The Ins & Outs: Which Internal Errors & External Threats Affect Business Compliance

U.S. Money Reserve
7 min read · Apr 8, 2021


by Francine Breckenridge, Compliance & Legal Officer, U.S. Money Reserve

Errors and threats can come from anywhere in business. Here’s what you need to know about them.

We all deal with risk every day, whether we’re driving to the grocery store or simply picking our kids up from school. Think about it — a bus could come out of nowhere and hit us. We could pick up a deadly virus (much more likely during these days of coronavirus). We could suddenly be diagnosed with cancer.

Risk is simply part of daily life, but it also plays a significant role in our corporate and business lives. A supplier could suddenly be unable to deliver needed parts. A software upgrade could go horribly wrong. A natural disaster could hit your office.

Though this kind of risk is a natural and normal part of daily life, that doesn’t mean we should just ignore it and hope for the best. To protect ourselves, our families, and our loved ones, we need to have a plan in place to minimize or mitigate risks. That goes for our business lives as well as our personal lives.

When it comes to business risks, both internal errors and external threats can affect business compliance. These threats can determine the success or failure of a business. It is essential to understand what they are and how they can affect your company. Here are some of the ins and outs of internal errors and external threats that involve compliance.

Operational Risk vs. External Risk in Business

Before we get into the nitty-gritty, it’s important to understand the difference between operational risk and external risk in business. Simply put, operational risk is the kind that comes from inside the company. These risk issues can range widely based on what type of business you are running, but most operational risk tends to include everything from HR issues (hiring and firing practices, employment policies, employee guidelines, and others) to business ethics. Operational risk can also include technology security, since these kinds of threats can come from inside the company.

External risk often comes in the form of government regulations (changes to policies, etc.), local laws, and external attacks in the form of hacking or phishing. These threats can and do change and evolve regularly based on the current economic and political climate. It’s essential to keep track of these items and ensure that you always stay on the right side of the law and use the most up-to-date technology. The risks of breaking these rules and regulations can be tremendous, and being hacked is a constant threat that can absolutely destroy a company in one fell swoop.

The compliance officer’s job is to ensure that everyone at the company adheres to both the operational parameters and the legal and regulatory rules applicable to the business. Any failure to do so can result in a wide variety of penalties ranging from hefty fees to jail time for those responsible for breaking the law. It’s also the compliance department’s job to ensure that technology is current to protect valuable business assets from potential internal and external attacks.

In addition to these risks, many issues can result from unhappy customers, clients, or even employees. Social media is pervasive, and people use it both as a tool and a weapon. It can leave companies vulnerable to a wide variety of issues, including hacking. While social media can help get your product in front of customers, it can also prove to be an incredibly vulnerable point of contact.

Internal Risks that Affect Compliance

There are a few common, significant internal compliance risks that can affect a business. This handful of risks can impact any business of any size. They must be considered no matter whether you are just starting your business or already have a well-established business up and running.

Information Theft Perpetrated by Employees

If you run a business, you handle tons of private information about your employees and customers all the time. Your databases and payroll contain everything from medical and health information to Social Security numbers, home addresses, banking information, and contact information. This kind of information can be incredibly valuable to anyone looking to make a quick buck or anyone looking to damage your organization. It can even happen by accident.

For example, in 2017, the City of Calgary was hit with a $93 million class-action suit when one employee sent data about workman’s compensation, medical records, insurance information, and address and contact information to another employee in a different city. The breach lasted from 2012 until 2017, leaving more than 3,700 employees vulnerable to hacking and identity theft.

Additionally, there are trade secrets, special technology, and intellectual property that many employees must have access to in order to do their jobs. Should a well-placed employee become disgruntled with management, they could decide to take the issue into their own hands and steal valuable information from the business. The massive theft at GE that happened back in 2011 is a prime example. Two employees stole advanced computer models for calibrating turbines made by GE, as well as marketing and pricing information for the service. One of the employees started a new company that competed with GE to calibrate turbines. In 2020, after many years of investigation by the FBI, the two employees were arrested and fined $1.4 million. They are currently serving jail time.

The truth is that the damage those employees did to GE’s intellectual property is probably worth well more than $1.4 million. In many cases like this, the long-term financial damage can last for years. Once the cat is out of the bag, you can’t put it back in.

Intentional Damage by Employees

We all aim to hire and keep fantastic employees, but if you have bad business practices or a toxic work environment, you leave your company extremely vulnerable to disgruntled employee attacks. Take Cisco as an example. A former employee gained unauthorized access to the company’s cloud infrastructure and deployed a malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application. As many as 16,000 users couldn’t access their accounts for two weeks, and the company spent approximately $1.4 million in employee time to audit infrastructure and fix the damage. The company also had to pay a total of $1 million in restitution to the affected users.

What We Can Learn from These Internal Errors and Threats

In all of these cases, security could have been enhanced by requiring some form of double-authentication or sign-off from those who managed these employees. Additionally, ensuring that you have a compliant and healthy workplace can make a world of difference. If you have happy employees, they’re far less likely to try to damage your company. If you have a toxic environment, you make your company that much more vulnerable to these kinds of compliance issues.

External Threats that Affect Compliance

It’s not only internal errors and issues that can affect compliance. External threats are a constant concern for business compliance managers. Here are a couple of common situations companies get into trouble with when it comes to external threats that affect compliance.

Compromised Apps

In this day and age of remote work, we increasingly rely on external applications to get our work done. Software such as Slack, Zoom, and others is an integral part of our work-from-home world, but it is continually vulnerable to attack. If the app makers and corporations that your company contracts with don’t secure their own technology, or accidentally deploy a bug fix that makes the system more vulnerable, you are at risk.

Take Marriott as an example. Back in January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million Marriott guest records, including contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020. Marriott is still working to untangle the mess and deal with the significant fines that various governments worldwide have imposed.

Shoddy Security

Back in 2017, Equifax, the credit reporting company, was massively hacked. Hundreds of millions of users’ information was stolen over a period of two years (until 2019), and it all came down to an unrenewed security token and unsegmented servers.

More recently, take a look at the massive and ongoing SolarWinds hack. SolarWinds is a company that handles sensitive data for several organizations from Homeland Security to the U.S. Treasury Department. Hackers embedded code in some of the systems at SolarWinds, and when it sent out a regular software update, that hacked code went with it, widening the hack. The hackers stole personal information, classified information, and other content related to many of the dealings of major corporations and the U.S. government. It’s believed that Russia is behind this hack.

In both cases, shoddy security processes were to blame.

How Do You Protect Your Company from These Internal Errors and External Threats?

The truth is that you can only do your best to protect yourself and your company from these kinds of vulnerabilities. Having very clear, easy-to-follow rules and regulations in place internally and making sure that your security is as tight as possible can help dissuade the casual interloper from doing any real damage. But for a determined person or entity, not much will stop these kinds of threats from hurting your business and your bottom line. The best thing you can do in those cases is simply to be prepared and have a plan in place to move quickly and efficiently to stem the loss. It can also pay tremendous dividends to ensure that your own internal company culture isn’t toxic and offers all employees the opportunity to do their best work. The more you can ensure that you have a plan in place for when and if things go wrong, the better off you’ll be.
