from insiders and across borders. Improving consumer education and trust are important for the long term success and growth of secure e-commerce transactions.
Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union. http://www.nafcu.org/affinion
2013-11 Growing Trend of Finding Regulatory and Tort ... - Raleigh ISSA
Invited speaker: "Growing Trend of Finding Regulatory and Tort Liability for Cyber Security Breaches" with Mark W. Ishman, J.D., Masters in Law in Information Technology and Privacy Law
Quick Start Guide to IT Security for Businesses - CompTIA
IT security is constantly changing, which means it can be hard for businesses to keep up. This guide from CompTIA educates IT solution providers on the importance of providing clients with up-to-date IT security, identifies the risks of inadequate or poor security, and examines the technology shifts and factors affecting security in the workplace.
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
This document discusses the legal challenges of creating a Bring Your Own Device (BYOD) policy for employees. It outlines 10 key legal risk issues that need to be addressed, including privacy of personal information, data security, intellectual property rights, and employee training. Developing a comprehensive BYOD policy requires considering privacy laws, data protection, device usage policies, and ensuring all legal bases are covered to avoid liability issues from employees' personal device use for work.
This presentation covers the current and future exposures that construction-related firms face from cyber incidents. In addition, it covers how insurance carriers view underwriting cyber risks in the current market. Finally, the presentation provides an overview of how firms can prevent and respond to cyber incidents.
The document discusses various compliance issues related to information security and data protection legislation in South Africa and the United States. It notes that while some US laws like Sarbanes-Oxley have no equivalent in SA, the King II report and ECT Act are the primary drivers of compliance locally. However, it cautions against overstating legal requirements, as King II is not law and parts of the ECT Act lack implementation regulations. The document advocates a risk-based approach to compliance rather than fear-based responses to legislation.
Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union.
Booz Allen's U.S. Commercial Leader and Executive Vice President, Bill Phelps, recently released his list of 10 Cyber Priorities for Boards of Directors. As we peer into how business, technology, regulatory, and cyber threat realities are evolving in the coming year, here is a reference guide for board members to use in validating their company's cybersecurity approach.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The document discusses the challenges of cybersecurity in today's data-driven age. It notes that the rapid growth of technology and data has created significant challenges for data security and regulatory compliance. Additionally, as organizations adopt more sophisticated digital business models, the board's need for assurance around data access and security increases. The document outlines some of the key challenges in combating cybercrime, such as consumers and SMEs not fully comprehending the threat or how to defend against it. It also notes that increased regulation around data protection and privacy adds further complexity, highlighting the importance of transparency and education.
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns / Gurpreet Dhillon
Computers & Security, Vol. 20, No. 2

Bank and the violation of safeguards by Nicholas Leeson, a trusted employee, are used to interpret the nature and scope of such security breaches. This is followed by a discussion that forms the basis for generating principles for effectively managing the violations of safeguards such that the security of computer based systems within organizations is not compromised.

Violation of Safeguards at Barings Bank

This section reviews the violation of internal organizational controls by an employee to gain undue advantage. It stresses the importance of instituting informal controls if computer security situations are to be adequately managed. The security issues arising from the misuse affect information systems integrity, formal and informal control mechanisms, and organizational cohesion in terms of culture.

Background

Barings Brothers & Co. (BB&Co.), a 223-year-old institution specializing in traditional merchant banking, decided to expand into investment banking in 1984 as a result of deregulation in the British financial markets. BB&Co. established a brokerage firm under the name of Barings Far East Securities, but this was later changed to Barings Securities Limited (BSL). The new company adopted the corporate culture of its founder Christopher Heath, a man recruited from the brokerage firm Henderson, Crosthwaite & Co. Heath brought many like-minded people into the new Barings subsidiary and created a strong corporate culture. This culture was more profit-seeking and money-oriented than the traditional merchant banking culture that had existed at BB&Co. for centuries.

BB&Co. collapsed in 1995 due to one individual's wrongdoing and many other individuals' security negligence. Nicholas Leeson, the General Manager of Barings Futures Singapore Pte, Ltd. (BFS), a subsidiary of BB&Co., exploited substandard information security systems and caused the company to be placed under judicial management and eventually to go bankrupt.

Since Leeson had gained an immense amount of trust through his profits, £30 million for Barings in 1994 alone, he was able to circumvent many of the security inquiries against him without consequence. Leeson lost £126 million in Nikkei futures and Japanese Government bonds on 23 February 1995 after losing £701 million over the past two years. Given the lackadaisical organizational and information security constraints at BB&Co., Leeson was able to hide his losses in a secret account created using Barings' accounting computer systems. This was account 88888.

The basic problem at BB&Co. that is of relevance to this paper is the lack of correctly enforced organizational information security measures. Even though a functional security plan was in place at BB&Co., it did not take into account any interpretive data in its implementation, so leaving BB&Co. vulnerable.

Corporate Restructuring Challenges

As BSL expanded and contributed increasing amounts to the revenues of the entire Barings Group, rivalry developed between BSL and BB&Co. Also, as internal competition between the companies accelerated, so did the incentive to take on more risk at BSL. The risk-taking management style and fast expansion of BSL left little time for implementing proper control mechanisms that would guard against financial impropriety. Barings Group directors became concerned and initiated a corporate restructuring.

The first thing that went wrong with the corporate restructuring was that the preferred corporate culture of fiscal conservatism could not be transferred from BB&Co. to BSL. Had the original conservative culture been instilled at BSL's development, perhaps through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, there probably would have been less rivalry and less unwarranted risk-taking.

Problems could also have been controlled had it not been for the matrix structure. The structure per se was not wrong, but it was not implemented correctly, causing confusion and unclear reporting lines. Management's lack of understanding of its own responsibilities allowed Leeson and others to go unsupervised locally; local supervision could have prevented the unethical behaviour and its escalation. Adopting a hierarchical control system that limits decision-making could have prevented this. By standardizing jobs, implementing direct supervision, and making sure that checks and balances were in place, no employee would have been able to take covert actions that would have jeopardized the entire organization. The situation at Barings Group was a disaster waiting to happen. It defies probability that the entire collapse did not happen earlier. There are several factors that contribute to this assertion.

The most problematic cause of disaster lies in the roots of BSL itself. BB&Co. began their subsidiary by handing over total control to Christopher Heath. The bank even requested that the staff of the new subsidiary consist of employees of Heath's current company, Henderson, Crosthwaite & Co., where he was a partner. It was from this moment that BB&Co. placed complete trust of BSL in the hands of an entity unfamiliar to Barings Group. BB&Co. had essentially relinquished control. Even though Heath was a positive influence in creating a company culture that fostered ambition and individualism, he also created an environment lacking in formal control mechanisms.

Another factor that foreshadowed the demise of Barings was the rivalry that developed between the two main firms in Barings Group: BB&Co. and BSL.

When Nicholas Leeson came to Barings Futures Singapore (BFS), a subsidiary of BSL, as General Manager, he would soon be credited with bringing down the entire banking organization. He effectively kept his gross misconduct from being openly discovered for two main reasons: (1) the autonomy of BFS from the central hierarchy and (2) the absurd lack of internal controls throughout the entire Barings Group.

Evaluation of Organizational Controls

Internal Controls

The implementation of internal controls for any organization is key to running a 'well-oiled' business. One of the first things accounting auditors learn in their studies is that examining the internal controls of an organization can tell a great deal about the company, how effectively it works, and how aware management is of its business processes. Management is responsible for maintaining the entity's controls. Of course, the controls' effectiveness depends on the competency and dependability of the people using them. Clearly, in this case the size, structure, and personnel were available to have effective controls, but Barings did not manage them, prioritize them, or take responsibility for maintaining them.

When management establishes its system of internal controls, there are several principles that are important to their plan. One fundamental principle is segregation of duties. It is important to segregate the areas of revenue generation, or custody of assets, and record keeping. This principle is extremely important because it prevents a single individual from committing misappropriation of company assets or revenue and then concealing the defalcation by altering the records. Some companies separate controls even further, in such a way that it would require two or even three individuals to commit this crime and conceal it on the books.

This internal control was not present at BFS. Leeson was responsible, as part of his position, for overseeing the trading and trade processing, settlement, and administration. He had access to the authorization and creation of trading accounts on the IT system; responsibility for generating income by trading a 'book of business'; and also the ability to make journal entries that were posted to the system, apparently without review.

Another key problem was the lack of an effective internal auditing department. Problems or weaknesses with the design of the internal controls and discrepancies with the adherence to those internal controls are the primary responsibility of the internal auditing department. Internal auditing departments prioritize their activities based on a risk analysis. Areas that are potentially more vulnerable to the company are their responsibility. Obviously this department failed to do its job if the activities of a small branch in Singapore were able to bring down the entire bank.

The key risk items that should have been looked at were, first of all, the lack of segregation of internal control at the branch level. Leeson was a General Manager who was responsible for both making trades and recording them. Second, a small branch in Singapore was showing abnormally large profits. Third, account balances were not reconciled. Daily reconciliation in the computer age is not unreasonable. Fourth, why were receivables in the Singapore office so high? The internal audit department was either incompetent or lacking in sufficient organizational support to be effective.

There are five components of an ideal internal control mechanism that management should use to design and implement controls to give reasonable assurance that the control objectives are being met. These components are the control environment, risk assessment, control activities, information and communication, and monitoring.

First, the control environment consists of actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the corporation. Clearly Barings Bank had some internal controls in place, but they were performed more as a checklist than for true discovery or prevention. Second, management should assess the

was discovered in later years that there was evidence of memoranda flying around about this blatant lack of separation of duties long before the collapse, yet nothing was done to change it. Fourth, information technology is used to gather company transactions and to maintain accountability, to clearly communicate what is happening in the organization. At Barings Bank the management, internal auditors, and external auditors were all staring at the '88888' account problem; after all, it was a glaring piece of information, yet no-one attempted to reconcile this piece of reported information. It is true that Leeson hid things, forged documents, had information shredded by subordinates, restricted access to financial information, etc., but the fraud could still have been uncovered. Leeson simply had the confidence that even with all the controls in place and the inquiries into discrepancies that were found, he would still be able to beat the internal control system and recover the severe losses he was accumulating, because the system was weak, flaky, and, therefore, easily circumvented. Fifth, monitoring the quality of controls periodically is essential to have effective controls. The internal audit department of Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings' control functions used varying degrees of the 'hands-off' approach in performing their jobs.

External Controls

The external auditors also failed in their professional responsibility to detect material fraud at the Singapore
risk in the design of its internal controls to minimize office. Deloitte & Touche were the auditors through
errors and fraud. Having the level of autonomy that 1993, the time during which account 88888 was
BFS did from the Bank, the risk was much greater and established. By then Leesonâs loss was ÂŁ23 million;
should have caused increased sensitivity for strict this clearly would have been material to BFSâ opera-
adherence to a good internal control system. Third, tions. Essentially, on the financial statement, Leeson
control activities include other policies and proce- was booking an entry to record the loss as income and
dures that help to ensure that necessary actions are as a receivable in order to conceal this loss. Deloitte &
taken to address risks in the achievement of the com- Touche failed in their audit of both the revenue of
panyâs objectives. Such control activities, adequate BFS and the assets of BFS.The unprofessional manner
documents and records, physical control, and inde- that they used to satisfy themselves that the receivable
pendent checks on performance are important com- was correct was a major factor contributing to their
ponents of internal control mechanisms. Baringsâ demise.
management knew Leeson had control of both the
front and back offices of a After 1993, Coopers & Lybrand were the auditors
division (BFS) they hardly knew anything about. It for BFS. Coopers also failed in their confirmation of
168
5. Computers & Security, Vol. 20, No. 2
the bogus Spear, Leeds & Kellogg (a New York trad- combination of personal factors, work situations and
er) receivable. Leeson had earlier claimed it to be a available opportunities [2]. Hearnden [8] believes that
computer error. However, when the auditors pur- most of the perpetrators are motivated by greed,
sued the point further, he claimed that it was a financial and other personnel problems. Forester and
receivable. Confirmations should be requested Morrison [7] suggest that sometimes even love and
directly from the debtor by the creditor but returned sex could provide a powerful stimulus for carrying
directly to the auditor. Since Leeson produced the out computer crimes. A survey conducted by the UK
documents himself, it was not credible evidence for Audit Commission in 1994 found, in addition to per-
auditing purposes. Second, if they were to be relied sonal factors, disregard for basic internal controls
upon, Coopers & Lybrand could have made a phone (password not changed, computer activities not trace-
call to Leesonâs point of contact to confirm the doc- able etc.) and ineffective monitoring procedures con-
uments. The biggest question was why no-one tributed significantly to incidents of computer crime.
noticed that BSLâs Singapore branch had one indi- An earlier study by Parker [13] found that in most
vidual responsible for both the front and back organizations, sufficient methods of deterrence, detec-
offices, and realized the possibility for fraud. tion, prevention and recovery did not exist. Clearly
Everybody involved with BSL knew the answer: the Barings Bank situation was a case in point.
they were enjoying the benefits accrued from the
status quo and did not see a need to scrutinize the In the previous section, a number of issues have been
BFSâ business processes. presented which could be considered as reasons why
information system security breaches occur in the
first place. However there is considerable debate as
Understanding the Issue to the extent to which information system security
The discussion on Barings Bank and the violation of problems exist in reality. Parker [12] found that there
safeguards by Leeson, a trusted employee, constitutes was a wide range of opinions regarding the extent of
a kind of an information system security breach that computer security breaches due to the subversion of
is intentional in nature. Generally, intentional acts controls by internal employees. There were reports
could result in frauds, virus infections, and invasion suggesting that only 374 cases were directly related
of privacy and sabotage. Parker [11] uses the term to computer misuse, hence portraying computer
âcomputer abuseâ to describes such acts as vandalism crimes as being of minor significance. However dur-
and malicious mischief and places them in the same ing the same period nearly 150 000 computers had
category as white-collar crime.White-collar crime is been installed within US organizations. Clearly the
defined by Parker as âany endeavour or practice reported computer crime cases were an underesti-
involving the stifling of free enterprise or promoting mation and what we actually see is just the tip of the
of unfair competition; a breach of trust against an iceberg.The UK Audit Commissionâs study suggests
individual or an institution; a violation of occupa- that many individuals and organizations fail to rec-
tional conduct or jeopardizing of consumers and ognize computer crime as a problem. Its survey
clienteleâ. Information system security breaches found employees at the managerial and supervisory
resulting from the violation of safeguards by internal levels as falling short of understanding the risks that
employees can therefore be defined as a deliberate computer misuse presents. In fact two-thirds of the
misappropriation by which individuals intend to perpetrators were supervisors who had been in the
gain dishonest advantages through the use of the organization for a minimum four years [1]. Another
computer systems. Misappropriation itself may be study based in the US found an astonishing 31% of
opportunist, pressured, or a single-minded calculated computer crimes were being carried out by low paid
contrivance. clerks, 25% by managers and 24% by computer per-
sonnel [10]. Indeed Balsmeier and Kelly [3] suggest
Computer crime committed by internal employees that most organizations had no method to minimize
is essentially a rational act and could result from a or deter computer crime and that the rewards for
169
6. Violation of Safeguards by Trusted Personnel and Understanding
Related Information Security Concerns/Gurpreet Dhillon
unethical behaviour seem to outweigh the risks.This auditors from both firms made a serious mistake.
clearly suggests that Barings Bank, with all the flaws They relied on the internal controls of BFS when the
in its internal reporting and control structures, was a internal controls were defective in the first place.
victim of an information system security breach that They did not perform any substantive procedures to
has been considered a significant threat for a while. ensure that this material weakness was not causing
Yet no learning was incorporated into Baring Bankâs materially incorrect balances to certain accounts.The
thinking process. auditors then reported to the board of directors that
everything was fine when in reality that could not
From an auditing perspective, consideration could have been further from the truth.
have been given to at least two aspects. First, the
internal audit should have been reported to the audit
committee, comprised of the board of directors of Discussion
the company. Additionally, these members of the Since most of the computer security breaches occur
audit committee should have been independent because internal employees have subverted the exist-
board members, rather than board members who ing controls (see Dhillon [4]), it is important that
work for the company in the capacity of manage- emphasis is placed on the more pragmatic aspects of
ment or other professionals who provide service to an organization. Considering the particular case of
the company. The independent, external auditors Leeson, an individual gets involved in particular acts as
should also have reported to the audit committee. a consequence of a combination of a personâs
This is necessary to ensure that the auditors are behavioural and normative beliefs. If a personâs atti-
reporting to a level high enough to ensure that rec- tude to perform an illicit act needs to be influenced,
ommendations and warnings do not fall on âdeaf one has to focus of changing the primary belief sys-
earsâ. Internal and external audits are designed to tem. More than any specific communication instru-
help assure the board of directors and stockholders ment, an organization-wide feeling of working
that the financial statements of management are together to solve problems and not hide them is the
materially correct and that management is acting key.This ties together the cultural and reporting stan-
responsibly to maximize shareholder value and safe- dards, so that Barings could have moved forward and
guard their assets. If they were to report to anyone its subsidiaries would not have hidden losses. Rather
but the audit committee, that responsibility could be they should have worked together to solve problems.
jeopardized by internal politics. This, combined with proper auditing techniques,
would have allowed Barings and its subsidiaries to
Second, an accountability and responsibility structure avoid collapse. The paragraphs below identify some
for internal auditors should have been created. specific guidelines that organizations should consider
Although internal auditors report directly to a com- if violations of safeguards by trusted personnel are to
mittee of the board of directors, the internal audit be avoided.
department still needs to be accountable and respon-
sible in order to use the resources that they are given
in the most effective manner. The fact that internal Formalized Rules
auditors let a serious problem with the segregation of It has been argued that if an organization has a high
duties pass without âraising a major ruckusâ was neg- level of dependence on IT, there is a greater likelihood
ligent. External auditors also needed to be held of it being vulnerable to computer related misuse
accountable. In public accounting, a partner with }(e.g. see Moor [9]). It is therefore important that
over 20 years of experience would normally sell the organizations implement effective and systematic
engagements.The client then will not see the partner policies.The demand for establishing security policies
until the job is over. Unfortunately, most of the audit within organizations has long been made by
is performed by staff members, who are usually just academics and practitioners alike, however such calls
one to three years out of college. In this case, the have largely gone unheeded. Formalized rules in the
170
7. Computers & Security, Vol. 20, No. 2
form of security policies will help in facilitating prevalent work situation and the opportunity to
bureaucratic functions such that ambiguities and mis- commit criminal acts affected the primary belief
understandings within organizations can be resolved. system of Leeson, thus creating an environment con-
Lack of formal rules or an inability to enforce the ducive to a crime being committed.This suggests that
rules was very well evidenced in the case of Barings monitoring of employee behaviour is an essential
Bank and Leesonâs activities. Most regulatory bodies step in maintaining the integrity of an organization.
(e.g. the Securities and Exchange Commission in the Such monitoring does not necessarily have to be
US) demand that certain procedures should be fol- formal and rule based. In fact, informal monitoring,
lowed. There are even explicit rules regarding super- such as interpreting behavioural changes and identi-
vision. However because of an increased pressure to fying personal and group conflicts, can help in
perform and be profitable, many of the formal rules establishing adequate checks and balances.
were overlooked at Barings Bank.The case of Barings
Bank suggests that although organizations cherish to
instill a culture of efficiency and good practice, poor Conclusion
communication often has a negative impact.The case This paper has presented an analysis of violation of
also suggests that formalized rules are essential for the safeguards by trusted personnel by considering the
functioning of an organization and often something case of Barings Bank and the activities of Nicholas
more needs to be done. Perhaps there should be an Leeson. The analysis has suggested that organizations
adequate emphasis on informal or normative controls. need to focus on the underlying beliefs that lead indi-
viduals to engage in intentional illicit acts resulting in
computer security breaches. Clearly, behavioural
Normative Controls change is ultimately the result of changes in beliefs.
Clearly, mere technical or formal control measures are Thus it is important that people within organizations
inadequate to prevent computer security breaches. In are exposed to information which will produce
other related work Dhillon [4] cites cases where it was changes in their beliefs. In proactively managing the
relatively easy for insiders to gain access to informa- occurrence of adverse events, it is essential that we
tion systems and camouflage fictitious and fraudulent trace those changes in primary beliefs that result in
transactions. In the US, one of the most publicized particular attitudes and subjective norms.
examples of this kind of behaviour is evidenced by
the demise of the Kidder Peabody and the dealings of Acknowledgments
Joseph Jett. Jett was able to exploit a loophole in the
accounting system to inflate the profits. It was possi- Acknowledgments are due to Dr. James Backhouse,
ble to engage in criminal activities because the person director of Computer Security Research Center at
involved was an insider. It therefore becomes obvious the London School of Economics, for extensive dis-
that no matter what the extent of formal and techni- cussions, comments and feedback on various aspects
cal controls, prevention of insider security breaches of information security management. The assistance
demands certain normative controls. Such controls and comments of number of graduate students at the
essentially deal with the culture, value and belief sys- University of Nevada, Las Vegas and London School
tem of the individuals concerned (for details see of Economics, including Russell Cook, Roy Dajalos
Dhillon [4]). and Freddy Tan are also acknowledged.
Employee Behaviour References
Previous research has shown that besides personal [1] Audit Commission, Opportunity makes a thief.
circumstances, work situations and opportunities Analysis of computer abuse, The Audit Commission
available allow individuals to perform criminal for Local Authorities and the National Health
acts (e.g. see [2]). In the case of Barings Bank the Service in England and Wales, 1994.
171
8. Violation of Safeguards by Trusted Personnel and Understanding
Related Information Security Concerns/Gurpreet Dhillon
[2] Backhouse, J. and Dhillon, G., Managing comput- [8] Hearnden, K., âComputer crime and people,â in
er crime: a research outlook, Computers & Security, Hearnden, K., ed., A handbook of computer crime,
14, 7, (1995), 645-651. London: Kogan Page, 1990.
[3] Balsmeier, P. and Kelly, J.,The ethics of sentencing [9] Moor, J.H., What is computer ethics,
white-collar criminals, Journal of Business Ethics, 15, Metaphilosophy, 16, 4, (1985), 266-275.
2, (1996), 143-152.
[10]Oz, E., Ethics for the information age, Business
[4] Dhillon, G., Managing information system security, and Educational Technologies, 1994.
Macmillan, London, 1997.
[11]Parker, D.B., Crime by computer, Charles
[5] Dhillon, G.,âChallenges in managing information Scribnerâs Sons, New York, 1976.
security in the new millennium,â in Dhillon, G.,
ed., Information security management: global challenges [12]Parker, D.B.,âEthical dilemmas in computer tech-
in the new millennium, Hershey: Idea Group, 2001. nology,â in Hoffman, W.M. and Moore, J.M., ed.,
Ethics and the management of computer technology,
[6] Dhillon, G. and Backhouse, J., Information system Cambridge, MA: Oelgeschlager, Gunn, and Hain,
security management in the new millennium, 1982.
Communications of the ACM, 43, 7, (2000), 125-128.
[13]Parker, D.B. and Nycum, S.H., Computer Crime,
[7] Forester, T. and Morrison, P., Computer ethics: cau- Communication of the ACM, 27, 4, (1984),
tionary tales and ethical dilemmas in computing, The
MIT Press, Cambridge, 1994.
172