Espion is calling on organizations not to overlook the risks posed by workers increasingly packing their own clouds and apps into their virtual briefcase without consulting their IT department.
The growth of ‘shadow IT products’ (non-approved SaaS applications) has skyrocketed in recent years, with the latest research revealing that 81 percent of enterprise employees admit to using unauthorised applications. The scale of this was also highlighted at Espion’s recent 101 Series on App Security, with attendees agreeing it is a growing concern in their organizations.
Without doubt apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working. However, organizations need to be highly cognisant of the potential downside these time-saving, skill-boosting, collaboration-enhancing, process-streamlining (and more) apps and software pose to corporate information.
UK organizations are struggling to stay on top of costly technology risks, according to a new report by KPMG. The Technology Risk Radar, which tracks the major technology incidents faced by businesses and public sector bodies, reveals the cost of IT failures over the last 12 months. It found that, on average, employers had to pay an unplanned £410,000 for each technology-related problem they faced. The report also reveals that, for each IT failure, an average of 776,000 individuals were affected and around 4 million bank and credit card accounts were compromised.
Incidents caused by ‘avoidable’ problems such as software coding errors or failed IT changes accounted for over 50 percent of the IT incidents reported over the past year. Of these, 7.3 percent of reported events were the fault of human error: a figure which shows that basic investments in training are being ignored at the employers’ cost. Further, while data loss related incidents continued to be a major problem for all industries, a significant number of those (16 percent) were unintentional.
KPMG’s Tech Risk Radar reveals that customer-facing organizations are quickly realising the true cost of systems failures if they are left unchecked. For instance, a utility company faced a £10 million fine when technical glitches during the transfer to a new billing system meant customers did not receive bills for months and were then sent inaccurate payment demands or refused prompt refunds when errors were eventually acknowledged.
Commenting on the findings of the Technology Risk Radar report, Jon Dowie, Partner in KPMG’s Technology Risk practice, said: “Technology is no longer a function within a business which operates largely in isolation. It is at the heart of everything a company does and, when it goes wrong, it affects an organization’s bottom line, its relationship with customers and its wider reputation.
“Investment in technology will continue to rise as businesses embrace digital and other opportunities, but this needs to be matched by investments in assessing, managing and monitoring the associated risks. At a time when even our regulators have shown themselves to be vulnerable to technology risk, no one can afford to be complacent.”
With financial services under enormous pressure to maintain highly secure technology infrastructure, KPMG predicts IT complexity will continue to be the single biggest risk to financial services organizations in the coming year. This is closely followed by ineffective governance, risk and non-compliance with regulations. Security risks – such as cyber-crime and unauthorised access – are rated fifth.
Jon Dowie adds: “With ever greater complexity in IT systems – not to mention the challenge of implementing IT transformational change – companies are running to stand still in managing their IT risks. The cost of failure is all too clear. It is crucial for both public and private sector organizations to understand the risks associated with IT and how they can be managed, mitigated and avoided.”
The Australian Prudential Regulation Authority (APRA) has released the final version of its new risk management standard, and associated guidance.
APRA consulted extensively during 2013 and 2014 on both the risk management standard and prudential practice guide. The package released includes final versions of Prudential Standard CPS 220 Risk Management (CPS 220) and Prudential Practice Guide CPG 220 Risk Management (CPG 220) as well as a letter to industry summarising APRA’s response to submissions on the most recent consultation, which commenced on 7th October 2014. The letter sets out a small number of minor refinements that were made to the prudential practice guide as a result of the submissions received; there were no further changes to the prudential standard.
The new requirements are applicable to authorised deposit-taking institutions (ADIs), general insurers and life companies, and authorised non-operating holding companies (authorised NOHCs), and take effect from 1st January 2015.
APRA Chairman Wayne Byres said the new standard harmonises risk management requirements across the banking and insurance industries, bringing together a range of risk management requirements into a single standard.
‘The new standard, together with the new practice guide, reflect APRA’s heightened expectations with regards to risk management, consistent with the increased emphasis that has been placed on sound governance and robust risk management practices in response to the global financial crisis.’
Early data suggests that the current 2014-2015 flu season could be severe, with related human resource business continuity issues for organizations.
The Centers for Disease Control and Prevention (CDC) urges immediate vaccination for anyone still unvaccinated this season and recommends prompt treatment with antiviral drugs for people at high risk of complications who develop flu.
So far this year, seasonal influenza A H3N2 viruses have been most common. There often are more severe flu illnesses, hospitalizations, and deaths during seasons when these viruses predominate. For example, H3N2 viruses were predominant during the 2012-2013, 2007-2008, and 2003-2004 seasons, the three seasons with the highest mortality levels in the past decade. All were characterized as ‘moderately severe.’
Earlier this year, Steelhenge launched the Crisis Management Survey 2014 with the aim of developing a better picture of how organizations are building their preparedness for a crisis. Questions ranged from strategic ownership of the crisis management capability through plan development and training to the tools used to support the crisis management team. Respondents were also asked about the challenges they face in creating a crisis management capability and how they rate their overall level of preparedness.
One of the most striking results from the survey, published in 'Preparing for crisis: safeguarding your future', was that less than half of the respondents rated the overall crisis preparedness of their organization as ‘very well prepared’ with 13% responding that they were either ‘not well prepared’ or ‘not prepared at all’. The greatest challenges to crisis preparedness cited by the survey respondents were lack of budget, lack of senior management buy-in, time constraints, operational issues taking precedence and employees not seeing crisis preparedness activities as a priority.
The crisis communications function was found to be lagging behind when it comes to crisis preparedness; while 84% of organizations surveyed had a documented Crisis Management Plan, less than a quarter of respondents recorded that they do not have a documented plan for how they will communicate in a crisis and 41% responded that they do not have guidance on handling social media in a crisis.
In the Business Continuity Institute's 2014 Horizon Scan report, the influence of social media came second in the list of emerging trends or uncertainties with 63% of respondents to the survey identifying it as something to look out for.
Other key themes to emerge from the Crisis Management Survey include:
- Embedding – Less than half of the respondents had a programme of regular reviews, training and exercising that would help embed crisis management within an organization and create a genuinely sustainable crisis management capability.
- Engagement – In the face of high profile crises befalling major organizations year after year, 29% of organizations taking part in the survey still waited for the brutal experience of a crisis before creating a plan. Crisis preparedness is still a work in progress for many, particularly with regard to crisis communications planning.
- Ownership – Ownership of crisis management at the strategic level amongst the survey population lay predominantly with the Chief Executive. However, responsibility for day-to-day management of the crisis management capability was spread widely across a broad range of functional roles with business continuity/disaster recovery and incident/emergency management featuring most with 50% between them.
The report concludes that the fact that a large number of organizations still do not have plans, and such a large percentage of organizations do not run a programme of development to maintain and improve their crisis management capability, suggests that too many organizations are not yet taking crisis management seriously enough. Any doubters as to the value of crisis management only have to speak to organizations who have suffered a crisis. As one survey respondent said: "We have suffered a number of potential crisis situations including an actual terrorist attack. Good planning and preparation has stood us in good stead."
Would you put all your investment into shares in just one company? Or into just one piece of property? Or even just into gold? While people are free to put their money where they please, many financial investors have identified diversification of investment as a better solution. Similarly, in business continuity the right mix of safer measures with lower returns and more innovative strategies with higher returns can optimise resilience without requiring unduly heavy expenditure (which in itself could threaten business continuity). This portfolio approach requires a certain attitude and tools, but can pay dividends.
LOS ANGELES — In the most sweeping campaign directed at earthquake safety ever attempted in California, Los Angeles officials proposed Monday to require the owners of thousands of small, wooden apartment buildings and big concrete offices to invest millions of dollars in strengthening them to guard against catastrophic damage in a powerful earthquake.
The mandate to retrofit buildings was part of a raft of proposals made by Mayor Eric M. Garcetti to deal with what is widely viewed as a longtime failure of Southern California to prepare for a damaging earthquake. In a report issued Monday, Mr. Garcetti also proposed that the city take steps to create a new firefighting water supply system, using ocean and waste water, to help battle as many as 1,500 fires that could break out in a major earthquake. Such a temblor is likely to leave large parts of this region without water or power.
The retrofitting requirements must be approved by the City Council, and would have to be paid for by the building owners, with the costs presumably passed on to tenants and renters. The costs could be significant: $5,000 per unit in vulnerable wooden buildings and $15 per square foot for office buildings, Mr. Garcetti said.
It’s that time of year—security experts are looking ahead to the coming months and discussing their predictions. I have seen a number of predictions that I believe deserve further discussion, so over the month of December, I’ll be looking at some of those issues more in depth. Today, I’m going to take a look at cloud security.
A recent IBM study found that 75 percent of security decision makers expect their cloud security budgets to increase in the next five years. At the same time, according to MSP Mentor, 86 percent of CISOs say their companies are adopting cloud computing. So it makes sense that there will also be a greater interest in funding cloud security efforts.
But it isn’t just a matter of securing the data in the cloud. The cloud is also going to have a much stronger influence on the way we approach overall security practices, says Paul Lipman, CEO of iSheriff. That’s because the cloud is changing the entire business computing structure, which will cause it to have a ripple effect into security concerns. In an email conversation, Lipman provided his five predictions for the future of cloud security. In a nutshell, they are:
Knowledge Vault today announced the general availability of its namesake analytics-as-a-service platform that provides more insight into how documents are being consumed and shared beyond anything IT organizations could hope to accomplish on premise.
Knowledge Vault CEO Christian Ehrenthal says that starting with Microsoft Office 365 deployments, IT organizations can use Knowledge Vault to discover and audit content and apply governance policies to documents stored in the cloud. Next up, says Ehrenthal, will be support for Dropbox, Microsoft OneDrive and Box.net.
Knowledge Vault itself makes use of a Big Data analytics engine based on Hadoop that runs on Microsoft Azure to analyze the content of documents that it accesses via the application programming interfaces (APIs) that various cloud service providers expose. That data then gets stored on top of Hadoop as a Knowledge Vault object.
(TNS) — The Federal Emergency Management Agency unveiled a broad series of reforms Friday to address concerns contractors conspired to underpay flood insurance settlements to homeowners after superstorm Sandy.
In a strongly worded letter to private companies that work for the government-run National Flood Insurance Program, FEMA administrator W. Craig Fugate said he had "deep concern" over allegations engineers falsified documents to deny claims.
"We must do better," Fugate wrote. "Policyholders deserve to be paid for every dollar of their covered flood loss."
The reforms include: