Industry Hot News

Thursday, 20 June 2013 15:19

Fears of Vanishing Terror Insurance Grow

With the Terrorism Risk Insurance Act (TRIA) set to expire at the end of 2014, corporate risk managers are worrying aloud about what would happen if there’s no property, casualty or workers’ compensation coverage available in connection with a terrorist act.

The anxieties include the possible unraveling of funding for future construction projects, as financiers get cold feet contemplating the total loss that could transpire in the event of an attack. For existing multi-year projects, the risk managers fear that loan covenants could break apart if their companies can’t provide proof of coverage.

Such occurrences are more likely in the real estate industry and in densely populated urban areas. In the wake of the Boston Marathon bombings, however, the sports and entertainment industries are now seen to be at risk. The transportation and petrochemical industries have long been considered vulnerable to attack.



While the bombings at the Boston Marathon reminded responders and emergency managers of the importance of continuing to train and plan for natural and man-made disasters, Cleveland and Cuyahoga County, Ohio, had already been planning a full-scale exercise with the city’s Major League Baseball team. Approached by representatives from the Cleveland Indians about testing their ability to respond to a terrorist attack during a major game at Progressive Field, such as a playoff game, the city reached out to Cuyahoga County to help develop the full-scale exercise.

“The Department of Homeland Security recommends preparation as the No. 1 priority in dealing with emergency situations,” said Bob DiBiasio, the Indians’ senior vice president of public affairs, in a statement. “While our safety and security policies and procedures always have maintained the highest standards, we know it is very important to be well prepared in the event of any major emergency situation.”



A recent study conducted by Ipsos Reid on behalf of Toronto-based information security company Shred-it revealed that small businesses do not fully comprehend the impact of a data security breach and, as a result, are not safeguarding sensitive information thoroughly. 
An independent survey conducted by Ipsos Reid and commissioned by Shred-it was fielded April 16-23, 2013, with two distinct sample groups: small business owners in the United States (1,008) at companies with fewer than 100 employees, and C-suite executives in the United States (100) at companies with a minimum of 500 employees in the United States.
The 2013 Shred-it Information Security Tracker indicates that an alarming number of small businesses (69 percent) are not aware of, or don’t believe, that lost or stolen data would result in financial impact and harm to their businesses’ credibility.

Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?

To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.



Wednesday, 19 June 2013 20:19

Security ROI: 5 Practices Analyzed

Traditionally, enterprise data security has relied on a "fortress defense" approach: keep all assets within a corporate castle and build towering walls to keep out the enemy. However, with an evolving threat landscape that includes targeted attacks, social engineering and spear phishing, the model leaves plenty of vulnerable attack points.

With increasing employee mobility, IT professionals are challenged to expand their security practices to "armor" employees individually in addition to the fortress. As a result, IT budgets are stretched thinner, resulting in the need to examine the return on investment of popular security practices. In the battle against data breaches, which practices, "fortress defense" or "armored defense", provide the greatest ROI?



The federal government spends six times more on disaster recovery than helping communities become resilient to extreme weather that’s predicted to become more intense and frequent in a warming world, a new study shows.

The analysis by the Center for American Progress (CAP), a prominent liberal think tank, labels the approach “pound foolish” and calls for a dedicated fund for “community resilience” fed by higher levies on fossil fuel production.

“We must help communities enhance their ability to withstand the high winds, flood waters, scorching heat, searing wild fires, and parched earth from extreme weather,” states the CAP analysis released Wednesday, which alleges the federal government “woefully underfunds” such efforts.

Wednesday, 19 June 2013 20:16

Is Your Business Prepared For Disaster?

Most organizations understand the importance of keeping critical data safe from both manual and natural disasters. It is surprising, however, to hear just how many companies are not prepared for the day their system goes down and data is lost. And yes, the day will come that data is lost, usually due to a manual user error. Beyond the compromised data, the loss of productivity can immobilize an entire business for hours or even days. Even with the best-laid plans, disaster can strike. Those who are prepared suffer the least.

The current backup and disaster recovery environment is leaning toward solutions that offer integrated and simplified next-generation approaches. These include faster recovery times, easier rebuilds, hardware-independent recovery, bootable backups and bare-metal restore. Successful solutions will require integration with legacy and current data, scale to handle big data, span virtualized and cloud environments, and implement automation while integrating the functions of backup protection and disaster recovery. As priority grows for these solutions, so should IT budgets.



Wednesday, 19 June 2013 20:15

Warning – Not all data is created equal

IT organizations can drive up the cost of storage unnecessarily by treating all data the same and storing it all on the same media. Let’s face the fact: my resume is not as important as the payroll database or even the email database. So, why are you using the same storage policy for both?

Stop using one policy to rule all of your data. It might be simple, but it is killing your bottom line. When looking for a data protection solution, find one that allows you to use policies to treat data differently.

Important data should be prioritized as tier one data that gets backed up most often and most quickly. Perhaps that data can stay on disk for fast restore.



Wednesday, 19 June 2013 20:14

15 great crisis management songs

When you're in the midst of the next crisis, imagine a movie soundtrack playing while you deal with the incident.

What songs would play?

Members of the Crisis Communications LinkedIn group came up with a clever list of more than 30 songs. Below are the top 15 songs from that list.

Play some of these songs in your crisis command center and you might elicit much-needed smiles in the midst of a serious situation:



CIO — Despite the challenges of the budget sequestration that went into effect on March 1, federal agencies are pressing forward with big data initiatives, hoping to squeeze big savings out of more efficient use of their data.

In fact, based on the federal government's FY12 budget actual expenditures of $3.538 trillion, federal IT managers could potentially recognize nearly $500 billion in savings across the federal government via big data initiatives, according to a new study by MeriTalk. MeriTalk is a community network for government IT developed as a partnership by the Federal Business Council, Federal Employee Defense Services, Federal Managers Association, GovLoop, National Treasury Employees Union, USO and WTOP/WFED radio.

MeriTalk surveyed 150 federal IT executives for the report, Smarter Uncle Sam: The Big Data Forecast. Forty-eight percent of the respondents were from the U.S. Department of Defense. The remaining 52 percent were from civilian agencies.



Sacramento, Calif., Mayor Kevin Johnson helped launch the Resilient Communities for America campaign this week offering a pledge, along with 44 other mayors, to create a movement to develop communities resilient to extreme weather, faltering infrastructure and other hazards.

Johnson, on the steps of Sacramento’s City Hall, said a goal is to get 200 mayors to sign a pledge by the end of this year and then a thousand by 2015. He said it’s critical for mayors to leverage their numbers to secure federal and state funding to support local initiatives for infrastructure and energy security and economic uncertainty.



I reconnected with Mark Challender, a former employee back in my business magazine publishing days, and discovered his passion for amateur radio, particularly in supporting emergency management. I confessed to him I didn't see that much of a role for it given all the other options. He soundly corrected me and I asked him to inform the rest of you as he did me. Thanks Mark! Here is his guest post:

Is Use of Amateur Radio in an Emergency Still Valid?

The answer is YES, amateur radio can make your communications better during a crisis when “normal” modes of communication have failed.



Wednesday, 19 June 2013 20:08

Coping with Disasters

Whether you live in tornado alley or in a hurricane-prone coastal region, it’s important to include emotional wellness activities in your disaster plan. Severe weather and evacuations can cause emotional distress such as anxiety, worry, and fear in both adults and children. Although no one can plan for a disaster, you can practice healthy coping skills by following these tips.

Practice Preparedness!
By developing an emergency plan ahead of time you are more likely to feel calm and in control during a storm. Visit http://www.ready.gov for a variety of plans to fit your specific needs. Preparedness is a year-round activity that everyone in the family can participate in, including kids. Involving children and teens in preparedness activities may help them feel less anxious during an emergency and provide reassurance.

Limit Exposure to Media
It’s important to be aware of weather forecasts and local news, but tuning in around-the-clock can trigger additional panic and anxiety. Limit your media exposure, whether that’s watching television, listening to the radio, reading newspapers, or using social media. It’s especially important to limit news coverage when you have children at home because distressing images and sensationalized headlines can cause more confusion, fear and stress. Find a healthy balance that works for you and your family.

Be a Positive Role Model
Children look up to parents and caregivers for guidance during emergencies and stressful situations. Encourage your kids to ask questions about things they see or hear on the news. Answering their questions honestly can help minimize additional confusion and decrease their anxiety. During severe weather forecasts or after a disaster, younger children might need extra attention and may have trouble processing certain emotions. If your child or teen is acting out or seems withdrawn after a disaster, this may be a sign that you need to reach out to a licensed mental health professional for additional assistance. 

Help Others Prepare
A great way to help neighbors, family and friends cope with severe weather is to help them create an emergency plan. Show an older adult or family member how to text their emergency contact or use social media to check in with loved ones. A simple “I’m OK” message can go a long way in easing additional anxiety and stress. Adults with special needs may be particularly vulnerable to feelings of isolation, anxiety and other depression during severe weather. Try to check in on people who may be vulnerable after a disaster or major storm.

Maintain Normal Routines and Practice Self-Care
Even during chaotic or stressful times, it’s important to try to maintain your normal routine. In the face of severe weather, you may need to stay indoors. Avoid “cabin fever” by cooking a favorite meal, playing a board game with the family, or watching a funny movie. This is also an opportunity to do some self-care activities you might not normally have time for, such as meditation, yoga, relaxation techniques, or breathing exercises. Maintaining normal routines is especially important if you have children. It can help ease any anxiety that they may have about the unpredictable nature of severe weather.

Know When to Reach Out for Help

Even after you’ve tried these tips for coping, you may still find yourself struggling with difficult emotions, and that’s common; you’re not alone. After experiencing a severe weather event or a disaster, it may take time to bounce back. With time and support you can continue to move forward and resume everyday routines. Learn more about common distress symptoms and what signs to look for so you can help yourself and loved ones better cope. If you need immediate emotional support or want to talk to a caring counselor about what you’re feeling, you can always call the Disaster Distress Helpline at 1-800-985-5990 (TTY 1-800-846-8517) or SMS (text “TalkWithUs” to 66746) anytime, day or night.

The Disaster Distress Helpline is a program of SAMHSA administered by Link2Health Solutions, Inc. and is the first national hotline dedicated to providing year-round crisis counseling for anyone in distress before, during or after natural or human-caused disasters. This toll-free, multilingual, crisis support service is available 24/7 via telephone (1-800-985-5990) and SMS (text ‘TalkWithUs’ to 66746; Spanish-speakers text ‘Hablanos’ to 66746) to residents in the U.S. and territories. Calls and texts are answered by trained, caring counselors from a network of crisis call centers across the country.


John F. Kennedy once said, "There are risks and costs to a programme of action, but they are far less than the long-range risks and costs of comfortable inaction".

When making any business decision, there are risks that must be measured. Risk management is a key element for any successful business. It starts with identifying, assessing and quantifying business risks, then taking measures to control or reduce them. The risks are then reassessed and business decisions are made based on the remaining risk vs. reward. Having a clear understanding of all risks allows an organisation to measure and prioritise them, then take the appropriate actions to reduce losses. The same also stands true for government departments, small businesses and individuals.



There are more viable offshore outsourcing destinations than ever before -- a great boon for IT leaders seeking new sources of talent, language capabilities, nearshore support, and risk diversification. But IT organizations can no longer afford to take a traditional view of outsourcing location assessment.

"The maturity of global delivery models also continues to increase, and given the demands of increasingly global businesses, this trend will only continue," says Charles Green, an analyst in the sourcing and vendor management practice of Forrester Research. "However while a geographically diverse portfolio of suppliers brings benefits it also requires clients to diligently manage the increased risk of such a portfolio."



It's 2am on Christmas Day. You are woken by a phone call informing you that a police raid in central London has uncovered documentation suggesting that your company has been targeted by a group with links to terrorist and state organisations. These groups are renowned for attacking commercial organisations. What would you do?

Sadly, in my experience this is when most companies realise they are ill-prepared to deal with a cyber-attack. I have seen companies struggle to come to terms with the loss of intellectual property (IP), funds, a fall in share value, and their reputation damaged by information that now finds itself on the web.

So how prepared are you to deal with a cyber-attack? Let's start by simplifying this subject. The risk around cyber is simply an issue of information security: the way a company values and protects the precious data it is entrusted with. Too often, information security is viewed as an impediment to a company's operations, and if it is too prohibitive, it can indeed damage its effectiveness. It has to be proportionate. We can't remove risk, but we can manage it.



Today, many government agencies – civilian and defense – find themselves in a technology quandary: the volume of data that must be stored is growing rapidly, while shrinking budgets are limiting the capital expenditures (i.e., servers, storage devices, etc.) required to store all of this data.

Government agencies are not only eyeing existing storage demands, but anticipated storage requirements as well. Gartner estimates the external controller based (ECB) disk storage market will grow from $22.2 billion in 2012 to $31.1 billion in 2016 (a compound annual growth rate of 7.9 percent).

As a result, storage optimization becomes critical for agencies seeking to boost IT performance while improving utilization and infrastructure efficiency. For agency decision makers seeking to improve storage efficiency as a way to address growing data volumes and shrinking budgets, there are a handful of key strategies to consider.



In 2012, according to the Symantec Internet Security Threat Report 2013, there was a 42 percent increase in targeted attacks on the internet, and 31 percent of those attacks were aimed at businesses with fewer than 250 employees. In short, security risks are continuing to grow at incredible rates, and the standard MSP customer is certainly not immune to the threat. For many small businesses, the initial cost and complexity of acquiring the necessary tools to provide security services can seem daunting. As such, selling security services can be a key part of the managed service provider’s portfolio. So, it’s important to take a look at some of the strategies and opportunities for MSPs to boost revenue and build lasting client relationships through security offerings.





A new report named ‘Disaster Unpreparedness’ has been published by MeriTalk, an online community and go-to resource for government IT. The report, which was underwritten by NetApp and SwishData, details how confident IT professionals working for federal agencies are in their current data backup and disaster recovery solutions.

In December 2012, MeriTalk surveyed 150 federal Department of Defense and civilian IT professionals to see how confident they are in their current disaster recovery strategy, how resilient they deem their strategy to be and how often they test their strategy.

The federal IT professionals who participated in the survey scored themselves very highly for their data backup and disaster recovery preparedness with 70% giving their agency a grade of ‘A’ or ‘B’. Despite the IT professionals awarding their agency such high marks for their data backup and disaster recovery preparedness, only 8% believed that they would be able to recover all the data in the event of a natural or man-made incident.



Tuesday, 18 June 2013 15:59

A new approach to risk management

The role of risk management changes at each level of an organisation in the mining industry. The criteria used to evaluate results will therefore be extremely varied. Corporate management will be interested in risks that are vastly different to those that keep general managers at minesites awake at night. But what effective corporate and minesite risk management has in common is that it should primarily be concerned about removing surprises.

Everyone in the business should be focused on the following simple questions:

  • What are the real, material risks?
  • What are we doing about them?
  • Is it actually working?



The Centers for Disease Control and Prevention’s free app, Solve the Outbreak, may help public health officials educate Americans about massive sickness and treatment.

The app is an interactive, question-and-answer game that educates players about how medical professionals identify mysterious illnesses that strike large populations. Though Solve the Outbreak doesn’t have much replay value, it’s still an informative experience.

People play as disease detectives in three missions and investigate clues to discover what’s happened to make people sick in each scenario. Each clue offers information about the outbreak and asks players what to do next.



Tuesday, 18 June 2013 15:57

Creating a workable plan before a crisis

This article is the first in a four-part series addressing the four fundamental principles of crisis management: creating a workable plan, preparing for a crisis, managing the occurrence of a crisis and how to successfully regain business continuity and traction after a crisis strikes.

The tragic events that have taken place over the last few months, including natural disasters and terrorist attacks, should serve as a reminder that we can never be sure when or where a crisis may next occur. As business leaders, it is our responsibility to ensure our people and properties are protected as much as possible.

The first principle in crisis management is to establish a plan. If you already have one, now is a great time to dust it off and re-evaluate it. A well-designed crisis-management plan will be the end result of three steps. First, you will want to identify probable risks. Second, you must determine procedures and protocols to follow in the event of each scenario. Lastly, you must assemble the plan in an organized fashion and make it accessible to all of your associates.



Each calendar year can be easily associated with a “tech meme.” 2011’s Cloud gave way to 2012’s Big Data. 2013 is nearly halfway over and it’s clear that this year’s meme is “Software-Defined”—specifically in my line of work, the “Software-Defined” Data Center.

I’m not suggesting that these secular trends aren’t / weren’t valid. Nor am I saying that these are not transformational forces that will radically alter the way we conceive, design, build, and run IT for the next several decades. They’ve already started to have a significant impact in companies large and small.



Crisis management required after predictably polarizing article published

We never seem to run dry of examples of easily preventable crises. Last week, an article on Home and Garden TV’s website discussing Fourth of July table settings suggested that an American flag be used as a “bright and festive table runner.” Whoops…

As you probably guessed, flocks of military vets and their families, along with citizens from just about every walk of life, descended on HGTV’s social media sites to rip the network a new one for its misuse of the flag.

To HGTV’s credit, it quickly deleted the article and posted an apology, but to its detriment the apology was a weak one.




Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service (DDoS) attacks they've experienced in recent months. They're not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.



Monday, 17 June 2013 15:49

Cyber crime: Is it on your radar?

According to the government's 2013 Information Security Breaches Survey, an unprecedented number of cyber attacks are being experienced by UK businesses. A staggering 93% of large organisations (employing 250 or more), and 87% of small businesses (under 50 staff), have fallen victim to cyber crime over the past year.

While the proportion of large organisations reporting security breaches remains consistent with 2012, 11% more small businesses appear to have suffered third-party hacking. The increasing number of businesses failing to protect their data is a concern, as is the spiralling number of breaches each will experience.

The survey reports that, on average, 50% more breaches have occurred. For large businesses, the median figure is 113; for their smaller counterparts it's 17, up from 71 and 11 a year ago. The associated costs are rising too: large companies can expect to pay between £450,000 and £850,000 for their security lapses, while smaller companies face a £35,000 to £60,000 bill.



Cloud, cloud, cloud. If you’re in enterprise you probably hear the word ‘cloud’ multiple times every day. Most of the time, it doesn’t really mean much other than a datacenter that isn’t yours, but it does make you feel safe knowing that someone has your data in hand.

Unfortunately, even in the cloud, disaster recovery is still a necessary evil. Cloud companies that host your data still have outages. Things still break. Disasters do happen. Many companies think that the cloud provider will have their data covered, but they don’t stop to think that perhaps it’s better to consider a world where the cloud provider isn’t able to provide a service after a disaster. Not only that, but how does your business keep going when your local data and premises are gone? That’s often not even factored into the disaster recovery plan.



Monday, 17 June 2013 15:47

Updating Emergency Response Procedures

Question: We have employees working in an area of the country that has experienced a lot of natural disasters over the last couple of years, from earthquakes to flooding to snow storms. As a result, we are updating our company's emergency response procedures. We have some employees who are visibly disabled and others who we believe may have medical disabilities they have not disclosed to the company. Are we legally permitted to ask our employees to disclose their medical information in order for us to assess what, if any, special emergency response accommodations we need to have at the ready for disabled employees (both those with visible disabilities and those without)?



South Africans have been hard at work for six years and are now putting the finishing touches on the first comprehensive data protection laws, aligned closely with those currently under debate in Europe.

The proposed European laws give online consumers the right to withhold personal information while using websites – which presents a challenge to the businesses who have based their revenue model on garnering exactly this kind of data.

These laws, if introduced in South Africa, could have far reaching implications for both individuals and businesses.

JJ Milner, founder and chief cloud architect at Global Micro, shares his answers to the burning questions about the implications for South Africa.



Computerworld — Internet pioneer Vinton Cerf is concerned that we're at risk of losing much of the data we've been creating in the digital age he helped usher in.

Speaking at the Computerworld Honors awards program earlier this month, the co-designer of the Internet's TCP/IP protocol said he's concerned that digital items we use today -- spreadsheets, documents and scientific data -- will one day be lost, perhaps one day soon.

To support his point, Cerf noted that the Microsoft Office 2011 software on his Macintosh computer can't read a 1997 PowerPoint file. "It doesn't know what it is," he said.



It is essential that all professional firms - however large or small - develop a disaster recovery plan. A disaster such as a flood, fire or computer virus attack can cripple your operations, meaning that your business’ resources could be limited for a significant period of time. During this time, projects can be delayed and the quality of work may suffer, which can lead to strained client relationships.

Without an effective disaster recovery plan in place, a short-term problem can rapidly evolve into a long-term financial disaster for your firm.

In spite of this, few companies take the time to put together an all-encompassing disaster recovery plan. The key is to have a tried and tested plan in place that will stop the disaster causing further issues for your firm. Here are five tips to develop a disaster recovery plan.



For the early history of computing, data tended to be kept locked down within isolated, local systems for security reasons. With the advent of the cloud however, the idea of accessing data from anywhere, using cost-effective on-demand services is now thoroughly mainstream. Indeed, the future of IT is the cloud.

As cloud computing continues its triumphant spread, one issue that has continued to get undeservedly little attention, though, is the geographical location of data. The ongoing NSA scandal is finally bringing to light just one aspect of how critically important the physical location of digital data has become.



Monday, 17 June 2013 15:41

Taking cover to protect your business

It is the stuff of nightmares for every small business owner: wake up one morning and the enterprise has been destroyed by fire. Or watch, powerless, as flood ruins a lifetime of work.

But there is a way to protect your business from disaster - business interruption insurance. With so many natural catastrophes happening in Australia in recent years, it's essential for small businesses to consider business interruption insurance, whether this means checking levels of cover or acquiring cover where none exists.

Mark Searles, chief executive of insurance broking business Austbrokers, says any business interruption could be a major setback that threatens the very survival of a business, particularly when margins are already tight, as is often the case these days.

''Research has shown that one in four small businesses would not recover if forced to close the doors for three months,'' he says.


Leadership in Resilience was the theme of this year's well-attended Executive Forum, and the whole programme was set up to ensure a lively debate around resilience and how BC professionals can take the initiative and lead on this hot issue. These two days in Brussels made real progress in clearing the fog and providing some specific examples of where BC professionals can make a difference. For me the five key learning points were:

1. The growth of the term Resilience in job titles is much more widespread than I had expected. In some cases BC Manager has been changed to Head of Business Resilience without any change of responsibilities. This change is not universally popular among those with the new title because "business continuity" is a strong, meaningful "internal brand" whereas "business resilience" is non-specific and aspirational.



What is disaster recovery?

In simple terms, ‘disaster recovery’ is the process by which you resume business after a disruptive event, which can range from power failures and IT system crashes to theft, fire or flood. Protecting your business systems plays a large part in your ‘Disaster Recovery Plan’.

The implications of not having a ‘Disaster recovery plan’

Many businesses I see are unaware of the importance of a tried and tested plan because they see a potential disaster as an unlikely event, but the implications are huge. Just imagine losing all your data for 24 hours: how would you manage to recreate your data to cover the work lost, and how much revenue would you lose?




Monday, 17 June 2013 15:37

Natural disasters prove costly

The latest annual risk survey by global insurance brokerage Aon has shown a sharp rise in concerns over business grinding to a halt due to a natural disaster.

Indeed, the concern over business interruption has climbed two places to be the fourth most significant risk ranked by businesses this year.

Aon Australia says the change can be attributed to the floods and fires of recent years, with many businesses still feeling the effects of the disaster.

Events such as Queensland and NSW floods ''have left many organisations contemplating business interruption exposure from a vertical or supply chain perspective, due to the consequent impact on their customer base,'' Aon said in its latest Australasian Risk Survey.

The World Health Organization has published new interim guidance to replace the 2009 Pandemic Influenza Preparedness and Response advice. 'Pandemic Influenza Risk Management' includes the following:

  • Focus upon risk assessment at national level to guide national level actions
  • Revised approach to global phases
  • Flexibility through uncoupling of national actions from global phases
  • Inclusion of principles of emergency risk management for health
  • New and updated annexes on planning assumptions, ethical considerations, whole-of-society approach, business continuity planning, representative parameters for core severity indicators, and containment measures.

Business continuity annex

Pandemic Influenza Risk Management includes a checklist of action items that should be contained in a business continuity plan in order to cover pandemic risks. These items are:

  • Identify the critical functions that need to be sustained.
  • Identify the personnel, supplies and equipment vital to maintain critical functions.
  • Consider how to deal with staff absenteeism to minimize its impact on critical functions.
  • Provide clear command structures, delegations of authority and orders of succession.
  • Assess the need to stockpile strategic reserves of supplies, material and equipment.
  • Identify units, departments or services that could be downsized or closed.
  • Assign and train alternative staff for critical posts.
  • Establish guidelines for priority of access to essential services.
  • Train staff in workplace infection prevention and control and communicate essential safety messages.
  • Consider and test ways of reducing social mixing (e.g. telecommuting or working from home and reducing the number of physical meetings and travel).
  • Consider the need for family and childcare support for essential workers.
  • Consider the need for psychosocial support services to help workers to remain effective.
  • Consider and plan for the recovery phase.

Read the document (PDF)

Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister struck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.

The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Oftentimes, however, security managers become so bogged down in the minutiae of everyday operations that their enterprise risk management plans are neglected, rarely ever being updated or practiced.



New York City is currently on pace to meet all of the long-term climate change and sustainability goals set by the mayor’s office back in 2007, Mayor Michael Bloomberg announced Tuesday. The city is simultaneously launching a $20 billion effort to prepare for the adverse effects of climate change.

The new plan incorporates more than 250 recommendations to improve the city's readiness for another storm like Hurricane Sandy, which caused $19 billion in damages and economic loss. New projections from city scientists also anticipate faster rising seas, hotter summers and more heavy rains, making it imperative that the city take action now, Bloomberg said in a speech announcing the new initiatives.



IT executives are growing more concerned with the potential of data outages from natural disasters. More companies are taking a proactive approach to data security as part of their disaster recovery planning, according to AT&T's annual Business Continuity Study. 

Recent natural disasters such as Superstorm Sandy and the tornado in Oklahoma have highlighted the risk of data security breaches. Eighty-eight percent of the IT executives surveyed understood the growing importance of data security, and most included wireless network capabilities in their disaster preparedness business solutions.



Despite the devastation caused by Superstorm Sandy and other recent natural disasters, small businesses aren’t getting the message. A new survey finds 70 percent don’t expect to experience a similar disaster and nearly half have no plan to ensure business continuity.

The survey of 200 small businesses, sponsored by FedEx and the American Red Cross, found that Superstorm Sandy inspired only 10 percent of respondents to take new steps to prepare for disasters, according to a press release on MarketWatch.com.

“Developing an emergency preparedness plan is one of the most important strategic decisions a small business owner will make,” says Tom Heneghan, manager of preparedness for the Red Cross. And yet SMBs are more likely to rely on the bare minimum of disaster planning, hoping they’ll never have to use it. “People know they should do it, but it’s not always at the top of the list,” Heneghan says.



Thursday, 13 June 2013 13:06

10 Hot Big Data Startups to Watch

CIO — The Big Data market is heating up, and unlike some overhyped trends (social media), it's pretty easy to pinpoint ROI with these tools.

When we put out calls for nominees through the Story Source Newsletter, HARO, Twitter, and other channels, we received more than 100 recommendations. Usually, when we get that many, a good chunk of them can be dismissed out of hand. Some are clearly science projects; others have zero funding, no management pedigree and a dubious value proposition, while a few are clearly the product of malarial hallucinations.

Not so this time. Very few of the startups we looked at were whacky long shots. Most were decent ideas, backed by real VC money and seasoned management teams.



Thursday, 13 June 2013 13:05

Email Morphs into Corporate Espionage

An email just dropped into my electronic in-box with the subject “Should You Archive Email to the Cloud?”

I suppose it’s a good question and I can think of many reasons to keep my emails “closer to home.”

But the query did trigger an off-the-wall thought, my forte it seems.

What about vendor security – all vendors, not just in the cloud.

When a person or organization signs up with a vendor, the vendor asks for, usually justifiably, a great deal of information. Granted, most of the information can be acquired from public resources, public records. But maybe not all, and some of the “not all” should be, at a minimum, “confidential.”



We regularly ask heads of Enterprise Risk Management (ERM) what stops them from having an impact on strategic decisions in their organization. The most common response we get is “we do not have a seat at the table.” In our recently conducted State of ERM survey, we asked heads of ERM about their team’s involvement and effectiveness in the strategic planning process. While 50% of ERM teams were involved in some capacity, only 20% thought they were highly effective. So, if it’s not about a seat at the table, what is at the root of the problem? Why are ERM teams not able to effectively partner in the planning process? Moreover, are you completely sure how your ERM team can add value if you had a seat at the table?



Wednesday, 12 June 2013 14:01

Lessons in Disaster Recovery

The EF-5 tornado that ripped through Moore, Oklahoma, left 24 fatalities, nine of them children. An estimated 12,000 homes and many businesses were destroyed or damaged along the estimated 17-mile-long, 1.3-mile-wide tornado path. It’s hard to get your head around that kind of devastation.

While the immediate concern is response and recovery, the residents of Moore will soon have to turn to the task of rebuilding. But among the first steps toward emotionally healing from the storm is removing the debris—that is, the physical vestiges of the storm. And that step needs to be taken quickly. 

The longer it takes to rebuild and reopen businesses, the less likely it is that communities will fully recover. Social scientists have been studying what has helped or hindered community recovery in the hopes that future communities—like Moore—can recover more rapidly and comprehensively.

Wednesday, 12 June 2013 13:59

Big Data: The future of info security?

According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. 

Whilst the promise of actionable insight from data is not new — business intelligence and other analysis capabilities have long been present in many organizations — what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.



After 10 years of managing an IT audit function for an international energy company, I had the opportunity to head up their IT Strategy group that was charged with creating Organizational IT Security and Risk profiles and plans.

The charge of this function was to annually evaluate organization-wide internal and external risk as it relates to IT, and to communicate this information back to the CISO, CIO and CFO. To carry out the evaluation of organizational IT risk required not just working with IT personnel, but also business personnel all the way up the C-level business unit leaders.

The information gleaned from these annual assessments drove plans to improve and bolster our overall security posture based upon where we were at a point in time and where we anticipated being in the next several years. Ultimately this was a dynamic view of risk versus a point in time tactical view.



Wednesday, 12 June 2013 13:53

Supply Chain Complexity Expands Risk

Everyone talks about risk in the supply chain, but the increasing complexity of it makes identifying and mitigating risks difficult.

In fact, almost half of executives are afraid that their supply chain risk management is only somewhat effective or has no impact at all, according to a recent survey from Deloitte. Said Kelly Marchese, principal at Deloitte Consulting LLP, in a press release:

Supply chains are increasingly complex and their interlinked, global nature makes them vulnerable to a range of risks. This increased complexity, coupled with a greater frequency of disruptive events such as geopolitical events and natural disasters, presents a precarious situation for companies without solid risk management programs in place.

Decisions around risk mitigation in the supply chain can make the difference between success and failure, and organizations know it. In counting the costs of risk events, 71 percent of those surveyed for Deloitte's research said that supply chain is an important part of strategic decisions. Poor decisions are likely to erode already thin margins or make suppliers unable to address sudden changes in demand.



The power was out for 2 million electric customers in New York. Hospitals and nursing homes were evacuating patients and shutting down. Thousands of people were stranded in high-rise buildings, needing food and water. In Queens, houses were burning to the ground. Water rescues were taking place in New York City and on Long Island.

These events didn’t take place on different days. They all happened simultaneously when Hurricane Sandy struck New York on Oct. 29, 2012. They illustrate three key distinguishing aspects of a Type 1 disaster: scope and scale, velocity and ambiguity of information. Emergency managers responding to Hurricane Sandy in New York experienced all of these challenges.



Implementation of cloud services and mobile applications would assist in preparation for potential disasters.

The majority of organisations are adopting a proactive approach to security by improving their business continuity and disaster recovery plans to incorporate wireless network capabilities, cloud services and mobile applications, a new report has found.

AT&T's Business Continuity Study revealed that 63% of executives surveyed believed the looming threat of security breaches was the main security concern for 2013.



Wednesday, 12 June 2013 13:35

Social Media Crisis Management Musts

Like it or not, social media is all but guaranteed to play a role in your next crisis.

Sure, you could bury your head in the sand and pretend it doesn’t exist, but not having a Twitter or Facebook account won’t prevent your stakeholders from venting about, or attempting to reach you via those services. At best you’re missing out on the most popular communications platforms, hosting the largest communities, currently in existence, and at worst you’re creating further ill-will by not having a presence because people can’t get in touch, a troll is hard at work trashing your name, or any number of other potential ugly situations.

To make things easier, here’s a list of social media crisis management “musts” to get you started on the right track:



Tuesday, 11 June 2013 14:15

How businesses prepare for disasters

With fears of potential security breaches and natural disasters like Superstorm Sandy and the recent Oklahoma tornado weighing heavily on IT executives, businesses nationwide have continued to grow and advance their business continuity and disaster recovery plans to incorporate the adoption of wireless network capabilities, cloud services and mobile applications.

The annual AT&T Business Continuity Study found that:

  • More than half of executives surveyed (63%) cite the looming threat of security breaches as their most important security concern for 2013.
  • 84 percent of executives are concerned about the use of mobile networks and devices and its impact on security threats.
  • 88 percent of those surveyed understand the increasing importance of security and indicate that their companies have a proactive strategy in place.
  • Nearly two-thirds (64%) of companies include their wireless network capabilities as part of their business continuity plan.
  • 87 percent of executives indicate their organizations have a business continuity plan in place in case of a disaster or threat – a slight uptick from last year (86%).



The scandal surrounding the National Security Agency's Prism data-gathering programme will impact all businesses that rely heavily on the processing and analysis of customer information, according to experts.

Technology giants including Apple, Facebook and Google have denied that they have participated in Prism and have said that they have not enabled the US government to access their systems through a "backdoor".

Tuesday, 11 June 2013 14:13

Big Data: Book review

There's a logical fallacy that mathematicians are fond of quoting when humans exercise their considerable built-in pattern-recognition abilities to draw conclusions that could just be coincidence: correlation does not imply causality. But, as Kenneth Cukier and Viktor Mayer-Schönberger argue in Big Data: A Revolution That Will Transform How We Live, Work, and Think, what Big Data brings with it is a profound shift in our attempts to understand How the World Works. In their view, correlation may now be good enough all by itself.




For centuries we have focused on causation as a way of deriving general principles from specific cases. For example, once we understood that plants grew in response to ready supplies of sunlight, water and nutrients in the soil, we were able to apply this knowledge to promote more rapid and reliable growth. What's happening now is that by churning through huge masses of data we can find patterns that would not be trustworthy in smaller samples, and derive value from them whether or not we understand the underlying causality.



Tuesday, 11 June 2013 14:12

How to Keep your Data Safe

In the wake of the recent collapse of data centre provider, 2E2 (the company ran out of cash and asked clients including the NHS and numerous businesses to stump up extra money to avoid losing their data), it’s more important than ever that companies take the right precautions and ask the right questions to ensure their data is safe and that they have peace of mind. The amount of data being collected, transferred and processed across all businesses is increasing exponentially and storing it is now a key element of business operations, as is keeping it secure.

Like any business partnership, the first and perhaps most important consideration for a prospective client should be the people that will look after their data on a day-to-day basis i.e. the employees of the firm they are evaluating. Around 70% of instances of data being compromised are down to human error; so you need a team you can trust.



My recent blog assessed how 'disasters' fared in the U.N. Secretary General’s High Level Panel report on post-2015 development goals. This time, I consider the report’s implications for setting priorities for the successor to the Hyogo Framework for Action (HFA), the global agreement on reducing disaster risk. The HFA, like the Millennium Development Goals, is also due for renewal in 2015. Here are some preliminary points.

The next HFA should:

1. Ensure ‘tackling vulnerability and its causes’ is the dominant message. Here, very clear links need to be made to the post-2015 development goals that help to underscore the critical intersection of disaster risk and the causes of vulnerability and poverty. If backed by a disasters target in a poverty goal, as suggested by the high level panel, the successor to the HFA can then become a vision, operational plan and implementation guide for governments and the global development community. This will take equal recognition of the small (‘silent’) disasters, as well as the headliners, and therefore place ‘development’-oriented policy responses at the core of the next agreement.



Hurricane Sandy, the recent, deadly tornadoes in Oklahoma and the Boston Marathon bombing are stark reminders that businesses and commercial and industrial properties are susceptible to a wide variety of emergencies.  Hurricanes, extensive flooding, blizzards, ice storms, fires and utility disruptions are just some of the emergencies that can impact a business’ operations, bringing fresh urgency to the need for business preparedness and resiliency efforts.

Such emergencies and disasters have the potential to cripple or even destroy businesses – of all sizes and scope – that are unprepared for such events; studies show that 40% of businesses that do not have emergency plans in place do not re-open after a major incident.

Having businesses that are resilient to emergencies ultimately helps local communities and citizens recover from disasters faster – which is why business resilience is so important to FEMA.   Engaging an entire community in disaster preparedness, response and recovery activities is a main responsibility of FEMA’s Private Sector Liaisons, who work in all ten FEMA regions across the country.  As the Private Sector Liaison for FEMA Region I (which covers six states and 10 Indian Tribes in New England), I arranged for our regional office to participate in the “Weathering the Storm: How Properties Can Prepare and Respond” event that NAIOP Massachusetts, The Commercial Real Estate Development Association, hosted on May 31, 2013.



Recent news of widespread phone and internet surveillance by the National Security Agency (NSA) has raised serious questions over the ethical and legal obligations private companies face to protect the privacy of individuals. To what extent is it ethically acceptable for companies to assist in legal surveillance of innocent individuals?

Telecommunications companies are caught between the rights of individuals to protect personal data about themselves and governmental demands for personal information under the guise of national security. The fundamental problem is that individuals place trust in companies to protect their privacy, while companies are legally required to pass this data on at the request of the government under increasingly broad interpretations of laws permitting surveillance.



GENEVA – Amid human infections from H7N9 and MERS-CoV, the World Health Organization (WHO) on Monday released an updated guidance to help coordinate national and international pandemic preparedness and response.

The "Pandemic Influenza Risk Management: WHO Interim Guidance," incorporating lessons learned from the Influenza A (H1N1) 2009 pandemic and other relevant developments, replaces the "2009 Pandemic Influenza Preparedness and Response: a WHO Guidance Document."

Following recommendations by a review committee on Pandemic (H1N1) 2009, the new influenza guidance simplifies the pandemic phases structure, emphasizes the risk assessment and risk-based approach, and increases the flexibility of member states to take actions.



Tuesday, 11 June 2013 14:05

The art and science of risk management

Computers, networks, and information security seem to fall comfortably under the heading of science, but science alone is not enough. Security system developer Tripwire recently conducted a survey in cooperation with the Ponemon Institute to find out whether IT professionals consider risk management to be “science” or “art.”

Ponemon surveyed 1,320 respondents across the United States and the United Kingdom: IT professionals working in information security, risk management, IT operations, business operations, and compliance. Participants were asked, “In your opinion, is information security risk management an ‘art’ or ‘science’?”


Ponemon defined the two concepts for the purposes of the survey. “Science” means basing decisions on objective, quantifiable metrics and data. “Art” refers to analysis and decisions that are based on intuition, expertise, and a holistic view of the organization.



Can summer heat cause as big a disaster as a hurricane or tornado? We turned to backup and disaster recovery specialist and MSP Strata Information Technology, Inc. to find out. President Pete Robbins follows three simple procedures to keep customers in check during the summer heat. We'll reveal the scoop in this MSPmentor exclusive.

Robbins suggested to MSPmentor that even for MSPs located in an area that is less likely to be hit by a natural disaster, it's still important to stay focused and energized.



Today’s virtualized systems provide a sound platform for business continuity because the platforms and networking are stronger and more agile than they were even a few years ago.

One of the key benefits of the cloud model—and all cloud systems are virtualized—is how virtual machine-driven systems can help to ensure business continuity and speed disaster recovery. Companies of all sizes are always looking for affordable ways to deliver quality IT services reliably and continuously to customers and employees. Cloud computing using virtual machines presents a low-cost disaster recovery and business continuity solution for small and midsize businesses and a more cost-effective alternative to cost-conscious larger corporations.



Tuesday, 11 June 2013 14:02

No performance checks?

Once again the Y-12 Tennessee nuclear arms facility's security has been breached.

This time it was by a little old lady who apparently got lost.

According to an article on the KnoxNews Website (http://tinyurl.com/ksj8x6f), the security breach occurred less than a year after three protesters cut through a series of security fences and walked to the innermost sanctum of Y-12, the country’s largest repository of weapons-grade uranium.

“I’m not aware of any circumstances quite like this,” said Steven Wyatt, spokesman for the National Nuclear Security Administration and Y-12. He called Thursday’s incident a “security lapse.”



Opening day for baseball season was March 31, coinciding with the monthly commencement of tornado season. Although teams train and are prepared for baseball season, many businesses are not prepared for tornadoes, which we've already felt, unfortunately, or even hurricane season, which launched June 1.

Disasters arrive in three forms — natural, manmade and technological — and, based on their continual emergence, have been labeled the new normal. Natural disasters have increased 40 percent since the early 1990s, and manmade disasters have amplified exponentially since 9/11. The recent 3/11 Japanese earthquake and tsunami crippled automakers and their supply chains. And who would have guessed two hurricanes would cruise the Northeast?



Federal agencies can recover from disaster quickly with client virtualization


When it comes to business continuity (BC) and disaster recovery (DR), client virtualization is a two-sided coin: There’s what client virtualization offers in terms of continuity and DR preparedness, and what it requires.

Of all the reasons to consider client virtualization, BC and DR may be the most compelling. For example, if a sensitive government agency can never afford a massive virus outbreak in its desktop environment, client virtualization can help it ensure uptime.

Or, as another example, if a company happens to locate its headquarters where earthquakes, tornadoes or hurricanes are common, and losing days or weeks to a natural disaster would cripple operations, then client virtualization presents a compelling, mission-critical investment.



A penny saved is a penny earned. We all know this saying, and most of us try to live by it. Whether you’re the type of person who can’t see a penny on the sidewalk without picking it up, or someone who visits the Frist Center only on the days when admission is free, we all do what we can to save a buck.

In business, finding ways to save money can make a big impact on your bottom line. It’s generally good business practice to keep your capital and operational costs low.

You can do this in several ways, from conducting extensive research before purchasing new equipment and negotiating down supplier contracts, to powering down workstations at night and making do without free soda in the break room.



Hurricane Sandy put many companies to the test: Could they withstand a storm that could shut down business for days, or even weeks?

With no Internet, phone or power and therefore, no way to communicate with employees or customers, workers were unsure whether to go to work, and customers had no way to contact businesses to find out when they’d reopen, what to do in an emergency and if their various appointments would be kept.

How a business responds to emergency situations reveals much about the company’s management skills and disaster preparedness.

Creating a business continuity plan to stay in touch with both employees and customers in the case of a natural disaster, can save companies the suffering from a storm’s scars — which can often be as harsh as putting a company out of business permanently.



Tuesday, 11 June 2013 13:25

Risk Management: Art or Science?

Is risk-based security management an art or science? That’s one key question posed to more than 1,200 IT professionals in a recent survey by Tripwire Inc. and Ponemon Research. The report, “The State of Risk Based Security 2013,” asked: “In your opinion, is information security risk management an ‘art’ or ‘science’?” For the purposes of the survey, “art” was defined as analysis and decision-making based on intuition, expertise and a holistic view of the organization. “Science” refers to risk analysis and decision-making based on objective, quantitative measures. They found:

  • In the U.S., 49% of respondents said “art” and 51% said “science”
  • In the UK, 58% of respondents said “science” and 42% said “art”
  • 66% of enterprise risk managers and 62% of business operations respondents say risk-based security management is “art”
  • 62% of IT security and 56% of IT operations said “science”



CIO - When Carly Simon sang the words "...they were clouds in my coffee" in her 1972 megahit, "You're So Vain," the notion of industrialized cloud-based computing was several decades in the future. Steve Jobs, speaking at Apple's Worldwide Developers Conference in 1997, alluded to the fact that the concept had actually germinated some 10 years earlier.

But Jobs' vision was prescient relative to what we now think of as cloud computing. He was arguably the first to see the huge promise and seismic shift brought on by the advent of device-independent data accessible from anywhere, at any time, on any type of technology, be it an iPhone, iPad, PC or other smart device. This is common today for personal effects such as music, video and financial services-but only recently has this capability begun making its way into the fundamentals of supply chain management.



U.S. Magistrate Judge Andrew Peck’s declaration that computer-assisted review is “acceptable in appropriate cases” may have helped change the electronic discovery landscape forever. Prior to Judge Peck’s 2012 order in Da Silva Moore v. Publicis Groupe, there were no known cases specifically addressing the use of computer-assisted review (aka predictive coding technology). Since then, at least seven different courts have taken up the issue of predictive coding technology and when viewed collectively, the cases signify a trend toward continued judicial interest. For example, in October 2012, a Delaware Chancery Court Judge stunned many in the legal community with what appeared to be a sua sponte order in EORHB, Inc., et al v. HOA Holdings, LLC, when he asked the parties to show cause as to why they should not use predictive coding technology:

“I would like you all, if you do not want to use predictive coding, to show cause why this is not a case where predictive coding is the way to go.”



Hurricane Sandy, the recent, deadly tornados in Oklahoma and the Boston Marathon bombing are stark reminders that businesses and commercial and industrial properties are susceptible to a wide variety of emergencies. Hurricanes, extensive flooding, blizzards, ice storms, fires and utility disruptions are just some of the emergencies that can impact a business’ operations, bringing fresh urgency to the need for business preparedness and resiliency efforts.

Such emergencies and disasters have the potential to cripple or even destroy businesses – of all sizes and scope – that are unprepared for such events; studies show that 40% of businesses that do not have emergency plans in place do not re-open after a major incident.



Tuesday, 11 June 2013 12:57

In the Name of Public Safety, Part II

New York University hosted its annual Global Risk Forum last week, with presentations from experts on critical infrastructure protection, hacktivism from groups like Anonymous, and bio-threats like the MERS coronavirus; and a general discussion by participants of top risks on the radar screen. A second day for participants involved a construction site tour of World Trade Center One (Freedom Tower) and the 9/11 Memorial Museum, courtesy of the Port Authority. I don’t think any of us who took the tour will ever forget standing in the clouds on the 90th floor of the unfinished building. Thanks to Rich Cooper for use of his photo.

In the media and in government agencies, things have heated up since I wrote my earlier column on terrorism. We have real world examples that test the parameters of both the first and fourth amendments to the U.S. Constitution, focused primarily around national intelligence collection. It’s too soon to believe that we have all the facts of the matter. Attorney General Eric Holder said recently that “the department's goal in investigating leak cases is to identify and prosecute government officials who jeopardize national security by violating their oaths, not to target members of the press or discourage them from carrying out their vital work.”[1] His remarks occurred in response to press reports that “authorities had secretly obtained telephone records for 20 lines used by Associated Press journalists as part of an ongoing criminal investigation into the source of information for an article about a foiled terrorist plot in Yemen.”[2]



Symantec Corp and the Ponemon Institute recently released the 2013 Cost of Data Breach Study: Global Analysis which reveals human errors and system problems caused two-thirds of global data breaches and three-fourths of data breaches in India in 2012, pushing the global average to INR 7,360 per record[1]. Issues included employee mishandling of confidential data, lack of system controls, and violations of industry and government regulations. Heavily regulated fields including healthcare, finance and pharmaceutical incurred breach costs 70 percent higher than other industries.

Following the global pattern, the cost per record for Indian organizations increased over the previous year, with Indian organizations incurring INR 2,271 per compromised record in 2012. However, organizations that appointed a chief information security officer (CISO) with enterprise-wide responsibilities, comprehensive incident response plans, and stronger overall security programs, experienced reduced costs globally and in India.



With the Philippine economy losing hundreds of billions of pesos every year because of disasters, the business sector should play a more “visible” role in disaster risk-reduction (DRR) efforts, the chairman of the Senate Committee on Climate Change said.

Sen. Loren Legarda made the statement in a privileged speech at the closing session of the 15th Congress before the weekend.

She shared some important findings of the 2013 Global Assessment Report on Disaster Risk Reduction of the United Nations International Strategy for Disaster Reduction (UNISDR).



With today’s high customer expectations for service and the need for organizations to secure business continuity, businesses must develop a collaborative approach to supply chain management. Your business must be able to orchestrate suppliers, assemblers, and distributors, creating a singular view of goods and services among all entities that touch the supply chain.

From Insularity to Integration

Until recently, companies were driven to closing off and protecting their supply chains. Now the drive is for collaboration. Indeed, in a recent supply chain trend analysis, Gartner has focused on “co-opetition,” in which partnering with potential competitors can be a transformational differentiator.




Technology can be a wonderful thing, can’t it? It wasn’t too long ago that having any kind of off-site disaster recovery solution in your company meant that you were a member of the Fortune 500. Well that’s not true any longer. In fact, this technology is so affordable now that virtually any size company can implement one of several possible disaster recovery solutions and protect themselves from catastrophe. So why is that? Three key things… the widespread acceptance of server virtualization, the availability of inexpensive high-speed internet connectivity, and new low-cost disaster recovery software solutions tailored to the virtual world.

Let’s take a look into the past and review where we have come from. There have been three phases in the evolution of this function:



Hurricane season is upon us, and forecasters have predicted an above-normal number of storms this year.

Already one named tropical storm roared through Virginia on Friday.

And as many as 20 named storms and six hurricanes of Category 3 severity or higher are expected during this hurricane season, which runs from June 1 to Nov. 30, according to forecasts by the National Oceanic and Atmospheric Administration.



Self-preservation is the primary law of nature… and may I add – business. Business continuity plans are an essential part of business; they are the ‘self-preservation’ aspect.

To create a business continuity plan, we have to identify internal and external threats to both hard and soft assets of the company – but who can really prepare for an earthquake, violent storms, tsunamis or tornadoes? Who can be ready when such calamities strike? These may not have been immediate concerns before, but we’ve seen Mother Nature strike one too many times to ignore a contingency plan.



Business continuity has become a high priority for companies, and one of the most significant recent trends in BC planning and practices is the emergence of cloud computing as a key component.

"The cloud has fundamentally changed business continuity," says Rich Cocchiara, distinguished engineer and CTO for Business Continuity & Resilience Services at IBM. "Capabilities previously only available to larger companies, such as remote failover, are now within reach of many small and medium size businesses."



How do you handle understanding the enterprise risks in a corporation where all of the risk management functions are dispersed in differential line management — General Counsel, Finance, Technology, Facilities? How do you define the participating functions? Yes, the ideal situation is having these groups housed under a Chief Risk Officer or Head of Operational Risk, but in the absence of organization structural shifts, here are some tips for you.

Be a Leader in bilateral conversations of risk partners
The most successful global security teams that I have been a part of were always leaders in collaboration and outreach to risk partners to pave the way for information sharing. Yes, there was the risk of the information flow being one way, and this is usually the case at the beginning, but as the interaction continues over time, the information flow gradually becomes two ways. For example, you may start with a monthly global meeting with Facilities and Business Continuity and a quarterly meeting with Information Security and Compliance.



Hands up how many people were surprised to learn that US security authorities have access to the phone records and the server traffic of the biggest telecom and internet companies in the world?

The “revelations” in the Washington Post and Guardian this week that the National Security Agency is trawling data relating to non-US citizens on the systems of giants like Microsoft, Google, YouTube and others may have made for strong headlines.

But in reality, it’s likely that many people would be more surprised to learn that the type of trawling carried out by operation PRISM was not going on. Following 9/11, the rules of engagement of counter-terrorism in the US changed utterly. Law enforcement officials secured significant new formal powers, and it is certainly fair to assume that levels of unofficial monitoring of internet- and phone-based chatter and records jumped too.



IT managers believe that the fragmentation of corporate data across their IT infrastructure and an emerging ‘Shadow IT’ network of user devices or consumer cloud services outside their control, are putting their organizations at risk.

New research from Freeform Dynamics shows over 80 percent of respondents believe effective business decision making is hampered by data availability and inconsistency issues. 83 percent are concerned about the security of their corporate data as it is increasingly dispersed across their network and outside. Getting the situation under control is also proving difficult with 93 percent saying that tracking and managing critical corporate data is now a big challenge, with the associated costs highlighted by 84 percent as being a further concern.

The survey report ‘Storage Anywhere and Everywhere – dealing with the challenges of data fragmentation’ is the result of interviews with 300 IT professionals in mid-sized organizations across the US and UK completed in April 2013. The independent report was sponsored by Mimecast. An infographic best practice guide and the full report can be found at www.mimecast.com/datafragmentation



As individuals get better access to the technology that enables their participation in the information age, so privacy has to be considered and regulation applied to raise standards to those that are acceptable across that society. It was interesting, therefore, to note the cultural recoil that occurred in response to the NSA’s recently discovered, and rather widespread, caller record collection (not to mention other 'PRISM' related data!) - it’s clear that this has crossed a boundary of acceptability.

This isn’t however, just a US problem. A news story recently broke in India highlighting that local law enforcement agencies had, over the past six months, compelled mobile phone companies to hand over call detail records for almost 100,000 subscribers. The requisitions originated from different sources and levels within the police force and their targets included many senior police officers and bureaucrats.



Friday, 07 June 2013 14:51

Humans cause data breaches. Fact.

Human errors and system problems caused two-thirds of data breaches during 2012, with employee behaviour one of the most alarming issues facing companies today.

A recent study by Symantec and the Ponemon Institute claims issues included employee mishandling of confidential data, lack of system controls and violations of industry and government regulations.

Heavily regulated fields – including healthcare, finance and pharmaceutical – incurred breach costs 70% higher than other industries according to the report.



The image of someone having their computer hacked is often of a grandmother who has had her identity stolen or a family that has had its bank accounts fraudulently accessed online. However, for criminals who carry out these cyber attacks, businesses are often their preferred targets.

2012 was a banner year for cyber criminals who steal data from businesses. Numerous large corporations suffered high-profile data breaches, but many smaller firms experienced devastating data breaches as well.



Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.

“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, CBRM, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”

Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.



Friday, 07 June 2013 14:48

3 Roles For Tape In The Cloud

Questions about the usefulness of tape come up often in conversations with users and vendors. The general theory, especially by cloud storage vendors, is that tape has outlived its usefulness.

The reality is that it has not; in fact, I often make the case that tape is actually more useful than it has ever been, especially in the cloud.

Here are three uses for tape in the cloud today.

1. Cloud Seeding.

Tape is an ideal way to "seed" a cloud. Seeding is getting the initial data to the cloud storage facility. Instead of transferring data across an Internet connection for days or weeks, it can be copied to tape and sent to the cloud provider via an overnight truck. If it will take you longer than 24 hours to seed a cloud via WAN transfer, then tape should be considered.



When the Ontario Volunteer Emergency Response Team (OVERT) was started about 20 years ago, it focused on providing a traditional search-and-rescue team to aid operations in the greater Toronto area. The group of unpaid professionals embraced its mission of providing well-trained searchers to assist law enforcement looking for lost or missing persons. But then the severe acute respiratory syndrome (SARS) epidemic hit Canada in 2003 — 800 people were killed worldwide including 44 in Canada — marking the first big community incident that OVERT was involved in.

“Our public health department found themselves without the manpower or resources to deal with a lot of the problems,” said OVERT Coordinator Glen Turpin. “And it was solving basic issues, things such as delivering food to quarantined homes and assisting with triage at hospitals.”



When terrorist suspects Tamerlan and Dzhokhar Tsarnaev set off two bombs near the finish line of the Boston Marathon in April, those immersed in the science of homeland security pondered a handful of obvious questions: What had authorities done to secure the route, and was securing all 26.2 miles of the course even possible? Had local law enforcement picked up any chatter related to a possible attack in advance of the incident? And were the brothers homegrown terrorists or connected with some foreign group?

Those are the kinds of questions that routinely get examined through an extensive intelligence infrastructure in place in the form of nationwide “fusion centers.” They were set up by the Department of Homeland Security (DHS) after the Sept. 11, 2001, terror attacks as a way to improve information gathering and intelligence surveillance among the country’s various law enforcement agencies.



WASHINGTON - Recent twisters in Oklahoma are a reminder that preparation is critical, because bad weather can strike just about anywhere.

Hurricane season also is officially here, and Tropical Storm Andrea has prompted a warning for a swath of the East Coast, all the way to Cape Charles Light in Virginia.

To help you prepare for the possibility of bad weather, WTOP's David Burd recently sat down with Seamus Mooney, director of the Department of Emergency Preparedness for Frederick County, Md.



A business had no excuse for not being prepared for hurricanes a decade ago. After Hurricane Katrina and Hurricane (and then Superstorm) Sandy, there is even less rationale to not take the necessary steps, especially if the business is located in the area most likely to be pounded. Unfortunately, that area seems to be getting bigger.

Last Saturday was the beginning of hurricane season, and May 26 to June 1 was National Hurricane Preparedness Week. Unlike some crises, such as fires and power outages, hurricanes and other weather-related challenges are vaguely predictable. That’s a good thing. The other good news is that a tremendous amount of information is available on hurricane preparedness and, more generally, on business continuity/disaster recovery.



As part of my ongoing research into data privacy laws in Asia Pacific (AP), I spoke with chief information security officers (CISOs), consultants, lawyers, and governance, risk, and compliance (GRC) professionals. This is critical to gauge key decision-makers’ awareness and understanding of the ever-evolving data privacy regulations and policies across 15 different jurisdictions in the region.

Some senior people have admitted to me that their organizations have not traditionally taken data privacy issues terribly seriously within their AP operations. However, in a clear sign that this is beginning to change, GRC practitioners are starting to see increased demand for their compliance-related services from both government and business sectors, particularly since late 2012. Regardless of where you stand on this spectrum, the reality is that the awareness levels of data-related regulations – and the level of compliance required to abide by these regulations – varies widely across the region.



Thursday, 06 June 2013 14:24

5 Disaster Recovery Misconceptions

Do you know how your business technology would fare if a true disaster were to hit? With the rate technology and your applications change and evolve, your DR plan may need a dusting off and updating. If your plan is outdated or relies on older assumptions, you may have gaps in your protection.

Don’t leave your infrastructure vulnerable. Assess your plan for the most common misconceptions of disaster recovery.

Misconception #1: Backup-as-a-Service and Recovery-as-a-Service are the same.

A good DR plan is not about backups, but rather it’s about getting back up and running as quickly and efficiently as possible. The placement of that one space makes a big difference.

Thursday, 06 June 2013 14:22

Determining a Tornado's Path-Width, etc.

The following is from an email sharing how the National Weather Service (NWS) measures a tornado's direction, path, width, etc.

For the most part tornado path width is determined by the measurable damage observed during the storm survey. Our WFOs will integrate into that assessment any additional evidence they can get (e.g., video, photos, radar data, survivor accounts) to make their best determination. That goes for all the characteristics of the tornado - path length, path width, EF-Scale rating, etc - that they report. Here is our Norman WFO's El Reno event web page - http://www.srh.noaa.gov/oun/?n=events-20130531

Below is the NWS policy guidance for our storm survey teams to utilize with regard to determining tornado path length and width. The full NWS Storm Data policy can be accessed here: http://www.nws.noaa.gov/directives/sym/pd01016005curr.pdf



Thursday, 06 June 2013 14:21

Practitioner’s Requirements

Selecting a candidate to protect the organization

The perennial question is once again causing clutter in the ether. The question:

Must a practitioner be an IT expert?

In a word: No.

Perhaps the practitioner should be an MBA to handle the business side? Is a degree even necessary?

Maybe an SPHR to understand the human relations concerns?

How about a CompTIA Security+ certification for security issues?

Is a PMI or Six Sigma black belt necessary to manage the project or program?

Same answer. No, No, No, and No again.

So what qualifications should a practitioner possess?



Most companies would describe responding to e-Discovery requests as time-consuming, expensive and something they would rather avoid altogether if at all possible. But if that’s not enough to make it a leading cause of indigestion among corporate executives, there are potential compliance risks that can result from responding to e-Discovery requests that are potentially as great or greater than the risk of mishandling the e-Discovery obligations themselves.

Executives cannot address the risk without first understanding the key ingredients in this recipe:



Wednesday, 05 June 2013 15:33

IT Basics 5: Business continuity

How to keep your IT systems working when the worst happens, by IT consultant John Dryden


IT is the life blood of any modern charity, linking its head, heart and essential organs. If it stops flowing, things will instantly seize up.

This is especially true for international charities, for whom email is the most practical way to communicate with far-flung colleagues. Where staff are operating in different time zones and remote locations across the developing world, it can sometimes be the only way to communicate regularly.

For example, an international medical charity we work with has 1,400 staff spread across the globe. On an average day its London-based team send and receive more than 11,000 emails – some of them involving life-or-death medical decisions.



Most small and medium-sized enterprises (SMEs) are experiencing difficulties with data backup and recovery, a study has shown.

A poll of 500 SMEs in Europe and the US shows that 85% are experiencing cost-related challenges with backup and recovery, 83% with lack of capabilities and 80% with complexity.

Other problems include high ongoing management costs (51%), expensive licensing models (48%) and backups either requiring or using too much storage (44%).

This means there is a maximum of 15% of SMEs that currently have no issues with data protection, said backup, replication and virtualisation management firm Veeam Software, which commissioned the survey.



Preliminary results from a joint CII, London School of Economics and University of Plymouth research project on how financial organisations approach risk culture revealed that firms were becoming increasingly conservative and that it could damage their profitability.

The research project was designed to deliver practical guidance for firms to improve the cultures and behaviours associated with risk-taking and control activities.

Interviews were carried out at nine financial institutions with risk management professionals and the study also included the findings from a survey of 2258 CII members.



As the security industry continues to grapple with a shortage in skilled professionals, particularly within very specific niches like application security, the state of security professional development continues to keep the industry locked up in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to raising the tide for all boats in the industry: the cost of paid training.

"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It's just not possible to take a group of 50 people out of your company, if you have a large one, and pay the amounts of money that are being asked to sufficiently bootstrap your employees."



Dozens of government agencies have no idea whether their websites or public kiosks are a security risk.

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches.


KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes.

The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board.



Why would you need a Policy once you have Business impact analysis, Business continuity strategy and Business continuity plan? This is probably a question many experienced business continuity/disaster recovery practitioners are asking themselves, so here’s why ISO 22301 (a leading business continuity management standard) says it’s mandatory.

Main purpose

The main purpose of Business continuity policy is that the top management defines what it wants to achieve with business continuity. Now why would that be important? Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company.



Wednesday, 05 June 2013 15:19

The Time is Right for an 'IT Petting Zoo'

Computerworld — SAN FRANCISCO - Bringing consumer technology into the enterprise doesn't mean corporate data will be at risk or that money spent on failed projects was wasted. Just ask NASA, which regularly brings shiny toys into its "IT petting zoo" to play with and test, many of which have gone on to be venerated products.

Tom Soderstrom, CTO of IT at NASA's Jet Propulsion Laboratory, regularly brings consumer tech into his shop to see if it will result in an increase in productivity and innovation.

"I'm often called chief toy officer ... and I'm proud of that title," Soderstrom told an audience at the CITE Conference and Expo here. "Ideas come from everywhere. Productize them and dare to fail. The ones that make sense go into pilot mode and then become products and typically last for years."



Federal agencies are grappling with an unprecedented growth in data at the same time that backup solutions are nearing capacity, a situation that could hamper efforts to recover data in the event of an emergency.

Moreover, agency officials are not testing their disaster recovery solutions as often as they should, raising questions about their preparedness for a natural disaster or man-made incident, according to a survey of 150 federal defense and civilian IT managers in a new MeriTalk report.



Reducing data at the source is the smart way to do backup. That is the conclusion I came to in my last post, If files were bricks, you'd change your backup strategy.  But I also left off by saying “there are technologically different ways to do this, which have their own smart and dumb aspects.” Let’s take a look at them. 

There are two common ways of reducing data at the host (as I mentioned last time, I am only considering traditional backup from servers, not disk-array snapshots). Since terminology can be used in different ways, I’ll define the terms as I use them.



Wednesday, 05 June 2013 15:15

Disaster Recovery: Test, Invest and Educate

Amidst internal and external security threats, natural disasters, hacking attempts and technological changes, banks and service providers today are constantly faced with the possibilities of data loss, security breaches and breaks in business continuity. These institutions are being asked more frequently than ever what plans they have in place for speedy recovery should systems be compromised. Following a number of hard-hitting storms in the United States, including Hurricane Sandy and the devastation wrought on the Midwest following recent tornadoes, attention is focused on preparing for a recovery after natural disasters. Though preparing for natural impact is important, it becomes easy to forget there is just as much, if not more, potential for malicious manmade threats from a security and technology perspective.

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability. While banks across the board conduct regular tests, the way in which these tests are conducted is crucial to determining a bank’s true ability to recover in the event of a disaster. In most instances, testing can be considered either static or dynamic. Most disaster recovery tests currently conducted are static in nature, meaning they are crafted to be sterile and built for success, to allow banks to ‘prove’ they have the ability and tools needed to succeed in the event of disruption. In these instances, banks and service providers are able to conduct tests and prove they have a perfect fail-over recovery system in place. The issue here is that these tests are rarely built to actually mimic any real disaster.



I can’t stop thinking about the Oklahoma tornado tragedy and the families who suffered from loss of life and property. The images of the wreckage have been burned into my brain and I feel that I need to do something about it. Which is why I want to talk about safe rooms, and why it is important to have a disaster recovery planning checklist for those people and organizations who are located in tornado zones (or flood zones, or hurricane zones, or earthquake zones, or…).

If you live in an area with extreme weather conditions, I recommend that you look into building a safe room, which could include a properly designed and equipped storm cellar.



An industrial plant explodes in Texas. Bombs shut down the city of Boston. A hurricane floods the east coast with water. A tornado hits Oklahoma.

All those recent disasters caused tremendous human suffering. All of them, too, brought devastation to businesses large and small. From damaged buildings to wrecked inventory to disrupted supply lines, natural and man made disasters can tear a huge hole through profitability. In many cases businesses close their doors for good.

Plan for recovery

What lessons can we learn from all this? Here’s one: Business owners must design and implement disaster recovery plans designed to mitigate harm when bad things happen. With that in mind, now would be a good time to revisit your own recovery plans with a fresh look. Are you taking the right actions to minimize damage if you are hit with a wind storm, a lightning strike, a flood or a power outage?



Wednesday, 05 June 2013 14:23

Active Shooter and Mass Casualty Incidents

An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area.

Overview of the FBI’s Role

When an active shooter incident takes place, local and state law enforcement are always the first on the scene. The FBI, however, has played a role in supporting the response to virtually every major incident in recent years and has much to offer in terms of expertise and resources.

Shortly after the tragic shootings at Sandy Hook Elementary School in Newtown, Connecticut in December 2012, the FBI sought ways its personnel could better assist its law enforcement partners. Two actions enhanced these efforts.

First, the Investigative Assistance for Violent Crimes Act of 2012, signed into law by the President in January 2013, permits the U.S. attorney general—at the request of appropriate state or local law enforcement personnel—to provide federal assistance after active shooter incidents and mass killings (defined by the law as three or more people) in public places. The attorney general delegated this responsibility to the FBI.



PC sales continue to decline, mobile sales continue to climb, people work at home, and the notion of strict work/life separation for equipment is on its way out for many information workers. Yet most IT organizations and security vendors insist on applying legacy thinking for information security that simply cannot work in the modern world of heterogeneous, anywhere, and mixed personal/business computing. They keep trying to build mobile prisons, extending perimeter defenses across the digital world or creating satellite fortresses on every device. No one willingly enters a prison, and the gulag and straitjacket approaches favored by IT and security vendors simply will be bypassed by business users, who've been doing so for years on the desktop.

It's time to stop the madness and protect what really matters: the information that moves among all the devices. To do so, the industry needs to stop trying to turn smartphones into fortresses that people can't use, and stop forcing the use of proprietary app containers that can't scale to a heterogeneous, interconnected digital environment or that provide only read-only access (what's the point, then, of having the file?). Instead, it's time we focus on protection at the information level, essentially using the notion of digital rights management (DRM) that travels with the data itself. The only way to make that work is through an industry standard.



Tuesday, 04 June 2013 16:15

BYOD: Banks Need to Stay Ahead of Risk

The evolving mobile landscape, including the bring-your-own-device trend, is requiring banking institutions to be mindful of emerging risks, says Jim Pitts, who oversees mobile financial services and vendor management for BITS, the technology policy division of The Financial Services Roundtable. Pitts says financial institutions are more at risk when it comes to mobile services and practices than many other sectors because of the types of transactions and sensitive information they manage.

When it comes to their BYOD policies, banks must address data loss prevention, application security and exposure liability management, he says in an interview with Information Security Media Group [transcript below].



Cybercrime has become a national crisis, said South African Centre for Information Security CEO Beza Belayneh on Tuesday, equating the scale to that of South Africa’s prevalent HIV/Aids pandemic.

Speaking at a Neotel/Mail & Guardian business breakfast, he said that South Africa had ranked the third-most “fished” country in the world, and was open to attack in a well-connected society.

“Cybercrime is no longer a criminality, it is a national crisis,” he said, adding that this was an event that should bring together all the Cabinet Ministers, banks and consultants, besides others.

“Governments are hacked, police websites are hacked, banks are losing millions – the statistics are that South Africa loses R1-billion a year, and it now threatens human life,” he said.



The survey also indicated feds are facing unprecedented data growth and must address backup solutions nearing capacity.

Just 8 percent of federal IT executives are completely confident that their agency could recover 100 percent of its data in the event of a disaster, according to a report from MeriTalk, an online community and go-to resource for government IT. The study also revealed that while agencies might feel prepared, they are not testing their systems as often as they should and face challenges with data growth, mobile devices and on-site backup. Only one in four federal workers give their agency an "A" in data resilience and disaster recovery (DR2) preparedness.



Tuesday, 04 June 2013 16:10


On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.”  The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012.  Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.



Don Schmidt is CEO of risk consulting company Preparedness LLC and a 20-year member and chair of the technical committee that writes the National Fire Protection Association (NFPA) 1600 standard. He also is the editor of the handbook Implementing NFPA 1600 National Preparedness Standards, which was published in 2007. NFPA 1600 was updated this year, and the U.S. Department of Homeland Security adopted it as a voluntary consensus standard for preparedness.

In this Q&A, Schmidt reflects on the evolution of standards in emergency management and business continuity.

Question: What is the background on the creation of the NFPA 1600 standard? How did it become established?



As illustrated by the devastation of Hurricane Sandy in 2012 when countless businesses were without power and data centers went down, it’s becoming increasingly important to have a well-conceived business continuity and disaster recovery (BC/DR) program in place.

Remember, there is a difference between a BC/DR program and a BC/DR plan. A program is a set of policies, practices and responsibilities that provide the structure for management, governance and sustainability to accomplish the goals. A plan is a documented set of action-oriented tasks and procedures to be followed when a disruptive event occurs or is imminent. In this article, we are going to discuss the key success factors of a successful BC/DR program.

There are four key components that stand out. A successful BC/DR program should be:



Computerworld — I recently misinterpreted some CEO cost-speak. The enormous gap between what I thought I was hearing and what the CEOs were actually saying is tremendously illustrative and well worth looking at.

I was involved, albeit tangentially, in a dozen executive searches for new CIOs. All of these searches were being led by CEOs of global, brand-name, Fortune 300 companies. In fact, nine of the companies were in the Fortune 100. In my experience, such leaders are enlightened and appreciative of the value of IT.

That's why I was surprised -- shocked, actually -- to find that every one of these CEOs ranked IT cost management among the top three capabilities they were looking for in their next CIO. I couldn't understand it. How could that be when just about everything one reads in the business press and from subscription research firms claims that growth is the primary focus for top companies' leaders? What was going on?



Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.



In the good old days, protecting your assets was all about making sure you had a big enough lock or thick enough walls. Today, however, the locks are digital and firewalls have replaced concrete as businesses seek to protect data from the prying eyes of cyber-criminals around the world.

Data is the new gold, as cyber-criminals look to steal everything from your identity to your credit card information. But they are not going after you directly, they are looking to pilfer this information from the companies you deal with online and who hold huge hoards of such information, all of which can potentially be accessed from anywhere in the world, simply by clicking a few buttons.



In seven years the information security industry will see more cloud delivery and no central IT.

According to recent predictions by Forrester on ‘The CIO's World in 2020', 90 per cent of the 325-strong audience said that central IT would not exist in the future, as IT will be directly embedded in business units such as marketing, product development and customer service.

The audience also said that most technology would be delivered via the public cloud, according to 85 per cent, who agreed that companies will architect and deploy business solutions from a growing pool of external as-a-service resources, with IT playing the role of orchestrator.



Monday, 03 June 2013 17:16

When Big Data Doesn’t Work

With few exceptions, articles about Big Data start off with promises to be smarter, run more efficiently, or make more money.  As proof, each article cites standard examples of how data analytics and robotics have transformed warehouse operations, IBM’s Watson’s mastery over Jeopardy, the game show, and how firms will make decisions more effectively.

Examples of success may be far fewer than we realize, given that most are described as a future state rather than as actual case studies like the few cited above. Real or not, we may learn more from stories of failure to gauge how much progress we have yet to achieve.



Monday, 03 June 2013 17:15

The Demise Of The Player/Manager CISO

The role of the CISO is changing.

For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.

These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those who have been working within the IT security teams; however, we have to recognise that this new breed is simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.



Monday, 03 June 2013 17:13

Big Data: The future of info security?

According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. 

Whilst the promise of actionable insight from data is not new — business intelligence and other analysis capabilities have long been present in many organizations — what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.



The Oklahoma tornado and start of hurricane season are throwing up red flags for business owners.

And while Mother Nature often acts as a reminder for creating business continuity plans, it’s the downtime when businesses should be preparing.

“It’s the time when there’s nothing happening that they should be thinking about this,” said Gail Moraton, business resiliency manager for the Insurance Institute for Business & Home Safety based in Tampa.

The Oklahoma tornado hit Moore, Okla., on May 20 as an EF5 storm causing destruction along a 17-mile path. In addition, the National Oceanic and Atmospheric Administration said there’s a 70 percent likelihood of 13 to 20 named storms this hurricane season — with the possibility of seven to 11 becoming hurricanes.



June 1 is the official beginning of hurricane season in the U.S. There are steps you can take now to protect your business and your employees should a natural disaster hit.

The Atlantic coastline of the U.S. is expected to have an above-average level of hurricane activity in 2013, according to Gerry Bell, the lead scientist of the National Oceanic and Atmospheric Administration long-range hurricane outlook team. Many states in the Northeast are still struggling to recover from Hurricane Sandy, which hit seven months ago. This week, President Obama visited the Jersey Shore, where he assessed the damage and pledged continued support to the region.

“If there’s one thing that we learned last year, it’s that when a storm hits, we’ve got to be ready. Education, preparation -- that's what makes a difference. That's what saves lives,” Obama said Tuesday. “Make a plan. It’s never too early,” he said, encouraging people to visit Ready.gov, a federal web site with instructions and plans on how to prepare for a hurricane.



Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.

“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”

Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.



A quarter of UK small to medium-sized businesses (SMEs) are risking significant data loss by storing data on-site instead of embracing cloud technology.

The findings are revealed in a new survey by Onyx Group which shows that although most businesses understand the cost effectiveness, resilience, scalability and flexibility of cloud, nearly 40 per cent have no plans to adopt cloud as part of their IT management.

The survey, which questioned SME IT managers, also revealed that many businesses are still using and relying on traditional methods of data backup despite research showing that 50 per cent of all tape backups fail to restore.*



MONSON, Mass. — Two years ago Saturday, a tornado wreaked havoc on a 39-mile stretch of western and central Massachusetts — destroying buildings, toppling trees, and causing injury and death. A full 24 months later, recovery efforts are still ongoing.

Driving along the wooded roads into Monson, you would never guess a tornado hit here two years ago. Then you come to the center of town, and the destruction is abundantly clear. On a hill overlooking new houses and a few damaged buildings is a wide swath of treeless land.

Owners of the First Church of Monson -- seen here in 2011 after the tornado hit -- are still working to replace the toppled steeple. (Robin Lubbock/WBUR)


“If you notice driving through downtown that pretty much all the roofs on all the buildings are brand new,” says Dan LaRoche, Monson’s disaster recovery manager.



Monday, 03 June 2013 17:00

DIY Risk Management

I recently saw a report on consultant compensation for business continuity practitioners.

According to a post on LinkedIn’s BC-COOP group, Cheyene Marling, founder of BC Management, reports that

BC Management’s 11th Annual BCM Study assesses not only compensations for those who are permanently employed, but also for those who work as independent contractors.

The attached data graph highlights the average low and high billing rates for independent contractors. The data was collected in BC Management's 11th Annual BCM Study between July - December 2012. All currencies were converted to United States Dollar (USD) for comparison purposes. The study received over 2,200 participants with 100 noting “independent contractor”.



The 2013 National Preparedness Report (NPR), released May 30, outlined areas of “national strength” in the United States’ progress toward delivering the 31 core capabilities outlined in the National Preparedness Goal, part of Presidential Policy Directive 8.

Planning, operational coordination, intelligence and information sharing and operational communications were highlighted as strengths, while infrastructure systems and public-private partnerships were areas tabbed as needing national improvement.



Recognizing that the world needs less space for retail and more to store data, Sears (SHLD) plans to turn some of its Sears and Kmart locations into data centers and disaster recovery spaces.

A new Sears subsidiary will be tasked with converting some of the more than 2,500 Sears and Kmart properties to data storage facilities equipped with servers, chillers and backup generators. It also plans to top many of its buildings with telecommunications towers.



No matter how safe, secure, and well-equipped your office and laboratory are, unexpected events can still cause costly setbacks. Major storms, utility work, or problems at your facility can bring your operations to a halt, and as you can imagine these kinds of events can have a damaging impact on meeting milestones and deadlines. Disasters come in many forms, but one of the most common and consequential ways they affect startup biotech companies is in the area of information technology. Short brownouts in your building's power, a small fire that causes damage or sets off sprinkler systems, a water main break that leaks water into your office and labs, extended power events, or complete building disasters can all cause real problems. Even failures of your IT equipment can cause these issues, even if you have proper support contracts on it; I have seen instances when the hardware vendor could not deliver a replacement part on time, causing hours or even days of downtime. When power is lost or internet connections fail, the IT systems that your experiments and business communications rely on can become completely ineffective. Every biotech startup business needs to have a plan in place for when the unexpected happens. Being prepared for any possible contingency is the most reliable way to ensure that you are meeting all of the goals that you have established in your business plan. Developing a backup and disaster recovery (BDR) plan with a defined Recovery Time Objective (RTO) together with your expert IT service provider can help you keep your company running at near or full capacity, no matter what is going on around you.



Monday, 03 June 2013 15:19

What We're Watching: 5/31/13

Miami, Fla., May 31, 2013 -- FEMA Administrator Craig Fugate speaks at NOAA's annual Atlantic Hurricane press event discussing the upcoming hurricane season.

Kicking off the Atlantic hurricane season
We are coming to the end of National Hurricane Preparedness Week, which means the official start of the Atlantic hurricane season (June 1) is almost here. All week long we’ve been sharing hurricane safety tips on our website, Facebook and Twitter accounts.  There are lots of ways you can get prepared for hurricane season at Ready.gov/hurricanes – especially important if you live in a coastal area – but I will share two things you can do in the next five minutes to make sure your phone is ready for the start of hurricane season:



Monday, 03 June 2013 15:17

Rethinking business continuity

Business continuity and disaster recovery need to become “Facebook easy”.

So says Steve Kokol, VP of international sales at SunGard Availability Services. “You never had to go to a class or a three-day course to learn how to use Facebook,” says Kokol, adding that businesses need to incorporate this usability into their continuity and disaster recovery strategies.

In an interview with ITWeb, Kokol noted that making the recovery planning process simple is becoming more and more important as business continuity and disaster recovery are extended, encompassing more individuals in an organisation. “What this is highlighting is that business is acknowledging that, at the end of the day, it is the people who sit at the coalface who need to be in charge of business continuity and disaster recovery. In short, the people who are responsible for building these plans need to be in the field themselves.”



Saturday, June 1, marks the beginning of the 2013 Atlantic hurricane season. Forecasters from Colorado State University predict 18 named storms for the 2013 season, with nine of those forecasted to become hurricanes and four expected to be major hurricanes. The National Oceanic and Atmospheric Administration’s Climate Prediction Center warns there could be even more storms to hit the Sunshine State — up to 20, in fact, compared to the average of 12. If these and other predictions are right, Florida will see its share of storms this season.



By Jacque Rupert

One of the most common questions asked by business continuity managers is “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?”

In my consulting activities I have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements.

This article seeks to address these issues, providing five tips to bridge the business – IT gap.



A combination of replication and erasure coding is the future for data protection in cloud storage and big data systems says Paul Carpentier.

In the course of IT history, many schemes have been devised and deployed to protect data against storage system failure, especially disk drive hardware. These protection mechanisms have nearly always been variants on two themes: duplication of files or objects (backup, archiving, synchronization, remote replication come to mind); or parity-based schemes at disk level (RAID) or at object level (erasure coding, often also referred to as Reed-Solomon coding). Regardless of implementation details, the latter always consists of the computation and storage of parity information over a number of data entities (whether disks, blocks or objects). Many different parity schemes exist, offering a wide range of protection trade-offs between capacity overhead and protection level - hence their interest.



The potential for collaboration took a huge step forwards with the rise of BYOD; but the reality of secure collaboration took a huge step backwards. A new State of the Enterprise Information Landscape report shows a ticking time bomb in the enterprise.

Staff get paid to do their job, and they do that as efficiently as they can. Security is something often seen as a hindrance to efficiency; so it is frequently ignored. A new survey by Huddle shows the extent to which security is often bypassed for simplicity in the name of personal efficiency.



Computerworld - If the question about tornadoes comes up at his Oklahoma City data center, as it sometimes does, Todd Currie, vice president of operations and general manager at Perimeter Technology, has answers. He even has a cutout sample of his roof to show how it is built.

Perimeter's data center was constructed to withstand an EF3 tornado, or winds up to 165 miles per hour on the Enhanced Fujita scale.

To protect against an EF3, Perimeter surrounded the raised-floor portion of the data center with 8.5-in. reinforced concrete walls. The data center is in the middle of the building, and around it are offices protected by another 8.5-in. exterior wall.



Friday, 31 May 2013 14:55

Before the Flood

Batteries, flashlights, bottled water. Now more jumbo-mortgage borrowers will be required to add another item to their storm-preparedness checklist: flood insurance.

The Federal Emergency Management Administration is currently re-evaluating flood maps, requiring more jumbo-mortgage holders with homes in high-hazard areas to buy flood insurance. Also, changes to federal law enacted in July are expected to jack up premiums.



The devastation caused by the multiple global crises over the last three decades has exposed the fragility of modern-day risk management practices. The Wall Street crash of 1987, the Asian financial crisis of 1997 and the banking sector collapse of 2007 left several global companies in a state of disarray.

Similarly, the safety-system failures at Japan's Fukushima Daiichi nuclear plant, the structural compromise of the New Orleans levees and the Mumbai terror attacks led to unprecedented economic losses for many organizations. In retrospect, while each of the above events - referred to as Black Swans by some observers - was possible, none was adequately anticipated. These events highlight the shortcomings of our knowledge, perspectives and risk models.



Friday, 31 May 2013 14:52

Getting outside expertise

No practitioner is an island

Enterprise risk management should be what the name clearly states:

  • Enterprise: Covers the enterprise
  • Risk: Considers all risks/threats to the enterprise
  • Management: Deals with risk avoidance/mitigation and dealing with risks if they occur, both during the crisis stage and the following recovery stages.

Most organizations have some insurance coverage, if only Property and Casualty (P&C). Many have Directors and Officers insurance and some have Business Interruption insurance.

These coverages are only the tip of the proverbial iceberg.

The problem is, insurance also is a risk.



Operator: Welcome.  I'd like to thank you all for holding.  And inform you that your lines are in listen-only for the conference until the question-and-answer session.  After that you will press star-1 on your touch tone phone.  I would like to turn to Tom Skinner. 

Tom Skinner: Thank you, Ed.  Thank you all for joining us today for this update on influenza A H3N2 variant virus.  We're having this telebriefing today, because as many of you know, we've had a rise in the number of cases that are -- that have been reported to CDC.  These are -- this increase is the result, and a change somewhat in what constitutes a positive case of H3N2 for surveillance purposes.  And Dr. Joseph Bresee from the CDC is here to help put this into perspective and context for you.  He'll also go over some things we talked about last week in regards to preventive steps people can take to protect themselves, especially those who will be and are attending agricultural fairs.  I've got Dr. Bresee to speak for three to five minutes.  And then we'll open it up for your questions and answers.  So Dr. Bresee. 



A 2010 American Red Cross survey found that an alarming 75 percent of 1,058 respondents expected help to arrive within an hour if they posted a request on a social media site. Hold that thought.

The public, and by that I mean the average Joe and Sally, doesn’t know that much about emergency and disaster response, and even less about disaster recovery and what is involved with getting federal assistance. What little they do know often comes from disaster movies.

There was a made-for-TV movie, 10.5, which had the FEMA director being lowered into a hole to personally set off an atomic bomb to stop a devastating series of earthquakes from continuing. I could think of a couple of past FEMA directors who I’d volunteer for the task — and no, not Craig Fugate, the current one.



No one at the Credit Union of New Jersey remembers when local device networking cables were first connected to a telephone junction block in the data center. Nor did anyone know how the tangled mess grew to span two such boxes and eight feet of wall space before finally reaching CUNJ’s core networking switches at its Trenton offices.

Fortunately, thanks to a recent remediation project, the crisscrossing thicket is no more.

Let’s face it: Many data centers could use some form of spring cleanup. Whether it’s cable management, consolidation, virtualization or just making better use of an existing footprint, initiatives that transform cluttered server rooms into efficient spaces can pay big dividends.



We've all seen enough news stories to know what can happen when a business doesn't get compliance right or falls foul of data protection legislation.

No organisation wants the negative exposure that results – exposure that reduces public trust, puts brand and reputation at risk, incurs financial penalties and invites customer churn. However, it's not just the fear of negative exposure and financial loss that is putting organisations under pressure – it is the changing nature of the laws and regulations surrounding data protection.

Critical changes are in the works to certification requirements for the Payment Card Industry Data Security Standard (PCI DSS), to legal compliance with the European Data Protection Regulation and to enforcement of data protection requirements from the UK Information Commissioner's Office (ICO).



A large US supermarket chain has implemented an innovative endpoint security technology to secure point-of-sale systems running legacy applications, saving additional development or patching costs.

Bromium’s vSentry endpoint security software applies virtualisation expertise to isolate and secure every untrusted network task within its own tiny virtual machine or microVM.

According to Bromium, it is impossible to detect all the possible attacks or monitor all the possible forms of suspicious behaviour.

However, the firm maintains it is possible to protect endpoints using highly granular virtualisation in combination with hardware-enforced isolation.



“Why should we have a critical communications business continuity and disaster recovery plan?” It’s one of the most common questions asked in our business. The answer is simple for companies in certain industries. Often a variety of laws and regulations require or imply the need for a recovery plan to protect critical communications. Healthcare, financial, utility and government are just a few.

The answer for others is less defined. Common objections include cost, having a second facility with backup capabilities or outsourcing of print-to-mail operations. But the consequences of not having a proven recovery plan in place can be severe. They can range from loss of revenue and critical cash flow to service level penalties and fines or corporate image issues. Consider these five reasons your company should have a business continuity and disaster recovery plan in place:



Social sign-in has become a powerful force for marketers and consumers, validating the notion of federated identity in consumer-facing contexts. (Ironic that consumerization of IT is successfully tackling even the single sign-on problem that has bedeviled IT, showing how identity for the top line of the business can overcome resistance in ways that business-to-employee scenarios typically can't.)

But not all consumer-facing federated SSO is social. When I was with PayPal, our team worked on the underpinnings of what eventually turned into Log In with PayPal, which is strictly about federated identity flows for commercial purposes. And today Amazon has come out with Login with Amazon, a powerful statement of Amazon-as-identity-provider. They've been testing this with their own web properties Zappos and Woot; now they're enabling third-party merchants and other sites to use Amazon for authentication of people who already have active Amazon accounts, along with learning a few selected user attributes: name, email, and optionally the zip code of the default shipping address. No huge social graphs here, just data that partner eCommerce sites need to function (and make money).



CIO — Companies with strong relationships between the CIO and other C-suite executives are four times as likely as less-collaborative teams to achieve business results such as revenue growth and high profit margins, according to PricewaterhouseCoopers' fifth annual Digital IQ study.

PwC polled 1,108 business and technology leaders globally and split their responses into two groups: the 13 percent of respondents who rated themselves as "strong collaborators" in the C-suite, and the rest who didn't.

The study found a big correlation between strong C-suite collaboration and top business performers, which PwC defined as companies reporting revenue growth of 5 percent or more in the previous year and high levels of profitability, revenue and innovation.



Computerworld - Despite the growing threat of state-sponsored cyberattacks launched from China and other countries, U.S. companies should not be allowed to fight back on their own, security experts say.

Such corporate counterstrikes would undermine U.S.-led efforts to develop international cyberspace standards and norms while exposing U.S. companies to retaliatory strikes.

"This is a remarkably bad idea," said James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies in Washington. "It would harm the national interest."



The United Nations cautioned global businesses that economic losses due to natural disasters are at a high level, and the threat of profit loss will rise until risk assessment procedures become a core component of company strategies. 

"We have carried out a thorough review of disaster losses at a national level, and it is clear that direct losses from floods, earthquakes and drought have been underestimated by at least 50 percent," said Ban Ki-moon, secretary general of the UN. "So far this century, direct losses from disasters are in the range of $2.5 trillion." He added that risk management should receive more focus in business schools.



Thursday, 30 May 2013 18:05

Hurricane Sandy: What Have We Learned?

Categories: General, Natural Disasters, Preparedness

Image of structures destroyed following Hurricane Sandy

By Maggie Silver

Superstorm Sandy

Long Beach is your typical northeastern city nestled on Long Island. A mix of apartments, homes and buildings set on the water with an idyllic boardwalk that draws in plenty of tourists during the summer months. And like many other cities in the tri-state area, it was hit hard by Superstorm Sandy.

As we gear up for the 2013 hurricane season, which starts June 1, we thought it would be practical to speak with some of the people who survived the biggest storm of last year and one of the most devastating to ever hit the area. That’s how we landed in Long Beach, talking to Alex Feygis about his experience and the lessons he learned about preparedness.

Alex and his wife were living in a fourth floor apartment overlooking the water last October when Sandy hit. When the weather reports started predicting the storm that would eventually shatter the east coast, Alex, along with many others, thought it would be nothing more than what Irene had brought the previous summer: a few flooded streets and maybe some scattered, but short-lived, power outages.

So when the police drove down their street Sunday evening ordering a mandatory evacuation, Alex understandably found the situation, “a bit unnerving.”

Car damaged during Hurricane Sandy

Time to Evacuate

Alex and his wife moved their cars to what they thought was higher ground, packed a few days’ worth of clothes and headed to his in-laws, who lived nearby in Oceanside. Unfortunately the in-laws’ one-story ranch was quickly overwhelmed with flood waters once Sandy hit. Relocating for the second time wasn’t that easy, though; power was out across the city and cell service was spotty at best, not to mention that battery life was draining quickly.

“I hadn’t considered communication being a problem; I guess I’m just so used to always having a cell phone.” Alex and Farrah had to stay put for the next 24 hours until they could communicate with his parents, who lived farther inland, and the whole clan packed up and moved in…for three weeks! That’s how long it took for things to start to resemble normalcy.

A Slow Recovery

Although Alex’s apartment on the 4th floor hadn’t flooded, the lobby was under 5 feet of water and the plumbing and electrical systems were totally shot. That was the case for the entire city of Long Beach, which had no clean water for two weeks thanks to the sewage plant flooding. Even after potable water was restored, the apartment building had to replace boilers and electrical systems.

Needless to say, Alex and Farrah’s two-day supply of clothes and necessities ran out quickly and they had to make a trip back to their apartment amid all the wreckage to re-up on supplies. When they returned, they realized their cars had been totaled by the flood waters, which posed a whole new set of problems for them. Buying a car wasn’t an option, so they had to try and rent one to get to and from work (oh yeah, just because Sandy wreaks havoc on your life doesn’t mean you get a free pass from work). So Alex, along with hundreds of other newly car-less residents, tried to rent a car. A shortage of vehicles wasn’t the only problem the couple faced, though; the gas shortage also compounded things.

“It made returning to normal that much harder,” Alex recalls. “Even the smallest trips made you think, is it worth wasting the gas on?”

On the plus side, Alex and Farrah had a strong family network they could lean on. Alex’s parents lived far enough inland that power was restored quickly in their temporary home, and there was access to grocery stores and other supplies. Although his in-laws sustained significant damage to their house and had to rebuild, they were properly insured and the money to rebuild has been slowly trickling in.

Damage outside of an apartment building following Hurricane Sandy

Did we learn anything?

After talking to Alex, though, I began wondering: did we learn anything from this event? Was it so catastrophic that people will go back to their complacency and assume nothing that big will ever happen again? It seems to be a common theme I hear when talking to people who lived through this. But even if another Superstorm doesn’t hit, aren’t there things learned from Sandy we can apply to even the more “mundane” storms?

Take, for instance, the gas shortage. Sure, the chances of a massive run on gasoline that lasts for days aren’t that likely to recur, but what if you had to evacuate and you had trouble finding gas for just that one day? Wouldn’t you give yourself a pat on the back for having the foresight to have tucked away an extra gallon in the garage, or stopped by the gas station on your way home from work when you heard the weather report?

Same goes for having an evacuation plan. Where would you go if you were told to leave your house, and what would you bring with you? This doesn’t cost any money; all you have to do is sit down and think about what your plan would be and what you would take with you (think: important documents like birth certificates, passports, and deeds).

This is not to say that Alex didn’t learn anything from his experience. His first thought was reconsidering his evacuation plan. They’d make his parents’ house, or a hotel even further inland, their first choice for evacuation instead of the in-laws. They’d also have a few more supplies on hand and keep their phones well charged if a storm was approaching.

New Year Resolutions

As this year’s hurricane season approaches I hope you’ll take a moment to consider what you would do, not just in the extreme situations of Superstorm Sandy, but even in the more common thunderstorm or one of the possible 20 named storms that are predicted for this year. They may not be as extreme as Sandy but they can still bring with them destruction, flooding, evacuations, and any number of interruptions to everyday life.

Thursday, 30 May 2013 18:04

Social Media: Who Are You Dealing With?

Know thy audience, young crisis managers

Social media crisis management can be confusing to navigate, especially if you’re not sure which stakeholder groups you’re dealing with. Although each comment obviously comes from an individual, there are discernible groups that you see emerge again and again to join in online debates and dramatics.

In a post discussing online issues management tactics, social media pro Chris Syme defined four of the most common:



The Business Continuity Institute

Professionals in Shanghai Gain “BCM Awareness” at the BCI China Conference 2013

About 100 professionals in Shanghai and other parts of Asia are now more knowledgeable in Business Continuity Management (BCM) for having participated in the successfully held BCI China Conference 2013 from 16-17 May.

The two-day event, which was most appropriately themed “International Standard and BCM Practice in China,” provided the venue for various industry representatives to gain valuable information on relevant topics such as Risk Management, the new international BCM standard ISO22301 and Social Media Crisis from some of the most accomplished BCM experts today.

Highlights of the event include presentations made by Steve Mellish, Chairman of the Business Continuity Institute (BCI), on the latest industry trend “Horizon Scanning.” Also, BCI Vice Chairman David James-Brown presented on the very interesting “Managing Crisis of a Case Study from Australia, Brisbane Flooding Crisis.” BCI Asia Regional Director Henry Ee provided information on the BCI certification and membership system which served as an “interactive survey” with event participants.

Another important part of the event was when the Director of the China National Institute of Standardization announced that China’s “National BCM Standard” will be ready by fourth quarter of this year.

A very educational “Interactive BCM Simulation” was also conducted during the event which allowed participants to gain awareness on various BCM principles and concepts. The said activity was well-received by participants as it was based on realistic scenarios relevant to a pandemic crisis.

The BCI China Conference 2013 was co-organized by BCI and Business Continuity Planning Asia Pte Ltd (BCP Asia).

Based in Caversham, United Kingdom, the Business Continuity Institute (BCI) was established in 1994 to promote the art and science of business continuity worldwide and to assist organizations in preparing for and surviving minor and large-scale man-made and natural disasters. The Institute enables members to obtain guidance and support from their fellow practitioners and offers professional training and certification programmes to disseminate and validate the highest standards of competence and ethics. It has circa 8,000 members in more than 100 countries, who are active in an estimated 3,000 organizations in private, public and third sectors.

For more information go to: www.thebci.org

Wednesday, 29 May 2013 14:41

PCI Compliance: What You Need to Know

If your business accepts credit cards of any type, then you are automatically responsible for complying with the Payment Card Industry Data Security Standard (PCI DSS). This standard was developed by the five major credit card brands in order to create and maintain a consistent information security standard for all credit card processors. The ultimate goal is to prevent the credit card fraud that occurs when cardholder data is left unsecured.

If your business isn’t PCI compliant, not only are you at risk of incurring fines and penalties from your merchant account provider – you’re also more likely to become a victim of credit card fraud.



CIO — CAMBRIDGE, Mass.—The role of the CIO is constantly in flux, but the rapid emergence of big data, analytics and cloud technology--and the accompanying proliferation of data itself--has further strained IT innovation and added complexity. All this comes at a time when companies expect IT to do more with less and the balance of IT services spending is poised to tilt away from the CIO.

With that at stake, the leading CIOs and CEOs who spoke at last week's MIT Sloan CIO Symposium gave the senior IT and business executives in the audience food for thought about how to use data analytics and cloud technologies to improve businesses processes without putting additional strain on IT resources.



Considering the critical role of depositories in the functioning of contemporary capital markets, and more so as custodians of public investments, attention to the security and reliability of their operations has been an essential area for all such organisations worldwide. Safeguarding data and IT resiliency at CDC has been an integral part of its IT operations since inception.

However, after extending its role deeper into the industry and diversifying its services portfolio, the specific need for business continuity planning became more pressing for CDC. Recognising the importance of ensuring its ability to continue its critical business processes even in the worst of situations, CDC, being a key infrastructure company, decided to base its course on international standards. CDC, in consultation with IBM, embarked on its Business Continuity Management System (BCMS) journey in 2006. CDC had developed and implemented an action plan to deal with changing circumstances that might interrupt its services to clients as early as 1998. However, the plan continued to mature and the understanding kept sinking in across the organisation over time. Over the last year, the organisation decided to give a final touch to its Business Continuity program following international best practices.



With hurricane season just around the corner, now is the optimal time to put all your ducks in a row when it comes to securing your client’s data, mitigating downtime and keeping their business afloat in the wake or aftermath of a disaster. According to the United States government, one in four businesses do not survive a disaster, which makes your commitment to protecting your client even more important. But times are changing and so too is disaster recovery, thanks in part to the cloud.

Historically, traditional disaster recovery methods have been costly, time-consuming and prone to blunders. In the past, businesses would back up their data on tapes, which have a 40 percent chance of failing when read from different drives and can take weeks to recover. Now, with advances in cloud technology, the face of disaster recovery is changing – which can only mean great things for businesses and managed service providers (MSPs) alike.



Wednesday, 29 May 2013 14:25

When Disaster Strikes

It happened during Super Storm Sandy. It happened during the recent tornadoes in Oklahoma. It happens to someone every day. Disasters happen with alarming regularity, but they don't have to be catastrophic natural disasters to be disasters for your business. A fire, a broken water main, a burglary, or even just a minor power surge can take your branch office off-line in a matter of seconds. We all have disaster recovery plans in place to deal with such unexpected events, but really, if it happens, how much down-time are you willing to live with?

If you've still got local servers and storage in your branch office, you could be looking at significant down-time in the event of a disaster. There's the initial response time, and then there's the rebuilding. The rebuilding of servers, of operating systems, of applications, and the recovery from backup of local branch office data. Even with the best disaster recovery plans in place the downtime can be a few days before all the branch office servers and services are back up and running. 



Last week, an oversized truck traveling on a bridge over the Skagit River north of Seattle in Washington state reportedly hit an overhead girder, causing the bridge to collapse into the rushing waters below. Fortunately, neither the truck driver nor anyone else died in the accident.

But now the locals need to come up with a solution, both temporary and long term, to fix the throughway so that the area can resume commerce and travel as normal. They have a plan for a short-term fix, according to Washington Governor Jay Inslee in a press conference. “We’re going to get this project done as fast as humanly possible,” said Inslee. “There’s no more important issue right now, to the economy, to the state of Washington frankly, than getting this bridge up and running.”

This may not have just been some freak accident, however.



Craig Fugate took over as FEMA’s administrator in May 2009, and has instituted many approaches to emergency management that have taken hold and helped push the U.S. to become better able to respond to and mitigate hazards. We talked with Fugate about those efforts and where improvements need to be made to develop more resilient communities.

Question: What are some of the biggest leaps that FEMA has made since you have been the administrator?

Answer: If anything, when I arrived at FEMA, we were still very much reactive to issues and not being proactive. My approach is that it doesn’t get better with time. I would rather get the bad news out first and let people know where they are and move forward. It was almost as if our culture was that we didn’t want to give people bad news so we oftentimes would delay answers. I would say, “Look, we owe people honest answers, and if the answer is yes, tell them yes. If the answer is no, tell them no, [and] if the answer is maybe, let’s get to the right answer quickly — speed not haste.”



Oceanic and atmospheric conditions in the Atlantic basin are expected to produce more and stronger hurricanes during the 2013 Atlantic hurricane season which starts this Saturday June 1 and lasts until November 30, according to the National Oceanic and Atmospheric Administration (NOAA).

In its 2013 Atlantic hurricane season outlook, NOAA’s Climate Prediction Center is forecasting an active or extremely active season this year.

This means there is a 70 percent chance of 13 to 20 named storms (winds of 39 mph or higher), of which 7 to 11 could become hurricanes (winds of 74 mph or higher), including three to six major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher).



Tuesday, 28 May 2013 19:05

NOAA issues hurricane season forecasts

NOAA has issued its forecasts for the 2013 hurricane season. It is predicting an active or extremely active Atlantic season, with a below-normal season being predicted in other areas. Forecast summaries are below:

Atlantic hurricane season

For the six-month hurricane season, which begins June 1, NOAA’s Atlantic Hurricane Season Outlook says there is a 70 percent likelihood of 13 to 20 named storms (winds of 39 mph or higher), of which 7 to 11 could become hurricanes (winds of 74 mph or higher), including 3 to 6 major hurricanes (Category 3, 4 or 5; winds of 111 mph or higher).

These ranges are well above the seasonal average of 12 named storms, 6 hurricanes and 3 major hurricanes.



Just over one in every ten dollars spent on dealing with disasters is spent on preparing for and preventing them according to new research from the Overseas Development Institute (ODI) and the Global Facility for Disaster Reduction and Recovery.

Over the past 10 years, disasters and disaster risk have attracted much attention, with the international community experiencing some of the largest impacts ever seen (Haiti Earthquake 2010, Asian-Indian Tsunami of 2004, Cyclone Nargis in 2008). However, global commitment to supporting developing countries in managing their disaster risk has barely increased.

Despite increased rhetoric about disaster risk over recent years, financing for disaster prevention and preparedness remains low.



This week, we’re kicking off National Hurricane Preparedness Week! Once again, we’ve teamed up with our partners at the National Oceanic and Atmospheric Administration (NOAA) to encourage all Americans to prepare for the upcoming hurricane season, which officially starts this Saturday, June 1 and lasts until November 30. Above all, hurricanes are powerful forces of nature that cause damage not only to coastlines, but also hundreds of miles inland because of flooding.



CIO — The phrase "all roads lead to Rome" describes the importance of a city at the heart of an empire. When it comes to modern litigation, all roads lead to the CIO's desk, because information is the lifeblood of litigation.

Just as CIOs should have contingency plans for a network crash, they need a litigation-readiness plan for responding to legal requests for electronically stored information, a process called ediscovery.

Timeliness is critical. Responding inefficiently after notice of a triggering event often results in the loss of data, which can lead to legal sanctions against the company and avoidable costs.



With 24x7 connectivity and business demanding constant availability of data wherever and whenever needed, today the banking sector faces new challenges, even as customers have come to expect that their information and money are accessible at the click of a button. Going forward, these demands for instant access are only going to intensify. Meeting these ever-growing requirements can become impossible in the event of a disaster, unless a well-considered disaster recovery (DR) plan, based on flexible and highly-responsive infrastructure, is put in place.

The primary objective of a disaster recovery plan for a bank is to recover from disruptions and to return to a normal operating state as quickly as possible. A sound DR plan will minimize the length of a disruption and its impact on business operations. In most organizations, not all data is created equal, so prioritizing the restoration of data and service availability is a key component of a successful DR plan.



Tuesday, 28 May 2013 18:56

Avoiding the Next Disaster

As we pick up the pieces after the Moore, Oklahoma, tornado -- and honor the deceased -- we're getting figures now that this tornado, while not the most powerful recorded, may possibly be the most expensive in U.S. history. We at Architecture for Humanity, like many, pause and wonder at how much damage could have been prevented -- a consideration that is becoming more relevant to more cities as our climate continues to change.

There's nothing we can do to stop tornadoes, hurricanes and earthquakes from happening. They are natural events. What makes them natural "disasters" is the effect they have on our homes, lives and communities. That's something we can affect -- and work is already underway.



"The rapidly changing healthcare landscape demands a disciplined approach to risk assessment," said Matt Weekley, leader of the national healthcare industry practice at Plante Moran, during a May 23 webinar hosted by the accounting and consulting firm.

During the webinar, panelists Mr. Weekley and Plante Moran Partner Anthony V. Colarossi, along with moderator and Plante Moran Partner Betsy Rust, explained that hospitals need quantitative risk assessment to prepare for coming changes in the industry, such as the move to value-based purchasing and the impending insurance exchanges.

The panelists agreed that having a risk assessment plan in place aids in the development of a strategic plan, is effective in creating mitigation or contingency plans, encourages outside-of-the-box thinking and, most importantly, turns risk management into a proactive rather than reactive activity.



When companies perform qualitative risk assessments, they often fail to consider the potential disruption from a sophisticated cyberattack. The frequency and complexity of cyberattacks is increasing, and hackers are more able to breach a company's security detection system, according to a recent study from Frost & Sullivan. Next-generation intrusion prevention systems (NGIPS) are becoming more widely adopted to mitigate the risk of a cyberattack.

Organizations have experienced a rise in long-term, targeted advanced persistent threats, which indicates hackers are better organized and more skilled. Many enterprises continue to install intrusion prevention systems to detect traditional malware, but some are upgrading protection measures as the threats to data security increase. However, the high cost of software upgrades can deter some businesses from investing in new systems.



CISOs today need to manage risks instead of locking things down, said Bharti Airtel's Senior Vice President and Chief Information Security Officer, Felix Mohan, while delivering a keynote at the recently held India Computer Security Officer event at Kovalum, Kerala.

During the keynote, Felix highlighted that CISOs need to evolve from the traditional role they have been entrusted with to date, because today the Nexus of Forces is pushing CISOs to step up as business enablers who are accountable for the company’s profitability. Elaborating on this, he said, “For the enterprises to obtain competitive advantage from these disruptive forces, businesses today need their CISOs to upgrade their mental attitude from locking down things to managing risks. Business wants the CISOs to say yes to the Nexus of Forces and facilitate the adoption of these by solving the security puzzle, so that the business can benefit from it.”



TULSA, Oklahoma – The video of two Moore elementary schools ravaged by Monday's tornadoes brings a powerful reaction from parents: What if that were my child's school? How would rescuers know where to find my child? Would they have the resources to get to them quickly when every second counts?

It turns out lawmakers acted on those fears after the 2003 tornado that hit Moore and Southeast Oklahoma City, with the Oklahoma Emergency Management Act of 2003.

Part of that law requires all schools to write up a disaster and emergency preparedness plan and keep it on file with their local emergency management office, and update it each year.



It’s great to have many continuity plans and strategies to prepare for and respond to disasters. However, if they aren’t validated they don’t carry any weight, and there’s no way of knowing whether they would be any good – useful – when a real situation occurs.

BCM practitioners may make the case for exercising plans, but sometimes management may not want to make the resources – physical and financial – available to validate them. There are a few questions that can be posed to executive management to help secure the right kind of commitment and support to validate continuity strategies and plans.



Friday, 24 May 2013 13:35

Stress Testing and Data Collection

In the wake of the most recent financial crisis, considerable emphasis has been placed on financial institutions performing reasonable stress testing procedures as part of their risk management and capital planning processes. While the focus primarily has been on the largest financial institutions with measures like the introduction of the Supervisory Capital Assessment Program, or SCAP, in early 2009, additional and more recent guidance seems to indicate that this will be something that all financial institutions, regardless of size, will be asked to do.

Sourcing and updating adequate data is one of the most crucial aspects of developing and maintaining a reliable stress testing process. The ability to incorporate updated and relevant data for the stress tests will provide financial institutions, regardless of size, with significant benefits as they strive to identify and mitigate potential risks in their loan portfolio over time.



Friday, 24 May 2013 13:33

Give job to best person

I’m a fan of the comics.

Dilbert for May 23, 2013 triggered the thought that a risk management practitioner needs to try to match personnel to processes as an organization (a) tries to maintain a minimum level of service and (b) restore the operation to “business as usual.”

Politics and egos can make this a difficult task, but when it can be accomplished, the results are worthwhile.

There are those people, including practitioners, who are excellent workers under normal conditions. These same people may fall apart under event and post-event demands. On the other side of the coin, there are those who “get by” when everything is proceeding normally but shine when the pressure is greatest.



Even for an epidemiologist who works in public health preparedness and response, being asked to explain to the public what we do at CDC can be difficult.  

That said, sometimes opportunities to talk about public health drop into your lap. A few months ago I was catching up with my friend Austin, an engineer for a large corporation. It turned out that while on long-term assignments he and his team had recently taken to playing the board game “Pandemic.” One might think that an infectious disease would make for a strange game premise, but to my surprise it’s been gaining a loyal fan base. Of note, the game has recently been profiled by Wil Wheaton on his “Geeks and Sundry” tabletop videocast, seen by more than 350,000 viewers, and positively reviewed on many board game sites.



Even if some of your business solutions are ‘cloud based’ such as Salesforce.com or Hubspot, you still likely have other servers in your office(s) that are used for other business critical functions like email, accounting, manufacturing, collaboration, file storage and the like.

Because of this, virtually all (sane) businesses have some type of backup solution, whether it be tapes, hard drives, or even a cloud service like Carbonite or Mozy. However, what many people don’t realize is that backup solutions are designed to allow you to retrieve your data in the event of a data loss, not to actually minimize your downtime in any way.

There are two types of backup models: file-based and image-based.



Housing associations are braced for reform. Legislation, from housing benefit direct to tenants to the bedroom tax, is being driven through but scant consideration has been given to data security. Changing how and where data is held, accessed and transmitted can have profound implications and could see some housing associations breach regulations.

Securing personal data on the wide range of tenants which housing associations provide for is vitally important to protect their identities and to protect them from harm. Current data management is often out of date and incoming legislation threatens to disrupt processes further.

Housing associations can avoid falling foul of legislation and take the necessary steps to ensure future compliance by following a five-point action plan:



“Tone at the top” is an often-used term to describe how an organization’s leadership creates an environment that fosters ethical and responsible business behavior. While tone at the top is important and a vital foundation, is it enough?

The reality is that when leaders communicate the organization’s vision, mission, core values and commitment to appropriate ethical behavior, what really drives the culture and resonates with the organization’s employees is what they see and hear every day from the managers to whom they report. If the behavior of middle managers contradicts the messaging and values conveyed from the top, it won’t take long for lower-level employees to notice. Because the top-down emphasis on ethical and responsible business behavior in an organization is only as strong as its weakest link, it is vital that the organization’s tone at the top be translated into an effective tone in the middle before it can reach the rest of the organization.






Wealth management firms process, consume, and produce massive amounts of digital data on a daily basis. Many types of wealth management firms are looking at Big Data solutions, including banks, full service and self-directed brokers, and RIAs. Celent believes banks and full service brokers are more likely to use Big Data solutions in the near term as they work to establish better consolidated or 360° views of their customers.

Celent defines Big Data on three dimensions (volume, velocity, and variety), and the process includes capturing and gathering data, analytics, and visualization. This has caught the attention of financial service firms because Big Data can help firms capture and combine diverse sets of internal and external data to improve their analytics. New Big Data analytics help firms process analyst queries and experiments faster, which improves analyst productivity and provides a competitive advantage. Improved visualization tools help in the exploration and presentation of data and analytics.



Thursday, 23 May 2013 14:46

Measuring Community Resilience

"Community resilience" is one of those things that we all agree is important but can't agree on just what it means, a situation not uncommon in emergency management. In very broad terms it is the ability of a community to survive and recover from a significant event. But how do we measure resilience?

Jorn Birkmann's book Measuring Vulnerability to Natural Hazards: Towards Disaster Resilient Societies offers a number of perspectives on the difficulty of such measurements and the complexity involved. It also demonstrates that much of the data needed by current assessment models is either hard to obtain or non-existent, requiring the use of proxy data. This makes many of these research tools of limited utility to the emergency manager.



The storm that destroyed large swaths of Oklahoma was unfathomably destructive. Its vast size was frightening, its energy enormous, its tragedy permanently unforgettable. Even with all the tornadoes to ravage the U.S. landscape in recent years, this one is uniquely disturbing. The images of flattened neighborhoods full of shattered-toothpick homes and mangled cars look make-believe.

With at least 24 dead and more than 200 injured, the human toll has been massive.

In this video, Moore, Oklahoma, Mayor Glenn Lewis discusses the devastation.



The pricing of a backup and disaster recovery (BDR) offering can make or break the solution's profitability for managed services providers (MSP). To avoid beginner mistakes with BDR pricing, we did a little research and discovered five pricing tips that can help MSPs keep their head above water. Take a look at what we uncovered in this MSPmentor exclusive.

BlackPoint IT Services Managed Services Vice President Chris Butler told MSPmentor that his pricing practices have worked well for his company. His pricing strategy has been "developed over the past three years by listening to client feedback and what would be their ideal backup as a service solution."



The growing threat of cyber attacks has moved disaster recovery planning up the agenda for many law firms determined to protect their clients’ data. But why pay every year for something you are never likely to use?

Secure data
Every business should have an IT disaster recovery plan, with step-by-step procedures for recovering disrupted systems. The plan identifies critical IT systems and networks, assesses the required recovery time, and establishes the steps for restarting, reconfiguring and recovering them.
Certain businesses are required by law or regulation to have such plans in place, with some required to keep all data secure and retrievable regardless of what happens to the business.
Instead of outsourcing the entire responsibility for disaster recovery to external service providers, it’s possible for smaller firms to plan for the worst, protect their business and only pay if disaster strikes.



Making sure that people have access to the Internet in the wake of disasters has become crucially important since it gives disaster victims the ability to communicate and learn important information that could help save lives. But what happens if an ISP’s basic infrastructure in a given area gets completely wiped out by a hurricane without any hope of being rebuilt for months? In AT&T’s case, that’s when it’s time to start rolling out its fleet of network equipment trailers that are capable of replicating the functions of a 10-story office building in the space of a small parking lot.

BGR travelled to Hartford, Connecticut last week to get a first-hand look at how AT&T prepares its Network Disaster Recovery trailer fleet for situations where the carrier’s entire central infrastructure has been completely demolished. What makes the entire exercise so impressive is the fact that AT&T goes into an area assuming it will have no ability to connect to the Internet. At first the company will often roll in a satellite truck that will give its makeshift trailer park access to the Internet, albeit with limited bandwidth. From there, the carrier’s team of engineers works to replicate a fiber core capable of ideally providing service to an affected area within a day or two of arriving.



Forrester research has always identified security as a major impediment to broad-scale implementation of cloud: regardless of the model (SaaS, PaaS or IaaS), the adoption rate has been slowed by security concerns. Cloud providers recognize this is an impediment to selling cloud services and in response are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2000 security decision makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.

The appetite on the buy-side is very real for secure IT cloud infrastructures. Our research shows a lot of very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost and cycle times required to deploy solutions in these environments.

This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements.



Albert Ashwood, Oklahoma’s director of emergency management, was surveying last weekend’s tornado damage with Gov. Mary Fallin on Monday morning, when he told her they had to leave immediately. The weather, he said, was getting worse, and the two of them needed to get to the command center.

Two hours later, a tornado with winds reaching 190 mph cut a 17-mile swath through the metropolitan Oklahoma City area, leveling hundreds of homes and leaving dozens dead.



By Carol Laufer, ACE Excess Casualty, and Lori Brassell-Cicchini, ESIS Catastrophe Services

Business continuity is not just about protecting the supply chain. When a disaster strikes, how a company responds, and how the public perceives that response, can have a significant and lasting impact on its business. A poorly handled response can seriously damage a company’s reputation, lead to lost customers and sales and even spur new regulations. An effective response will help mitigate those very real threats to revenue and reputation. Planning makes all the difference.

A company that develops and tests a robust catastrophe management plan ahead of time can focus on executing the plan, helping the public and its customers through the crisis, while managing the media and government scrutiny. A disaster poses a serious challenge for any business while it is taking place, but an effective response can enhance the company’s reputation for the long term.



Thursday, 23 May 2013 14:37

When IT & Security Worlds Collide

No one involved in security today has failed to notice the rise of the term "converged security." There have been a number of articles published on this very forum about the worlds of physical security and IT coming together.

Typically, converged security marries physical, logical, and information security with risk management, business continuity, and disaster recovery on a common network enabled by IT on the IP network. As security professionals, whether we like it or not, this trend is not only here to stay but destined to grow -- and rightly so, if we are honest.

Cisco's Guido Jouret wrote in September 2012: "Analysts estimate that by 2013, more than 50 percent of all video surveillance deployments will be managed by IT on the IP network." There's no doubt this growth is being aided by society's adoption of the Internet, which has been faster than the adoption of any previous technology. A clear example easily associated with our industry is telecommunications, which has undergone a revolution since the emergence of the first VoIP solutions in 1992.



Engineering students at Oklahoma State University designed drones that may someday collect new data about tornadoes, helping public safety agencies more accurately predict and plan for disaster. A giant tornado, at least one mile wide, wiped out neighborhoods as it moved through Oklahoma on Monday, May 20. While the student designs are only in the preliminary planning stage, with no firm schedule to move forward, the university’s Department of Mechanical and Aerospace Engineering is negotiating with its partners to settle on a possible multi-year project that could change tornado science and ultimately save lives.

The project, whose partners include the University of Colorado at Boulder, the University of Kentucky, Virginia Tech and the University of Oklahoma, now has several active drone projects in addition to the tornado project. A lot of their drone research is funded by the Department of Defense, said Oklahoma State University Professor Jamey Jacob, but there are a lot of applications for the use of drones in civilian airspace, too.



When the main US federal emergency agency arrives at the scene of a disaster-hit area, one of the first places it turns to is the local Waffle House – and not just for its officials to grab a quick bite.

Craig Fugate, the head of the Federal Emergency Management Agency, came up with the idea of the "Waffle House index" as an informal way of measuring the impact of a disaster. The chain, which has a large number of branches in tornado-prone areas, has a robust emergency management plan.

The index has three levels. If the local Waffle House is up and running, serving a full menu, a disaster is classed as green. If it is running with an emergency generator and serving only a limited menu, it is a yellow. If it is closed, badly damaged or totally destroyed, as during hurricane Katrina, it is a red.






The American Red Cross is urging residents in Nebraska and Iowa to make sure households, schools and businesses are prepared for possible severe weather including rain, strong winds and possible tornadoes.

"Listen to weather alerts and designate a safe space where people can gather for the duration of the storm," said Tina Labellarte, Region CEO. "The area should be a basement, storm cellar or an interior room on the lowest floor away from windows."

The American Red Cross Tornado App is available in English or Spanish and gives iPhone, iPad and Android smart phone and tablet users instant access to local and real-time information, so they know what to do before, during and after a tornado.



It’s a little ironic that in the weeks preceding the devastating May 20, 2013 Moore, Oklahoma tornado, there were numerous reports of how 2013 tornado activity was at a record low.

Unfortunately, these headlines may give the mistaken impression that the United States is in a period of lower risk for tornadoes, and/or that the costs from such events are declining.

Yet as we have seen repeatedly during hurricane, tornado and wildfire seasons, it only takes one storm, or event, to remind us of the dangers and ongoing risks.



How much do you know about cloud-based disaster recovery?

Recovery-as-a-Service, commonly referred to as RaaS, enables organizations to recover critical IT resources with increased efficiency and complete effectiveness when an adverse situation strikes. Cloud-based RaaS is nothing like the traditional disaster recovery (DR) solutions of the past. Cloud-based RaaS users are able to install one piece of software (not an agent), which includes a control VM as well as an appliance on all participating VMware hosts. This increases self-service, testing and reliability of complete application protection.

Even with all the changes in technology that have happened lately, there are still a lot of myths circulating that may have you confused about disaster recovery. Test your knowledge of what is fact and what is fiction with this short quiz, below.



Wednesday, 22 May 2013 16:54

Finding the time for cyber security

Possibly the most disturbing feature to emerge from the Federation of Small Businesses' (FSB) new cyber security report is that making computer systems secure can be a complex and time consuming process that a lot of small firms can't manage.

Cyber Security and Fraud: the impact on small business makes it clear that too many companies are falling foul of online crime, with about three in 10 of its 2,667 survey respondents suffering from attacks over the past year, and the average annual cost coming in at just below £4,000.

But there's an acknowledgement that despite a growing awareness of the threats, small firms are not always taking preventative action if it's a complex process.



It is easy to think that your startup is too small or too new to face threats to your data security. But the simple fact is that in the current competitive climate of the biotech industry, when many companies of all sizes are rushing to develop innovations, the security of your data is more important than ever.

The best way to ensure that your data is secure from threats that come from both inside and outside of your company is to partner with an IT provider with expertise in both security and the unique needs of biotech startups. Such a partner can assist you in putting together the right mix of solutions now while thinking of where your company is going in the future, so these solutions can be built on and used as your company grows. It is much simpler and more cost-effective to start with the right mentality around information security than to try to change these systems and procedures while your company is in growth mode. When developing the IT infrastructure for your biotech startup business, be sure that you keep the following security concerns in mind.



To rebuild or not to rebuild?

As recovery slowly begins after deadly tornadoes flattened subdivisions in Moore, Okla., and tore through nearby areas, the complex question has come up again for the disaster-prone region that sits within Tornado Alley.

Moore, a 55,000-resident city south of Oklahoma City, is no stranger to destruction. A 1999 tornado that wreaked havoc upon Moore had winds topping 300 miles per hour, and it was slammed by smaller tornadoes in 1998, 2003 and 2010. But each time, like dozens of other American communities prone to natural disaster, it has rebuilt.

Disaster recovery and urban planning experts say the tendency to rebuild American cities that have experienced tornadoes, hurricanes, earthquakes and flooding -- and are likely to see such trauma again -- can be attributed to a mixture of economics, politics, nationalism and spiritual views that often sets the U.S. apart from other nations.



Many of the small businesses battered by Hurricane Sandy are still waiting for U.S. government assistance, raising concerns among some about Midwest businesses hit by devastating tornadoes.

The U.S. Small Business Administration has approved loans to one out of every four business owners who applied for assistance after Sandy hammered the East Coast in October, according to an analysis of data the agency submitted to Congress.

In addition to the low approval rate, which included employers who submitted but eventually withdrew their applications, the agency has been slower to process applications and disburse funds than in the aftermath of hurricanes Ike in 2008 and Irene in 2011. Rep. Nydia M. Velázquez (D-N.Y.) noted the comparison in a letter sent to the U.S. Government Accountability Office asking for further examination of the disaster loan program.