We asked industry experts, colleagues and compliance officers what they believe will be the top issues impacting workplace ethics and corporate compliance programs in 2015. We gathered their best thinking and prepared our annual summary of trending issues and the steps you should consider taking as you plan for the coming year.
The starting point for every ethics and compliance program must always be an analysis of the ethics and compliance risks faced by the organization.
In that light, it’s important to listen to James Comey, Director, U.S. Federal Bureau of Investigation, who said at a 2014 conference: “There are two types of companies when it comes to cyber security. Those that have been hacked and those that do not know they’ve been hacked.”
The risk is real and it is growing every day. The “connectedness” of our digital world makes reaching across the globe a lot easier—for those with good and bad intentions.
In spite of these risks, many compliance officers still see cyber security as solely an IT concern. While it’s true that the primary responsibility for cyber security is shared across departments, and that IT must provide the subject matter expertise, compliance officers must have a seat at the table. Cyber security is both an ethics matter (we have a responsibility to protect our organization’s information as well as the information entrusted to us) and a compliance matter. Regulatory drivers including the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) all require controls to prevent unauthorized access to data.
Key Steps For Organizations To Take:
- Take a step-by-step approach to address the cyber security threats facing your organization. If your organization lacks the in-house expertise to tackle cyber security, get help now. This is not an issue that can be left for later.
- If senior leadership is not convinced of the threat, marshal your in-house resources and allies and make the case.
- You probably do not need to look far for a peer company that has suffered a public breach, along with the reputational and financial consequences.
- Educate your board and employees on the risks to the organization’s infrastructure and inform them of the steps you are taking and the role they must play in keeping the organization safe.
- Teach stakeholders about phishing emails and the importance of only visiting “safe” websites from work devices.
- Evaluate your organization’s exposure on an ongoing basis. Make sure cyber risks are included in your compliance and enterprise-wide risk assessments. In addition, focus immediately on the high-priority data and records that need to be secured. When appraising the risk level of particular data, estimate the reputational, legal and operational hit your organization would take if that data were compromised in a cyber attack. At a minimum, your high-priority list should include customer and employee Personally Identifiable Information, as well as intellectual property, both yours and your business partners’.
- Assess the adequacy of your policies, oversight and training related to cyber security. Most organizations have not kept pace with the development of new technology. The use of tablets, smartphones and social media provides additional entryways to critical organization information. Strong IT usage policies and procedures are critical to mitigating your cyber risks.
- Ensure that you have strong alert protocols and a breach response plan. The plan is essential, but it must be practiced to be effective. Breach response time is critical to your organization’s ability to recover from an attack, so your plan and processes should allow for quick scanning of your networks to determine the intrusion points. As this risk continues to garner worldwide attention, expect to hear more news on the formation of additional, designated government bodies dedicated to addressing this risk area. In fact, as we write this we were notified that the Senate approved the formation of a separate committee within the Department of Homeland Security dedicated to governing the sharing of cyber security information, an act that was anticipated to take place in 2015 but was expedited due to the urgency of this emerging risk area.