{"id":1255,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail192-atl81-rsgsv-net\/"},"modified":"2021-12-30T11:39:03","modified_gmt":"2021-12-30T11:39:03","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail192-atl81-rsgsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail192-atl81-rsgsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail192.atl81.rsgsv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* QinetiQ : Lack of process and security culture are chief factors leaving firms open to cyber attack<br \/>\n* Smartworld to launch ME\u2019s first of its kind Cyber Security Centre<br \/>\n* Auto Dealers Under Imminent Threat of Security Breaches, Helion Technologies Announces<br \/>\n* Cybercrime damages expected to cost the world $6 trillion by 2021<br \/>\n* OT, Compliant with Discover\u2019s Latest Specifications on Dual Payment Cards<br \/>\n* Reserve Bank takes action to fend off sustained cyberattacks[South Africa]<br \/>\n* Rio Olympics sees more IT security events than London games<br \/>\n* Third-party vendors &#8212; your weakest link?<br \/>\n* How to get your network and security teams working together<br \/>\n* Data security and breach notification in Belgium<br \/>\n* Feds plan to investigate more healthcare breaches<br \/>\n* Data security and breach notification in 
Singapore<br \/>\n* Risk Management: Time for Introspection for Asia-Pacific Security Leaders<br \/>\n* Week in Review: Proposed Rule Changes and Another Data-Breach Decision<br \/>\n* California to mull biometric standards in data breach law<br \/>\n* Proof Of Concept: Tips For Successful Testing<br \/>\n* Infrastructure Pros Look To Add Skills<br \/>\n* To really improve corporate culture, it must be measurable<\/p>\n<p>QinetiQ : Lack of process and security culture are chief factors leaving firms open to cyber attack<br \/>\nA lack of understanding of how to mitigate employee negligence is leaving firms wide open to cyber-attacks, a whitepaper published by defence and security consultancy QinetiQ has warned.<br \/>\nIn an analysis of government data and work with its own clients, QinetiQ has identified a clear gap between employee knowledge and their actions, concluding that security training alone will not change employee behaviours, with QinetiQ advocating a more holistic approach to security, designed with the integration of people, process and technology in mind.<br \/>\nRecent government data has shown that 81% of large organisations that were victims of hacking in 2015 stated that the actions of their employees aided the attacker, with 90% of large organisations suffering some sort of overall breach.<br \/>\nDespite widespread awareness of this threat, the security consultancy found that most organisations lack a clear understanding of the complex interaction between human behaviour, technology and organisational process.<br \/>\nThis often leaves cyber security processes below par, and creates an ideal route for attackers to cause serious damage and disruption to major companies and organisations.<br \/>\nEnsuring company best practice is written in plain English is of utmost importance.<br \/>\nPolicy should provide context and relevance to employees&#8217; day-to-day lives, and be drafted and considered in line with the wider goals of the business.<br 
\/>\nAnalysis has shown that employees will often sign\/agree to policy documents without reading the contents because of too much jargon, leading to situations where employees are unaware of protocol when they are most needed.<br \/>\nHuman behaviour analysis should form the bedrock of any security strategy and should actively steer policy direction.<br \/>\nA clear assessment process can give a 360-degree view, often yielding invaluable knowledge of where security is optimal or needs improvement.<br \/>\nWith this knowledge, businesses can save significant investment and maintain a clear view of the performance of security policies, such as monitoring recent training and how this has impacted employees across different sectors of the business.<br \/>\nTraining must be designed to be regular, relevant, short, engaging and empowering to bolster its effectiveness and prevent employees from unwittingly (or deliberately) causing a security breach.<br \/>\nThe common pitfalls of training practices are often that it is long and laborious, but infrequent.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=06386539b1&#038;e=20056c7556<\/p>\n<p>Smartworld to launch ME\u2019s first of its kind Cyber Security Centre<br \/>\nSmartworld, a joint venture between Etisalat and Dubai South, has signed an agreement to launch the Middle East\u2019s first of its kind \u2018Cyber Security Centre.\u2019 The UAE is among the top three targeted countries in the world in terms of cyber attacks, according to the data shown at the new Cyber Security Centre at Smartworld Headquarters in Dubai.<br \/>\nIn its 2015 Internet Security Threat Report, Symantec noted that the UAE has jumped dramatically in the world ranking from 49 in 2014 to 41 in 2015.<br \/>\nThe initiative is in line with the vision and development strategies of the UAE and Dubai especially toward technological advancements in all areas and supports the most critical 
component of security for organisations.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c4d6448180&#038;e=20056c7556<\/p>\n<p>Auto Dealers Under Imminent Threat of Security Breaches, Helion Technologies Announces<br \/>\nTIMONIUM, MD, UNITED STATES, August 22, 2016 \/EINPresswire.com\/ &#8212; Helion Technologies announced today that 75 percent of small businesses have experienced security breaches in the last 12 months, according to a recent survey conducted by Osterman Research.<br \/>\nThe findings were published in a July 2016 report titled IT Security at Small to Mid-Size Businesses (SMBs): 2016 Benchmark Survey.<br \/>\nThe results were obtained from organizations ranging in size from 100 to 3,000 employees.<br \/>\nSmall businesses, defined as having fewer than 500 employees, were most vulnerable to security attacks as they are less likely to have full-time security experts on staff.<br \/>\nNearly one-third of the survey respondents have two or fewer IT personnel focused solely on security, indicating that smaller companies do not have the expertise necessary to deal with attacks, infections and other problems quickly and efficiently.<br \/>\nThe survey also found that for SMBs, overall security-related costs have increased an average of 23 percent in the last 12 months.<br \/>\nThe increase is likely correlated to the growing number of security threats; for example, in 2015 the number of phishing URLs increased by 55 percent and the total volume of new malware increased by 14 percent.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=994867da8d&#038;e=20056c7556<\/p>\n<p>Cybercrime damages expected to cost the world $6 trillion by 2021<br \/>\nCybercrime will continue its stratospheric growth over the next five years, according to a recent report published by Cybersecurity Ventures. 
(Disclaimer: Steve Morgan is the Founder and CEO at Cybersecurity Ventures.)<br \/>\nWhile there are numerous contributors to the rise in cybercrime &#8212; which is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015 &#8212; the most obvious predictor is a massive expansion of the global attack surface which hackers target.<br \/>\nData remains the primary hacker target.<br \/>\nMicrosoft predicts by 2020 data volumes online will be 50 times greater than today.<br \/>\nThere are 111 billion lines of new software code being produced each year \u2014 which will include billions of vulnerabilities that can be exploited, according to research conducted by Secure Decisions.<br \/>\nThe $6 trillion estimate of costs related to cybercrime damages by 2021 is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, a cyber attack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8e796e0f01&#038;e=20056c7556<\/p>\n<p>OT, Compliant with Discover\u2019s Latest Specifications on Dual Payment Cards<br \/>\nCOLOMBES, France&#8211;(BUSINESS WIRE)&#8211;OT (Oberthur Technologies), a leading global provider of embedded security software products and services, today announced that its dual EMV payment cards are certified by Discover with its latest specifications, D-Payment Application Specification (D-PAS) version 1.1.<br \/>\nThese cards can be used worldwide across the Discover Global Network, which includes Discover Network, Diners Club International, PULSE and affiliated networks.<br \/>\nOT\u2019s Discover-certified EMV dual interface payment cards can be used to make payments simply by tapping them in front 
of a contactless terminal.<br \/>\nIt further strengthens OT\u2019s wide EMV certified cards portfolio.<br \/>\nOther functionalities, such as transport, micropayment or access control, can accompany Discover\u2019s payment functionalities.<br \/>\nThese cutting-edge payment cards meet international security standards in order to help decrease fraud and improve cardholders\u2019 protection.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c6f9ec7682&#038;e=20056c7556<\/p>\n<p>Reserve Bank takes action to fend off sustained cyberattacks [South Africa]<br \/>\nThe Reserve Bank has established a special forum of all SA\u2019s major financial institutions to put together contingency measures to protect SA\u2019s critical financial infrastructure from a prolonged cyberattack.<br \/>\nThis was revealed on Tuesday by Governor Lesetja Kganyago in Johannesburg at the first ever cybersecurity conference organised and hosted by the Bank.<br \/>\nNoting that the Financial Sector Regulation Bill currently before Parliament will make the Bank responsible for ensuring the safety and soundness of financial institutions, not just overseeing their regulation, Kganyago said the Bank was serious about deepening cyber resilience in the sector.<br \/>\nTo this end, the Bank had established the Financial Sector Contingency Forum (FSCF), representing all major financial sector stakeholders.<br \/>\nOne of the responsibilities of the forum will be to put contingency plans in place for such an attack.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=cba5a0aa70&#038;e=20056c7556<\/p>\n<p>Rio Olympics sees more IT security events than London games<br \/>\nOlympic IT partner Atos has published a report on its performance and the main highlights of the 2016 Rio Summer Olympic Games.<br \/>\nAtos installed and managed a complete IT infrastructure at 37 competition venues, while the number 
of IT security events per second amounted to 400, compared to 200 per second in London.<br \/>\nA total of 300,000 accreditations were processed and activated using the Atos IT system (up 20 percent since London 2012), while over 100 million messages were sent to media customers to share the real time results and data from all 42 Olympic sports and 306 events (up from 58.8 million at London 2012).<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7b27b30476&#038;e=20056c7556<\/p>\n<p>Third-party vendors &#8212; your weakest link?<br \/>\nIn my experience, too many organizations still don&#8217;t pay close attention to their third parties.<br \/>\nAccording to an article by Evantix, of 450 breaches investigated in 2013, a staggering 63% involved a third party.<br \/>\nExperian, in their 2015 Data Breach Industry Forecast, made the case well, saying &#8220;As more companies adopt interconnected systems and products, cyber attacks will likely increase via data accessed from third-party vendors.&#8221; The same report expresses concern about the growth of a different sort of third party exposure &#8212; Internet of Things devices, a risk that the business world is just now beginning to face.<br \/>\nWhile the lack of appropriate security precautions and risk management processes are very common among small vendors, the big guys have lapses too.<br \/>\nIn late 2015, Hartford Hospital shared a $90K HIPAA-related fine with tech giant EMC, because of their failure to safeguard customer data on laptops.<br \/>\nCorporate leadership must make third-party risk management a priority for it to be successful.<br \/>\nSuch a program requires resources, and often involves delays in the purchase of products and services while the related risk is assessed.<br \/>\nWithout strong support from the C-Suite, managers will simply ignore third-party risk, and just buy whatever they want whenever they get in a hurry.<br 
\/>\nThird-party oversight should begin with a structured program, with proper documentation and procedures.<br \/>\nThe program must be an ongoing effort, rather than a one-time review.<br \/>\nThis should include complete analysis of each vendor BEFORE a contract is signed.<br \/>\nFor ideas on how to structure such a system, I would suggest that you review &#8220;Third-party risk management &#8212; not just papering the file.&#8221;<br \/>\nBottom line &#8212; unmanaged third parties can pose a risk to your company that is even greater than that posed by your own internal security issues.<br \/>\nBad actors know this as well, and they will exploit this opening unless you step up and manage the risk.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7a5a89c9d1&#038;e=20056c7556<\/p>\n<p>How to get your network and security teams working together<br \/>\nYour network and security teams may have different goals and objectives, but as networks grow more complex, it\u2019s time to get these two teams on the same page to help avoid miscommunication around security threats.<br \/>\nOne of the biggest reasons these two teams aren&#8217;t known for strong communication and teamwork, according to Vigna, is their &#8220;conflicting goals.&#8221; Network teams are focused on network availability and usability, while security teams are focused on potential risks and vulnerabilities.<br \/>\nAnd security measures can often slow things down &#8212; adding things like two step authentication, firewalls or other precautions that might hinder how fast networks can get up and running.<br \/>\nSo, for a team focused on speed and availability, security can often be seen as a roadblock in reaching those goals &#8212; and vice versa.<br \/>\n&#8220;This becomes a problem when network professionals feel that security measures are red tape getting in the way of their processes, and security professionals feel that network 
team&#8217;s expansion and development of complex architectures are opening up the system to potential attacks,&#8221; says Vigna.<br \/>\nThe best solution to this problem?<br \/>\nStart communicating, says Vigna.<br \/>\nThe time to communicate isn&#8217;t after something bad has happened; it&#8217;s before. &#8220;Both network and security teams should proactively reach out to one another and discuss trends and issues on a day-to-day basis in order to be prepared for the worst,&#8221; he says.<br \/>\nHiring the right tech workers might seem obvious, but if you want your network and security teams to get along, include it in your hiring process.<br \/>\nWhile network and security professionals have different skillsets, you can still emphasize during the interview process that you encourage collaboration between the two teams, so they come in knowing what to expect.<br \/>\nSchwartz also points to the CIO as a guidepost for the rest of the department.<br \/>\nAs the CIO, he says, you need to encourage both teams to understand one another&#8217;s priorities and goals.<br \/>\nYou can&#8217;t expect your teams to understand how they can help one another if they don&#8217;t even know how the other operates on a day-to-day basis.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c7548e4929&#038;e=20056c7556<\/p>\n<p>Data security and breach notification in Belgium<br \/>\nArticle 16(4) of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the \u2018Data Protection Act\u2019) provides that data controllers and data processors must implement sufficient technical and organisational security measures with respect to the protection of personal data against destruction, accidental loss and any non-authorised processing of data.<br \/>\nAlthough the Data Protection Act imposes no specific security measures, the notification form used by the Belgian Data Protection 
Authority for the notification of data processing activities lists a wide range of possible security measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.<br \/>\nData owners or controllers must inform the individuals of a data breach without undue delay if there is a high risk that their data could be used by third parties.<br \/>\nNotification is not required if the data is encrypted or if measures have been taken to ensure that the data subject cannot be identified.<br \/>\nHowever, the Belgian Data Protection Authority can always order the data controller to inform the individual of the data breach.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=3c84eb844c&#038;e=20056c7556<\/p>\n<p>Feds plan to investigate more healthcare breaches<br \/>\nThe HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.<br \/>\nIn the announcement, OCR cited five recent settlements with covered entities that had smaller breaches; the settlements included financial fines and imposition of corrective action plans.<br \/>\nBut some of these smaller breaches are not recent, highlighting settlements reached one or more years ago.<br \/>\nThe settlements included Catholic Healthcare Services of the Archdiocese of Philadelphia ($650,000 on June 29, 2016), Triple-S Management Corp. ($3.5 million on Nov. 30, 2015), St. Elizabeth\u2019s Medical Center in Brighton, Mass. ($218,400 on July 10, 2015), QCA Health Plan ($250,000 on April 22, 2014), and Hospice of North Idaho ($50,000 on Jan. 
3, 2013).<br \/>\nIt\u2019s not surprising that OCR now has formally announced more aggressive reviews of smaller breaches, says Thad Phillips, a principal consultant at tw-Security, a consultancy.<br \/>\nIn 2013, Leon Rodriguez, then director at OCR, warned covered entities that regardless of size, providers needed to better protect patient information and said OCR would expand investigations of smaller breaches, Phillips says.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=bd9d26d169&#038;e=20056c7556<\/p>\n<p>Data security and breach notification in Singapore<br \/>\nSection 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.<br \/>\nUnder the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach.<br \/>\nHowever, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.<br \/>\nNo general requirements for organisations to notify the regulator in the event of a breach exist.<br \/>\nHowever, there are industry-specific requirements.<br \/>\nOn July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery.<br \/>\nFor further information see the Technology Risk Management Notice and Guidelines.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=05906f5147&#038;e=20056c7556<\/p>\n<p>Risk Management: Time for Introspection for Asia-Pacific Security Leaders<br \/>\nCyberattacks are increasing at an alarming pace.<br \/>\nWith that, the cost of a data breach is also 
increasing.<br \/>\nIn India, for example, the average total cost of a data breach increased from 88.5 million Indian rupees in 2015 to 97.3 million Indian rupees in 2016 \u2014 an increase of 10 percent.<br \/>\nBecause of the nature of data, certain industries have a higher average breach cost compared to others.<br \/>\nAs a result of all this, CISOs are faced with big, tough challenges.<br \/>\nSecurity leaders should ask the following questions about their risk management posture:<br \/>\n- Are you protected from the latest threats?<br \/>\n- Have you protected your most critical data?<br \/>\n- Do you have access to the right skill set?<br \/>\n- Are you adapting to changing platforms?<br \/>\n- Are you operating at an appropriate maturity level for your industry?<br \/>\nYou need to find out where you are in your risk management journey.<br \/>\nAre you just starting out or are you well on your way?<br \/>\nWhatever the answer, it is imperative to plan accordingly.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c619f771ec&#038;e=20056c7556<\/p>\n<p>Week in Review: Proposed Rule Changes and Another Data-Breach Decision<br \/>\nToday\u2019s round-up takes a look at the potential impact on class-action litigation of some recently proposed amendments to the Federal Rules of Civil Procedure, and continues our exploration of what type of injury it takes to sustain a data-breach class action.<br \/>\nFor Data-Breach Class Actions, the Spoils of the Heist Matter: A case could be made that 2016 is the year of the data-breach class action\u2014we\u2019ve certainly devoted substantial attention to the subject here.<br \/>\nThis month\u2019s ruling in Attias v. Carefirst, Inc. 
adds another weapon to defense practitioners\u2019 arsenal on the issue of whether a data breach alone is a sufficient injury to support a claim.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c74c017cc0&#038;e=20056c7556<\/p>\n<p>California to mull biometric standards in data breach law<br \/>\nA California lawmaker has proposed that a standard be established for businesses to protect personal consumer information including location and biometric data.<br \/>\nThe newspaper notes that the new bill would expand the definition of personal information in California law beyond social security numbers, driver\u2019s license numbers and medical information to include geolocation and biometric data, tax identification numbers, passport numbers, military identification numbers, and employment identification numbers.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8a41b0d215&#038;e=20056c7556<\/p>\n<p>Proof Of Concept: Tips For Successful Testing<br \/>\nThe most important part of the POC is to know what you\u2019re looking for from the outset.<br \/>\nWith this in mind, it\u2019s very important to work with all stakeholders to first identify what it is you\u2019re trying to accomplish or what problems you need to solve with the software.<br \/>\nAdditionally, POCs are a great way to compare and contrast multiple vendors at the same time.<br \/>\nIn doing so, you can often quickly figure out if what their salespeople say is really true, or, if they&#8217;re just providing a \u201cmarketing checkbox\u201d of hyped features that serve no real purpose or merely meet obligatory criteria.<br \/>\nThe first test in any POC is the vendor\u2019s reaction.<br \/>\nIf the vendor tries to talk you out of conducting it or uses delay tactics, that generally means the reps know their product won\u2019t do well.<br \/>\nOn the other hand, if the vendor is actually pushing for 
a POC, that could mean the reps are confident in their technology\u2019s ability to perform and have a high rate of success in these situations.<br \/>\nAlso be wary if the vendor asks you to pay for a POC.<br \/>\nHaving to pay can depend on the complexity of the software being evaluated.<br \/>\nHowever, if you\u2019re looking at other products that offer a true \u201ctry before you buy\u201d approach, a vendor requiring money could indicate issues ranging from possible financial strains and an inability to compete to a lack of ongoing support.<br \/>\nPOC criteria should always be developed by a team of business stakeholders, not the vendors.<br \/>\nVendor-supplied criteria for a POC are designed to make the vendor look good, but may not meet your business requirements.<br \/>\nThat doesn\u2019t mean you can\u2019t change criteria if one vendor has a feature you find useful; it just means you shouldn\u2019t let any one vendor determine the boundaries of the POC playing field.<br \/>\nNext, be prepared.<br \/>\nMost vendors will give you a list of criteria (requirements) for a lab environment to ensure proper testing.<br \/>\nIf the vendor has agreed to come onsite and help set up the POC, it can be a long day if the lab is not arranged properly.<br \/>\nFor this reason, ask each vendor for its prerequisites and get things set beforehand.<br \/>\nWhile not always possible, it\u2019s also a good idea to have a separate lab environment for each vendor if you\u2019re doing multiple POCs.<br \/>\nFor cloud-based applications, this step is actually easier, as most vendors will provide you with a \u201csandbox\u201d area to test the software.<br \/>\nStill, be ready to provide any data or testing criteria that you specifically want to evaluate.<br \/>\nDuring the POC, stick to timeframes.<br \/>\nAsk each vendor how long the POC should take and then make sure that everyone sticks to the allotted time.<br \/>\nEndless POCs don\u2019t really do anyone any good, and 
if the vendor can\u2019t get things working in the environment you provided &#8211; especially with agreed-upon criteria &#8211; only allow so many chances to make it work.<br \/>\nAfter all, if it doesn\u2019t function properly in the lab, do you think it will work in production?<br \/>\nMoreover, how long installation and configuration take in the lab is also a good indication of how long they will take in production.<br \/>\nFinally, make sure that you allot enough time for the POC.<br \/>\nVendors understand you have a job to do, but if there\u2019s not sufficient POC time scheduled on your calendar, you\u2019ll never get it done or you may cut corners.<br \/>\nRemember, timeframes are also important in keeping salespeople off your back: If you tell them it will take a week, they will call you in a week, and will continue to do so until you answer.<br \/>\nThe better everyone does in setting proper expectations, the happier all involved will be, and the more likely it is that you\u2019ll get the proof-positive results you\u2019re seeking.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=5e293a6b39&#038;e=20056c7556<\/p>\n<p>Infrastructure Pros Look To Add Skills<br \/>\nAs data center and networking jobs change with the rise of cloud and software-defined infrastructure, those working in the infrastructure field are actively looking to expand their skillsets.<br \/>\nWhen asked what specific skills they planned to learn in 2016, survey respondents chose security as their number one priority, at 50%.<br \/>\nStaff-level employees also cited network engineering and operations (36%), cloud integration (28%), wireless (20%), and data storage (19%).<br \/>\nThose at the management level chose leadership skills (37%), project management (31%), cloud integration (30%), and business skills (21%).<br \/>\nIn follow-up interviews, respondents also specified they&#8217;d like more training in Amazon Web Services, 
Microsoft Azure, and agile project management.<br \/>\nWhen it comes to the type of training respondents would like, the more technical the better.<br \/>\nSeventy-seven percent of staff and 63% of managers chose technology-specific training as most desirable, followed by certification courses at 61% for staff and 34% for managers.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d29ae0081b&#038;e=20056c7556<\/p>\n<p>To really improve corporate culture, it must be measurable<br \/>\nDouglas W. Hubbard, who developed Applied Information Economics as a practical application of scientific and mathematical methods to complex decision making, goes out further on a limb when it comes to measurement.<br \/>\nAccording to Mr. Hubbard:<br \/>\n\u201cAnything can be measured. If something can be observed in any way at all it lends itself to some type of measurement method. No matter how \u2018fuzzy\u2019 the measurement is, it\u2019s still a measurement if it tells you more than you knew before.\u201d<\/p>\n<p>For the auditor, compliance professional, and others charged with evaluating (i.e., measuring) the effectiveness and value of compliance program activities, Hubbard\u2019s treatise, How to Measure Anything: Finding the Value of Intangibles in Business, 3rd Edition, is a worthy read.<br \/>\nUndertaking this methodology forces clarity in considering the objectives you are trying to achieve.<br \/>\nWhen computing the value of information, you may learn that you have been measuring all the wrong things.<br \/>\nIf your \u201cprogram\u201d is providing a service the value of which cannot easily be measured, maybe you need to reconsider what you are trying to achieve.<br \/>\nSome kind of observable consequence must be present if it really matters (even if dictated by laws and regulations).<br \/>\nMeasuring things just because they are easy to measure is ultimately useless.<br \/>\nA thought experiment to try, 
which Hubbard calls a \u201cclarification chain,\u201d is to imagine \u201cif we didn\u2019t do this, would there be an impact, and how would we notice the difference?\u201d For example, a safe work environment has been shown to relate directly to safe employee behavior; similarly, a climate for customer service is known to predict customer satisfaction.<br \/>\nFor compliance programs, if we care about an \u201cintangible\u201d that we call culture or ethical climate, because it impacts certain things\u2014such as perceptions that your supervisor and company set a good example of ethical behavior, or that employees do not fear retaliation for reporting misconduct\u2014we should be able to measure such outcomes.<br \/>\nAs described in its February 2016 Targeted Exam Letter, FINRA requested firms submit eight categories of information related to the organization\u2019s cultural values, stating \u201cWe will formalize our assessment of firm culture to better understand how culture affects a firm\u2019s compliance and risk management practices.\u201d Significantly, FINRA is \u201cparticularly interested in how your firm measures compliance with its cultural values, what metrics, if any, are used, and how you monitor for implementation and consistent application of those values throughout your organization.\u201d<br \/>\nThe evaluation of culture and of compliance effectiveness is in fact an empirical issue.<br \/>\nThe elements of a compliance program and vague indicators should not be taken on faith.<br \/>\nWhenever practical, tactics based on studies by social scientists should be field-tested using randomized controlled trials to estimate their economic benefits.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d6559256c1&#038;e=20056c7556<\/p>\n<p>Feedback, questions? 
Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p>Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=2e11572e9e)<br \/>\nUpdate subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<br \/>\n============================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.] And so, now the news * QinetiQ : Lack of process and security culture are chief factors leaving firms open to cyber attack * Smartworld to launch ME\u2019s&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1255","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1255"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1255\/revisions"}],"predecessor-version":[{"id":3742,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1255\/revisions\/3742"}]
,"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}