The Business Continuity Institute - Jul 01, 2016 10:24 BST
Are business continuity managers internal optimists, and do we really believe that we will be affected by an incident? Do we peddle our profession secretly believing, or hoping, that it will never happen to us and that our plans will never be implemented? This has happened to me. I, until the very last moment, believed that ‘remain’ would prevail and I didn’t need to worry about the vote.
There was recently a section on the 1 o’clock news when a number of pollsters and punters gave their predictions for the vote, and almost all said they believed that remain would win. Even a farmer who had four pigs, two named after remain politicians and two named after the leave campaign, including one called ‘Boar-is’, and raced them every day to predict who would win, said the remain campaign would win as remain pigs won more races. I was so sure Brexit would never happen that I hadn’t even bothered to write a business continuity bulletin on the subject. The people in the BC Training office recycled a Scottish Independence bulletin to cover the subject.
Perhaps I was not the only business continuity person who was of this mind-set. I was at the East Midlands BCI forum on the day of the vote, and there was very little talk of the referendum (perhaps we were all fed up of the aggro associated with it) and absolutely no talk of any contingency plans for Brexit.
So what should we be doing, as business continuity people, to deal with this new situation? If, like me, you haven’t prepared for this, then let me share a few thoughts:
A good incident tool is to plan for different scenarios, taking into account all the different variables. Will it be the two-year exit under Article 50, which will be fast and unpredictable, or will it be a slower negotiation, which gives us time to prepare? What is our exposure to European trade, and how might it affect our staff if they are EU, non-UK, citizens? There is also the extra dimension of a further Scottish referendum. As the news people would say, we are in uncharted territory, so I think you have to look at all variables and all possible options.
We should then look at what is our worst case, best case and most likely case, and develop appropriate risk mitigation measures. These should be agreed by top management and the organisation should monitor events as they occur and adjust the mitigation measures as the situation changes.
In all crises or incidents there is always an opportunity and the smart business continuity manager will recognise this. As David Cameron warned, we have now jumped out of the plane and we cannot clamber back into the cockpit, so we must embrace the change and look for the opportunity that this new world brings. Maybe it is also for me to review my business continuity plan, because as we tell everyone else, the incident we don’t want to happen could occur tomorrow!
Sorry I’ve been quiet on the blog post front, but I’ve had a hectic few weeks involved in all kinds of interesting conversations and events (even manning the booth at a couple of them). What’s been noticeable at these events is the number of similar discussions I’ve had with businesses of all sizes, from small to large and all that’s in between, and there have been some interesting areas of commonality.
Over the next few weeks I’d like to share some of those with you. Up first has been something really interesting that has gone right to the top of my list, and actually it came to light again this week when in a meeting with one of my favourite CIOs. For this post let’s call him Bill (I can’t share his or his company’s name on this occasion). Bill is a very astute CIO, very well connected, and spends time doing all the things that you would expect; what is always interesting is when I bring something to the table he hasn’t thought about before.
Today was one of those rare treats, as I was sharing with him my last few weeks and some of the fascinating chats I’ve had. So what caught Bill’s interest?
While the long-term impact of Britain’s vote to exit the European Union remains to be seen, the immediate impact is uncertainty, which is rarely a good thing for any market, including the data center market.
Some of the biggest data center providers in Europe saw that immediate impact of uncertainty in their stock performance right after the referendum’s outcome was announced last Thursday. Equinix, Digital Realty Trust, and Interxion stock value dropped immediately, and while US-based Equinix and Digital have since recovered – Digital’s stock was actually trading higher than ever in after-hours trading on Wednesday – the Netherlands-based Interxion had yet to regain its pre-referendum level.
As far as Brexit’s possible long-term impacts, among the chief concerns are potential expenses associated with compliance with whatever new regulations the UK establishes if and when its process of severing from the EU is completed, data center customers adjusting their infrastructure location strategies, the status of data center industry workers in the UK who are EU citizens but who do not have British passports, and whether or not British tech and financial-services industries, both of which have historically been a big source of revenue for data center providers and equipment vendors, will continue to see the same level of investment they have seen in the past.
When enterprises such as health insurance providers and supermarket chains hold millions of customer names together with social security numbers or credit card details, they become preferred targets for hackers.
One successful attack can garner huge amounts of valuable data, and beats launching millions of attacks at one end-customer per attack (even if that were possible).
The same holds true when the customers are businesses rather than private individuals. If you have not asked your third-party service suppliers the following information security questions, now is the time.
Third-party suppliers can hold a surprisingly large amount of information about businesses like yours, and about your customers too.
In a new Radware survey, 84 percent of US and UK information technology executives at companies that had not faced ransom attacks said they would never pay a ransom; however, 43 percent of respondents from companies that had been attacked said that ransoms had been paid. This is one of the findings from Radware’s 2016 Executive Application & Network Security Survey. Radware polled more than 200 IT executives across the US and UK for the study.
The study found that US companies were far more willing to admit that they would pay a ransom. Among US firms who had not been attacked, 23 percent indicated they were prepared to pay a ransom, in contrast to the 9 percent in the UK.
Companies that paid ransoms reported an average of $7,500 in the US and £22,000 in the UK.
“This is a harbinger of the challenging decisions IT executives will face in the security arena,” said Carl Herberger, Radware’s Vice President of Security Solutions. “It’s easy to say you won’t pay a ransom until your system is actually locked down and inaccessible. Organizations that take proactive security measures, however, reduce the chance that they’ll have to make that choice.”
In addition to the responses to ransom attacks, the survey also found that companies see work-from-home arrangements as an increasing risk. The survey found a big jump in changes to telecommuting policies, with 41 percent of respondents saying they have tightened work-from-home security policies in the last two years.
The most commonly cited obstacle to Business Continuity (BC)/Disaster Recovery (DR) program success is a lack of management support, and this is for good reason. New and non-established BC Management (BCM) programs have to overcome serious inertia in order to succeed.
Business continuity is not a core competency of most organizations and few employ a full-time team of BCM professionals. According to the 2014 CI/KPMG benchmarking survey, the majority of organizations have between 0 and 2 FTEs dedicated to primary BC/DR functions:
When natural disasters strike, news stories frequently cover damage to homes and consumers, but businesses often experience greater losses, ranging from physical destruction to downtime. A key element for firms to survive in a disaster scenario is the development and deployment of a strong business continuity (BC) plan.
Evolve IP, a cloud services company based in Wayne, Pennsylvania, warns that now is not the time for businesses to become complacent about their business continuity plans because of the historical patterns of two related events: El Niño and La Niña. Both of these conditions occur when the Pacific Ocean and the atmosphere sustain significant temperature changes.
The most recent El Niño season was the worst in two decades, causing billions of dollars in damages and losses. But now comes La Niña. The last significant La Niña was tied to record winter U.S. snowfall, spring flooding across the country, and drought conditions in the south and Midwest. The National Oceanic and Atmospheric Administration (NOAA) says there is a 75 percent chance that La Niña will be in place by the fall and potentially last up to three years. This one could result in larger hurricanes making U.S. landfall; that would have a significant impact on hundreds of thousands of businesses.
(TNS) -- When a glitch in phone company systems left Baltimore without 911 service for over an hour last week, The Baltimore Sun wanted to know how often such outages occur.
Public records made it clear that the outage wasn't unique, but much of the information about problems with 911 is confidential, making it difficult to figure out just how often the emergency phone system is out of action. The secrecy highlights the 911 system's strange role as a critical lifeline to police and fire departments, but one that is almost entirely run by private companies.
The Federal Communications Commission requires phone companies to submit reports about outages that affect a large number of people or that last for a long time. But the agency doesn't release the reports because they could contain proprietary information about how the companies set up their networks. When the Government Accountability Office investigated outages in 2015, it didn't even bother to look at the reports. Investigators wrote in a footnote that they saw no point in reviewing data they couldn't talk about publicly.
The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.
Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.
With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.
(TNS) - A severe weather event during Burlington Steamboat Days was used Tuesday afternoon as a situational example for Des Moines County to discuss how they would respond in an emergency.
If tornadoes, flooding and power outages were to occur during a major community event - how would county agencies work together to mitigate the disaster?
The almost 80 business leaders, public officials and safety officers participating in the Federal Emergency Management Agency's training course worked through how their different agencies would respond when faced with infrastructure damage and personal injury across the county.