Part and parcel of working with financial professionals in
multiple jurisdictions is a modicum of privacy. Privacy in life choices, privacy in investment choices, and privacy - no,
secrecy - when it comes to making strategic investment choices.
Yes, I said secrecy - if money center banks and trust companies
can refuse to produce their internal methods of analysis and risk weighting on
investment choices because it is a Trade Secret and a proprietary art, we must
take the very same stance to preserve our investment knowledge advantage. After all, the value of a trade secret
is that only you have control over the advantage it provides. Once the knowledge is diffuse it is of
little use. And frankly, that’s where the problem is - the keeping of private
things private and secret things secret.
I have listened to more of the professionals in the industry
gossip about what their clients are doing. The other is the stunning amount of
data being stolen - the tons of
records stolen from the service provider community and the banks and trust
companies are stunning. The industry needs to wake up and acquaint themselves with
Operations Security (OPSEC) is a process that identifies
critical information to determine whether one’s actions can be observed by an adversary,
determines if information obtained by adversaries could be useful to them,
and then suggests selected measures that eliminate or reduce adversary knowledge
of your critical information. OPSEC
is simply denying an adversary information that could harm you or your client or
benefit them. It is not a
thing but a management process designed to secure your client’s and your critical
The process is straightforward:
• Identification of Critical Information
• Analysis of Threats
• Analysis of Vulnerabilities
• Assessment of the Risk
• Application of Appropriate Measures
• Assessment of Insider Knowledge
• Critical information is information that either you, as a
professional, do not want others to know, or that your clients do not want
others to know. A client was
stunned that his competitor knew down to the penny the gross sales of his three
stores. How did the competitor get
the information? He asked the fellow’s landlord for it - the lease
had a percent of gross sales factored into gross rent, so the landlord knew the
sales figures and used them to impress other prospective renters looking to
locate to the mall.
• Analysis of threats comes down to who may want to know the
critical information in your possession or control. What parties might see themselves benefiting if they were to
have this information? It could be
a competing service provider or a competing hedge fund manager.
• Analysis of vulnerabilities is a cold hard look at how you
leak information, lose information, disseminate information or how it will be
stolen. Yes, critical information
is stolen, and about 85% of it is stolen by employees.
• Application of the appropriate OPSEC measures means securing
the critical information, preventing leakage of information, training staff and
clients and, last but not least, doing so in an organized, planned fashion.
• Assessment of Insider Knowledge of OPSEC is the process of
ensuring that all of the employees, contractors and vendors understand what you
are doing and why you are securing and restricting information, to prevent unintended
or intentional disclosures that can damage a client or your firm.
I have seen information leak from amazing places, none more
so than with jump drives, social media and the blasted smart phones.
Think about it, how many USB ports does each of your
computers have, 2, 3, 5? I have on
my desk 512 GB jump drives and 1 TB jump drives masquerading as a pen, a key
chain fob, a key, a bejeweled brooch, and a Swiss Army knife. A 1 TB jump drive would store most of
the client files for most offshore services providers with tons of room left
over! Most desktop computers,
other than those with a good deal of photos or video, use no more than 100 GB -
so a 1 TB jump drive could store all of the records and operational software of
10 of the average desktop computers. Dishonesty, cowardice and duplicity are never
impulsive. You cannot let your employees or contractors or vendors have access
to this amount of information so easily. Critical information really is the
definition of need-to-know information. With the bounties being paid for
whistleblowers and signing bonuses paid for “knowledgeable” new hires, failure
to secure your critical information is a failure in your fiduciary duty.
I heard a great joke, “Did you hear that MySpace, Facebook
and Twitter are going to merge, yeah, the new company will be called
MyTwitFace.” That says it
all. It is stunning how much
information we leak on social media.
We tell people when we are going on vacation (aka come rob my home), who
we are seeing and what we are doing at work. A famous actor came into a service provider’s office in the
Bahamas - and one of the employees Tweeted that So&So just came into the
office. In 15 min, paparazzi and well-wishers were at the door of the
professional business. It was a lapse in a star-struck moment with no ill intentions,
and no malice intended, and we know it could have been worse. What else do you or your employees post
to social media sites? Travel
schedules, off-the-cuff comments like “my boss was in court all day today” -
all of this hurts and begins to give adversaries a very good picture of what we
Smart phones: we know so little about how these devices work and we know
it so fluently. Smart phones are easy to hack - even I have hacked several
iPhones (with the owners’ permission) to prove the point. Someone can hack the phone, jailbreak the phone remotely and just sit and listen to your
conversations even while the phone is not in use but connected to a network, just sitting on a desk. I gained access
to the full phone, giving me access to calendars, meeting notes, photo library,
the camera - all of your apps, and your secret list of stored passwords. Think you are really secure - look at
Foursquare. A colleague thought that
Foursquare was so cool until I showed her how I tracked her all about town for
two days using ForeTrace.
We can add to the list of ways we leak, such as garbage, casual
conversation, travel plans, overheard luncheon conversations, and one of my
most frustrating is service providers taking proprietary structures designed by
others and then showing them to 3rd parties for their use. It’s all too familiar to
any and all of us in the industry.
It’s no longer part of the landscape, nor is it permissible, for service
providers to lose information.
The industry needs to secure its Critical Information and the process
with which to do this is OPSEC.