
Jon Seals

Compliance training, when not executed properly, can prove to be costly to organizations. Very often, compliance violations are caused not by willful offenders but by ill-informed or unwitting employees who might not have paid attention or did not understand the implications of a particular action. Today, most organizations opt for online compliance training, as it is cost-effective, practical and can also be monitored easily. However, online courses can be boring and uninspiring if they do not engage the participants. As a result, the learning may be incomplete and not as desired.

However, with simple elements in an online course and the right learning strategy, you can make courses effective and learner-friendly, as well as engaging.  At the same time, you can also ensure that the participants complete all course modules without skipping and thereby missing important content. Given below are some important elements I have identified, based on my experience developing online compliance courses for leading organizations.



What would you expect residents of Sydney to be doing Sunday afternoon and evening, 5 June 2016? Watching the big fight? In a way, they were. Storms hit the city and real clouds slugged it out with virtual clouds.

Nature scored points and something of a knockout in the first round, taking out some of Amazon’s Sydney web services and data centre facilities.

Amazon virtual clouds staged a comeback and had services back up and running by the next morning. In the meantime, end-users went to social media to complain about the breakdown and lack of business continuity.

Worrying enough perhaps, but sometimes it takes far less than giant storm clouds to bring communities to their knees, as the following example shows.



Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external Internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect. 79 percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise. The findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.

The report ‘Security Beyond the Traditional Perimeter’ examined the threats, costs and responses of companies to external internet cyber attacks. These threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company’s traditional security perimeter. Security professionals cited an urgent need for expertise, technology, and external services to address their growing concerns about these external threats.

Some of the key findings include:

  • Fifty-nine percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies.
  • External Internet attacks are frequent and the financial costs of these attacks are significant. Respondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.
  • Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).
  • Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.
  • Security leaders agreed that monitoring the internet and social media is critical to gaining intelligence about external threats. Top monitoring priorities include mobile app monitoring (cited by 62 percent of respondents), social engineering and organizational reconnaissance (61 percent of respondents), branded exploits (59 percent of respondents), spear-phishing infrastructure (58 percent of respondents), and executive and high value threats (54 percent of respondents).


Even as middle market businesses in all parts of the world view their exposures to natural catastrophes as increasing, many fall short of managing these risks effectively, according to a new survey. Assurex Global polled senior executives at more than 80 leading independent insurance brokers from around the world whose commercial clients operate primarily within their own countries and found that many mid-sized firms lack adequate insurance, business continuity planning, risk management and civil infrastructure support to prepare for and recover from large-scale natural disasters.

In the survey, inland flooding was considered the most significant natural catastrophe risk for middle market businesses, cited by 70 percent of the brokers; followed by hurricanes, cyclones and windstorm (50 percent), and earthquakes and tsunami (38 percent). Understandably, responses varied somewhat by region, with hurricanes rated the top risk in the US and Canada; earthquakes/tsunami in Latin America and the Caribbean; and inland flooding in the Asia/Pacific and across Europe, the Middle East and Africa (EMEA).

“Although the types of natural catastrophe risks facing businesses vary somewhat in different areas of the world, there’s a common thread in terms of what must be in place for middle market businesses to manage them effectively,” said Jim Hackbarth, CEO, Assurex Global. “Certainly, having sufficient catastrophe insurance, effective business continuity management and a civil infrastructure that supports preparedness, response and recovery are all keys to managing these significant exposures. Further, senior leadership’s support of the company’s risk management measures is universally paramount to their implementation as well as to the company’s ultimate success and survival.”

Natural disaster risks on the rise

Worldwide, more than half the brokers indicated their clients believe that their exposure to natural catastrophe risks has increased in the past five years, including 78 percent of those in Latin America and the Caribbean and 67 percent of those located in the Asia/Pacific.

Many businesses unprepared

In the face of increased risks, nearly one-fourth of the brokers surveyed worldwide estimated that fewer than 20 percent of middle market businesses in their regions now feel they are adequately prepared and insured for natural catastrophes. These estimates varied sharply by region, with 44 percent of brokers in Latin America/Caribbean citing the same low level of preparedness; 33 percent in the Asia/Pacific, 28 percent in EMEA, and 11 percent of US and Canadian brokers.

Insurance and business continuity planning are key elements of catastrophe risk management

When asked to list steps taken by clients that feel adequately prepared for natural disasters, 90 percent of the brokers worldwide cited client purchases of catastrophic property insurance, 68 percent pointed to the establishment of business continuity plans, and 40 percent indicated their clients retrofitted their facilities to withstand a disaster. In addition, 30 percent indicated these clients had worked to strengthen supply chains and 27 percent noted client efforts to increase worker response training.

On the other hand, when brokers were asked to list reasons clients might offer for not being adequately prepared for natural disasters, lack of effective business continuity planning was the biggest factor, cited by 60 percent of the brokers. Meanwhile, 39 percent mentioned lack of affordable insurance coverage for catastrophe risks and 36 percent, lack of support from leadership for measures to manage catastrophe risks.

Lack of civil infrastructure and leadership issues undermine readiness

Although one-third of the brokers worldwide indicated their clients would tie inadequate readiness to the lack of available government/civil infrastructure to facilitate preparedness, response, recovery and protection of affected plant and equipment, the issue is especially pronounced for businesses in the Asia/Pacific, where it was cited by 67 percent of brokers. By contrast only 13 percent of brokers in the US and Canada expressed the same concerns. In addition, issues related to lack of leadership support also appear acute in the Asia/Pacific region, cited by 60 percent of the brokers.

Among the most significant factors flagged by brokers around the world in determining whether a client is adequately prepared for a natural catastrophe, 71 percent cited internal support from senior leadership; an equal percentage identified company size and resources, believing clients view these factors as correlated with better protection and preparedness. In addition, 45 percent of brokers cited the presence of a corporate risk manager or risk management function and 42 percent, the availability of a civil infrastructure (including emergency responders, evacuation routes, shelters, and related resources) to help facilitate preparedness and recovery.

According to the brokers surveyed, middle market clients would cite several elements of disaster risk management as needing improvement, with the responses varying markedly by region. For instance, although 25 percent of brokers worldwide cited the availability of adequate and affordable property catastrophe insurance, 56 percent of those in Latin America/Caribbean identified that issue, ranking it the region’s top factor for improvement. And while 25 percent of brokers around the world cited improvements in government infrastructure to facilitate preparedness and recovery, these needs were cited by nearly half those in the Asia/Pacific and 38 percent in EMEA, making it the biggest element to target for improvement in those two regions.

The survey was conducted in June and July 2016.


Data breaches are getting more sophisticated, more common, and more expensive; the average cost of a breach has reached $4 million, up 29% in the past three years. No organization, regardless of size or industry, can afford to ignore information security. The shortage of qualified cybersecurity personnel, combined with modern organizations preferring to outsource ancillary functions so they can focus on their core competencies, has resulted in many organizations choosing to outsource part or all of their cybersecurity operations, often to a managed security services provider (MSSP).

There are many benefits to outsourcing information security, including cost savings and access to a deeper knowledge base and a higher level of expertise than is available in-house. However, outsourcing is not without its pitfalls, and there are issues that organizations should be aware of when choosing a cybersecurity vendor. This article will discuss five best practices for outsourcing information security.




Cybersecurity is top of mind for every hospital IT person these days. Cyberattacks can come from a myriad of sources and expose patient data, or with ransomware, can put patients’ health at risk by blocking access to EHRs.

A few facts:

  • 11 million patient records have been breached so far in 2016
  • Ransomware attackers often charge up to $17,000 to return access, and that cost doesn’t include the impact of downtime on your IT team and the hospital in general
  • The Department of Health and Human Services recently released ransomware guidelines to help hospitals fight these insidious attacks

When it comes to ransomware, you need to get the attention of people in your department and throughout the hospital system.  We have prepared a white paper, Protecting Your Hospital from Ransomware, which covers six steps to thwart a would-be attacker.



Phoenix is fast approaching. As proud sponsors of Disaster Recovery Journal (DRJ) Fall World 2016, we look forward to discussing our latest technologies and best practices at the conference. Our software innovators and enterprise consultants for Business Continuity Management (BCM) and Governance, Risk & Compliance (GRC) will join customers to share valuable insights and case studies. Strategic BCP’s participation at DRJ Fall World will include:

Breakout Session, Regulatory Agencies: Friend or Foe of the Banking Industry?, on Monday, Sept. 19 from 4:45 to 5:15 PM PST. Strategic BCP’s Christopher Duffy (Chief Innovation Officer and Vice President of Professional Services) will join Jay Geppert from PlainsCapital Bank, Wayne Stadnik from TCF Bank, and David Underwood from United Bankshares. This roundtable discussion will include perspectives from several premier financial institutions. Insights include expanding cloud technology, vendors, and cyber security concerns.

General Session, A BC Professional’s Survival Guide: Five Steps to Avoiding the Axe and Prospering, on Wednesday, Sept. 21 from 8:15 to 9:15 AM PST. Joining me will be Keith Cantando (CBCLA), manager of Global Business Resiliency at Cisco Systems—a Strategic BCP customer and user of our ResilienceONE BCM software. We will present a five-step process to survive and thrive as a BC professional. Proven methods, tools, and activities utilized by hundreds of the most-successful professionals in the industry will be discussed—along with the biggest pitfalls to avoid. This session is geared towards all levels of experienced professionals.

Software discussions and demos during exhibit hours at Booth #505-507, where our team of BCM and GRC consultants will offer insights and answer questions. We will showcase the latest capabilities in ResilienceONE including Advanced Dependency Mapping Processes, Plan Workflow Visualization, and Integrated Mobile Solutions.

Private advisory consultations, where Enterprise Consultants from our Professional Services division will be on hand to discuss their capabilities and successes for: Business Impact Analysis (BIA); Staff Augmentation; BIA & BC Plan Auditing; Compliance Validation; Continuity & Risk Governance; Risk Mitigation Strategies; and BC Lifecycle Management.

See why Strategic BCP was positioned as a “Leader” in Gartner’s Magic Quadrant for Business Continuity Management Planning Software three years in a row.

More information about Strategic BCP can be found here.

Don’t forget to follow us on Twitter at the conference @strategicBCP or with the hashtag #drjfall.

I hope to see you in Phoenix!

AUSTIN, Texas — FEMA is looking to hire Texas residents as temporary employees to help with the state’s recovery from the past year’s storms and flooding.

FEMA is hoping to hire as many as 14 people—mostly in Austin and Houston but with a few positions in Denton and Bon Wier—to fill a variety of temporary positions working on disaster recovery.

“FEMA always seeks to employ local residents in its disaster recovery operations,” said Federal Coordinating Officer William J. Doran III, who is in charge of FEMA’s operations in Texas. “Not only does this help the economy recover by putting people to work, but these employees bring a wealth of local knowledge to the organization.”

Temporary local hires may be employed for 120-day terms, which may be extended up to one year maximum. They do not get hiring preference for other federal jobs as a result of their temporary employment. Selected health benefits are offered for these positions.

The wages vary depending on the nature of the work being performed and are set based on the prevailing wages of the state and locality. The positions range from administrative work to media relations.

Most temporary workers can be hired under a streamlined process instead of a competitive process. They must be 18 years old, have graduated high school or obtained a GED and have the appropriate qualifications for their positions. They will also be required to undergo a standard credit and criminal background check.

“We try to give preference to people who have actually suffered damage or losses from the disaster,” Doran said. “Many current FEMA employees began their careers as local hires.”

To find out more about the positions available and to apply, visit the Texas Workforce Commission’s website at workintexas.com.

For more information on the Texas recovery, visit the FEMA webpage at fema.gov/disaster/4272 or visit the Texas Division of Emergency Management website at txdps.state.tx.us/dem. Follow FEMA on Twitter @femaregion6.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Tina Esposito of Advocate Health Care discusses the basics of developing a big data strategy in healthcare, emphasizing the importance of aligning analytics strategies with overall business objectives and detailing her organization's experiences. Recorded at the 2016 Big Data & Healthcare Analytics Forum in San Francisco.



“Show me an IT professional who can predict the exact timing, size, method, and location for their next data center and I will show you someone with a defective crystal ball. That’s the nature of this industry,” says Data Center World speaker Jack Pouchet, the VP of marketing development and energy initiatives for Emerson Network Power.

Change has always been the cornerstone of technology, and that has never been more apparent than today. The sheer amount of data being generated by Internet users is reason alone that the data center of today must change. At Data Center World, Sept. 12-15 in New Orleans, Pouchet will address other key emerging trends he expects to substantially impact how future data centers are built and designed. Here’s a sneak peek.


The Cloud of Many Drops

More and more companies are looking beyond virtualization and to the cloud to address underutilization of computing resources, and for good reason. A 2015 study by Stanford’s Jonathan Koomey found that enterprise data center servers still only deliver, on average, between 5 and 15 percent of their maximum computing output over the course of a year. A surprising 30 percent of physical servers had been comatose for six months or more. Enter the shared services cloud arena. The fact that companies can now offload space-consuming applications and non-critical workloads to shared space means fewer data center builds and a little breathing room. “That allows for more intelligent decisions on the core building they already have,” said Pouchet.