Reposted from Security Management

Mechelle Vinson needed a job. So, she went into the Meritor Savings Bank and met Vice President Sidney Taylor to see if they were hiring. They were, Vinson applied, and she was hired as a teller-trainee under Taylor’s supervision.

During her four years with the bank, Vinson was promoted to teller, head teller, and assistant branch manager. She also endured a pattern of sexual harassment by her supervisor, Taylor.

Shortly after her probationary period at the bank was over, Taylor invited Vinson to dinner and propositioned her for sex. She initially refused but was afraid she would lose her job, so she ultimately said yes.

After that initial incident, Taylor repeatedly demanded sexual favors from Vinson and had sex with her an estimated 40 or 50 times. He also fondled her in front of other employees, exposed himself to her in the women’s restroom, and raped her.

Vinson never reported the harassment to the bank or Taylor’s supervisors because she was afraid of him. But after she was terminated for taking extended leave, Vinson filed suit against the bank claiming she was subject to sexual harassment by her supervisor—a violation of Title VII of the Civil Rights Act of 1964.

Meritor Savings Bank attempted to have the case dismissed, claiming that because Vinson never reported Taylor, the bank could not be held liable for his behavior.

Vinson’s case made its way through the court system before landing at the U.S. Supreme Court. In a landmark ruling, the Court held that sexual harassment is a form of sex discrimination that is prohibited by U.S. federal law. It also held that just because the bank had a procedure to report the harassment—and Vinson chose not to use it—does not mean that the bank was shielded from liability.

“…the bank’s grievance procedure apparently required an employee to complain first to her supervisor, in this case Taylor,” wrote Chief Justice William Rehnquist for the Court. “Since Taylor was the alleged perpetrator, it is not altogether surprising that respondent failed to invoke the procedure and report her grievance to him. [Meritor’s] contention that [Vinson’s] failure should insulate it from liability might be substantially stronger if its procedures were better calculated to encourage victims of harassment to come forward.”

Vinson applied for that job in 1974. Rehnquist wrote his opinion for the Court in 1986. And yet, decades later, sexual harassment in the workplace remains an ongoing problem. In 2018, the most recent year that data is available, the U.S. Equal Employment Opportunity Commission (EEOC) filed 41 lawsuits alleging sexual harassment occurred—more than a 50 percent increase in suits from 2017.

The EEOC also saw a 13.6 percent increase in the number of sexual harassment charges individuals filed with the commission in 2018, and it recovered nearly $70 million for victims through administrative enforcement and litigation—up from $47.5 million in 2017.

One positive, however, is that after the #MeToo Movement took off in 2017, there is greater awareness and acknowledgment of the existence of sexual harassment in the workplace.

“When #MeToo arrived, the big change was the degree that people are willing to speak up and speak out,” says EEOC Commissioner Victoria A. Lipnic. “There’s now a recognition and focus on culture. That was not the case prior to October 2017. That was something that we in our task force report in 2016 made a big, important point about—that culture more than anything matters.”

Lipnic joined the EEOC nearly 10 years ago when she was appointed by then U.S. President Barack Obama and approved by the U.S. Senate to serve as a commissioner. At the time, Lipnic says she was “appalled” at the number of sexual harassment complaints the EEOC continued to see nearly 30 years after the Vinson case—and so was her fellow commissioner, Chai R. Feldblum.

“I talked to all of our offices around the country, and they said that if the EEOC wanted to, we could have a docket of nothing but harassment cases—and more specifically, nothing but sexual harassment cases,” Lipnic says.

So in 2015, the EEOC created the Select Task Force on the Study of Harassment in the Workplace to examine the extent of harassment, what allows it to flourish, and how to prevent it. What the task force found—through interviews with stakeholders, experts, and victims—was disturbing. Almost one-third of the 90,000 charges the EEOC received in 2015 were allegations of workplace harassment. But despite the nearly 30,000 claims it received, the task force learned that most harassment is never reported.

“The least common response to harassment is to take some formal action—either to report the harassment internally or file a formal legal complaint,” Lipnic and Feldblum explained in a report released in June 2016. “Roughly three out of four individuals who experienced harassment never even talked to a supervisor, manager, or union representative about the harassing conduct.”

Most individuals chose not to report the harassment out of fear of disbelief, skepticism, or inaction on their claim. Instead, most people attempted to avoid their harasser, deny or downplay the situation, or ignore, forget, or endure the behavior.

While sexual harassment affects all people, it predominantly impacts women. The task force found that “anywhere from 25 percent to 85 percent of women report having experienced sexual harassment in the workplace,” according to the report. The percentages vary due to how questions about harassment at work are worded.

For instance, when the term was not defined in the survey, 50 percent of women said they had experienced sexual harassment, and 25 percent of women said they had been sexually harassed in the workplace. When asked if they had experienced one or more sexually based behaviors, such as “unwanted sexual attention or sexual coercion,” 60 percent of women said they had been sexually harassed, either inside or outside the workplace.

And when women do experience sexual harassment at work, they often turn to family members, friends, or colleagues for support, instead of formally reporting it.

Risk factors. To better understand why sexual harassment occurs in the workplace, the task force also looked at environmental risk factors that affect organizations.

It found that harassment is more likely to occur in homogenous workforces, where the workforce has little diversity.

“For example, sexual harassment of women is more likely to occur in workplaces that have primarily male employees, and racial/ethnic harassment is more likely to occur where one race or ethnicity is predominant,” according to the report. “Workers with different demographic backgrounds from the majority of the workforce can feel isolated and may actually be, or appear to be, vulnerable to pressure from others.”

Milk tea restaurant chain Tapioca Express and two of its franchises in San Diego, California, were recently charged with allowing the owner to harass young Filipino female employees, taking advantage of time alone with them to make unwanted sexual advances.

Tapioca agreed to pay $102,500 to settle charges brought by the EEOC that all three companies failed to prevent and correct the harassing behavior.

“We commend the young women for coming forward to shine a light on the harassment to which they were subjected,” said Christopher Green, director of the EEOC’s San Diego Local Office. “Their strength may give courage to other young people or those in the Asian American and Pacific Islander community who may be suffering harassment or discrimination in the workplace to come forward as well.”

However, the task force found that workplaces that are “extremely diverse” are also at risk because workers from different cultural backgrounds may be “less aware of laws and workplace norms,” which can allow harassment to occur.

Another risk factor is workplaces where workers do not conform to workplace norms, such as a male employee acting more feminine in a male-dominated work environment. The task force also found that “coarsened social discourse”—even outside the workplace—can make harassment seem more acceptable.

“For example, after the 9/11 attacks, there was a noted increase in workplace harassment based on religion and national origin,” the report explained. “Thus, events outside a workplace may pose a risk factor that employers need to consider and proactively address, as appropriate.”

Other risk factors include organizations with a high number of young employees who may not understand that their actions are a form of harassment; workplaces with significant power disparities, such as factories with plant managers and assembly line workers, or the military; organizations that rely on customer service and client satisfaction; and workplaces where employees are engaged in monotonous tasks because boredom may lead to bullying or harassment.

Chipotle Mexican Grill, Inc., recently agreed to pay $95,000 to settle EEOC sexual harassment and retaliation charges that stemmed from Austin Melton, a 22-year-old manager at a San Jose Chipotle store at the time, who endured physical and verbal harassment from his female supervisor.

Melton’s supervisor propositioned him and his then-girlfriend for sex, “touched him inappropriately, and posted a ‘scoreboard’ in the main office to track the staff’s sexual activities,” according to the EEOC. “When Melton reported the harassment, he faced further mistreatment including being locked in a walk-in freezer…. After Chipotle failed to adequately address the harassment, Melton quit.”

The position at Chipotle was Melton’s first job after high school, and in an EEOC press release he said he found it hard to speak up about the harassment at work and to report it to the EEOC when no action was taken to stop it.

“Austin was simply trying to do his job, as he worked to support himself and his girlfriend,” said EEOC Trial Attorney James H. Baker. “He faced conditions that no employee should have to accept in exchange for a paycheck.”

The task force also pointed out that isolated workspaces, decentralized workplaces, workplaces that tolerate or encourage alcohol consumption, and workplaces with high value employees are also risk factors for harassment.

“Superstars” are individuals seen as bringing high value to their employer, such as high-earning investment traders, surgeons, professors, or law firm partners who attract lucrative clients, the report explained.

“These workplaces provide opportunities for harassment, since senior management may be reluctant to challenge the behavior of their high value employees,” the report said. “The high value employees, themselves, may believe that the general rules of the workplace do not apply to them. In addition, the behavior of such individuals may go on outside the view of anyone with the authority to stop it.”

For instance, in December 2019 rideshare company Uber entered into a nationwide agreement to strengthen its business culture against sexual harassment and retaliation—and pay $4.4 million to resolve charges brought by the EEOC.

The commission began investigating Uber in 2017 and found reasonable cause to believe it permitted a culture of sexual harassment and retaliation against individuals who complained about the behavior. As part of the settlement, Uber agreed to create a system to identify employees who have been the subject of more than one harassment complaint. The system will also identify managers who do not respond to concerns of sexual harassment in a timely manner.

“In particular, employers should take note of Uber’s commitment to holding management accountable and identifying repeat offenders so that high-performing, superstar harassers are not allowed to continue their behavior,” said EEOC San Francisco District Director William Tamayo in a statement. “The tech industry, among others, has often ignored allegations of sexual harassment when an accused harasser is seen as more valuable to the company than the accuser.”

Prevention. While organizations need to have procedures to report and investigate claims of sexual harassment in the workplace, they can also take steps to proactively prevent the behavior in the first place.

In its research, the task force found that to effectively do this, organizations need to have commitment from leadership to create a diverse, inclusive, and respectful workplace. Not only is this the right thing to do, but it is also financially beneficial to the organization.

“At the tip of the iceberg are direct financial costs associated with harassment complaints,” according to the EEOC report. “Time, energy, and resources are diverted from operation of the business to legal representation, settlements, litigation, court awards, and damages. These are only the most visible and headline-grabbing expenses.”

Other expenses, which cannot always be calculated, include decreased workplace performance and productivity, increased employee turnover, and reputational harm.

The report recommends that leaders create a “sense of urgency” about preventing harassment in the workplace, such as assessing risk factors that can predicate harassment.

“For example, if employees tend to work in isolated workspaces, an employer may want to explore whether it is possible for the work to get done as effectively if individuals worked in teams,” the report explained.

Organizations should also have policies and procedures in place to address harassment, and conduct training so the policies can be followed. This means putting resources—money and time—towards this effort.

“Employees must believe that their leaders are authentic in demanding a workplace free of harassment,” according to the report. “Nothing speaks to that credibility more than what gets paid for in a budget and what gets scheduled on a calendar.”

One organization that is putting these recommendations into practice is Deloitte, which hosts an annual Inclusion Summit to bring together individuals from different backgrounds and experiences to hear from leaders and experts about advancing inclusion within Deloitte itself.

In 2019, Deloitte held a Day of Understanding across its U.S. offices to create a space for candid conversations around diversity, inclusion, and unconscious bias.

Deloitte also made a concentrated effort to diversify its cybersecurity workforce—one-third of which are female, including its recently promoted principal, Deborah Golden, who is the first woman to lead the company’s U.S. cyber practice.

“I’ve been here for 24 years, and we’ve always had some form of women in business, diversity, and inclusion program—and we’re continuing to evolve those programs,” Golden says.

This is not always the case across industry, she adds, but Deloitte made a commitment at the leadership level to create a diverse organization where is everyone is welcome.

“Deloitte 100 percent does that,” she says, adding that Deloitte participated in a Pride Ride and other activities in June 2019 to mark LGBT Pride Month. “It’s not only something our executives support—but actively participate in.”

And once leadership makes its commitment to creating a diverse and harassment-free workplace, it then needs to hold those who violate the policies and procedures accountable.

“These accountability systems must ensure that those who engage in harassment are held responsible in a meaningful, appropriate, and proportional manner, and that those whose job it is to prevent or respond to harassment, directly or indirectly, are rewarded for doing that job well, or penalized for failing to do so,” according to the report.

Frontline supervisors have an especially important role because they are often the first to observe behavior at work. They are also often the first people to whom individuals will complain.

“They have to know how to correctly respond—that they don’t just brush it off,” Lipnic says, meaning they need to be trained on how to handle allegations of harassment. And security professionals have a doubly important role to play.

“I’ve spent years on this topic now, and it’s struck me that it’s a coincidence of our legal system that harassment is considered a form of discrimination—that’s just how the law developed,” she explains. “But on a very practical level, it’s a safety issue. And there’s such an opportunity for people who are engaged in the safety of workplaces to gain greater depth on the topic, demonstrate greater engagement, and work on a partnership basis with the leadership of organizations.”

For instance, Lipnic says security professionals can take an active role in conducting climate assessments of their organization so they understand how employees feel about their safety or factors that could encourage harassment.

It is also critical for security officers to have this understanding because they need to have firsthand knowledge of what situations employees find themselves in that impact their safety. This understanding is especially valuable when organizations are planning special events, such as a company party where clients and alcohol might be present—both factors that could increase the risk of sexual harassment. (See “The Intoxication Issue,” Security Management,February 2019)

“Security officers are trained to recognize risk, and if we have learned anything from the #MeToo Movement, I hope that it’s the degree of risk that so many people are in in all kinds of workplace environments,” Lipnic adds.

See Original Post

Reposted from Protocol

Cybersecurity experts fear that the chaos caused by coronavirus provides an opportunity that hackers will take advantage of — and there's already evidence that foreign adversaries, including Russia and China, are launching coronavirus-related cyberattacks.

Companies are increasingly vulnerable to cyber intrusions due to various disruptions caused by the coronavirus outbreak. Many are making sweeping changes to their networks, asking most or all employees to work from home, and may have to deal with critical IT workers getting sick or having to juggle work with taking care of kids. It all adds up to an opportunity that the most sophisticated hackers have been waiting for, said Nico Fischbach, global CTO of cybersecurity firm Forcepoint.

"Nation states play the long game — they have their list of targets and wait for the right moment to get in their systems … This is the perfect time. There's so much noise and so much change," he said.

Those fears were amplified earlier this week after reports of an apparently unsuccessful attempt to compromise the Health and Human Services Department's computer systems. In a Monday press briefing, a reporter asked HHS Secretary Alex Azar if the attack originated from a foreign country like Iran or Russia. Azar said that HHS is investigating the source of the activity, but he didn't want to speculate. Attorney General William Barr told the Associated Press there would be swift and severe action if the attack is linked to a foreign government.

Ben Read, senior manager for cyber espionage analysis at FireEye, said there are already signs that some countries are taking advantage of coronavirus fears. FireEye has been involved in investigating some of the most high-profile nation-state attacks in recent years, including the 2014 attack against Sony that was linked to North Korea and the 2016 attack on the Democratic National Committee that was attributed to Russia.

Since late February, FireEye has observed two Chinese groups targeting entities in Vietnam, the Philippines, Taiwan and Mongolia with phishing attacks that use legitimate statements by political leaders and authentic statistics and advice for people worried about the disease. Malicious files included in the emails carry various payloads that can do things like log a user's keystrokes or provide a backdoor into a device, allowing the hackers to access it at a later time.

FireEye said it also intercepted a similar phishing email sent to Ukranian entities from an espionage group that supports Russian interests. The content of the email appeared to be copied from a legitimate document. Another phishing attack directed at a South Korean nongovernmental organization was linked to North Korean hackers. That email, sent in late February, included governmental health-related instructions and was titled "Coronavirus Correspondence."

It's impossible to know how successful these and other attacks have been so far, but Read suspects organizations are falling for it. "If something isn't working they would usually change things up, and we've seen these kinds of attempts increase, not decrease, so I assume it's working." He added that other factors, like the fact that "every company you've ever given your email address to is emailing you to tell you what they're doing" makes it more likely that people have their guard down when spotting phishing attempts. "People are very hungry for information right now," he said.

Some organizations might find out that they've been compromised only when an attack is carried out, Fischbach said. "It's very likely that we'll find out six to 12 months from now [that many organizations have been breached]," he said.

One bright note is that the attacks don't seem to be more technologically sophisticated than the ones companies typically deal with, Read said. Standard security procedures, anti-malware tools, and phishing email detection software will still prevent many of these attacks, he said. But additional user education is needed to help identify suspicious emails that carry legitimate coronavirus information. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency recently warned companies of such attacks, and advised them on how to improve their cybersecurity posture during the pandemic.

Although FireEye has identified coronavirus-related attacks from China, Russia and North Korea, it hasn't noticed any linked to Iran, Read said. That could be because Iranian phishing attempts haven't been detected, or because the virus has hobbled the country's hacking apparatus. "There are big questions in my mind that we don't have answers to. How do these outbreaks affect Iranian cyberespionage if the people behind the keyboards are getting sick?" he said. "We're still seeing Chinese activity, but you might see more of an impact in Iran because they have a pretty severe outbreak and fewer resources than the Chinese government."

See Original Post

Reposted from Politico

As the novel coronavirus reshapes virtually every facet of American life, it’s also coloring how aspiring terrorists plot attacks. And that shift has caught the attention of American national security officials.

Law enforcement and intelligence officials are watching the virus’s impact on potential terrorist threats — how it is accelerating the plans of some would-be attackers, while presenting macabre new targets of opportunity to others.

It isn’t hypothetical. Earlier this week, the FBI stopped a man named Timothy Wilson who was planning to bomb a Missouri hospital treating COVID-19 patients. Wilson had been planning an attack for months, according to a statement from the FBI’s Kansas City Division, which said he “decided to accelerate his plan” and to target the hospital because of the pandemic. The Bureau also said he was "motivated by racial, religious, and anti-government animus." When law enforcement officials tried to arrest Wilson, he sustained injuries that proved lethal, according to the release.

Homegrown violent extremists are a particular worry. In an interview, John Demers, the assistant attorney general for national security at the Justice Department, said the department and the FBI are closely monitoring how the virus is shaping their plans.

“They do get ideas about, ‘How can I try to weaponize this virus?’” he said. “It’s something we’re focused on, together with the FBI — and making sure on the intel side that we’re on top of whatever’s showing up.”

Officials are also tracking the way the pandemic could influence terrorists’ strategies on timing and targets for more conventional attacks, Demers said. 

“Are they going to accelerate any of their plans?” he said. “Are they going to see windows of opportunities? Obviously a lot of public places are less crowded, but others, like hospitals, are more crowded. Are they going to see these windows of opportunity to take advantage of?”

International travel has gotten particularly complicated because of the pandemic, with the U.S. closing its borders to a host of countries and airlines slashing their flight schedules as demand plummets. Transportation Security Administration (TSA) data shows it checked one-tenth as many travelers on Thursday as it did a year earlier.

“We still have a few cases of people who want to travel to other countries and engage in terrorist activities,” Demers said. “How is this impacting travel plans? Is it accelerating them or deferring them for folks as flights shut down?”

The questions aren't merely theoretical, according to Demers, who suggested that authorities are already observing terrorists change their behavior as the virus alters transportation patterns.

“The same way it impacts all of our lives, it does impact some of the planning that we’re seeing people doing and the way they’re thinking about it,” Demers said. “Sometimes in conflicting ways: Some people are putting off plans, and other people are saying, ‘Well I’ve got to accelerate this because maybe all the borders will be shut down soon.’”

The Justice Department last week charged a Pakistani doctor with trying to help ISIS. The doctor, who was temporarily working in the U.S., initially planned to get to Syria by flying into Amman, Jordan. But, according to a DOJ press release, his plans changed when Jordan closed its borders because of the pandemic. He then decided to fly to Los Angeles and, from there, travel to Syria on a cargo ship. He was arrested at the Minneapolis-St. Paul International Airport on March 19.

Demers said the virus could also give terrorists new ways to attack. 

“There are worries that people could try to weaponize their own illness by trying to infect other people,” he said.

Joshua Geltzer, a terrorism expert who previously worked in the National Security Division and is now at Georgetown Law, concurred that the virus may provoke threats in new ways. 

Social distancing might raise the risk of homegrown radicalization, he noted, as isolated people with loads of free time get pulled down disinformation rabbit holes online.

“The idea that that can lead to particularly deranged interpretations of events and generate an extreme response, even violent action –– I think that threat gets magnified given the social isolation that we as a country are understandably adopting,” Geltzer said. "I feel like the past month and this virus have taken a dangerous information environment and really ratcheted up how lethal, how directly lethal it can be."

See Original Post

by Stevan P. Layne, CPP, CIPM, CIPI
IFCPP President

All individuals and institutions are experiencing significant impacts from the COVID-19 pandemic (and, most likely, the worst part isn’t over).  If we continue to head in the same direction, with closed businesses, rising unemployment, and little or no income, people will inherently become increasingly desperate. Federal, state, and local governments are stepping in to assist where they can, but resources are limited on all fronts. Will assistance efforts put food on the table (and for how long)?  It’s important to look at statistics, as well as human nature. When people become desperate, criminal activity increases. Even previously law-abiding citizens may resort to drastic measures to feed their families.

Where outright theft is concerned, over 90 percent of losses from cultural institutions involve someone connected to the institution.  These losses, as far as we know, are not generated by desperate people. Internal theft is mostly committed out of greed or opportunity.

Remember, valuable collections are not the only assets that warrant strict protection. Theft can include cash, merchandise, computers, tablets, audio-visual equipment, electronics, supplies, and other expensive assets. Small objects are most easily removed without detection. Large objects are vulnerable as well, if someone has the time and opportunity to make proper arrangements.

What this means to management is that our protection efforts need to be absolute. Perimeters must be impenetrable, at every point. Intrusion and access control alarms must be tested regularly, and performing as intended. Every member of proprietary and/or contract security staff must be properly screened, hired, trained, and monitored.  A responsible member of management that understands the entire security program must be designated to monitor all protection activity and security officer performance.

During current institutional closures, all persons (staff, volunteers, contractors), regardless of rank or position, should be thoroughly screened/identified upon entering or leaving facilities.  Every parcel, bag, and container should be professionally searched upon entry and exit to mitigate internal theft.

Video surveillance is a valuable tool, if properly specified, selected, placed, installed, monitored, and tested. While video surveillance, and security and fire protection alarms perform a valuable function, technology alone cannot take the place of an alert, well-trained, and properly supervised patrol officer (in terms of reliability and effectiveness). With the current and significant decrease of regular staff working within our institutions, the importance of proper security inspections, patrols, and physical searches becomes even more critical.

We are all particularly vulnerable during closures, and disrupted operations. Please stay safe and diligently maintain recommended health practices.

Contact us if you have concerns about your unique facilities or assets. We can help directly, or refer you to someone who can.

Reposted from Security Management

Crisis response hinges on two factors: what the organization does and what the organization says. When these halves align, it results in trust and a more positively received and effective response. When they conflict, organizations struggle to recover. In a pandemic, ensuring these elements are carefully calibrated is more essential than ever, says Helio Fred Garcia, a professor of crisis management at New York University and Columbia University. While an organization’s actions during crises depend largely on the circumstances, its communications can rely on a few essential best practices.

Garcia, who is also president of Logos Consulting Group, adds that crisis response around pandemics is inherently different from responding to a natural disaster or a data breach. Natural disasters in particular deeply affect a limited number of people in a specific geographic area. COVID-19, he adds, potentially affects everyone worldwide.

There are six dimensions to the current coronavirus pandemic crisis, Garcia says. It is simultaneously a crisis of public health, business, economics, information and trust, government competence, and society.

“We need to keep all six of these dimensions in mind because this is a moment where people are hungry for understanding what is happening, but also for comfort in their fear,” Garcia says. “Leaders at every level need to find the balance between conveying a sense of urgency and triggering a panic. And that's a very delicate line, especially as people are feeling personally vulnerable—not only on the public health side and in their work, but also in terms of the economy. And any given stakeholder, at any given time, is simultaneously processing all six of these things. And that makes this crisis unusual.”

In addition, this is the pandemic in the social media age, which fundamentally changes the nature of crisis response, Garcia tells Security Management. This means organizations and crisis managers must prepare for the rapid spread of misinformation, panic, and criticism. It also presents opportunities for self-reflection, benchmarking against other organizations’ responses, information gathering, and outreach to people affected by the crisis.

Safeguard Trust

Pivoting classic crisis communications practices to pandemic-appropriate ones requires a shift in perspective: Ask not “what should we do,” but instead “what do reasonable people—from the board to employees to the public—expect us to do?” The coronavirus pandemic also adds another layer to this decision-making process: evaluate what other organizations or similar groups are doing, Garcia says.

One of the most valuable assets an organization has during a crisis is trust, both from internal and external stakeholders and customers. Trust is primarily established based on three factors, Garcia says: promises fulfilled, expectations met, and when an organization’s stated values are lived experiences. For the former, be careful of what promises the organization makes to the public or to employees; in a rapidly evolving situation, those promises might need to be broken. For the latter, he explains, if an organization declares that it has a mission of kindness and charity, but acts in an unkind or uncharitable way, people lose trust in that organization.

Regarding meeting expectations, “we need to be deeply attentive to the quickly evolving expectations that reasonable people have,” Garcia adds. In an environment where it’s easier to see what other institutions are doing—whether through social media or news outlets—the public can quickly evaluate new standards of care and judge organizations accordingly. Once large-scale events started to cancel in response to the spread of COVID-19, for example, people expected other events to follow suit.

Organizations can help set expectations by clearly establishing who holds what role during crisis response and whom people should expect to hear from with new directions or updates. Without absolute clarity on who is involved and where to turn for information, the response can be perceived as confusing or even untrustworthy—even if the crisis managers have matters well in hand.

Maintaining trust is significantly easier than regaining it. It is unlikely that organizations—and countries—that lost their stakeholders’ or citizens’ trust will regain it during the coronavirus pandemic, Garcia adds.

Empathize

In every crisis, Garcia says, stakeholders expect leaders to care; an expression of empathy is a necessary first step to demonstrating a commitment to fulfilling that expectation.

“One of the things that people are looking for is ratification of their feeling of emotional fragility,” he notes. “And when I look at the best statements, whether it's from CEOs or from university presidents or others, one of the things that I find that is most helpful is a statement that begins with an acknowledgment of people's anxieties, fears, or uncertainty and feelings of vulnerability. When they do that first, the communication tends to work reasonably well.”

Even if the message includes an acknowledgment or wish for wellbeing or health later on, people will likely have tuned out or stopped reading by that point, Garcia says. Start with an empathetic statement, then outline the big picture and action items needed to realize it.

The tone for crisis communications must be set at the top, Garcia adds, but communication from the top alone is insufficient. Consider an organization like a series of concentric circles, with the CEO in the center to the customers or employees on the outer ring, he says. The CEO communicates out across the organization, but that message is followed by communication from the next ring, and the next, and the next, radiating outward in persistent, aligned messages that drive action as well as cohesion.

When in doubt, Garcia says, over-communicate.

“Some people won’t have seen or heard the first few messages that you did but will need to hear from you at some point, whether you’re the CEO or the head of security or others,” he says. “The communication needs to be empathetic; it needs to be aligned with the rest of the institution’s communication, at least thematically; and it needs to be clear and avoid euphemism. One of the common missteps is to refer to ‘this unfortunate circumstance,’ as supposed to ‘one of our people has been diagnosed with COVID-19.’ The use of euphemism—which is perceived as an evasion of responsibility by some—has the tendency to confuse, and if we’re already in an information crisis, we need to avoid using communication that would create confusion.”

Garcia notes that “one of the best practices in crisis response is to name the problem with clarity.”

In addition, be mindful of emotions. According to a Kaiser Family Foundation survey conducted in mid-March 2020, four in 10 Americans say their life had been disrupted “a lot” or “some” as a result of the pandemic, and many worried that they or a family member would get sick (62 percent), that retirement or college savings would be negatively affected (51 percent), or that they would be unable to afford testing or treatment for COVID-19 (36 percent). Among workers, especially those in lower income households, 53 percent said they were worried they would lose income due to a workplace closure or reduced hours. These sorts of concerns trigger emotional reactions, which can hamper effective crisis communication.

“People who are emotionally wrought need to be connected with emotionally first,” Garcia says. “You can’t meet emotion with reasoned facts or data. You can only meet emotion with emotion and move people with you.”

The challenge is to be direct and factual after creating an emotionally safe connection. For security professionals, this is especially difficult, seeing as they are often seeking to convey the significance of a threat without panicking the CEO.

“That requires a certain degree of artfulness in the communication,” Garcia says. “People in the C-suite are feeling fragile and vulnerable. They know they’re not going to make their numbers this year. They know that they’re going to have to change a whole bunch of operations. They know that their employees are not productive anymore. So there’s a fair amount of institutional anxiety at the top of the institution, and people at the top may be struggling with feelings of powerlessness.”

By meeting those feelings with acknowledgment and empathy, as well as a solutions-focused attitude instead of a hopeless one, good communications can drive crisis response forward.

“Emotions are contagious. Panic is contagious. Fear is contagious. Anger is contagious,” Garcia says. “But comfort is also contagious. Expression of sympathy is also contagious. Expressions of empathy are also contagious. Expressions of kindness are also contagious. And so the challenge is to be direct, factually, after creating an emotionally safe connection.”

See Original Post

Reposted from Dark Reading

Cybercriminals are capitalizing on the spread of COVID-19 with new phishing emails that pretend to offer information about the virus or request money or data from concerned victims. 

The FBI Internet Crime Complaint Center (IC3) issued an alert late last week to warn people of fake emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other healthcare organizations, pretending to share information about the virus. Officials advise not to open attachments or click links in these emails, and to be wary of websites and apps that claim to track COVID-19 cases. Criminals are using such websites to infect and lock computers.

Some of these emails ask victims to verify personal data so they can receive an economic stimulus check from the government, the FBI says. It emphasizes that while these checks have been mentioned in the news cycle, government agencies are not sending out unsolicited emails asking for private information. Other phishing campaigns may mention charity contributions, airline carrier refunds, fake cures and vaccines, and fake COVID-19 testing kits, officials note.

People are also urged to be on alert for attackers selling products that aim to prevent or treat COVID-19, as well as counterfeit sanitizing products and personal protective equipment (PPE). More information on PPE can be found via the CDC, FDA, and EPA.

Read more details here.

See Original Post

Reposted from the Wall Street Journal

As millions of U.S. workers frantically pivoted to remote work last week, putting new strains on their computer networks, federal officials warned that hackers smelled blood.

But the fallout from coronavirus-related breaches may not become clear for weeks, months or even longer, experts say. The expected delay highlights how confusion from the pandemic has created long-term security risks that could eat up precious resources as the economy hurtles toward a recession.

“Very well-organized criminal organizations or nation-states—they can wait,” said Nicolas Fischbach, chief technology officer of Forcepoint LLC, a cybersecurity firm that specializes in data protection. “They get to more data. They can learn more about the environment.”

Overstretched IT teams might not be able to keep up with updating their networks, experts say, while nonessential businesses that have effectively closed shop could prove to be easy targets. Those challenges come as workers’ use of private devices and services give attackers ample opportunity to avoid employers’ detection tools.

The public and private sectors already have faced an array of threats. The Federal Bureau of Investigation warned of an uptick in phishing scams against businesses. The World Health Organization told Reuters that hackers targeted it with a malicious look-alike website. And the U.K.’s National Crime Agency confirmed to WSJ Pro Cybersecurity that it is investigating an alleged ransomware attack against Hammersmith Medicines Research Ltd., a drug-testing company that has carried out trials for the ebola vaccine and other treatments.

While some attackers use ransomware for an immediate payout, more sophisticated groups could use the upheaval to penetrate networks and quietly search for bank account numbers, trade secrets or personally identifiable information that is financially or politically valuable, Stephen Breidenbach, a cybersecurity and privacy lawyer at Moritt Hock & Hamroff LLP, said in an email.

“They’ll then start siphoning off those resources as inconspicuously as possible, or wait to hit all the assets in one fell swoop when the company is most vulnerable,” Mr. Breidenbach said, adding that attackers could lie dormant for years. “Some hackers even try to get money from the stock market using nonpublic information they acquire.”

The question is whether companies and governments can also play the long game. Widespread office closures over the past two weeks have overloaded some virtual private networks with remote workers, according to cybersecurity experts. Mr. Fischbach, of Forcepoint, said the most common question clients had last week was how to scale up VPNs to handle the surge in traffic.

Debbie Gordon, chief executive of Cloud Range Cyber LLC, which works with businesses to war-game cyberattacks, said IT teams will continue to be pulled between helping employees maintain productivity and aggressively policing potential breaches. That balancing act—let alone new security investments—might prove difficult for businesses tightening their budgets amid an economic slowdown.

“Their focus might not be on the proactive patching and maintenance of the networks as well,” Ms. Gordon said.

The Cybersecurity and Infrastructure Agency at the Department of Homeland Security has urged public- and private-sector workers to patch their systems, be on the lookout for abnormal activity and ensure machines have properly configured firewalls.

But the added wrinkle is that many remote workers may turn to their own computers, email and file-sharing accounts in a pinch, said Paul Martini, chief executive at iboss Inc., a cloud security firm. Often accessed through the public internet, those private tools increase the surface area for attacks and make successful data breaches more difficult for intrusion-detection tools and cybersecurity teams to see.

“My suspicion is we’re going to see a big uptick in terms of the amount of data on these public, information-sharing sites that shows up on the dark web,” Mr. Martini said.

See Original Post

Reposted from Cyberscoop

Coronavirus-themed scams show no signs of letting up as hackers have tried to breach mobile phone users in Italy and Spain, the two countries with the most deaths from the virus.

Attackers laced mobile apps with malware to try to steal data from, or otherwise compromise, Italian and Spanish residents looking for updates on the pandemic, according to Slovakian antivirus firm ESET. The phony apps posed as legitimate ones offering updates on the spread of the novel coronavirus and how to assess your risk of infection.

“Because of the current situation, many [hacking] campaigns are either migrating to a COVID-19 theme or new campaigns are created with a COVID-19 theme,” said Lukas Stefanko, an Android security specialist at ESET.

The apps were available for download for a couple days, Stefanko said. It is unclear how many people downloaded them.  The malicious app targeting Spanish users is no longer available; it is unclear whether the Italian app still is.

It is a reminder of the cruel opportunism with which many cybercriminals approach the crisis. When people turn to their phones for information on the deadly virus, hackers see an opening.

As of this writing, the novel coronavirus had killed 7,503 people in Italy and 4,089 in Spain, according to Johns Hopkins University data. Hospitals have been overwhelmed with patients, forcing health care workers to erect makeshift facilities.

The malicious Android app targeting Spanish users is a banking trojan — code designed to steal financial information — that emerged last year. It was available on a third-party malicious website and not the authorized Google Play store, ESET said.

SoftMining, the Italian company that created the legitimate app for COVID-19 tracking, has warned users that “some hackers are sending counterfeit versions of our app in which they have injected malicious code.”

Stefanko doesn’t know who is behind the attempts to hack these particular users. The two campaigns do not appear to be related, he said.

The malicious activity is part of a broader surge in COVID-19-related fraud and phishing in recent weeks. Some are using attention on the Johns Hopkins COVID-19 map to distribute malware. U.S. Attorney General William Barr has vowed that prosecutors will crack down in response.

It’s not just criminals who are exploiting the crisis. Surveillance-minded hackers from Libya to China are also tailoring their activity to COVID-19 fears.

In response to the increased cyber activity, many security professionals are volunteering their time to protect medical organizations from hacking.

See Original Post

Reposted from Leadership Matters
by Joan Baldwin

This week I had “lunch” with my friend Franklin Vagnone, president of Winston Salem’s Old Salem Village in North Carolina. Frank had finished his first virtual (and emotionally draining) meeting at 8:00 am, so for him noon felt like late afternoon. As someone who was a museum leader in Philadelphia and then New York City through 9/11 and Hurricane Sandy, he’s not unfamiliar with leading in crisis. But like many museum leaders in the age of COVID-19, his Thursday began with planning for temporary layoffs for hourly staff. The layoffs are necessary because they allow staff to collect unemployment until the country emerges from the pandemic and Old Salem rights itself. Vagnone isn’t alone. Last week layoffs were announced by the Carnegie Museums in Pittsburgh, Seattle’s Science Center, and Philadelphia’s Franklin Institute, Science Center and Please Touch Museum, in addition to Colonial Williamsburg, San Francisco’s MOMA and undoubtedly many more. Sadly, the group most affected is the most vulnerable: part-time employees, many without benefits. As another friend put it, “Suddenly work is like trying to wash the dishes only the kitchen sink is missing and the water’s turned off.”

AAM’s President and CEO Laura Lott estimates that since the crisis began, museums collectively have lost $33 million a day. And whether planned or not, the museum world responded with 33,000 messages to Congress supporting AAM’s crisis request for $4 billion dollars, an amount which sent Fox and Friends into gales of laughter as if the arts weren’t a business, and a home-grown one at that. In the end, thanks to AAM’s tireless work, museums and arts organizations were included in the bill although not at levels that make them whole. You can find a full description here, including the full bill if you’re so inclined.

So what should you as a museum person, leader, or organization do?

As an individual: 

• • Take care of yourself and your loved ones.
  • Maintain social distancing. Wash your hands. COVID-19 dislikes soap and water.
  • If you’ve been laid off, don’t delay, apply for unemployment.
  • If you’re working from home, there are many sites to support you, Here are a few good articles from last week: The Muse; Museum 2.0; The Atlantic.
  • Stop looking at your screen. Take a walk. Do the reading you always meant to do, but put off.
  • Plan for the future. Try to imagine, what things you want to keep and nurture, and what things you’ll change in a post-COVID-19 world.

As leader of a team or a department:

• • Take care of your people. This will end, and re-hiring is costly. Protect staff in whatever way you can. If temporary layoffs while maintaining health insurance works for your museum, do it.
  • Make sure everyone–board members, staff and volunteers–has the tools to communicate. Help them learn to stay in touch.
  • Sort out communication methods that are most equitable. Offer tutorials to everyone, and encourage your team or department to talk with one another on a regular basis.
  • Treasure your IT and social media team and build bridges between them and your program.
  • Talk to your community, whether through email, Instagram or Facebook let them know you’re there.

As a Museum Leader:

• • Thank your Congressional representatives.
  • If you’re not an AAM member, join now. Its COVID-19 information is worth the individual membership if you can’t afford more. Ditto your regional museum service organization.
  • Take care of your people. This will end, and re-hiring is costly. Protect staff in whatever way you can. If temporary layoffs, while maintaining health insurance works for your museum, do it. Don’t let HR make decisions because that’s the way it’s always done. We moved out of the world we knew about two weeks ago.
  • Think about your organization’s virtual life. If you can create “A Minute with the Curator” or “A Walk with the Farm Horse” videos they may generate an audience that will outlive the virus. We’ve all watched Tim, the head of security at the National Cowboy Museum. Perhaps you have someone on your staff who’s equally charming and authentic, but never heard from.
  • If you have under 500 employees, you’re eligible for a small business loan to make payroll or pay health insurance.
  • Remember in the midst of the bleakness to have hope. I’ll close where I began with Frank’s video to his community.

See Original Post

Reposted from Forbes

With untold numbers of employees suddenly working from home, videoconferencing has promptly become the go-to method for running meetings and communicating with staff.

But if you’ve ever sat through a poorly-run videoconference meeting (and who among us hasn’t endured dozens of those), you know that simply purchasing the latest videoconferencing platform is not a panacea.

Fortunately, there are four simple techniques that you can implement today that will immediately improve your videoconferences.

Technique #1: Everyone Must Use Video

This might seem like an obvious point, but the majority of videoconferences have at least a few people who eschew video and only use audio. Unless there’s a serious technical glitch, you should require everyone on the call to activate their webcam.

When only a few people use video, it quickly erodes the team’s cohesion. Most of the folks who activated their video will be thinking “It’s not fair that Bob isn’t using video,” or “How come I have to be on video but Sally doesn’t?” or “I know Pat’s not really paying attention and that’s why they didn’t activate their webcam.”

When people are already stressed, and more likely to engage in negative thinking, those are not thoughts that you want to encourage on your team.

Technique #2: Everyone Must Use A Headset

Most people log into a videoconference with their laptop and simply use the computer’s built-in microphone and speaker. And while that’s certainly cheaper than buying an external headset, it makes for a painful videoconference.

If you’ve ever heard disruptive echoes, reverb or someone who sounds like they’re speaking in the middle of an airplane hangar, it’s often caused by two factors. First, the built-in microphones on most laptops and computers are low quality, especially compared to what you’ll find on even fairly inexpensive headsets and external microphones. In fact, if you have kids who play video games, it’s quite likely that they have better equipment than you do.

The second reason you hear those awful echoes or reverb is that when you’re using the internal microphone and speakers, you’re essentially on speakerphone. Thus you run the risk of your microphone picking up sound from your speakers, the speakers playing that sound back, which is again picked up by the microphone, and now you’ve got an infinite loop of annoying sound.

It’s possible that your laptop has an echo cancellation feature, but if you’re experiencing a high CPU load because you’ve got multiple applications running, that feature could be rendered ineffective.

Also, it’s much more difficult to interrupt someone when they’re essentially on a cheap speakerphone. So get everyone on your team using headsets, and you’ll immediately experience a big improvement in the quality of your videoconferences.

Technique #3: Pause Every Three Sentences When You’re Speaking

Apropos interruptions, even with headsets, it can sometimes be tough to hear when someone wants to cut in and ask a question or make a comment. Therefore you’ll need to instruct everyone on your team to pause for a few seconds after they speak (approximately) three sentences.

It’s shocking just how many people can speak uninterrupted for 5-10 minutes (if not more) on a videoconference. And when that happens, the other people on the call are virtually guaranteed to lose focus. And forget the question they wanted to ask. And even become seriously irritated.

It takes a little practice, but if you remind your team at the beginning of every videoconference, and model the behavior yourself, you’ll quickly see a marked improvement.

Technique #4: Have Clear Rules For Your Videoconference

More than 20,000 people have taken the free online test “Is Your Personality Suited To Working Remotely Or In The Office?” Respondents answer ten questions and receive results indicating whether their personality is better suited to working remotely or working in an office.

One of the questions asks people to choose between these two statements:

• I prefer not to be constrained by a set of rigid rules.
• I like having rules and clearly defined expectations.

The data shows that 43% of people like having rules and clearly defined expectations. So if your videoconference doesn’t have a clearly defined agenda with clearly defined blocks of time, a process for everyone to take turns speaking, and strict start and stop times, you risk running afoul of the desires of nearly half your team.

In a typical face-to-face meeting, you can afford to get a little sloppy and careless with your meeting structure; you’ll immediately see via everyone’s body language that things are going poorly and you can regroup quickly. But on a videoconference, the telltale signs of a meeting going poorly aren’t quite so obvious.

Even though a minute-by-minute agenda, or prescribed times for questions, might seem a bit much for a videoconference with your internal team, structure is a good antidote for stress. Structure provides a sense of clarity and calm, because it means there’s one less thing we have to stress about.

With your employees likely feeling all-time-high levels of stress, it’s a great idea for you to eliminate as many irritants and stressors as possible. And with an exponential increase in the number of leaders and employees conducting videoconferences, even small tweaks can deliver significant improvement.

See Original Post