Spring World 2017

Conference & Exhibit

Attend The #1 BC/DR Event!

Bonus Journal

Volume 29, Issue 5

Full Contents Now Available!

Industry Hot News

Industry Hot News (6930)

Tuesday, 21 February 2017 17:38

Hospitals, EMS Collaborate to 'Save Lives'

(TNS) - Every minute matters. That is the stance area hospitals and paramedics have taken when it comes to quickly diagnosing and treating patients suffering from heart attacks or strokes.

This is the third year of a regional collaborative led by the University of Kansas Medical Center that seeks to improve rural health care for those patients and reduce death rates and health-care costs.

“There is a chain of survival, and everybody’s got their part to play in that,” said Lillian Slater, assistant director of Ellis County EMS. “We always say strengthening one link will not make the chain any stronger. You have to get all the different parts working.”

The collaborative consists of 14 northwest Kansas hospitals, including Hays Medical Center, which has worked closely with KU Med in collecting data and administering the program, said Carol Groen, manager for clinical certifications and special projects at HaysMed.

The Kansas Heart and Stroke Collaborative, launched with a three-year, $12.5 million grant, seeks to reduce cardiac-related deaths in rural communities by 20 percent. Another goal is to cut health-care costs by $13.8 million, according to the program’s website.



It should be upsetting to realize that if an intruder is active in a network, most organizations simply would not know. It’s possible that an outsider gained access to the network and quietly began to explore it and expand their area of control.

In the first few days, the attacker has been able to find and take control of other privileged network credentials using Windows exploits or other tools.  Then, over the next few weeks, the attacker used the credentials and gained access to a domain controller that proved to be a pivot point in reaching and taking control of other network segments and servers.  Finally, over the next few months, the attacker gained access to all the servers in the data center and began looking for files and data that might have value. Getting to the email server turned out to provide a goldmine of material fit for extortion or other purposes. So many companies conduct the core of their business through email. If confidential emails become public or are provided to competitors, investors or other interested parties, the damage could be catastrophic.

In the scenario I’m relating, the attacker has not yet done anything with the assets that might eventually tip off the company or some third party that a network attack has occurred. For now, the attacker is lingering, choosing the right time to capitalize on their position.



Tuesday, 21 February 2017 17:37

Business Continuity and the Knock-On Blackouts

Power blackouts in business can range from a minor inconvenience to a major threat. Diggers slicing through power cables, extreme weather conditions bringing down power lines, or other local failures can all interrupt the supply of electricity.

So can failure at the power generating station. Although power grids are among the most protected and reliable structures anywhere, changes in the industry and the environment could make blackouts on the provider side increasingly likely.

The following list of factors influencing the future of power grid continuity may incite you to take another look at your own power backup solutions.



The Business Continuity Institute

Cyber attack is once again the top threat perceived by businesses, according to the latest Horizon Scan Report, published by the Business Continuity Institute (BCI) in association with BSI (British Standards Institution). 88% of organizations are either ‘extremely concerned’ or ‘concerned’ about the possibility of a cyber attack. The threat of a data breach remains in second place (81%), while unplanned IT and telecom outage stays in third place (80%).

For the first time in the study’s six-year history, the threat of uncertainty around the introduction of new laws and regulations has entered the list of top ten business continuity concerns in the Horizon Scan Report.

These external events underscore the interconnected nature of risks and demonstrate the need for businesses to take them into account and plan accordingly.

This year’s global top ten threats to business continuity are:

  1. Cyber attack – static
  2. Data breach – static
  3. Unplanned IT and telecom outages – static
  4. Security incident – up 1
  5. Adverse weather – up 3
  6. Interruption to utility supply – static
  7. Act of terrorism – down 3
  8. Supply chain disruption – down 1
  9. Availability of key skills – static
  10. New laws or regulations – new entry

For the first time, the survey also asked which disruptions respondents had experienced during the previous year in order to understand what lies behind the worry. The results showed that nine of the top ten concerns also appeared in the top ten list of disruptions, with transport network disruption appearing at the expense of act of terrorism. Unplanned IT and telecom outages came in at number one, followed by interruption to utility supply and then cyber attack. Data breach came in at eighth place.

With the top four threats all showing an increasing in level of concern, it is worrying that 14% of respondents will experience business continuity budget cuts over the next year, making them less likely to be able to respond effectively to these threats.

Despite growing fears over the resilience of their organizations, the report records another fall in the use of long-term trend analysis to assess and understand threats, down 1% to 69% this year. Of those carrying out trend analysis, around a third of organizations (32%) do not use the results to inform their business continuity management programmes.

David Thorp, Executive Director at the Business Continuity Institute, commented: “Given the diversity of the threats out there, it is absolutely essential to adopt agile and dynamic responses. Planning to recover from a data breach is very different from planning for the aftermath of a terrorist attack, and, as this year’s report highlights, the risk spectrum can be very broad. Malicious internet actors, political shake-ups, and climate change are all amongst the main worries for societies around the world. As always, the key takeaway should be that with challenges come opportunities. Change does not have to mean less favourable environments, but the landscape may be different. As organizations venture into uncharted territory now is the time to identify and undertake the measures that will increase resilience within your organization by ensuring that effective business continuity planning is in place.

Howard Kerr, Chief Executive at BSI, commented: “2016 continued to see high profile businesses affected by cyber attack and disruption, so it’s not surprising to see it remains as the top threat to business. However, we remain concerned to see that businesses are still not fully utilizing the information available to them to identify and remedy weaknesses in their organizational resilience. Ultimately, organizations must recognize that, while there is risk, and plenty of it, there is also opportunity. Taking advantage of this means that leaders can steer their businesses to not just survive, but thrive.”

Globally there were some variations to the top three threats: In Belgium, act of terrorism was in third; in Central and Latin America, new laws or regulations featured in third place; and in Sub Saharan Africa, exchange rate volatility was third.

There was more variation when it came to actual disruptions with adverse weather appearing in second place throughout North America, Asia and Australasia; while the loss of key employee featured in the top three throughout the Middle East and North Africa, Central and Latin America and the United Kingdom.

Defined as “a set of processes operated by a third party vendor to help your business develop and deploy a disaster recovery (DR) plan,” DRaaS is a trending topic on the minds of many IT professionals. The solutions you recommend and implement depend largely on the RPO (recovery point objective), your RTO (recovery time objective) and what can be done to minimize the time between the disaster and RTO.

What is your ideal RPO and RTO?

Of course, there are different types of disaster that could apply to any business, but some have more catastrophic implications than others. For instance, a website that contains mostly static information that is sporadically updated can afford a longer RPO as not much, if anything, will have changed. In this case, a self-service recovery DRaaS may be your best choice.

On the other hand, a global finance company or a major online retailer losing even seconds of business continuity can have far-reaching financial implications. In the latter case, the RPO needs to be as close as possible to the actual disaster in order not to lose transactions.

What to look for in a DRaaS solution

Of the vendors who offer DRaaS, many market themselves as a stand-alone, all-in-one solution, and some are designed specifically to pair with Microsoft Exchange or SQL Server. Others still offer complete cloud-based data centre and server restoration. The more options offered generally equal a higher cost, but deciding what your BC is worth to you is critical.

The DRaaS solution you choose should tick the following boxes:

  1. Backup all of your systems, data, platforms and applications

  2. Fast recovery

  3. Flexibility: restore a single application or the whole system

  4. A billing structure that fits your budget

  5. Flexible backup target options: local, cloud-based

  6. File size management to minimize storage needs

  7. Support all of your applications, databases and operating systems

Other things to consider include the complexity of the recovery process and whether you have the appropriate IT staff or consultancy to manage it. You should also be concerned with how long it will take to return your systems to a live state from a backup. Some DRaaS place a time limit on how long they will host the recovery environment, and if so, there may be financial implications to consider. Consider the DRaaS reported failback time and the number of VMs that the solution will allow.

DRaaS providers

Your choice of DRaaS providers will depend largely on the size of the systems in question, taking into consideration the potential losses you may experience if BC is not restored quickly.

Here are some of the highest-rated and most popular DRaaS systems available today:

Datto Sirius

Considered a visionary in the DRaaS realm, Datto Sirius is their flagship total data protection platform, offering a 6-second recovery from either the local interface or from the cloud. One key strength is that you can be instantly connected to one of their engineers, 24/7 with no after-hours surcharges.


Though relatively new to the DRaaS landscape, many enterprises who run a Microsoft environment may find it advantageous to stay with what they know. Operating on the Microsoft Azure platform, some of its strengths include supports for more than 50 languages, plus pricing that is based on the number of instances protected. Though it has won high praise for its simplicity and cost-effectiveness, it is largely a self-service option at the moment. It also lacks the hybrid management capabilities of its closest competitors.

Carbonite (EVault)

Carbonite is a highly customizable DRaaS that can be either fully managed or provider-managed. Features include a guaranteed one-hour RTO and 5 minute RPO, but there are several tiers with numbers that should suit most needs.


A fully managed DRaaS dedicated to enterprise, iland boasts 100% uptime availability and a guaranteed 15-minute or less response time to all customer questions and incident reports. Failover and failback can be tested without restriction, and they receive a high customer satisfaction rating for the quality of their support, services and feature innovation.

While this is by no means a complete list, it should give you an idea of some of the top players currently in the DRaaS market.

Alex Viall is founder and managing director of Mustard IT Support, a London-based boutique IT company. With 18 years of industry experience, he is always actively studying, and is currently looking at the hybrid cloud identity / Microsoft Azure.

Monday, 20 February 2017 15:47

Zero One: States Woo Cybersecurity Pros

SAN FRANCISCO -- On Valentine’s Day, Virginia Gov. Terry McAuliffe, speaking at RSA Conference 2017 in San Francisco, courted cybersecurity pros to live and work in the state known for lovers. His overtures, though, belie a serious problem. State governments lack enough cybersecurity pros to battle hackers who’ve put states in their crosshairs.

“My whole initiative as chairman of the [National Governors Association] is cybersecurity, because we at the state level collectively have more data than the federal government,” McAuliffe said.

State governments store a bounty of valuable data, such as state tax returns, healthcare records and driver’s license information. Add to this Virginia’s vast military installations – The Pentagon in Arlington, CIA in Langley, FBI Academy in Quantico, Naval Air Station Oceana in Virginia Beach – and it’s no surprise Virginia faced some 86 million cyberattacks last year, averaging three every second.



According to the results of a recent survey [PDF] of 250 IT professionals, 34 percent of companies in the U.S. were breached in the past year, and 74 percent of the victims don't know how it happened.

The survey, conducted by iSense Solutions for Bitdefender, also found that two thirds of companies would pay an average of $124,000 to avoid public shaming after a breach, while 14 percent would pay more than $500,000.

One third of CIOs say their job has become more important in their company's hierarchy, and another third say their job has been completely transformed in the past few years.



The Federal Emergency Management Agency (FEMA) is requesting that qualified individuals who are interested in serving on the FEMA National Advisory Council (NAC) submit an application to be considered for appointment.

The NAC is a Federal advisory committee established to ensure effective and ongoing coordination of Federal preparedness, protection, response, recovery, and mitigation for natural and man-made disasters, including acts of terrorism. The NAC is a geographically diverse mix of officials, emergency managers, and emergency response providers from state, tribal, and local governments, the private sector, and nongovernmental organizations who advise the FEMA Administrator on all aspects of emergency management.

FEMA is accepting applications for open positions in the following discipline areas:

  • Elected Tribal Government Executive (one representative appointment)
  • Non-elected Tribal Government Official (one representative appointment)
  • Emergency Management Field (one representative appointment)
  • Emergency Response Providers, which includes fire, law enforcement, hazardous materials response, emergency medical services, and organizations representing emergency response providers (one representative appointment)
  • Standards Setting and Accrediting Organizations, which includes the voluntary consensus codes and standards development community (one representative appointment)
  • Individuals with Disabilities (one representative appointment)
  • Health Scientist (one Special Government Employee (SGE) appointment)
  • Infrastructure Protection Expert (one SGE appointment)
  • Administrator Selections (up to five SGE appointments)

The FEMA Administrator may also appoint additional candidates to represent emerging leaders in emergency management.

All appointments are for 3-year terms beginning in September of 2017. All applications must be received by the close of business on March 15, 2017.

Detailed instructions on how to apply can be found at: http://www.fema.gov/membership-applications and in the Federal Register Notice.

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.



BATON ROUGE, La. — State and federal emergency management officials encourage survivors of the Feb. 7 tornadoes to begin repairs as soon as they can.

Storm survivors do not need to wait for a visit from FEMA or their insurance company to clean up and make repairs. FEMA inspectors and insurance claims adjusters will be able to verify damage.

It’s important for survivors to take photographs of damage and keep recovery-related receipts. Insurance companies may need both items, while FEMA may need receipts.

Survivors should check for structural damage before entering their homes.
Emergency management officials encourage survivors to register for FEMA help as soon as they can. They only need to register once and only one registration is allowed per household.

FEMA assistance may help eligible homeowners and renters pay for a temporary place to stay, make repairs or replace certain damaged contents.
Survivors can register online at DisasterAssistance.gov or by calling 800-621-3362 from 7 a.m. to 10 p.m. daily. Multilingual operators are available. Survivors who use a TTY may call 800-462-7585. Survivors who use 711 or Video Relay Service may call 800-621-3362.

FEMA assistance is not taxable, doesn’t need to be repaid and doesn’t affect other government benefits.

Those who are referred to the U.S. Small Business Administration should complete and return the application for a low-interest disaster loan. It is not required to accept a loan offer, but returning a completed application is necessary for FEMA to consider survivors for certain forms of disaster assistance.

Friday, 17 February 2017 17:14

Pricing Strategies For SaaS Providers

Most leaders of SaaS providers understand the importance of minimizing Churn and maximizing account enrichment, but few fully appreciate how vital to those goals is a good pricing and licensing strategy. My newly published report Pricing Strategies For Software-As-A-Service  is a must read for any business software company that sells or is thinking of selling via a subscription model. Here is a quick overview for anyone who isn't yet a Forrester client. 

Some industry experts talk about the "magic ratio" of lifetime customer value to acquisition cost. Aligning the price you charge each customer more closely with the value they are likely to receive from your product is vital to increasing the former and reducing the latter. Simplistic pricing undermines lifetime value by undercharging those customers who get the most benefit from your product. Don't think you can fix this error later if you get it wrong at the start - I've seen many start-up vendors limit their growth potential in this way. Flat rate pricing helped them get traction early on, but then when they wanted to accelerate revenue growth they found it impossible to persuade those early adopters to switch to a variable pricing structure. 

Perpetual license sellers can get away with mis-selling and over-charging because they've banked enough lifetime customer value before the customer realizes its mistake. SaaS providers can't do that. This article from billing vendor Chargify explains how over-selling to the wrong customers can seriously damage a vendor's health, not only from higher churn, but also from customer complaints and misguided efforts to save doomed accounts. Therefore, sound analysis of how your product delivers real, measurable business value - and alignment of your pricing strategy with that analysis - is vital for long term success. My report explains how to optimize the three key elements of that strategy:



Friday, 17 February 2017 17:13

Why Compliance Officers Need Independence

I recently read a great blog post by Tom Fox on why compliance officers need independence.  And former federal prosecutor Michael Volkov, who completely understands the CCO’s hard job, has reiterated the value of independence here, although this is mostly old news to any CCO who has been in the trenches.  With the feedback we are seeing to the launch of the Compliance 2.0 Infographic, this is probably a good time to discuss the independence issue.

Why is independence so critical to the establishment of a strong compliance program that works?  The CCOs in my networks know the answer, and they have the scars on their backs to prove it.  I’ve said that the CCO’s role is an incredibly hard job – maybe the hardest one in the company.  I use a single slide to summarize why this is so.

Here are some ways independence helps CCOs do their job well:



(TNS) - The critical document that determines how much space should be left in Lake Oroville for flood control during the rainy season hasn’t been updated since 1970, and it uses climatological data and runoff projections so old they don’t account for two of the biggest floods ever to strike the region.

Independent experts familiar with the flood-control manual at Oroville Dam said Wednesday there’s no indication the 47-year-old document contributed to the ongoing crisis involving the dam’s ailing spillways. The current troubles stem from structural failures, not how the lake’s flood-storage space was being managed.

But the experts say Oroville’s manual does point to larger operational issues that affect most of California’s primary flood-control dams. Like the dams, most of the manuals were designed decades ago by engineers using slide rules instead of computers. Many of the documents and licenses that govern dam operations don’t account for advances in hydrology, meteorology and engineering, or for a changing climate.



Take a seat in a crowded coffee shop and try to find a person who is not digitally connected – Easier said than done.  Today’s consumer is constantly flooded by streams of information that influence behaviors and provide the ability to instantaneously connect and interact with people, brands, and technologies.  We are living in a digital world expected to grow 40% year over year, with data levels reaching 40 zettabytes (ZB) by 2020.  This equates to nearly 5200 GB of data for every person on Earth.  Let’s put that in perspective.  Today the average household creates enough data each year to fill 65 (32gB) iPhones, but by 2020 that number will increase to over 318!  This overwhelming access to data is driving a shift in the way brands connect with their customers and is challenging businesses to increase the pace at which they operate.

Organizations are making significant investments in technology to support digital transformation, but the changing technology landscape is only one element contributing to the overall value that can be delivered.  An organization’s digital business transformation, along with a resulting competitive advantage, hinges on the business evolving in tandem with technology.  Striking this balance maximizes profitability, improves overall customer experience, and increases speed to market.  However, the cultural shift required to enable this balance is extremely difficult to achieve within most organizations.

Consider the changing retail landscape.  Consumers now have access to products through multiple channels, same day shipping options, and the ability to comparison shop multiple retail outlets within seconds.  In response, retailers are challenged with compressing product development cycles and streamlining their supply chains, while continuing to cut costs, optimize inventory, and offer an outstanding consumer experience.  So how does the business need to respond?



If you suffered damages as a result of the tornadoes that hit south Mississippi in January, the Mississippi Emergency Management Agency and Federal Emergency Management Agency both recommend you contact FEMA to see if you qualify for disaster assistance.

You can register online at DisasterAssistance.gov or by telephone by calling the FEMA Helpline at 800-621-3362 or TTY 800-462-7585.  But you may find that you need to speak to a representative of the state or federal government in person.  If so, visit one of the two MEMA/FEMA Disaster Recovery Centers open in Forrest County.

A Disaster Recovery Center (DRC) is a readily accessible facility where you may go for information about federal, state and other disaster assistance programs, and to ask questions related to your situation.

You can meet face-to-face with representatives from MEMA, FEMA, the U.S. Small Business Administration, volunteer groups and other agencies at the centers to get answers to your questions about disaster assistance.

Some of the services offered at a DRC may include:

  • Guidance about disaster recovery and how you may qualify for assistance.
  • Assistance in applying with FEMA and SBA.
  • Checking on the status of the application you already have submitted.
  • Help in understanding any written correspondence you’ve received.
    • It’s very important that you read any letter you receive from FEMA carefully to understand what you may need to do next, if anything.
    • For example, you may need to submit documents in order for FEMA to process your application. Or, you may need to include an insurance settlement letter, proof of residence, proof of ownership of the damaged property, and/or proof that the damaged property was your primary residence at the time of the disaster.
  • Housing assistance and information about rental properties that may be available and that you may not know are available.
  • Referrals to other agencies and state programs that may provide further assistance.
  • Information about disaster-related funeral and other needs assistance.
  • Information about low-interest disaster loans.

All disaster recovery centers offer communication assistance, including captioned phones, iPads with video remote interpreting, assistive listening devices, magnifiers and onsite American Sign Language (ASL) interpreters upon request. Both Braille and Large Print FEMA documents also are available. If you require a reasonable accommodation (ASL interpreting, etc.) while visiting a DRC, please call the FEMA helpline before you go.

MEMA/FEMA DRCs are open in Forrest County at the C. E. Roy Community Center, 300 E. 5th Street, in Hattiesburg and the Petal Civic Center, 712A South Main Street in Petal. Hours are 9 a.m. to 6 p.m. Monday through Friday and 10 a.m. to 5 p.m. Saturday.

For more information on Mississippi’s tornado recovery, go to fema.gov/disaster/4295 or visit the      MEMA site at msema.org. Follow MEMA on Facebook facebook.com/msemaorg and on Twitter @msema.org.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you believe your civil rights are being violated, call 800-621-3362 or 800-462-7585(TTY/TDD).

How Connected is Your Company?

When we talk about teamwork, collaboration, and office culture, we’d like to think we all work well together. Truth is, today’s workforce is highly mobile and often dispersed. Having everyone together under one roof is nearly impossible. How do you keep the small company feel, with the ideal flow of communication and sharing of knowledge, while still growing? You need software to bring people onto the same page.

We often pigeonhole mass notification software under a single umbrella of emergencies. Sure, it is the ideal solution to reach a segment of the entire population of employees in your organization before, during, and after an emergency, but what else can this software do to bring people together when it matters most?

If we break down mass notification software, it really does one thing really well – connect people. It doesn’t matter if it’s an emergency or a company announcement, no matter what is going on in your organization, the software is perfect for reaching the most people on the most channels they most use. No other single solution, such as email, is as effective. Why? Because your employees are on multiple devices in various geographical locations throughout the day. Believing one mode of communication is still the most effective way of reaching them, particularly in an emergency, is near-sighted.

If you want to be sure you can keep your employees informed, safe, and connected, you have to think bigger than email or phone. You have to think beyond emergencies. You don’t have to look any further than mass notification software.



Data storage is changing. What was true five years ago about the way you managed databases and storage systems may not hold true anymore.

Keep reading for a primer on data storage today.

Once upon a time, data storage was pretty simple. From the early 1990s through the 2000s, most data lived in simple relational databases, like MySQL and PostgreSQL.

They were hosted on traditional servers using magnetic disks.

Each type of relational database had its special nuances.



The Maine Emergency Management Agency (MEMA) bears a heavy burden when it comes to cyber. It’s responsible for the digital security of state and local government, and also works to ensure the cybersafety of the private sector. MEMA broadcasts a daily, color-coded cyberthreat update and is an integral partner in the state fusion center, the Maine Information and Analysis Center (MIAC).

All this is more than the agency can handle on its own. “I was fortunate to be able to create a new position a year ago — a cybersecurity coordinator — but he is also my continuity of operations officer. He’s responsible for business continuity and for disaster recovery planning,” said MEMA Director Bruce Fitzgerald. “There is absolutely no way he can do it all.”

The agency has found a way to lighten the load in recent months by teaming up with students from Thomas College. The Waterville, Maine, school has offered a degree in cyber since 2012 and was looking for a place where students could hone their skills in a practical environment.



IT has no shortage of four-letter words. It’s not clear what the latest variations on the “BYO” or “bring your own” theme add.

Bring your own device (BYOD), bring your own technology (BYOT), bring your own catastrophe (BYOC) for the more pessimistic – the more people invent different flavours of these acronyms, the more they risk to miss the point.

And the point is that users simply using something that is not controlled by the IT department to access and process enterprise information.

This in turn is part of a larger phenomenon in which IT departments must face the fact that their previous iron grip on enterprise data is no longer possible, not just in terms of mobile computing devices. What else is sliding out of the IT department’s control?

There are at least three areas, where a change of tactics is likely to be needed for the IT department:



Thursday, 16 February 2017 17:10

How to develop a cybersecurity program

Your business is unique and your program should be too. Make the most of your unique business assets and the similarity of the controls in your chosen framework (see previous posts) to build a program that meets your business objectives and needs.

Following is one example of a program overview; consider these areas for your plan:



After any disaster, the public’s interest begins to fade until it is just a faint memory.  The famous 2011 Japanese earthquake for most of the world is a great example of that.  Massive tsunamis and incredible destruction, and of course there was the now infamous Fukushima nuclear power plant.  Radiation levels inside the Fukushima nuclear reactor are at their highest levels since the plant suffered a triple meltdown almost six years ago.

The facility’s operator, Tokyo Electric Power (Tepco), said atmospheric readings as high as 530 sieverts an hour had been recorded inside the containment vessel of reactor No 2, one of three reactors that experienced a meltdown when the plant was crippled by a huge tsunami that struck the north-east coast of Japan in March 2011.

The extraordinary radiation readings highlight the scale of the task confronting thousands of workers, as pressure builds on Tepco to begin decommissioning the plant – a process that is expected to take about four decades. You read that correctly….40 years!



I was working with a long-term colleague at a national organization who informed me of his leadership was deciding to build a Business Continuity/Disaster Recovery (BC/DR) solution themselves.  He asked “Should I buy a ready-made solution or do you think it’s feasible that we build our own solution?” This gave me pause before I formulated him my response, which is rare for me.

The questions were more of a self-assessment and reflection on the organization. Does your staff have the time and skill set to design a BC/DR compliant software solution, and can they map needs into the functional components of such a solution? Even if you answer is “yes,” there are still other critical points to consider, which are:



At least 47 of 62 new crypto ransomware families discovered by Kaspersky Lab researchers in 2016 were developed by Russian-speaking cybercriminals.

More than 1,445,000 users were hit by ransomware in 2016, Kaspersky reports.

According to Kaspersky, a flexible and user-friendly ransomware ecosystem is enabling small groups with limited financial resources and technical capabilities to develop into large criminal enterprises.

The researchers say there are three essential levels of criminal involvement in ransomware -- the development and updating of new ransomware families, the creation and support of affiliate programs distributing the malware, and the participation in those affiliate programs as a partner.



Wednesday, 15 February 2017 18:12

Cyber Security Planning

In today’s digital business climate, it’s critical to stay up to date with cyber security. In 2012, FEMA released a presentation “designed to increase understanding of cyber threat alerts, warning, and information sharing across sectors, and to test and evaluate government-private sector coordinating structures, processes, and capabilities regarding cyber event response and recovery.” Emerging technologies from the past five years call for an update of these recommendations, specifically:



Finding the Right System

An emergency notification system is all you need to protect your employees, right? That can be easier said than done. If you’ve been relying on email or phones to inform and alert your employees, you have a little homework to do before you can choose the best emergency notification software for your company. There are many providers out there offering all kinds of features, capabilities, pricing, integrations, and promises, but which ones best fit your requirements?

It’s not easy finding the right technology, but that doesn’t seem to be stopping many organizations. Gartner estimates IT spending will grow 2.7 percent in 2017 and continue at this rate until at least 2020. Where is all of this IT spend going? The majority is spent on communications services, followed by IT services, devices, software, and data center systems, respectively. Nearly $4 trillion dollars have been dedicated to such investments since 2014.



Wednesday, 15 February 2017 18:10

Artificial Intelligence and Data Storage

"My God. It's Full of Data" - Bowman (My apologies to 2001: A Space Odyssey)

Just in case you weren't sure, there is a huge revolution happening. The revolution is around using data. Rather than developers writing explicit code to perform some computation, machine learning applications, including supervised learning reinforcement learning and statistical classification applications can use the data to create models. Within these categories there are a number of approaches, including deep learning, artificial neural networks, support vector machines, cluster analysis, Bayesian networks and learning classifier systems. These tools create a higher level of abstraction of the data, which, in effect, is learning, as defined by Tom Mitchell (taken from Wikipedia):

"A computer program is said to learn from experience E with respect to some class of tasks T and performance measure P if its performance at tasks in T, as measured by P, improves with experience E."

After learning, these tools can make predictions based on new input data. Rather than create code with sets of rules and conditions to model a problem or a situation, these algorithms utilize only the data to form their own rules and models.



As measures are taken to repair a damaged spillway at the Oroville Dam in Northern California, weather forecasters are calling for rain later this week. Almost 200,000 people were evacuated from their homes below the dam, the largest in the country, on Feb. 12 as erosion of the dam’s emergency spillway threatened to flood the towns below.

While the situation was said to have stabilized on Sunday morning, conditions worsened and evacuation orders were issued. Roads in the area quickly backed up as a result, according to reports.

The dam’s main spillway was damaged after a winter season of record rains and snows following years of drought in the state.



When natural disaster strikes, how do you effectively lead a community’s recovery efforts? Mark Riley, Louisiana’s Deputy Director of Disaster Recovery, discusses the importance of trust, teamwork and temperament.

“Trust is indispensable in our business.”



There are hacks and hacks. Some hacks are bad news, especially when they target IT security and jeopardize business continuity, but others – the other kind of hack – could save the day in certain circumstances.

Yes, we’re talking about the business continuity hacks in the sense of a workaround, an ad hoc or temporary solution, while something better is put in place.

Now, it’s tempting to think that anything that helps the organisation avoid business interruptions and weather storms is good, or at least not all bad. But hacks and workarounds can bring their problems, especially if you do not know what to look out for.



BATON ROUGE, La. — Part of the road to recovery has been mapped with the help of FEMA’s Geospatial Information Unit.

Graphics produced by the Geospatial Information Unit have given emergency managers a more complete picture of the August flood so they know where to use resources to advance recovery. Since the beginning of the disaster, the unit has provided daily updates to identify everything from where to deliver food to survivors to where available housing is.

FEMA shares graphics and data with local and state government entities so they have more resources to develop long-term recovery plans. Local, state and federal partners helped the unit create the following graphics:

  • The Civil Air Patrol and the National Oceanic and Atmospheric Administration provide aerial imagery to determine locations and the extent of damaged structures — many times in inaccessible places.
  • Satellite imagery supplied by the National Geospatial-Intelligence Agency determines flood locations and scope of damage.
  • The U.S. Geological Survey provides high water marks to model flood depths.
  • FEMA personnel provide information on structural damage and road closures.

Graphics produced by the Geospatial Information Unit also help create a more resilient Louisiana. The unit is assisting with the ongoing watershed study to develop ways to manage areas where rivers drain — watersheds — so communities can prevent or reduce infrastructure damage.

Monday, 13 February 2017 16:47

Can Risk Management Even Be Effective?

Lately, everyone – from the government agencies to regulators to corporate board members – seems to be talking about the need for better, more effective risk management. The challenging part is that, despite the guidance provided in ISO 31000:2009, the concept of risk management effectiveness still remains vague. This article attempts to summarize the basic components of effective risk management, which should help risk managers to respond to the challenges set by regulators and shareholders.

The team at the Institute for Strategic Risk Analysis in Decision Making (ISAR) and www.risk-academy.ru has been studying risk management for more than 15 years, and we firmly believe that effective risk management is only possible when all four criteria below are met. These criteria are based on ISO 31000:2009, the most widely used risk management standard in the world (translated and officially adopted in 44 of the 50 biggest countries based on the GDP).



Monday, 13 February 2017 16:45

A Hogwarts For Cyber Protection?

How the UK is minting a new generation of cybersecurity wizards.

Never let it be said that the British don't do things with style. In the years leading to World War II, they recognized the need to break enemy codes, and ran crossword puzzle contests to find recruits for their ultra-secret Government Code & Cipher School—also known as GC&CS, or Bletchley Park.

The resultant genius of codebreakers such as Alan Turing is believed to have shortened the war by two to four years, and to have assured its outcome. Surely the mystique of Bletchley Park led to the archetypal smooth, sophisticated 007 spy-hero archetype—as many of Bletchley Park’s cryptanalysts came from Oxford and Cambridge.  

Now there is a new war underway, and the British have been among the first to recognize it: they’ve taken the threat of cybercrime and online infringements seriously, and began a government-supported campaign to protect online rights of normal citizens while America was still revelling in the unbridled, wild west freedom of the Internet. The British have a National Museum of Computing and, modern-day equivalent of the crossword puzzle contest, a set of competitions called Cyber Security Challenge UK that presumably function as high-level testing and recruitment tools.



HATTIESBURG, Miss. – In the aftermath of a disaster, misconceptions about disaster assistance can often prevent survivors from applying for help from the Federal Emergency Management Agency and the U.S. Small Business Administration. A good rule of thumb: register, even if you’re unsure whether you’ll be eligible for assistance.

Registering with FEMA is simple. You can apply online at DisasterAssistance.gov or by calling FEMA’s helpline 800-621-FEMA (3362) or TTY 800-462-7585. The toll-free telephone numbers operate from 7 a.m. to 10 p.m. (local time) seven days a week until further notice.

Clarification on some common misunderstandings:

  • MYTH: FEMA assistance could affect my Social Security benefits, taxes, food stamps or Medicaid.
    FACT: FEMA assistance does not affect benefits from other federal programs and is not considered taxable income.
  • MYTH: I have insurance. I don’t need to apply for federal disaster assistance.
    FACT: You should register for federal disaster assistance even if you have insurance. While FEMA cannot duplicate insurance payments, under-insured applicants may receive help after their insurance claims have been settled. Be sure to provide FEMA with any updated information and documentation once your claim has been settled.
  • MYTH: It’s too late to register with FEMA if I’ve already filed a claim with my insurance company.

    FACT: Many of those with tornado damage have already filed claims through their insurance carriers. Recovery officials suggest they register with FEMA even while waiting for an insurance settlement.

  • MYTH: I've already cleaned up the damage to my home and had the repairs made. Isn’t it too late to register once the work is done?
    FACT: You may be eligible for reimbursement of your clean up and repair costs, even if repairs are complete.
  • MYTH: I didn’t apply for help because I don’t want a loan.
  • FACT: FEMA only provides grants that do not have to be paid back. The grants may cover expenses for temporary housing, home repairs, replacement of damaged personal property and other disaster-related needs such as medical, dental or transportation costs not covered by insurance or other programs.

The U.S. Small Business Administration provides low-interest disaster loans to renters, homeowners and businesses of all sizes. Some applicants may be contacted by SBA after registering with FEMA. You are not obligated to take out a loan, but you need to complete the application to continue the federal disaster assistance process. By completing the application, you may become eligible for additional grant assistance from FEMA if you do not qualify for the SBA loan.

You can apply with SBA online using the Electronic Loan Application (ELA) via SBA's secure website at https://disasterloan.sba.gov/ela. For more information on SBA’s Disaster Loan Program, visit SBA.gov/Disaster, call the SBA Customer Service Center at 800-659-2955 (TTY 800-877-8339 for the deaf and hard-of-hearing) or send an email to This email address is being protected from spambots. You need JavaScript enabled to view it..

  • MYTH: I don’t want to apply for help because others had more damage; they need the help more than I do.
    FACT: FEMA has enough funding to assist all eligible survivors with their disaster-related needs. 
  • MYTH: I'm a renter. I thought FEMA assistance was only for homeowners for home repairs.
    FACT: FEMA assistance is not just for homeowners. FEMA may provide assistance to help renters who lost personal property or who were displaced.
  • MYTH: Registration involves a lot of red tape and paperwork. I don’t have time to register.
    FACT: There is no paperwork to register with FEMA. The process is very easy and normally takes between 15 and 20 minutes.
  • MYTH: Since I received disaster assistance last year, I’m sure I can’t get it again this year.
    FACT: Assistance may be available if you suffered damage from a new federally-declared disaster.
  • MYTH: My income is probably too high for me to qualify for FEMA disaster assistance.
    FACT: Income is not a consideration for FEMA grant assistance. However you will be asked financial questions during registration to help determine eligibility for SBA low-interest disaster loans.

For more information on Mississippi disaster recovery, click fema.gov/disaster/4295. Visit the MEMA site at msema.org or on Facebook at facebook.com/msemaorg.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY call 800-462-7585.

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

Friday, 10 February 2017 16:16

How To Launch Customer Obsession

Since 2010, you've heard Forrester beating our customer obsessed drum.  It is our idea that in The Age of the Customer, your relationship with your customers are your primary competitive differentiator.  We've written a lot about how to put the customer at the center of your total operating model.  But a total customer-obsessed transformation can be daunting because of the completeness it requires.  So many companies we talk to get overwhelmed at the idea of having to change every single part of their business, so they do nothing instead.  How could we offer a wedge into the customer obsessed transformation?  Could companies start toward customer obsession more easily if they understood where they are starting from?

We believed yes.  So we created The Customer Obsession Assessment, a large quantitiative survey, which included myriad statements related to customer service, customer experience, customer relationships, supporting technologies and sent it out to just over 1000 global executives.  Then we applied factor analysis and regression analysis to determine which statements most closely correlated with customer obsession.  From this effort we created: 1) An assessment that companies could take to determine their customer obsession maturity; 2) A segmentation of the execs who took our study so that we could identify best practices and pitfalls common at each stage in maturity. 

A few findings from the research:



About one in five organizations within the banking and insurance industry feel confident they can detect a data breach, yet, the vast majority of their customers, 83 percent, trust these same companies to have high standards for cybersecurity practices, according to a survey by Capgemini. Capgemini Global Cyber Security Chief Operating Officer Mike Turner was quoted in eSecurity Planet, stating:

Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100 percent secure. While banks are evolving to combat the sophisticated threat cyber criminals pose, public understanding of the threats and challenges remains low.

If I’m a bank or insurance executive, I’m sighing with relief that my customers trust me and my security efforts so much. It means that they trust the company’s brand, and according to a recent Ponemon Institute study, in partnership with RiskVision, the majority of companies actually fear the loss of brand reputation over data breaches due to lack of risk management strategies.



Once you have your executives on board (see the previous post) the next step is to define the scope of your program and define your inventory of assets.

Your scope will encompass the entire company at some level, but you may have one scope for internal resources, a scope for customer resources, another scope for third-party resources, and other scope projects as well. Scope may be defined in terms of technology or business, application or process, people or buildings. Your executive sponsor can help define the scope of each program, the cybersecurity professional must help the executive sponsor understand the depth and breadth of the scope requirements.

Inventories may be tracked in simple excel spreadsheets, maintained by accounting, or tracked in sophisticated asset-management software applications that include automated discovery and tracking mechanisms. Regardless if the starting inventory is simply hard assets (desk or desktop) or soft assets (operating systems or data), this inventory is a fundamental requirement for your cybersecurity program. Without it you don’t know what needs to be protected.



The Business Continuity Institute

Through working both as a consultant and as a full time organizational business continuity resource, a common theme of exercising keeps becoming apparent. Each year we hope to amaze and terrify our BC exercise participants with our well thought out, taxing and relevant BC exercise scenario by keeping it secret.

We ensure that each scenario has a multifaceted extra dimension to it, so that each representative on the team has ‘something to do’. The surprise caused by the scenario hopefully causing a slight air of uncomfortableness and mild simulation of crisis management.

However are we doing this wrong? Most, if not all, exercises have objectives linked to learning and training for participants, if this is the case why are we keeping the scenario secret? Who would tell a Broadway performance that “we will not give you the script until you turn up for a full dress rehearsal”? We wouldn’t welcome trainees to a training course, but not let them know if it is relevant to their position or that they didn’t have the prerequisites to attend.

I propose that we should start doing things differently and I am aware that this will not be for all organizations. However if you have a mature business continuity programme in place, chances are that there are team members, or coordinators, with varying levels of exposure to business continuity or indeed exercising. So how about doing different exercises at different levels on known scenarios?

Therefore staff could come prepared, taking the 'deer in headlights' element away, but also picking the exercise that they feel will give them the most return on investment. For example a human resources representative choosing to do a pandemic exercise over say a cyber attack.

Now I know some of you will say it is important to do one exercise to evaluate the team as a whole. But given the multi-dimensional workloads that our senior teams have, an actual incident occurring when they are all available is highly unlikely. We all know how hard it is to get all the right people in the same room at the right time. Even when the stars are aligned you always end up exercising with someone who is deputy of a deputy, nominated last week.

If you stated you must attend one per year and here are three exercise dates throughout the year, not even the most elusive of representatives can engineer to be on holiday for every session. This means you can have deputies exercised as well as the first call. Learning and improvements for the incident teams can be constant rather than via an annual review. Engagement between the senior representatives would also be increased, for example “I did the cyber exercise and we struggled with client expectations”, “really that was the best part of our pandemic exercise” etc.

Now I said that the proposed solution wouldn’t work for everyone, but I can’t even think of a good reason that a large scale single exercise again should be a surprise. It would negate the dreaded refusal to exercise, i.e. “that’s a silly scenario it would never happen”. Also as has previously happened to me “we can’t do that scenario as we are currently dealing with it” followed by mild panic of me changing the scenario to fit with the clients expectations and utilising the relevant ‘something to do’s’ from the unused exercise scenario.

I am really struggling with the need for the scenario to be a secret and if you can think of a relevant reason please let me know. Or perhaps you could incorporate this into your 2017 exercise schedule.

Otherwise are we not expecting people to complete the bridge crossing in Monty Python’s Holy Grail? Essentially expecting our exercise participants to fail or even worse, ourselves being thrown into the ‘I don’t know that’ chasm!

I would appreciate your feedback on this matter; will you still be keeping your scenario secret? Or have I convinced you to share it with your participants?

James Halpin MBCI is the UK Business Continuity Coordinator at Cigna.

Don’t take this title too literally. Ransomware, the malware that extorts money from victims to prevent a disaster, will surely continue to be active, at least in the short term.

However, IT security experts have already mooted the possibility of a step up the malware evolutionary ladder to the ransomworm. This malware nasty combines the extortion of ransomware with the propagation of the computer worm.

After infecting one victim, the ransomware would then copy itself systematically to every other machine on the same local network. But why do experts put such a high probability on the ransomworm making its appearance?



You may think that IT security applies to you only if you delivered managed security services. But in fact, security is something every MSP needs to worry about in the managed IT services business. Here's why.

Once upon a time, cybersecurity was a relatively distinct discipline. It could be handled well enough by vendors who specialized in providing security services. MSPs who delivered other types of services left it to the security folks to worry about keeping data and networks safe from attacks.



The Business Continuity Institute

2017 may be well underway, but I wanted to take the time to reflect on the past, and look ahead to predict the way in which our business continuity profession will continue to mature over the coming year and beyond. In many ways, this 'top five' list is aspirational – that being my hopes for our profession as we solve some entrenched challenges and work to add more value to the organizations we serve.

1. 'Simplicity is the ultimate sophistication'

It was Leonardo di Vinci who delivered this impressive quote.

I’ve seen a tremendous amount of energy around the idea that our approach as business continuity professionals needs to resonate better in our organizations, doing so in a manner that is easier to digest. In other words, pulling back on jargon, stale methodology, and unnecessary complexity. The goal should be to use approaches that are easier to connect to and participate in (from the perspective of the audience that we’re working to protect).

Some 'simplicity' opportunities include:

  • Business impact analysis processes that get to realistic business continuity requirements without endless analysis;
  • Actionable, 'skinny' plans that describe how to recover and clarify how to operate differently until a return to normal; and
  • Training and awareness activities that focus on how to respond to a disruption rather than how to participate in business continuity methodology.

We are going to become much more aware of how our organizations use our tools, processes, and outcomes, and we will become more open-minded and look for ways to make working with us easier and more effective.

2. Meaningful coordination across disciplines

Organizational resilience. Enterprise risk management. Governance, risk, and compliance. These umbrella efforts all involve a broad range of disciplines to enable the organization to manage risk and achieve its objectives. Involving ourselves in these efforts necessitates the needs to coordinate, share information, and prioritize where to spend limited resources.

But, what does this coordination look like – and with whom? Some of the most innovative companies are exploring this question and achieving success, which often involves a shared understanding of:

  • The most important products and services (today and into the future)
  • Organizational strategy and priorities (again, today and into the future)
  • Risk appetite (tolerance)
  • The organizational structure and resources necessary to deliver products and services
  • The best way to engage senior leadership in prioritizing and decision-making

Putting aside the topic of where business continuity does or should report to, different disciplines that can and should work together to solve organizational risk issues include physical security, information security, product/marketing, credit risk, legal/regulatory compliance, public relations/communications, information technology, operational risk, and business continuity.

As business continuity professionals, do we need information and engagement such as this? Absolutely! Would it be beneficial to work with others to develop such an understanding and an engagement model, sharing resources and knowledge? No doubt!

I see less of a focus on the disciplines that contribute to managing risk, and more of a focus on the realization of efficient, prioritized outcomes.

3. A focus on outcomes rather than methodology

The business impact analysis, risk assessment, plans, and exercises are all a means to an end. The actual end that we need to be laser-focused on achieving is helping our organizations become more resilient and prepared for a disruption.

“What would I do if…?”

“How would I do X if I lost Y?”

“Is it possible to meet Customer Z’s expectations when…?”

Having answers to these common questions that worry our senior leadership teams is the key to adding value. Whether a for-profit private sector company or a governmental entity, your organization provides something of value to a customer or citizen.

Protect the processes and resources that deliver value and do so in the most efficient manner possible.

I predict that a growing percentage of business continuity professionals will learn to focus more on outcomes than methodology and terminology.

4. Flexibly - include rather than exclude

That’s not what business continuity is, so no, we don’t do that.” I think we’re all guilty at times of saying something like this. Perhaps we should approach all requests for help with an open mind and determine how we can contribute to a solution. Even if the organization’s issue isn’t traditional business continuity – or maybe it’s not even close – why not reflect on what we can contribute? Is it a detailed understanding of the processes, activities, and resources and can our value be volunteering that information as part of a team to solve the issue?

I don’t see the need for business continuity profession going away, but I do believe we will see more flexible, nimble professionals that will be less focused on drawing boundaries around their responsibilities and more focused on solving organizational barriers to achieving objectives. This solutioning will take place by working with other disciplines to share knowledge and manage risk appropriately.

5. Affecting culture (versus focusing on plan documentation)

Building on number 3 above, here’s another quote that really tells a lot about an organization’s business continuity maturity:

Before we make this decision and go down this path, have we thought about the business continuity implications of this approach? Are we more or less at risk if we do this?

Imagine an organization that no longer focuses on bolting on business continuity solutions to high risk strategy but instead proactively takes into account disruption-related risk when making choices. That’s a mature organization and one that I predict will become more and more common in the years ahead.

Before concluding, I would be remiss if I didn’t offer a challenge to all business continuity professionals – mainly because, if successful, it will be an enabler of success. Get to know your customers and how the business intends to make them happy. Get to know your sales teams and the promises they’ve made to your customers. Get to know your leadership teams and what they think will make the organization successful today, tomorrow, next quarter, next year, and beyond. This knowledge will help you not only speak the language of your key stakeholders, but it will also offer you the focus needed to apply your limited time to what’s most important.

Brian Zawada FBCI is Director of Consulting Services at Avalution Consulting and President of the US Chapter of the BCI.

Michael Berkowitz is the president of 100 Resilient Cities, the Rockefeller Foundation program that facilitates the adoption and incorporation of resilience in cities to shocks, such as earthquakes, fires and floods, and stresses like poverty and other social issues. The 100 cities chosen include 23 in the U.S. and represent 48 countries across six continents.

Berkowitz was previously the global head of Operational Risk Management for Deutsche Bank, and from 1998 to 2005 was deputy commissioner for the New York City Office of Emergency Management.



Apparently for the past 30 years, government leaders in Washington have done the same thing over and over regarding the Seattle earthquake.  Order a big study, ignore the findings and then repeat.

That was the message of a recent special report by the Seattle Times which looked back on the past 30 years of arm flailing and chest pounding and yet no action. The government has created a subcabinet but it has no budget, staff or regulatory authority — and simply creating the entity took more than three years with nothing to show for it. Ouch!

The Seattle Times reported that state elected officials for the past three decades have repeatedly directed seismic-safety experts to produce reports, all of which have called for action to reduce threats to public safety and the state’s economy. And time and time again, state politicians have largely ignored recommendations that require money or legislation to see them through to completion.



In Risk Management, preparation and information are our best tools. One of my mantras is “Hope is not a strategy.” This mantra is particularly the case for security issues. Other than people, data is the most valuable asset for most organizations, and data thieves recognize that fact. In today’s blog, we will focus on data and network security. As a risk manager or business continuity professional, do you understand your organization’s data security strategy and how it integrates into your plans? You don’t need to be a certified network engineer or security analyst to understand that a proper approach and set of tools should be in place to protect your environment from unwanted attacks or access.

The following are items to review and consider as you work with your IT team.



For businesses, cloud-based backup and recovery has become common these days. If backup is fast enough to fit within a backup window, and if recovery times hit recovery time objective (RTO) and recovery point objective (RPO) service levels, you’re golden.

After that, it gets complicated. Backup and recovery are critical components of disaster recovery (DR), but alone they can’t assure that application processing continues uninterrupted. Many enterprises have built their DR plans around remote sites because they already own multiple data centers, or they have the budget for secondary hot sites. However, unless they have an extra data center hanging around — or can afford to lease a secondary hot site — midsized and small businesses were out of luck for remote DR.

In response, many cloud service providers and disaster recovery vendors took the cloud-based backup and recovery model to its logical next step: failing-over applications to the cloud.



Of all the lasting effects of Edward Snowden’s leaks, there’s one photo that leaves a particularly strong mark. In it, U.S. federal employees in T-shirts and blue jeans are seen intercepting network equipment from Cisco Systems Inc. at a shipping facility. The feds in the photo, their faces obscured, were reprogramming the machines to spy on people’s activities.

The image captured a deeply held paranoia within Silicon Valley’s biggest internet companies: In an era of increasingly sophisticated nation-state hacking, how can we trust that network infrastructure isn’t compromised before it’s dropped off at the company loading docks?

This fear has created a sense of urgency for Apple Inc., Google, Facebook Inc. and other technology giants that have been devising their own alternatives to Cisco, which controls more than half of the market for network equipment. After the photo was published, Cisco filed a public complaint with the White House, arguing that spying by the National Security Agency was hurting U.S. companies. Cisco told Bloomberg it doesn’t work with governments on backdoors for its products and maintains tight checks on its processes and supply chain to assure customers of their security.



Wednesday, 08 February 2017 16:23

Defining Resilience: If I Were FEMA Administrator

Resilience” is a word that has been tossed around a lot in recent years. It is the newest term to enter the emergency management lexicon and you find it across the spectrum of thinking about personal resilience, organizational resilience, and I’m sure someone has potentially written about spiritual resilience. All of the above have this sense of being able to avoid a crushing blow, and being able to weather the storms of life or business.

Resilience immediately brings to mind the idea of “springing back” from a state where an organization has been distorted by an event. The ability to quickly recover to its previous status and functionality.

In emergency management terms, many think of resilience as something that kicks in during a post-disaster recovery effort. A community that is resilient is one that rapidly recovers from a disaster.



Wednesday, 08 February 2017 16:22

Introducing Avalution’s Values

When my business partner Brian and I started Avalution in a Starbucks 11 years ago, we didn’t spend much time agonizing over what we wanted this firm to be about. It was a quick conversation – and it didn’t really focus on business continuity! We envisioned a firm of great problem solvers. We were both most comfortable with business continuity, so we considered that a great place to start. Throughout the years, we’ve had many quick conversations to determine the path forward for Avalution.

Since then, we’ve grown on average 20% per year to now nearly 30 people all over the US. As we’ve grown, we’ve also learned a lot. Over the last 6 months, we’ve been focusing on more clearly defining the ‘unmovable core’ of our company. We’ve spent time discussing and reflecting on how all of our team members can be aligned for us to move forward. For us, this became essential around 15 employees – we found that we could no longer have quick conversation to get everyone on the same page. As we add more people we need clarity on what is expected from everyone at Avalution.



Wednesday, 08 February 2017 16:15

Turn Supply chain analytics is your Moneyball

I watched Moneyball over the weekend for the first time, and I really enjoyed it. As a nerd, I love all movies that demonstrate the power of mathematics and analytics (On top of that, Brad Pitt did a fine job).

But while everyone loves the of using statistical insight to overturn old ideas and revolutionize baseball, but why are supply chain managers reluctant to apply similar winning concepts? According to a Forrester Business Technographics Survey, only 27% of supply chain management professionals and 22% of logistics and distribution professionals are using or plan to use big data analytics or plan to. At Forrester, I frequently discuss supply chain analytics with clients and how to leverage supply chain insights to drive business growth or improve operation efficiency. Everyone knows analytics is important, but there are still plenty of myths related to what to measure, what tools to use, and what types of analytics to apply. I’d like to briefly summarize my thoughts on these three topics:



Machine learning, if you have not already met it, is the capability of a machine (a software application) to modify its rules and algorithms according to new data.

In other words, the machine that learns is one that independently adapts to changes to produce reliable decisions and results now and into the future.

Machine learning is not as new as some other advances in computing, but is coming to the fore, now that technology is available to process very large amounts of varied data (big data) very fast.



In the past two weeks, we’ve seen Uber’s CEO respond to public criticism by stepping down from President Trump’s advisory council; Starbucks garner public support and condemnation after promising to hire 10,000 refugees; and tech giants including Google, Apple, Facebook, and Microsoft rally together to oppose the President’s recent immigration ban. In the past month, we also saw SeaWorld finally curtail its killer whale shows in California after prolonged public pressure, and artificial intelligence experts continue the contentious debate on driverless car morality.  

Executives are making very complicated moral decisions in the face of increasingly difficult situations in order to protect themselves, their stakeholders, and their brands. For anyone involved in business ethics, corporate behavior, risk management, and compliance, the world is getting more challenging and more fascinating all the time.

In our latest governance, risk, and compliance report, GRC Vision 2017-2022: Customer Demands Escalate As Regulators Falter, we examine the most critical trends that will transform risk and compliance roles over the next five years, many of which are playing out in the public eye every day:



According to the results of a recent Capgemini survey of 7,600 consumers and 183 senior data privacy and security professionals at banking and insurance firms worldwide, just 21 percent of banking executives are highly confident in their ability to detect a cyber security breach.

At the same time, 83 percent of consumers say they trust banks and insurance firms to maintain strong cyber security, compared to 28 percent of consumers who trust e-commerce firms and 13 percent who trust telcos and retailers.

"Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100 percent secure," Capgemini global cyber security chief operating officer Mike Turner said in a statement. "While banks are evolving to combat the sophisticated threat cyber criminals pose, public understanding of the threats and challenges remains low."



Imagine if this was your company and as part of the court’s judgement against you, you were ordered to take out ads to proclaim your guilt. That is exactly what just happened in the judge’s verdict on the San Bruno explosion, the 2010 natural gas pipeline blast that killed eight people.

PG&E was ordered take out TV and newspaper advertisements announcing that the company was found guilty of violating safety standards. Full page ads must be placed in the San Francisco Chronicle and the Wall Street Journal explaining its offenses and what it’s doing to prevent future wrongdoing. In addition, it will spend almost $3 million to advertise on TV, which the company said amounts to about 12,500 60-second spots. This is like asking the company to walk around town with a sandwich board on its back proclaiming its guilt.

In addition, the judge directed “high-level personnel” to do 2,000 hours of monitored community service and sentenced the company to a maximum-allowed fine of $3 million, nothing that the crimes were “very serious and pose great risk to the public safety.” In addition to the community service requirement for high-level employees, the company must perform another 8,000 hours of service.



HATTIESBURG, Miss. — If you register with the Federal Emergency Management Agency following the January storms and tornadoes and are referred to the U.S. Small Business Administration, it’s important to submit an SBA disaster loan application to ensure that the federal disaster recovery process continues.

When SBA determines a homeowner or renter cannot afford a loan, they may be considered for FEMA’s other needs assistance program, which provides grants for disaster-related medical and dental care, funeral costs and vehicle repairs. They may also be eligible for assistance from other organizations. If you are referred to SBA, you must apply for the loan to be considered for other needs assistance.

There is no cost to apply for an SBA disaster loan, and you are not required to accept a loan if one is offered. 

Next to insurance, SBA is the primary source of funds for real estate property repairs and replacing lost contents following a disaster. Renters and homeowners alike may borrow up to $40,000 to repair or replace clothing, furniture, cars or appliances damaged or destroyed in the disaster. Homeowners may be eligible for low-interest loans up to $200,000 for primary residence structural repairs or rebuilding.

SBA loans are very affordable. For homeowners and renters interest rates are as low as 1.5 percent; for businesses rates are as low as 3.125 percent. Loan terms can be for as long as 30 years, keeping payments as low as possible.

March 27, 2017 is the last day to register with FEMA and apply for SBA disaster loans for physical damage.

Loan applications may be submitted online at https://disasterloan.sba.gov/ela/ or mailed to:

U.S. Small Business Administration
Processing and Disbursement Center
14925 Kingsport Rd.
Ft. Worth, TX 76155-2243

For additional information, contact the SBA Disaster Assistance Customer Service Center at 800-659-2955 or TTY 800-877-8339 or email This email address is being protected from spambots. You need JavaScript enabled to view it..

Register with FEMA online at DisasterAssistance.gov or call the FEMA helpline at 800-621-3362 or TTY 800-877-8339. The toll-free lines are open 7 a.m. to 10 p.m. seven days a week. Multilingual operators are available.

For more information on Mississippi’s tornado recovery, go to fema.gov/disaster/4295 or visit the MEMA site at msema.org. Follow MEMA on Facebook facebook.com/msemaorg and on Twitter @msema.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 (voice, 711 or video relay service). TTY users can call 800-462-7585.

The U.S. Small Business Administration is the federal government’s primary source of money to help business of all sizes, private non-profit organizations, homeowners and renters rebuild and recover after a disaster. SBA low interest disaster loans repair and replace property losses not fully compensated by insurance and do not duplicate benefits of other agencies or organizations.

Friday, 03 February 2017 16:34

BCI: Why do we not listen?

The Business Continuity Institute

I am not obsessed with President Trump by any means, but at the moment, he is highly visible and there are lots of lessons to be learned from the situations he is creating.

Between winning the election and his inauguration, the news has been full of speculation about what sort of President he would be, and what his policies would be.

During his first two weeks as President we have found out exactly what his policies are: he has appointed Scott Pruitt, a climate change sceptic, to be in charge of USA Environmental Protection Agency; he has given the go ahead to two stalled oil pipelines; he has stopped visitors travelling from a number of predominately Muslim countries and he has signed the executive order to build 'the wall'.

All of these policies should come as no surprise to anyone, as they were all themes of his campaign and were repeated over and over, that this is what he was going to do. So why were we surprised when he went ahead and did exactly what he said he was going to do?

I think as a society we construct in our minds a consensus model of the world and we struggle with events or incidents which challenge our model, and don’t conform to how we think the world should behave.

Our consensus model is arranged around a number of beliefs:

  • Climate change is real and we should do something about it
  • Globalisation and free trade create wealth and is good for all of us
  • Building walls are bad
  • Banning travel by certain groups, especially Muslims, is self-defeating and probably puts us more at risk
  • Politicians spin, but they do not tell outright untruths
  • What politicians say when campaigning and what they actually do when in power is substantially different as they realise the realities and difficulties in implementing their rhetoric
  • Alliances and closer economic, political and social integration are good
  • The world is getting better

Although this is not the consensus of all, it is a vision shared by many of those in power, and many of the middle and upper classes, worldwide.

When someone like Donald Trump comes along and challenges our orthodoxy, we think he is just ‘saying this’, he won’t actually do it, as we see his actions as contradicting our preconceived ideas of how the world behaves. We are then shocked and surprised to find that the world is changing and our views are no longer valid. We also find that there are large sections of society who reject and disagree with our consensus on the world, and vote for outcomes such as Trump or Brexit, which to us seem plain wrong.

So, what does this all mean to us in our business continuity role? In the words of the master and teacher in many a martial arts films, we have to “open our mind” and see the world as it is, rather than how we think it should be, especially from the view of our own preconceived ideas. I think the secret is to listen to what people are saying.

If a politician or leader says they are going to take what you see as extreme actions, don’t think that they will never do it, but make your plans as if they enact their plans. If you have a whistleblower or a member of the organization being vocal about a potential accident, flaw in the system or issue they have identified, listen to what they have to say and insist that they are given a hearing, and investigate the validity of what they are saying. It is very rare whenever there is an incident, to find that there was absolutely no warning at all. Most often, a number of people flagged it up as an issue, but they were not listened to. It is perhaps worth investigating ten non-events, than to miss one major event which could have been prevented.

The world is constantly changing and consensus come and go, but as business continuity people we must listen, listen, listen all the time. We need to bring to the attention of top management, the issues, risks and items which could potentially impact our organizations, which they have dismissed or not heard in the past.

Charlie Maclean-Bristol is a Fellow of the Business Continuity Institute, Director at PlanB Consulting and Director of Training at Business Continuity Training.

Container technologies allow enterprises to create highly differentiated apps and services faster, with better quality and geographic reach, to create compelling customer experiences. They have quickly become an important element of digital business transformation for EA pros because they promise faster software delivery, tremendous scale, higher resiliency, greater flexibility, and broader implementation options. Everything about enterprise app infrastructures, development styles, and architectures is changing, and containers play a key role in each area.

However, Forrester’s TechRadar™ for business technology infrastructure found that containers and container management technologies are still in the Creation stage, meaning that some container components and management tools are immature and changing quickly. Companies must navigate a complex landscape of technology components to build, package, and deploy containers. To help tech management pros accelerate cloud evolution, I’ve recently published a report with Dave Bartoletti focusing on the software landscape for each layer in a typical container management software architecture. Some of the key takeaways:



It’s Groundhog’s Day, when a sleepy landpig emerges from his little mancave and entertains questions from the press about astronomical phenomena!
As good a day as any to share a few content trends where we at Forrester expect to see considerable acceleration this year.

Here are your 6 content trends and one wannabe-trend that won’t trend in 2017.



In the days of old, not very long ago, release cycles were measured in years —organizations were using “on-time” and “on-budget" as the mantra for project efficacy. Business today is compelled to deliver business technology in cycles of hours, or days. Faster cycles render not only tradition “waterfall” processes and silo based IT obsolete, it also renders traditional metrics ineffective! These arcane metrics no longer deliver the visibility and granularity tech pros need to fine-tune their delivery capability. The mission has transitioned to rapidly deliver high quality, high value solutions. For all, this is a significant shift from the past, when the main points of focus were schedule, cost, and efficiency. Modern software metrics — speed, quality, and value — are based on continuous feedback from business partners and customers.

To transition the business, organizations are transitioning to Agile and DevOps practices. Organizations including Capital One[1], Target[2], and KeyBank[3] – to name a few – are leveraging DevOps practices to transition their businesses. Each shared their journey to high velocity at the DevOps Enterprise Summit in San Francisco last November and all remarked on the transitioning of metrics from what were traditional metrics. Diego Lo Giudiceand I share insight into these evolving metrics in our report, “Build The Right Software Better And Faster With Agile And DevOps Metrics.” It addresses the practices and tools that help organizations collect, report, and respond to them. In my research on the subject, I found three key takeaways, listed and briefly described below.



Thursday, 02 February 2017 15:11

ITSM and DevOps – A Win-Lose Situation?

Do the formalism of IT service management and the agility of DevOps mean that one can only succeed if the other fails?

The main goals of ITSM are to help achieve business objectives and increase IT efficiency. DevOps on the other hand puts the priority on speed and iteration of development and deployment activities.

When the two approaches are compared, ITSM may be seen as requiring more investment and more time to achieve significant results.



Developing a framework for your cybersecurity program is important. Fortunately, depending on the industry your organization belongs to and type of data you need to protect, your framework could already be set by outside standards. For instance, if you accept credit cards you must comply with PCI. If yours is a financial institution, FFIEC is your ruling standard. If your organization handles medical information, HIPAA will provide a set of standards and oversight.

If you don’t already follow a regulatory standard, choose a general security framework like one of the following:

  • ISO – Well-known international set of standards
  • NIST – Established US standards that are required by federal agencies
  • AICPA – Familiar auditing standards for service organizations
  • CSA – Standard directed to cloud service organizations



Thursday, 02 February 2017 15:09

Tapping the Real Benefits of the Cloud

The enterprise shows no signs of slowing the migration of data and applications from legacy infrastructure to the cloud.

But while much of this activity is aimed at reducing the cost of IT, particularly in the capital budget, it turns out there are many side benefits to cloud computing – at least, for the right applications in the right circumstances.

According to Smart Communications CEO George Wright, the cloud produces a number of hidden benefits that don’t emerge until well after the enterprise has committed itself to the new paradigm. Leading the list is the way in which cloud-based resources produce faster, more efficient processes for core enterprise functions, such as banking and legal services. Indeed, start-ups like MetroBank and LegalZoom are routinely beating long-standing businesses at their own games by providing more convenience and cheaper service to customers. Back-office functions often benefit from the cloud as well, particularly when it comes to automated data exchange between firms that lease infrastructure from the same provider.



Thursday, 02 February 2017 15:08

What Would a Reformed FEMA Look Like?

Disaster response used to be a state and local responsibility, with perhaps a sprinkling of federal assistance thrown in for good measure. These days, some will argue, the equation has been reversed, with national government in the form of FEMA increasingly stepping in to remedy what used to be local situations.

“We have federalized natural disasters over the last 25 years,” said Matt Mayer, a visiting fellow at the American Enterprise Institute, a public policy think tank. “If we look at the history of FEMA declarations, the federal authorities are taking on routine disasters that historically were dealt with by state and local government, with no federal assistance.”

Mayer’s not alone in making the case. Small-government advocates as well as many in the emergency management community have being saying there are systemic flaws in the way FEMA is organized and how disasters are funded. Calls for reform take many shapes. Some say the formula of the Stafford Act, which sets the threshold for federal disasters, needs to be revised. Some point to problems with the National Flood Insurance Program, while others say FEMA is suffocating in the shadow of the Department of Homeland Security.



Thursday, 02 February 2017 15:07

Illinois Lists Flu Cases 'Widespread'

(TNS) - November saw just two cases of flu at HSHS Good Shepherd Hospital in Shelbyville, but in January there were 18 cases. Health experts are preparing for a surge in coming months. The Illinois Department of Public Health lists influenza as "widespread" geographically in the state.

Hospitals, long-term care facilities and others are stepping up their education programs as the virus could begin to travel through the area on the coughs, sneezes and hands of residents.

The basic precautions are standard: Cough or sneeze into an elbow; wash or sanitize hands regularly; stay at home while symptoms persist.



Thursday, 02 February 2017 15:06

The Unicorn Explosion Continues

Last Spring, we predicted that we'd see carnage among tech unicorns, particularly in consumer markets. (How many food service companies and "Uber for X" companies do we really need?) We didn't (nor would we), however, predict when the carnage would come.

(Timing markets has never been in my golden gut; anticipating technology relevance is. Watches and body cameras, for example, will never be mainstream, nor will drones or curved TVs. Ping me and I'll explain why. Or do this cosmo quiz to make your own prediction for consumer technology.)

As reported (and powerfully visualized by CB Insights), Unicorns are crowding the market. Look at the density of Unicorn logos starting in February 2014, three short years ago. It's astounding. Why this proliferation? Why now? Why so dramatic?



ERP cloud offerings are growing in demand because they enable companies to reduce upfront development costs, scale systems up and down easily and speed up deployment times. Unlike traditional ERP systems, which are installed on dedicated servers located on a company’s premises, cloud-based ERP systems are installed on third-party servers and software and accessed via the Internet. While businesses can run their ERP in public Software-as-a-Service (SaaS) models or as private self-managed ERP cloud installations, we are seeing an increasing trend toward a hybrid cloud computing model where core ERP processes are being deployed in the cloud while some best-of-breed solutions are still hosted on-premise in the company data center.

Companies are faced with the challenge of deciding which ERP cloud computing model gives them the right balance between agility and control, and then managing all the ERP data in a consistent and efficient way while having the flexibility to evolve with rapidly changing business needs.



You often hear phrases like “return on investment” (ROI) or “value proposition” when groups or organizations attempt to demonstrate the value of a particular activity. “Is it good for us?” “Is it worth the investment?” and “Should we continue to fund the endeavor?” are all valid and important questions.

The challenge, then, for business continuity professionals is to deeply ask the question, “What is the ROI of business continuity?” In the “olden days,” colleagues would point to their business impact analysis (BIA), with pie charts and bar graphs showing the cost of business downtime. They’d sit back and say, “See? We provide ROI!” Not so fast… Is that really the best that continuity professionals can do?

This talk peels back the question of ROI and attempts to answer the value proposition question of business continuity. The goal is to broaden the conversation. Instead of talking about how much money business continuity efforts will save the company, we will focus on why the Bad Thing happened. By clearly understanding the whys of business continuity, you can make your organization more resilient and truly demonstrate value.



Wednesday, 01 February 2017 15:44

Common Business Continuity Disasters

We should always be performing risk analysis, even if it is ad hoc or a thought exercise. As the new year is now well underway, we have forgotten about our New Year’s resolutions, and are back into projects and issues. As you begin the review of risks and plan updates, with what type of events should you be concerned?  In a recent blog, we talked about a couple of events that demonstrated our potential lack of functional recovery. This week, we will expand that list to include many of the business continuity disasters that we have see in the last few years.



Wednesday, 01 February 2017 15:43

How to Stop Ransomware

The internet is fraught with peril these days, but nothing strikes more fear into the hearts of users and IT security pros than the prospect of ransomware. Here, then, is a comprehensive look at ransomware, both how to prevent it and what to do if you become one of its unfortunate victims.

What is ransomware?

The ransomware concept is relatively simple: Malware is installed covertly on a system, after which it executes a cryptovirology attack that silently encrypts valuable files on the system. It may also spread around a corporate network, infecting servers and other endpoints that it finds. It then demands that a ransom be paid promptly, usually in Bitcoins, to access the key needed to decrypt the files. Often the ransom price goes up after an initial period (usually 72 hours), and there is no guarantee that the key will be supplied if the ransom is paid.

Ransomware often frequently contains extraction capabilities that can steal critical information like user names and password, so stopping ransomware is serious business.

You'll know you've become a ransomware victim if your desktop has been taken over by a message like this:


"!!! IMPORTANT INFORMATION !!!  All of your files are encrypted with RSA-2048 and AES-128 ciphers."



Emergencies Aren’t The Time to Plan

We don’t often think of emergency response until there is an actual emergency which is the absolute worst time to figure it out. When you’re in a crisis, you and your co-workers are less likely to think as clearly as when you aren’t. An emergency “plan” is just that, a plan. It’s your guide to getting you and your employees out of harm’s way and keep the business up and running as best as possible. The more steps you can remove from the process through automation, the better off everyone will be.

While many organizations say they have an emergency procedure  in place, there are a few problems with many plans:



Wednesday, 01 February 2017 15:32

Ransomware: Is Cyber Insurance On Your Radar?

Hotel guests locked out of their rooms at a four-star hotel in the Austrian Alps? Washington DC’s CCTV system disrupted days before Donald Trump’s inauguration? Libraries in St Louis brought to a standstill? Eight years of digital evidence lost by a Texas police department?

Ransomware is not just grabbing headlines, it’s now the favorite method of cyberattack used against businesses, particularly in North America and Europe, according to this Malwarebytes report.

In the fourth quarter of 2016 alone, Malawarebytes catalogued nearly 400 variants of ransomware, and 81 percent of ransomware detected in corporate environments occurred in North America.



The Business Continuity Institute

This news item contains embedded media. Open the news item in your browser to see the content.

Have you watched (or even been forced to watch) a business continuity management (BCM) video? Perhaps it was during your training, or as the business continuity manager when you tried to convince the organization to invest in BC capabilities?

Whatever the reason was, the question is, just how much did it actually inspire you, let alone those we needed to convince? Did it change perceptions of BC as an excellent valuable capability, would it inspire others to want to have it? Was it made for all types of businesses? Inclusive or exclusive?

The chances are, it was one of those videos which have become so typically synonymous with the profession. An expensive looking film, staged in a corporate world with lots of glass, suits, ties and a presenter that speaks in an ultra serious, monotone fashion. I don't blame the actors of course, they're just being directed to play the part.

BCM is not dull, but our methods of showcasing it can be

I have just checked the calendar and it really is 2017! Yet today, we still pin our hopes on the same format of media to 'sell' BCM to new professionals and organizations. We appear to want to stay with tradition - the corporate world of 'entertainment' - which only serves to entertain the corporate markets. Perhaps because such videos are generally commissioned by the corporate resilience providers, who are attracted only to that type of market. Bigger fish to fry, so to speak.

But I am a realist; a relator who empathizes with all businesses, regardless of their size and complexity. We want to take BCM to all businesses, make them understand, relate to and want business resilience. Of course, 100% BCM is a serious, strong and resilient (excuse the pun) subject, but in order for it to reach and appeal to a much wider audience, my intuition tells me we need to be more 'today,' to make it happen.

Yesterday has gone, so embrace today

We need to make and utilise, great content that has more 'life' about it, because resilience is about life. We need to document more personality, character and realism if our content is to resonate fully with all people and their businesses, especially those who may want and need some form of BCM.

The connection between business and personal resilience is so underestimated

I love music and I love BCM

I love spinning, walking, sport, eating chocolate and ironing! But I am not boring. I have a personality, and so too do the people in the BC profession. So let's look to, and use, our strengths and opportunities, rather than our inherent weaknesses and threats, and show the world that BCM is not boring!

Focus on our strengths and opportunities, not our traditional weaknesses and threats

2017 really can be an amazing year for business resilience if we really want to make it happen. But our actions have to match our ambitions. Actions speak louder than words!

My instinct says that if I can go and do this 60 second clip below, just by using my iPhone without looking like a standard BCM video, then surely we, as a profession, who annually bestow 'personality of the year' awards, can actually go and show a bit more personality and character (actions that match our ambitions), and make it happen like it's 2017!

Inspire others to want to know what BCM is

We are embracing 'today' to entertain, educate and engage with people in relation to business resilience. We want to document our journey and make resilience more mainstream and accessible for all businesses and we have changed our approach.

Make it happen, make it real.

Paul Kudray AMBCI is a Fellow of the EPC and a Fellow of the Institute of Civil Protection and Emergency Management. In addition, he is a Lead Auditor of ISO 22301 for Business Continuity Management Systems (BCMS). Paul has over 35 years’ experience of Emergency Management and BCM. In 2014 he founded his own consultancy and now works with clients across the world. He is an excellent forward thinking resilience innovator and blogger.

A recent survey of 1,100 senior IT security executives at large enterprises worldwide found that 26 percent of respondents experienced a breach in the past year, and 30 percent classified their organizations as "very vulnerable" or "extremely vulnerable" to cyber attacks.

The 2017 Thales Data Threat Report also found that 73 percent of respondents increased IT security spending in 2017. The top two spending priorities are network protection (62 percent) and endpoint protection (56 percent), while spending on data-at-rest solutions comes last at 46 percent.

"Organizations keep spending on the same solutions that worked for them in the past but aren't necessarily the most effective at stopping modern breaches," 451 Research senior analyst and report author Garrett Bekker said in a statement. "Data protection tactics need to evolve to match today's threats. It stands to reason that if security strategies aren't equally as dynamic in this fast-changing threat environment, the rate of breaches will continue to increase."



BATON ROUGE, La. — Following Louisiana’s August flood, more than 625,000 people have received information to help their recovery as a result of collaboration between nearly 300 private sector entities and FEMA.

The private sector is essential to move recovery forward because of its ability to connect with communities efficiently to provide helpful recovery information. Louisiana private entities that have helped survivors after the August flood included businesses, chambers of commerce, business and trade associations, universities, nonprofits and utility companies.

During the recovery missions for both the March and August Louisiana floods, the Director of Operations of the LA Business Emergency Operation Center (LA BEOC) embedded with FEMA’s Private Sector Division at the Joint Field Office. The collaborative effort of this endeavor enabled rapid and efficient coordination with local and state partners in resolving issues and trends affecting the private sector.

Below are examples of private entities helping Louisiana recovery following the August floods: 

  • Home improvement stores hosted FEMA mitigation specialists at 31 locations. They provided information on how to repair and rebuild safer, stronger and smarter to more than 31,600 homeowners and independent contractors. Stores included 84 Lumber, Albertsons, Home Depot, Lowe’s, Price Building, Stine Lumber, Sullivan’s Hardware and Wal-Mart.
  • Companies displayed messages on digital billboards in affected communities to encourage survivors to register for FEMA assistance. Electronic messages are delivered quickly and seen by thousands of people who may need help. Examples included the Outdoor Advertising Association of America’s 10 digital billboards and Walgreen’s digital reader boards at 62 store locations.
  • Utility companies added FEMA help information on 79,650 bill statements for City of Rayne, Jeff Davis Electric Co-Op, Jeff Davis Water District, Lafayette Utilities System, South Rayne Water Corp., and Wards Three Avoyelles Water customers.
  • The Louisiana Emergency Preparedness Association hosted the first Louisiana Affordable Housing Solutions Expo at the Celtic Media Centre. Other expo sponsors included, the Governor’s Office of Homeland Security and Emergency Preparedness, the Louisiana Business Emergency Operation Center, and the Louisiana Housing Corporation.

To learn more about FEMA’s Private Sector Division initiatives, visit www.fema.gov/private-sector.

In today's world, customers decide how customer-centric a company is. Good customer service should capture the fundamentals of a great experience: ease, effectiveness, and emotion

Looking ahead, Forrester sees 10 trends for 2017 that customer service professionals should take into account as they move the needle on the quality of service that they deliver: Here are six of them:

Customer service organizations address a smaller volume of simple voice-based customer contacts as they mature their self-service, automated engagement, and digital operations.



Tuesday, 31 January 2017 17:04

Going Beyond IT Security to Cybersecurity

Does your MSP offer IT security, or does it truly provide cybersecurity services?

Often seen as a difference without distinction, one cybersecurity expert argues that the approaches to security need to be looked upon as separate concepts.


A well-known IT security solution vendor recently published a white paper about planning for business continuity, and listed typewriters as examples of equipment that should be safeguarded to prevent interruptions to an enterprise’s activities.

You remember, typewriters were those stone age machines that recorded text directly onto paper.

So, who on earth would use a typewriter today, given the choice of PCs, tablets, and other vastly more intelligent devices? It turns out, however, that there are at least two good reasons for a business continuity manager to keep the typewriter in mind, when making BC plans for the organisation.

The first reason is that some business or professional people and organisations still use them. “The Transcription People” company cites the US police department, funeral homes in some American states, and prisons in the US as still using typewriters.



Towards the end of last year, Forrester published four tightly connected Wave evaluations. These assessed the 18 most significant providers of public cloud platforms, looking globally, in Australia and New Zealand, in Europe, and in China. Now we’ve published a fifth document, which digs into the trends we observe across all four regions. More on that in a moment.

Almost a year ago, I was in Forrester’s San Francisco office. It was my first visit to that office, and I was still learning how Forrester works. During the visit, John Rymer invited me to contribute to a Forrester Wave with a difference. Instead of producing one Wave for the whole market, John argued, we should do several. They would share a premise, they would share a methodology, and they would share almost all of the same questions and scores. But… they would reflect real — and very different — requirements on the ground in various geographies around the world.

Cue terror. Waves, I had been led to believe, were big, scary, important things. Waves, I had assumed, were hard enough without complicating things further.



Tuesday, 31 January 2017 17:00

Tales from the Ransomware Wars

Ransomware is becoming a part of everyday life. This is illustrated by startling examples of the insidious malware that have occurred in just the past few weeks.

Ransomware occurs when a user executes malware that locks up his or her device. The malware gets into the machine either because the user is tricked into doing so or via a contaminated download. The ransom generally is paid by bitcoins.


The Washington Post reports that 123 of the 187 network video recorders that are part of the Washington, DC, police department’s closed circuit video service were offline between January 12 and January 15. Each of these devices stores video shot by as many as four cameras. Donald Trump was inaugurated on January 20, which points to the potential danger the attack represented.



Take a moment to think about your security budget. Has it increased over the past few years? If it has, has your security system done a better job at preventing or mitigating potential threats? Or does it feel like you are tossing money into a giant pit because no matter what you do or how much you spend, you just can’t get a good handle on cybersecurity protection?

The 2017 Thales Data Threat Report, conducted in conjunction with 451 Research, found that 73 percent of organizations increased their cybersecurity spending this year. Perhaps that’s not too surprising, since 68 percent said they experienced a breach. So it seems that while they are spending money on security, organizations continue to struggle with stopping incidents.

The reasons why and where companies spend their security budgets are as varied as the organizations themselves, the report found. However, they do share a common denominator: compliance. Nearly half (44 percent) said they focus their spending on compliance issues, while best practices and brand reputation follow close behind. But this could backfire, as Andy Kicklighter pointed out in a blog post about the Thales report, stating that too much focus on compliance in security spending is one of the reasons that many organizations are seeing a disconnect between security spending and the prevention of security incidents, adding:



Tuesday, 31 January 2017 16:58

A Refocus on Disaster Recovery

The script seems distressingly familiar: A disaster — a hurricane, a flood, a tornado, an earthquake — causes billions of dollars in damage. After arguments about fairness and federal responsibility, the federal government comes up with money to help the affected communities recover.

“When huge amounts of infrastructure get wrecked, the only place that can pay for it is the feds — but increasingly, the feds are swamped,” said Claire Rubin, an independent researcher and consultant with a focus on emergency management.

The cycle is not sustainable.



It’s Chinese New Year and a concern is circulating amongst the global health community. After an increase in the number of H7N9 bird flu deaths in China, WHO has warned all countries to watch for outbreaks in poultry flocks and to promptly report any human cases.

Several strains of avian flu (bird flu) are spreading in Europe and Asia this winter, but the most worrisome at present is an H7N9 strain that has circulated in China every winter since 2013. China has reported over 225 human cases since September – a higher than normal number. As the Lunar New Year vacation, has begun, live poultry shipments have increased, and holiday travelers often spread the flu.

WHO announced last week that China had had more than 1,000 cases of H7N9 bird flu in the last four years and 39 percent of those cases were fatal.



The Business Continuity Institute

Organizations need to do more work to ensure compliance with the European Union's General Data Protection Regulations (GDPR) which are due to come into force in May 2018. While organizations are largely aware of their upcoming obligations, levels of maturity to meet the new standards are still low. Overall organizations are only complaint with less than 40% of the principles laid out in the GDPR.

DLA Piper's Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, compared to the average of around 37%. Healthcare and manufacturing were at the bottom end of the scale with 34% and 35% compliance.

Data breaches are already the second greatest concern for business continuity professionals according to the latest Horizon Scan Report published by the Business Continuity Institute. Unless organizations become compliant by the time GDPR comes into force then a breach could become even more disruptive to organizations.

Patrick Van Eecke, Partner and Global Co-Chair of DLA Piper's Data Protection practice, said: "The responses show that many organizations still have work to do on their data protection procedures. Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.

"With more and more organizations putting data at centre stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations."

Jim Halpert, the US Co-Chair of DLA Piper's Global Data Protection practice, said: "As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time step up compliance efforts is this year, not next.

The GDPR will apply to processing carried out by organizations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Organizations failing to comply with the GDPR after its implementation in May 2018 could face fines as high as 4% of global annual turnover.

Companies are increasingly turning to emerging markets for new growth opportunities as developed markets become saturated. When we hear the term emerging markets, we typically think of the BRIC countries – Brazil, Russia, India and China – but other countries, such as South Korea, Mexico, Indonesia, Turkey, Saudi Arabia and Iran may also qualify. The economies in these countries are growing, but are not yet as large, liquid or accessible as those in more mature markets.

Although emerging markets present the potential of high reward, it comes with a high risk of corruption. Emerging markets may be particularly risky due to a variety of factors: high levels of government interaction for companies wishing to do business there (e.g., licenses), lack of government transparency, poor civil rights records or failure to enforce anti-bribery laws. For example, Brazil presents a higher risk of corruption because of a high level of government interaction, while China has a higher risk due to considerations such as poor government transparency and restricted freedom of the press.

This means a company planning to do business in an emerging market should do its homework before beginning operations in order to identify and then mitigate areas of risk. The company should strive to understand not only the legal framework, but also the culture of the country. A country’s laws can contribute to an increased risk of bribery, for example, by requiring use of a local agent to bid on projects, but language and cultural differences can also present barriers. Policies and training should be translated into the local language so that local employees and third parties are able to understand the content. In addition, these materials may also need to be localized. For example, the commonly used due diligence term “red flag” won’t resonate in China, where it has a totally different connotation. It is also important to know whether the company’s policies banning certain actions are contrary to engrained local customs so that appropriate compliance measures can be directed at those touch points. Once a company has identified the bribery risk in a particular emerging market, it will be able to take actions tailored to mitigate that risk.



For the most part, the BCM industry states that reviews of Business Impact Analysis (BIA) findings and results are to be done on an annual basis; however, I propose that this thinking change.  It is difficult of companies of all sizes and industries, to set aside time every year to review BIA’s, let along set time and resources aside to participate in various BCM tests and plans & process reviews.  It takes allot out of a departments schedule, where they need to focus on other initiatives.

As I wrote in “BIA Organization Integration”, if an organization has been successful in integrating the BIA into existing company procedures, especially when it comes to changes and impact identified through Program and Project Management practices, then the annual BIA review might be a thing of the past.

As projects and programs are identified and now that the BIA is incorporated into business practices, then the BIA is proactively identifying potential changes and impacts to BCM plans and processes on an on-going basis, rather than at a single point of time; the scheduled annual review.  These project reviews and updated may be done on multiple occasions throughout the year because there are multiple projects in various phases of the project management life cycle.  This means a greater level of review and input to the BCM program, not the usual once a year.



The latest research on the enterprise storage industry has it pretty much on the same track that has been laid out over the past few years: increased cloud consumption, growing Flash deployment at the expense of magnetic media, and the steady decline of large, distributed arrays.

But a quick peek under the headlines suggests that the evolution of storage may not be as cut and dried as many experts think – that perhaps even today’s disruptive technologies may themselves become disrupted by the end of the decade.

Some of the latest numbers on the storage industry come from India’s Markets Report World, which has the sector growing by 15.87 percent annually between now and 2020. The key drivers are familiar by now: increased demand for cloud-based resources, rising concerns over data availability and security, and demand for higher performance and more streamlined architectures through increasingly software-defined solutions. This largely jibes with assessments from IDC, Gartner and other research houses, as well as leading storage vendors like EMC-Dell and HPE.



What’s The Big Deal?

Employee engagement. This term has been popping up everywhere for quite a while, yet organizations are still struggling to define it, execute it, and measure it. Here are some of the stats we keep seeing:

  • 70% of U.S. workers are not engaged at work
  • 60% of millennials are open to a different job opportunity
  • Disengaged employees are estimated to cost the U.S. up to $550 billion



A total of 4,149 reported data breaches last year exposed more than 4.2 billion records, according to Risk Based Security's 2016 Data Breach QuickView Report.

Ninety-four of those breaches exposed one million or more records each.

"While the number of data breaches actually remained relatively flat from last year, the big story coming out of 2016 is obviously the massive increase in the number of records exposed," Risk Based Security executive vice president Inga Goddijn said in a statement.



Monday, 30 January 2017 15:59

Disaster Planning

Preparing for a disaster means starting earlier than when you see the flood water creeping up your street or see smoke in the distance. You need to have certain steps accomplished before the first raindrop even lands on your roof. With experience in restoring homes and businesses after a disaster, most restoration companies can also help in planning for one as well. No matter if it is a flood or tornado that hits your home, a professional disaster recovery company can get you ready.

Know What You Are Going To Face

Living in a floodplain means having a very different disaster plan than residing near an earthquake fault. If you have a home near a forested area, then a plan to deal with a wildfire is something you need to have at hand.



The Business Continuity Institute

Over the past few years, the scale of distributed denial of service (DDoS) attacks has become steadily larger, and defences have grown commensurately. Cyber security has become a game of cat and mouse in which neither side has become too powerful, but this might be about to change. Deloitte predicts that in 2017, DDoS attacks will become larger in scale, harder to mitigate and more frequent.

The Technology, Media and Telecommunications Predictions Report indicated that there is expected to be on a average a 1 TBps attack every month during the year, over ten million attacks in total and an average attack size of between 1.25 and 1.5 GBps of junk data being sent. The report also noted that an unmitigated 1 GBps attack would be sufficient to take many organizations offline. As a point of reference, the largest attacks in 2013-2015 were respectively 300, 400 and 500 GBps, while 2016 witnessed the first two 1 TBps attacks.

The anticipated escalation in the DDoS threat is primarily down to three concurrent trends. There is an increasing number of Internet of Things devices that are usually easier to incorporate into botnets than better protected PCs, tablets and smartphones. There is an increasing availability of malware technologies that allow relatively unskilled attackers to launch attacks. Finally the availability of even higher bandwidth speeds means that each compromised botnet can now send a lot more junk data than ever before.

With websites being of such vital importance to many organizations, losing that website, even for a short period of time, can be severely damaging and could result in lost business. It is perhaps no surprise that business continuity professionals consider cyber attack to be their number one concern according to the latest Horizon Scan Report published by the Business Continuity Institute.

Phill Everson, Deloitte UK’s head of cyber risk services, said: “A distributed denial of service (DDoS) attack aims to make a website or connected device inaccessible. DDoS attacks are the equivalent of hundreds of thousands of fake customers converging on a traditional shop at the same time. The shop struggles to identify genuine customers and quickly becomes overwhelmed. The consequence could see an online commerce site temporarily unable to transact, or a government site not able to process tax returns, for example.

Businesses of all sizes should acknowledge the growing DDoS threat and consider how best to handle attacks of these magnitudes.

Just after a few months since the European Parliament approved the final version of the new General Data Protection Regulation (GDPR), the European Commission is working on updating yet another set of privacy rules. The European Commission published a new text  that, when approved, will replace the current ePrivacy Directive: the EU law that ensures confidentiality of communication and the protection of personal data in the electronic communications sector.

While the Commission plans to complete the reform process quickly enough to allow the new law to come into force in May 2018 together with the GDPR, the road ahead is long and tortuous. In fact, both the EU Councils of Ministers and the EU Parliament must agree and approve the final text.

While EU policy makers aspire to finalize a new version of the ePrivacy Directive that goes hand-in-hand with the GDPR, it’s a task for all companies to update their processes, technology, workforce's expertise, and oversight mechaninsms to comply with both sets of rules. To meet compliance requirements consistently and without redundancies, it’s crucial that firms understand what’s changing and how ahead of time. According to the proposed text, the new ePrivacy law will:



Friday, 27 January 2017 15:34

Getting on Board with Privacy

The spate of unprecedented cases of accounting fraud at the turn of the century left heads of industry like Enron, Tyco International and WorldCom egg-faced and Congress in reckoning.  These last-straw scandals shed light on the inadequacies of the regulatory framework of the time and how members of the American corporate landscape were uncommitted to its obligations.  In reaction, Congress took a firmer hand on financial reporting and bore Sarbanes-Oxley (SOX) in 2002 to intensify disclosure requirements.  Of the many new SOX mandates, financial experts were required to be members of audit committees and participate in board decisions, given that the investigations of the aforementioned scandals showed that board members were not exercising their responsibilities and did not have the expertise to understand the complexities of their own businesses.

More than 14 years later, professionals in the privacy sphere are starting to develop similar sentiments about the lack of privacy expertise at the top of most businesses.  With the scarily increasing numbers of data breaches and records being exposed, combined with a backdrop of general mistrust by the public, it really seems to be time to bring privacy experts to the board table.

The cybersecurity and privacy landscape is intricate.  Organizations are being attacked on all sides, both externally and internally, resulting in historic amounts of personal data being mishandled.  The latest Identity Theft Resource Center Breach report for the United States shows that there was a total of 269 breached organizations with over 11 million records exposed in 2016 (and this number could be much larger, as many organizations do not reveal breach details and numbers).  The endemic nature of data loss and privacy exposure demands subject matter expertise to navigate the threats of our time. It would be grossly imperceptive to see privacy as simply having a privacy policy on your corporate website or an opt-in/opt-out check box next to a marketing request. Privacy has a wide reach.  It not only impacts your customers, it also affects your employees, vendors, partners and your overall contribution to upholding the fundamental rights of individuals. And ensuring an organization is privacy conscious takes top-down investment and education.



When computers ran on punched cards and information was stored and communicated using paper, suspicious individuals could sometimes be seen loitering close to the large rubbish bins or dumpsters used for corporate refuse.

The idea was to fish discarded documents out of the bin to glean information useful for hacking the enterprise that had thrown them out.

Even if documents considered as highly confidential might have been shredded, company phone books, business correspondence, and similar items might still be found intact. Today’s equivalent to the dumpster may be the data lake. If so, what should you do about it?



BLOOMINGTON, Minn. – As the FEMA registration deadline of Jan. 30 nears, Minnesotans affected by the September 2016 severe storms and flooding who have not registered for FEMA assistance need to call 800-621-3362 or register online at disasterassistance.gov.

Residents of Blue Earth, Freeborn, Hennepin, Le Sueur, Rice, Steele and Waseca counties who suffered damage during the September storms may be eligible for assistance but must register by the deadline.

Recovering from a disaster can be overwhelming. FEMA assistance is only one part of recovery efforts. Voluntary agencies, state and local officials, federal agencies and non-profit organizations all are instrumental in ensuring a community fully recovers.

Long-term recovery committees play an important role working with residents to solve their issues, concerns and needs. Lutheran Social Service of Minnesota is currently working in Waseca and Freeborn Counties to assist residents impacted by the flood get connected to long-term recovery committees. If you live in Waseca County, please call 507-308-4336. If you live in Freeborn County, please call 507-473-2718. If you need assistance with long-term recovery outside of those two counties, please call Lutheran Social Service of Minnesota at 651-969-2313.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

It seems like we are constantly talking about data breaches, but as a couple of recent studies show, we may be under-reporting their frequency and severity. The 2016 Data Breach Trends report released by Risk Based Security said 4,149 breaches were reported, compromising more than 4 billion records. That’s 3 billion more than exposed in 2013, the highest total before last year (and higher even than the so-called Year of the Data Breach in 2014).

Also, a study conducted by the Identity Theft Resource Center (ITRC) and CyberScout found that there were 1,093 reported breaches in the United States last year, another all-time high. However, according to eSecurity Planet, there may be a reason for these high breach numbers:

ITRC president and CEO Eva Velasquez said it's not clear whether the increase is due an actual surge in breaches or simply due to more states making the information available.



Each year at the end of summer, several members of Forrester’s Security & Risk research team look back at publicly reported breach events and data privacy violations of the previous 12 months to spot trends and identify cases to feature where we feel there are lessons learned for S&R pros. In 2016, this was a joint effort alongside my colleague Fatemeh Khatibloo from Forrester’s Customer Insights research team. Leading up to Data Privacy Day, I’d like to share some lessons learned from one of the five key trends we saw in our 2016 analysis.

The intersection of privacy and customer experience reminds us of the importance of collecting and managing consent, whether that involves collecting data to personalize an experience or marketing or another initiative we aim to pursue. We saw notable examples (Verizon Wireless! InMobi!) of how FCC and FTC actions in 2015 and 2016 converged on issues of consumer privacy and consent. In both cases, firms used tracking information to deliver targeted ads.



Imagine if you will a 48 hour DDoS attack at your organization.  How would you cope? How would you continue your business and service your customers? Ask Lloyds bank!

Lloyds Banking Group suffered 48-hour online attack this month as cybercriminals attempted to block access to 20m UK accounts. The denial of service attack ran for two days from Wednesday 11 January to Friday 13 January, as Lloyds, Halifax and Bank of Scotland were bombarded with millions of fake requests, designed to grind the group’s systems to a halt. Usually in a denial of service (DOS) attack the criminals demand a large ransom, to be paid in bitcoins, to end the onslaught.

However, no accounts were hacked or compromised during the attack, and Lloyds did not pay a ransom.



Thursday, 26 January 2017 17:30

Secrets revealed: implementing an EMNS

Turn on CNN, pick up a newspaper, or spend anything more than two minutes on the Internet and you’ll see—there’s not a day that goes by without some kind of threat to business as usual.

Severe weather events. Terrorist activity. Wildfires, earthquakes, and other natural disasters. Cybercrime. Power outages and widespread blackouts. School or workplace violence.

Most of these events arrive without warning. Even those you can plan for can be devastating, and their effects can be widespread.



Thursday, 26 January 2017 17:29

The Making of a Profession

Looking back 20 years, there were fewer people with emergency management titles and less clearly defined emergency management organizational structures. There were also fewer certification and training programs for emergency managers.

The profession has evolved along with people’s understanding that crisis management and the need to prepare for disasters is critical, said California Office of Emergency Services Director Mark Ghilarducci. The public, elected officials and private-sector CEOs started to grasp that it was a necessity to understand what risks exist and the challenges a region could face and develop a plan to move forward, he added.

Events such as the 9/11 attacks and Hurricane Katrina served as exclamation points. “Here in California, we recognized it long before the rest of the nation,” Ghilarducci stressed. “We had the Loma Prieta earthquake, the L.A. riots and the Oakland Hills fire — all catastrophic events that forced us to build a standardized emergency management infrastructure that talked about standards and resource coordination.” To get legislation passed and get the capability put in place, legislators and others had to have a good understanding of how important emergency management was, he said.



We spend time preparing for major data center or facility outages. We perform a risk analysis and write plans; we put in technologies to keep the business running and perform various tests. We report that we are ready. We feel confident our business can continue to run. But much of that could be considered what I call “Resiliency Theater” – because those activities do not prevent or address the most common or most probable events that may impact the organization.

Two very recent events demonstrate the concept of Resiliency Theater quite effectively.



(TNS) - Threats to the United States are sometimes made in people’s bathtubs or basements, according to members of the FBI who were in town Tuesday to educate the region’s emergency responders about how to identify potential dangers.

“The training assists first responders to identify hazards they may find during their usual duties,” Capt. Alexander Wild, medical operations officer for the 11th Weapons of Mass Destruction Civil Support Team in Waterville, said during a break in the two-day training at Eastern Maine Community College.

Areas of focus include “biological threats, explosive and toxic chemicals, drug lab identification, the emerging threat of agri-terrorism and lessons learned from the Boston bombing,” said Susan Faloon, spokeswoman for the Maine Emergency Management Agency, which hosted the event with the Maine Guard.



We included 11 vendors in the CRM Forrester Wave™ for midsize organizations. These 11 vendors reported a total of about 200,000 midsize customers. Compared to CRM vendors tackling the enterprise space, these vendors typically offer more streamlined - and sometimes simpler - capabilities. We saw some similar - and some strikingly different trends in this market segment. Midmarket customer demand:

  • Great user experiences that are affordable. These two factors are paramount for midsize organizations who don’t have large budgets, yet require the power of CRM. CRM must also be simple: simple to learn, simple use, simple to configure.
  • Single platform. Midsize organizations do not have the breadth and depth of IT and administrator resources that enterprise organizations have. They expect unified business and administrator tooling for their CRM. 
  • Cloud CRM. Midmarket organizations demand cloud as their primary deployment model. We expect that newer cloud solutions will replace most on-premises installations in the next five years.
  • Prescriptive advice over raw analytics. Midsize organizations manage large volumes of data. CRM users - whether in sales, marketing or customer service - all struggle to take the right next best step for the customer - for example to pinpoint optimal offers, discount levels, product bundles, and next conversation for better customer outcomes. Midsize organizations are increasingly using prepackaged analytics within CRM to prescribe advice in the flow of their work. 
  • Vertical editions. Midsize organizations demand vertical CRM editions with industry-best practices baked into them. They want industry specific templates, common process flows, data model extensions, and UI labels. Vendors are responding. In our Wave, we found that all vendors either offer a broad range of vertical solutions or have invested in deep domain expertise and a vertical go-to-market approach.
  • Packaged front- and back-office integration. Midsize organizations demand pre-integrated front- and back-office solutions from a single vendor to help with time-to-value and help manage the 360 degree view of the customer.

Have a look at the full CRM Suites For Midmarket Organizations, Q4, 2016 for more information about our research and analysis of midmarket CRM vendors. 


Thursday, 26 January 2017 17:25

Devastation Lies in the Wake of Sunday Tornado

(TNS) - Search and rescue workers continued the grisly task Monday of searching for victims of a deadly tornado that struck east Albany, Ga.,Sunday, leaving at least four dead and several neighborhoods in shambles.

Dougherty County Coroner Michael Fowler released the names of two of the victims late Monday afternoon.

“We have a positive identification of two victims so far that we have released to the funeral home,” Fowler said at a news conference in his office. “Oscar Reyna, 39, was killed in Paradise Village trailer park, and Paul Freeman, 82, lived on Newcomb Road in a brick home. The cause of death for both victims was multiple blunt force traumas because of multiple impact injuries caused by debris and structural collapse.”



Thursday, 26 January 2017 17:22

Understanding FEMA Verified Loss

BATON ROUGE, La. — Applicants without an insurance policy may be eligible for FEMA help to restore a home to a safe, sanitary and secure condition following a disaster.

FEMA assistance is not the same as insurance. Assistance only provides the basic needs for a home to be habitable, including toilets, a roof, critical utilities and doors. Examples of ineligible items may include cabinets and garage doors.

Home damage must be disaster-related. A home inspection is required to calculate the FEMA verified loss. Calculations are based on the general depreciation amount for items of average quality, size and capacity.

Safe, sanitary and secure homes meet the following conditions:

  • The exterior is structurally sound, including the doors, roof and windows.
  • The interior’s habitable areas are structurally sound, including the ceiling and floors.
  • The electricity, gas, heat, plumbing, and sewer and septic systems function properly.
  • The home is capable of operating for its intended purpose.

Safe, Sanitary and Secure Examples

Appliances: FEMA may assist in the replacement or repairs to disaster-damaged furnaces and hot waters heaters. Non-essential items like dish washers and home entertainment equipment will not be covered.

Ceiling and Roof damage: FEMA may assist to repair disaster-related leaks in a roof that damage ceilings and threaten electrical components, like overhead lights, but not stains from roof leaks.

Floors: FEMA may assist to repair a disaster-damaged subfloor in occupied parts of the home but not floor covering like tile or carpet.

Windows: FEMA may assist with disaster-related broken windows but not blinds and drapes.

FEMA verified loss calculations vary because every applicant’s situation is different. Expenses for repairs that exceed the conditions to make a home safe, sanitary and secure are ineligible.

Flood insurance coverage is more extensive. Policyholders may receive up to $250,000 for home damage and $100,000 for contents depending on the type and amount of coverage they bought. National Flood Insurance Program (NFIP) payments are not dependent on state or federal disaster declarations. The average annual cost of flood insurance is about $700.

Visit www.floodsmart.gov to learn more about any property’s flood risk, estimate an NFIP premium or locate an insurance agent who sells flood insurance.

For questions regarding FEMA verified loss please call 800-621-FEMA (3362).

We think of tornadoes as a spring and summer phenomena but all it takes is instability…weather instability that is and that is what winter tornadoes are all about.

Tornadoes form in unusually violent thunderstorms when there is sufficient (1) instability and (2) wind shear present in the lower atmosphere. Instability refers to unusually warm and humid conditions in the lower atmosphere, and possibly cooler than usual conditions in the upper atmosphere.

This past week, a massive storm system spawned dozens of tornadoes and caused extensive damage across a swath of the southern United States, from Texas to Florida. At least 19 deaths have been blamed on the storms so far, as emergency crews and first responders are still searching through wreckage for survivors.



According to a new report from the Identity Theft Resource Center (ITRC) and CyberScout, 2016 saw an all-time high of 1,093 reported data breaches, a 40 percent increase over the previous year's total of 780.

ITRC president and CEO Eva Velasquez said it's not clear whether the increase is due an actual surge in breaches or simply due to more states making the information available.

"For the 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available," Velasquez said in a statement. "This year we have seen a number of states take this step by making data breach notifications public on their websites."



It’s increasingly challenging for marketers to earn loyalty as empowered consumers become entitled customers with more options than ever before. My latest report, Case Study: Max Factor China Rejuvenates Customers’ Loyalty With Social CRM, tells marketers how to leverage social CRM to define an effective loyalty strategy that spans the entire customer life cycle, across channels.

The US cosmetics brand Max Factor has been growing its business steadily since it entered the Chinese market in 2009. However, Max Factor has faced growing challenges in recent years:



Investors and financial institutions like to correlate business continuity risk with business continuity reward. If risk is greater in an investment, then the potential reward should be greater too.

Stock market investments are perceived to be riskier than bond investments, but are expected to give higher returns. However, some riskier investments are capped in their potential for reward, offering no more than less risky investments.

Similarly, spending more money to protect the business continuity of an organisation does not automatically guarantee a reduction in the level of risk. So why would organisations persist in thinking otherwise?



ATLANTA – The Federal Emergency Management Agency’s regional office in Atlanta, Georgia has activated its Regional Response Coordination Center to monitor the ongoing threat of severe weather, and gather damage reports from earlier storms in Mississippi, Alabama and Georgia. This center is open around the clock to maintain close coordination with state and tribal officials across the southeast. FEMA also has Liaison Officers at State Emergency Operations Centers in Alabama, Mississippi, Georgia, and Florida to provide support if requested. Additional teams are on alert for possible deployment if needed.

The National Weather Service Storm Prediction Center is reporting a high risk for severe thunderstorm and tornado outbreaks today across northern Florida and southern Georgia, with the significant severe threat expected to extend southward into central Florida and northeastward into South Carolina this evening.

According to the SPC, this is only the third High Risk threat, and the first in January, issued since 2000 that includes the state of Florida, and the first High Risk threat issued anywhere in the United States since April 28, 2014.

There is a threat for strong, long-tracked tornadoes across portions of south Georgia and north Florida. Large hail and damaging winds up to 75mph are possible as these storms move through.

FEMA urges residents to monitor weather conditions and follow the directions of their state, tribal, and local officials, and to download the FEMA mobile app. The app provides weather alerts, and safety tips, in English and in Spanish. Individuals can also use the app to customize a checklist of emergency supplies and weather alerts from the National Weather Service.

Now is the time to prepare for a tornado and plan where you will go if a tornado watch is issued in your community:

  • Storm cellars or basements provide the best protection.

  • If underground shelter is not available, go to an interior room or hallway on the lowest floor of a sturdy building.

  • Put as many walls as possible between you and the outside. Most injuries associated with high winds are from flying debris, so remember to protect your head.

  • Vehicles, trailers and mobile homes are not good locations to ride out a tornado. Plan to go quickly to a building with a strong foundation, if possible.

  • Plan to stay in the shelter location until the danger has passed.

Additional information on tornado preparedness is available at: Ready.gov/tornadoes


FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards.

Download the FEMA mobile app for disaster resources, weather alerts, and safety tips.

Rumors had been flying for some time about SimpliVity needing additional funding, and that HPE had made an offer that was unacceptably low at $650 Million. Clearly, these were more than casually well-informed rumors, since HPE announced on January 17 that it would be acquiring SimpliVity for $650 Million in cash. Was this a fair price? That is hard to say. Since I’m not really an equity analyst, I will spend no more time on this other than to say that it is far short of the kinds of valuations that the industry was expecting. Competitor Nutanix’s current market capitalization is slightly over $4B, which is more than a bit rich for such a company. Despite its high growth rates, it has yet to turn a profit.

But pricing aside, was it a smart move for HPE? Absolutely. It’s , and certainly one that helps shatter the perception that HPE always overpays for its acquisitions, even when they are strategically sound. SimpliVity was essentially tied for first place in our recent Forrester’s recent Wave™ report on Hyperconverged Infrastructure Solutions, coming in substantially stronger than HPE’s own HC380 product.

The fit with HPE for SimpliVity’s solution is impressive because:



There has been ongoing talk since 2002 that high power density data centers would replace low power density data centers. The theory is that a higher density will increase efficiency while reducing energy bills, however, with these benefits also comes the risk of cooling failures. Today, a data center where each cabinet consumes more than 10 kW is considered high power density. The density can also be measured by the amount of energy consumed per square foot, which is why many high power density data centers are built up rather than out. As rack densities continue to grow, data center manufacturers and designers are having to come up with more efficient cooling solutions to offset energy consumption.

The traditional data center design is unable to cool these higher density data centers, which has led to the development of cooling solutions, such as: CRAC units; racks featuring water-chilled, rear-door cooling units; and aisle containment structures. Unfortunately, more often than not, simply expanding an infrastructure and adding CRAC units (large computer room air conditioners), is not enough. Rear-door, cooling units and hot and cold aisle containment structures are the most popular and efficient cooling solutions.

Effective airflow management is a successful solution that prevents a data center from overheating, while also being cost-efficient. A rear-door, cooling unit utilizes liquid cooling technology to exchange hot air for cold air. The rear door holds cold water in a closed loop system, which offsets the heat generated by higher density racks. Basically, it is an air exchanger that requires no fans or moving parts.



(TNS) - A feared second round of severe weather did not appear in Middle Georgia early Sunday, but a watch remains for the afternoon.

Much of the area is under a severe weather watch from 1-6 p.m. Sunday, said Jimmy Williams, emergency management director for Houston County. He said most of the midstate is listed as having a moderate risk of severe weather during that period, including possible tornadoes, while the most southern part of the area has a high risk.

He said there was no weather damage in Houston early Sunday morning and emergency dispatchers in other area counties reported the same.



Data breaches and other information security threats are on the rise, and the cyber security skills gap is widening.

Many organizations, faced with limited in-house resources, are choosing to partner with managed security service providers (MSSPs) to handle all or specific areas of their information security needs.

Hiring an MSSP allows organizations to focus on their core competencies while benefitting from the expertise of skilled security experts who monitor the system around the clock, usually at a lower cost than hiring security analysts in-house.



Monday, 23 January 2017 15:26

Looking for Employment? FEMA is Hiring

SEVIERVILLE, Tenn. — Tennessee residents looking for temporary work following the wildfires in Sevier County have an opportunity to learn firsthand about the recovery process.

Workforce Tennessee, in conjunction with FEMA, is advertising open temporary positions in Sevier County.

Interested applicants can visit the Workforce Tennessee website at jobs4TN.gov. To find the available jobs, fill in the boxes under the section marked “Search for a Job,” being sure to enter your job title for “Keyword,” FEMA for “Employer Name” and Sevierville for “Location.” Leave the ZIP code box blank.

Positions being advertised are:

  • Human Resources Office Clerk
  • Travel Specialist
  • Logistics Specialist
  • Mitigation Office Clerk
  • Public Assistance Project Specialist
  • Photographer

More positions may be posted on the website as disaster recovery continues.

Candidates must be U.S. citizens 18 years of age or older. They must have a valid government identification card such as a driver’s license or military ID. Before hiring, selected candidates will be subject to a complete background investigation.

FEMA is committed to employing a highly qualified workforce that reflects the diversity of our nation. The federal government is an Equal Opportunity Employer. All applicants will receive consideration without regard to race, color, national origin, sex, age, political affiliation, sexual orientation, non-disqualifying physical handicap and any other non-merit factor.

Federal disaster assistance is available to eligible individuals and households who were affected by the Nov. 28 to Dec. 9 wildfires in Sevier County.

For updates on Tennessee’s wildfire response and recovery, follow @FEMARegion4 on Twitter and visit TNEMA.org/, MountainTough.org/ and fema.gov/disaster/4293.

# # #

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

The Business Continuity Institute

Far too many of the United Kingdom’s small and medium-sized enterprises (SMEs) are ill-prepared for the effects of bad weather and the disruption it could bring. Two-thirds (66%) of SMEs reported lost revenue, and almost a third (31%) have suffered weather-related property damage as a result of bad weather during the last five years, yet nearly half (44%) have no business continuity plan in place to ensure they can continue operating, while over two-thirds (69%) do not have any insurance cover to protect them.

The research conducted by Towergate found that SMEs were hit hardest by employees being delayed or prevented from reaching work (24%). Reduced demand for goods and services (16%) and disruption to their supply chain (15%) were also common problems caused by bad weather. Furthermore, on average, SME’s estimated that £523,934 of property and related assets could be at risk of damage caused by bad weather.

Overall, SMEs reported an average of 14.7 hours lost a year due to the weather, however some sectors lost much more. Engineering and building (20.8 hours), manufacturing and utilities (19.6 hours), and unsurprisingly transport (19.7 hours) lose around half a week each year due to bad weather.

Adverse weather has consistently appeared in the top ten list of threats featured in the Business Continuity Institute's Horizon Scan Report. The latest version put it in eighth place with more than half (55%) of respondents to a global survey expressing concern about the possibility of a disruption caused by adverse weather.

Commenting on the findings, Joe Thelwell from Towergate, said: “The UK’s economy depends on small and medium sized businesses. But far too many firms have left themselves exposed to the unpredictable and at times damaging British weather. The majority of SMEs do not have appropriate contingency plans or insurance to protect them against lost business and unexpected bills resulting from the havoc our weather can wreak.

With millions of people’s livelihoods depending on SMEs, it is crucial that these businesses take steps to better prepare for bad weather so they can get up and running as soon as possible. Practically, that could include backing-up computer systems and records, identifying contingency premises or taking out specific policies.

Rather than working to cure the IT security disease, too many companies are focused simply on treating the symptoms by adding layer after layer of security complexity. To get to the root of the malady, what they need to be focused on instead are data analytics, machine learning, and an understanding of individuals’ roles.

That was my key takeaway from a recent interview with Stan Black, chief security officer at Citrix Systems, who said that conclusion had been reinforced by the findings of a newly released IT security survey, commissioned by Citrix and conducted by the Ponemon Institute. Black addressed the layering phenomenon in the context of what he sees as the role of public cloud:



Months ahead of the 2017 presidential inauguration, security officials have been in high gear and pulling out all the stops to make the event a safe one. No other presidential inauguration has garnered so much debate, spurring officials to take this year’s inauguration to another level when it comes to security.

Among the precautions taken are what the Washington Post calls, “A virtual fortress of roadblocks, fences and armed police.” What does this entail?



Crowd safety is important to understand before heading out to a large public event.  This weekend there will be many events and marches.  Before you head out to any of them, know a bit about crowd safety before you go. First some basic concepts about crowds:

  • Reaching critical crowd density is a main characteristic of crowd disaster and is approached when the floor space per (standing) person is reduced to about 1.5 square feet or less.
  • At 5 sq. ft. per person, the maximum capacity of a corridor or walkway is attained, (i.e. exiting a stadium or theatre); at approximately 3 sq. ft. per person, involuntary contact and brushing against others occurs.
    • This is a behavioral threshold generally avoided by the public, except in crowded elevators and buses.
    • Below 2 sq. ft. per person, potentially dangerous crowd forces and psychological pressures may to develop.



The Business Continuity Institute

Two-thirds (66%) of financial executives in the US say their organization has been harmed by equipment failure during the last five years, 6 out of ten (60%) have been impaired by data breaches or cyber attacks, while more than half (52%) have had their operations affected by natural disasters. Yet the majority (54%) say their organizations have not developed or tested any formal loss recovery plans. This is according to a new study commissioned by FM Global.

Finance’s role in operational risk management: CFO research on building a resilient company also revealed a low level of preparedness for operational risk events as only a third (34%) of financial executives believe their organization was very well prepared to recover from an equipment failure. Just a third (33%) felt they were very well prepared to recover from a natural disaster, while merely a quarter (24%) were very well prepared to recover from a data breach/cyber attack.

It’s surprising the number of companies that have been harmed by operational risk events, coupled with the relatively low number of companies that feel they are very well prepared for a disruption event,” said Eric Jones, operations vice president and global manager of business risk consulting, FM Global. “The findings reveal the opportunity for financial executives to implement stronger plans with increased data, to help move resilience forward within their organizations.

There is also an increasing perception of risk as over two-thirds (70%) of financial executives are concerned that their revenues or earnings will become more vulnerable to operational risk over the next two years, and nearly 6 out of ten (60%) say the need to manage operational risks will make it more difficult to meet revenue and earnings targets over the next two years.

Some of these findings echo the results of the latest Horizon Scan Report published by the Business Continuity Institute which features cyber attacks, data breaches and IT/telecommunications failures as the top three concerns for business continuity professionals. Adverse weather features high on the list in eighth place, although other natural disasters such as earthquakes and tsunamis are not quite as concerning.

Overall, the study found a need for improved resiliency with 86% of respondents say their companies will need to be more resilient in the future.

Thursday, 19 January 2017 17:27

Too Many Amber Alerts?

DRJ LogoThe emergency community in Michigan may have fewer Amber Alerts to respond to this year, as the state implements new measures intended to pare back use of the emergency child-abduction notification system.

Michigan recently redefined its criteria for Amber Alerts to fix definitions that law enforcement officials say were drawn too broadly. The new guidelines fall more closely in line with U.S. Department of Justice guidelines and more closely fit the system’s original intent.

“If we adhered strictly to the old criteria, we could have put out an Amber Alert every single day in Michigan,” said Detective Sgt. Sarah C. Krebs, who heads Amber Alerts for the Michigan Department of State Police Missing Persons Coordination Unit.



DRJ LogoHyperscale cloud providers are sucking more and more customer workloads away from data center providers, while gobbling up more and more data center capacity to host those workloads, changing in a big way the dynamics in the global colocation data center market.

One big result is that growth in retail colocation is slowing, while growth in the wholesale data center market is accelerating, according to the latest report by Structure Research. The analysts project a growth rate of 14.3 percent for retail colocation from 2016 to 2017 and 17.9 percent for wholesale; retail colocation services currently have 75 percent market share, with wholesale responsible for the rest.

The global colocation market size reached $33.59 billion in 2016, including both retail and wholesale services, Structure estimates. The firm expects it to grow 15.2 percent this year.

Here’s how total colocation data center market revenue is split among regions (chart courtesy of Structure Research):



DRJ LogoNot long ago, European customers of the global public cloud vendors relied upon a single data centre ‘region’ for all their cloud computing needs. From Lisbon to Lviv, Kiruna to Kalamata, customers of Amazon Web Services (AWS) and Microsoft Azure sent everything to Ireland, and customers of the Google Cloud Platform (GCP) sent everything to Belgium. And, mostly, public cloud’s early adopters in Europe just got on with it.

For the majority of public cloud workloads, storing and processing data somewhere in the European Economic Area (EEA) really was — and is — good enough. Network latency was mostly low enough not to be a problem, and European regulations covered the main use cases well enough to appease all but the most cautious lawyers.

But connections can always be faster, and there are still use cases in regulated industries and government where keeping personal data inside specific geographic borders is either essential or encouraged. And, more and more often these days, customers just seem to feel happier when their data doesn’t leave the country. Mostly, no law requires it, and no regulation recommends it. But it’s still happening. We should all be pushing back against this odd trend towards data balkanisation, much harder than we are.



FEMA LogoDURHAM, N.C. –Edgecombe County area homeowners, renters and business owners whose properties were damaged by Hurricane Matthew flooding can find information and guidance on their next steps toward recovery at the Disaster Recovery Resource Fair in Tarboro.

The resource fair will be held from 10 a.m. to 3 p.m. Saturday, Jan. 21 at the Edgecombe County Administrative Building, 201 St. Andrews Street, Tarboro, NC 27886.

Bilingual interpreters and American Sign Language interpreters will be on hand.

Do you have a particular recovery issue that puzzles you? Specialists in disaster recovery will be available for one-on-one discussions and to answer your questions. Topics include:

  • Housing resources

  • Sheltering at home

  • Flood insurance

  • Foreclosure prevention

  • Housing counseling

  • Title issues/successions
  • Legal services

  • Disaster tax relief

  • Various types of loans and more.

Disaster Recovery Resource Fair Provides Advice on Hurricane Recovery

Participants include: North Carolina Emergency Management, North Carolina Legal Aid, U.S. Department of Agriculture, U.S. Department of Housing and Urban Development, U.S. Department of the Interior, U.S. Small Business Administration, American Red Cross, FEMA, National Flood Insurance Program and others.

For more information or directions, call 336-851-8058.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.


Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow FEMA on twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during, and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955, emailing This email address is being protected from spambots. You need JavaScript enabled to view it., or visiting SBA’s Web site at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

Thursday, 19 January 2017 17:21

Fraud Incidents Rise in 2016, Kroll Finds

DRJ LogoReports of fraud have risen in the past year. In fact, incidences of every type of fraud have reached double-digit levels, according to the Kroll Global Fraud & Risk Report 2016/2017. Overall, 82% of executives reported falling victim to at least one instance of fraud in the past year, up from 75% in 2015.

Theft of physical assets remained the most prevalent type of fraud in the last year, reported by 29% of respondents, up 7 percentage points from 22% of respondents in the last survey. Kroll reported that vendor, supplier, or procurement fraud (26%) and information theft, loss, or attack (24%) were the next two most common types of fraud cited, each up 9 percentage points year-over-year.

Kroll found that most threats come from within an organization, with current and ex-employees being the most frequently cited perpetrators of fraud, cyber, and security incidents over the past 12 months. External parties were also identified as active perpetrators.



FEMA LogoSEVIERVILLE, Tenn. — Survivors who registered for disaster assistance after the Sevier County wildfires are encouraged to stay in touch with FEMA to resolve issues, get updates on their applications or provide new information.

Survivors can call the FEMA helpline at 800-621-3362 for status updates on their applications or to check whether they submitted the correct documents. Applicants changing addresses, phone numbers or banking information should notify FEMA. Missing or erroneous information could result in delays in receiving assistance.

Callers to the helpline should refer to the nine-digit number they were issued at registration. This number is on all correspondence applicants receive from FEMA and is a key identifier in tracking assistance requests.

Survivors can also call the helpline to:

  • update insurance information
  • receive information on the home inspection process
  • add or remove the name of a person designated to speak for the applicant
  • find out if FEMA needs more information about their claim
  • update FEMA on the applicant’s housing situation
  • learn how to appeal an eligibility determination
  • get answers to other questions about their applications

Applicants may update their information the following ways:

  • Online at DisasterAssistance.gov (also in Spanish).
  • Download the FEMA mobile app (also in Spanish).
  • Call the FEMA Helpline at 800-621-3362 (FEMA). Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call 800-462-7585. Toll-free numbers are open daily from 7 a.m. to 10 p.m. Help is available in many languages.

Monday, Feb. 13 is the deadline to register with FEMA for disaster assistance for the

Nov. 28 to Dec. 9 wildfires in Sevier County.

For updates on Tennessee’s wildfire response and recovery, follow @FEMARegion4 on Twitter and visit TNEMA.org/, MountainTough.org/ and fema.gov/disaster/4293.

# # #

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

DRJ LogoCostly Weather Disasters and Near Record Heat in 2016. It was the second hottest year in the U.S. as Alaska warmed dramatically and nighttime temperatures set a record.

The National Oceanic and Atmospheric Administration annual report noted that the U.S. also notched its second highest number of weather disasters that cost at least $1 billion in damage: 15 separate ones together caused $46 billion in damage and 138 deaths.

The regular tally of the nation’s weather year shows that even on a smaller scale — the U.S. is only 2 percent of the Earth’s area — climate change is becoming more noticeable even amid the natural variations that play such a large role in day to day weather.



BCI LogoThe Business Continuity Institute

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These were the findings of a Freedom of Information request submitted by SentinelOne.

The Ransomware Research Data Summary explained that SentinelOne made FOI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex, and University College London Hospitals have invested in anti-virus security software on their endpoint devices to protect them from malware and, despite installing a McAfee solution, Leeds Teaching Hospital had suffered five attacks in the past year. No Trusts reported paying a ransom or informed law enforcement of the attacks, all preferred to deal with the attacks internally.

Ransomware which encrypts data and demands a ransom to decrypt it, has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.

With the infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it is clear to see why these types of attack can be a concern for business continuity professionals with the latest Horizon Scan Report published by the Business Continuity Institute highlighting cyber attacks as the number one concern. A very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week.

These results are far from surprising,” said Tony Rowan, Chief Security Consultant at SentinelOne. “Public sector organizations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed. In the past NHS Trusts have been singled out by the ICO for their poor record on data breaches and with the growth of connected devices like kidney dialysis machines and heart monitors there is even a chance that poor security practices could put lives at risk.

*Note that the data isn't always recovered, even after a ransom has been paid.

Wednesday, 18 January 2017 16:24

Getting Hired as an Emergency Manager

DRJ LogoWhat does it take to become an emergency manager? First, emergency management is a white-collar, professional job. The days of the retired firefighter turned emergency manager are fading quickly, replaced by a new breed of highly credentialed, educated professionals whose main career field is emergency management or something very close to it. This is happening because of a combination of governments requiring certain education and experience levels for positions of responsibility, and an industry push toward a greater focus on standards and education.

What that means to the prospective emergency management job seeker is that the core competencies of an emergency manager are only slightly different from that of an engineer, an accountant or an attorney (so much so that many emergency managers started out as engineers, accountants and attorneys). Skills such as clear writing, oral communication, critical thinking, problem solving and project management are highly transferable and form the basis of a professional career. Conversely, if a candidate’s writing skills are poor or they can’t demonstrate the ability to brief a project plan during an interview, the odds of them being hired are marginal at best.

Writing, thinking and communication skills are inseparably linked to presentation, presence and attitude. These are skills and characteristics that should be perfected well in advance of submitting a resume or attending an interview. What do quality presentation, presence and attitude look like? Any decent job-seeking site will just call them the basics of a good interview. This includes showing up on time dressed in a suit and tie, shaking the hand of the person with whom you are interviewing, acting respectfully yet presenting your own ideas, and having a positive attitude about starting the job. Candidates need to look and act the part if they wish their future employer to take them seriously, especially if this is their first job.



Wednesday, 18 January 2017 16:23

Who Leased the Most Data Center Space in 2016?

DRJ LogoThe short answer is Microsoft. The second-largest cloud service provider signed six of last year’s largest wholesale data center leases with five landlords in five markets, according to the latest market report by the commercial real estate firm North American Data Centers.

Microsoft and to a lesser extent Oracle together were responsible for a 25-percent increase in leasing activity from 2015. According to NADC, that increase represents a “historical high.”

Cloud providers and other tech companies with hyperscale internet platforms have completely changed the dynamics of the data center services market in recent years in the US and beyond. As they race to expand capacity, the likes of Microsoft, Amazon Web Services, Uber, and Oracle have created supply shortages in top US markets, driving unprecedented growth in the wholesale data center business. Wholesale market growth now outpaces growth in retail colocation, according to a recent report by Structure Research.



  • DRJ Logo82 percent of executives surveyed worldwide experienced a fraud incident in the past year, compared to 75 percent in 2015, according to the Kroll Annual Global Fraud and Risk Report
  • 85 percent of executives reported at least one cyber incident and over two-thirds reported security incidents
  • Current and former employees were the most common perpetrators

Fraud, cyber and security incidents are now the “new normal” for companies across the world, according to the executives surveyed for the 2016/17 Kroll Annual Global Fraud and Risk Report1. The proportion of executives that reported their companies fell victim to fraud in the past year rose significantly to 82 percent, from 75 percent in 2015 and 70 percent in 2013, highlighting the escalating threat to corporate reputation and regulatory compliance.

Cyber incidents were even more commonplace, with 85 percent of executives surveyed saying their company has suffered a cyber incident over the past 12 months. Over two-thirds (68 percent) reported the occurrence of at least one security incident over the course of the year.



Wednesday, 18 January 2017 16:12

Determine your cybersecurity scope and assets

MIR3 LogoOnce you have your executives on board (see the previous post) the next step is to define the scope of your program and define your inventory of assets.

Your scope will encompass the entire company at some level, but you may have one scope for internal resources, a scope for customer resources, another scope for third-party resources, and other scope projects as well. Scope may be defined in terms of technology or business, application or process, people or buildings. Your executive sponsor can help define the scope of each program, the cybersecurity professional must help the executive sponsor understand the depth and breadth of the scope requirements.

Inventories may be tracked in simple Excel spreadsheets, maintained by accounting, or tracked in sophisticated asset-management software applications that include automated discovery and tracking mechanisms. Regardless if the starting inventory is simply hard assets (desk or desktop) or soft assets (operating systems or data), this inventory is a fundamental requirement for your cybersecurity program. Without it you don’t know what needs to be protected.



BCI LogoThe Business Continuity Institute

There have been several studies recently that have shown, or at least suggested, that cyber security incidents are often the result of human error, and we have been told again and again that one of the best ways to improve our cyber security is to use strong passwords. However, a study of 2016’s most common passwords found that nearly 17% of users were safeguarding their accounts with ‘123456’.

Keeper Security‘s study of 10 million passwords which had become public through data breaches that occurred during 2016 found that the list of most frequently used passwords had changed little over the last few years. This perhaps suggests that user education has its limits. While it is important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.

Four of the top 10 passwords, and seven of the top 15, were six characters or shorter. This is stunning given that today’s brute-force cracking software and hardware can unscramble those passwords in seconds. The presence of passwords like ‘1q2w3e4r’ and ‘123qwe’ indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Password crackers know to look for sequential key variations and, at best, this will only set them back a few seconds.

Cyber security is a hot topic for business continuity professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

Tuesday, 17 January 2017 21:33

Making Shadow IT Work for the Enterprise

DRJ LogoWhen it comes to shadow IT, the enterprise has three choices: It can accept it, fight it or ignore it. All too often, however, organizations choose the third option, which in most cases not only fails to satisfy individual or organizational needs but can place systems and data at risk.

Fortunately, new practices and new technologies are making it easier to accommodate shadow IT, and even use it to gain an advantage in today’s digital economy.

According to a recent report by cloud security expert Netskope, shadow IT can creep into the enterprise even when service deployment and usage policies are in place to prevent it. In its latest quarterly assessment, the company reports that half of all Box and Dropbox users maintain personal instances on these platforms along with the sanctioned presences established by their employer. This makes it extremely difficult to detect and mitigate practices like data exfiltration and file sharing between the enterprise and private instances. At the same time, the company says that upwards of 95 percent of services employed in the cloud are not enterprise-ready, with particular deficiencies when it comes to compliance with government mandates like the EU’s General Data Protection Regulation.



DRJ LogoWordfence researchers are warning of a new and unusually effective phishing scam designed to steal login credentials from Gmail users, though it's also been seen targeting users of other services (h/t The Register).

An email is sent to a target's Gmail account, often from someone they know whose account has been hacked using the same technique, including an image of an attachment the recipient will likely recognize from the sender.

"You click on the image, expecting Gmail to give you a preview of the attachment," Wordfence CEO Mark Maunder explains in a blog post describing the attack. "You glance at the location bar and see you accounts.google.com in there."



DRJ LogoDo you know how to actually execute a recovery using your defined disaster recovery strategy, or will your team have to figure it out? We’ve discussed developing a disaster recovery strategy at length, but what happens when it’s time to execute your strategy?

In his poem, To a Mouse, Robert Burns provides a well-known and insightful thought, “the best-laid plans of mice and men sometimes go awry.” We’ve seen how true this can be when we must perform an actual recovery that doesn’t go as smoothly as we might have hoped, even with all of our planning and document development.

Here are some ideas on providing training and validation of the execution of your DR strategy and plans.



SBCP LogoBuying a system that provides built-in intelligence reduces both deployment time and total cost of ownership. This results in a program that aligns with proven best practices, industry standards, and governing regulations to exceed your program’s resiliency goals.

Why try to reinvent the wheel? Why spend your time building an untested, unproven solution? The smart answer is to embrace the built-in intelligence of a tested software product. Spend your valuable time elevating your Business Continuity/Disaster Recovery (BCDR) program instead. Unlike software that you build from scratch with your vendor over the course of months or years, ResilienceONE® from Strategic BCP® provides a Business Continuity Management (BCM) solution that is ready right out of the box and instantly provides users with the following:



DRJ LogoFully 95 percent of cloud services in use in the average enterprise aren't enterprise-ready, according to the January 2017 Netskope Cloud Report.

Specifically, 82 percent of cloud services don't encrypt data at rest, 66 percent don't specify in their terms of service that the customer owns the data, and 42 percent don't allow admins to enforce password controls.

An average of 1,031 cloud services are now in use per enterprise, up from 977 in the previous quarter.



Monday, 16 January 2017 16:29

Gamification in Risk Management

DRJ LogoIn 2014, I collaborated with EY to develop Russia’s first risk management business game. It was great fun, and as a result, we created a pretty sophisticated business simulation.

Participants were split into teams of 10, each person receiving a game card that describes their role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, and in each round, teams must make risk-based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision, the higher the probability of adverse outcome. At the end of each round, computer simulation model chooses a scenario and the outcome is announced to each team. Each decision has consequences, and the outcome may either make money for the business or lose money.

The aim of the game is to increase the company valuation by properly weighing risks and making balanced business decisions. The winning team is the one that increases its company’s value the most after four rounds.



Monday, 16 January 2017 16:26

Weighing the Options for Disaster Recovery

DRJ LogoDespite the redundancy and resilience the enterprise has gained from virtualization and cloud computing, disaster recovery remains one of the most overlooked functions on the IT to-do list.

In many cases, organizations have established backup and recovery services for their primary applications, but without constant care and attention to the processes behind B&R, and the way they are affected by constantly evolving data loads and architectures, the reliability of these services is questionable at best. In the digital economy, it’s not enough to recover – you must recover quickly and thoroughly.

According to recent research from cloud recovery specialist Asigra, the typical enterprise recovers less than 5 percent of its data during the restore process, most of it from file systems. Most data recovery requests are the result of ransomware attacks and losses from cloud-based platforms like Office 365 and Salesforce, and more than half of all requests across multiple industry verticals are for previous generations of data. Only about 13 percent of recovered data was lost due to user error or accidental deletion. What this shows is that while only a small portion of data is typically needed to get applications and services up and running, many organizations still pay a premium for 100 percent backup of their online data.



Monday, 16 January 2017 16:25

Cloud-based Security Emerges

BC In the Cloud LogoCloud-based security continues to emerge as a key growth area. The main reasons for this growth is due to the overall ease of deployment and strong expertise of cloud security teams, and the reduction in investment in hardware/infrastructure required to support the business.  Businesses are no longer required to maintain equipment onsite that need a specialist to operate and maintain.

Cloud-based security solutions lower the operating cost because there is less need for upgrading software, monitoring and documenting software security activities. The cost of hardware and software is increasing dramatically which makes cloud-based security an attractive option for companies of all sizes.

According to PWC’s Key findings from The Global State of Information Security® Survey 2016, 79% said they use cloud-based cybersecurity services like real-time monitoring and analytics, advanced authentication, identity and access management. This survey included input from more than 10,000 IT professionals from around the globe.



AlertMedia LogoWith 2017 already underway, it’s a good time to look at what we think will be major drivers in the mass notification system market. One recent report estimates this market is to grow from $4.16 billion in 2016 to more than $9 billion by 2021. It appears the focus will be on business continuity strategies and IP-based notification devices. Let’s break those down a bit.

Business Continuity

When an emergency happens, its ripple effect can extend beyond the initial incident to produce plenty of collateral damage. Any interruption in service and/or operations will directly impact the bottom line as well as customer satisfaction, brand reputation, and other less concrete but equally important metrics. Companies can spend millions of dollars to recover and continue operating as quickly as possible, from repairs and rebuilding to marketing and PR strategies.

As more companies fear the worst, which would be prolonged or complete organizational shutdowns, they are getting smarter about their emergency response plans. In today’s 24×7 news and social media, one misstep can lead to irreparable damage. Consumers expect a rapid response, one that balances the potential personal loss of its key stakeholders (employees/customer/supplier/partner base) and community with recovery strategies to get the business up and running. Consumers’ patience is fragile.



Monday, 16 January 2017 16:22

6 Shocking Statistics on Disaster Recovery

RES Q LogoAccording to most experts, 2.5 quintillion bytes of data are being created each day, and 90% of the data that exists in the world today has been created in the last two years alone. By the year 2020, it is estimated that 1.7 megabytes of new information will be created every second for every human being on the planet.

More data brings more opportunities to businesses, but it brings new challenges with it, too. A specific challenge that many organizations are facing is safely storing and backing up the unprecedented amounts of data that they are finding themselves in charge of. Research shows that 60% of companies that improperly manage their data and lose it to a disaster will shut down within six months of the event. The importance of a proper disaster recovery plan is more critical than it ever has been before.

Here are six shocking statistics you may not know about Disaster Recovery. They might make you rethink the necessity of having a proven, tested plan in place should something go wrong.



DRJ Logo2016 Cyber breach: likely the greatest threat of our lifetime. Kaspersky Lab has released a summary of the major incidents of 2016 and has looked forward into 2017 as to what may happen.

In 2016, the world’s biggest cyber threats were related to three things:

  • Money
  • Information
  • Desire to disrupt.

The notable threats included the underground trade of tens of thousands of compromised server credentials, hijacked ATM systems, ransomware and mobile banking malware – as well as targeted cyber-espionage attacks and the hacking and dumping of sensitive data. These trends, their impact and the supporting data are covered in the annual Kaspersky Security Bulletin Review and Statistics reports.



DRJ-LogoA survey of more than 1,200 risk managers and corporate insurance experts in over 50 countries identified business interruption as the top concern for 2017. According to the sixth annual Allianz Risk Barometer of top business risks, this is the fifth successive year that business interruption has been seen as the biggest risk.



MIR3-LogoTo build any cybersecurity program, you need buy-in at the highest levels. Your C-suite and the board of directors all need to be on board for a successful cyber-program initiative. But how do you get their attention?

The key to getting and keeping the attention of those at the highest levels is to provide just the right amount of information in a clear, concise, educational format that ties directly to the business objectives.

Before asking for funding for your program, it’s important you show your executives the risk to the organization of not providing the funding. What damage to reputation or brand will occur if the company’s name is in the headlines due to a data breach? The old adage, “all publicity is good publicity,” is no longer true in the era of hacking, malware, ransomware and other cybersecurity threats.



BCI-LogoThe Business Continuity Institute

As companies embrace digitalization and increasingly interlink their equipment, processes and supply chain – the so-called ‘Internet of Things’ – the risk of financial losses rises exponentially, making cyber security and related issues fast emerging as the biggest risk for organizations, according to Allianz Global Corporate & Specialty SE.

The 6th annual Allianz Risk Barometer notes that the cyber threat now goes far beyond hacking and privacy, and data breaches and new data protection regulations will exacerbate the fallout from these for businesses. Time is running out for businesses to prepare for the implementation of the new General Data Protection Regulation across Europe in 2018. The cost of compliance will be high, and so could be related penalties.

In addition, inter-connectivity and increasing sophistication of cyber attacks pose risk for companies not only directly, but also indirectly through exposed critical infrastructure such as IT, water or power supply. Then there is the threat posed by technical failure or human error, which could lead to prolonged and wider business interruption. In today’s ‘Industry 4.0’ environment, failure to submit or interpret data correctly could stop production.

Worldwide, cyber concerns ranked third in the list of top risks, but second in Europe and the United States. Especially worried were respondents in the trade and information and communication technology industries. The report shows that smaller organizations may be underestimating their cyber risk, as those with revenue of less than €250 million rank cyber incidents as the sixth biggest risk. However, the impact of a serious incident could be much more damaging for such firms.

Business interruption remained the top fear globally for the fifth straight year, with multiple new triggers emerging, including non-physical damage disruptions caused by political violence, strikes and terror attacks.

Organizations are also facing potential financial losses as the changing political landscape - Brexit, US elections outcome and the upcoming polls in the EU, among others - raises fears of increasing protectionism and anti-globalization trends. Since 2014, there have been around 600 to 700 new trade barriers introduced globally every year.

Companies worldwide are bracing for a year of uncertainty,” says Chris Fischer Hirs, the CEO of AGCS. “Unpredictable changes in the legal, geopolitical and market environment around the world are constant items on the agenda of risk managers and the top management. A range of new risks are emerging beyond the perennial perils of fire and natural catastrophes which require re-thinking of current monitoring and risk management tools.

DRJ-LogoSometimes it is a good exercise to step back and review some basics. I was at a high school basketball game recently and the teams were running a pro-style offense. The difference, however, was one team was fundamentally sound – on target passing, effective ball movement and basic concepts – while the other team was not. You can guess the outcome of the game.

Similarly, we should be looking at the basics in our business continuity programs to ensure we are fundamentally sound. Today’s blog is related to the very basic and fundamental concept and requirements of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Before you close this window or go somewhere else, take  two minutes to finish this short blog, then take another two minutes to consider the state of the RTOs and RPOs in your business continuity program. These provide the basic, and arguably most important, requirements in developing technical and business recovery strategies.



Emergency Notifications in the Healthcare Industry

AlertMedia-LogoOur blogs typically highlight the use of emergency mass notifications for companies, such as service organizations, manufacturing, and typical private-sector businesses with a medium to large and/or dispersed workforce. While this has been our focus, we believe it is critical for any organization across every industry to have an emergency plan in place, practiced, and periodically updated to include the latest technology. The plan must include, at its core, a sound emergency communications strategy and solution.

I stumbled upon a recent article talking about mass notifications in an industry we haven’t written much about, namely healthcare. We’ve mentioned how a mass communication system can be used in the healthcare industry for scheduling the many shifts involved in most healthcare organizations, but we haven’t touched upon the need for mass communications in the event of an emergency in a hospital or other patient care facility. Until now.



FEMA LogoVIRGINIA BEACH, Va. – It has been over two months since disaster assistance personnel from the Federal Emergency Management Agency (FEMA) deployed to Virginia in response to President Obama’s major disaster declaration of Nov. 2, 2016. The president’s signature on the decree made federal assistance available to eligible survivors affected by Hurricane Matthew in seven independent cities for individual assistance.

Although the deadline for registering for individual financial assistance from FEMA has passed, the recovery continues. Survivors affected by Hurricane Matthew, who have registered for FEMA assistance, still have access to the agency for information about temporary housing, help with insurance claims, questions about filing an appeal, and other disaster services and resources.

Registered individuals have access to FEMA’s toll-free Helpline, seven days a week, 7 a.m. to 10 p.m. EDT. Call 800-621-3362 (TTY users should call 800-462-7585). Multilingual operators are available.

Applicants receiving temporary rental assistance and who have a need for continuing housing assistance must apply to FEMA for approval. FEMA will evaluate the information to determine if the applicant qualifies for ongoing federal rental assistance, based on financial need. Contact the FEMA Helpline for information on how to apply.

FEMA urges registered individuals to “keep in touch” and notify FEMA of address or phone number changes, initiate appeals or reschedule inspection appointments. It is important to keep all contact information current to avoid delays in getting assistance.

As of the Jan. 3 deadline, 5576 Virginia homeowners and renters have applied to FEMA for disaster assistance. To date more than $7.4 million in individual housing assistance grants and nearly $1.6 million in other needs assistance have been approved for residents of the 7 designated cities: Chesapeake, Hampton, Newport News, Norfolk, Portsmouth, Suffolk and Virginia Beach.

Since the Nov. 2 disaster declaration, the U.S. Small Business Administration (SBA), one of FEMA’s partners in disaster recovery, has approved 399 low-interest disaster loans totaling nearly $13.4 million. SBA offers low-interest disaster loans to homeowners and renters who have applied for FEMA assistance, as well as to businesses of all sizes and private nonprofit organizations. SBA disaster loans may cover the cost of repairing, rebuilding or replacing lost or disaster-damaged real estate and personal property.

For more information about SBA loans, call SBA’s Disaster Assistance Customer Service Center at 800-659-2955. (TTY users should call 800-877-8339). Individuals and businesses may also email This email address is being protected from spambots. You need JavaScript enabled to view it., or visit http://www.sba.gov/disaster.

In addition to the FEMA grants, and SBA loans, the National Flood Insurance Program (NFIP) has paid out $46.8 million to 2263 claimants to settle Flood Insurance Claims. Several of the claims were outside of the Special Flood Hazard Area (SFHA) proving to be a good investment for homeowners who suffered flooding damages. Homeowners and renters who purchased insurance through NFIP were able to find affordable Preferred Risk Policies that cover homes not located in a SFHA. Flood insurance continues to be the best tool for recovering financially from a flooding disaster for both homeowners and renters.

The Commonwealth’s and FEMA’s 6 Disaster Recovery Centers (DRCs) served 3,051 visitors between Nov. 7 and Jan. 3, while FEMA-contracted housing inspectors have completed more than 4,052 inspections of disaster-damaged properties to verify damage.

The Public Assistance Program, which aids local governments and certain nonprofits was also approved for this disaster. Eligible projects are reimbursed not less than 75 percent of their costs for uninsured damages to infrastructure and certain emergency response costs. The eligible cities are Chesapeake, Franklin, Norfolk, Portsmouth, Suffolk, Virginia Beach, Hampton, and the counties of Isle of Wight and Southampton. The Virginia Department of Emergency Management is working closely with FEMA to develop costs for the eligible reimbursements. Applicants have six months from the date of the declaration to identify all projects for reimbursement consideration.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 (voice, 711 or video relay service). TTY users can call 800-462-7585.

The SBA is the federal government’s primary source of money for the long-term rebuilding and recovery. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and can cover the cost of replacing losses of disaster-damaged real estate and personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations.

DRJ-LogoForrester's clients frequently ask us how to build the business case for customer journey mapping, particularly for digital experiences and digital products. We have proven that better customer experiences drive revenue in industries with low switching costs. But what about investments in customer journey mapping?

Now that I've taken on Forrester's digital business and transformation playbook, I've been thinking a lot about the benefits of journey mapping, which I believe is the front end to any transformation initiative. I don't have a wealth of evidence yet to justify your investments in journey mapping (though my CX colleagues have a lot more to share for Forrester clients). But I have been developing a framework to measure the impact of better customer experiences. These metrics range from hard to squishy:



BCI-LogoThe Business Continuity Institute

This news item contains embedded media. Open the news item in your browser to see the content.

Economic inequality, societal polarization and intensifying environmental dangers are the top three trends that will shape global developments over the next 10 years, the  World Economic Forum’s Global Risks Report 2017 found. Collaborative action by world leaders will be urgently needed to avert further hardship and volatility in the coming decade.

While the world can point to significant progress in the area of climate change in 2016, with a number of countries, including the US and China, ratifying the Paris Agreement, political change in Europe and North America puts this progress at risk. It also highlights the difficulty that leaders will face to agree on a course of action at the international level to tackle the most pressing economic and societal risks.

Urgent action is needed among leaders to identify ways to overcome political or ideological differences and work together to solve critical challenges. The momentum of 2016 towards addressing climate change shows this is possible, and offers hope that collective action at the international level aimed at resetting other risks could also be achieved,” said Margareta Drzeniek-Hanouz, Head of Global Competitiveness and Risks, World Economic Forum.

The complex transitions that the world is currently going through, from preparing for a low-carbon future and unprecedented technological change to adjusting to new global economic and geopolitical realities, places even greater emphasis on leaders to practice long-term thinking, investment and international cooperation.

We live in disruptive times where technological progress also creates challenges. Without proper governance and re-skilling of workers, technology will eliminate jobs faster than it creates them. Governments can no longer provide historical levels of social protection and an anti-establishment narrative has gained traction, with new political leaders blaming globalisation for society’s challenges, creating a vicious cycle in which lower economic growth will only amplify inequality. Cooperation is essential to avoid the further deterioration of government finances and the exacerbation of social unrest,” said Cecilia Reyes, Chief Risk Officer of Zurich Insurance Group.

The propensity of the Fourth Industrial Revolution to exacerbate global risks also came under scrutiny in the Report’s Global Risks Perception Survey. Basing their analysis on 12 distinct emerging technologies, experts clearly identified artificial intelligence and robotics as having both the highest potential for negative consequences and also the greatest need for better governance. Notwithstanding its potential to drive economic growth and solve complex challenges, experts also named it as the top driver of economic, geopolitical and technological risks among the 12 technologies.

John Drzik, President of Global Risk & Specialties, Marsh said: “ Artificial intelligence will enable us to address some of the great issues of our age, such as climate change and population growth, much more effectively. With investment into AI now ten times higher than it was five years ago, rapid advances are already being made. However, increased reliance on AI will dramatically exacerbate existing risks, such as cyber, making the development of mitigation measures just as crucial.

BCI-LogoThe Business Continuity Institute

Global organizations are more confident than ever that they can predict and resist a sophisticated cyber attack, but are falling short of investments and plans to recover from a breach in today's expanding threat landscape. This is according to a new study conducted by EY.

The annual Global Information Security Survey (GISS) - Path to cyber resilience: Sense, resist, react - showed that half (50%) of those surveyed said they could detect a sophisticated cyber attack – the highest level of confidence since 2013 – due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centres (SOCs) and active defence mechanisms. However, despite these investments, 86% of those surveyed say their cyber security function does not fully meet their organization's needs.

Business continuity professionals are well aware of the threat the cyber world poses to their organizations, as identified in the Business Continuity Institute's latest Horizon Scan Report. In this report cyber attack and data breach were ranked as the top two threats with the vast majority of respondents to a global survey (85% and 80% respectively) expressing concern about the prospect of them materialising.

Despite the report noting that business continuity and disaster recovery – which is at the heart of an organization's ability to react to an attack – was rated by respondents as their top priority (57%), along with data leakage and data loss prevention (57%), only 39% plan to spend more on business continuity and disaster recovery.

Paul van Kessel, EY Global Advisory Cyber Security Leader says: "Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks. Organizations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to 'cyber resilience' – an organization-wide response that helps them prepare for and fully address these inevitable cyber security incidents. In the event of an attack they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and ultimately their own future, at risk."

This year's survey also shows that respondents continue to cite the same key areas of concern for their cyber security, such as the increased risks from the actions of careless or unaware employees (55% compared with 44% in 2015) and unauthorized access to data (54% compared with 32% in 2015). Meanwhile obstacles to their information security function are virtually unchanged from last year, including:

  • Budget constraints (61% compared with 62% in 2015)
  • Lack of skilled resources (56% compared with 57% in 2015)
  • Lack of executive awareness or support (32%, the same as in 2015)

Despite the connected nature of today's digital ecosystem, the survey found that 62% of global organizations said it was unlikely they would increase their cyber security spending after a breach that did not appear to do any harm to their operations. Also, 58% said it was unlikely they would increase their information security spending if a competitor was attacked, while 68% said it was unlikely they would increase their information security spending if a supplier was attacked. In the event of an attack that definitely compromised data almost half of the respondents (48%) would not notify customers who had been impacted within the first week. Overall, 42% of respondents do not have an agreed communications strategy or plan in place in the event of a significant attack.

When it comes to devices, organizations are struggling with the number of devices that are continuously being added to their digital ecosystem. Almost three-quarters (73%) of organizations surveyed are concerned about poor user awareness and behavior around mobile devices, such as laptops, tablets and smartphones. Half (50%) cited the loss of a smart device as a top risk associated with the growing use of mobile devices because they encompass both information and identity loss.

DRJ-LogoForrester’s business insights research team has had a busy 2016! We have been busy helping our business and technology clients lead their organization to become insights-driven - one of the key operating principles of customer-obsessed firms.

Our research in 2016 helped clients:

  • Organize And Operate As An Insights-Driven Business.  Insights-driven businesses harness and apply data and analytics at every opportunity to differentiate its products and customer experiences and they operate differently. For customer insights teams in particular, this means understanding the right organizational models to effectively turn insights into action.
  • Scale And Innovate With Data.  Business users want real-time trusted data to make accurate business decisions, while technology management wants to simplify administration and lower costs. Our big data fabric research helps organizations accelerate their big data initiatives, monetize big data sources, and ultimately create a data vision to make data relevant, timely, and impactful.



Tuesday, 10 January 2017 00:00

Ransomware Will Get Worse This Year

DRJ-LogoRansomware made a lot of (bad) news in 2016, and the year ahead is expected bring more of the same.

The security sector is reeling as the year begins. Rick Orloff, the vice president, chief security officer and chief privacy officer at Code42, began a column by reciting the numbers and pointing out that it “has caused absolute terror in nearly every industry.”

That has been written in different ways many times during the past year. Orloff adds to the total picture on ransomware by pointing out that one of the reasons that ransomware is popular among the darker forces is that the industry has done an admirable job of protecting itself against other kinds of attacks. Security forces in essence are victims of their own success:



DRJ-LogoPublic cloud is a good thing only when an appropriate strategy is applied to leverage it to the benefit of the business. While is can be less expensive for some workloads, it can be more expensive for others — without a thoughtful, strategic approach, it can destroy value rather than create it. In other words, “Public cloud doesn’t fix stupid.”

That’s the conclusion drawn by Jason Anderson, chief architect at Datalink, a cloud services provider in Eden Prairie, Minnesota, based on the findings of a recent IT optimization survey of U.S. IT executives that was commissioned by Datalink. In a recent interview, Anderson discussed the survey, and what Datalink gleaned from it, at some length. I asked him if the survey results prompted Datalink to change anything it had been doing in order to better serve its customers. He said the company has, in fact, changed its focus:

What we had been talking to customers about for quite a while was that they need to get a handle on their cloud strategy, and make sure that if you’re an IT executive, you want to be at the center of the cloud conversation, and be a broker of IT services. That had been our message. It’s not that we think that that is wrong, or was wrong. But what we learned from the survey was that a lot of IT executives get that message already, so we really don’t have to pound on that. Instead, we need to get them better armed with the how to do that. So we shifted our focus to really saying, “OK, the how is to focus on your workloads, and embrace the fact that you’re going to have multiple platforms.” What was clarified for us in the survey was that we really need to take a very workload-focused view of the world. Know going into it that, except for some very small organizations, or ones that are so specialized they only have a handful of applications, they’re going to have multiple platforms, and that both on-prem[ises] and public cloud are going to be a part of the mix.



DRJ-LogoThe Business Continuity Institute

A number of devastating earthquakes and powerful storms made 2016 the costliest twelve months for natural catastrophe losses in the last four years. This is according to a study by Munich RE which showed that losses totalling US$175bn, a good two-thirds more than in the previous year, and very nearly as high as the figure for 2012 (US$180bn). The share of uninsured losses – the so-called protection or insurance gap – remained substantial at around 70%.

The high number of flood events, including river flooding and flash floods, was exceptional and accounted for 34% of overall losses, compared with an average of 21% over the past ten years. Taking very small events out of the equation, 750 relevant loss events such as earthquakes, storms, floods, droughts and heatwaves were recorded in the Munich Re NatCatSERVICE database, and this is significantly above the ten-year average of 590.

After three years of relatively low nat cat losses, the figures for 2016 are back in the mid-range, where they are expected to be. Losses in a single year are obviously random and cannot be seen as a trend”, said member of the Board of Management Torsten Jeworrek. “The high percentage of uninsured losses, especially in emerging markets and developing countries, remains a concern.

While the digital threats may be seen as the greatest concern to business continuity professionals, according to the Business Continuity Institute’s latest Horizon Scan Report, that's not to say that threats of a more physical nature don't exist. Adverse weather featured as a top ten threat with more than half of respondents (55%) to a global survey expressing concern about the prospect of this threat materialising, while a quarter expressed concern about the possibility of an earthquake/tsunami.

Earthquake in Japan most expensive natural catastrophe of 2016

The costliest natural catastrophes of the year occurred in Asia where there were two earthquakes on the southern Japanese island of Kyushu close to the city of Kumamoto in April (overall losses US$31bn; proportion of insured losses just under 20%), and devastating floods in China in June and July (overall losses US$20bn; only some 2% of which were insured).

North America was hit by more loss occurrences in 2016 than in any other year since 1980, with 160 events recorded. The year’s most serious event here was Hurricane Matthew which had its greatest impact on the Caribbean island nation of Haiti, which was still struggling to recover from the 2010 earthquake. Matthew killed around 550 people in Haiti, and also caused serious damage on the east coast of the USA. Overall losses totalled US$10.2bn, with over a third of this figure insured.

Series of storms in Europe, wildfires in Canada

North America was also impacted by other extreme weather hazards, including wildfires in the Canadian town of Fort McMurray in May, and major floods in the southern US states in the summer. In Canada, the mild winter with less snow than usual, and the spring heatwaves and droughts which followed, were the principal causes of the devastating wildfires that hit the provine of Alberta, generating overall losses of US$4bn. More than two-thirds of this figure was insured. In August, floods in Louisiana and other US states following persistent rain triggered losses totalling US$10bn, only around a quarter of which was insured.

There was a series of storms in Europe in late May and early June and torrential rain triggered numerous flash floods, particularly in Germany, and there was major flooding on the River Seine in and around Paris. Overall losses totalled some US$6bn, around half of which was insured.

A look at the weather-related catastrophes of 2016 shows the potential effects of unchecked climate change. Of course, individual events themselves can never be attributed directly to climate change. But there are now many indications that certain events – such as persistent weather systems or storms bringing torrential rain and hail – are more likely to occur in certain regions as a result of climate change”, explained Peter Höppe, Head of Munich Re’s Geo Risks Research Unit.

The findings of this study, and the costly impact of natural catastrophes that it highlights, shows just how important it is for organizations to practice effective business continuity management. This won't negate the likelihood or consequence of such an event, but it will ensure that, should one occur, plans and processes are in place to enable the organization to manage through it, limit the impact and make sure that at least the priority activities can be carried out.

DRJ-LogoAccording to the results of a recent Osterman Research survey of 187 IT and/or HR decision makers, fully 69 percent of respondents have suffered significant data loss resulting from employees who left.

While 96 percent of respondents disable access to employees' mailboxes when they depart, 49 percent don't monitor access to every application and source of data the departing employee used, 47 percent don't delete data used by the departing employee, and 28 don't wipe corporate data from employee-owned devices when they leave the company.

"Whether it's premeditated or simply in error, many employees leave their employers with a wide variety of data types that can include confidential or sensitive financial data, customer information and/or product, sales and marketing roadmaps, as well as other business critical intellectual property," Osterman Research CEO and founder Michael Osterman said in a statement.



Monday, 09 January 2017 00:00

How Real Is the Multi-Cloud Environment?

DRJ-LogoEnterprises that have migrated workloads to the cloud are quickly coming to realize that even virtualized, third-party infrastructure does not in itself provide the flexibility needed to meet emerging data requirements. This is particularly true in single-cloud environments in which resources and configuration options are limited to what the cloud provider has developed for generalized consumption.

This is why multi-cloud architectures are expected to make a big play in the coming year. By distributing data and applications across varied infrastructure, the enterprise can better tailor resources to the appropriate workload and reduce the risk of stranding workloads in cloud-based silos.

The challenge, of course, comes in managing the multi-cloud environment. Hybrid clouds, by nature, are designed to provide portability and federation across disperse resource sets, but how advanced is this technology really? And does it provide the kind of seamless level of operation to truly propel data productivity to a new level?



Monday, 09 January 2017 00:00

BCI: Salary benchmarking survey

BCI-LogoThe Business Continuity Institute

Are you being paid what you deserve? Do you think others may be getting paid more than you despite having the same level of qualifications or experience?

It may be that for some people the job itself is reward enough. Most of us however, work for the salary we receive as without it we would struggle to survive. You may or may not agree that money makes the world go round, but you can't deny it is important.

We all like to feel we are being rewarded fairly for our endeavours, and this means being able to compare what we are paid with what somebody else in a similar position is paid, not to mention all the other benefits that you (or they) receive. It's also helpful to know what skills, experience or certifications could lead to a higher salary.

To help you with this, the Business Continuity Institute has just launched its annual Salary Benchmarking Survey, in order to develop a better understanding from those people working in the business continuity and resilience industry what the typical rewards are.

Please do complete the short survey (it will only take five minutes) and all respondents will be in with a chance of winning a £100 Amazon gift card (or the equivalent value in another currency).

DRJ-LogoServerless computing can make your cloud-based apps much more efficient. Wondering what serverless computing means, what the advantages and drawbacks are and how you can go serverless? Keep reading for a primer on serverless computing solutions.

Before diving into the details, let’s get one thing straight: Serverless computing does not mean computing without servers. In a serverless computing environment, you still host your apps on servers.



DRJ-LogoA recent survey of 4,000 representatives of businesses in 25 countries found that 16 percent of respondents are not protected from DDoS attacks at all, and 39 percent admit that they're unclear on how best to combat DDoS attacks.

The 2016 Kaspersky Lab Corporate IT Security Risks survey also found that 49 percent of respondents rely on built-in hardware for protection from DDoS attacks, and 40 percent assume that their ISP will provide protection from DDoS attacks.

Twelve percent of respondents believe a small amount of downtime due to a DDoS attack would not cause a major issue for their company.



DRJ-LogoYesterday, I noted that AT&T’s 2017 roadmap includes fixed wireless 5G trials. Such trials and early rollouts of 5G likely will lean heavily of fixed wireless, since it’s easier to hit a stationary target. The hard stuff, such as delivering 5G to a device speeding along the highway, can be saved for later.

That doesn’t mean that fixed wireless is not already out in the field and, in some cases, making money and serving real subscribers. The great attractions of the technique are those of wireless in general: No streets need to be dug up. The economics of fixed wireless improve as the coverage area’s footprint becomes less dense.

Today, WirelessWeek reported that U.S. Cellular is moving on non-5G fixed wireless; CEO Kenneth Meyers said at an investor conference that it will continue fixed wireless testing that it began last year with Nokia. A comment from Meyers indicates that the sweet spot for the service may be in rural areas where “the cable footprint stops.”

Despite the fact that both AT&T and U.S. Cellular are in test mode regarding fixed wireless, it’s already a very much proven technology. Starry and Rise Broadband are two good examples.



FEMA LogoCOLUMBIA, S.C. — In nearly every major disaster, as recovery efforts move into their final stages, rumors and misinformation find their way onto social networks and elsewhere. Hurricane Matthew is no different. Survivors with questions about the recovery in South Carolina should be wary of what they may read or hear. Always ask for clarification from official sources.

Straight answers and plain facts are available from Federal Emergency Management Agency experts on FEMA's Help Line. Call 800 621-3362 (voice, 711, video services) or 800-462-7585 (TTY). Or visit DisasterAssistance.gov.

Here are some common rumors you may have already heard:

RUMOR: If survivors receive FEMA assistance, it could reduce their Social Security benefits.

FACT: Disaster assistance does not count as income. FEMA assistance will not affect Social Security, Medicare or other federal and state benefits.

RUMOR: If you receive money from FEMA you have to pay it back.
FACT: FEMA grants do not have to be repaid.

RUMOR: Receiving a letter from FEMA stating the applicant is not eligible means the person will not get any assistance.
FACT: Receiving such a letter does not necessarily mean an applicant is not eligible for disaster aid, even when the letter states "ineligible" or "incomplete." It can be an indication that further information is needed, or that the applicant's insurance claim needs to be settled before disaster aid can be granted.

RUMOR: If you take FEMA assistance, they take your property.
FACT: FEMA has no authority to take property of any kind from anyone.
Appealing FEMA's Decision

RUMOR: Once FEMA determines that you are not eligible for assistance there is nothing you can do.

FACT: Every homeowner and renter has the right to appeal FEMA's determination decision. The first step in appealing the decision is reading your determination letter carefully. Sometimes FEMA just needs additional information. There may be issues with your application that can be resolved quickly and easily, enabling you to receive assistance.

RUMOR: You cannot get help from FEMA if your determination letter says that you are not eligible because you have insurance.
FACT: If your insurance coverage is insufficient to make essential home repairs, provide a place to stay or replace certain contents, FEMA can reconsider you. But you must provide documents from your insurance company that detail your settlement. Contact your insurance company if you need settlement documents and then provide that information to FEMA.

RUMOR: If you inherited your home and have lived there for years, but do not have the deed, you cannot receive assistance.
FACT: There are other documents besides a deed you can submit to prove home ownership, including mortgage, insurance documents or tax receipts. If you do not have a deed handy, speak to your local officials about obtaining a copy.

How to file an appeal

If you decide to appeal FEMA's decision, your appeal must be in writing and must be received within 60 days of the date on your FEMA determination letter. You may file your appeal documents by fax at 800-827-8112, or by mail to: FEMA National Processing Service Center, P.O. Box 10055, Hyattsville, MD 20782-7055.


RUMOR: People can donate money or items to FEMA to help flood victims.
FACT: Not true. FEMA does not accept donations of any kind. However, many legitimate organizations need donations. In South Carolina, the "One SC Fund" supports and directs funds to nonprofit organizations providing disaster relief and recovery assistance. For more information, visit yourfoundation.org/community-impact/one-sc-fund-sc-flood-relief/.

Survivors continuing to need help recovering from Hurricane Matthew, or are in need of food or clothing, should call 2-1-1 for assistance.

U.S. Small Business Administration (SBA)

RUMOR: Only businesses can get low-interest disaster loans from SBA.

FACT: SBA low-interest disaster loans are available to homeowners and renters, as well as businesses of all sizes (including landlords) and private nonprofit organizations, for disaster damages not fully covered by insurance or other compensation.

RUMOR: If you complete an SBA loan application, you have to take out a loan.
FACT: You are not obligated to accept a loan if you do not want one. However, if you are referred to SBA for a disaster loan application you should complete and return it. If the SBA is unable to approve a home loan, you may be referred back to FEMA for other needs assistance. You may be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage

expenses. SBA low-interest disaster loans are available to homeowners and renters, as well as businesses of all sizes (including landlords) and private nonprofit organizations, for disaster damages not fully covered by insurance or other compensation.

Hurricane Matthew survivors should visit fema.gov/disaster/4286 or the South Carolina Emergency Management Division at scemd.org/recovery-section/ia to learn about

FEMA assistance and other useful recovery information. You may get information about the recovery from friends, neighbors, family members, or others that is wrong. Help yourself and others by checking it out on the website.


All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). If you have a speech disability or hearing loss and use a TTY, call 800-462-7585 directly; if you use 711 or Video Relay Service (VRS), call 800-621-3362.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow us on Twitter at https://twitter.com/femaregion4 and the FEMA Blog at http://blog.fema.gov.

The SBA is the federal government's primary source of money for the long-term rebuilding of disaster- damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA's Disaster Assistance Customer Service Center by calling 800-659-2955, emailing This email address is being protected from spambots. You need JavaScript enabled to view it., or visiting SBA's website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

Thursday, 05 January 2017 00:00

Standardize your notifications and alerts

Why standardize messages?

By thinking beforehand about how you want messages to appear—each and every time you send one out—you can build a comprehensive set of notification templates that can be used by everyone who needs to create message content.

Building this kind of template is important. Without one in place, the haphazardness of your messages may dull their impact. But with one in use, you’ll give your initiators one less thing to think about in a crisis.

Here are factors to consider when standardizing your messages:



More than one-third of AT&T’s customer-facing network is now virtualized, which means the company can provision services for that portion of the network as simply as downloading them from an app store instead of buying and installing hardware appliances.

That’s according to John Donovan, AT&T’s chief strategy officer and group president, who reported on progress of the telco’s multi-year network virtualization project while speaking at an industry conference in Las Vegas in December, FierceTelecom reports.


“To hit 34 percent of our network functions in software really bodes well for us for 2017 to get the things done that we want to do,” he said.



Thursday, 05 January 2017 00:00

Making the Most of Bare Metal in the Cloud

DRJ-LogoVirtualization and the cloud were the dominant trends in IT infrastructure over the past decade, and there is no reason to think they won’t support a significant chunk of the enterprise workload going forward. But alternate solutions are starting to take hold as well, including that old stand-by: bare-metal servers.

In many cases, enterprises are pursuing mixed infrastructure solutions in order to maintain the diversity required of increasingly complex application and data loads. Bare metal in the data center, for instance, will likely hold out as long as the enterprise employs traditional productivity apps – which experts agree should be for quite some time. Alternatively, organizations are starting to see the benefits of bare-metal cloud solutions for critical workloads, even as the popularity of shared, virtual resources gains for nearly everything else.



Thursday, 05 January 2017 00:00

FEMA: Resolve to be Ready in 2017

By Nancy Dragani

FEMA LogoAs 2016 winds down, it is natural to reflect on what we’ve accomplished in the past and where we are headed in the future.  This year reinforced the threat of wildfires in the Great Plains and Rocky Mountains, brought severe storms and flooding to some of our communities and reminded us once again that winter can be a formidable foe.  Yet despite these threats to our communities, one of our strengths as Americans is our ability to face misfortune and challenges, pick ourselves up, dust ourselves off and get back to the business of living our lives.

While natural hazards are by their very nature unpredictable, that doesn’t mean we can’t learn from past experience.  It is how we know to be ready for subzero temperatures and snow storms in January and February, storms and flooding in the spring and summer, and wildfires potentially all year long.

For those living in this part of the country, the values of self-reliance and looking out for your neighbors have been instilled for generations. Today, they also serve as a cornerstone to building a culture of preparedness and readiness that serves all of our communities.  That culture starts in the home and community. At home, simple things such as family fire drills or assembling a home preparedness kit can make your family better prepared for any disaster.  Community events during National Preparedness Month in September brought communities big and small together to highlight actions that make us more resilient.  Next April will bring another National Day of Action to culminate America’s PrepareAthon.  You can learn more about these events and see how you can participate at community.fema.gov.

You can also become more prepared by ensuring that you and your family are aware of the hazards that can impact your home.  Start by checking that smoke, radon and carbon monoxide detectors in your home are functioning properly. Consider purchasing a NOAA weather radio or adding the FEMA app to your smartphone to keep you notified of severe weather in your area. Put together a personal disaster plan, assemble a supply kit and create a family communication plan.  If you are so inclined, join a Community Emergency Response Team or volunteer with an agency of your choosing. For more information on volunteer and training opportunities, contact your local or state emergency management agency.

We can’t prevent every disaster.  But we can be better prepared when disaster strikes.  Now is the time to make sure you and your community are ready.

Nancy Dragani serves as the Acting Administrator for FEMA Region 8, serving the states of Colorado, Montana, North Dakota, South Dakota, Utah and Wyoming.

BCI-LogoThe Business Continuity Institute



2016 was another busy year for the Business Continuity Institute, beginning with the announcement of our exciting new  partnership with Regus, a partnership that increases the value we offer our members by providing even greater benefits such as improved access to their worldwide facilities.

The first of many research reports to be published throughout the year was our annual Horizon Scan Report, a report that highlighted just how significant the digital threat can be as cyber attacks and data breaches filled the top two spots yet again. It also revealed that physical threats like terrorism are a growing concern, a concern that is unlikely to go away any time soon.

Demonstrating the truly global nature of the Institute, the BCI launched a new Chapter in February when the India Chapter was formed after much hard work by the Forums we already had in India. This brings the total number of Chapters to ten, not to mention over 60 Regional Forums that exist across the world.

With so much discussion being on organizational resilience in recent years, debate has focused on how it relates to the established business continuity management discipline. The BCI therefore decided to release a position statement noting that business continuity provides principles and practices that are an essential contributor for any organization seeking to develop and enhance its resilience capabilities.

During the first half of the year, much of the media was filled with stories about Brexit and the inconceivable possibility that the United Kingdom could vote to leave the European Union. Before the referendum took place, the BCI hosted a discussion forum where experts in the field of economics, human resources, supply chain and crisis management offered their views on the potential implications. An edition of the Working Papers Series was also published on horizon scanning post-Brexit. In the end the vote was in favour of leaving the EU so it will be very interesting to see what the challenges of Brexit will be from a business continuity perspective over the next few years.

In May we hosted our annual awareness week which was themed on return on investment and was designed to demonstrate the value of business continuity, and not just the obvious benefits that business continuity has in the event of a disruption. The report we produced highlighted that effective business continuity can result in savings and efficiencies within an organization, it can lead to reduced insurance premiums and can support contract negotiations. In 2017 (15th to 19th May) the theme for Business Continuity Awareness Week is cyber resilience so make sure you get involved and play yourpart in raising awareness of your industry.

While BCAW demonstrated the return on investment of business continuity, we also used the opportunity to demonstrate the return on investment of business continuity certification when we launched our first ever Salary Benchmarking Report, a report which revealed that those who had achieved one of the world’s leading credentials in business continuity earned more than their non-certified colleagues by up to 30%. A good a reason as any to study for your CBCI!

Partnering with Regus in order to improve the benefits we offer our members wasn’t the only partnership we announced during the year. In July we formed a new partnership with the Disaster Recovery Information Exchange that will improve access to networking opportunities to members across Canada.

Among a number of new research reports we published during the year was our Cyber Resilience Report, a topic that is clearly of great importance to business continuity professionals given the findings of our Horizon Scan Report. This report revealed that two thirds of organizations had experienced at least one cyber security incident during the previous year, and that 15% had experienced at least ten.

Our BCI World Conference in November was another great success with many visitors exploring the exhibition hall while delegates were captivated by Michele Wucker’s grey rhinos, Lewis Dartnell’s experiments and former New York Senator Michael Balboni’s insight into the US Presidential Election, an event that could also pose challenges to organizations over the coming years from a business continuity perspective.

BCI World wasn’t the only conference hosted by the Institute during the year. Following on from the inaugural BCI Middle East Conference in 2015, the BCI hosted a Netherlands and Belgium Conferencein May and an Africa Conference in September, not to mention the Australasian Chapter’s hugely successful Australasia Summit.

At BCI World we published our annual Supply Chain Resilience Report, which showed that one in three organizations had experienced cumulative losses of over €1 million during the previous year as a result of supply chain disruptions. We also published our first ever Workplace Recovery Report which revealed a disconnect between business continuity professionals and end users when it comes to workplace recovery. It is a busy time of year for our research department as this was followed soon after by our Emergency Communications Report which demonstrated why it is important to have arrangements in place to communicate with staff, particularly when those staff are geographically dispersed and often in high-risk countries.

In addition to all the research reports published during the year our research department had been busy with other projects such as the Working Paper Series which has seen four new editions on digital business continuityBrexitpandemic transmission speeds and desktop exercises. The research department has also been supporting the 20/20 Think Tank in its publications with papers on responding to the resilience challenge and the changing resilience landscape.

Throughout the year there has been lots to celebrate with eight award ceremonies taking place in North AmericaMiddle EastEuropeAsiaAfricaAustralasia and India before culminating in the final ceremony for the Global Awards held at a Gala Dinner following day one of the BCI World Conference. Congratulations once again to all those who won an award during the year, it was truly a tremendous achievement.

At the end of the year we said farewell to our outgoing Executive Director – Lorraine Darke – who had been at the Institute for 12 years, and in recognition of her achievements at the BCI she was awarded an Honorary Masters degree by Bucks New University. As a result of Lorraine’s departure, we welcomed in our new Executive Director – David Thorp – who joins the BCI from the Security Institute.

We also said farewell to David James-Brown FBCI whose two years as Chairman of the Institute came to an end. Of course it wasn’t a complete farewell as David will still have a very active role within the Institute. James McAlister FBCI became the new Chairman of the Institute, and Tim Janes Hon. FBCI was elected by his fellow members of the Global Membership Council to be the new Vice Chair.

As the above has shown, it was a very busy year for the BCI with plenty going on, but 2017 is destined to be busier still. With a new Executive Director and a new Chairman in place, both keen to make their mark, we can expect even more output from the BCI in order to better serve our members and the entire business continuity and resilience community.

Avalution-LogoThis perspective provides an overview of the Business Continuity Institute’s Professional Practice 6 (PP6) – Validation, which is the professional practice that “confirms that the Business Continuity Management (BCM) program meets the objectives set in the Business Continuity Policy and that the organization’s BCM program is fit for purpose”. Business continuity practitioners should perform validation activities after documenting response and recovery plans for their organizations (for more on planning, read our perspective on PP5 – Implementation). 


PP6 addresses three activities specific to the validation of BCM program assumptions. First, PP6 provides guidance regarding the development and execution of an exercise program, which validates the business continuity requirements gathered during the business impact analysis (BIA) and the strategies documented in the organization’s business continuity plans. Second and third, PP6 covers the principles and techniques necessary for performing both program maintenance activities and program reviews to identify improvement opportunities and increase organizational resilience. Let’s take a closer look at each activity.



Wednesday, 04 January 2017 00:00

Digital Insurance Success Demands New Metrics

DRJ-LogoDigital technologies are transforming the entire value chain of insurance, not only opening up new distribution opportunities, but also altering how insurers can assess, price, and manage risks, and creating new distribution and business models. At Forrester, we have done extensive research over the past year that involved speaking to incumbent insurers and insurance technology providers, as well as leveraging our consumer technographics data for our digital insurance strategy playbook. The playbook provides guidance that digital business strategy professionals need to formulate and hone their digital insurance strategy in the age of the customer.

We have recently published the executive overview, landscape, processes, assessment, and benchmark chapters.

For the performance management chapter specifically, we found that although digital insurance strategy executives depend on measurement to justify digital initiatives, many insurers fail to effectively and meaningfully measure the impact of digital insurance on wider business objectives. For example, while it's important to measure sales driven by individual digital touchpoints such as web and mobile, mobile-only and web-only sales metrics alone fail to demonstrate the value of customers who research insurance online but then buy through an agent, or vice versa. Futhermore, a focus on simple sales metrics ignores the importance of digital touchpoints in providing services that savvy customers value, such as being able to track the status of a claim.



SBCP LogoStrategic BCP’s innovative ResilienceONE business continuity management (BCM) software now offers new, pinpointed screens and clean navigation to complement its powerful and flexible functionality. It’s called Version 8.0 and its becoming the most simplified user experience in the Business Continuity and Disaster Recovery industry.

Version 8.0 includes:

IMPROVED PLAN DEVELOPMENT: With just one click, users can easily access their tasks, generate consistent plans, and route them through approval workflows—with no setup required. ResilienceONE’s new user interface makes things easy.

NEW DYNAMIC TASK WIZARDS: As tasks are assigned to users, customized planning workflow navigation is automatically created that takes users step-by-step through completing tasks. Administrators can easily customize the workflows with specific instructions that accompany each task.



Wednesday, 04 January 2017 00:00

Data Visualization 101: What, Why, How?

DRJ-Logo“A picture is worth a thousand words.” This old, English idiom could not ring more true than in today’s fast-paced, digital age – the big data age. At a time when we are creating 2.5 quintillion bytes (or 2.5 million terabytes) of data each day, executives and decision-makers across the globe are looking for ways to turn complex and voluminous data into comprehendible and comprehensive, actionable insights. Enter, data visualization.

What is Data Visualization?

The visualization of data for purposes of analysis is not a new concept. Finding their roots in Descartes’ Cartesian coordinate system, several graphical diagrams such as the line, area and bar chart were invented in the late 18th century by Scottish engineer and political economist, William Playfair. He was also the inventor of the once widely-popular, yet more recently denounced, pie chart.

Data Visualization sits atop the Big Data Analytics pyramid (Figure 1) and is often the only layer that is visible to executives and other decision-makers. Thus, the success or failure of a Big Data analytics program often depends on the success of the visualization layer. A company may have the most advanced data capture, storage, and transformation technology (and use the most complex algorithms and statistical models to analyze that data), but if the information isn’t displayed clearly, accurately and efficiently, the whole point of leveraging Big Data is lost.



DRJ-LogoHappy New Year to all! We at MHA wish you all a successful and happy year. We have been reviewing what we accomplished last year both personally and professionally and have identified goals for this year.

We’re continuing our efforts to reduce risk and prepare our organizations for potential issues in the new year. To that end, we’re providing a list of business continuity planning resources you may not have used before. You’re probably already familiar with some of these, but you might find it beneficial to review them again as you update strategies, perform risk assessments, or identify where to focus your business continuity program.



DRJ-LogoThe CRM market serving the large enterprise is mature. The market has consolidated in the past five years. For example, Oracle has built its customer experience portfolio primarily by acquisition. SAP, like Oracle, aims to support end-to-end customer experiences and has made acquisitions — notably, Hybris in 2013 — to bolster its capabilities. Salesforce made a series of moves to strengthen the Service Cloud. It used this same tactic to broaden its CRM footprint with the acquisition of Demandware for eCommerce in 2016.

These acquisitions broaden and deepen the footprints of large vendors, but these vendors must spend time integrating acquired products, offering common user experiences as well as common business analyst and administrator tooling — priorities that can conflict with core feature development.

What this means is that these CRM vendors increasingly offer broader and deeper capabilities which bloat their footprint and increase their complexity with features that many users can't leverage. At the same time, new point solution vendors are popping up at an unprecedented rate and are delivering modern interfaces and mobile-first strategies that address specific business problems such as sales performance management, lead to revenue management, and digital customer experience.



DRJ-LogoInfrastructure throughout the United States is in real trouble.  It is a regular occurrence to read about road collapses, bridge failures and sinkholes openings.  This massive sinkhole outside of Detroit is quite a hole indeed.

Last week residents were awakened about 6 a.m. by the sounds of crackling and cracking that kept getting louder and louder. People woke up and literally saw the ceiling splitting. Think about that for a moment.

The noise turned out to be the beginnings of a massive sinkhole opening up. It is 60 feet deep and has since spread to nearly the length of a football field prompting the evacuation of residents from 22 homes.

This could have just as easily been your business.



As the transition to a new Presidential administration unfolds, uncertainty abounds. Predictions made about the regulatory landscape made before November may not ring as true, as Republicans look to make good on promises about smaller government and regulatory reform, particularly in banking and finance. Likewise, the potential repeal of the Affordable Care Act and significant changes to Medicare will make waves in health care regulation. In times characterized by dramatic change and unpredictability, it’s important to refocus on what you know, what you can control and how you can create a more resilient business.

It’s important not to lose perspective: while many federal agencies (and their mandates) will be reshaped by new leadership or directed to change their priorities, state and industry regulations may not shift – or may react in opposition. Enterprise risk profiles and existing threat conditions may not be markedly affected by changes at the federal level. Organized cybercrime syndicates, for example, probably don’t care much about who’s in the White House.

Organizations that have been working to strengthen their cybersecurity stance, manage risk and protect customer data and privacy have no reason to pull back on those efforts; in fact, they should work to optimize their governance, risk and compliance programs as organized defense against threats to their goals and trusted status.



DRJ-LogoIf you believed everything you read, nothing would be correct.  The cloud, we’ve been told, will absorb resources and investment from enterprises, leading to smaller and fewer enterprise data centers.  Indeed, entire businesses will cease to exist as a result of a tremendous force of enterprise absorption, as predicted by former Cisco CEO John Chambers in 2015.

The cloud, we’re told, will rejuvenate enterprises and restore their faith in their ability to own and maintain their own infrastructure.  Indeed, entirely new businesses will bloom and prosper, as predicted by the contributors to the OpenStack Foundation, one of which is Cisco.

So what does the evidence tell us?  Last June, we reported the findings of the latest Uptime Institute survey for 2016.  Fewer respondents said their firms were building new data centers within the previous 12 months — which was fewer than the year before.  This would appear to have disproven a 451 Research report the previous year, which predicted that nine of 10 data center operators planned to build a new facility.



DRJ-LogoAfter we ran the list of the most popular stories that appeared on Data Center Knowledge this year, we couldn’t help pondering the reasons those stories resonated with so many people. The most obvious reason that applies to all of them is that they illustrate some of the biggest changes the data center industry is undergoing.

Here are our thoughts on what those changes are and how some of our stories illustrate those macro-level trends.

The Days of Cloud Doubt are Gone

In February, a short blog post by Yuri Izrailevsky, who oversees cloud and platform engineering at Netflix, notified whoever cared that the online movie streaming pioneer had completed its migration from own (or leased) data centers onto AWS. As it turned out, a lot of people cared. This was hands-down the most widely read story we ran this year.



Wednesday, 04 January 2017 00:00

Cyber Threats and Mass Communications Systems

Disaster Recovery and Business Continuity

AlertMedia-LogoA recent Ernst & Young survey of 1,735 C-level executives and IT professionals found 57 percent of them said they consider disaster recovery and business continuity as their top priority but only 39 percent plan to invest in improvement efforts. This is surprising since 42 percent said they do not have an agreed communications strategy or plan in place in the event of a significant cyber attack.

When we think of mass communications and emergency notification systems, we often think of weather-related events, power outages, fires, and other workplace emergencies. We don’t always jump to cyber security. Yet, cyber security is a big deal. It is estimated that cyber attacks cost businesses as much as $400 billion a year and is expected to reach $2 trillion by 2019.

Most of us have been victims of cyber security through the places we shop and banking systems we use. We all remember Home Depot, Target and more recently, Yahoo all being hacked. I personally received emails from all three of these companies warning me that my personal data may have been compromised.



DRJ-LogoA new way to get insider information…hack it! The WSJ reported this week that three Chinese hackers (traders) earned more than $4 million in illegal profits after they hacked into the computer systems of prominent U.S. law firms and stole nonpublic information on mergers and acquisitions. These hacks should be a loud wake up call for law firms, which have long been considered vulnerable to cyberattacks.

The traders bought shares of at least five publicly traded companies, including drug and chip makers, before the firms announced the deals, according to an indictment from the Manhattan U.S. attorney’s office. The traders learned about the deals by gaining access to email accounts of law-firm partners working on the transactions. The hackers reportedly took millions of documents from two law firms’ servers between April 2014 to late 2015.

Federal investigators were probing hacks of Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in matters including lawsuits and multibillion-dollar merger negotiations. The traders were arrested in Hong Kong on Sunday, and law-enforcement officials are seeking to have them extradited to the U.S. Manhattan U.S. Attorney Preet Bharara noted that his incident “should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”



Wednesday, 04 January 2017 00:00

Avoid Common Disaster Recovery Plan Pitfalls

DRJ-LogoDisaster Recovery planning can be painstaking.  There are so many nuanced areas of focus that it is easy to miss key information that could hinder or block restoring systems and data within the time frames required by the organization.  Exercising plans is essential to help illuminate these hidden risks.  Here are some items we frequently find missing even in very mature disaster recovery plans.



Wednesday, 04 January 2017 00:00

Disaster Recovery Trends for 2017

DRJ-LogoAs we begin a new year, many will review where they would like to improve or change. Fitness clubs will be full and we will try to eat better in January. And then the clubs will be back to normal, and I will be eating ice cream and cookies for dessert in February. As we look at our business continuity and disaster recovery programs, what areas need improvement or change? As you consider those areas, there are some trends and items we see for 2017. We hope this list will assist in your program and recovery planning.



BCI-LogoThe Business Continuity Institute

At the Disaster Recovery Journal Fall World Conference in September 2016, the Business Continuity Institute’s US Chapter and the US 20/20 Group had the opportunity and responsibility to organize and participate in the DRJ Advanced Track, specifically designed for the most seasoned attendees. The 20/20 Group's role in defining the agenda, securing the speakers and overseeing the DRJ Advanced Track underscores their role in providing leadership at the conference.

The session was largely focussed on the changing face of the professional in the business continuity industry. In the context of an ever-increasing focus on resilience and the engagement of multiple disciplines, what is the business continuity professional’s role? Do they take overall ownership for the response, recovery and resumption, coordinating the activities of others? Are they a facilitator, ensuring that the right people take the lead? Or are they simply a participant, bringing their business continuity skills with them, but taking their lead from someone else?

The discussion also looked at the top ten threats that featured in the BCI’s latest Horizon Scan Report and considered what role the business continuity professional may play in the response to each of those threats materialising.

From all this discussion, a new paper was published which suggested three major points that underscore the need to reposition the business continuity professional in the future:

  • Threats are real and expanding, leading to increased business risk.
  • These changes are leading to changes in our profession.
  • Our success will be based on our knowledge of the organization and its business environment, including customers and their expectations.

Patrick Alcantara DBCI, Senior Research Associate at the BCI, commented: “The movement towards resilience offers opportunities to business continuity professionals to upgrade their skills, engage with related management disciplines, and create more impact within the organization. This paper from the BCI US 20/20 Group affirms the contributions made by business continuity professionals and proposes a way forward with building resilient organizations as a goal. I would like to thank the BCI US 20/20 Group, Chaired by John Jackson FBCI, for distilling the latest thinking into a timely piece which contributes to our collective understanding of resilience.

Download your free copy of The changing face of the business continuity professional today in order to develop your understanding of the future of the profession.

BCI-LogoThe Business Continuity Institute

Despite the perception that hackers are an organization’s biggest cyber security threat, insiders, including careless or naive employees, are now viewed as an equally important problem, according to new research conducted by Dimensional Research on behalf of Preempt.

The growing security threat from insiders report found that 49% of IT security professionals surveyed were more concerned about internal threats than external threats, with the majority (87%) most concerned about naive individuals or employees who bend the rules to get their job done. Only 13% were more concerned about malicious insiders who intend to do harm.

Malware unintentionally installed by employees ranked as the top internal security concern with 73% of respondents claiming they were worried about it, ahead of stolen or compromised credentials (66%), snatched data (65%) and abuse of admin privileges (63%).

Internal threats are emerging as equally as important as external threats, according to respondents. This means that an employee cutting corners to get their job done more efficiently is viewed as potentially just as dangerous as a malicious external hacker,” said Diane Hagglund, founder and principal of Dimensional Research. “Yet these views aren’t reflected in the allocation of security budgets, which is traditionally focused on perimeter security.

In addition to concerns about insider threats, the report also analysed cyber security training and end user engagement programmes. While nearly all of the organizations surveyed (95%) provide end user security training, very few (10%) believe the training is very effective.

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity institute's latest Horizon Scan Report. It is perhaps for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organization's overall resilience by improving cyber resilience, and recognising that people are key to achieving this

Intentional or not, insider threats are real,” says Ajit Sancheti, co-founder and CEO of Preempt. “From Snowden to the FDIC, headlines continue to emerge and we need to take a new approach to get ahead of insider threats. Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices rely on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.

BCI-LogoThe Business Continuity Institute

We have recently been informed that Yahoo! has been hacked and has possibly lost up to 1 billion customer records. They have admitted that the information was lost in August 2013, but they are only informing their customers now. The impact and fallout of this incident is just starting. What can the business continuity manager do to stop this happening within their organization and secondly, how can we prepare for a similar event?

Yahoo! is on the slide, once synonymous with the internet and email, it is a shadow of its former self. For me they are a bit like a virus, using underhand tactics to infect your computer with their search engine. Only in certain circumstances do I get a Yahoo! to search for me and can’t work how to stop this happening. When you have to use these tactics to get in front of your potential customers, it does not show a company that is at ease with its brand and marketing.

The company is shrinking as they are losing customers through information security breaches. This cycle repeats itself with every breach and draws increasing attention to their non-vigilance in this highly sensitive area. There has been some talk in the papers about whether parts of the organization knew about the data loss but were reluctant to pass the information up to senior managers. When you have this type of culture going on within your organization, it is a struggle to manage an incident successfully. We all know that it’s not the initial incident that gets you, but the cover up.

So, what can the business continuity manager do? I think the first piece of advice I would give them, is if your organization is dysfunctional, on the slide, and does not take crisis management, resilience or business continuity seriously, your best option is to find yourself a new job! If you are knowledgeable and ambitious there are plenty of companies out there who would like to make use of your skills.

I have said time after time in my bulletins that one of the roles of the business continuity manager is to horizon scan and be aware of new threats which are not being sufficiently addressed. Senior managers may decide not to do anything to address the threat which is their prerogative, but yours is just to make them aware, qualify the impact and suggest appropriate mitigation measures.

With cyber events being in the news every week it is hard for any CEO to have missed the threat. What they may not know is their organization’s level of preparation and possible impacts. As the business continuity manager, you could suggest an independent audit against ISO 27001 perhaps, to determine your level of vulnerability.

Where I think you can add value is making sure your organization is prepared to respond to a cyber incident. Do you have a plan in place and has that plan been exercised? The techie guys, perhaps with outside help, will sort out the technical side of the response but the senior managers need to respond to the potential reputational damage an incident can cause. Possible scenarios can be played out in advance of difficult questions so those in the crisis team understand the implications of their actions. These could include whether to cut off connection to the outside world or pay a ransom.

The last area the business continuity manager can help in is ensuring appropriate responses are in place. Does the company have a contractor on standby or cyber insurance to ensure that experts can assist your own IT staff in responding to a hack? Do you have pre-formatted communications which you can send out to customers or staff, informing them of what they can do to protect themselves if their data is lost by your company?

Most business continuity managers are not experts in the technical aspects of a cyber response but we should be able to ensure that or organization is ready to manage a cyber-attack if it was to happen.

Charlie Maclean-Bristol is a Fellow of the Business Continuity Institute, Director at PlanB Consulting and Director of Training at Business Continuity Training.

MIR3-LogoCommunication is key to managing any kind of crisis, and a cyber event is no exception. As in so many business cases, an automated emergency notification system (EMNS) can ensure that the right message is delivered to the right people at the right time. A notification system should not be seen as an afterthought, but an integral piece of any comprehensive cybersecurity program.

As you work through a cyber event, communication is happening rapidly, both internally and externally. As we’ve mentioned in the past, notification of every person touched by a cyber event is often legally mandated and can be very specific. When choosing an automated a system, look for one that allows you to fulfill your legal communication obligations and to track and report all messages and responses.

As well as all your internal communications, your communication to outside counsel, forensics, other security experts and law enforcement should be fully integrated. After the event some industry agencies or regulatory bodies (and likely your cyber-security insurance provider) may require copies of the post-incident report—a good system will have those reports at your fingertips for you.



DRJ-LogoA new report demonstrates that the United States is still struggling with public health emergency preparedness. The report found that the nation is often caught off guard when a new threat arises, such a Zika or the Ebola outbreak or bioterrorist threat, which then requires diverting attention and resources away from other priorities. In Ready or Not? Protecting the Public from Diseases, Disasters and Bioterrorism, the report identifies ten key indicators of public health preparedness.

  • 26 states and Washington, D.C. scored a six or lower on 10 key indicators of public health preparedness.
  • In the report, Alaska and Idaho scored lowest at 3 out of 10, and Massachusetts scored the highest at 10 out of 10, with North Carolina and Washington State scoring 9’s.



Thursday, 22 December 2016 00:00

Emergency Alert Systems Both Then and Now

The Government’s Take on Alerts

AlertMedia-LogoI was surprised to learn that the federal Emergency Alert System (EAS) was only used at the local level until November 9, 2011 at 2 pm eastern. This date marked the first time FEMA ever tested the EAS nationwide. All of the television and radio test sirens you have ever heard were initiated by your local authorities.

The EAS was actually put in place in 1997 to replace the Emergency Broadcast System (EBS). Both were designed to give the President clear, uninterrupted access to thousands of television stations and broadcast radio stations across the U.S. and U.S. territories in the event of a national emergency. In essence, it ensures the President can address the nation quickly with real-time information. According to FEMA, “The EAS test plays a key role in ensuring our nation is prepared for all hazards and people within its borders are able to receive critical and vital information, should it ever be needed.”



Wednesday, 21 December 2016 00:00

Is Our Risk Management Mature?

DRJ-LogoWhenever there is a discussion about improving risk management, the subject of risk management maturity is often raised. The presumption is that the more mature a process is, the more effective it is. This article explores what that really means in the risk management realm.

Effective enterprise risk management (ERM) enables timely responses to the risks that matter. There are six elements of risk management infrastructure: (1) policies, (2) processes, (3) people and organization, (4) reports, (5) methodologies and assumptions and (6) systems and data. An effective risk response considers all of these elements. Once the six elements are in place for a given risk (or for a group of related risks), they pave the way for advancing the maturity of risk management.



Wednesday, 21 December 2016 00:00

How Cloudy is the Data Center’s Future?

DRJ-LogoThose of us who have been active in the IT industry for a while will recall when, in the early 1990s, a respected pundit opined that the last mainframe would be unplugged by the end of the first quarter of 1996.

The last time I looked – 20 years after that supposed termination – the great unplugging hasn’t yet come to pass.

Despite similar predictions of its impending supersession by cloud computing, the on-premise data center continues to show similar durability

At first blush, the persistence of the data center seems something of a conundrum, given the enticements of lower capital expenses and fast, flexible, on-demand access to IT capacity that the cloud delivers.



DRJ-LogoDuring a crisis is the worst time to find out that there are flaws in the communications portion of your disaster recovery/business continuity plan.

You’ve done everything right. You have an emergency notification provider that you will use to send out a message and ensure delivery to your recipients. And, of course, your employee contact information is all uploaded into the system. That’s great. But, have you really done everything?

We’ve seen the scenarios before.



DRJ-LogoWe are happy to share with you the results of our 2016 survey on the state of incident management we conducted among 152 IT professionals. It measures how often significant outages occur, how quickly their organizations can respond, and how much IT downtime costs their organizations.

It’s an eye opener to see that while companies have implemented service management for the most part (more than 90% of companies reporting that they have an IT Service Management system (ITSM), only 11% of companies stated that they have automated the process for organizing their response to IT outages and incidents.

This finding is significant because 47% of the companies reported having a major IT incident at least 6 times a year, the average cost of downtime is $8,662 per minute, and companies take 27 minutes on average to assemble an IT response team.



BCI-LogoThe Business Continuity Institute

Information security practitioners almost universally agree that human behaviour is their largest security threat, with 97% of security executives surveyed agreeing it was their organization's greatest vulnerability. This is according to a study by global technology company Nuix.

To counter the threat posed by human behaviour however, businesses are becoming less likely to use fear to convey important security ideas. Only 24% of this year’s respondents tried to scare people into improving security, compared to 39% last year. Instead, security leaders are using policies, awareness, and training to help people become part of the solution.

The Defending Data Report 2016 noted that while businesses were investing to develop broad and mature cyber security capabilities, many survey respondents were uncertain about the most effective technologies and capabilities to focus on. Nearly four in five respondents (79%) said they had increased spending on data breach detection in the past year, while 72% said they planned to do so next year. However, a majority of respondents (52%) said preventing data breaches was their top spending priority, while 42% said detection was their primary focus.

Cyber security is also a significant concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity institute's latest Horizon Scan Report. It is perhaps for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organization's overall resilience by improving cyber resilience, and recognising that people are key to achieving this

Where this breaks down is that a large proportion of people, even after they’ve had security awareness training, will still put their organizations at risk by opening malicious attachments and visiting suspect websites,” said Dr Jim Kent, Global Head of Security and Intelligence at Nuix. “While the policies and training are crucial, we need to get better at ‘idiot-proofing’ our technology so that even if people do the wrong thing, the malware doesn’t run or doesn’t achieve its goals.

DRJ-LogoThe Asia-Pacific data center market is extremely diverse, and regional and country-level differentiation is one of its defining characteristics. Today, as more and more American and European data center and cloud providers and their customers are looking east, it is important to be aware of several nuances that define the competitive landscape and put the various outlooks for specific markets into context.

First, let’s identify the region’s sub-markets. Singapore, Australia, Hong Kong and Japan are properly considered mature markets, and this distinguishes them from other Asia-Pacific markets that are still emerging. It is also interesting that Singapore and Hong Kong are really just single-city markets, while Australia and Japan are each home to multiple markets of meaningful sizes. The area can also be thought of in terms of sub-regions. There is Southeast Asia, ANZ (Australia and New Zealand), South Asia, and East Asia, while China, Japan, and Korea all exhibit characteristics that make them perhaps best understood as standalone markets.



Tuesday, 20 December 2016 00:00

CDC: Looking Back: 5 Big Lessons from 2016

Looking through the rearview mirror while driving in the planes

Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

CDC is always there – before, during, and after emergencies – and 2016 was no exception. Through it all, we’ve brought you the best and latest science-based information on being prepared and staying safe. Here’s a look back at 5 big lessons from a very eventful year. Follow the links to discover the full stories!

1. Expect the unexpected

Emergencies can devastate a single area, as we saw with Hurricane Matthew, or span the globe, like Zika virus. This year has shown us, once again, that we can’t predict the next disaster.

Zika virus was one of the top public health stories of 2016, and will continue to make headlines in 2017. CDC has worked hard since the start of the outbreak to make sure that people know how Zika is spread and how to protect themselves and their neighbors from the virus, including how to control mosquitos inside and outside the home.

This year, our Strategic National Stockpile was called on to locate and purchase the products to assemble ~25,000 Zika Prevention Kits for pregnant women in the U.S. territories. CDC also issued 180 Zika virus import permits so scientists could conduct research to develop better diagnostic tests, vaccine, and medicines. In any developing crisis, our mission is always to “conduct critical science to inform and communicate health information that protects our nation” against public health threats.

2. A health threat anywhere is a threat everywhere

Diseases like SARS and Ebola – and now Zika – compel us to focus on stopping outbreaks early and close to the source. As part of the Global Health Security Agenda, teams of international experts travel to countries, including the U.S., to report on how well their public health systems are working to prevent, detect, and respond to outbreaks. This assessment process is called the Joint External Evaluation.

In 2016, we worked at home and around the world to use the law to prepare for global health emergencies, train leaders from 25 countries in public health emergency management, and protect the health of those affected by humanitarian crises.

3. Kids and communities matter

Fred in bathtub

There’s a saying in emergency management that goes something like, “emergencies begin and end locally.” Truer words were never spoken. The minutes, hours, and days immediately following a disaster are the most critical for saving lives, and local communities are our first responders. Every community needs to be resilient and prepared to handle the unexpected.

Prepared communities look like the Georgia Department of Public Health, which conducted a statewide exercise to practice their response to a bioterrorist attack of plague, and New York City, which used lessons learned from West Nile virus to prepare for Zika.

Children are a particularly vulnerable part of our communities, and they have different needs than adults. Children need to be included and involved in planning and preparing for emergencies.

Fred the Preparedness Dog sets a great example by visiting schools across Kansas to teach kids to get a kit, make a plan, and be informed. Parents should also take steps to prepare themselves and their child in case they get separated during or after an emergency.

4. Words save lives

7 Things to Consider When Communicating About Health

In an emergency, the right message at the right time from the right person can save lives. When a crisis hits, communicators need to quickly and clearly inform people about health and safety threats. Communication is especially critical when disaster strikes suddenly and people need to take action right away, as in a flood or hurricane, or when we may not yet have all the answers, as happened with Zika virus.

To make sure people know what to do to protect their health, our trained communicators learn how to put themselves in others’ shoes: Who are the people receiving the message, what do they need to know, and how do they get information? We apply the principles of Crisis and Emergency Risk Communication in every emergency response.

5. Preparedness starts with you


Get a flu shotWash your handsMake a kit. Be careful in winter weather. Prepare for your holidays. Be aware of natural disasters or circulating illnesses that may affect you or those you care about.

There are many ways to prepare, and in 2016 we provided the latest science and information to empower every one of us to take action. Whether we talked about how to clean mold from a flooded home, how to wash your hands the right way, or how to use your brain in emergencies, our timely tips and advice put the power of preparedness in your hands. What you do with it is up to you. Our hope is that you’ll resolve to be better prepared in 2017.

Posted on December 19, 2016 by Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

Tuesday, 20 December 2016 00:00

Take Three Actions to Fight Flu

DRJ-LogoInfluenza (flu) is a contagious disease that can be serious. Every year, millions of people get sick, hundreds of thousands are hospitalized, and thousands to tens of thousands of people die from flu. CDC urges you to take the following actions to protect yourself and others and fight flu!



Tuesday, 20 December 2016 00:00

How Smartphones Can Save Lives

A Lifeline for Remote Workers

AlertMedia-LogoWhen we think of a company’s workforce, we often envision an office building full of cubicles or a factory of workers. Today’s workforce, however, is often dispersed across multiple locations, driving a fleet of trucks, or traveling much of their workday. This mobility can create challenges with communication, particularly when there is an accident, an emergency, or an urgent event.

The United States isn’t the only country struggling to keep up with the rapidly changing workforce ecosystem. The United Kingdom is facing similar issues. Lone worker safety is a serious consideration. In 2015/2016, the country reported 43 fatal injuries to construction workers. A recent UK article highlights the concern of construction organizations with ensuring the health and safety of lone workers. “While prevention is the ultimate goal, there must also be tools in place to provide rapid help when accidents occur. This means providing a means of consistent, reliable communication with management, team members, and emergency services.”



BCI-LogoThe Business Continuity Institute


For those who celebrate Christmas it can be a season of joy, happiness and goodwill to all, a season of festivities and living slightly to excess, but as the popular Band Aid song reminds us:

There’s a world outside our window
And it’s a world of dread and fear

For many people across the world, the devastation that 2016 has brought means that there will be no Christmas celebration this year. There won't be any celebrations. Their world has been turned upside down through no fault of their own, and their only thoughts now are on survival.

Haiti is one such place, a place that over the years has had more than its fair share of natural disasters, and earlier this year suffered the ravages of Hurricane Matthew. Back in October the Category 4 storm made landfall with wind speeds of up to 145 miles per hour, bringing with it torrential rain of up to 40 inches in some places.

It doesn't matter where in the world you are, or whether you're in a developed or developing country, the threat of natural disasters is everywhere. Italy and Tanzania are two other countries that experienced the sheer power of nature when earthquakes caused mass devastation and severe disruption.

It has been a long time since the Business Continuity Institute last sent out Christmas Cards, instead we prefer to use the money to support organizations that are in need. This year we have split the fund three-ways with a third each going to projects supporting the relief efforts in HaitiItaly, and Tanzania.

The donations to these projects will be made through Global Giving, the first and largest global crowdfunding community that connects non-profits, donors, and companies in nearly every country around the world. Though Global Giving, it possible for non-profits from Afghanistan to Zimbabwe to access the tools, training, and support they need to be more effective and make our world a better place.

So as you enjoy all the festivities that this time of year brings, remember to be thankful for everything you have, and spare a thought for those less fortunate.

The BCI wishes all our Chapter Leaders, Forum Leaders, the BCI Board, Global Membership Council and fellow business continuity and resilience professionals around the world, Seasons' Greetings and a healthy 2017.

Note that the BCI Central Office will be closed on the 26th and 27th December and the 2nd January 2017, re-opening on Tuesday 3rd January 2017. On the 28th, 29th and 30th December, the office will be staffed between 10am and 3pm only (GMT).

Monday, 19 December 2016 00:00

Enhancing Board Oversight of Cyber Risk

DRJ-LogoFollowing a presidential campaign dominated by talk of hacked email and unsecured servers, businesses are emphatically reminded of the potential cybersecurity danger no matter the business or industry.  Threats come from all directions.  Criminals and foreign hackers have grabbed headlines with personal financial data thefts from Target and Home Depot.  Yet a 2016 IBM-sponsored study concluded that 60 percent of all attacks come from internal sources, with the majority carried out with malicious intent and a quarter of the breaches resulting from error.  Compounding the problem, the damages caused by cyber breaches are skyrocketing: the average cost of a data breach is more than $4 million and growing annually, according to the IBM study.

As the risk grows, the board of directors role in identifying and managing the risk becomes more imperative.  The obligation to protect the business is the same as with other business risks, but in this case is overlaid with the obligation to ensure the business’s legal compliance.  The intersection highlights the opportunity – cybersecurity risk cuts across a business and requires oversight from a similarly multifaceted perspective.  The National Association of Corporate Directors’ Cyber Risk Oversight Handbook, published in 2014, identifies “enterprise-wide risk management” as an indispensable component of cybersecurity.  Boards must echo this viewpoint with a specific focus on the cyber risk management program.



DRJ-LogoI have a hunch that your to-do list is growing by the hour as we head into 2017, and I have an even stronger hunch that reviewing and updating the employee handbook hasn’t made it to the list. As much as I hate to say it, you’d be well-advised to add it.

I drew that conclusion after a recent interview with Rob Wilson, president of Employco USA, a human resources outsourcing firm in Westmont, Illinois. Wilson makes a compelling argument around the importance of the executive team — including the CIO — taking the time to ensure that the employee handbook is everything it needs to be. Wilson highlighted the areas that IT execs need to focus on as they carry out this exercise:

For the CIOs, one of the bigger areas for them would be electronic use — what your policy is on social media usage, as well as computer technology usage in the workplace. All of that has to be spelled out: Is it okay for people to be streaming movies at their desks? What’s your cell phone usage policy? Are they company phones or are they individual phones, and what’s the protocol for usage of each? In some companies, people use their own cell phones, and in other cases, you’re supplying them. There is a big difference between the two, and how you use them, and what the rules should be.



BCI-LogoThe Business Continuity Institute

The Business Continuity Institute's Good Practice Guidelines emphasize the importance of validating business continuity plans through exercising, maintenance and review. In fact, such is its important that the entire theme of Business Continuity Awareness Week 2014 was based on testing and exercising. It confirms whether a plan is fit for purpose, and it's far better to find out that it isn’t fit for purpose during an exercise rather than a live incident.

In the latest edition of the BCI's Working Paper Series, Luke Bird MBCI focuses on improving desktop exercises, and poses numerous challenges to business continuity practitioners, suggesting concrete, actionable recommendations to enable organizations to obtain more value out of these exercises. His paper contributes to practice as it focuses on the delivery of desktop exercises, enabling fellow practitioners to consider their own arrangements and introduce improvements.

In the paper, Luke notes that for many organizations, it could be argued that there is an unhealthy focus on the event itself and less so on the required planning, metrics and outputs. This begs the question: are we actually clear on how to get the most value out of these events? The paper explores some of the associated challenges with delivering the desktop exercise, including the absence of sector-specific methodology, data capture techniques, participation issues and exploring the culture of fear.

The paper concludes that there is certainly some scope for improvement in how to deliver a desktop exercise. Unfortunately, professionals in the industry are very limited with the available guidance because it is either cross-sector (too generic), niche (too specific) or not widely shared. There is also little in the way of available literature which helps to describe what ‘good’ is. As such, how can the exercise be truly benchmarked to assess improvement over time?

Download your free copy of 'The desktop exercise - a wasted opportunity?' to understand more about desktop exercises and the role they play in the validation phase of your business continuity programme.

It’s always an editorial dilemma – Do we start with the event with the biggest business continuity impact? The event that was the most unbelievable? For 2016, we have some difficult choices, including the massive cyberattack of the toasters, the most powerful man in the world (soon) trying to carve up the Internet, and a smartphone threatening the health of a national economy.

As you’ve probably already noticed, the common factor is technology. 2016 was rather quieter on the natural disaster front, but let’s go through the things that caught our attention over the last 11 or 12 months.



Friday, 16 December 2016 00:00

Yahoo Breach Redux

DRJ-LogoYou’ve probably heard this already, but the Yahoo breach is back in the news, and not in a good way. The original breach involved 500 million users. Now comes news of a separate breach that involved more than a billion accounts. This breach happened in August 2013. Let that sink in a moment. If you have an account with Yahoo servers, your information has likely been floating out there for more than three years without you knowing.

And there’s more, eSecurity Planet reported:

"Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password," the company stated. "Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies."



MIR3-LogoYou’ve followed all the necessary steps to complete your cyber-response plan, and the call comes in that a breach has occurred … what do you do? It’s showtime!


Your security operation team will move into action as soon as an event is detected.


When an event is detected, it must always be recorded. Events do not always lead to incidents, and incidents do not always lead to breaches, but all breaches start with an event. Use your human intelligence; report who saw what, and when. The type of event will determine who is needed to take action and what action to take; this could range from a quick review to a much longer investigation.



DRJ-LogoThis series is dedicated to providing direction for applying Project Management principles to starting a Business Continuity or Disaster Recovery (BC/DR) Program.  This is the first installment of a multi-part series.  In this installment we will focus on the Project Initiation phase.  Subsequent segments will be aimed at additional phases of starting a BC/DR Program, on improving an existing BC/DR Program, and on elevating a mature program to a new level of efficiency and effectiveness.

Starting a Business Continuity Program

Launching a BC/DRBC/DR Program requires its own plan.  This is not a plan as in a recovery or response plan, but a plan in the sense of a project plan.  Starting a BC/DR is no different than starting any project, and success essentially hinges on your project management skills.  You may want to reach out to the Project Management Office (PMO) if you are fortunate enough to be part of an organization that has one.  The PMO may be able to provide an experienced project manager who can assist by applying current project management theory and techniques to the initiative.  If your organization does not have a PMO, or a resource is not available, then gaining a basic understanding of project management is the starting point.

There are many available information sources for project management principles.  The Project Management Institute (PMI) http://www.pmi.org/ is the leading authority in the field.  The PMI offers training and certification and most community colleges and universities offer courses in project management.



Page 1 of 34