
Jon Seals

Symantec makes security software for the enterprise market. It also sells a line of products for the consumer market under its Norton brand. All of its anti-virus products use the same core engine, and that engine has been found to contain high-severity and potentially devastating security vulnerabilities. Symantec has patched these vulnerabilities, and if you are using a Symantec or Norton anti-virus product you should make sure your software is upgraded right now.

The vulnerabilities in Symantec’s core engine were uncovered by a team at Google's Project Zero and made public in a blog post by Tavis Ormandy. According to Ormandy:

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.

...

http://www.forbes.com/sites/kevinmurnane/2016/06/29/if-you-are-using-security-software-from-symantec-or-norton-you-should-upgrade-immediately/

COMMUNICATIONS PLANS AND SCHEDULES

Regina Phelps recently joined forces with Everbridge and recorded a webinar that explores in-depth strategies for improving your disaster and crisis management. Previously, in part four of this five-part series, Regina discussed what a governance document and a communication matrix are, and what their content should be. If you missed part four, you can access it here.

In this installment of the series, Regina discusses communications plans, as well as why and how to build a communications schedule.

...

http://www.everbridge.com/improving-disaster-and-crisis-management-with-timely-communication-and-response-part-5/

(TNS) - The people handling security for the nation’s busiest malls and amusement parks are no longer retired cops. They are a 24-year veteran of the FBI, a former CIA operative and the onetime chief of counterterrorism for Scotland Yard.

The theme-park industry’s annual security bill, already roughly $250 million a year, is expected to grow by more than $100 million over the next few years, according to one consultant. Disneyland, Universal Studios Hollywood and SeaWorld all installed metal detectors outside their gates for the first time in December.

“Lone wolf” shootings, including those at the Pulse nightclub in Orlando, Fla., this month, and in San Bernardino in December, have forced businesses to shoulder more of the cost and responsibility of securing America against terrorism.

...

http://www.emergencymgmt.com/safety/Cost-of-keeping-America-safe-from-lone-wolf-shootings-shifts-to-business.html

Government and technology are far apart as cultures. Government is deliberate. A wise leader does not subject his roads, power grid and economy to whimsy. He plans everything. Technology is experimental. Technology is Leonardo da Vinci taking a half-dozen naps each day. Technology is making things work now and worrying about the consequences later. Government creates lists, policies and protocols to ensure the bathrooms are stocked with the correct number and type of shampoo, towels and soap. Technology doesn’t like taking showers. Technology is Steve Jobs wearing the same thing every day and only eating fruit. Technology wears an unruly beard. Government wears a tie that’s approved by a policy that was written by a committee following six years of research.

But, alongside society, government’s conservative ways are relenting. Once fearful of inviting criticism, a nudge from the economy has left government willing to ask the public for help. And most importantly, the popularization of technology means the public can help and people are empowered by digital tools. The result is that civic tech — the place where government interests intersect with community-minded activists who are ready to donate their time and talents — is the public sector’s fastest-moving innovation inlet.

People are collaborating across institutional boundaries. The markets and organizations that support civic tech are growing wiser and better organized. Government is opening its doors and converting opponents into allies. Technology itself is exciting — there are scores of new inventions each day — but the civic tech movement, in its immaturity, leaves untouched even more territory, more potential to realize its simple directive of making the nation’s cities, counties and states better places to live.

...

http://www.govtech.com/How-Civic-Interests-Are-Helping-Shape-Government-Innovation.html

Hackers are not only an issue for celebrities with embarrassing photos they don’t want made public. Large corporations are also victims of cybersecurity breaches, and it is an ongoing problem that needs a solution. Trade secrets, internal emails, even unremarkable communications between colleagues can be accessed by criminals and become a major crisis. As recently as May 27, 2016, MySpace passwords were stolen for a price of $2,800, putting the company in a bad light and users at risk.

Cybersecurity breaches can happen at any time to any company. The Security Solutions VP of AT&T, Jason Porter, stated “In 2015, 62 percent of organizations reported having security breaches. Forty-two percent of these businesses said the negative impact on their business was significant. Yet 66 percent of organizations have no effective incident response plan.” Don’t wait until your business is targeted to resolve this problem and protect your valuable data from outside hackers.

The following are tips to help businesses avoid cyber attacks and protect their valuable data:

...

http://corporatecomplianceinsights.com/fortify-business-crippling-cyber-attacks/

It might sound like something that lurks in damp soil, but process ROT is actually becoming a widespread problem for many organizations.

Process ROT occurs when established business processes become hampered by redundant, obsolete and trivial (ROT) information. It’s something that’s happening within large numbers of organizations, yet many are not aware that it is occurring, nor are they aware of the potential risk and compliance implications.

ROT becomes a business problem because humans tend to be natural information-hoarders. Throughout organizations, people tend to collect and store large volumes of documents and other materials and are very reluctant to ever delete them.

...

http://corporatecomplianceinsights.com/does-your-organization-suffer-from-process-rot/

A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industrywide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part customer security program to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”

Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks, while geopolitical dynamics also play into the risk equation. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socioeconomic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China and the existence of strong transnational criminal networks.

Indeed, one of the most recent cases to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (TP Bank), while the money trail of an $81 million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.

...

http://corporatecomplianceinsights.com/cyber-fraud-on-the-rise-in-southeast-asia/

Despite the many potential benefits of big data analytics, the unrestrained creation and retention of data has the potential to bury organizations under a mountain of legal, regulatory and operational challenges. According to IDC, by the year 2020, about 1.7 megabytes of new information will be created every second for every human on the planet. Meanwhile, MIT Technology Review estimated that only 0.5 percent of all the data we’re creating is ever analyzed. While most organizations would benefit by increasing this percentage, it’s clear that “dark data” – the information organizations collect and store, but fail to use for other purposes – is mostly debris that serves only to increase infrastructure costs and expose organizations to risk and liability, especially when this data flows beyond the firewall.

Organizations of all sizes and types now typically share information via unified communications, including instant messages, social media channels and text messages, and they rely on third-party information vendors to host and manage their data in the cloud. Unfortunately, such activities can expose organizations to the risk of significant fines and reputational damage, because today’s evolving legal and regulatory environment makes organizations potentially responsible for information exposed by third parties. In fact, regulations such as SOX and BCBS 239, along with evolving privacy laws, have now made compliance departments equally responsible with legal departments for the health of their organizations.

The symbiotic relationship is clear: Compliance investigations can quickly become legal issues and vice versa. This is especially true when it comes to data hosted, managed or controlled by third parties. For example, if an employee posts information about an employer on social media sites and that information falsely influences or encourages an action by a consumer that causes damage, the employer can be held liable. In addition, if a retailer receives data from a market research firm that did not follow EU privacy regulations in gathering that data, the retailer can be sanctioned for any use or retention of that data.

...

http://corporatecomplianceinsights.com/saga-continues-data-creation-data-consumption-data-exposure/

Data security and information governance are critical responsibilities of an IT team, especially when it comes to business intelligence (BI) and analytics strategies. But IT’s goals, needs and objectives as it relates to big data usage are at a stark contrast to their business user counterparts, who, thanks to the self-service movement, require agility and open access.

Business users tasked with analyzing big data to help their companies make timely and more meaningful decisions require immediate access to a wide variety of sources, including multi-structured, semi-structured and unstructured repositories. But IT professionals, who are the ones with their feet to the fire when it comes to data governance and protection, would rather make information available on an as-needed basis.

IT’s concerns around data security and governance are perfectly understandable given that much of the data needed for analysis contains unprotected personally identifiable data (e.g., Social Security numbers), sensitive personal data (e.g., medical records) and commercially sensitive data. And recent research by the Association of Corporate Counsel found that a significant number of corporate data breaches (30 percent) are due to employee error. With the insider threat so prominent in organizations across industries, making information widely available to business users can be a frightening concept.

...

http://corporatecomplianceinsights.com/simple-mask-data-becomes-governance-superhero/

Risk Maturity Models provides focused messages for the risk management function, the internal audit function, and the Board. Combining proven practice and insight with realistic practitioner scenarios, this is essential reading for every risk, project, audit and board professional who wants to move their organization up the risk maturity curve. This book:

  • Provides the tools and knowledge to benchmark the effectiveness of your risk management activities
  • Supports easy comparison of 60 leading risk maturity models, allowing readers to select and adapt
  • Provides focused guidance on improving organizational risk maturity for Risk, Internal Audit, and the Board
  • Bridges the gap between the risk management and audit functions with a common framework and vocabulary

“The book brings to life the benefits of risk maturity models when effectively applied and is simple but effective in its approach.” - Nicola Crawford, IRM UK Board member

“The book follows a logical approach and is packed with information designed to explain risk maturity and to help risk professionals use this technique in support of their position as risk leaders and trusted risk advisors.” - Julia Graham, AIRMIC Ltd

About the author: Domenic Antonucci is a practicing Chief Risk Officer and senior risk, governance and compliance consultant. An Australian expatriate based in Dubai UAE, Domenic specializes in bringing organizations 'up the risk maturity curve' and building risk practitioner tools for implementing ERM, ISO 31000:2009 and COSO ERM. Formerly with Marsh Risk Consulting, Shell and Red Cross, he enjoys over 30 years’ experience in risk, strategic planning and business management across many sectors in Europe, Africa, Middle East, Asia and Australia-Pacific.

About Kogan Page: Kogan Page is the leading independent global publisher of specialist professional books and content with over 700 titles in print. Its authors come from some of the world’s most prestigious academic institutions, international commercial organisations or professional associations in Leadership, Management, Marketing, Branding, Human Resources, Coaching, Logistics, Entrepreneurship and Careers. Follow @KPMgmtLeaders for information about new books and business insights from author experts.