Retail, by its very nature, is fast-moving: competition is intense and customers are increasingly demanding. In this cutthroat environment, an inability to do business can quickly damage a retailer, and making up lost ground is often extremely difficult, if it is possible at all.
“All businesses need to have business continuity plans in place to avoid risks and minimise disaster, but retailers operate in a particularly competitive environment,” says Grant Minnaar, Business Continuity Management Advisor at ContinuitySA. “Retailers need to understand their risk profiles and make sure they have strategies in place to ensure they can stay trading, or they risk losing customers and damaging their brands.”
ContinuitySA has identified some of the top business continuity risks faced by retailers:
Craig Young gives an overview of the Bash ‘Shellshock’ vulnerability, which was recently identified, and looks at whether it really is worse than Heartbleed, as has been widely claimed.
What is the vulnerability?
An Akamai researcher discovered that Bash, the dominant command-line interpreter on Unix/Linux based systems, improperly processes crafted variable definitions, allowing trailing bytes to be executed as OS commands. Bash allows users to define environment variables that contain function definitions, and a flaw in this parsing process means that commands specified after the function definition are executed when the variable definitions are passed to a Bash interpreter. The problem can easily be reproduced by logging into a Bash shell and defining a crafted variable with trailing commands, but in this scenario there is little risk, since the commands are limited to the permissions of the already logged-in user. Where this ‘Shellshock’ vulnerability really becomes a problem is in the many ways in which Bash is indirectly exposed to an adversary. The most prominent (and worrisome) example is web technologies that use the vulnerable command interpreter to generate responses to HTTP requests. Since various details from the request are stored in Bash variables and passed to the command interpreter, a remote unauthenticated attacker can use these scripts to inject commands that will run in the context of the web server.
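As an added illustration (not part of the original article), a small Python check that scans web server log lines for the Bash exported-function prefix in exactly the request fields a CGI handler copies into environment variables; the log lines are constructed for the example.

```python
import re

# Constructed Apache "combined" log lines for illustration (not real traffic).
# Apache escapes embedded double quotes as \", which this simple parser does not handle.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.2 - - [25/Sep/2014:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.test/" "curl/7.37.0"
203.0.113.9 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 500 0 "() {:;}; echo" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash's exported-function marker is the literal "() {"; the pattern is
# deliberately lenient about whitespace so lightly varied probes still match.
FUNC_PREFIX_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_probe(value: str) -> bool:
    """True if a request field carries a Bash function-definition prefix."""
    return FUNC_PREFIX_RE.search(value) is not None


def scan_log(text: str) -> list:
    """Return one finding per request field that looks like a Shellshock probe.

    A CGI server copies the request line, Referer and User-Agent into the
    script's environment, which is exactly where the vulnerable parser runs.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unexpected format: skip rather than guess
        fields = {"Request": m["request"], "Referer": m["referer"], "User-Agent": m["agent"]}
        for header, value in fields.items():
            if is_shellshock_probe(value):
                findings.append({"ip": m["ip"], "ts": m["ts"], "header": header,
                                 "value": value, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['header']}: {f['value']!r}")
```

A 200 response to a probe against a CGI path is the case worth escalating, since it says nothing about whether the script ran but shows the request reached a handler that may have passed it to Bash.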
The BCI’s Australasian Awards will be presented in Melbourne on October 17th 2014. The shortlist for the awards has now been published and is as follows:
Business Continuity Consultant of the Year
Steven Cvetkovic MBCI, Managing Director, Continuity & Compliance Management Services Pty Ltd
Ian Perry, Director, Chelmsford Consulting Limited
Oliver Pettit, Client Director – Risk Services, Deloitte Touche Tohmatsu
Ken Simpson MBCI, Principal Consultant, The VR Group
Paul Trebilcock MBCI, Director, JBTGlobal Corporate Advisory
Nalin Wijetilleke MBCI, Director/Principal Consultant, ContinuityNZ Limited
Business Continuity Manager of the Year
John Doble, Business Continuity Manager, NBN Co.
Sarah McDonald MBCI, Senior Manager – Business Resilience, Deloitte Touche Tohmatsu
Public Sector BC Manager of the Year
Ian Goldfinch MBCI, Manager, ICT Continuity Planning, eHealth Systems, SA Health
David Reason, Senior Risk Manager, EQC (Earthquake Commission)
BCM Newcomer of the Year
Dale Cochrane CBCI, Business Continuity Consultant, National Australia Bank
Mark Dossetor AMBCI, Manager Business Continuity, Department of Transport, Planning and Local Infrastructure (DTPLI)
Eddie Ramirez, Business Continuity Coordinator, Westpac Group
Business Continuity Team of the Year
Australian Taxation Office
Department of Justice, Victoria
Victorian Department of Transport, Planning and Local Infrastructure
Business Continuity Provider of the Year (Product)
Linus Information Security Solutions Pty Ltd
RiskLogic Pty Ltd
Business Continuity Provider of the Year (Service)
Continuity & Compliance Management Services Pty Ltd
Hewlett-Packard Australia Pty Ltd
Linus Information Security Solutions Pty Ltd
Plan B Limited
Business Continuity Innovation of the Year
Continuity & Compliance Management Services Pty Ltd
PAN Software Pty. Ltd.
RiskLogic Pty Ltd
Most Effective Recovery of the Year
Bank of New Zealand
Plan B Limited
Westpac Banking Corporation
Industry Personality of the Year
Steven Cvetkovic MBCI
Howard Kenny MBCI
To better understand IT-related risk, business continuity professionals should develop and test risk scenarios. A new guide and tool kit from ISACA provides 60 examples of IT-related risk scenarios covering 20 categories of risk that organizations can customize for their own use.
‘Risk Scenarios Using COBIT 5 for Risk’ provides an understanding of risk assessment and risk management concepts in business terms, based on the principles of the globally recognized COBIT framework. It also defines the following six steps to effectively using risk scenarios to improve risk management:
1. Use generic risk scenarios, such as those presented in the publication, to define a set that is tailored to your organization;
2. Validate the risk scenarios against the business objectives of the organization, ensuring that the scenarios address business impacts;
3. Refine the selected scenarios based on this validation and ensure their level of detail is in line with the business criticality;
4. Reduce the number of scenarios to a manageable set;
5. Keep all scenarios in a list so they can be reevaluated; and
6. Include in the scenarios an unspecified event (an incident not covered by other scenarios).
Risk Scenarios provides scenario examples across categories such as IT investment decision making, staff operations, infrastructure, software, regulatory compliance, geopolitical, malware, acts of nature and innovation. It also provides guidance on how to respond to a risk that exceeds the organization’s tolerance level and how to use COBIT 5 to accomplish key risk management activities.
Risk Scenarios is available at www.isaca.org/riskscenarios
Whenever a breach of some sort occurs, two things tend to happen. First, the general password warning is given: Change them now, change them regularly, and don’t repeat passwords for anything. Second, people experience angst over password use in general. They often feel that the password has come to the end of its usefulness and we need to move on to other sorts of authentication.
You know what we never talk about when news breaks about a data breach and stolen passwords? Usernames. If we look back at two major password-related breach stories from recent months, it’s obviously something that should be considered. When word went out about the Russian hackers who had stolen a billion passwords, it was also reported that usernames were stolen.
It was the same situation with the Gmail incident of earlier this month. But if we look closely at the way an eSecurity Planet story phrased the incident, we see what the real issue is:
The following day, however, Google published a blog post stating that less than 2 percent of the username and password combinations would have worked for Gmail.
Username and password. Not just password alone.
(MCT) -- With flu season approaching, public health officials hope a crowdsourcing app that tracks flu activity will gain additional traction.
Flu Near You, a disease detection app, helps predict outbreaks of the flu in real time. Users self-report symptoms in a weekly survey, which the app then analyzes and maps to show where pockets of influenza-like illness are located.
HealthMap, Boston Children’s Hospital, the Skoll Global Threats Fund and the American Public Health Association developed the app, which was launched in November 2011. It now has more than 120,000 subscribers.
“It engages the public directly,” said Jennifer Olsen, manager of pandemics for the Skoll Global Threats Fund, a San Francisco-based non-governmental organization that works to confront dangers around the world.
We recently received a low ranking by a major market research organization, ranking eBRP Suite among the “Niche Players” in their mystical rating chart. Then why are we smiling?
We have been told that eBRP Suite does not deliver what these industry “experts” expect in a BCM software product. In last year’s review, we were ranked among the top companies. What did we do wrong this year? We did what we always do: act on our customers’ feedback to continue to improve our products. We also added a stream of new customers – including several Fortune 500 companies and international banks – all of whom found eBRP Suite to be exactly what they needed. So what happened to drop us so far in the rankings? The simple answer is: they changed the survey! We still offer the same great product. We still provide the same world class service. Just as we have for more than a decade.
What those market researchers got right is that eBRP Suite isn’t for everyone. For those looking for a tool to simply conduct a BIA and write plans, there are plenty of companies to choose from. That’s not what we are, or want to be – even if those market “gurus” think we’re wrong.
In 2010, just as the recession’s wave of fiscal calamity was peaking, George Gascón and Todd Foglesong, from Harvard’s Kennedy School of Government, published a report, Making Policing More Affordable. They pointed out that public expenditures on policing had more than quadrupled between 1982 and 2006. But with city budget shortfalls opening up across the country, police departments and their chiefs, once used to ever-growing budgets, were now facing a new reality of cutbacks, layoffs and even outright mergers and consolidations of entire police departments with others. With federal subsidies disappearing (federal support for criminal justice assistance grant programs shrank by 43 percent between 2011 and 2013), thanks to a frugal Congress, police had few options.
With funding spigots turning off, law enforcement agencies must find ways to operate more affordably, according to Gascón and Foglesong. One obvious way is to use technology more efficiently. Being more efficient with technology also means being smarter.
One example can be found in Camden, N.J., a poverty-ridden, high-crime city of 77,000, located on the banks of the Delaware River, across from Philadelphia. Desperate to cut costs, the city disbanded its entire police force. The Camden County Police Department rehired most of the laid-off officers, and hired another 100 at much lower salaries and benefits, to create a consolidated regional police force. The move is considered highly controversial and certainly radical. While police departments in other jurisdictions have merged or consolidated to cut costs, none have gone down the path that Camden has taken.
During the January 2014 winter storm that crippled the Atlanta metro area and left thousands stranded on the city’s highways, businesses stepped up to the plate to assist those with nowhere to turn. Home Depot opened 26 stores in Georgia and Alabama to shelter stranded travelers, and other local stores like Walgreens, Wal-Mart, and Target welcomed weary – and cold – drivers who abandoned their cars when it was obvious they were not going to make it home that night. These businesses provided the community with resources and services when people needed them most.
In planning for public health emergencies, communities are quickly learning that businesses are true partners in response and recovery efforts. The private sector has the expertise, resources, and everyday operating systems that can assist in a public health response, be it for a pandemic, terrorist event, or natural disaster. During Hurricane Sandy, for example, big businesses used their commercial supply chains to deliver water, food, and other supplies. As the U.S. Chamber of Commerce says, “when the going gets rough, businesses get moving.”
Staff at CDC’s Strategic National Stockpile – the largest global stockpile of pharmaceuticals and medical supplies for a public health emergency – are working to help state and local agencies forge these partnerships for both distribution and dispensing efforts and as a way to increase access to medicines in an event that affects that entire community. Partnering with public health is good business, too. These private partners are members of the community and when disaster strikes, they can help keep their employees safe and healthy and their businesses up and running.
“As a global manufacturer of computers and computer services, we have committed ourselves to providing our customers with quality products and services,” said a representative from Dell, the information technology powerhouse that has partnered with public health to assist in dispensing medicine to its employees during an emergency. “We are doing the same thing with our employees. We want them to feel good about coming to work and their company taking care of them. That’s why we have gotten very much involved in the points of dispensing program that is being offered by many of our health departments around the country.”
In addition to serving as closed points of dispensing, which allows businesses to provide medicine to their own employees, companies also are coordinating with CDC and their public health departments to provide volunteers, to assist in communications, and to serve the larger community as public dispensing sites. This type of collaboration and partnership between the private and public sector will augment and support a public health response and ultimately help keep Americans prepared, safe, and protected.
For more information on how businesses can partner for preparedness, visit http://www.cdc.gov/phpr/partnerships/.