Chris Peterson Guest Speaker on Radio Station WCOM 103.5

Posted on 2, Apr | Posted by RMA

On Tuesday, April 1, 2014, Chris Peterson was the guest speaker on the program “Focus on Business” hosted by Lea Strickland which aired on radio station WCOM 103.5. “Focus on Business” provides insights, information and perspective on building strong businesses, sustainable businesses that build sustainable communities. Guests include area business leaders, experts and professionals who share their experience. If you want to start, expand, grow or repair a business, tune in.

Chris and Lea discussed fraud in the workplace and the fact that a typical company loses 5% of its revenue each year. The discussion expanded to the vulnerability created when employees bring their own electronic devices, including phones, tablets and computers, into the workplace.

WCOM 103.5 is a listener-supported, volunteer-powered community radio station located in Carrboro, North Carolina. The mission of WCOM is to educate, inspire, and entertain the diverse populations of Carrboro, Chapel Hill and nearby areas. They cultivate local music and facilitate the exchange of cultural and intellectual ideas, with particular regard for those who are overlooked or under-represented by other media outlets. They provide a space for media access and education by providing equipment and training to our community. “Focus on Business” airs on Tuesdays from 12:00 – 1:00.


Christine Peterson and Marty Coolidge Present at Institute of Management Accountants Luncheon

Posted on 28, Feb | Posted by RMA

Christine Peterson and Marty Coolidge presented at the IMA NC Triangle Chapter and the Carolinas Council Annual Winter Conference on February 28, 2014, at the Prestonwood Country Club in Cary, NC. The presentation, titled Enemies at the Gate or Are They Already Inside?, focused on fraud and abuse in the workplace, which costs businesses on average 5% of revenue per year.

IMA is the worldwide association of accountants and financial professionals working in business. They are committed to helping more than 65,000 members to expand professional skills, better manage organizations, and enhance careers. For more than 90 years, IMA has been a champion of – and resource for – the financial management and accounting profession. The organization was founded in Buffalo, N.Y., in 1919 as the National Association of Cost Accountants (NACA) to promote knowledge and professionalism among cost accountants and foster a wider understanding of the role of cost accounting in management.


RMA Presents at CSI Week at Meredith College

Posted on 25, Oct | Posted by RMA

Chris Peterson presented Enemies at the Gate – or Are They Already Inside? as part of CSI Week at Meredith College. CSI Week allows students at Meredith to explore career opportunities in law enforcement and related fields. The event is sponsored by the Sociology and Criminology Programs, and the Sociology & Criminology Club (and with the support of Political Science, Accounting, & Social Work).

Other presenters during the week included:

  • Special Agent Jahaira Torrens spoke about Homeland Security Investigations.
  • Cat Flowers, owner of Cat Eye Detective Agency, presented.
  • Police Officer and Social Worker Renea Lockhart spoke about domestic violence and being both an officer and a social worker.
  • U.S. Marshals talked about the work they do tracking down fugitives and other law enforcement activities.
  • Wake County Prosecutors spoke about their work.
  • RPD Gang Unit talked about their work with gang prevention and dealing with gangs in Raleigh.
  • Crime Scene Analysis, RPD patrol officer, CCBI investigator (the local CSI) and a detective from Raleigh Police talked about how they work and investigate a crime scene.
  • Cary Police Department crime mapping analyst Elise Pierce spoke about her work in the use of Crime Scene mapping to facilitate the work of police in Cary.

Chartered in 1891, Meredith College is one of the largest independent private women’s colleges in the U.S. Meredith also offers coeducational graduate programs in business, education and nutrition, as well as post-baccalaureate certificate programs in pre-health and business, a dietetic internship program, a didactic program in dietetics and a paralegal program. Meredith’s programs – undergraduate and graduate – challenge each individual student to think deeply, push hard, discover new strengths and grow even stronger. Meredith has been cited as one of the “best colleges” in the region and the country by U.S. News & World Report, The Princeton Review and Forbes.com.


Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are small businesses (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, if he had wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


RMA Presents Bring-Your-Own-Device Policies at RTP CFO Forum

Posted on 6, Sep | Posted by RMA

Chris Peterson and Russell W. Gilmore (http://www.rmasecurity.com/about-rma/team-profiles/russell-w-gilmore/) presented BYOD (Bring Your Own Device): Issues and Implications for Companies at the September RTP CFO Forum. The program discussed security issues and considerations for companies when employees connect personal devices to the company network. What issues need to be considered to accommodate lawsuits, audits, and records requests? How can companies prepare for lost or stolen devices? What steps can and should be taken when terminating employees?

The RTP CFO Forum serves the greater Raleigh, Durham and Chapel Hill region, supporting over 200 senior financial executives. The Forum is designed to provide interactive networking and discussion of technical and strategic topics in an environment created exclusively for senior-level peers. CPE is provided on select topics.

The RTP CFO FORUM is scheduled for the first Friday of every month, from 7:30AM – 9:00AM. Attendance is limited to CFOs or senior financial professionals in similar positions. The RTP CFO Forum is sponsored by Hughes Pittman & Gupton, LLP.


Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired. Read the full story here.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.


Security in the Office – A Checklist

Posted on 30, Jul | Posted by Christine L. Peterson, CPP, ISP

  • Comply with and support your company’s safety and security program and regulations, and insist that others do the same.
  • Protect wallets, keys, purses, and other personal valuables on the job. This especially includes smartphones and tablets.
  • Challenge strangers in restricted areas. The best way to approach this is from a helpful perspective, such as “Can I help you?”
  • Do not discuss company affairs off the job.
  • When leaving the office, even for a short period of time, clean up and secure your work space, with special attention to confidential documents. Also provide for the protection of company equipment assigned to you.
  • If you handle money as a part of your job, insist on positive identification before you cash checks, and refuse obviously counterfeit or questionable currency.
  • If you work in a retail establishment or any other business, guard against shoplifting and employee theft within the frameworks of the law. To deter shoplifting, speak to all customers in your area. Be wary of bulky coats, large shopping bags, partially opened umbrellas, and folded newspapers. Know your company’s policy on dealing with shoplifters, and adhere to it.
  • Make certain your employer has clear and adequate guidelines for handling complaints of sexual harassment.
  • Retain security guards, because they provide a substantial deterrent to the criminal’s expectation of success.

RMA Presents PI 230 and PI 240 Training

Posted on 11, Dec | Posted by RMA

RMA presented two days of training to over twenty students in Raleigh, NC.

PI 230 was presented on Monday, December 10. Mike Epperly provided information on Legal Issues for Private Investigators. Marty Coolidge taught a course on Executive Protection. Billy Green presented Elements of Physical Security.

PI 240 was presented on Tuesday, December 11. Rusty Gilmore provided training on Computer Forensics for Investigators. Mike Epperly presented Compliance and Ethics II. Billy Green instructed students on Planning for Catastrophic Emergencies.

Effective January 1, 2012, all PPSB license holders must have completed 12 hours of approved continuing education credit to qualify for license renewal. RMA has developed training programs that are relevant to practice as a private investigator and protection and security professional and is offering these in one-day seminars across the state. Our goal is to provide opportunities for licensees to obtain the required CEU’s and to provide interesting and relevant instruction on protection and investigative topics. The next training sessions will be held on November 14 and 15 in Raleigh, NC. Students can register and pay online on the Continuing Education page of our website.


Employment Law: Can You Police Social Media?

Posted on 23, Oct | Posted by RMA

Guest blogger Mimi Soule specializes in employment law at the Soule Law Firm in Raleigh, North Carolina. This article was originally published on the website of Forrest Firm.

Lately, the National Labor Relations Board (NLRB) is taking a particularly active interest in employer policies regarding social media.

For those of us living and working in a Right-to-Work state like North Carolina (meaning that employees are not obligated to become members of a union organized in their workplace) where union activity may not be an everyday occurrence, the NLRB is not a familiar regulating administrative body. First and foremost, it is important for business owners to understand that, in general, the NLRB has the authority to regulate private-sector employers—with or without a union—with respect to matters directly or indirectly involving their employees’ right to form a union or discuss the formation of a union.

What does this have to do with an employer’s social media policy you ask? As you have likely read in the news, the NLRB recently issued several decisions citing employers for having overly-broad social media policies, which the NLRB feels restricted employees’ rights to discuss their working conditions—a right protected by federal law and which the NLRB feels unreasonably restricts employees’ ability to discuss the potential formation of a union.

Given these recent NLRB decisions, many employers felt that they were now prohibited from having a social media policy. This just isn’t accurate. Social media policies are indeed lawful; however, because of the recent NLRB decisions, the details of what an employer could regulate within its policy were anything but clear.

So, what exactly can an employer regulate?

On May 30, 2012, the NLRB issued an Operations Management Memo that provided a summary of its recent decisions regarding social media policies, and, most importantly, at the end of the Memo, the NLRB provided a sample policy that it deemed lawful. A copy of the Operations Management Memo, dated May 30, 2012, is located on the NLRB website (http://www.nlrb.gov/news/acting-general-counsel-releases-report-employer-social-media-policies). Although the NLRB sample policy does not clarify all substantive matters, it does provide some additional and helpful guidance for employers:

  • Employers can continue to prohibit employees from posting information regarding an employer’s private, confidential information and trade secrets as well as confidential internal communications, such as business reports, policies and procedures.
  • Employers can prohibit their employees from representing in a post that they speak on behalf of the company. Employees can only express their own personal opinions.
  • Employers can require that employees be respectful, fair and courteous and to avoid posting statements that “could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying.”
  • Employers can require that employees be honest and accurate in their posts, to correct any known mistakes quickly, and never to post any information or rumors that the employee knows to be false about the company, any associates, members, customers, suppliers or competitors.
  • Employers can prohibit employees from posting comments that constitute “discriminatory remarks, harassment, and threats of violence or similar inappropriate or unlawful conduct.”
  • Employers can prohibit employees from using social media while at work or with employer-owned equipment.

For more information on this topic, please feel free to contact Mimi at msoule@soulelawfirm.com.

Mimi Soule is an established management counselor at Soule Law Firm in Raleigh, NC. She focuses her practice on assisting businesses with federal and state employment law compliance in an effort to mitigate litigation risks. Through her partnership with the Forrest Firm, Mimi advises our corporate clients on a host of employment relationship matters, including wage and hour compliance, family and medical leave, independent contractor classifications, handbook policies, effective hiring, firing and disciplinary procedures, and employment, release and non-compete agreements.

Mimi earned a bachelor’s degree in business from Wake Forest University, followed by her juris doctor degree at the Boston University School of Law.


Massachusetts Lab Scandal

Posted on 12, Oct | Posted by Christine L. Peterson, CPP, ISP

On Saturday, September 29, 2012, the News and Observer covered the story of Annie Dookhan, a chemist at a Massachusetts drug lab. This story underscores some of the devastation that can result when an organization doesn’t follow basic security principles which require both screening and guardianship. The lack of screening and guardianship at the Massachusetts state drug lab has already resulted in the arrest of Ms. Dookhan, the resignation of the state’s public health commissioner, the potential incarceration of innocent victims, and a political and law enforcement nightmare. As this case moves forward, Massachusetts will spend millions of dollars in investigative costs and reparations, and there is the potential for criminals to be freed due to the actions of Ms. Dookhan. Massachusetts Attorney General Martha Coakley said “Annie Dookhan’s alleged actions corrupted the integrity of the entire criminal justice system.” That is an understatement.

Now I understand that the information in the media is just the tip of the proverbial iceberg, but what can we learn from the surface details that might have prevented this disaster?

Lesson #1: The importance of thorough background screening cannot be overstated.

Two opportunities are often missed. First, was there a pre-employment system in place to verify information that was provided by the applicant and to look for omissions? It has been reported that the organization believed Ms. Dookhan had an advanced degree but she did not. Did anyone verify this information?

Second, did the agency have a system in place to verify information that would have a direct bearing on an employee’s position or fiduciary responsibilities post-employment? Life does not end when employment begins. People grow, they change, and circumstances change. Life happens. Employees being promoted or given a change in status should also have an updated background investigation.

Lesson #2: Remember the 10-10-80 rule for fraud.

The general rule of thumb in fraud investigations is that 10% of people would commit fraud at any opportunity, 10% of people would not commit fraud no matter the circumstances, and 80% of people can be swayed one way or the other based on circumstances and conditions. According to the News and Observer story, the only motive that authorities have found so far is the desire of Ms. Dookhan to be viewed as a good worker. Was she part of the 10% or 80%? She’s probably part of the 80% who make decisions based on outside forces which are relative to that person’s situation.

Protection of agency or company assets requires guardianship in the form of oversight. What kinds of protocols in the form of policies and procedures were in place to keep this from happening? Is the same kind of thing happening with other chemists at the agency? Did she work in a bubble with no protocols or collaboration? Did she have no supervision? Were there no quality controls in place?

This article should be an “a-ha moment” for all of us in business, public or private. This is a classic example of a motivated person seeing an opportunity to gain position and prestige within an organization by manipulating the facts. The result is fraudulent information, destroyed lives, damaged careers, sullied reputations, and millions of tax and insurance dollars.
