Industry Hot News


Business continuity often inspires a feeling of ‘disaster averted’. In other words, the perception is that spending money on business continuity is really an insurance policy, and as such brings no positive benefit, but helps to avoid negative outcomes. It’s true that this is an essential role. As its name suggests, the avoidance of business discontinuity or interruption is inherent in the pursuit of business continuity. However, business continuity can and should have a net positive effect as well.



In an unexpected twist, Big Data is driving adoption of data archiving, according to Gartner.

When people first started talking about Big Data technology, some said it would eliminate the need to worry so much about archiving or, at least, Hadoop clusters would take on that role. Ironically, it’s the increased adoption of Hadoop that is now forcing organizations to look at data archiving, CMS Wire reports.  Growth of structured data is particularly a concern as organizations try to separate out useful from non-essential data, the article notes.

Don’t worry, it’s expected to come full circle. The article notes that Gartner’s latest report, the Magic Quadrant for Structured Data Archiving and Application Retirement, predicts that the archiving needs will be so robust by 2017, 75 percent of structured data archiving applications will have to incorporate Big Data analytics.



Tuesday, 24 June 2014 16:26

Could BYOD Increase Insider Threats?

A new study commissioned by Raytheon and conducted by the Ponemon Institute provides a fresh look at the insider threat. In a nutshell, we can expect the insider threat to increase. According to FierceMobileIT:

Focusing on 'the human factor,' the survey report, "Privileged User Abuse & The Insider Threat" finds that many individuals with the highest levels of network access in organizations are often granted access to data and areas of the network not necessary for their roles and responsibilities. The report reveals that 65 percent of survey respondents indicated that curiosity – not job necessity – drives these same individuals to access sensitive or confidential data.



It’s only a matter of time before a catastrophic earthquake hits the Pacific Northwest, but what happens after the shaking subsides?

Aging buildings across the area would likely collapse, causing scores if not hundreds of deaths and injuries. Roads could become impassable, and many businesses throughout the region would likely cease to offer services for some time — completely changing the face of our region and the communities within as we know them.

The scenario is real, and that’s what brought engineers, emergency managers, public officials and interested citizens from across the Northwest to Centralia College on Thursday. The second day of the Construction and Best Practices Summit hosted by the college and the Pacific Northwest Center of Excellence for Clean Energy focused on how to best prepare for and recover from an earthquake along the Cascadia Subduction Zone, a 1,000-kilometer fault stretching from Vancouver Island to Cape Mendocino, Calif.



It seems that the march to private cloud infrastructure is finally under way in earnest, with both the technology and the business case for its deployment at a sufficient level of maturity for large numbers of enterprises to pull the trigger.

This does not mean all questions have been answered, however. In fact, if the private cloud has anything in common with legacy infrastructure, it’s that the tweaking and fine-tuning will likely continue well into the future.

One of the first dilemmas, in fact, is the selection of a platform. To date, VMware has captured the lead in enterprise cloud deployments, according to database service provider Tesora, although OpenStack is rapidly closing the gap. In the company’s latest survey of North American developers, VMware owns about 15 percent of the market, compared to OpenStack’s 11 percent. Top applications for both public and private clouds are database processing for SQL, MySQL and other platforms, followed by web services and quality assurance. Interestingly, only about 9 percent indicated compatibility with Amazon Web Services as a top priority in designing a private cloud.



CIO — We know in our gut that data has value. No company can run without it. But what is it really worth? As CEOs realize that data is an asset that can be exploited as a new source of revenue, they will start to ask CIOs about its financial potential. Responding with a shrug and a shot in the dark won't exactly enhance your own value in the CEO's eyes.

Patents, trademarks and other forms of intellectual property have long been accounted for as intangible assets in a company's financial reports. But those numbers are only estimates that may or may not include more mundane kinds of information, such as customer profiles. That's partly because no standard method or accounting procedure exists for putting a dollar value on data.

"It's frustrating that companies have a better sense of the value of their office furniture than their information assets," says Doug Laney, a Gartner analyst who studies information economics. "CIOs are so busy with apps and infrastructure and resourcing that very few of them have cycles to think about it."



There’s a lot of talk of organizations becoming resilient and how they need to be resilient if they are to compete successfully and respond accordingly to the ever-increasing disasters of the world – both man-made and natural in causation. But that begs the question: Can organizations be resilient? In this practitioner’s opinion, yes, they can, though it takes more than a single aspect to become resilient.

Many would have you believe that you can buy resiliency off a shelf; a service or product purchased from a firm touting that they can make your organization resilient, as though the procurement of a ‘product’ will make an organization resilient. Well, unless they are a pseudo-psychologist or have a background in leadership psychology, they can’t; at least not completely. Sure, it’s fine to say that Business Continuity Plans (BCP) and Technology Recovery Plans (TRP) et al will make an organization resilient but that’s just not the complete picture. It’s only part of the overall picture of what will make an organization resilient.

It’s just not a simple concept – though it would be great if it was. What will make an organization resilient? Is there some sort of magic ingredient that will suddenly ensure that an organization will bounce back from any adverse situation? Well, yes and no. It’s not one single ingredient, it’s multiple ingredients that when combined just so, will help any organization get through difficult situations.



Officials are using this time as an opportunity to tweak disaster plans, practice emergency drills and brace for potentially devastating storms later in the summer.

Ken Kaye, McClatchy News | June 20, 2014

Hurricane season so far has been business as usual for most of us, with the tropics nice and calm.

But for emergency managers, this slow stage is an opportunity to tweak disaster plans, practice emergency drills and brace for potentially devastating storms later in the summer.

"This is time of season when we're putting final touches on training, exercising and making sure we're ready," said Bill Johnson, Palm Beach County's emergency management director.



The news: It's Ebola.

The largest outbreak ever of the hemorrhagic fever is spreading "totally out of control" in West Africa, according to a senior official with Doctors Without Borders. The World Health Organization reports that some 330 deaths are now considered linked to the deadly virus in Guinea, Sierra Leone and Liberia.

"The reality is clear that the epidemic is now in a second wave," Doctors Without Borders operations director Bart Janssens told the AP. "And, for me, it is totally out of control."

German specialists previously said that the epidemic killing people across West Africa was caused by a new strain of the Zaire ebolavirus, which killed 88% of its victims in the first known outbreak in 1976. Doctors have managed to keep the fatality rate lower than previous epidemics, but the current outbreak is killing approximately 64% of its victims.



Following Continuity Central’s recent survey into business continuity software usage we asked some of the key suppliers of business continuity software to answer a standard set of questions about trends in the business continuity software market. The responses can be read below:

More entries will be posted as they become available.


Friday, 20 June 2014 15:28

Lessons Learned from Heartbleed

By Russ Spitler

Without question, Heartbleed is one of the most catastrophic events from an Internet security standpoint over the past ten years, arguably ever. It had IT and security teams frantic to fix the vulnerability and the media frenzied. As the dust settles after the initial Heartbleed crisis response, what lessons are starting to emerge?

A quick recap

Heartbleed is a vulnerability in OpenSSL that permits attackers to access random blocks of memory from servers running OpenSSL. OpenSSL is used to establish encrypted communication channels between different places, and therefore the servers running this software hold some significant secrets: explicitly the encryption keys. Simply explained, the process used for setting up OpenSSL encryption uses a key-pair: a private key and a public key. These two keys are bound and you cannot replace one without also modifying the other. Then money is paid, fancy algorithms are applied and an SSL Certificate is obtained which is used to affirm identities when establishing a secure connection.



BC Management’s latest annual survey of compensation levels in the business continuity and related sectors has discovered that UK-based business continuity consultants / independent contractors make more than twice as much money as their US-counterparts, and more than three times as much as Canadian business continuity consultants.

The online study was launched in December 2013 and remained open through to March 2014. A total of 1,520 respondents from over 30 countries took part, with 116 independent contractors providing compensation information.

Independent contractors are defined as ‘professionals classified as performing contract work to another entity under terms specified in an agreement. Unlike an employee, an independent contractor does not work regularly for an employer, but works when and as required.’

The survey found that the 2013 average total compensation for independent contractors in $USD was:

UK: $303,278
Europe: $248,545
USA: $140,601
Asia Pacific: $130,311
Canada: $83,982

There was an average increase in total compensation for independent contractors, with earnings increasing 8.8 percent internationally and 6.3 percent for USA based professionals.


Luxury goods companies believe that they face greater reputational risk than those in other industries, according to a report published by ACE Group in Europe. Following a survey with a concentrated sample of 45 European luxury goods firms and a series of in-depth expert interviews, the report also concludes that environmental, business travel and directors and officers liability (D&O) are three emerging risks for the industry to watch.

Some 75 percent of senior risk executives from the industry sample state that reputation is their company’s greatest asset and 80 percent agree that reputational risk is the most difficult individual risk category to manage.

Almost six in ten respondents report that globalisation has increased the interdependency of risks they face and rank lack of risk management tools and processes, insufficient budget and lack of management time as well as human resources and skills as the greatest barriers to effective management of reputational risk.



Sometimes, the business doesn’t care about data quality. It’s a hard thing to hear, but someone has to be honest with you about it, and Capgemini’s Big Data and Analytics expert Steve Jones is stepping up to do it.

Actually, Jones is talking about master data management (MDM). It’s often confused as a data quality project, he writes, but the primary goal of MDM isn’t data quality these days. It’s really collaboration.

If that sounds like a major departure from what you’ve read in the past, you’re right. Data quality, along with data governance, has long been heralded as a key component to finding success with MDM.



Thursday, 19 June 2014 16:22

Responding to global risks

Business leaders are not doing enough to prepare for the risks that arise from our increasingly inter-connected world, such as government debt crises, extreme weather events and social instability, claims the Institute of Directors in a new report, Responding to Global Risks: A practical guide for business leaders.

This is a concern highlighted in the 2013 BCI Supply Chain Resilience Report which identified that, as supply chains become ever more complex, organizations find it difficult to manage them effectively. In the survey that led to the report, 75% of respondents admitted to not having full visibility of their supply chain disruption levels and 42% had experienced a disruption below their immediate supplier the previous year.

Charles Beresford-Davies, Managing Director and UK Risk Management Practice Leader at Marsh, said: “No company operates in isolation. Every business, no matter how large or small, is part of a complex global network of suppliers, outsourcers and customers, all of which are subject to resiliency risk.”



If we have learned any lessons from the last few years, it is that data breaches present a significant business risk to organizations, often resulting in high financial cost and impact on public opinion. According to a recent study, the average cost of a data breach incident is approximately $3.5 million. With reputation management and a complex regulatory landscape as additive organizational concerns, security and risk professionals face the tough task of ensuring their companies successfully manage the aftermath of a data breach.

A crucial aspect to data breach preparedness is having a strong understanding of the legislative and regulatory framework around data breach notification. However, set against a patchwork of 47 existing laws from nearly every U.S. state, risk and compliance professionals are challenged with understanding and communicating rights for their business and customers. The recent mega breaches experienced by several large companies in the United States have resulted in heightened consumer, media and policymaker awareness and concern, making the potential for new requirements and legislation a hot topic.



Today, we’re adding metadata to the list of issues that will need to be addressed before data lakes are a useful, realistic concept.

Recently, I’ve been sharing the key concerns and barriers around data lakes. Data lakes, at least in theory, are what you get when you pull Big Data sets, including unstructured data, together. The idea is that data lakes will replace or at least supplement data marts for accessing enterprise-wide information.

Vendors have been hyping up data lakes, but many experts are questioning how realistic data lakes are right now. The challenge isn’t so much creating them as it is managing the data in a useful way, experts say.



Thursday, 19 June 2014 16:20

Maintaining Data Protection in the Cloud

Enterprises of all types and sizes are quickly ramping up their cloud presences, despite the fact that key questions regarding their reliability and efficacy remain.

A leading source of worry is data protection. Once data leaves the safety of the firewall, ensuring both its security and availability becomes largely a matter of trust.

Many organizations, in fact, are already struggling with the shift from an infrastructure-based protection scheme to a federated or virtual/application-layer solution, even without the cloud. As HP’s Duncan Campbell points out, the increase in data load and the already largely distributed nature of many enterprise data environments, not to mention the introduction of mobile communications, are forcing a rethink when it comes to maintaining access and availability. If you are looking at 20 to 25 percent data growth per year, how much longer will you be able to maintain local protection and security solutions at every remote site and branch office? At some point, the need for an integrated solution that cuts across geographic and infrastructure boundaries becomes evident, which is why the company developed the StoreOnce Backup solution with tools like federated deduplication, autonomic hardware restart and secure erase.



Six years after Hurricane Dolly struck a $1.35 billion blow to the South Texas coast, federally funded reconstruction efforts are just now getting under way for hundreds of Lower Rio Grande Valley residents whose homes were destroyed or badly damaged by the storm.

Nick Mitchell-Bennett, executive director of the Community Development Corporation of Brownsville, blames the situation on a “long and outrageously convoluted” federal, state and local process for getting help to storm-ravaged poor families.



After severe weather hit the state of Georgia earlier this year, Gov. Nathan Deal called for an improved emergency app, and on June 16, that app was released.

The upgraded Ready Georgia app maintains old features and adds several new features, including geo-targeted severe weather and emergency alerts that notify users based on their locations before an event, such as severe weather, occurs. Users can access live traffic maps and incident reports directly from the Georgia Department of Transportation, as well as obtain a map of local American Red Cross and approved Good Samaritan shelters, along with directions to those shelters from their location. 



CSO - A data breach like the one recently reported by AT&T demonstrates that security policies alone are only a paper tiger without the technological teeth to make sure they are enforced, experts say.

AT&T reported last week that unauthorized employees of one of its service providers accessed the personal information of AT&T wireless customers. The exposed data included social security numbers and call records.

AT&T did not say how many records were accessed, but the number was high enough that the carrier had to report the breach to California regulators.

While there was no indication of criminal intent, the service provider's employees "violated our strict privacy and security guidelines," AT&T said.



Multiple outbreaks of severe weather led to a costly month for insurers in the United States in May, as thunderstorm events continued to dominate the catastrophe record.

According to the latest Global Catastrophe Recap report by Aon Benfield’s Impact Forecasting, no fewer than four stretches of severe weather affected the U.S. during the month of May.

Aggregate insured losses exceeded $2.2 billion and overall economic losses were at least $3.5 billion, with large hail and damaging winds the primary driver of the thunderstorm-related costs, Impact Forecasting reports.

The costliest stretch occurred during a five-day period (May 18-23) which saw damage incurred in parts of the Midwest, Plains, Rockies, Mid-Atlantic and the Northeast, including the major metropolitan areas of Chicago, IL and Denver, CO.






ASIS has released a standard that provides guidance for establishing and managing an audit program, as well as conducting individual audits consistent with the ISO 19011 and ISO/IEC 17021 standards.

The latest in the five part series of ASIS resilience standards that offer a holistic, business friendly approach to risk and resilience management, the Auditing Management Systems: Risk, Resilience, Security, and Continuity - Guidance for Application American National Standard (SPC 2) will help practitioners evaluate risk and resilience-based management systems, establish and manage an audit program, conduct individual audits, and identify competence criteria for auditors who conduct conformity assessments of management risk and reliance-based management systems.


UK employees are potentially putting their companies at risk of cyber-attack when using mobile devices for work purposes while on holiday or on a short break, new research has found.

The ‘Beach to Breach’ research commissioned by Sourcefire, now part of Cisco, found that 77 percent of UK workers surveyed usually take their work devices with them on holiday, with 72 percent choosing to spend up to one or two hours per day keeping up with what’s going on in the office. Over 80 percent of directors, mid-managers and senior level employees admitted to taking their work device on holiday, and even the most junior employees are also keen to stay connected while away with 50 percent unwilling to leave their work device at home.



I don’t think anyone really thought that Hadoop and other Big Data technologies would liberate us from the basics of data, such as integration and governance. It was just so easy to ignore those issues in the heady first years of Big Data hype and pilot projects. Now, it’s time to do the hard work of figuring out how to make all this data useful.

And, frankly, the to-do list just keeps growing.

Data integration expert David Linthicum added his concerns about data integration tools in a recent Informatica blog post. Linthicum is piggy-backing on an idea proposed by analytics expert Tom Davenport. After interviewing data scientists for his research, Davenport concluded that the only way to support the demand for Big Data analytics is to provide the data scientists with better tools.



Computerworld UK — Companies that want to engage customers with wearables, but are worried about privacy issues, should run pilots with their employees first, a Forrester analyst has said.

Highlighting the success Virgin Atlantic has had with its Upper Class Wing Google Glasses pilot in Heathrow Terminal Three, Forrester analyst JP Gownder advised that arming customer-facing employees with wearables is the first step enterprises should be taking.

Virgin Atlantic's pilot saw business club lounge staff in Heathrow wearing devices to assist members with flight connection information, destination weather forecasts and restaurant suggestions.



The biggest threat to public sector data comes from employees, a new report suggests. Some 83% of the 141 senior public sector managers and other staff polled said they were most concerned about internal loss or misuse, with just 10% worried about the external threat posed by hackers.

Despite this, only 18% use a secure managed offsite records facility, with 41% storing data on-site and 21% relying on staff to dispose of documents using general waste, recycling bins and office-based shredding machines.

“Physical records stored within public sector buildings are extremely vulnerable to being lost or misplaced by employees,” says Anthony Pearlgood, managing director, PHS Data Solutions, which commissioned the research.



At a gathering of the UK’s risk managers today, Mike McGavick, CEO of XL Group, told risk managers “it’s a great time to be in your jobs, there is great opportunity for you to lead your organisations’ thinking about risk.”

Speaking on a panel debate focused on The State of the Insurance Market, at this year’s Airmic Conference, McGavick said: “Excess capital, the low interest rate environment and the mutation of risk means insurers have to dig deep, working harder to find differentiating solutions and services.”

“This environment provides risk managers with the opportunity to ask, what are we getting from you? And these searching questions are challenging insurers to innovate and stay relevant.



Wednesday, 18 June 2014 14:52

A New Data Center for a New Age

That the data center will have to evolve in order to keep up with changing application and data workloads is a given at this point. Static, silo-based architectures simply lack the flexibility that knowledge workers need to compete in a dynamic data economy.

But exactly how will this change be implemented? And when all is said and done, what sort of data center will we have?

According to a company called Mesosphere, the data center will become the new computer. The firm provides management software that helps hyperscale clients like Google and Twitter coordinate and pool resources across diverse application loads. By offering compute cluster, command line and API access to developers, the Apache-based platform enables broad deployment and scalability without the need for direct IT involvement. As well, it allows numerous low-level support tasks to be automated, essentially allowing users to call up applications or save data in the data center the way they do on a PC: Click the icon and let the system figure out the best way to handle it.



When you hear “public health,” you may think of flu shots. That’s one visible — and briefly painful — side of public health services. But if you’ve enjoyed tobacco-smoke-free air, thought twice about ordering a cheeseburger after seeing its calorie count on a menu, or not worried about tuberculosis in your community, you’ve also “used” public health services. These services are essential, ubiquitous and usually unnoticed.

They’ve also been hit hard by the recession. Since 2008 about 17 percent of the state public health workforce and 22 percent of the local public health workforce have been eliminated, according to a 2011 report from the Association of State and Territorial Health Officials. Several reports have enumerated how, as a result of these cuts, we’re more vulnerable to communicable diseases, water-borne infections and other health concerns.



Wednesday, 18 June 2014 14:49

The Many Paths to a Career in Risk

Over the years, I’ve had no shortage of people ask me how they can get my job as a senior risk leader. They see the possibilities and get a strong sense that risk management just might be a pretty interesting career track. Oftentimes these folks are sitting in some insurance related sub-function within the broader industry, anything from claims to loss control to underwriting and brokerage. Interestingly, many people who have had this experience (who are essentially developing specialists in these sub-functions) have frequently found that skill transferability from these specialized areas, to their “profession,” was often fraught with hurdles.

I have seen a parallel mind-set throughout much of my career in various industries in which I sought alternate employment. Most commonly it was in the manufacturing or health care sectors that insisted that any leader in their ranks, most especially a risk manager, needed to come from within their industry. They were the true believers and were typically inflexible about this minimum requirement.  They believed their industries were just too specialized and unique for a risk manager from another industry to succeed. They would argue that they didn’t want to invest in allowing the development of the full skill-sets or that their world could or should be learned by those coming from other industries, especially for a mid- to senior-level manager.



Wednesday, 18 June 2014 14:48

Lessons from Target’s Security Breach

There are times when major trends intersect. Sometimes they reinforce each other; other times they cancel each other out. In the case of Target’s security problems, there seems to have been a fair amount of interference (to read my earlier Advisor on the Target security breach, see “Cyber Security: Inside and Out”). The FireEye software that was supposed to warn of the kind of exposure that did Target in reacted as it was supposed to: the basic problem was flagged and diagnosed immediately, and a warning message was included in one of the security logs and highlighted by analysts at Target’s Bangalore security center. Unfortunately, the critical message was not deemed worthy of immediate action by the central security staff in Minneapolis.

As it turned out, there were multiple reasons that Target’s central security group didn’t follow up on the suspicious activity flagged by FireEye and the Bangalore team. One reason given for not acting was that the central team wanted to manually review all the critical flags. A second reason was that there was such an enormous number of flagged items on all different security logs that it was difficult to follow up on any but the most important ones in a reasonable time frame. (An interesting insight here is that the FireEye security monitoring software had the capability to automatically act upon finding specific problems, but again, the central team wanted to review this kind of problem. It may also have had something to do with the fact that the original breach was through a HVAC system, which may have seemed unlikely to cause widespread problems.)



A new handbook on Cyber Risk Oversight, designed to provide corporate directors with expert guidelines to improve their cybersecurity oversight, has been published by the American International Group (AIG), the National Association of Corporate Directors (NACD), and the Internet Security Alliance (ISA). The handbook is the latest issue in NACD’s Director’s Handbook Series.

The cyber threat is a very real concern for business continuity professionals as identified in the 2014 BCI Horizon Scan Report with cyber attack and data breach featuring second and third respectively as the biggest threats to organizations. 73% of respondents to the survey expressed either concern or extreme concern at both these threats materialising. Such is the nature of the threat that it was the main topic of conversation in the launch edition of the BCI's Working Paper Series.



CSO — The pace of change for Information Technology is challenging established notions of "What is IT?" and "What is Information Security in the modern age?" For one example, the "new" data center technologies such as virtualization, Software-Defined Networking (SDN), service-oriented delivery models, and cloud computing have radically changed the typical IT infrastructure from a defined set of assets owned and controlled by the organization to a constantly fluctuating roster of resources that can come and go from IT department visibility and control.

As this has occurred, we have witnessed the equivalent of a Cambrian Explosion of new Internet-connected life forms--mobile devices, tablets, sensors, actuators, home appliances, monitoring systems, content access devices, and wireless terminals. Applications running on these devices range from recreation to services critical to the functioning of our social and economic infrastructure. Put it all together, and we expect that world population of Internet-connected devices will grow from today's 10 billion to over 50 billion by the year 2020.

From a security point of view, these IT changes, including the expansion of Internet-connected devices, lead to a corresponding increase in attack surface. Instead of the mission of protecting a reasonably known and enclosed IT perimeter, we now must be ready to secure any connected device humans can make against any threat a hacker can innovate. Clearly, using established security practices, except on a larger scale, will not suffice.



Despite growing levels of awareness and understanding of cyber risk among large and medium-sized corporations across the UK and Ireland, board-level ownership of the issue remains comparatively low with many firms relying on their IT departments for the strategic direction of their cyber risk strategies.

According to the Marsh Risk Management Research, UK & Ireland 2014 Cyber Risk Survey Report, cyber risk now features prominently on the corporate risk registers of organizations across the UK and Ireland, with one quarter (24 percent) of respondents placing it in the top five risks they face and over half (56 percent) placing it in their top ten.

However, Marsh’s research found that cyber risk is managed and reviewed at board level in just 20 percent of respondents’ organizations with 57 percent of respondents stating that the overall responsibility for the assessment and management of cyber risk lies with their IT departments.



Officials at the US National Institute of Standards and Technology (NIST) have announced plans to establish a new research Center of Excellence to work with academia and industry on disaster resilience.

NIST Centers of Excellence are meant to provide multidisciplinary research centers where experts from academia, industry and NIST can work together on specific high-priority research topics. The agency established its first such center, dedicated to advanced materials research, in December 2013.

The disaster resilience Center of Excellence will focus on tools to support community disaster resilience; and will work on developing integrated, systems-based computational models to assess community infrastructure resilience and guide community-level resilience investment decisions. It will also develop a data management infrastructure that allows for public access to disaster data, as well as tools and best practices to improve the collection of disaster and resilience data.


Only half of employees believe their workplaces are prepared for a severe emergency, according to the third annual workplace safety survey by Staples, Inc. Nearly two-thirds of those polled said recent natural disasters have not led to their employers reassessing company safety plans. The survey also reveals that in the past six months nearly half of businesses have closed due to severe weather, costing the economy nearly $50 billion in lost productivity.

Small business employees feel more at risk to emergencies and disasters than employees at larger companies. The survey found that workers at businesses with fewer than 50 people are less aware or less sure who is in charge of emergency planning than employees at larger companies. Employees from smaller companies report having less emergency equipment or plans in place, are less likely to do safety reviews or drills, and are less prepared for severe emergencies than their counterparts at bigger organizations.

About the survey
Staples conducted an online survey of more than 400 office workers and 400 decision makers at organizations of all sizes across the US. The survey, conducted in May 2014, asked a series of questions about general office safety.


Social media is increasingly being looked to as a tool for emergency management. It has a number of attractive characteristics, including cloud-based resiliency and being well-known and understood by a large portion of the public and professionals alike. The problem that many organisations face is in knowing how to prepare their use of social media. Trying to test the social media component of an emergency management plan is a delicate matter. Simply prefacing social media messages with ‘This is a test’ is optimistic at best.



Strange are the ways of the technology market gods. While technology itself follows a fairly predictable bell curve of hype, the terms seem to come and go in spurts.

Several years ago, experts and vendors, such as those in this Forbes piece, would often talk about “data lakes” as a way of explaining Big Data’s capabilities. Big Data was going to change everything: No more silos, no more separation of structured and unstructured data, and no more need for data marts.

It was more of a metaphor for the capabilities than anything specific, as I recall.



MEXICO CITY — The past two months have brought an unusual succession of earth tremors to the Mexican capital — and a business opportunity for Andres Meira.

Meira, a 39-year-old architect and social entrepreneur, started a company that produces a small earthquake alert that wails before a potentially destructive earthquake hits the capital.

For sale for about $54, Meira’s device costs a fraction of his competitors’.

That there is a market at all for such a receiver casts light on a quirk of Mexico’s pioneering seismic alert system, considered one of the most advanced in the world, and the unusual geologic conditions that cause Mexico City to shake even from distant quakes.



Computerworld UK — Software licenses for mobile users are a "grey area" legally, opening enterprises up to mounting costs unless a compromise with vendors is made, Forrester has warned.

Although software vendors have forecast that their spoils from maintenance support will grow, the reality is that companies are seeing diminishing maintenance budgets against increasing demands for technology to improve customer service. Therefore CIOs "must better align spending", analyst Duncan Jones said at the Forrester Forum for Technology Management Leaders in London this week.

Increasing mobile users are blurring the definition of what constitutes a separate user license, as software vendors like Oracle and SAP attempt to capture revenue from businesses' new mobile projects.



In this day and age of data center efficiency, just about every IT manager is familiar with the concept of hot aisles and cold aisles.  By directing proper air flow in and around racks of humming equipment, the enterprise is able to reduce operating expenses even as it increases utilization, and therefore heat generation, of key equipment.

What may not be widely known, however, is that there are numerous options when it comes to hot/cold designs, and what works for one facility may not be optimal, or even desirable, for another.

For example, some argue that the cold aisle containment portion of the equation may in fact be more crucial than hot aisle containment. According to Mark Hirst, head of T4 data center solutions at rack and cabinet designer Cannon Technologies, the difference comes down to the most effective use of cooling resources. Do you want cold air to go specifically toward data equipment, or do you want it to dissipate hot air in the room at large? Neither approach is wrong per se, although cold aisle containment does provide for faster cooling response in the event of sudden data spikes.



When it comes to helping a victim of cardiac arrest, it's all about speed. PulsePoint, a life-saving mobile app, may not necessarily increase the speed at which first responders arrive, but it adds more legs to the race.

Santa Clara County, Calif., agencies began using the PulsePoint app earlier this year with the goal of mobilizing CPR-trained residents and bystanders into becoming first responders.

The free app uses location-based technology to alert CPR-trained citizens if someone in their immediate area is experiencing sudden cardiac arrest. The alerted citizen can then choose to spring into action, find the victim and begin resuscitation until official emergency responders arrive.



If a strong hurricane were to pass through the Gulf of Mexico the overall effect on U.S. oil and natural gas supply would not be as severe as in past years, due to declining production in the region, according to a report from the U.S. Energy Information Administration (EIA).

However, Artemis blog warns that this won’t change the potential impact to insurers and reinsurers, particularly with the removal and decommissioning of rigs also being insured.

In its post, Artemis notes that the reinsurance and insurance-linked securities (ILS) market in recent years has been placing an increasing focus on gaining access to underwriting energy risks, particularly physical damage risks due to storms and earthquakes.



Risk managers’ focus on the seemingly unlimited array of cyber threats to their organizations is steadily growing. The 2014 BDO Technology RiskFactor Report, for instance, which analyzes SEC 10-K filings and other data from the largest publicly traded U.S. technology companies, found that “breaches of technology security or privacy” ranks at number seven in the top 25 risk factors cited by these 100 companies. Ninety-one percent of companies cited the risk this year, compared to 57 percent in 2011.

No doubt, those sorts of numbers won’t really surprise anyone, but they do raise questions. In particular, what will be done about these concerns? Tracking the trends surrounding the attitudes of risk managers, those cybersecurity risks, and other major risks, has been the goal of the Emerging Risks Survey for the last seven years. It’s produced by The Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries' Joint Risk Management Section, and after the 2014 results were released, I asked the report’s author, Max Rudolph, about some of the results around cybersecurity risks and what risk managers plan to do about them.



CSO — A majority of IT security pros believe that continuous monitoring of the database network is the best approach to prevent large-scale breaches like the ones that occurred at retailers Target, Michaels and Neiman Marcus, a study showed.

Nearly two thirds of the 595 U.S. experts polled by the Ponemon Institute cited monitoring as the best form of database protection, a position other security experts challenged.

"Continuous monitoring, looking for unusual or anomalous type of behavior, becomes very important," Larry Ponemon, chairman of the Ponemon Institute, said. "The more you monitor, the more things you can see and the more things you can stop."



Business disruptions can happen at any time and have an almost limitless number of causes. Among the biggest disrupters, of course, are big storms with names (a.k.a. hurricanes). The start last week of the Atlantic hurricane season makes this a good time to see what the business continuity/disaster recovery (BC/DR) landscape looks like.

Continuity Central this week posted results from a survey that took a deep dive into the worldwide use of BC software. One-third of the respondents were from the U.S., but a variety of verticals and company sizes were represented.

The results show that just over half (53.3 percent) use specialized BC software and that most who do (88.05 percent) use only one type. The survey revealed that 11 types of BC software are used by respondents. The most common types include software to write and develop BC plans (89.87 percent) and to manage and update BC plans (89.24 percent). Software aimed at carrying out benchmarking activities brought up the rear at 29.11 percent.



Emergency management is officially a profession — defined as having a core body of knowledge, an ethical framework, standards and university programs offering education and degrees. It is no longer a question about whether degrees are an important part of this field. Employers are requiring a college degree to start, and for those already in the field, it is getting harder to advance without a master’s degree.

When considering where and how to get that degree, the question of delivery platforms becomes sticky. In other words, what about online degrees? Is an emergency management degree obtained over the Internet worth as much as the same one from a brick-and-mortar school?



Continuity Central recently conducted a wide-ranging survey into business continuity software usage. 377 people responded and the results will be published in two parts.

Respondents’ profile

Survey respondents came from all around the world, with the largest groups being from the United States (33 percent), the United Kingdom (20 percent), Australia (6 percent) and Canada (6 percent).

The majority of respondents were from large organizations, with 71 percent being employed by organizations with more than 1000 employees. 14 percent were from medium sized organizations (200 to 999 employees); 10 percent were from small organizations (10 to 199 employees) and 5 percent were from micro organizations (under 10 employees).

27 percent of organizations represented were multinationals with 50 or more locations; and 23 percent were multinationals with less than 50 locations.



ClearView Continuity is a UK-based supplier of specialist business continuity software. Re-launched in 2010, it has seen rapid global growth with collaborators and clients in all parts of the world, from Australia to South Africa, South East Asia, Russia, the Middle East, Europe and the US. The global network of collaborators enables ClearView to provide 24/7 global support for its clients, who range from the largest global financials to more modest single-country organizations. ClearView does not place restrictions on user numbers or functionality, which means that all clients benefit from the same powerful functionality.

The success of ClearView has been underlined at the CIR Magazine Annual Business Continuity Awards, with ClearView Continuity being presented with the Business Continuity Management Planning Software of the Year Award in 2012, 2013 and 2014.

Given the company’s wide experience of the global business continuity software market, Continuity Central asked ClearView’s chief executive, Charles Boffin, to give his view on changes and challenges in the business continuity software market:



Is the aim of recovering to a minimum business continuity objective acceptable? Tim Dunger argues that it isn’t…

Many of you have recovery time objectives within your business continuity and disaster recovery plans. It’s the desired time for which you will be deemed to have been ‘recovered’. But following a conversation with peers just recently, I have discovered that the point at which an IT system is seen as ‘recovered’ is rarely agreed between them.

To just over 50 percent of the people who joined in the debate, recovery time is the time it takes to get a system up to a ‘minimum business continuity objective’. So, surprisingly, this means that less than 50 percent of people take recovery time to be a state where the business is operating to the same level, and as profitable as it was, prior to the disaster in question.



The 2014 FM Global Resilience Index, released this week, finds that Norway, Switzerland and Canada top the list of nations most resilient to supply chain disruption, one of the leading causes of business volatility.

The first-of-its-kind Index, commissioned by FM Global, is an online, data-driven tool and repository ranking the business resilience of 130 countries. More than a year in development, the Index is designed to help executives better assess and manage supply chain risk.

The Index finds Kyrgyzstan, Venezuela and the Dominican Republic as the nations that are least resilient to supply chain disruption.



Friday, 13 June 2014 13:57

The top causes of data disasters…

HDD crashes prevail as the most common cause of data loss according to a recent global survey by Kroll Ontrack. 72 percent of those surveyed noted that their most recent data loss came from a desktop or laptop hard drive, followed by SSD (15 percent) and RAID/virtual services (13 percent), showing that data loss impacts every type of storage from the individual user up to the enterprise level.

When asked about the cause of their most recent data loss, 66 percent (compared to 29 percent in 2010) of the 1,066 surveyed across North America, Europe and Asia Pacific, cited a hardware crash or failure, followed by 14 percent claiming human error (compared to 27 percent in 2010). Software failure ranked as the third most common cause of data loss with 6 percent.

Looking at individual response segments, laptop and PC crashes prevailed as the leading cause of data loss among both businesses (71 percent) and home users (72 percent) respectively and SSD device loss ranked second, accounting for 18 percent of data loss cases for home users and 10 percent for businesses.

Among businesses, 27 percent said their most recent loss disrupted a business process, such as prohibiting them or their company from actually providing a product or service to their customers. A further 15 percent admit to losing personal data from their business machine, contrasted with 7 percent who acknowledged losing business-related data from their home machine.

Kroll Ontrack surveyed 1066 recent data recovery customers from 10 countries across North America, Europe and Asia Pacific. Forty-eight percent were businesses, 32 percent were home users, 13 percent were partners and 3 percent were government entities.


Cybercrime costs the global economy about $445 billion every year, though the damage may be up to $575 billion, according to a new report from the Center for Strategic and International Studies and software company McAfee. Further, the damage to businesses exceeds the $160 billion loss to individuals.

“Cyber crime is a tax on innovation and slows the pace of global innovation by reducing the rate of return to innovators and investors,” said Jim Lewis of CSIS. “For developed countries, cyber crime has serious implications for employment.”

Indeed, the biggest economies have suffered the most – the losses in the United States, China, Japan and Germany totaled at least $200 billion.



When it comes to deciding how best to manage information, organizations on both sides of the Atlantic seem more comfortable following conventional risk-avoidance strategies than translating that information into insight and competitive advantage. That’s one of the key findings of the 2014 Information Maturity Risk Index, a new study published by storage and information management company Iron Mountain Incorporated and PwC UK that examines how sophisticated organizations are when it comes to not only protecting information from risk but also realizing the promise of data analytics.



CIO — WASHINGTON -- Many CIOs in the federal government have been loosening their policies to allow employees greater freedom in the devices that they use for work, though the extent to which BYOD will become the norm in the public sector remains very much in question.

Concerns around security, privacy and the open question of whether workers are willing to couple their professional and personal lives on a single device linger, experts said this week at a conference on mobility in the government hosted by Citrix.

But BYOD is gaining momentum, and, gradually, the feds are rewriting the rules for tech usage to accommodate more consumer-oriented smartphones and tablets that employees use in their personal lives.

"Mobile is the future," declared James Miller, associate CIO at the Federal Communications Commission.



Risk management software identifies the risk associated with different assets. It then communicates this information to the enterprise concerned, for example through business dashboards displayed on screens. While risk is a factor for every organisation, some are bound by regulations to practice and demonstrate good risk management. Banks are a case in point: they must have enough cash in reserve to cover expenses if issues such as IT failure or fraud affect them. Consequently, many software vendors have produced risk management software or integrated it into their product lines. But does that mean that enterprises are obliged to use such software?



Thursday, 12 June 2014 15:12

Be Prepared; Have a Family Emergency Plan

Montgomery, Ala. – Severe weather can happen any time of the year. The best way to prepare for it is with a family emergency plan. If you don’t have one, develop one. If you have an emergency plan, review and update it, then go over it with your family at least once a year.

An emergency plan should include how everyone will contact each other, where to go, how you will get back together and what to do in different situations. A good place to begin is Ready.Gov, the disaster preparedness website managed by the Department of Homeland Security and the Federal Emergency Management Agency.

Forms are available at that site for contact information on each family member, phone numbers of out-of-town contacts, work locations and other important phone numbers.

Also inquire about emergency plans in places where your family spends time, such as work, school and daycare. Incorporate this information into your plan.

Identify an out-of-town friend or relative as a contact person for your family members. During an emergency each member of the family will call the contact and let them know they are safe. An out-of-town contact may be in a better position to communicate among separated family members.

Decide where to go in an emergency. Plan for different scenarios, such as where to go if there is a fire. Where in the home is the safest place if a tornado hits? If you live in an area susceptible to hurricanes, decide whether to evacuate or stay. Plan several evacuation routes, if possible, in case some roads become impassable. Identify where you will stay until it is safe to return home. If you have pets, find, in advance, places to board them or hotels and shelters that are pet friendly.

During a wide-scale disaster, such as a tornado or hurricane, prepare for power outages. Keep fresh batteries for flashlights and keep cell phones fully charged. If you don’t have one, consider purchasing a cell phone charger for your vehicle. Also, keep your gas tank full.

During hurricane season, keep a basic disaster supply kit of nonperishable food, water, first aid supplies, medicines, disposable diapers, formula and baby food (if necessary), plus extra food and water for pets. Don’t forget a manual can opener. Keep these items in a waterproof container and include enough food and water for several days.

A battery-operated weather radio will be invaluable in an emergency. These radios can be programmed to your local weather service office and will provide information on approaching severe weather in your area. Heed their advice if you are directed to evacuate.

Keep enough cash on hand to get through several days. Banks will likely be closed and ATMs won’t function during a power outage.

Several government agencies work together to help you and your family stay safe. If you would like additional information, try these links:

The 2014 FM Global Resilience Index places Norway, Switzerland, Canada and Australia at the top of the list of nations most resilient to supply chain disruption, a major cause of business volatility as highlighted in the recent BCI Horizon Scan Report which revealed that 42% of respondents to the survey expressed concern or extreme concern about the possibility of this threat materialising. This level of concern is no surprise given that the 2013 BCI Supply Chain Resilience Report revealed that three quarters of respondents do not have full visibility of their supply chain disruption levels and three quarters have experienced at least one incident in the preceding 12 months.

Commissioned by FM Global, the Index is an online, data-driven tool and repository that ranks the business resilience of 130 countries. More than a year in development, the Index is designed to help executives better assess and manage supply chain risk.



Kids growing up in Tornado Alley are used to bright, splotchy radar patterns moving across a television screen, and most know the difference between a tornado watch and warning. But do they understand how to read and predict the weather based on radar images and forecasts?

Students at the University of Oklahoma’s College of Engineering wanted to remove the mystery around weather forecasting by speaking to kids in a language they could better understand — gaming. Collaborating with the School of Meteorology, OU students created an app that teaches kids about weather patterns by putting them in the pilot seat to navigate a plane during weather events. The game encourages kids to see meteorology as a problem-solving tool rather than just a segment of the evening news.

With funding from a more than $600,000 National Science Foundation grant, Amy McGovern, OU associate professor of computer science and adjunct associate professor of meteorology, and engineering students Andrea Balfour, David Harrison and Marissa Beene created Storm Evader, an iPad app aimed at elementary and middle school students. The app challenges players to route airplanes from one U.S. airport to another while avoiding pitfalls like difficult weather patterns and long routes that waste fuel.



Wednesday, 11 June 2014 15:49

World’s most resilient nations revealed

The nations most resilient to supply chain disruption, one of the leading causes of business volatility, have been revealed by an index developed by FM Global. More than a year in development, the data-driven tool and repository ranks the business resilience of 130 countries via an online, interactive tool that displays data on country-by-country susceptibility to supply chain disruption. The 2014 FM Global Resilience Index finds Norway, Switzerland and Canada top the list of nations most resilient to supply chain disruption. At the other end of the scale, Kyrgyzstan, Venezuela and the Dominican Republic were found to be the least resilient.

“Natural disasters, political unrest and a lack of global uniformity in safety codes and standards all can have an impact on business continuity, competitiveness and reputation,” said Jonathan Hall, executive vice president, FM Global. “As supply chains become more global, complex and interdependent, it is essential for decision makers to have concrete facts and intelligence about where their facilities and their suppliers’ facilities are located. The Resilience Index is a dynamic resource to better understand unknown risk in order to strategically prioritise supply chain risk management and investment efforts.”



Earlier this year, results were released from the seventh Emerging Risks Survey conducted by the Joint Risk Management Section, a collaboration of the Casualty Actuarial Society, Canadian Institute of Actuaries, and Society of Actuaries. In the series of annual surveys, the researchers strive to “track the thoughts of risk managers about emerging risks across time.” These trends, they explain, “are as important as absolute responses, helping risk managers contemplate individual risks, combinations of risks, and unintended consequences of actions." For instance, the researchers point out that we are at a crossroads in regard to risk management: Five years of intense management and regulatory activities around financial emergencies are giving over to other emerging risks that could span longer periods. Cyber risk is one of these emerging risks.

IT Business Edge’s Kachina Shaw asked Max Rudolph, author of the survey report, Society of Actuaries member, and founder of Rudolph Financial Consulting, about some of the survey’s results around cyber risk and risk management.



Local health departments across the country are working to mitigate the re-emergence of measles in the United States. Just this year, 334 cases have been reported from Jan. 1 to May 30, 2014. According to the CDC, this number marks a 20-year high five months into the calendar year. Measles is typically brought to the United States from other countries by unvaccinated U.S. travelers. Outbreaks can occur when the virus is transmitted from travelers to other exposed unvaccinated individuals. This year’s rise in cases can be attributed to what is happening at the global level. Of the cases reported this year in which the origin could be traced, nearly half were linked to travel to the Philippines. The CDC recognizes the ongoing outbreak in the Philippines — where about 40,000 cases have been reported this year — as one of the leading factors in the increase of cases in the United States.

In the United States, Ohio and California have seen the largest numbers of cases, with a majority linked to travel to the Philippines. In Ohio, the largest outbreak occurred among the Amish community near Knox County and contiguous counties, where travelers returning from a mission trip spread measles to unvaccinated members of the community. Local health departments in both states have been actively responding to these outbreaks to control and prevent further transmission.



Business needs and requirements demand expertise and coordination for privacy programs and practices. As a result, chief privacy officers, data protection officers, and other designated privacy professionals like privacy analysts are a fast growing presence within the enterprise today. The International Association of Privacy Professionals (IAPP) is 16,000 members strong today (compared to 7,500 back in 2010) and growing!    

In many organizations, a dedicated privacy professional (e.g., a full-time employee who focuses on privacy and not someone who has privacy responsibilities attached to another role) is a new role. Privacy professionals come from a variety of backgrounds from legal to IT, and the details of their role and focus can vary depending on the organization and the size of the privacy team. Yet they all have one thing in common: they must work together with multiple privacy stakeholders – IT, security, legal, HR, marketing, and more! – across the enterprise. And honestly, it’s not always easy. Like any relationship, there are ups and downs.



Facebook and Twitter are already used to disseminate information about breakdowns and crises. Public service organisations have begun to use them as part of their PR strategy for good crisis management. Now there’s a move to use social networks, Twitter in particular, for communication in the opposite direction. In the UK, the London Fire Brigade announced Twitter as an acceptable channel for reporting fires. This is a bold move as well as a potentially lifesaving one. It’s bold because it opens up the challenge of sorting out relevant messages from irrelevant ones that could include hoaxes. Is there a companion solution to separate the grain from the chaff?



Those dire warnings that worldwide warming was having an incendiary effect on hurricanes and that ever-more powerful, deadly, and costly tropical storms were inevitable were part of the legacy of Katrina's almost unimaginable devastation.

But what followed was shocking for other reasons: After that 2005 season, not a single major hurricane struck U.S. shores, constituting a period of record quiet. Technically, Sandy, as bad as it was, was not a hurricane at landfall.

If forecasters can be believed — and last year they whiffed badly — this could be yet another relatively tranquil season in the Atlantic basin, which includes the Caribbean Sea and Gulf of Mexico.



In Washington, D.C., officials tried, but were nearly helpless in stopping the deterioration of the Lincoln Memorial. Rather than address the damage with costly repairs, they instead traced the concern back to a root cause. Deterioration was caused by the high powered hoses needed to clean the building—which were necessary because the building was an attractive home for birds. Birds were drawn to a very dense population of insects, which were attracted to the bright lights of the memorial.

So how do you stop the Lincoln Memorial from deteriorating? You dim the lights.

The root cause methodology provides clarity by identifying and evaluating the origin of the risk rather than the symptoms. Unveiling the triggers behind high level risk and loss events points to the foundation of where an organization is vulnerable.

Uncovering, identifying and linking risks back to the root causes from which they stem allows organizations to gather meaningful feedback, and move forward with accurate, targeted mitigation plans.



PC World — When eBay suffered a massive data breach a few weeks ago, most of the attention revolved around the compromise of passwords and the vulnerabilities in the site's security. While those are legitimate concerns, they obscure the most glaringly weak link in the security chain: people.

Indeed, it was not a sophisticated exploit that facilitated the eBay breach, but an old-fashioned con. It's been determined that as many as 100 eBay employees were likely victims of a social engineering scheme: an attack where the perpetrators arm themselves with enough information to pass themselves off as a known and trusted individual or organization and convince the victim to reveal valuable personal information – in the case of the eBay employees, their logins.

That's actually not surprising. When I recently asked a number of security experts to weigh in on innovative new attacks we should look out for, I was told the most concerning trend couldn't be remedied by patching and updating applications or thwarted by your security software.



In light of the mass shooting near the University of California at Santa Barbara on May 23, officials from local colleges in New York said Tuesday that they consider themselves prepared for such an event, should it ever arise.

"If the unforeseen happens, we want to be prepared to ensure the safety of our students, maintain the security of our campus, and work with emergency responders to address whatever challenge confronts us," said Hal Legg, director of communications at the State University of New York College at Oneonta.

Legg said SUNY Oneonta has been conducting emergency simulations annually for several years, including simulated power failures, heat waves, suicides and terrorist acts. Last year, the University Police Department partnered with the Oneonta Public Transit to simulate a bus accident on campus, Legg said.



Bertha, Dolly, Fay and Hanna could be on the way now that the Atlantic hurricane season started Sunday. And recent research suggests it's time to give the Atlantic storms with feminine names a bit more respect.

According to a study released Monday by University of Illinois researchers, hurricanes with women's names are likely to cause significantly more deaths than those with masculine names -- not because the feminine-named storms are stronger, but because they are perceived as less threatening and so people are less prepared.

People in the path of severe storms with a feminine name may take fewer protective measures, leaving them more vulnerable to harm, according to the article published in the "Proceedings of the National Academy of Sciences." It was written by Kiju Jung, a doctoral student in marketing at the university, and marketing professor Sharon Shavitt.



Earlier this year, the Office of Inspector General (OIG) put smaller life sciences companies on notice that they should put in place a risk assessment process as part of their corporate compliance program.  In its corporate integrity agreement (CIA) with EndoGastric Solutions, Inc. (EGS), the OIG required EGS to establish a risk assessment process to allow the company to:

  • Identify and assess risks associated with the sale, marketing, detailing, advertising and promotion of products reimbursed by government health care programs
  • Devise and implement specific measures to mitigate identified risks

The risk assessment requirement in the EGS CIA is one more example of the OIG clearly signaling that its expectations with respect to smaller company corporate compliance programs are not significantly different than its expectations of Big Pharma compliance programs.



Middle East Respiratory Syndrome (MERS) has been on the U.S. Centers for Disease Control and Prevention’s radar since it first appeared in Saudi Arabia in 2012. The World Health Organization called the MERS virus a “threat to the world,” because of the unknowns surrounding it, most notably how it spreads. But nothing made the threat more real than when the first case of MERS was confirmed in the U.S. on May 2, 2014.

MERS is a viral respiratory illness caused by a coronavirus called MERS-CoV. MERS has killed at least 175 people worldwide and sickened hundreds in the Middle East. It has spread from ill people to others through close contact, such as caring for or living with an infected person. People infected with MERS commonly experience fever, shortness of breath and coughing. About 30 percent of those infected with the virus die.

Given today’s interconnected world, communicable diseases are truly just a plane ride away. Therefore the potential for MERS-CoV to spread further and cause more cases globally and in the U.S. is significant. Now that MERS has officially reached U.S. soil, what should public health departments and emergency managers be doing to prepare?



Weather forecasters predict a less active than normal 2014 Atlantic hurricane season, but it only takes one bad storm to cause immense destruction. To prepare for that possibility, one coastal community, Belmar, N.J., is now relying on social media to alert, interact and stay in touch with its residents.

Belmar realized the effectiveness of social media as an emergency communications channel during Hurricane Sandy, which battered the community of nearly 6,000 residents in October 2012. According to a new analysis in a new Frost & Sullivan report, ‘Using Social Media in Disaster Planning and Response’, the effective engagement of social media during the hurricane generated nearly $750,000 in donations and supplies for the community.

During Hurricane Sandy, social media filled the gaps when residents could not get through on other channels and allowed residents to engage with officials. Belmar, in particular, utilizes social media to warn and inform residents about both smaller and larger disruptive events, such as ice and snow storms, thunderstorms and downed power lines.



Organizations around the world lose an estimated 5 percent of their annual revenues to occupational fraud, according to a survey of Certified Fraud Examiners (CFEs) who investigated cases between January 2012 and December 2013. Applied to the estimated 2013 Gross World Product, this figure translates to a potential total fraud loss of more than USD 3.7 trillion.

Based upon the findings in its 2014 Report to the Nations on Occupational Fraud & Abuse, the Association of Certified Fraud Examiners (ACFE) presents five of the top lessons business owners, directors and managers should heed to be better protected from the risk of fraud:



When disaster strikes, keep calm and march on!! Sometimes it’s not always that easy and in a real situation you really do need to carry on; if you don’t, you’re done! Over! Kaput! Even with the numerous disasters occurring in the world – some man-made, some natural – there are still many organizations that would rather take their chances with fate than invest in a Disaster Response / Emergency Response / Business Continuity Management program. When disaster does strike, these organizations are left empty handed. With no plans or processes in place to respond to the situation they must ‘wing it’ if they’re to continue staying in business – or attempt to stay in business.

So what should organizations consider and focus on if they are caught in a serious situation and they don’t have a BCM/DR program in place?

What do they need to do to try to get some level of coordination in response, restoration, recovery and resumption efforts? Below are some tips for how leaders need to view the predicament they find themselves in; a disaster/crisis with no BCM/DR program or plan in place.



If you don’t have to implement master data management (MDM), then don’t. That’s the surprising advice given by Forrester MDM and data expert, Michele Goetz.

I’ll be honest, I can’t recall anyone having said that previously. In fact, the general assumption, from vendors to analysts to authors, has been that if you have master data, you need MDM.

If you’re unfamiliar, MDM is a discipline and a technology that sits in a separate layer from your data storage and applications. As a discipline, MDM requires you to establish rules about things like which data to overwrite and which to accept as the “golden copy.” That’s the role of MDM: to establish a trusted version of your master data, to which other systems can defer.



CIO — The desire to make better decisions faster is one of the fundamental drivers of new big data analytics technologies and a general push toward data-driven decision-making. But the relationship between data and intuition — the old 'gut feeling' — is a complicated one, says Peter Swabey, senior editor, technology at the Economist Intelligence Unit (EIU), the research and analysis division of The Economist Group.

"They both play a role," Swabey says. "The process of developing data is the process of trying to identify what the true state is. In identifying that, your intuition could be a useful guide."

In an effort to better understand how business decisions are made, predictive analytics firm Applied Predictive Technologies (APT) asked the EIU to conduct a study, resulting in a report released this week: Decisive action: How businesses make decisions and how they could do it better.



I wrote in a previous post about a data center survey that found that CEOs, not CIOs, are the ones who most frequently make data center-related purchasing decisions. I noted that I wasn’t particularly surprised by that finding, but there was another finding in the same survey that did surprise me: A whopping 61 percent of the companies surveyed don’t measure their power usage effectiveness, or PUE.

I discussed that finding with Matt Miszewski, senior vice president of sales and marketing at Digital Realty, the data center operations services provider that commissioned the survey. I recognize that measuring PUE isn’t the be-all and end-all of advancing green data center operations, but the number of companies that don’t bother to measure it still seemed awfully high to me. I asked Miszewski if he was surprised by the finding, and to what he attributes the lack of focus in this area. His response:



With June 1 signaling the official start of the 2014 Atlantic Hurricane Season, all eyes are on the North Atlantic Ocean, Caribbean Sea and the Gulf of Mexico for the development of tropical storms. Fortunately, conditions for a cyclone are currently unfavorable and there’s no sign of imminent risk. But, that may not be the case for long.

In its 2014 Atlantic Hurricane Season outlook issued May 22, the National Oceanic and Atmospheric Administration’s (NOAA) Climate Prediction Center forecasted near-normal or below-normal activity with 8-13 named storms, 3-6 actual hurricanes, and 1-2 major hurricanes. Most will not take place until the peak of the season, which for the Atlantic Basin, runs from August through October. The greatest risk of cyclone development typically comes in early to mid-September.



Department of Business, Innovation & Skills Minister, Right Hon David Willetts MP, has announced the certification framework for Cyber Essentials, the government's new initiative aimed at creating a minimum expected capability for cyber security.

The Cyber Essentials Scheme (CES), announced in April, helps businesses by clearly detailing five basic cyber controls that can be cost effectively implemented in most businesses and demonstrate the minimum that should be in place to combat crime and disruption.

David Willetts said “The recent GOZeuS and CryptoLocker attacks, as well as the Ebay hack, shows how far cyber-criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent.”



With the start of the World Cup less than a week away, employers are being urged to update business continuity plans ahead of football fever – particularly where they relate to staff absences.

Staff absences are more prone to rise during large sporting events, which has a more significant impact on employers whose staff are working shifts.

Jo Eccles, business adviser at the Forum of Private Business, says: “Sporting events such as the World Cup can bring a real feel good factor and many people will want to watch and get behind England. While the majority of matches may be in the evening out of office hours for most of us, the final fixture will be towards the end of the working day and employers may want to arrange plans to allow staff to be able to watch what could be the big decider for Hodgson and his team.”



Many organizations responded to the Heartbleed Bug by conducting the appropriate risk assessments and vulnerability scanning to determine whether they were running vulnerable versions of Linux containing the affected OpenSSL versions (1.0.1 through 1.0.1f). If the vulnerability was found, they quickly moved to close it, but many organizations determined that the servers or systems they were running weren’t at risk.

The simple fact is that for hundreds of thousands of sites that ran the vulnerable OpenSSL code – which was in distribution for a year – we will probably never know whether the vulnerability was exploited, or exactly what data may have been compromised as a result of Heartbleed’s memory scraping.



The US-based Transportation Research Board has issued a new report entitled ‘A Guide for Public Transportation Pandemic Planning and Response.’

The report is designed to assist transportation organizations as they prepare for pandemics and other infectious diseases, such as seasonal flu. It outlines broad guidance on dealing with pandemic preparedness planning and provides information, tools, tips, and guidance on where to find up-to-date recommendations from federal agencies and other resources, prior to and during a pandemic.

Read the report here (PDF).

Continuity Software has published the results of its latest Service Availability Benchmark Survey, designed to enable IT infrastructure, business continuity and disaster recovery professionals to compare their organization's performance and practices to that of their peers.

The key findings of the report, based on responses from 155 IT professionals across a wide range of industries and geographies, are:

  • Over half of the companies (59 percent) had an outage in the past three months and 28 percent had an outage in the past month;
  • 41 percent of the organizations surveyed missed their service availability goal for mission critical systems in 2013;
  • 66 percent of the respondents have initiatives for improving service availability management in 2014;
  • Proactive identification of risks is the top challenge 20 percent of the respondents face in ensuring service availability;
  • The most common and most effective strategy for ensuring service availability is virtualization HA, used by 72 percent of the respondents this year compared to 63 percent in 2013.

"It is discouraging to see that such a high percentage of organizations continue to miss their service availability goals, despite the tremendous effort and investment made across the infrastructure," said Doron Pinhas, CTO, Continuity Software. "IT teams are finding themselves in a never-ending chase to keep up with the pace of change across the IT landscape. As the survey results show, IT organizations are increasingly recognizing that a proactive approach to risk identification is more effective for outage prevention than playing catchup."

Read the full report, registration required.

BCM 101 - An Introduction to Business Continuity Planning & Management

Whether you're an executive that's just been handed responsibility of developing/maintaining a business continuity program or a practitioner brand new to the profession, you've come to the right place to learn about business continuity!

Avalution designed the BCM 101 videos below to provide an overview of business continuity planning concepts and processes and answer the most common questions we receive, including: What is Business Continuity? Click any video below to start learning about business continuity right now.

Avalution is the leading provider of business continuity management consulting services in the U.S. and an expert at getting business continuity programs off the ground. We would love to have a conversation to discuss your business continuity and disaster recovery challenges. If you're ready to get started, contact us today.


CIO — WASHINGTON — In many ways, the challenges of improving healthcare through technology revolve around data.

It's a boom time for health IT startups that have been developing mobile devices and tools to collect more data about patients' adherence to treatment plans, monitor anything from chronic conditions to caloric intake, and any number of other applications.

At their core, those businesses launched with the vision that more data can address public health issues, reduce the costs of care, improve patient outcomes — or all of the above.



Have business intelligence and analytics “jumped the shark” with CIOs?

Gartner analyst Andrew White thinks so. In a recent post, White said he thinks the popularity of BI and analytics is “about to play out its course.”

It’s a bold statement, but perhaps not as daring as it may at first seem. White points out that BI/analytics has been a top priority for CIOs for several years. This year, however, it ranked fourth when Gartner asked top leaders to name the “most important technology-enabled capability investment over the next five years.”



Airmic and insurance information specialists, Axco, have launched a database of regulatory requirements designed to address one of the most pressing problems facing risk managers – confirming that their insurance programmes are compliant globally. Insight Risk Manager provides crucial intelligence on local compliance and regulatory insurance requirements, policy conditions and premium payment terms.

“Insight Risk Manager is more than just a valuable tool – it’s a potential game-changer,” said Airmic chair-elect Helen Pope. “Compliance for global insurance programmes will probably never be easy, but the new database will provide risk managers with access to a single, authoritative source they can consult whenever they want.”



A paper, published today by the European School of Management and Technology in Berlin and Sungard Availability Services, reveals the unique opportunity that digitisation has provided for chief information officers to elevate their position and to drive the wider business agenda within their organisations.

Digital Dynamics in the C-Suite: Accelerating Digitisation with the Right Conversations, written by Joe Peppard, professor of management at the European School of Management and Technology in Berlin, outlines how customer interactions and experiences are increasingly shaped by technology. It also identifies major shifts whereby the role of technology in business can be truly transformative and offers CIOs guidance to help them evolve, if not accelerate, their organisations’ digital agendas through digital cross-collaboration.



Planning for business continuity includes identifying real risks and evaluating their impact on business activities and objectives. The risks to be included are the ones that could reasonably be held to apply to an organisation. Of course, each entity needs to make its own list, because many risks are situation-specific. For example, an enterprise in the middle of the desert is unlikely to include the risk of a plane crashing on its premises. On the other hand, for a company located next to an airport, the risk is more relevant. But what part should large-scale political or environmental shocks play in business continuity planning?



eBRP conducted the first in its series of Incident Readiness: Plan Today. Test Today. webinars on May 29th. Measuring the impact of an online webinar is a bit subjective, but we were gratified by the number of attendees – and especially the large percentage who stayed until the end (even when the Q&A period ran long beyond the stated hour-long objective). Here is a sampling of email feedback we received:



Charlie Maclean-Bristol provides some practical advice for business continuity managers who are preparing for an ISO 22301 certification audit.

Recently I was in Fremont, California, supporting a business through an ISO 22301 audit. My company had been working with the business in question for a year to get it ready for the audit and we had already taken part of the organization (the part based in Sweden) to ISO 22301 certification, so we were fairly confident that we would pass this audit. However, a different auditor is always an unknown entity. This meant that the audit was, as always, approached with a little apprehension.

The following are 15 points I learned from this particular audit:



A survey by Ipswitch has found that fear of reputational damage is the biggest driver for business professionals to comply with data security laws. Yet the majority are still failing to secure the transfer of critical files.

The survey, conducted at the end of April 2014, asked 415 business professionals working across the EU about attitudes, practices and technologies relating to data security and protection. The results also show that the UK is seen as having tighter data protection laws than Germany or France. However, the vast majority think the UK’s data protection laws need to be even stricter.



Computerworld — Ever since we learned that last autumn's massive Target data breach was accomplished with the use of access credentials stolen from a third-party vendor, I've been concerned about similar threats at my company. We use lots of vendors, many of which have access to our network. I've spent a lot of money, time and energy fortifying my network and its perimeter. But what if one of the vendors gets compromised? Could hackers sneak into my network through the side door, posing as a legitimate service employee?

Of course, this is really nothing new. I've written a few columns in the past about problem vendors and some of the things I've done to deal with the consequences of business managers signing contracts with third parties without involving my team. I've also mentioned in the past that I try to review third-party SSAE16 (previously SAS70) reports on our vendors that audit firms have produced, and I hope those reports are accurate and unbiased.



James O’Donnell pulls no punches. “The sea level is going to rise, that’s for sure,” said the professor of marine sciences at the University of Connecticut. “It has been rising for 10,000 years; it’s just accelerated recently. The biggest danger is that we don’t do anything.”

But Connecticut is doing something. Officials in the state, which has been bruised and battered in the past few years by storms both named — Sandy and Irene — and unnamed, announced the creation of the Institute for Community Resiliency and Climate Adaptation in January.

It’s a collaborative effort among UConn, the state Department of Energy and Environmental Protection and the National Oceanic and Atmospheric Administration, and its goal is to create real-world solutions for the growing risks to both life and property that are being posed by climate change.



According to a study recently released by Forrester Consulting, data center related purchasing decisions in companies of all sizes are more likely to be made by the CEO than by the CIO, or by any other IT executive.

I recently had the opportunity to discuss that finding with Matt Miszewski, senior vice president of sales and marketing at Digital Realty, a data center operations services provider in San Francisco, and the company that commissioned the survey. Don’t let that sales and marketing title put you off—Miszewski has solid CIO credentials as the former CIO of the state of Wisconsin. So you’ll be happy to know that he doesn’t talk like a sales and marketing guy.

For starters, I asked Miszewski, based on his experience, whether the fact that CEOs most frequently call the data center shots is a relatively new phenomenon, or the way it’s always been. He responded wearing his former CIO hat:



Combined efforts to guard against the threat of malware are laudable, but the threat posed by cyber criminals remains. Commenting on news this week that computer users are being urged to protect their machines from malware which could allow hackers to steal financial data, Stephen Bonner, a partner in KPMG's cyber security practice, says this "fantastic effort...has cut the head of the hydra of the control networks that steal banking access and encrypt data for ransom".

These actions not only cut off the flow of money to the perpetrators and help unmask their identities, but also mean current infections cannot be updated with new versions. Bonner stresses, however, that the threat remains: “Like any hydra, the heads will grow back and organised crime will return, but this event presents a unique opportunity to clean up our systems while the criminals cannot update their infections.



Often our staff tries to avoid a “re-inventing the wheel” approach when addressing inquiries from our readers. To that point, and in answer to several inquiries of “how do I organize an Emergency Management or Disaster Preparedness guide for where I work, and for where I live?”, our staff reviewed its inventory of past articles and disaster recovery materials and decided to focus on a recent project completed in Santa Rosa County in the state of Florida.

Knowing that emergencies and disasters can happen anywhere and anytime, the Santa Rosa County Board of Commissioners supported and created their Emergency Management/Disaster Preparedness Guide.  This guide was put together to provide its residents, visitors and businesses with valuable information in order to help them better plan and prepare for man-made and natural disasters.  This guide might well be a basis for and perhaps an integral part of your own preparedness plans in your community, where you work and especially in your personal preparedness plan.

MONTGOMERY, Ala. – Alabama emergency managers kept one eye on the destruction occurring in Mississippi as they prepared for supercell storm systems to enter their state during the afternoon and early evening of April 28.

Alabamians heeded meteorologists’ dire warnings that this system appeared to be “a particularly dangerous situation” by closing schools and government offices in the early afternoon. Gov. Robert Bentley issued a state of emergency for all 67 counties because of the threat.

Storms Enter the State at 1 p.m.

All the ingredients for tornado development were parked over Alabama as the storms rolled into the northwest region of the state at about 1 p.m. When the outbreak subsided at 6:30 p.m., 29 tornadoes were recorded, homes and buildings were destroyed by high winds of up to 88 mph and hail the size of baseballs damaged roofs and vehicles.

The damage was widespread with roads impassable, trees and electrical wires down and several reports of people trapped in their homes. Five people died, 16 were injured.

In the southern part of the state, flooding was a major problem with 23.67 inches of rain recorded in Mobile. Search and rescue teams were dispatched for door-to-door searches to find trapped survivors throughout the state.

At the height of the storm, more than 126,000 power outages were reported by the state. The American Red Cross opened five shelters in hardest-hit counties. Some 65 community safe rooms were utilized, saving countless lives.

Later, meteorologists pronounced that the April 28th storms spawned the fourth highest number of tornadoes in a single event. According to the National Weather Service, the outbreak left a swath of damage almost 200 miles long across the state. The weather service also confirmed four EF-3 tornadoes (the Fujita Scale of tornado strength ranges from EF-0 to EF-5), severe storms, straight-line winds and flooding affecting 31 counties.

At the state Emergency Operations Center (EOC) in Clanton, staff compiled and analyzed reports coming in from the counties. With more than $6.7 million in damages and knowing that amount surpassed the state’s ability to absorb, State Emergency Manager Art Faulkner reported to Gov. Bentley that he should seek federal assistance.

The governor asked for the help of the Federal Emergency Management Agency. President Obama expedited a major disaster declaration on May 2, opening the doors for federal aid.

Initially, four counties were declared for Individual Assistance and five counties for Public Assistance. Following a declaration amendment on May 8, another five counties were added for Individual Assistance, which provides grants for individuals and households.

On May 12, 13 counties were added for Public Assistance, which includes emergency reimbursements for protective measures, repairs to roads and bridges, public buildings and infrastructure as well as debris removal.

Counties designated for Individual Assistance include: Baldwin, Blount, DeKalb, Etowah, Jefferson, Lee, Limestone, Mobile and Tuscaloosa.

Counties designated for Public Assistance include: Baldwin, Butler, Covington, Crenshaw, Dale, DeKalb, Etowah, Franklin, Geneva, Jefferson, Lamar, Lee, Limestone, Mobile, Perry, Pickens and Tuscaloosa.

Recovery Begins

FEMA, one of Alabama’s federal partners, prepositioned a mobile command center at the Alabama EOC to assist in the response effort.

Within 24 hours of the declaration, preliminary damage assessments for Public Assistance had been completed for Baldwin, Jefferson and Limestone counties. Individual Assistance preliminary damage assessments were started in Blount, DeKalb, Etowah, Mobile and Tuscaloosa counties.

Meanwhile, FEMA staff worked to prepare for and deploy equipment for three Disaster Recovery Centers – two in Jefferson and one in Lee counties, while teams of Disaster Survivor Assistance specialists traveled to the state EOC. These teams would fan out across the state to assess, inform and report the situation in communities, as well as going door-to-door to provide on-the-spot FEMA registration for survivors.

The U.S. Small Business Administration, another federal partner, dispatched its staff to Alabama to assist in the outreach to survivors and offer low-interest rate loans to individuals and businesses.

Registration was underway. By close of business May 6, more than 1,800 registrations had been received via the FEMA call center, online and mobile registration. Twenty-six inspectors were in the field, with 1,195 damage inspections completed.

FEMA Grants Help Bring Relief to Survivors

By May 20, more than 300 FEMA and state employees were working in the Montgomery Joint Field Office to bring a sense of normalcy back to the lives of those affected by the storms.

Three weeks after the storm, FEMA had approved more than $11 million in Individual Assistance grants, and another federal partner, the SBA, had approved $1.6 million in low-interest, long-term loans. Millions more in Public Assistance dollars will help with the impact to municipalities and government services.

At peak operations, 11 Disaster Recovery Centers were operating in affected counties. More than 3,100 visits to the centers had been made to register for FEMA assistance, ask questions of state and federal officials and learn what programs were available.

At the busiest period, 52 FEMA housing inspectors were in the field, resulting in 95 percent of home damage inspections completed within two days – a rate that remains one month from the date of the disaster.

Also one month after the disaster, federal aid for Alabama tops $20 million with $15 million approved through FEMA’s Individuals and Households Program and another $5 million through approved SBA low-interest disaster loans.

With 38 FEMA housing inspectors now in the field, 95 percent of home damage inspections are being completed within two days.

As of Monday, June 2, six Disaster Recovery Centers remain open: two centers in Baldwin, two in Jefferson, and one center each in Limestone and Mobile counties. The SBA is operating a Disaster Loan Outreach center in Tuscaloosa, which also will have FEMA registration information available.

The deadline for FEMA registration is July 1.

Survivors can register at the recovery centers from 9 a.m. to 6 p.m., Monday through Saturday; by phone, call 800-621-3362 (FEMA) from 7 a.m. to 10 p.m. local time, multilingual operators are available; TTY is 800-462-7585; by computer, go online to www.DisasterAssistance.gov; or by smartphone and tablet, use m.fema.gov.

In a recent blog, I discussed the results of a report by Brother on how small businesses believed that investing in new technology provided a better ROI than investing in new employees. Another statistic from that report showed that 64 percent of the respondents felt “overwhelmed” by new technology. This response isn’t surprising if you consider that another report by Parks Associates identified that small businesses spend less than $1,000 per year on technical support services. If you couple those two percentages with the fact that technology advancements are on the rise in every market including BYOD, the Internet of Things, social networking and the cloud, running a small business in the digital age can be downright daunting.

New technology being implemented by SMBs is opening new doors for tech support service providers to grow. Jim O’Neill, research analyst for Parks Associates, paints a positive picture for service partners that provide help desk support:



A lot of buzz surrounds how to become a digital business right now, but precious little about what the term actually means.

Several pieces use some variation of this explanation from Gartner Fellow Ken McGee:

“Digital business is not synonymous with IT. It is about revenue, value, markets and customers. It is outward-focused. It is a metaphorical combination of front office, top line and downstage compared with back office, bottom line and backstage. True, information and technology help to build the capabilities for digital businesses, but they are only part of a complex picture.”



PENSACOLA, Fla. – The State/FEMA disaster recovery center located at the Milton campus of Pensacola State College is transitioning Monday, June 2, to a U.S. Small Business Administration disaster loan outreach center.

SBA customer service representatives will be on hand at the loan outreach center to answer questions about SBA’s disaster loan program and explain the application process. Survivors can get help applying for or closing out low-interest disaster loans. The center is located at:

Pensacola State College

Milton Campus

Building 4000

5988 Highway 90

Milton, FL 32583

The disaster recovery center will be open from 8 a.m. to 7 p.m. on Friday and Saturday, and 11 a.m. to 7 p.m. on Sunday, June 1.

Beginning Monday, June 2, the SBA disaster loan outreach center will be open on weekdays from 9 a.m. to 6 p.m., until further notice.

The Milton disaster recovery center opened May 10 to help survivors who sustained damage during the severe storms, tornadoes and flooding from April 28 through May 6. The center has received more than 300 visits in nearly three weeks.

It is not necessary to visit a disaster recovery center to register with FEMA. Disaster survivors can continue to register online at DisasterAssistance.gov, via smartphone at m.fema.gov or by phone at 800-621-3362. Survivors who are deaf, hard of hearing or have a speech disability can call (TTY) 800-462-7585.

To apply for an SBA low-interest disaster loan, survivors can find the electronic loan application on SBA’s secure website at disasterloan.sba.gov/ela. Questions can be answered by calling the SBA disaster customer service center at 800-659-2955/(TTY) 800-877-8339 or visiting www.sba.gov.

For more information on Florida disaster recovery, click fema.gov/disaster/4177, visit the Florida Division of Emergency Management website at FloridaDisaster.org or the Facebook page at facebook.com/FloridaSERT.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY call 800-462-7585.

FEMA’s temporary housing assistance and grants for childcare, medical, dental expenses and/or funeral expenses do not require individuals to apply for an SBA loan. However, those who receive SBA loan applications must submit them to SBA to be eligible for assistance that covers personal property, transportation, vehicle repair or replacement, and moving and storage expenses.

JACKSON, Miss. – As Mississippi disaster survivors receive FEMA checks or direct deposits to help them recover from the severe storms, tornadoes and flooding of April 28 through May 3, it is important to understand that there are limits on how the money can be spent.

Using the money for anything other than eligible expenses could result in having to return funds to FEMA.

FEMA does not provide survivors with an itemized list of eligible expenses tailored to their specific situation. But it does provide an important booklet, “Help After a Disaster,” that spells out the kinds of expenses authorized in the Individuals and Households Program.

The grant covers only repair or replacement of items that were damaged as a direct result of the disaster and were not covered by insurance. Repairs and rebuilding may not improve a home above its pre-disaster condition unless such improvements are required by current building codes.

Use of the money is limited to repairing the home so that it is safe and sanitary so survivors can live there. It will not be enough to return the home to its condition before the disaster.

The money can be spent to repair structural parts of the home such as foundation, outside walls and roof.

Survivors also may use FEMA assistance provided for housing needs to repair:

  • Windows, doors, floors, walls, ceilings and cabinetry.
  • Septic or sewage systems.
  • Wells or other water system.
  • Heating, ventilating and air conditioning.
  • Utilities (electrical, plumbing and gas).
  • Entrance and exit ways, including privately-owned access roads.
  • Blocking, leveling and anchoring of a mobile home and reconnecting or resetting its sewer, water, electrical and fuel lines and tanks.

Survivors also may receive money for “Other than Housing Needs.” This money is provided to repair damaged personal property or to pay for disaster-related expenses and serious needs, limited to items or services that help prevent or overcome a disaster-related hardship, injury or adverse condition. It does not pay to return or replace personal property to its condition before the disaster.

Examples of allowable Other than Housing Needs are disaster-related medical and dental costs, funeral and burial expenses, clothing, household items, heating fuel, disaster-specific clean-up items, a vehicle damaged by the disaster and moving and storage expenses.

Survivors should keep bills and receipts for three years to show how all of the FEMA grant money was spent. FEMA is authorized to do an audit.

Disaster survivors in Itawamba, Jones, Leake, Lee, Lowndes, Madison, Montgomery, Rankin, Simpson, Warren, Wayne and Winston counties may be eligible for FEMA’s Individual Assistance program. The deadline to register is June 30, 2014.

Individuals and households in those counties can register for FEMA Individual Assistance online at DisasterAssistance.gov, via smartphone or tablet at m.FEMA.gov or by calling the FEMA helpline at 800-621-FEMA (3362). People who are deaf, hard of hearing or have a speech disability and use a TTY should call 800-462-7585. Lines are open 7 a.m. to 10 p.m. (central time) and assistance is available in multiple languages.

For more information on Mississippi disaster recovery, go to FEMA.gov/Disaster/4175. Visit the MEMA site at msema.org or on Facebook at facebook.com/msemaorg.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). If you have a speech disability or hearing loss and use a TTY, call 800-462-7585 directly; if you use 711 or Video Relay Service (VRS), call 800-621-3362.

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.


Last Updated: June 3, 2014 - 12:28

IDG News Service (New York Bureau) — As it preps Oracle Enterprise Manager to run private clouds, Oracle has released an update to the management software that offers the ability for organizations to offer production-ready databases as a service.

Oracle Enterprise Manager 12c release 4 is the first version of the software to "offer enterprise-grade databases as a service with high availability and disaster recovery," said Dan Koloski, senior director of product management for the Oracle Enterprise Manager line of software. "We want our customers to consume their databases in an agile environment."

The new release also offers advancements in managing middleware and in access control.



The Institute of Directors has authored a guide to outline the practical lessons for organizations from the World Economic Forum Global Risk 2014 report.

‘Responding to Global Risks: a practical guide for business leaders’ has been developed in conjunction with Airmic, PWC, Marsh and Zurich.

The publication aims to offer a practical guide to risk management and insurance solutions in response to the top global macro financial, societal, economic and environmental risks.

Read the document (PDF).

The Software Engineering Institute's (SEI) CERT Division has published a technical note which describes the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC), a risk-based way to assess an organization's information security incident management function.

The document’s abstract reads as follows:

“An incident management (IM) function is responsible for performing the broad range of activities associated with managing computer security events and incidents. For many years, the Software Engineering Institute's (SEI) CERT Division has developed practices for building and sustaining IM functions in government and industry organizations worldwide. Based on their field experiences over the years, CERT researchers identified a community need for a time-efficient means of assessing an IM function. The Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC) is designed to address this need. The MRD-IMC is a risk-based approach for assessing the extent to which an IM function is in position to achieve its mission and objectives. Analysts applying the MRD-IMC evaluate a set of systemic risk factors (called drivers) to aggregate decision-making data and provide decision makers with a benchmark of an IM function's current state. The resulting gap between the current and desired states points to specific areas where additional investment is warranted. The MRD-IMC can be viewed as a first-pass screening (i.e., a "health check") or high-level diagnosis of conditions that enable and impede the successful completion of the IM function's mission and objectives. This technical note provides an overview of the MRD-IMC method.”

Author(s): Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle, Mark Zajicek

Read the document

Computerworld — The White House plan to cut carbon dioxide pollution by 30% seeks to meet its goals, in part, through efficiency improvements. This could put further pressure on data centers to improve efficiency, many of which are powering servers that are doing very little work or none at all.

For instance, a recent Uptime Institute survey asked enterprise data professionals: "What percentage of your servers are likely comatose?" About 60% of respondents said the number of comatose servers was under 5%. But nearly 25% put at least 10% of their servers into that category.

The problem may be bigger than the Uptime survey indicates.

"Most data center operators can't even tell you how many servers they have, never mind their utilization, so caution in interpreting those numbers is indicated," said Jonathan Koomey, a research fellow at the Steyer-Taylor Center for Energy Policy and Finance at Stanford University. "The percentages for comatose servers are likely much bigger."



Is another pandemic on the way? The generic coronavirus is common everywhere, but this one – Middle East respiratory syndrome coronavirus, or MERS-CoV – is a particularly virulent strain. It’s also on the move. The World Health Organization published information on May 1st about serious infection of a hospital patient in Egypt who had returned to the country after a stay in Riyadh, Saudi Arabia. On May 2nd, the first U.S. case of MERS was identified in a traveller arriving from Saudi Arabia. Recent similar illnesses include the SARS outbreak in 2003. What precautions are necessary this time?



It didn’t take long after the tragedy of the Oso, Wash., March mudslide for everyone to wonder: Should local officials have done more to prevent people from building in harm’s way?

The local emergency management director, John Pennington, was grief-stricken. “We did everything we could,” he told reporters. He added, “Sometimes big events just happen. Sometimes large events that nobody sees happen. And this just happened.”

A retired architect who had a weekend home in the path of the slide — and who lost many of his neighbors — told The Seattle Times, “We are not a bunch of stupid people ignoring warnings.” He explained, “We all make risk assessments every day of our lives. But you cannot make a risk assessment on information you do not have.”



CIO — Last month, the White House released its 90-day review of big data and privacy, renewing the call for a Consumer Privacy Bill of Rights along with a number of other policy recommendations.

With the administration and legislators (and regulatory bodies like the Federal Trade Commission) now considering issues of data collection and privacy, how should CIOs advise their organizations about going forward with big data initiatives?

"My advice is people should move very, very aggressively into this area of big data," says Lanny Cohen, global CTO of technology consulting firm Capgemini. "I think, at the end of the day, this is going to become one of the biggest sources of competitive advantage that an enterprise can have. Those enterprises that really have, as a core competency, the ability to gather data, analyze it and act on it are going to have a major advantage."




PwC has just released their 2014 US State of Cybercrime report. Key findings reveal that while the number of cybercrime incidents and the monetary losses associated with them continue to rise, most US organisations’ cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries. According to the report, only 38% of companies have a methodology to prioritise security investments based on risk and impact to business strategy.

The survey finds that most organisations do not take a strategic approach to cyber security spending. It also found that, worryingly, organisations do not assess security capabilities of third-party providers.

In general, the survey found that supply chain risks are not understood or adequately assessed, and that security for mobile devices is inadequate and has elevated risks.



JACKSON, MS. — Survivors may not know about disaster help from the U.S. Small Business Administration that could lead to a smarter, faster recovery for businesses, homeowners, renters or private nonprofits.

Economic Injury Disaster Loan

SBA offers a working capital loan to relieve the economic injury caused by the disaster. A disaster loan is available to eligible businesses as well as private nonprofits even if property was not damaged by the severe storms, tornadoes and flooding that occurred April 28 thru May 3, 2014. 

These loans are for small businesses, small agricultural cooperatives, small businesses engaged in aquaculture and certain private, nonprofit organizations of all sizes to cover unpaid bills and lost business due to the disaster. Economic Injury Disaster Loans are also given in amounts up to $2 million, but the total of both physical damage and economic injury loans cannot exceed $2 million. Economic Injury Disaster Loan assistance is available regardless of whether the business suffered any physical property damage.

There are 45 Mississippi counties eligible for Economic Injury Disaster Loans. The first 12 counties are those designated by the presidential disaster declaration for FEMA Individual Assistance.  Those counties are Itawamba, Jones, Leake, Lee, Lowndes, Madison, Montgomery, Rankin, Simpson, Warren, Wayne and Winston. 

Thirty-three other counties are eligible because each shares a border with one of the 12 disaster-designated counties. These additional counties eligible only for an Economic Injury Disaster Loan are Attala, Carroll, Chickasaw, Choctaw, Claiborne, Clarke, Clay, Copiah, Covington, Forrest, Greene, Grenada, Hinds, Holmes, Issaquena, Jasper, Jefferson Davis, Kemper, Lawrence, Monroe, Neshoba, Newton, Noxubee, Oktibbeha, Perry, Pontotoc, Prentiss, Scott, Smith, Tishomingo, Union, Webster and Yazoo in Mississippi. 

Physical Damage Disaster Loans

Businesses and private non-profit organizations of any size may borrow up to $2 million to repair or replace disaster damaged or destroyed real estate, machinery and equipment, inventory and other business assets. The SBA may increase a loan up to 20 percent of the total amount of disaster damage to real estate and/or leasehold improvements, as verified by SBA, to make improvements that lessen the risk of property damage by future disasters of the same kind. 

Interest rates are as low as 4 percent for businesses, 2.625 percent for non-profit organizations and 2.188 percent for homeowners and renters with terms up to 30 years. Loan amounts and terms are set by the SBA and are based on each applicant’s financial condition.

Deferred Disaster Loan Payments

The first payment for a disaster loan is due five months from the date of the SBA Note.

The deadline to apply for an SBA Physical damage loan is June 30, 2014, and for Economic Injury Disaster Loans the deadline is January 30, 2015. 

A simple and fast way to complete the application is online, using the SBA’s electronic loan application. Go to https://DisasterLoan.SBA.gov/ELA. Plus, you can receive a status of your application by calling 800-659-2955 or TTY 800-877-8339, or visiting sba.gov/disaster. SBA customer service representatives are available at ALL disaster recovery centers. Disaster recovery center locations can be found online at FEMA.gov/DRCLocator or by calling 800-621-3362 (TTY 462-7585).

Do not wait on an insurance settlement before returning an application. Insurance may not pay for all of the disaster-related damage. Survivors can begin their recovery immediately with an SBA disaster loan. The loan balance will be reduced by the insurance settlement.

For more information on Mississippi disaster recovery, click fema.gov/disaster/4175. Visit the MEMA site at msema.org or on Facebook at facebook.com/msemaorg.

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA home loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

In the digital version of “physician, heal thyself,” it seems that some large data organizations are utilizing Big Data and other advanced functions for their own purposes, namely, driving greater efficiency and performance in the data center.

It only makes sense, after all, that a construct as complicated as a virtual, dynamic data environment would need all the help it can get to not only provide an accurate picture of what is going on amid myriad boxes and wires, but also tell how best to improve things.

Google, for example, is turning toward advanced machine intelligence at some of its largest facilities with an eye toward fulfilling the twin goals of greater performance and less energy consumption. Through the use of neural networks and advanced analytics, the company says it is well on the way to the kind of predictive functionality that absorbs everything from IT loads, pump speeds, cooling metrics and hundreds of other data points. With advanced modeling, the company says it can calculate the expected PUE of a properly equipped facility with 99.6 percent accuracy.



IBM launched a new cloud-based service program this week to help companies jump-start Big Data analytics, called IBM Cloud Business Solutions.

The first batch includes 12 subscription-based managed services, which basically means it couples consulting services with pre-built IBM assets, including advanced analytics and cloud infrastructure.

Eventually, IBM will have 20 cloud-based business solutions available. The first dozen address high-demand areas such as customer analytics, customer data, marketing management and industry-specific mobile tools.

IBM ranked as one of Information Week’s top 16 Big Data Analytics Platforms earlier this year, but this is its first foray into a cloud-based service for Big Data. Other companies do offer cloud-based Big Data analytics, including two pure-plays, 1010data and Amazon Web Services (AWS).



Monday, 02 June 2014 14:33

Insuring Against Third-Party Cyberrisk

The tremendous growth in cyber insurance is being fueled in part by the desire of companies to cede some of the risk of a cyber breach to insurers.  In many cases insurers are eager to take on this risk—provided they can objectively quantify and understand the risks they are underwriting.

However, is it enough to only look at the cyber risk of the insured?  Increasingly companies are being attacked through their third-party vendor networks; one study by the Ponemon Institute reported 23% of data breaches are attributable to third party vendors. As companies share critical customer information with vendors, they expose themselves to a breach through these extended networks. Criminals have even started to target small to medium sized companies as a way to access the sensitive information of the larger firms they serve.



Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.”  This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.

First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target’s technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they, in essence, end the conversation. The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives?



Previously, I shared how some executives are skeptical about Big Data analytics and its ability to match their own business intuition.

This made me wonder: How do some leaders find that Big Data analytics actually enlightens their business behavior? To help you find the path, I’ve compiled five expert tips that may illuminate your Big Data analytics projects.

Tip 1: New analytics often requires new behaviors. Michael Schrage, a research fellow at MIT Sloan School’s Center for Digital Business, says in his discussions with companies, those who struggle or achieve only moderate outcomes tend to use Big Data analytics primarily for decision support. By contrast, Big Data achievers leverage Big Data to change their conversations.



CSO - Signal-to-noise ratios are hard to manage. As a security professional, you want the threat data, you want the attack notifications and alerts, and you need intelligence. But, when there's too much coming in, those alerts and notifications fall to the wayside. They're easily dismissed and ignored.

After all, if a device is generating 60 alerts a day - and for the first few weeks none of them amount to anything - as new alerts from that device arrive, they're eventually going to be dismissed.

This happens because the IT / InfoSec department has other things to worry about, and there isn't enough time (or people) to deal with a flood of alerts. It's possible the device generating the alerts will be properly tuned and configured later, but that depends on the staff's workload.



In its 2014 “Business Risk Index,” Travelers surveyed more than 1,100 businesses on the top risks they perceive and how ready they are to mitigate those threats. Overall, respondents clearly see an increasingly risky world around them, but feel notably unprepared to handle the risks. The top seven threats, in order of reported concern, are: medical cost inflation, increasing employee benefit costs, legal liability, broad economic uncertainty, cyberrisk, complying with laws, and attracting and retaining talent.

Check out this infographic for more of the study’s insights:



Rather than simply changing the location where a particular piece of technology is deployed and moving it into someone else’s data center, many organizations are looking for something that actually behaves more like a turnkey service.

With that issue in mind, IBM today announced that it plans to make available 20 different cloud services this year that range from customer analytics as a service to mobile as a service.

The services are collectively part of a suite known as IBM Cloud Business Solutions. Sanjay Rishi, managing partner for cloud consulting services for IBM Global Business Services, says the goal is to give customers a more turnkey approach to cloud computing that more easily scales.



Massive security breaches, like the Target breach last December, and the infamous TJX breach in 2007, have something conspicuously in common: The data that would have enabled the companies to detect those breaches existed in their environments, and proper data analysis would have found them. The reason companies aren’t finding such breaches earlier is that they lack the data analytics talent necessary to do so.

I came away with that understanding from a recent interview with Alex Moss, a veteran IT security expert and managing partner at Conventus, an information security consulting firm in Chicago. The next generation of IT security pros, Moss says, will be data analysts.

Moss encapsulated the crux of the situation this way:



PwC Japan has published a detailed report following a survey of Japanese IT organizations.

‘IT-BCP Survey 2014 Report’ is based on a survey PwC Japan conducted between 2nd September 2013 and 13th October 2013.

The survey identified a wide gap between perceptions of the potential for disruption and the amount of continuity planning conducted.

Key findings included:

  • 42 percent of respondents experienced information system failure in the previous 12 months; and 30 percent of these experienced downtime of more than six hours.
  • 58 percent of respondents stated that their organizations had IT continuity measures in place, a reduction from a similar survey in 2012 which found that 69 percent had IT continuity measures in place.
  • Only 26 percent of respondents have identified all the important information systems that must be recovered immediately to resume business activities; and only 20 percent have decided on recovery priorities for information systems.
  • 41 percent of respondents have not conducted hands-on drills and exercises.
  • 90 percent of respondents reported that the upper management team had not participated in training and exercises in the past 12 months.

Read the full survey report as a PDF.

Just think how exciting the world of disaster recovery has become. What used to be exclusively tape storage has branched out into all kinds of disk storage, virtual snapshots, deduplication and cloud object storage. That’s great for DR managers, right? Not so fast. One of the central elements of disaster recovery is risk mitigation, which has its counterpart in job security – as in ‘I don’t want to get fired because I lost data using a new technology that failed’. The Chinese have an ancient curse that reflects this situation: ‘May you live in interesting times’. Are new disaster recovery solutions a curse for the busy DR manager or a chance to reduce stress while increasing resilience?



JACKSON, Miss. – It was April 28 when tornadoes swept from west to east across Mississippi, the beginning of five days of severe storms that also brought rain and flooding. The National Weather Service confirmed 23 tornadoes in the state and 14 deaths. More than 1,200 homes and 90 businesses were destroyed or sustained major damage. Approximately 2,000 homes and 200 businesses were damaged in some way. Two days into the event, Governor Phil Bryant’s request for a federal disaster declaration was granted by President Obama.

A dozen counties were so badly damaged they soon qualified for federal Individual Assistance to help individuals and households. Public Assistance was also included to help local governments, and certain private nonprofits in 10 counties.

The American Red Cross quickly opened shelters for those displaced by the tornadoes and eventually operated six shelters which provided 678 overnight stays, 21,512 meals and 25,721 snacks by the time they closed. The Salvation Army opened eight mobile kitchens (“Canteens”) and three fixed feeding sites. They served 10,256 meals, 13,547 beverages and 7,328 snacks.



The health care industry has had its share of cybersecurity breakdowns over the years. The vast majority of health care organizations have suffered at least one data breach within the last two years, according to a Doctor’s Lounge article, but the article goes on to say that the number of organizations with five or more breaches has decreased. That’s good news, I guess, but you have to wonder why these health care companies are having so many breaches.

Earlier this year, the Identity Theft Resource Center revealed that the health care industry suffered 43 percent of all the breaches that occurred in 2013. It’s not hard to figure out why health care is targeted so often. These organizations hold massive amounts of intensely personal data.

As Jason Fredrickson, senior director of enterprise application development at Guidance Software, said to me during a conversation we had last week, the personally identifiable information (PII) is only one part of the data breach equation. It is the one that tends to get all of the attention, and to be honest, the majority of data breaches involving health care involve patient records. However, Fredrickson said there is a much bigger and scarier security breach looming within the health care industry:



Network World — Generally thought of as having up to 500 employees, small businesses constitute the vast majority of companies in the United States, making them a critical part of the economy. Their customers naturally expect personal and financial data to be kept secure, and a data breach is a painful and expensive ordeal. Like the larger enterprises, small businesses that accept payment cards have to follow Payment Card Industry rules. It can be daunting for a small business that may not even have an IT department to think about how to tackle network security.



Continuity Central is currently conducting a wide-ranging survey into business continuity software usage. There has been a good response so far and, with two weeks to go until the survey closes, here is a taste of the trends that are emerging:

Business continuity software usage is not ubiquitous

51 percent of survey respondents use specialist business continuity software to build, review or manage any aspect of their business continuity plan or business continuity management system. 49 percent do not.

Individual software packages are the order of the day

83 percent of respondents who use specialist business continuity software use only one business continuity software package. 17 percent use more than one.

Most users use business continuity software for BIAs and for business continuity plans

The survey asked respondents to identify the different areas within a business continuity management system where they use specialist business continuity software. The results so far show that usage is focussed on BIAs and on business continuity plan writing and updating.

The figures below give a usage breakdown:

Question: If you use business continuity software in your organization, which of the following do you use it for?

  • Manage and update business continuity plans: 82.61%
  • Write and develop business continuity plans: 80.43%
  • Carry out BIAs: 80.43%
  • Conduct tests and exercises: 63.04%
  • Audit business continuity management systems: 58.70%
  • Conduct risk assessments: 58.70%
  • Manage and co-ordinate your incident / crisis management response: 58.70%
  • Carry out post-incident reviews: 41.30%
  • Raise awareness of business continuity within the wider organization: 32.61%
  • Train business continuity personnel: 30.43%
  • Carry out benchmarking activities: 28.26%

Market analysis

The full survey results, published after the survey closes on 13th June, will provide an analysis of the different business continuity software packages being used by respondents. Overall, most users seem to be reasonably satisfied with their business continuity software: with the highest satisfaction scores being in the areas of 'customer care and support' and 'value for money'. 'Ease of use' is the area where users seem to be the least satisfied.

Take part

To take part in the survey go to https://www.surveymonkey.com/s/bcsoftware

Wednesday, 28 May 2014 14:36

Crisis communications and the CEO

By Jim Preen

These days, CEOs have to be visible in an emergency. If the media feels they’re hiding, questions will be asked. Why’s she not taking responsibility? What’s he got to hide?

Part of the problem for a CEO is the huge switch that happens to their lives in a crisis: a switch that goes to the very heart of what it means to be a boss.

Over the years a chief executive rises to the top of the corporate ladder, is well remunerated, but saddled with heavy responsibilities. Naturally their staff and others treat them with a great deal of deference and respect, but outside their own sector they are often unknown to the general public. They are high profile to their staff, but remain, in most cases, private citizens.



By Joel Dolisy

Last year, some of the largest and most well-known brands across the globe, including Google, Facebook and Twitter, experienced interruptions to their services due to network outages. Whether these organizations experienced downtime due to internal network errors or full-blown [Distributed] Denial of Service [D]DoS attacks, the costs to their reputations and, in some cases, their revenues, proved significant.

Which is the greater threat?

While media reports tend to hype-up the presence of hackers, the reality is that most outages are caused by an organization’s own network. A recent Gartner study projected that by 2015, 80 percent of outages impacting mission-critical services will be caused by people and process issues, and more than 50 percent of those outages will be caused by change/configuration/release integration and hand-off issues. In fact, both Xbox LIVE and Facebook recently suffered network outages from configuration errors during routine maintenance, and while the state of China blamed its outage on hackers, some independent watchers believe it was actually due to an internal configuration error in the firewall.



During a recent TechTarget podcast, THINKstrategies founder Jeff Kaplan shared a funny little encounter he had at a conference. Let’s see if this sounds familiar to any of you.

He asked some veteran IT workers why they were attending a SaaS-related event. They smiled and responded: “They’ve come back.”

Of course that begged the question, “Who came back?” The intrepid IT vets explained that the business leaders who had so cavalierly signed up with SaaS solutions a few years ago have now realized they forgot a few things — like, oh, data integration. And so, these leaders have “come back” to IT for help with their SaaS problems.



CSO — There is no shame in being breached by a cyber attack -- security experts are unanimous about that. Prevention, while a worthy part of a risk management strategy, will never be 100% successful, given the sophistication and overwhelming volume of attacks.

But there is room for improvement -- vast improvement -- in the detection of breaches. A large majority of enterprises fail to detect breaches on their own -- they find out about them from somebody else, as a couple of recent reports show.

The security firm Mandiant, now part of FireEye, reported recently that while the average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the number of firms that detected their own breaches actually dropped, from 37% to 33%.



The increasingly crucial nature of building engaging relationships with customers is also changing the relationship between CIOs and chief marketing officers. The role of the latter has become so core to the business that it might well make sense for the CIO to report to him.

That was one of the takeaways from a recent interview with Larry Weber, CEO of online marketing services agency Racepoint Global, who is also the founder of  Weber Shandwick, the granddaddy of tech PR firms. I wrote about Weber earlier this month in the context of the Alibaba IPO filing; here, I want to share what he had to say about the evolution of the CIO’s role in a business world that’s being transformed by social media.

I asked Weber for his thoughts on the changing relationship between today’s CIO and CMO. He said CIOs may not like his answer:



A staggering 822 million records were exposed by data breaches in 2013, according to research from Risk Based Security. The frequency and risk of data breaches compels companies to look at their network infrastructure and security processes and take appropriate actions to guard against inadvertent data leaks.

An often overlooked area vulnerable to unintentional data leaks is through the use of free online file sharing and syncing solutions. While most employees never consider using a non-corporate sponsored email system, those same employees would readily collaborate through a free file-sharing tool, because it is easier to use than what is available from their employer. Another risky situation arises when a group collaborates by sharing documents and files over email. Version control quickly spins out of control as the volume of email exchanges skyrockets due to the complexity and volume of the edits and to the number of people involved. Project groups then turn to free, ad-hoc file-sharing and collaboration services, which can lead to serious data leakage problems as content is copied onto non-secure public cloud servers.



The latest business continuity related standard is now available from BSI. BS 11200:2014 ‘Crisis management - Guidance and good practice’ sets out good practice for the provision of an effective crisis management response.

The new standard aims to help organizations:

  • Understand the context and challenges of crisis management
  • Develop crisis management planning and training
  • Recognize the complexities facing a crisis team in action
  • Communicate successfully during a crisis.

More details.

The Software Engineering Institute has published version two of its ‘A Taxonomy of Operational Cyber Security Risks’ report. This updates a document first published in 2010, presenting a taxonomy of operational cyber security risks.

A Taxonomy of Operational Cyber Security Risks attempts to identify and organize the sources of operational cyber security risk into four classes:

(1) Actions of people,
(2) Systems and technology failures,
(3) Failed internal processes, and
(4) External events.

It discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) method.

Obtain A Taxonomy of Operational Cyber Security Risks.

CIO — CAMBRIDGE, Mass. — The debate about technology in the enterprise used to focus on hope vs. fear. Now it's fear vs. fear — specifically, the fear of becoming the next Target vs. the fear that technology will eat your lunch, says Narinder Singh, president of [topcoder] and chief strategy officer at Appirio.

Just as we recognized that MIT Sloan CIO Symposium also suggest that digitization drives innovation. As one example, Peter Weill, chairman of the MIT Center for Information Systems Research, points to Orange Money, which lets Orange mobile phone customers in rural, developing nations access previously off-limits financial services.



Computerworld — IT departments need to watch out for business units or even individual workers going rogue and bypassing IT to go straight to the cloud.

"There's a tug-of-war tension in the enterprise right now," said Gartner analyst Lydia Leong. "IT administrators very rarely voluntarily want to go with the public cloud. I call this the 'turkeys don't vote for Thanksgiving' theory. The people who are pushing for these services are not IT operations people but business people."

When marketing, events or other corporate business units conclude that IT is dragging its feet on the way to the cloud, they contract for the services themselves. IT often doesn't discover the move until it shows up in the tech expenses papers.



Hands up all those in favour of a cost centre. Nobody – just as we thought! Now, hands up all those who’d like a new profit centre. Ah, much better! With the trend to define business operations in terms of the net profit they generate, instead of the expense to be funded, your next clear contributor to a healthy bottom line could be business continuity management. The general benefits have always been there, for example, better risk management and enhanced organisational reputation. However, it’s not always been easy to put a figure on their effect. The factors below open up new possibilities.



I’ve always felt a little fuzzy about the difference between analytics, business intelligence and business analytics.

It seems there’s good reason for that: You’ll discover quite a bit of variance in how they’re defined, as a recent InformIT post shows.

The piece is actually a chapter from “Business Analytics Principles, Concepts and Applications: What, Why and How,” by Marc J. Schniederjans, Dara G. Schniederjans and Christopher M. Starkey. The chapter sets out definitions for each of these terms, starting with the more general term, analytics.



S&P 500 companies are seeing climate change related risks increase in urgency, likelihood and frequency, with many describing significant impacts already affecting their business operations, according to a new report from CDP, which collects environmental performance information on behalf of investors.

Reported risks affect companies in all economic sectors and include damage to facilities, reduced product demand, lost productivity and necessitated write-offs, often with price tags reaching millions of dollars.

Forty-five percent of the risks S&P 500 companies face from extreme weather and climate changes are current, or expected to fall within the next one-to-five years, up from 26 percent just three years ago.

The S&P 500 companies also indicate that 50 percent of these risks range from “more likely than not” to “virtually certain” up from 34 percent three years ago.

"Dealing with climate change is now a cost of doing business" says Tom Carnac, President of CDP in North America. "Making investments in climate change related resilience planning both in their own operations and in the supply chain has become crucial for all corporations to manage this increasing risk".

Around 60 companies describe the current and potential future risks and their associated costs in the research, which highlights excerpts from the companies’ disclosures to their investors between 2011 and 2013.

The report is available at https://www.cdp.net/CDPResults/review-2011-2013-USA-disclosures.pdf

Traditional approaches to cybersecurity are no longer working and organizations that fail to update their strategies run the risk of significant financial and reputational damage. This was the major insight from the inaugural IT Leaders’ Roundtable events hosted by Protiviti and Robert Half Technology, which were attended by chief information security officers (CISOs) from a range of private and public sector organizations.

The main challenge lies in communication between CISOs/IT and the board, reported attendees. While boards of directors are aware of the risks associated with cyber crime, partly because of recent high profile attacks in the news and partly because of guidance from GCHQ and other government bodies, they tend to view expenditure on measures to tackle cyber crime as overheads, rather than risk mitigation.



Organizations seeking to improve the security and management of their data now have access to a new blueprint for successful information governance, a framework for organizations looking to define the roles, policies, processes and metrics required to properly manage the lifecycle of information, including creation, storage, access, and disposal.

Developed by a group of records and information management professionals in the financial services industry and published by Iron Mountain Incorporated, ‘A Practical Guide to Information Governance’ provides organizations with advice for creating and implementing the policies and processes needed to manage information risk and satisfy compliance requirements.

A Practical Guide to Information Governance focuses on several key areas for building information governance programs, including:



Tuesday, 27 May 2014 15:24

Information - friend or foe?

Information is both a risk and a resource when thinking about organisational resilience, including business continuity. There are plenty of examples of information losses that have caused major embarrassment, cost a considerable amount of money to resolve and resulted in a loss of trust as well as clients. These have included hacking and cyber attack problems, lost memory devices, leaving files on the train or selling off filing cabinets with records still in them. They even involve being photographed on the way to an important meeting carrying a document the content of which can be easily read from the photographs. Organisations involved have ranged from small business to multi-nationals and public sector bodies. The nature of information as a risk is well publicised, as a result, even if after the fact of its loss. The assessment and treatment of information risks is perhaps less well understood in practice as such losses continue to occur. How well thought through is your information risk strategy? Do you fully understand the nature of this risk and have you treated it properly? No one wants to see his or her organisation’s reputation in the gutter due to the loss of sensitive information, be it commercial or personal.



All BCM program components must be validated prior to any disaster ever occurring; the more validation performed, meaning the more tests with varying situations and scenarios are performed, the better the overall crisis management plan and strategy will perform. The problem is that all too often an organization will draft a crisis management strategy (contained within the crisis management plan) and believe that it will work as documented. This isn’t always the case and in too many instances, it can prove to be detrimental to an organization when it’s experiencing a major business interruption – regardless of the trigger.
There are many indicators to show an organization that what it’s doing isn’t working and that the strategy they are currently working with needs an immediate change.

Disasters and crises can present many challenges for organizations, and an organization should not compound its own problems by not being alert to early signals that it might be heading down the wrong road.

Below are just a few of those early warning signs that can help an organization amend its crisis communication strategy (the plan) to ensure it doesn’t end up losing control of the overall situation.



ISO27001, the standard for information security, has recently had a face-lift. It is claimed that ISO27001 is the second largest selling management systems standard in the world and one might assume that this means there has been a significant uptake in its global implementation. The number of standards sold is not too surprising. It has been around since 2007 and was essentially derived from BS7799 (1995) and ISO17799 (2000), so information security professionals have had two decades to get used to it. How influential it has been in changing attitudes to security is less clear: some see it as the most important landmark in getting the topic on the management agenda; others see it as too inflexible and procedure based to help counter the real threats posed today by cyber criminality.




Some of the most senior and experienced people in the business continuity industry got together in Amsterdam on the 21st and 22nd May for the annual BCI Executive Forum, a networking and thought leadership event that addressed the future challenges to the industry. The theme for the Executive Forum was resilience and the need for business continuity to become a part of the strategic direction of the organization to ensure that it is able to respond and adapt to a changing environment.

On day one of the Forum, renowned futurologist – Dr James Bellini – took delegates through his vision of what the world may look like in 5, 10 or perhaps even 15 years and what this could mean for organizations and those charged with managing them. These visions looked at the changing demographics and economies of the world and the development of technology:

  • Issues of an urban world – as populations are rapidly moving away from rural areas and into cities, and as these cities therefore become larger, what does this mean for their infrastructure and the socio-economic culture that develops within that city.
  • Smart cities – Technology is developing at a dramatic rate with more and more of our environment becoming digitally connected. Placing such reliance on this technology clearly has its benefits, but it also comes with risks.
  • Implications of western renaissance – as the BRIC economies expand as well as those of developing countries, it perhaps no longer makes them the cheaper option for outsourcing. Complex supply chains could be drawn back into the traditional economies, changing the dynamics of that region.

Day two of the conference looked at specific industries with the financial sector, public sector and manufacturing and retail all featuring. Experts in these fields talked through what the challenges were and how they overcame them and this was followed by a discussion on what the wider implications could be of a changing world and deciding upon some actions that the industry needs to take.

The key discussions and action points that came out of the Executive Forum will be published in a report towards the end of June and this will be available free of charge to Statutory Members of the BCI, or it can be purchased from the BCI Shop. The report will be supported by a webinar that can be registered for by clicking here.

CIO — Technology today, particularly big data and analytics, is disrupting roles throughout the enterprise, whether it's the CIO that needs to seek new ways to be a strategic partner to the business or the CMO constantly faced with decisions about technology that can make the marketing function more data-driven and efficient. Even the CFO role is not immune.

"The CFO doesn't really have to be a technologist, but they have to understand how the power of technology can help them do their job," says Nicole Anasenes, CFO of enterprise software solutions specialist Infor. "The pressures on the CFO are not terribly different than they've always been, but the interconnectedness of the world and the rate of change adds to it. They need to react to change quickly with speed and flexibility."

Anasenes was a panelist at the Bloomberg CFO Summit this week on the topic: "Dealing with New Technology and Building a Business Case for It."



IDG News Service (Boston Bureau) — A printer that connects to the Web may pose as great a risk to enterprise security as an OS vulnerability, but yet companies worry about the latter and too often ignore the former, said a CTO during a discussion at MIT.

With more devices gaining Web connectivity as part of the Internet of Things movement, hackers have greater opportunities to exploit weaknesses, said Patrick Gilmore, CTO of data-center and telecommunications service provider the Markley Group. The people who write software for printers may not be worried about security, he said.

"No one talks about what if your printer is hacked and every document your CEO printed is posted to a blog," he said.



You may not think about information governance as a cost-saving measure, but it turns out, it can potentially save you millions.

That’s because most companies are so worried about regulatory compliance, they overshoot on data retention, according to a recent CIO.com column by Actiance Vice President Doug Kaminski.

More than 70 percent of data stored in discovery collections has no business, legal or regulatory value, Kaminski writes, citing findings by the Compliance, Governance and Oversight Council (CGOC).



El Niño expected to develop and suppress the number and intensity of tropical cyclones

[Figure: 2014 Atlantic hurricane outlook. Credit: NOAA]

In its 2014 Atlantic hurricane season outlook issued today, NOAA’s Climate Prediction Center is forecasting a near-normal or below-normal season.

The main driver of this year’s outlook is the anticipated development of El Niño this summer. El Niño causes stronger wind shear, which reduces the number and intensity of tropical storms and hurricanes. El Niño can also strengthen the trade winds and increase the atmospheric stability across the tropical Atlantic, making it more difficult for cloud systems coming off of Africa to intensify into tropical storms.

The outlook calls for a 50 percent chance of a below-normal season, a 40 percent chance of a near-normal season, and only a 10 percent chance of an above-normal season.  For the six-month hurricane season, which begins June 1, NOAA predicts a 70 percent likelihood of 8 to 13 named storms (winds of 39 mph or higher), of which 3 to 6 could become hurricanes (winds of 74 mph or higher), including 1 to 2 major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher).

These numbers are near or below the seasonal averages of 12 named storms, six hurricanes and three major hurricanes, based on the average from 1981 to 2010. The Atlantic hurricane region includes the North Atlantic Ocean, Caribbean Sea and Gulf of Mexico.

“Thanks to the environmental intelligence from NOAA’s network of earth observations, our scientists and meteorologists can provide life-saving products like our new storm surge threat map and our hurricane forecasts,” said Kathryn Sullivan, Ph.D., NOAA administrator. “And even though we expect El Niño to suppress the number of storms this season, it’s important to remember it takes only one land falling storm to cause a disaster.”

[Figure: Satellite view of Humberto, the first of only two Atlantic hurricanes in 2013. It reached peak intensity, with top winds of 90 mph, in the far eastern Atlantic. Credit: NOAA]

Gerry Bell, Ph.D., lead seasonal hurricane forecaster with NOAA’s Climate Prediction Center, said the Atlantic – which has seen above-normal seasons in 12 of the last 20 years – has been in an era of high activity for hurricanes since 1995. However, this high-activity pattern is expected to be offset in 2014 by the impacts of El Niño, and by cooler Atlantic Ocean temperatures than we’ve seen in recent years.

“Atmospheric and oceanic conditions across the tropical Pacific are already taking on some El Niño characteristics. Also, we are currently seeing strong trade winds and wind shear over the tropical Atlantic, and NOAA’s climate models predict these conditions will persist, in part because of El Niño,” Bell said. “The expectation of near-average Atlantic Ocean temperatures this season, rather than the above-average temperatures seen since 1995, also suggests fewer Atlantic hurricanes.”

NOAA is rolling out new tools at the National Hurricane Center this year. An experimental mapping tool will be used to show communities their storm surge flood threat. The map will be issued for coastal areas when a hurricane or tropical storm watch is first issued, or approximately 48 hours before the anticipated onset of tropical storm force winds. The map will show land areas where storm surge could occur and how high above ground the water could reach in those areas.

Early testing on continued improvements to NOAA’s Hurricane Weather Research and Forecasting model (HWRF) shows a 10 percent improvement in this year's model compared to last year. Hurricane forecasters use the HWRF along with other models to produce forecasts and issue warnings.  The HWRF model is being adopted by a number of Western Pacific and Indian Ocean rim nations.

 NOAA’s seasonal hurricane outlook is not a hurricane landfall forecast; it does not predict how many storms will hit land or where a storm will strike. Forecasts for individual storms and their impacts will be provided throughout the season by NOAA’s National Hurricane Center.

"It only takes one hurricane or tropical storm making landfall to have disastrous impacts on our communities," said Joe Nimmich, FEMA associate administrator for Response and Recovery. "Just last month, Pensacola, Florida saw five inches of rain in 45 minutes – without a tropical storm or hurricane. We need you to be ready. Know your risk for hurricanes and severe weather, take action now to be prepared and be an example for others in your office, school or community. Learn more about how to prepare for hurricanes at www.ready.gov/hurricanes."

Next week, May 25-31, is National Hurricane Preparedness Week. To help those living in hurricane-prone areas prepare, NOAA offers hurricane preparedness tips, along with video and audio public service announcements in both English and Spanish, featuring NOAA hurricane experts and the FEMA Administrator at www.hurricanes.gov/prepare.

NOAA’s outlook for the Eastern Pacific basin is for a near-normal or above-normal hurricane season, and the Central Pacific basin is also expected to have a near-normal or above-normal season. NOAA will issue an updated outlook for the Atlantic hurricane season in early August, just prior to the historical peak of the season.

NOAA’s mission is to understand and predict changes in the Earth's environment, from the depths of the ocean to the surface of the sun, and to conserve and manage our coastal and marine resources. Join us on Facebook, Twitter and our other social media channels.

Friday, 23 May 2014 14:58

BCI European Awards


The 2014 BCI European Awards took place on Wednesday 21st May at a Gala Dinner to coincide with the Executive Forum in Amsterdam. The BCI European Awards are held each year to recognise the outstanding contribution of business continuity professionals and organizations living in or operating in Europe.

The Winners of the Awards were:

Business Continuity Consultant of the Year
Bill Crichton FBCI

Public Sector Business Continuity Manager of the Year
James McAlister MBCI

Business Continuity Manager of the Year
Werner Verlinden FBCI

Business Continuity Innovation of the Year
Pinbellcom Limited

Business Continuity Provider of the Year (Product)

Business Continuity Service of the Year (Service)
Continuity Shop

Business Continuity Team of the Year
Marks & Spencer

Most Effective Recovery of the Year
EDP Distribucao

Industry Personality of the Year
Andy Tomkinson MBCI

Congratulations to all the winners and well done to all those who were nominated. As always the standard of entries was high and the judges had some difficult decisions to make.

All winners from the BCI European Awards 2014 will be automatically entered into the BCI Global Awards 2014 which take place in November during the BCI World Conference and Exhibition 2014.


Over 100 industry leaders and experts in the field of business continuity and its related disciplines got together to share ideas, vision and take home best practices that will help build organizational resilience at the first ever BCI Middle East Conference and Exhibition held at The Address, Dubai Marina. The event was organized by the Middle East Member Firm Protiviti, a global consulting firm.

The two day event titled 'Business Continuity: Building a Resilient Middle East' saw practitioners brainstorm on various aspects of business continuity and risk management that are of relevance in today’s challenging business environment. Putting its business continuity expertise to use, Protiviti designed the sessions to focus on tackling the industry pain points by discussing the specifics within each sector, which was supplemented by success stories for others to emulate.

One of the highlights of the event was the keynote speech by Abdul Mohsin Ibrahim Younes, Chief Executive Officer, Strategy and Corporate Governance, Roads and Transport Authority (RTA), Dubai. He shared RTA’s vision around 'Safe and smooth transport for all' and elaborated the measures in place to execute the plan.

Speaking about the event, Lorraine Darke, Executive Director at the Business Continuity Institute, said: “The commitment that Protiviti put into making this event a success is recognized and truly appreciated. The event provided delegates with valuable learning experience, which we are sure will help drive critical organizational change in the region.”

Senthil Kumar, Protiviti’s Managing Director, said: “The first Middle East conference aimed to give business continuity practitioners some real insight into solutions, latest researches, techniques and best practices. We are glad we achieved it with much success. We would like to thank each and every delegate, sponsor and exhibitor who made this possible.”

Heartbleed and the OAuth and OpenID vulnerabilities have created a lot of questions about open source security. And Zack Whittaker writes in this article in ZDNet that these vulnerabilities aren’t out of the norm:

Many millions of Java-based and other open source applications are vulnerable to flaws that have been around for, in some cases, years. And even up to today, they are being downloaded.

But in an InformationWeek commentary, Michele Chubirka writes that open source isn’t any worse than commercial or closed source software:



Thursday, 22 May 2014 18:23

Risk: A Game of Thrones

HBO, the producer of “made for TV” award-winning shows, is renowned for its high-quality programming, documentaries and event TV.  One of HBO’s hit shows, A Game of Thrones, is based on the A Song of Ice and Fire series of fictional novels by George R.R. Martin, the first installment of which was published in 1996.  The title of the show comes from a proverb that Queen Cersei quotes in the novel: “When you play the game of thrones, you win or you die.  There is no middle ground.”

The series has more plot twists than a murder mystery and captures the imagination.  There is no shortage of drama, intrigue and, of course, obligatory gratuitous sex.  But what does this have to do with risk management?

A Game of Thrones is a great metaphor for how human behavior can radically change the course of events, including the downfall of empires (oops, I meant to say corporations).  Fiction is a reflection of real human behavior.  In fact, “conduct risk” may be the hardest risk to manage simply because it permeates every aspect of business life.  Conduct risk is the manifestation of every decision an employee of a firm makes to either act ethically or take advantage of opportunities for self-indulgence.  Given the temptations of wealth, power and access to resources only available to senior executives, it should not be surprising that fraud occurs.  Yet each time it happens, we sit back in awe and judgment, condemning bad behavior.  Seldom is this behavior condemned, though, before it causes catastrophic failure.



Money alone can’t buy happiness, and technology by itself can’t buy disaster recovery – but they can both help significantly! IT disaster recovery management needs thought, planning and training of personnel; being aware of what technology has to offer is an important part of this. Check our handy ten-point list below to see if you’re making the most of what’s available.

Archiving systems. Use these to store data no longer needed on a daily basis, but which must still be kept. Archiving is complementary to backup, but not the same....


Like most companies, small to midsize businesses (SMBs) are on the lookout to save money and simplify complexities of day-to-day tasks. Many SMBs already have a small (or non-existent) IT staff, so creating efficiencies in workflows and access to information for employees is often not top of mind. However, the increasing role of desktop virtualization in the enterprise is spreading to include those smaller businesses and can help with efforts toward increased efficiency.

Today, client virtualization company NComputing announced that it will provide a new desktop as a service (DaaS) solution to select service providers around the U.S. and other countries. In fact, the first provider to offer the DaaS solution to SMBs is So-net Corporation, a member of the Sony group, which is located in Japan.



Thursday, 22 May 2014 18:19

Warning: Big Data Road Bump Ahead

My friend and I have a running joke. We’ve decided we liked 35 so much, we’re going to stick with it for a decade or so.

Okay, it’s not particularly clever, but to us, it was worth a quick laugh. It probably wouldn’t be so funny if I handled data quality at Paytronix, a company that manages customer loyalty programs for restaurant chains.

When Paytronix analyzed its data quality, it found that approximately 10 percent of customers lie about their age. Another 18 percent leave it blank. Couple that with about 25 percent of restaurants that don’t even ask, and you’ve got a real problem with a significant demographic identifier.



Thursday, 22 May 2014 17:17

Turning Big Data into Big Knowledge

Big Data is not just the latest fad to hit the enterprise, it’s an obsession. On the one hand is the fear of constructing the infrastructure capable of handling massive volumes, and on the other is the anticipation of all the advantages to be gained by mining and analyzing that data.

New research from QuinStreet Enterprise reveals that more than three quarters of all organizations consider Big Data a top priority in the coming year, citing the need to foster speed and accuracy in the decision-making process as a key driver. Interestingly, it seems that Big Data is not just the province of the Big Enterprise either. More than 70 percent of mid-sized companies are also planning Big Data initiatives.



Thursday, 22 May 2014 17:16

Piracy Incidents Down

Steps taken by the international maritime community have paid off, reducing the threat of piracy in the Arabian Sea’s Gulf of Aden, according to the Allianz Global Corporate & Specialty Safety and Shipping Review 2014. The number of ships seized and hostages taken was down significantly in 2013. According to the International Maritime Bureau (IMB), piracy at sea is at the lowest level in six years—264 attacks were recorded worldwide in 2013, a 40% drop since Somali piracy peaked in 2011. There were 15 incidents reported off Somalia in 2013, including Gulf of Aden and Red Sea incidents—down from 75 in 2012, and 237 in 2011 (including attacks attributed to Somali pirates in the Gulf of Aden, Red Sea and Oman).

But while the number of incidents in this region has gone down, piracy attacks in other areas have increased in frequency, notably Indonesia and off the west coast of Africa. While most of these Indonesian attacks remain local, low level opportunistic thefts carried out by small bands of individuals, a third of the incidents in these waters were reported in the last quarter of 2013, meaning there is potential for such attacks to escalate into a more organized piracy model unless they are controlled.



Following the occurrence of a disruptive incident to your organization, what is your perception of how prepared your organization is to properly respond to that event and to provide a repeatable approach to minimize downtime resulting from that event? Do you believe that disaster preparedness is present in the planning capability or culture of your organization?
Unfortunately, the observed reactions of many organizations to disasters indicate that “business continuity management” (BCMS) awareness is often not given enough attention.

Once your organization is able to address this component as one of its growing requirements in maintaining a “keeping the doors open” approach to running its business, then, hopefully, “planning” will begin to be recognized as a necessary discipline to implement into its own corporate culture.


LINCROFT, N.J. -- The New York and New Jersey Sandy Recovery field offices are supporting a national initiative to maximize resilience and minimize risk. FEMA is encouraging those rebuilding from Hurricane Sandy to join the agency in its recognition of the 34th annual Building Safety Month (BSM) to promote the importance of high building standards, protecting the environment and saving energy.

BSM is a public awareness campaign established by the International Code Council (ICC). The global campaign focuses on public outreach and education to increase the overall safety and sustainability of buildings through the adoption of model building codes and promotion of code enforcement—elements for New York and New Jersey to consider as the area rebuilds after the storm.

Those in the affected states—and nationwide—can avail themselves of FEMA’s Building Science Department online and print information about various natural and man-made disasters and how they affect building safety. The agency introduces basic concepts used to design new or retrofitted buildings. Also offered are measures to increase resilience against future disasters while retaining or elevating efficiency—a two-pronged approach in dealing with climate change.

For the fourth consecutive year, President Obama has proclaimed May as National Building Safety Month to underscore the role that safe building codes and standards play in decreasing the effects of disasters and making the nation resilient. Building codes protect citizens from disasters like fires, flooding and weather-related events like Hurricane Sandy and structural collapse.

The overarching theme of BSM is Building Safety: Maximizing resilience, minimizing risks with sub-themes for each of its respective four weeks: fire, weather, yard and outdoor safety, and for the final week of the campaign, Building a brighter, more efficient tomorrow.   

For more information on FEMA’s Building Science Branch, visit www.fema.gov/building-science. More information on Building Safety Month is at www.buildingsafetymonth.org and www.iccsafe.org.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Wednesday, 21 May 2014 14:35

BCI India Awards


The 2014 BCI India Awards took place on Monday 19th May at a Gala Dinner to coincide with the second Business and IT Resilience Summit in Mumbai. The BCI India Awards are held each year to recognise the outstanding contribution of business continuity professionals and organizations living in or operating in India.

The Winners of the Awards were:

Business Continuity Manager of the Year
Dhirendra Kumar MBCI 

Business Continuity Consultant of the Year
Saurabh Agarwal 

Business Continuity Team of the Year
Reliance Life Insurance

Business Continuity Innovation of the Year

Business Continuity Provider of the Year (Service)
Sungard Availability Services

Business Continuity Provider of the Year (Product)
Sungard Availability Services

Industry Personality of the Year
Chittarajan Kajwadkar MBCI

Congratulations to all the winners and well done to all those who were nominated. As always the standard of entries was high and the judges had some difficult decisions to make.

All winners from the BCI India Awards 2014 will be automatically entered into the BCI Global Awards 2014 which take place in November during the BCI World Conference and Exhibition 2014.

In this age of Big Data, mobile communications and the Internet of Things, virtually everyone in the IT industry is aware of the need for scale. But even with dynamic cloud architectures at the ready, is there such a thing as too much scale? And are there right ways and wrong ways to implement scalability across data center infrastructure?

To hear infrastructure vendors tell it, scalability should be the top priority for enterprises across the board. And indeed, as Apcon CEO Richard Rauch told CIOL recently, with increased traffic soon to be coming from virtually everything we touch, data center infrastructure will have to scale in order to meet the availability and reliability levels that we have come to expect. For a networking company like Apcon, this means advanced switching capabilities that support non-blocking connectivity and heavy traffic flows, along with the visibility tools needed to keep an eye on things.



DENVER – A year ago Tuesday, on May 20, an EF5 tornado struck Moore, Oklahoma, killing 24 and leaving a 17-mile trail of destruction.

The anniversary is a poignant reminder of the importance of preparing for tornadoes, point out emergency managers from the Federal Emergency Management Agency (FEMA). The United States gets 75 percent of the world’s tornadoes, on average more than 1,100 per year.

FEMA’s Ready.gov website (http://www.ready.gov/) provides these suggestions for what to do before, during and after a tornado:


  • Build an emergency kit and make a family communications plan.
  • Listen to electronic media for the latest information. In any emergency, always listen to the instructions given by local emergency management officials.
  • Be alert to changing weather conditions. Look for approaching storms.
  • Look for the danger signs: a dark, often greenish sky; large hail; a large, dark, low-lying cloud (particularly if rotating); and a loud roar, similar to a freight train.
  • If you see approaching storms or any of the danger signs, be prepared to take shelter immediately.


If you are under a tornado warning, seek shelter immediately!  Most injuries associated with high winds are from flying debris, so remember to protect your head.

If you are in a building, go to a pre-designated area such as a safe room, basement, storm cellar, or the lowest building level. If there is no basement, go to the center of a small interior room on the lowest level (closet, interior hallway) away from corners, windows, doors, and outside walls. Put as many walls as possible between you and the outside. Get under a sturdy table and use your arms to protect your head and neck. In a high-rise building, go to a small interior room or hallway on the lowest floor possible. Do not open windows.

If you are in a manufactured home or office, get out immediately and go to a pre-identified location such as the lowest floor of a sturdy, nearby building or a storm shelter. Mobile homes, even if tied down, offer little protection from tornadoes.

If you are outside with no shelter, there is no single research-based recommendation for what last-resort action to take because many factors can affect your decision. Possible actions include:

  • Immediately get into a vehicle, buckle your seat belt and try to drive to the closest sturdy shelter. If your vehicle is hit by flying debris while you are driving, pull over and park.
  • Take cover in a stationary vehicle. Put the seat belt on and cover your head with your arms and a blanket, coat or other cushion if possible.
  • Lie in an area noticeably lower than the level of the roadway and cover your head with your arms and a blanket, coat or other cushion if possible.
  • Do not get under an overpass or bridge. You are safer in a low, flat location.
  • Never try to outrun a tornado in urban or congested areas in a car or truck. Instead, leave the vehicle immediately for safe shelter.
  • Watch out for flying debris. Flying debris from tornadoes causes most fatalities and injuries.


  • Check for injuries. Do not attempt to move seriously injured people unless they are in immediate danger of further injury. Get medical assistance immediately. If someone has stopped breathing, begin CPR if you are trained to do so. Stop a bleeding injury by applying direct pressure to the wound. Have any puncture wound evaluated by a physician. If you are trapped, try to attract attention to your location.
  • A study of tornado damage in Marion, Illinois, showed half of all tornado-related injuries came after the tornado, from rescue attempts, clean up, and so forth. Almost a third of the injuries came from stepping on nails.
  • Wear sturdy shoes or boots, long sleeves and gloves when handling or walking on or near debris.
  • Be very careful when entering any damaged structure, and use battery-powered light if possible rather than candles to minimize the danger of fire or explosions.
  • Be alert to the danger of fire, electrocution or explosions from damaged power and gas lines.
  • Continue to monitor your battery-powered radio or television for emergency information.
  • Never use any gasoline, propane, natural gas or charcoal-burning devices inside your home, basement, garage or camper, or even outside near an open window, door or vent. Carbon monoxide – an odorless, colorless gas that can cause sudden illness and death if you breathe it – can build up inside any enclosed space and poison the people and animals inside. Seek prompt medical attention if you suspect CO poisoning and are feeling dizzy, light-headed or nauseated.

Research shows that most people wait until bad news is confirmed by a second source before taking action. With tornadoes, act first, emergency officials warn. Take shelter yourself, then be the second source that confirms the emergency for others by phone or social media.

A timeline of some of the most significant tornadoes to affect the six-state region covered by FEMA’s Denver regional office, with links for more information, is available at http://www.fema.gov/fema-region-8-tornado-timeline.


The BCM program in many progressive enterprises focuses on Incident Readiness.  Integrating critical aspects of Planning, Incident Response and Incident Management, an Incident Readiness program aims to assure an organization is truly prepared to respond to any disruption of its day-to-day operations.  Incident Readiness may not be the right prescription for every BCM program; for some, BCM programs may simply be traditional ’3-ring binder’ Plans and table-top tests.  But for most, Incident Readiness may be the key to a successful BCM future.

In our two earlier blogs we defined Incident Readiness, and examined the requirements to implement it.  Finally, let’s look at the benefits: the tangible advantages of an Incident Ready BCM program:



By Deborah Ritchie

A majority of UK businesses expect to increase their dependency on exports, despite being unaware of the associated risks. More than two-thirds (69%) of UK businesses expect to increase their dependency on exports over the next five years but many are ill-prepared to protect themselves against the risks they will encounter, according to a report by AIG, Trade & Export Finance and the Institute of Export.

Findings show that risk related to non-payment of goods and services is UK exporters’ biggest concern, cited by 42% of respondents. However, only 37% of companies purchase trade credit insurance (down from 40% in 2013 and 53% in 2012), while 49% of all companies rely on open account payment, according to the International Trade Survey 2014, the largest independent survey of its kind which captures the views of over 2,800 companies.



Tuesday, 20 May 2014 17:31

Preparing for Hurricane Season

With less than two weeks until the official start of the Atlantic hurricane season on June 1, organizations and homeowners alike are hoping that this year’s season mirrors that of 2013, which was one of the quietest in 30 years. So far, most experts are predicting another relatively calm year.

Philip Klotzbach and William Gray from Colorado State University’s Tropical Meteorology Project predicted below-average hurricane activity, with nine named storms, three of which would be hurricanes and only 1 would be a major hurricane (Category 3 or higher). According to their research, there is only a 35% chance of a major hurricane making landfall in the United States. The average for the last century has been 52%.



We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.  

Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified:



If most problems are due to human error, the next metric for understanding risk and business impact might just be the stupidity index. It’s a somewhat tricky concept in a business sense, because stupidity is often context-dependent. The Peter Principle points this out, by stating that in organisations, people are promoted to their highest level of incompetence. Carlo Maria Cipolla also researched the matter to come up with a number of ‘laws of stupidity’. One of these laws in particular is relevant to business continuity management: “Non-stupid people always underestimate harmful potential of stupid people.”



DENVER – A year ago Tuesday, on May 20, an EF5 tornado struck Moore, Oklahoma, killing 24 and leaving a 17-mile trail of destruction.

A month later, June 20, will be the anniversary of the 1957 EF5 tornado in Fargo that killed 10 and was part of a family of five tornadoes that wreaked havoc for almost 70 miles, from Buffalo, North Dakota, to Dale, Minnesota. The tornado and its damage were studied extensively by T. Theodore Fujita of the University of Chicago, which led to his later development of the 1-5 F-Scale for ranking tornadoes. (The Fargo tornado was ranked in retrospect.) 

Both anniversaries are a poignant reminder of the importance of preparing for tornadoes, point out emergency managers from the North Dakota Division of Emergency Management and from the Federal Emergency Management Agency (FEMA). North Dakota gets an average of 23 reported tornadoes per year, mostly in June, July and August.

The state’s website (http://www.nd.gov/des/uploads/resources/150/tornadotips.pdf) provides these suggestions for what to do during a tornado:

  • In a house with a basement: Avoid windows. Get in the basement and under some kind of sturdy protection (heavy table or work bench), or cover yourself with a mattress or sleeping bag. Know where very heavy objects rest on the floor above (pianos, refrigerators, waterbeds, etc.) and do not go under them. They may fall down through a weakened floor and crush you.
  • In a house with no basement, a dorm, or an apartment: Avoid windows. Go to the lowest floor, small center room (like a bathroom or closet), under a stairwell, or in an interior hallway with no windows. Crouch as low as possible to the floor, facing down, and cover your head with your hands. A bath tub may offer a shell of partial protection. Even in an interior room, you should cover yourself with some sort of thick padding (mattress, blankets, etc.), to protect against falling debris in case the roof and ceiling fail.
  • In an office building, hospital, or nursing home: Go directly to an enclosed, windowless area in the center of the building -- away from glass. Crouch down and cover your head. Interior stairwells are usually good places to take shelter, and if not crowded, allow you to get to a lower level quickly. Stay off the elevators; you could be trapped in them if the power is lost.
  • In a mobile home: Get out! Even if your home is tied down, you are probably safer outside, even if the only alternative is to seek shelter out in the open. Most tornadoes can destroy even tied-down mobile homes; and it is best not to play the low odds that yours will make it. If there is a sturdy permanent building within easy running distance, seek shelter there. Otherwise, lie flat on low ground away from your home, protecting your head. If possible, use open ground away from trees and cars, which can be blown onto you. The only fatality in the Northwood tornado remained in his home.
  • At school: Follow the drill! Go to the interior hall or room in an orderly way as you are told. Crouch low, head down, and protect the back of your head with your arms. Stay away from windows and large open rooms like gyms and auditoriums.
  • In a car or truck: Vehicles are extremely dangerous in a tornado. If the tornado is visible, far away, and the traffic is light, you may be able to drive out of its path by moving at right angles to the tornado. Otherwise, park the car as quickly and safely as possible -- out of the traffic lanes. Get out and seek shelter in a sturdy building. If in the open country, run to low ground away from any cars which could roll over onto you. Lie flat and face-down, protecting the back of your head with your arms. Avoid seeking shelter under bridges, which can create deadly traffic hazards while offering little protection against flying debris.
  • Outside: If possible, seek shelter in a sturdy building. If not, lie flat and face-down on low ground, protecting the back of your head with your arms. Get as far away from trees and cars as you can.
  • In a shopping mall or large store: Do not panic. Watch for others. Move as quickly as possible to an interior bathroom, storage room or other small enclosed area, away from windows.
  • In a church or theater: Do not panic. If possible, move quickly but orderly to an interior bathroom or hallway, away from windows. Crouch face-down and protect your head with your arms. If there is no time to do that, get under the seats or pews, protecting your head with your arms or hands.

Research shows that most people wait until bad news is confirmed by a second source before taking action. With tornadoes, act first, emergency officials warn. Take shelter yourself, then be the second source that confirms the emergency for others by phone or social media.

FEMA’s Ready.gov website cites a study of tornado damage in Marion, Illinois, that showed half of all tornado-related injuries came after the tornado, from rescue attempts, clean up, and so forth. Almost a third of the injuries came from stepping on nails. Be very careful when entering any damaged structure, and use battery-powered light if possible rather than candles to minimize the danger of fire or explosions.

A timeline of some of the most significant tornadoes to affect the six-state region covered by FEMA’s Denver regional office, with links for more information, is available at http://www.fema.gov/fema-region-8-tornado-timeline.


Shahid N. Shah, an expert on EMR/EHR systems, says health care organizations are spinning their wheels with interoperability when they should be learning something from the past 50 years of enterprise technology integration.

Sigh. I had hoped health care would be able to learn from the past 50 years of enterprise technology when it came to handling data.

“The need for and attention to interoperability in health care is palpable—more and more vendors talk about, and even more customers complain about, how it's missing from products,” Shah writes in a recent iHealth Beat column. “Service vendors are struggling to make it happen and even the government is joining the chorus to help.”



Computerworld — It's a familiar complaint: Executives from a business department learn about a new, often cloud-based product and they want to try it. Only they can't, because IT has decreed that this wonderful new product creates too much risk. The frustrated business execs gripe that IT is standing in the way of progress. As one business executive said, IT is "where dreams go to die."

The problem might not lie in some stubborn dislike by technology professionals for innovative new products. The problem, CIOs and other experts agree, is that most organizations don't have a realistic, balanced or mature system for evaluating and making decisions about technology risk. Especially the risk that always comes with implementing something new.

"Somebody, typically in a line of business, has some SaaS product they want to use, and they provide a business case for it: 'Here's all the good stuff that can result from the use of this. It'll make my numbers. I can access it from anywhere,'" says Jay Heiser, an analyst at Gartner.



By Deborah Ritchie

Technology is changing the way insurers and buyers of insurance interact. This is according to Swiss Re, whose analysis into digital distribution in insurance shows how the internet and mobile devices are empowering consumers everywhere. Despite this development, digital transformation does not spell the end of intermediaries, the report’s authors say.

Today, people can search, review and purchase insurance policies without relying solely on the services of intermediaries. At the same time, developments in Big Data are facilitating access to a rich source of data about customers, which insurers can use to enhance sales and marketing strategies. Digital transformation overall can help insurers become more consumer-centric.



By Wayne Rigby, chairman, Alarm

As the UK emerges from winter into spring, the hopes of better weather will be front of mind for many people. Despite the recent extreme weather, temperatures have been relatively mild for the time of year. Remember 2013, when we saw snow fall and temperatures plummet in the middle of May? A repeat of this will be unwelcome to most, I’m sure. At the time of writing this column, it is estimated that insurers face a bill of at least £800m due to the recent storms and floods, with the figure set to rise as flood water subsides and the full extent of damage is revealed. In addition to this, public sector organisations, which already face challenges in maintaining vital services for their communities due to the level of public sector funding cuts, will be counting the cost of damage within their own areas.



Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model. In an effort to explain the model and results of the study more fully, it’s beneficial to break the RMM into each of its attributes. Here we’ll examine the first two attributes of an effective ERM program, ERM Based Approach and ERM Process Management.



Compliance risks are an inherent component of global business in the 21st century; many risks are familiar and some are new, but all can inflict potentially critical damage on an enterprise. At the same time, there are nascent signs that the ethics and compliance (E&C) discipline is maturing in many respects, and that many E&C programs, in the words of one expert, “occupy a moment of great opportunity.”

The 2014 Risk Forecast Report from the LRN Ethics and Compliance Alliance (ECA) finds E&C leaders confronting continued pressure—from lawmakers, regulators and corporate management—to demonstrate that their programs effectively address a broad range of very specific organizational risks. As many manage with tightened budgets, they are increasingly challenged to integrate their efforts ever more closely with the core day-to-day business functions of their organizations.




A survey by eHosting DataFort (eHDF) in partnership with the Business Continuity Institute (BCI) and Continuity and Resilience (CORE) has revealed an increased take up of IT Disaster Recovery in the Middle East over the last two years, demonstrating that organizations are starting to take the threat more seriously.

The 2014 Middle East Business Continuity Management Survey, the third of its kind, showed that 73% of respondents had IT Disaster Recovery in place and 22% were considering implementation. The increased take up is compared to the 2012 survey which showed that nearly 63% of the respondents stated their organization did not have a dedicated IT Disaster Recovery or BCM team, and that Business Continuity Management was being driven by Information Security Unit, Quality Management, IT and Operational and Overall Risk teams.

While this is positive, there is still a long way to go as 56% of the respondents rated their organization’s IT DR readiness as average or below average.

A huge shift is already underway in the way organizations look at BCM. This year’s survey highlighted that 59% had budgets greater than US$100,000 in order to implement and sustain their BCM program, while 32% allocated budgets in excess of US$250,000. Large organizations such as those in the banking, oil and gas, telecoms, government and e-commerce sectors accounted for 11% of organizations that had set aside BCM budgets of more than US$1 million.

Yasser Zeineldin, CEO at eHosting DataFort, said, “The results are indicative of how the industry and business environment is evolving. Everything is driven by technology and it is imperative that organizations look closely at what is ‘crucial data’ and how it can be safeguarded in the instance of downtime caused either by a natural disaster or simply because of an IT outage.”

“eHDF has been at the forefront of stressing on the importance of Disaster Recovery and BCM, and this year’s survey shows that our efforts have reaped dividends. The increase in the number of organizations, both large corporations and SMEs, investing in disaster recovery and making contingency plans by adopting business continuity management programs looks encouraging. We have seen a huge uptake for Disaster recovery services and have implemented high end DR projects for a number of organisations over the last year.”

Lyndon Bird, Technical Director at the BCI, commented: “The Business Continuity Institute’s  annual Horizon Scan survey showed just how seriously BC professionals take the cyber threat so it is encouraging to see that this is now being recognised at the Board level. Organizations are beginning to realise the value of having an effective business continuity management programme and the return on investment this can provide.”

The results from the survey show that 47% of BCM budgets in the region are being spent on IT disaster recovery infrastructure, seats, software and licensing. This can be further reduced by working with specialized service providers who can implement IT disaster recovery at a fraction of the cost of doing it in-house. In fact, 30% of the survey respondents have indicated that they plan to outsource the enhancement of IT DR plans to specialist external service providers.

Lack of a robust business continuity plan can result in financial loss that may have a negative impact on bottom line profits of an organization. 30% of the respondents who have indicated the financial impact of disruptions as per their Business Impact Analysis (BIA) estimate that a two-day disruption could set the organization back by US$3 million and more.

66% of the respondents reported at least one significant business disruption in the last year and the top three causes for disruptions in the Middle East have been identified as applications and network infrastructure failure, power outage and human error. Businesses today are vulnerable to diverse natural or man-made disasters such as fire, earthquakes, cyclones, cyber threats, as well as network and power failures. Implementation of robust BCM planning can help enterprises effectively respond to challenges without defaulting on commitments towards retaining the trust, faith and confidence of key customers and stakeholders.

eHDF had released the first such survey in 2009, seeking to analyze DR and BCM trends and raise BCM awareness for organizations in the Middle East.


You’re flipping through the channels on your car radio and you hear the tail end of a story about something called MERS. You think you’ve heard the phrase before – it’s got something to do with the Middle East, right? You’re correct – but there is more you need to know.

Setting the Stage

So, let’s talk about MERS – what it stands for, what kind of disease it is, what we know about the disease, what we still have to learn, and what we recommend at this time to protect yourself.

MERS stands for Middle East Respiratory Syndrome. It is a viral respiratory illness that was first reported in Saudi Arabia in 2012. It is caused by a coronavirus, a common type of virus infecting humans and animals, known as MERS-CoV (the long version is Middle East Respiratory Syndrome Coronavirus).

Since April 2012, there have been over 500 laboratory-confirmed cases of MERS reported to the World Health Organization (WHO). Countries are reporting their cases and case information (like age and sex) to WHO, and you can find the latest case count here. All of the cases thus far have been linked to seven countries in the Arabian Peninsula (Jordan, Saudi Arabia, Kuwait, Qatar, the United Arab Emirates, Oman, and Yemen). This means that either the patient got sick and tested positive in one of those countries, or lives in or visited one of those countries, got sick, and tested positive elsewhere.

Countries With Lab-Confirmed MERS Cases

Countries in or near the Arabian Peninsula with cases:

  • Saudi Arabia
  • United Arab Emirates (UAE)
  • Qatar
  • Oman
  • Jordan
  • Kuwait
  • Yemen
  • Lebanon

Countries with travel-associated cases:

  • United Kingdom
  • France
  • Tunisia
  • Italy
  • Malaysia
  • Turkey
  • Greece
  • Egypt
  • United States of America
  • Netherlands

Currently, we know this virus has spread from ill people to others through close contact, such as caring for or living with an infected person. However, there is no evidence of sustained person-to-person spreading in a community setting. Most people who have been confirmed as having MERS-CoV infection have shown signs of severe respiratory illnesses, including fever, cough, and shortness of breath. More than 30% of those who have been infected have died.

At this time, we are unsure of the source or host that MERS-CoV comes from. It’s likely an animal host, and while MERS-CoV has been found in camels in Qatar, Egypt and Saudi Arabia, it has also been found in a bat in Saudi Arabia. Camels in a few other countries have also tested positive for antibodies to MERS-CoV, meaning that they were previously infected with MERS-CoV or a closely related virus. When we and others look at the virus in the lab, the virus infecting humans has similarities to the virus infecting camels.

What’s Happening in the United States

On May 2nd, CDC announced the first imported case of MERS in the US, a health care worker who also traveled from Saudi Arabia to Indiana. CDC sent a team of experts to Indiana to assist with the investigation. The patient from Indiana has since recovered and was released from the hospital. On May 12, CDC confirmed the second imported case of MERS in the U.S. – a health care worker who lives in and traveled from Saudi Arabia to Florida. CDC and the Florida Department of Health are currently working on contact tracing – in which we work with the airlines to identify and notify the people who were on the planes that the patient traveled on (the patient traveled from Jeddah, Saudi Arabia to London, England to Boston, Massachusetts to Atlanta, Georgia to Orlando, Florida).

These two cases represent very low risk to the general public.  You can always help protect yourself by washing your hands often, avoiding close contact with people who are sick, avoiding touching your eyes, nose, and mouth with unwashed hands, and disinfecting frequently touched surfaces.  

At this time, we don’t recommend that you change your travel plans to the Arabian Peninsula.  However, if you are traveling to countries in or near the Arabian Peninsula, we recommend you pay attention to your health during and after your trip. Call a doctor right away if you develop fever and symptoms of respiratory illness and let your doctor know of your recent travel.

CDC continues to closely monitor the MERS situation globally and work with partners to better understand the risks of this virus, including the source, how it spreads, and how infections might be prevented. CDC recognizes the potential for MERS-CoV to spread further and cause more cases globally and in the U.S.  

For the latest information from CDC on MERS, visit the MERS website.

Computerworld - The Federal Communications Commission (FCC) continues to warn the public not to rely on text messages to reach 911 in emergencies because the technology is only available to 59 of the more than 6,000 emergency communications centers nationwide.

On its official website, the FCC notes that "the ability to contact 911 using text is only available on a limited basis in a few markets. For this reason, you should not rely on text to reach 911."

The agency instead urges calling 911 in an emergency, "even where text-to-911 is available."



Monday, 19 May 2014 15:19

Weekly Disaster Update

Fires in Southern California:

In response to the multiple fires in San Diego County, American Red Cross disaster workers are continuing shelter operations at Mission Hills High School as a shelter site (1 Mission Hills Ct., San Marcos 92069). The Temporary Evacuation Point at Escondido High School (1535 N Broadway, Escondido, CA 92026) is now being transitioned into a shelter. The shelter at La Costa Canyon High School located at 1 Maverick Way in Carlsbad also remains open. All shelters will remain open until there is no longer a need.

Since Tuesday, May 13, the Red Cross has provided approximately:
- 3,400 meals
- More than 2,000 snacks
- More than 275 overnight shelter stays, a number expected to increase this evening
- More than a dozen canteen operations, supporting various Temporary Evacuation Points, as well as providing snacks and hydration to first responders at several Incident Command Posts

For more information about this incident please visit the San Diego/Imperial Counties Chapter’s Website

Friday, 16 May 2014 16:58

One Word Too Many

A short article here: http://www.continuitycentral.com/news07205.html reports on a recent conference in the UK, where ‘Cyber Security is being superseded by Cyber Resilience’.  I think that a little care and sense is required here, mainly to avoid adding another sub-discipline and piece of jargon to an already crowded world of (deliberately?) confusing terminology.

My reading of the sense of the article is that it makes sense in terms of what is necessary.  Purely protective security – putting up barriers to stop an attack impacting on an organisation – is not enough.  However, that is not just true for cyber risks.



OAKLAND, Calif. — The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) has authorized the use of federal funds to assist the state of California combat the Cocos Fire burning in San Diego County, in the San Marcos community.

On May 14, 2014, the State of California submitted a request for a fire management assistance declaration for the Cocos Fire.  The authorization makes FEMA funding available to reimburse up to 75 percent of the eligible firefighting costs under an approved grant for managing, mitigating and controlling the fire.

At the time of the request, the fire was threatening 1,500 homes in and around the community of San Marcos with a population of 86,752.  Mandatory evacuations due to the Cocos fire are in effect for approximately 6,000 people. The fire started on May 14, 2014 and has burned in excess of 200 acres of state and private land.

The President’s Disaster Relief Fund provides funding for federal fire management grants made available by FEMA to assist in fighting fires that threaten to cause a major disaster. Eligible costs covered by the grant can include expenses for field camps; equipment use, repair and replacement; tools, materials and supplies; and mobilization and demobilization activities.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.

Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?



Friday, 16 May 2014 16:55

California Wildfire Risk

Images of wildfires burning in suburban neighborhoods in Southern California are a reminder of the risk faced by many homeowners.

Nearly 2 million, or 14.5 percent, of the 13.7 million homes in California face severe wildfire risk, according to the most recent FireLine State Risk Report by Verisk Underwriting Solutions.

Some 417,500 of these high-risk homes are located in Los Angeles County, while 239,400 are located in San Diego County.

Check out this snapshot from the Verisk report illustrating California’s wildfire risk:



Thursday, 15 May 2014 16:29

Taking control of your cloud

Organizations need to know where their cloud services are hosted for disaster recovery and data protection purposes.


Cloud computing services are increasingly being adopted as a mainstream IT strategy and many industry analysts are saying that cloud will become a major platform for growth for organizations; and especially for mid-market businesses. This is because, previously, if an organization wanted to get a new idea off the ground, they would often have had to make a significant upfront investment in IT before they even knew if their business idea was going to work. The cloud, however, levels the playing field.

When done right, cloud takes away barriers to entry and makes technology available to all organizations regardless of size. From day one, a business can ramp up very quickly and easily without having to make serious upfront capital investment. The move to the cloud is seamless. Costs are predictable. There are no big step changes or spikes in costs for maintenance or renewal requirements. Remote working and disaster recovery can also be built in.

However, because of this rapid growth and evolution, it could be argued that the definition of cloud has become somewhat unclear. Today, the term is used for everything from physical hosting ‘elsewhere,’ to Gmail, to almost anything imaginable in between. It seems that the meaning of cloud is different to different organizations depending on how cloud services are being used.



Thursday, 15 May 2014 16:27

Back to basics…

Security breaches are on the rise. Yet as security experts face ever more complex and challenging threats, is there a risk some of the basic components of IT security are being overlooked?


Security breaches are on the rise. Indeed, Experian's 2014 Data Breach Industry Forecast (1) predicts that new security threats and transparency regulations will make 2014 a ‘critical year’ for data breaches and warns that organizations need to be better prepared. So what’s going wrong?

IT security is certainly a tough job. From the relentless introduction of new threats, to the escalating impact of any breach in a 24x7, joined-up economy, those tasked with protecting business-critical data have the challenge of juggling routine, day-to-day protection requirements with the need to prevent ever more innovative hacking attempts.

Sadly, however, recent high profile breaches would suggest that the routine, tried, trusted and proven security activity is being overlooked.



If you’ve been following the news of any kind recently, you may well have seen articles about Heartbleed. This is the vulnerability in the OpenSSL cryptographic library that theoretically allowed hackers to invisibly copy sensitive data from a web server. A sign of the times, Heartbleed even made front page news in the tabloid press in the UK, an extraordinary feat for such a technical subject. Soon after the threat was discovered, a new version of OpenSSL was made available so that servers could be updated and protected once again. But there are business continuity lessons to be learned.



OAKLAND, Calif. — The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) has authorized the use of federal funds to assist the state of California combat the Poinsettia Fire currently burning in Carlsbad, Calif.

On May 14, 2014, the State of California submitted a request for a fire management assistance declaration for the Poinsettia Fire.  The authorization makes FEMA funding available to reimburse up to 75 percent of the eligible firefighting costs under an approved grant for managing, mitigating and controlling the fire.

At the time of the request, the fire was threatening 2,500 homes in and around the community of Carlsbad, Calif., with a combined population of 105,000. All of the threatened homes are primary residences; none are secondary residences. Mandatory and voluntary evacuations are taking place for approximately 15,000 people.  The fire started on May 14, 2014 and has burned in excess of 100 acres of State and private land. There are 5 other large fires burning uncontrolled within the State. 

The President’s Disaster Relief Fund provides funding for federal fire management grants made available by FEMA to assist in fighting fires that threaten to cause a major disaster. Eligible costs covered by the grant can include expenses for field camps; equipment use, repair and replacement; tools, materials and supplies; and mobilization and demobilization activities.


Integration remains a major concern for those hesitant to adopt SaaS, but a recent vendor survey shows a new top barrier: data privacy.

SnapLogic, which provides a cloud-based integration solution, engaged in a joint survey with TechValidate, a third-party research organization. We’ve seen a lot of vendor surveys on cloud and SaaS recently, but what sets this apart is that it targeted 100 U.S. companies with revenues exceeding $500 million.

Seventy-two percent of the organizations responding said they already have an active cloud application or data integration project. So, for the majority, SaaS is already in play as a viable option.



PEARL, Miss. – In the aftermath of a disaster, misconceptions about disaster assistance can often prevent survivors from applying for help from the Federal Emergency Management Agency and the U.S. Small Business Administration. A good rule of thumb: register, even if you’re unsure whether you’ll be eligible for assistance.

Registering with FEMA is simple. You can apply online at DisasterAssistance.gov or with a smartphone or tablet by downloading the FEMA app or by visiting m.fema.gov. You can also register over the phone by calling FEMA’s helpline, 800-621-FEMA (3362). Survivors who are deaf or hard of hearing and use a TTY can call 800-462-7585. The toll-free telephone numbers operate from 7 a.m. to 10 p.m. (local time) seven days a week until further notice.

Clarification on some common misunderstandings:

  • MYTH: FEMA assistance could affect my Social Security benefits, taxes, food stamps or Medicaid.
    FACT: FEMA assistance does not affect benefits from other federal programs and is not considered taxable income.
  • MYTH: I have insurance. I don’t need to apply for federal disaster assistance.
    FACT: You should register for federal disaster assistance even if you have insurance. While FEMA cannot duplicate insurance payments, under-insured applicants may receive help after their insurance claims have been settled.
  • MYTH: I've already cleaned up the damage to my home and had the repairs made. Isn’t it too late to register once the work is done?
    FACT: You may be eligible for reimbursement of your clean up and repair costs, even if repairs are complete.
  • MYTH: I didn’t apply for help because I don’t want a loan.
    FACT: FEMA only provides grants that do not have to be paid back. The grants may cover expenses for temporary housing, home repairs, replacement of damaged personal property and other disaster-related needs such as medical, dental or transportation costs not covered by insurance or other programs.

The U.S. Small Business Administration provides low-interest disaster loans to renters, homeowners and businesses of all sizes. Some applicants may be contacted by SBA after registering with FEMA. You are not obligated to take out a loan, but you need to complete the application to continue the federal disaster assistance process. By completing the application, you may become eligible for additional grant assistance from FEMA.

You can apply with SBA online using the Electronic Loan Application (ELA) via SBA's secure website at https://disasterloan.sba.gov/ela. For more information on SBA’s Disaster Loan Program, visit SBA.gov/Disaster, call the SBA Customer Service Center at 800-659-2955 (TTY 800-877-8339 for the deaf and hard-of-hearing) or contact the SBA by email.

  • MYTH: I don’t want to apply for help because others had more damage; they need the help more than I do.
    FACT: FEMA has enough funding to assist all eligible survivors with their disaster-related needs. 
  • MYTH: I'm a renter. I thought FEMA assistance was only for homeowners for home repairs.
    FACT: FEMA assistance is not just for homeowners. FEMA may provide assistance to help renters who lost personal property or who were displaced.
  • MYTH: Registration involves a lot of red tape and paperwork. I don’t have time to register.
    FACT: There is no paperwork to register with FEMA. The process is very easy and normally takes between 15 and 20 minutes.
  • MYTH: Since I received disaster assistance last year, I’m sure I can’t get it again this year.
    FACT: Assistance may be available if you suffered damage from a new federally-declared disaster.
  • MYTH: My income is probably too high for me to qualify for FEMA disaster assistance.
    FACT: Income is not a consideration for FEMA grant assistance. However you will be asked financial questions during registration to help determine eligibility for SBA low-interest disaster loans.

For more information on Mississippi disaster recovery, visit fema.gov/disaster/4175. Visit the MEMA site at msema.org or on Facebook at facebook.com/msemaorg.


Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY call 800-462-7585.

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

If you ask IT executives about shifting the entire data infrastructure to the cloud, the most common reaction is something like: “Possible in theory, but not practical in real-world environments.”

But that perspective may be changing.

According to Network World, AMAG Pharmaceuticals, a Massachusetts firm that reported $81 million in revenues last year, has moved to a data center-free footprint by shifting its entire data environment to the cloud and BYOD. CIO Nathan McBride says this has halved his annual data center budget to about $1.4 million and reduced the IT staff to four: himself, a project manager, a Scrum/PMP developer and a “data center master.” At the same time, he says the company has been able to successfully replicate the five key pillars of IT in the cloud: backup, email, file servers, security and service.



Thursday, 15 May 2014 15:52

An Unpredictable Spring



“In the spring I have counted one hundred and thirty-six kinds of weather inside of four and twenty hours.” – Mark Twain

While spring officially sprung in late March, it’s only been in the last few weeks that we’ve seen the characteristically unpredictable weather that ushers in the fun-in-the-sun summer. During spring, temperatures can swing back and forth between balmy (high 80s in Georgia this week) and frigid (in the 40s in Wyoming). Sunny days may be followed by a week of stormy weather; sometimes extreme weather changes can occur even within the same day.

Below are the most common types of severe spring weather:


  • Thunderstorms cause most of the severe spring weather. They can bring lightning, tornadoes and flooding. Whenever warm, moist air collides with cool, dry air, thunderstorms can occur. For much of the world, this happens in spring and summer.
  • Tornadoes, often called twisters, are rapidly rotating columns of air that are connected to both the ground and the cloud. Tornado Alley – the Great Plains region of the United States – is most active this time of year. Already in 2014, there have been more than 30 deaths due to tornadoes.
  • Flooding, which is most common in and near mountainous areas due to snow melt, is another condition of spring, as are mudslides, like the one in Oso, Washington, in late March. Mudslides happen when heavy rainfall, snowmelt, or high amounts of ground water cause soil to be uprooted.
  • Wildfires are most common in the Western United States and wildfire season usually starts in May and runs through August. According to the National Interagency Fire Center, this year’s wildfire season could be dangerous.

Because spring weather can be so unpredictable, you may be unprepared when severe weather hits—especially if you live in a region that does not often experience these types of events. And when severe weather hits unexpectedly, the risk of injury and death increases. So planning ahead makes sense; prepare for storms, floods, and tornadoes as if you know in advance they are coming, because in the spring, they very likely will.

Advance planning for thunderstorms, lightning, tornadoes and floods requires specific safety precautions. Still, you can follow many of the same steps for all extreme weather events. You should have on hand:

  • A battery-operated flashlight, a battery-operated NOAA Weather Radio, and extra batteries for both
  • An emergency evacuation plan, including a map of your home and, for every type of severe weather emergency, routes to safety from each room
  • A list of important personal information, including
    • telephone numbers of neighbors, family and friends
    • insurance and property information
    • telephone numbers of utility companies
    • medical information
  • A first aid kit may include:
    • non-latex gloves
    • assortment of adhesive bandages
    • antibiotic ointment
    • sterile gauze pads in assorted sizes
    • absorbent compress dressings
    • tweezers
    • scissors
    • adhesive cloth tape
    • aspirin packets (81 mg each)
    • First aid instruction booklet
  • A 3–5 day supply of bottled water and nonperishable food
  • Personal hygiene items
  • Blankets or sleeping bags
  • An emergency kit in your car

Remember to help prepare your family members and neighbors for the possibility of severe weather too. Tell them where they can find appropriate shelter as soon as they are aware of an approaching storm. Make sure to run through your emergency plans for every type of severe weather. Show family members where emergency supplies are stored, and make sure they know how to turn off the water, gas, and electricity in your home.

Unfortunately, few of us get much advance notice of a severe weather event. Oftentimes when we become aware of an approaching storm, we have little time to prepare for it. But we know what season it is, and even if this spring doesn’t bring any severe weather to your area, being prepared can help you at any time of the year.

Are there any stories of your own spring preparedness that you want to share with us?

Wednesday, 14 May 2014 16:27

The World’s Most Resilient Cities

How do you invest, source and expand responsibly?

Picking the right place to do so may make or break your efforts. At least, that’s the theory of London-based property company Grosvenor. With that in mind, the company analyzed 160 data sets to assess the vulnerability and adaptive capacity of the world’s “50 most important cities” to determine which are the most resilient, with resilience defined as “the ability of cities to continue to function as centers of production, human habitation, and cultural development despite the challenges posed by climate change, population growth, declining resource supply, and other paradigm shifts.”



Traditional cyber security is now inadequate for today’s threat landscape and must be superseded by ‘cyber resilience’, demanding more vigorous action from company boardrooms.

This was the main message of a panel of industry experts at the international cyber summit hosted by IT Governance in London on 8th May.

The event, ‘New Standards in the Global Cyber War’, included speakers from the Department for Business, Innovation and Skills, British Standards Institution (BSI), international professional organization ISACA, and AXELOS, a joint venture between the Cabinet Office and services group Capita plc that runs the Best Management Practice portfolio.



A recent survey among 250 UK CIOs and IT leaders has revealed that nearly half of respondents are plagued by regular IT performance and availability issues. 48 percent of respondents experience availability and outage issues at least once a week; and 21 percent of these experience downtime every day.

ControlCircle, UK provider of managed and cloud-based services, commissioned the ‘IT Growth and Transformation’ survey with Vanson Bourne, to explore IT budget alignment and how CIOs are managing IT as well as innovation.

Overall, smaller organizations (employing between 251 and 500 employees) report a higher level of service excellence across the board. Even in this group, only 46 percent claim excellence in quality of service, regardless of budget. Among larger enterprises, only 20 percent of respondents believed they were achieving ‘best effort’ in quality of service, regardless of cost control.



Rogue employees continue to be the biggest threat to information security, according to 37 percent of IT professionals polled at Infosecurity Europe 2014. The poll conducted by BSI, the business standards company, investigated perceived threats to information security and how businesses are responding.

The poll found that despite taking measures to combat the risks, 37 percent of businesses still see employees as the biggest threat to information security, ranking the insider threat higher than cyber-attacks (19 percent) and bring your own device (BYOD) (15 percent).

In order to reduce the risk to their business, over half (52 percent) have implemented an internal information security policy, 47 percent have provided staff training and 63 percent are either certified (29 percent) or operating in compliance (34 percent) with ISO 27001, the international Information Security Management System Standard. A further 23 percent indicated they were looking to certify in the immediate future.

However, confidence in security measures to protect against risks is relatively low with under half (46 percent) stating they are confident in the measures their firm has taken. One in ten are not confident at all, yet unsurprisingly in organizations that are certified to ISO 27001 the levels of confidence in security measures rise to 78 percent.

“It’s no surprise to see insider threats as the biggest risk to information security as employees will always be the one thing that cannot be controlled,” said Suzanne Fribbins, Risk Management Expert at BSI. “Employees don't necessarily have to be malicious to put a company at risk; they may just not understand the possible risks associated with their actions. Research has shown that effective staff training can halve the number of insider breaches, by ensuring employees understand the importance of information security and their role in protecting businesses critical information.”

Commitment from senior management is essential if an organization is to manage information security effectively. Encouragingly, 73 percent of respondents believe senior management is dedicated to information security. But 54 percent do not feel the necessary resources are allocated to it, despite this being one of the key ways in which top management can demonstrate its commitment to protecting the confidentiality, integrity and availability of information.

The poll also found that over three quarters (77 percent) of organizations are increasingly being asked for ISO 27001 as a customer requirement when bidding for new business.


Computerworld — When the White House issued its big-data privacy report on May 1, it recommended the passage of federal breach legislation "to replace a confusing patchwork of state standards." Although that may have sounded like good news to the development community -- the folk who generally bear the brunt of complying with such security requirements -- it's only a step in the right direction if your goal is falling off of a cliff.

Having one federal standard rather than a large number of state standards is an unquestionably good thing. I'm not arguing against that. But the exceptions spelled out in the report and one rather obvious omission make the whole effort rather pointless. (Let's leave aside the question of whether putting any nuanced business problem in the hands of Congress and expecting them to figure out a realistic solution is akin to administering an astrophysics final to your pet rock. No need to belabor the obvious.)

Let's start with what the report recommends. In discussing big data, it makes a reasonable point: "Amalgamating so much information about consumers makes data breaches more consequential, highlighting the need for federal data breach legislation to replace a confusing patchwork of state standards. The sheer number of participants in this new, inter-connected ecosystem of data collection, storage, aggregation, transfer, and sale can disadvantage consumers."



Computerworld — In an Internet of Things (IoT) world, smart buildings with web-enabled technologies for managing heat, lighting, ventilation, elevators and other systems pose a more immediate security risk for enterprises than consumer technologies.

The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building management systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the smart grid.

The threat that such systems pose is two-fold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and pose safety risks.



The purpose of an Incident Readiness Program is to enhance the ability to respond effectively to any business disruption and restore those assets (Business Processes, facilities, technology, suppliers and people) that are critical to the delivery of that organization’s Products & Services.

The Planning Phase of the program enables the organization to identify the critical assets at risk, prioritize the resumption of business processes, map dependencies necessary for effective response & recovery, and develop actionable plans. Testing and exercises should be designed to find the gaps in recovering those critical assets – both strategic and operational. The Incident Management component of the program establishes the organizational structures and tools for command, control and communication during a disruptive incident.



LINCROFT, N.J. -- As Deputy Coordinator of the Oceanport, N.J. Office of Emergency Management, Chris Baggot has weathered a lot of storms.

But nothing so profoundly altered the landscape of his community like Hurricane Sandy.

The 3.7 square mile town on the Shrewsbury River was devastated by the storm. Five hundred of the 2000 homes in this close-knit community were substantially damaged or destroyed. Oceanport also lost its police station, its borough hall, its ambulance squad building, its library and its courthouse.

Some 18 months after the Oct. 29, 2012 hurricane, 71 families were still unable to return home.

The Baggot family is among them. The Baggots have been renting a one-bedroom apartment in the nearby community of Eatontown while they await the demolition and reconstruction of their home on Blackberry Bay.

While they were approved for an RREM grant of $150,000 to underwrite the rebuilding, a rough winter delayed the start of construction on their replacement home. Once the weather improves and contractors break ground, it will be another six to nine months before Chris, his wife, Wendy, and college-age son, Zachary, will be able to enjoy life in Oceanport once again.

“I’m a Sandy survivor. We don’t use the word ‘victim,’” he says.

He carries that perspective into his role at the Federal Emergency Management Agency’s New Jersey Sandy Recovery Office, where he recently became a CORE employee after joining FEMA as a Local Hire in December of 2012.

[Photo caption: Chris Baggot: From Sandy Survivor to Sandy Recovery Coordinator]

It was his second time assisting his fellow New Jerseyans as a FEMA employee: Baggot was also recruited as a Local Hire in the aftermath of Hurricane Irene in 2011.

Hired initially as a project specialist for Public Assistance, Baggot moved on to become a Cost Estimating Format reviewer, Quality Assurance lead, Operations task force lead and finally, CORE Operations Task Force Lead.

In that capacity, he explains, “I oversee the life cycle of a Public Assistance project from the writing stage all the way through to obligation.”

Baggot’s personal experience with the devastating effects of Hurricane Sandy has underlined his understanding of the importance of the FEMA mission in helping communities rebuild and become more resilient.

“It sure is nice when people say to you, ‘Look, we need this; we need that,’ and you can give it to them in a reasonable way,” says Baggot, “and it’s nice when you can manage expectations when people ask for the moon and stars. That’s not really what we’re there to provide. We’re there to get them back to pre-disaster conditions.”

He has plenty of praise for his colleagues at FEMA, who came here in the immediate aftermath of the storm to help the hard-hit residents of New Jersey get back on their feet.

“The FEMA people that I’ve had the opportunity to work with have really been great.” He’s also enjoyed observing their surprise at how different New Jersey is from its “What exit?” stereotype.

“They talk about how beautiful it is – they thought it was all blacktop,” Baggot says with a laugh.


FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.

Fast Rollout of Digital Lifestyle Services in the Tera Era with Allot Service Gateway Tera

WOKING, Surrey – Wick Hill is now shipping Allot Service Gateway Tera, a high-performance DPI-based platform built to power the deployment of Digital Lifestyle Services in fixed and mobile data networks on the path to software-defined networking (SDN) and cloud-based network services (NFV).

Ed Kidson, product sales manager at Wick Hill, commented: “This is an exciting opportunity for the channel to deliver a smooth migration path towards SDN and virtualisation, at the same time as minimising capital investment.” 

Allot Service Gateway Tera has already received multimillion-dollar orders from four different mobile and fixed line operators worldwide, including a $4M deal announced earlier this year and a $5M deal announced earlier this month.

Allot Service Gateway Tera provides a unified framework for both physical and virtual service deployment across any access network, serving as a single point of integration for network- and cloud-based services. The new offering includes real-time traffic management, video optimization, policy enforcement, application-based charging, and security services such as Parental Control and Anti-DDoS. 

Allot Service Gateway Tera supports Service Chaining to value-added services, with high-density 100GE and 10GE connectivity. The platform is built to manage 15 million active subscribers and provides up to 2Tbps in a Tera-cluster.

Allot Service Gateway Tera also supports breakthrough network analytics, allowing operators to collect a variety of data sets from their networks and analyze them according to application, subscriber, device, topology and context. It works with Allot ClearSee Analytics solution to turn big data into valuable business insights needed to drive service profitability and customer satisfaction.

About Wick Hill

Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions. The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.

Wick Hill is part of the Wick Hill Group, based in Woking, Surrey with sister offices in Hamburg. Wick Hill is particularly focused on providing a wide range of value added support for its channel partners. This includes a strong lead generation and conversion programme, technical and consultancy support for reseller partners in every stage of the sales process, and extensive training facilities. For more information about Wick Hill, please visit http://www.wickhill.com/company/company-profile or www.twitter.com/wickhill

About Allot Communications

Allot Communications Ltd. (NASDAQ, TASE: ALLT) is a leading global provider of intelligent broadband solutions that put mobile, fixed and enterprise networks at the center of the digital lifestyle and workstyle. Allot’s DPI-based solutions identify and leverage the business intelligence in data networks, empowering operators to analyze, protect, improve and enrich the digital lifestyle services they deliver. Allot’s unique blend of innovative technology, proven know-how and collaborative approach to industry standards and partnerships enables network operators worldwide to elevate their role in the digital lifestyle ecosystem and to open the door to a wealth of new business opportunities. For more information, please visit www.allot.com.  

Forward Looking Statement

This release may contain forward-looking statements, which express the current beliefs and expectations of Company management. Such statements involve a number of known and unknown risks and uncertainties that could cause our future results, performance or achievements to differ significantly from the results, performance or achievements expressed or implied by such forward-looking statements. Important factors that could cause or contribute to such differences include risks relating to: our ability to compete successfully with other companies offering competing technologies; the loss of one or more significant customers; consolidation of, and strategic alliances by, our competitors, government regulation; lower demand for key value-added services; our ability to keep pace with advances in technology and to add new features and value-added services; managing lengthy sales cycles; operational risks associated with large projects; our dependence on third party channel partners for a material portion of our revenues; and other factors discussed under the heading "Risk Factors" in the Company's annual report on Form 20-F filed with the Securities and Exchange Commission. Forward-looking statements in this release are made pursuant to the safe harbor provisions contained in the Private Securities Litigation Reform Act of 1995. These forward-looking statements are made only as of the date hereof, and the company undertakes no obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise.

Trademark Notice

Allot Communications, Allot Service Gateway Tera and Allot ClearSee Analytics are trademarks of Allot Communications. All other trademarks are the property of their respective owners.

Tuesday, 13 May 2014 14:57

Improving Compliance with Data Science

The days when organizations talked about data in terms of megabytes and gigabytes are long gone. Today, they talk about data in terms of petabytes and zettabytes — big data with massive potential, if they know what to do with it.

Increased access to powerful analytics, combined with the maturing capabilities of open architecture, cloud computing and predictive analytics are helping more organizations get better with data. Yet, in many cases, organizations are moving too slowly to keep up, and they may not be considering all of the risks.



CIO — Organizations are increasingly focusing on building enterprise data applications on top of their Hadoop and NoSQL infrastructure. But even as that's happening, Hadoop itself is becoming much more diverse and complex. That's a potential headache for developers seeking to build applications on top of that data infrastructure, but data application platform specialist Concurrent, primary sponsor of the open source Cascading application framework, sees it as an opportunity.

While Apache Hadoop began as a combination of Hadoop Distributed File System (HDFS) for file storage and MapReduce for compute, there are now a growing number of options for compute in Hadoop, including Apache Tez (a framework for near real-time big data processing), and the soon-to-be-released Apache Spark (a framework for in-memory cluster computing) and Apache Storm (a distributed computation framework for stream processing). Hadoop distribution vendor MapR even offers an alternative to HDFS in its distribution.



As organisations evolve, they need to re-evaluate their degree of preparedness in the different business continuity management disciplines. In the networked partner model that has become common today, risk management, governance over recovery, crisis communications and talent management all need updating, compared with how things used to be in the vertically integrated enterprise. Changes made in the way an organisation approaches these items then need to be mapped into the appropriate BCM documents. But is this as simple as it sounds?