Jon Seals

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

...

http://www.riskmanagementmonitor.com/holding-executives-accountable-for-cybersecurity-failures/

(TNS) - A severe weather event during Burlington Steamboat Days was used Tuesday afternoon as a situational example for Des Moines County to discuss how they would respond in an emergency.

If tornadoes, flooding and power outages were to occur during a major community event - how would county agencies work together to mitigate the disaster?

The almost 80 business leaders, public officials and safety officers participating in the Federal Emergency Management Agency's training course worked through how their different agencies would respond when faced with infrastructure damage and personal injury across the county.

...

http://www.emergencymgmt.com/training/Steamboat-Days-serves-as-real-world-example-in-disaster-prep-for-FEMA-group.html

Symantec makes security software for the enterprise market. They also sell a line of products for the consumer market under their Norton brand. All of their anti-virus products use the same core engine, and that engine has been found to have high-level and potentially devastating security vulnerabilities. Symantec has patched these vulnerabilities, and if you are using a Symantec or Norton anti-virus product you should make sure your software is upgraded right now.

The vulnerabilities in Symantec’s core engine were uncovered by a team at Google's Project Zero and made public in a blog post by Tavis Ormandy. According to Ormandy:

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.

...

http://www.forbes.com/sites/kevinmurnane/2016/06/29/if-you-are-using-security-software-from-symantec-or-norton-you-should-upgrade-immediately/

COMMUNICATIONS PLANS AND SCHEDULES

Regina Phelps recently joined forces with Everbridge and recorded a webinar that explores in-depth strategies for improving your disaster and crisis management. Previously, in part four of this five-part series, Regina discussed what a governance document and a communication matrix are, and what their content should be. If you missed part four, you can access it here.

In this installment of the series, Regina discusses communications plans, as well as why and how to build a communications schedule.

...

http://www.everbridge.com/improving-disaster-and-crisis-management-with-timely-communication-and-response-part-5/

(TNS) - The people handling security for the nation’s busiest malls and amusement parks are no longer retired cops. They are a 24-year veteran of the FBI, a former CIA operative and the onetime chief of counterterrorism for Scotland Yard.

The theme-park industry’s annual security bill, already roughly $250 million a year, is expected to grow by more than $100 million over the next few years, according to one consultant. Disneyland, Universal Studios Hollywood and SeaWorld all installed metal detectors outside their gates for the first time in December.

“Lone wolf” shootings, including those at the Pulse nightclub in Orlando, Fla., this month, and in San Bernardino in December, have forced businesses to shoulder more of the cost and responsibility of securing America against terrorism.

...

http://www.emergencymgmt.com/safety/Cost-of-keeping-America-safe-from-lone-wolf-shootings-shifts-to-business.html

Government and technology are far apart as cultures. Government is deliberate. A wise leader does not subject his roads, power grid and economy to whimsy. He plans everything. Technology is experimental. Technology is Leonardo da Vinci taking a half-dozen naps each day. Technology is making things work now and worrying about the consequences later. Government creates lists, policies and protocols to ensure the bathrooms are stocked with the correct number and type of shampoo, towels and soap. Technology doesn’t like taking showers. Technology is Steve Jobs wearing the same thing every day and only eating fruit. Technology wears an unruly beard. Government wears a tie that’s approved by a policy that was written by a committee following six years of research.

But, alongside society, government’s conservative ways are relenting. Once fearful of inviting criticism, a nudge from the economy has left government willing to ask the public for help. And most importantly, the popularization of technology means the public can help and people are empowered by digital tools. The result is that civic tech — the place where government interests intersect with community-minded activists who are ready to donate their time and talents — is the public sector’s fastest-moving innovation inlet.

People are collaborating across institutional boundaries. The markets and organizations that support civic tech are growing wiser and better organized. Government is opening its doors and converting opponents into allies. Technology itself is exciting — there are scores of new inventions each day — but the civic tech movement, in its immaturity, leaves untouched even more territory, more potential to realize its simple directive of making the nation’s cities, counties and states better places to live.

...

http://www.govtech.com/How-Civic-Interests-Are-Helping-Shape-Government-Innovation.html

It might sound like something that lurks in damp soil, but process ROT is actually becoming a widespread problem for many organizations.

Process ROT occurs when established business processes become hampered by redundant, obsolete and trivial (ROT) information. It’s something that’s happening within large numbers of organizations, yet many are not aware that it is occurring, nor are they aware of the potential risk and compliance implications.

ROT becomes a business problem because humans tend to be natural information-hoarders. Throughout organizations, people tend to collect and store large volumes of documents and other materials and are very reluctant to ever delete them.

...

http://corporatecomplianceinsights.com/does-your-organization-suffer-from-process-rot/

A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industrywide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part customer security program to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”

Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks, while geopolitical dynamics also play into the risk equation. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socioeconomic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China and the existence of strong transnational criminal networks.

Indeed, one of the most recent cases to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (TP Bank), while the money trail of an $81 million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.

...

http://corporatecomplianceinsights.com/cyber-fraud-on-the-rise-in-southeast-asia/

Despite the many potential benefits of big data analytics, the unrestrained creation and retention of data has the potential to bury organizations under a mountain of legal, regulatory and operational challenges. According to IDC, by the year 2020, about 1.7 megabytes of new information will be created every second for every human on the planet. Meanwhile, MIT Technology Review estimated that only 0.5 percent of all the data we’re creating is ever analyzed. While most organizations would benefit by increasing this percentage, it’s clear that “dark data” – the information organizations collect and store, but fail to use for other purposes – is mostly debris that serves only to increase infrastructure costs and expose organizations to risk and liability, especially when this data flows beyond the firewall.

Organizations of all sizes and types now typically share information via unified communications, including instant messages, social media channels and text messages, and they rely on third-party information vendors to host and manage their data in the cloud. Unfortunately, such activities can expose organizations to the risk of significant fines and reputational damage because today’s evolving legal and regulatory environment makes organizations potentially responsible for information exposed by third parties. In fact, regulations such as SOX and BCBS 239, along with evolving privacy laws, have now made compliance departments equally responsible with legal departments for the health of their organizations.

The symbiotic relationship is clear: Compliance investigations can quickly become legal issues and vice versa. This is especially true when it comes to data hosted, managed or controlled by third parties. For example, if an employee posts information about an employer on social media sites and that information falsely influences or encourages an action by a consumer that causes damage, the employer can be held liable. In addition, if a retailer receives data from a market research firm that did not follow EU privacy regulations in gathering that data, the retailer can be sanctioned for any use or retention of that data.

...

http://corporatecomplianceinsights.com/saga-continues-data-creation-data-consumption-data-exposure/

Data security and information governance are critical responsibilities of an IT team, especially when it comes to business intelligence (BI) and analytics strategies. But IT’s goals, needs and objectives as they relate to big data usage stand in stark contrast to those of their business user counterparts, who, thanks to the self-service movement, require agility and open access.

Business users tasked with analyzing big data to help their companies make timely and more meaningful decisions require immediate access to a wide variety of sources, including multi-structured, semi-structured and unstructured repositories. But IT professionals, who are the ones with their feet to the fire when it comes to data governance and protection, would rather make information available on an as-needed basis.

IT’s concerns around data security and governance are perfectly understandable given that much of the data needed for analysis contains unprotected personally identifiable data (e.g., Social Security numbers), sensitive personal data (e.g., medical records) and commercially sensitive data. And recent research by the Association of Corporate Counsel found that a significant number of corporate data breaches (30 percent) are due to employee error. With the insider threat so prominent in organizations across industries, making information widely available to business users can be a frightening concept.

...

http://corporatecomplianceinsights.com/simple-mask-data-becomes-governance-superhero/