Sunday, March 23, 2014

Security Tip: Know Your Industry Risks


Every business has its own unique challenges. Security and crime concerns are one of those challenges. Some businesses may be at a higher risk of robbery, others may be more likely to encounter violent behavior and some may have safety issues such as chemicals and hazardous materials.
A robbery will most likely happen at a business dealing in high-value items, such as cash. Think of banks. Liquor stores and even pharmacies are frequent targets for those looking for artificial ways to enhance their lives. Working in isolation or out in the community, as taxi drivers and convenience store clerks do, adds to the risk.
Other industries may be more exposed to violent attacks. Hospital workers, for example, are at a higher risk of assault due to the interactions with patients dealing with substance abuse and withdrawal, as well as those with mental illness.
Think about the crime risks or dangers that come simply from the type of industry you work in. Once you recognize the general dangers at work, you will be ready to take the right steps to keep those perils away.
Eric Smith, CPP is the leading authority on organizational self-defense. He has extensive experience in law enforcement as well as security management. Eric is available for staff education and security awareness training as well as business coaching to help organizations provide safe workplaces. To learn more email Eric at businesskarate dot com.
If you would like to reprint this post, please contact Eric at Eric at businesskarate dot com.

Thursday, March 13, 2014

5 Communication Rules To Follow When Disaster Strikes


When a disaster or setback interrupts business, getting back in operation is not the only concern. How the information is communicated to customers is extremely critical, but often overlooked. Failure to share information may cost more than the initial interruption; it could mean the loss of customers – perhaps forever.

Let me share my own recent story. I have spent most of last year writing a new book and finished the manuscript at the end of last year (the book is Workplace Security Essentials and is now available on Amazon). Now that the proofreading and writing are done, I decided to revamp my website to help market the book.

Redesigning the website and using new software to update it has been a long process. Once I got over the initial learning curve and started to see a decent website, I have been adding new pages and content in my spare time, usually in the evenings and on the weekends. I was excited about adding a news and events page (visit www.businesskarate.com or click on the “Home” button at the top of this page). The News page includes a recent article in which I was interviewed for a case study in Security Management magazine, and I wanted to get the site updated before a networking event.

Unfortunately, I immediately ran into problems. The site was not accessible, either to view it or to access the administration page. I tried to update some files through the file transfer protocol, but that did not work either. I checked a couple of other sites, which stated that the web hosting company was running. However, when I tried to get online help, normally an easy process, I got a message that there was a long delay due to a server problem.

The hosting company does have a status blog to help communicate problems, which I read. The blog itself did not have much information other than there were a few servers not available at that time. Sadly, the comments below the blog were much more informative and interesting, if inaccurate at times. One of the comments claimed that the servers were down as they were located in Ukraine (this was immediately following Russia’s invasion). An employee did respond, explaining that the servers were in the U.S., but the online support personnel were in the Ukraine. There were also numerous comments about switching to other web hosting companies, as this one was down two weekends in a row.

After a couple of days, the status blog was finally updated with a technical statement about a problem with RAID arrays. The next day, there was an email from the company apologizing for the statement about the RAID arrays and noting that some of the technical users had pointed out that the problem described did not explain the situation. I am not that technical and would not have caught the error, but clearly, a company that provides web hosting is going to have many techies who would, and did, catch that mistake.

In the end, the company began sending out emails to clients, as well as better updates on the status blog to give some projected timelines on which servers would be available along with prospective times and dates.

For my part, my continuity response was to redirect the URL to this blog. I had considered moving the blog, but decided that I will keep it here as a back-up and may even duplicate some of my main site’s pages as pages on this blog.

More importantly, there were a number of problems with the hosting company’s communications. Initially, there were no communications. Many clients suggested in comments that the company should have notified everyone via email of the down time and issues. After those were posted, the company did begin sending emails with updates and a reminder to check the status blog.

We’ve all seen businesses suffer for one reason or another and I think most customers are willing to be forgiving if the problem is handled the right way. After several frustrating days, my site came back up and I was able to make the updates I wanted. My web hosting is up for renewal this month and as of this moment, I am not sure if I will renew or look for another hosting company. There is a lot of work with switching, from setting up new email servers to the file transfer software and set-up, and I am evaluating what will be best.

There are five key lessons that could apply to any company that encounters an interruption of business.

1. Fast. Get information out quickly. It may not have all the details and may just be a preliminary note that there is a problem and that it is being dealt with. Do not make your customers investigate to figure out what is wrong.

2. Accurate. Make sure the information is truthful and, even if simplified, that the basic facts are correct. Getting caught providing information that is not exactly true undermines the company’s credibility and makes any further information provided questionable.

3. Ongoing. Keep the information coming. It is nearly impossible to over-communicate. Provide timely updates throughout a business interruption. Following Hurricane Sandy, one company sent clients emails with regular updates about when orders could be processed again. Anyone who needed to place an order would have known how much longer it would take or what the alternatives were based on the periodic updates.

4. Focus on recovery. Customers want to know when services will be restored. In the case of the web-hosting downtime, many of the customers had customers of their own – businesses that had hired web designers for a website that was now not available. Be sure to let them know the timeline to resume operations. Basically, answer the question, “What’s in it for me?”

5. Future. Communications should also reassure customers about how the problem is being fixed so that it will not happen again. What will the company do differently to prevent a similar problem down the road?

When disaster, or even just a disruption, strikes, follow these five steps with your communications to keep customers in the loop and aware of what is going on. When things return to normal, you will still have customers. And customers are the one thing that your business will find hardest to replace.

Workplace Security Essentials on Amazon.com

Saturday, March 1, 2014

The Irony of Government Solutions to Data Breaches


The U.S. Attorney General, Eric Holder, urged Congress to pass Federal laws to regulate how retail outlets handle data breaches. This was in response to the breach at Target, where hackers stole credit card information from customers in December of 2013.

Holder stated that retailers who fail to protect data should be held liable. He also stated that a Federal law would assist law enforcement with prosecution.

At first glance, it may seem like a good idea. After all, we all deserve to have our identities protected when shopping. However, several questions come to mind. As is so often the case with good intentions, the results may not be everything hoped for.

First, there is a problem with where the blame is focused. Too often, we see cases where the victims are held liable for the actions of crooks. By holding the retailer accountable, the focus shifts to punishing the victim organization rather than focusing on the criminals behind a breach. This same mentality is used at local levels, such as when police will patrol neighborhoods on cold mornings looking for “puffers.” These are cars that someone starts to warm up while waiting inside. True, there are suspects who will steal the warming cars. If the police can take the time to stop and write parking tickets to the would-be victims, then wouldn’t that time be better spent looking for suspicious people hanging out in the areas where the cars are being stolen? Education about the risks and ways to protect yourself, rather than blaming victims, is a much better approach. Of course, as with any harmful event, there is the risk of a company being held liable, especially if the data protection measures were negligent or lacking. Assuming appropriate measures were in place, blaming the organization is counter-productive.

Second, it is ironic that the government would be in a position to dictate what standards other industries should follow. After all, one of the most famous cases of a data breach is the government’s loss of hundreds of thousands of confidential documents to a contractor in the case of the National Security Agency and Edward Snowden. It hardly instills confidence in a government solution.

Third, I am doubtful that establishing Federal standards would provide any real assistance to local police. Local jurisdictions do not have the legal ability to enforce Federal laws, and Federal prosecutors are often swamped and, in my experience, will not even touch smaller cases. There would be a benefit in information sharing among local law enforcement agencies to facilitate investigations, but in many computer crimes the suspects are out of the country and there is no way local police can ever prosecute. I would like to see more of the details about how these cases could be investigated with a successful prosecution before just accepting that another political solution would actually achieve any benefit.

Last, most states already have laws covering how companies need to respond to and address data breaches. A new Federal mandate could override state laws and might not be as effective as the current law. Plus, any time there are legal changes, there will be additional costs, and those will ultimately be passed on to the consumer. There are already limits on how much consumers can be held liable for with regard to identity theft. New laws or changes could potentially be more costly to the consumer, the very group these laws are designed to protect.

Too often, when there is a real problem to address, the knee-jerk reaction, especially of politicians, is to announce solutions that may or may not work. As always, look at the goals and the consequences of new measures. These decisions should be carefully vetted and reviewed and the best course of action taken for the good of all, not just as a ‘feel good’ idea. Keep the focus on stopping criminals, not finding someone else to blame.
