Jon Seals

Rainer Hübert
HiSolutions AG

When will the investment in a BCM programme pay off? Most people think that the only correct answer is when a damage scenario has taken place. Hopefully an effective BCM programme will then reduce an otherwise much more costly, or even possibly fatal, financial impact to a bearable amount. Then, and only then, will the investment in BCM be paid off – just like an insurance policy.

In our finance driven business world however, investment in BCM needs to be justified in financial terms, unless a BCM programme is forced upon an organization by its clients or by regulatory authorities.

...

http://thebceye.blogspot.com/2013/10/the-return-on-investment-of-bcm.html

As the anniversary of Hurricane Sandy approaches, a Carbonite survey has found that most small businesses in the affected area are not prepared for the next disaster.

The survey, conducted by Wakefield Research, found that more than 40 percent of small businesses in the tri-state area hit by Superstorm Sandy last October (NY, NJ, and CT) think it's likely they will be impacted by a natural disaster in the next year, and that only 22 percent feel they are ‘very prepared’.

Downtime and data loss caused by natural disasters can be detrimental to any small business. On average, survey respondents said it would take 16 days to recreate or recover their files – and nearly a third said they would never be able to recover or recreate all of their important business data if it was lost.

In addition to lost time, data loss can hit a small business where it hurts – their bank account. Carbonite found that on average, small businesses would lose $2,976 per day if they were unable to operate. This means the average small business could lose a devastating $47,616 over the 16 days it takes them to recover their data.

...

http://www.continuitycentral.com/news06963.html

HP has published the results from a study conducted by the Ponemon Institute, indicating that the cost, frequency and time to resolve cyber-attacks continue to rise for the fourth consecutive year.

Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, the 2013 Cost of Cyber Crime Study found that the average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million, representing a 78 percent increase since the initial study was conducted four years ago.

The results also revealed that the time it takes to resolve a cyber-attack has increased by nearly 130 percent during this same period, with the average cost incurred to resolve a single attack totalling more than $1 million.

Key findings from the 2013 study include:

...

http://www.continuitycentral.com/news06966.html


I love it when technology people start to focus on a new area, because they always seem to offer a fresh view, even when the topic is well dissected. I think that’s one reason why tech is known for lowering costs in all industries, except one: health care.

MIT Technology Review recently published an excellent package, “A Cure for Health-Care Costs.” At the heart of the articles is this question: Why is it that technology raises the costs of health care, rather than lowering it, and how can we change that?

“Computers make things better and cheaper. In health care, new technology makes things better, but more expensive,” quips Jonathan Gruber, an economist at MIT who leads a health-care group at the National Bureau of Economic Research, in one article.

...

http://www.itbusinessedge.com/blogs/integration/is-data-the-pivot-point-in-rising-health-care-cost-curve.html

SDN benefits include automating and easing network administration duties and improving application performance. But it also introduces a number of potential threat vectors into your environment. What should you know before you invest in SDN?

By David Geer

CSO — Software defined networking (SDN) moves networking from hardware to the software plane, under management of a software controller. Benefits include automating and easing network administration duties and improving application performance. As a new technology, SDN is subject to vulnerabilities.

But with SDN, the industry knows certain vulnerabilities are native to the approach. First, according to Chris Weber, Co-Founder, Casaba, centralizing control in an SDN controller removes protective, layered hardware boundaries such as firewalls. Second, according to Gartner analyst Neil MacDonald, by decoupling the control plane from the data plane, SDN introduces new attack surfaces, such as the network controller, its protocols and its APIs.

...

http://www.cio.com/article/741132/SDN_The_Security_Pros_and_Cons_of_Using_it_in_Your_Organization

by Edward Ferrara

Peter Kujawa, CEO of Locknet, Steve Tallent from Fortinet, and I were speaking at the recent Conference in San Jose, California about the cloud revolution. Steve was interested in the conversation because Fortinet is now offering virtualized versions of their Fortigate UTM solution. Peter was interested because his business is built on taking away the pain that platform management entails. Obviously security intersects both of these worlds.

We discussed the changes cloud computing was making to the MSP/MSSP markets and the differences between the SMB and enterprise businesses and what motivates them to consider the cloud IaaS, SaaS, and PaaS model.

Peter talked about one of his clients – a smaller client – that managed their business from a small server stashed in the closet of their offices. Peter’s company offered to replace the box with a cloud-based system that took over patching, updates, and maintenance for the system for a simple monthly fee. The client would access their applications via the Internet. The risk to this business was huge for so many reasons. The customer leapt at the chance to get rid of the box.

...

http://blogs.forrester.com/edward_ferrara/13-10-08-cloud_and_cloud_security_get_rid_of_the_box

by Hilary Tuttle

In an interview for this month’s issue of Risk Management magazine, lawyer and social media specialist Adam Cohen cautioned businesses that the risks of social networking sites extend beyond explosive posting faux pas.

“In most cases, corporations don’t realize that what they put on these social media services is all subject to the privacy policies and terms and conditions of the services,” said the eDiscovery expert and author of Social Media: Legal Risk and Corporate Policy. “Those provide a shocking amount of access by the social media services where they may take your data.”

As Twitter prepares for its much-anticipated IPO, the social media giant has released a torrent of information on its financial standing and practices. One of the most important tidbits for users concerns the site’s lesser-known side-business: data mining. In the first half of 2013, Twitter made $32 million by selling its data—namely, tweets—to other companies, a 53% increase from the year before.

...

http://www.riskmanagementmonitor.com/twitters-data-mining-profits-show-lesser-known-social-media-risk/

by Renee Murphy

Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7, where a Titan missile that was part of the US missile defense system and carried a nine-megaton warhead was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack. This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter.

Photo Credit: Renee Murphy

Technology has grown by leaps and bounds since the cold war. When these silos went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, or hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.

...

http://blogs.forrester.com/renee_murphy/13-10-08-four_phones_two_doors_a_scrap_of_paper_and_a_lighter

David Hawkins
Institute for Collaborative Working

Over the past three decades, sourcing programmes and supply chains have increased exponentially, not simply in terms of commodities and products, but also in a wider variety of outsourcing and service propositions. These extended networks have now bridged the traditional boundaries between organisations and in doing so introduce a significant spectrum of risk to business continuity and reputation. At the same time, the implications of both natural and manmade disasters highlight the interdependence of companies of all sizes and in all sectors. Reliance on these extended relationships to deliver business performance raises the prospect that resilience and business continuity are no longer simply an internal issue for companies, and prompts consideration of a much greater awareness in the identification of risk, the selection of suppliers, and an increased focus on collaborative working and the capability of third parties to jointly perform when necessary.

...

http://thebceye.blogspot.com/2013/10/supply-chain-vulnerability-resilience.html

October 9, 2013

Lesson from a doctor

According to an article in the San Antonio Express-News’ mySA site headed Poor penmanship costs doctor $380,000, “A local physician whose illegible handwriting led to the fatal overdose of an elderly patient was ordered by a civil court jury Thursday to pay $380,000 in damages to the woman's family.”

While most Enterprise Risk Management (ERM) and Business Continuity/COOP practitioners eschew the pen in favor of a keyboard, the point of the article, at least as this practitioner sees it, is the necessity to make certain the audience gets the correct message.

It is not the audience’s job to try to interpret the practitioner’s words; it is the practitioner’s job to communicate to the audience in a manner the audience comprehends.

By the way, the operative word is “comprehend,” not “education” or “position.” Neither necessarily equates to comprehension of a specific subject.

According to the San Antonio paper, the doctor “changed his mind about the dosage, intending to increase it (from 10) to 20 millimoles (NB), testimony during the weeklong trial indicated.

“However, instead of scratching out the original amount on the form or starting over, he attempted to write a “2” over the “1,” the doctor acknowledged.

...

http://johnglennmbci.blogspot.com/2013/10/erm-bc-coop-lesson-from-doctor.html