Industry Hot News


Those of us who spend our business lives immersed in the Business Continuity industry swim through a sea of acronyms.  Meanwhile, we are constantly seeking the support and cooperation of colleagues who are often confused by those same acronyms.

We can make understanding easier simply by using real terms instead of acronyms.  But unless we can clearly define those fundamental Business Continuity terms, we still risk confusing our potential supporters and partners.

There are two common terms that are too often used (or confused) interchangeably:  Incident Management and Crisis Management.  They are not the same.  They are related – but have differences in purpose and objectives that ought to make their definitions clear:




By Georgina Peacock

When Hurricane Katrina hit, Julie thought she was ready.  She always had an emergency kit prepared because her son Zac needs medical supplies and equipment to keep him happy and healthy. Zac has spina bifida, a major birth defect of the spine; hydrocephalus, which means he has extra fluid in and around the brain; and, a number of food and drug allergies. He has sensitivities to changes in temperature and barometric pressure. Therefore, she always made sure they had a week’s worth of supplies and medicine ready when it was time to evacuate. “There is a very delicate medical balance,” she said.  “When he has an issue, the dominos tend to fall quickly.”

As communities around the Gulf braced for Katrina, Julie’s family left New Orleans for Baton Rouge with their one week reserve of Zac’s medical supplies including catheters, feeding tubes, and special medications. But like most families facing the devastation of this hurricane, they ended up being gone for much longer.  “It was a very challenging time for so many people, but especially for families of children with special health care needs, like ours,” said Julie. “Zac is a unique guy who needs a lot of support.” 

“Now, we always keep a one month supply of Zac’s supplies in our emergency kit,” she said. “It’s critical. It’s life and death for us.” Her insurance pays for this stockpile of emergency supplies. She also keeps a document of Zac’s daily needs and medical history in print and electronic format.  This vital document includes:

  • Daily plan of care
  • How to use his medical equipment
  • Recipe for formula
  • Catheterization schedule
  • Allergy information: food and medication allergies, type of reaction, and what to do if he has a reaction
  • Surgeries
  • Diagnoses by body system
  • List of his doctors with contact information
  • Equipment providers
  • Pharmacist
  • Medications and supplies including stock numbers and basic descriptions of products for comparable substitutions
  • Insurance information
  • Case manager for his Medicaid waiver
  • Since he is over 18 – legal documentation of  “continuing tutorship” which allows parents to make medical decisions for him.
  • Biographical sketch including his likes/dislikes; hobbies/interests; and triggers-things that will disturb him.

Julie urges families with children who have special needs to know what emergencies are likely in their area. For Julie’s family, they know the areas that flood and prepare for hurricanes and tornados. Also they live in an area that is home to many chemical factories and a nuclear plant, so they prepare for plant explosions, nuclear reactor accidents, and fires.  “Preparing and planning can give you peace of mind,” she said. “Get a kit. Make a plan. Be informed. It applies to everyone, especially to those of us who care for children with special needs.”

Children with Special Healthcare Needs in Emergencies

Children with special healthcare needs may be more vulnerable during an emergency.  They may have difficulty moving from one location to another, urgent or persistent medical needs, difficulty communicating or have trouble with transitioning to different situations. A disaster can present all these difficulties at once. Knowing what to do can help maintain calm in your family and keep them safe.



Does someone in your family have unique needs? How do you prepare? How have you addressed these needs during an emergency? Share your experiences and tips below.

Georgina Peacock, MD, MPH is a medical officer and developmental-behavioral pediatrician with the Prevention Research Branch in the Centers for Disease Control and Prevention’s National Center on Birth Defects and Developmental Disabilities.  Follow her on Twitter @DrPeacockCDC


Further illustrating how important reputation can be to a business enterprise, Paula Deen’s rapidly crumbling empire took another hit this week when Ballantine Books announced that it was cancelling the publication of the celebrity chef’s latest cookbook, Paula Deen’s New Testament: 250 Favorite Recipes, All Lightened Up, which was scheduled to be released in October as the first in a five-book deal signed last year. Even more surprising, based on pre-orders alone the book was already Amazon’s number-one best seller. (Interestingly enough, it was replaced at the top spot by another Paula Deen cookbook, Paula Deen’s Southern Cooking Bible.)

The book cancellation brought the total of business deals killed by Deen’s admission that she had used racial slurs in the past to 12. According to the Consumerist, the tally includes:



Business Continuity Management (BCM), like most corporate programs, is often plagued by common mistakes; these same mistakes also apply to the Business Impact Analysis (BIA). The following are some common mistakes that need to be addressed to ensure that the BIA is effective:

1. Minimal Management Support – Senior management must buy in to the need for continued maintenance of the BCP program. The program requires on-going resources to ensure that the program is funded and there are dedicated resources assigned across the organization. The people who head up the BCP program must have the requisite training, as well as the skills to provide leadership, prioritize tasks, communicate with stakeholders, and manage the program.



CHICAGO--When Hurricane Katrina struck the states near the Gulf of Mexico in August 2005, human resources at Target Brands Inc. was right in the middle of handling the crisis for the well-known retailer.

The company managed to get the cash registers up and running in a very short time, but it was left with the question of who would run them, Terri Howard, who worked for Target then and is now senior director of FEI Behavioral Health in Milwaukee, recalled.

In a crisis, “HR's role is strategic. It is to make sure that your folks are taken care of,” Howard said June 19 at the Society for Human Resource Management's Annual Conference & Exposition.

That has numerous ramifications, she said. In the aftermath of Hurricane Katrina, banks were closed and ATMs weren't working due to power failures, so “we had to fly in cash to pay people, which had implications for compensation,” Howard said. There also were questions about employees with health insurance going to health care providers who were out of network temporarily, she said, and whether the employees would be charged copays.



Tuesday, 02 July 2013 11:44

Data outside the data centre

The data centre gets the spotlight when organisations look to improve their management and storage of data, but a growing proportion of the information in the average enterprise is found at its branch offices and on end-user devices.

Security vendor Symantec, for example, estimates that around 46% of the data in most enterprises is found outside their data centres. The volume of data outside the safe perimeter of the data centre is growing at a rapid rate, thanks to the rise of mobility and cloud computing.

In addition, many companies still maintain Windows file servers and low-end storage arrays in branch offices, so users can access applications and data without having network bottlenecks slow them down. This exposes companies to both data storage risks and inefficiencies.



Mobile devices such as smartphones, laptops and thumb drives are becoming increasingly vital to productivity, but your organization’s data could be at risk if one of these devices is lost or stolen. The amount of protected health information (PHI) that is transported through mobile environments is staggering and healthcare organizations have a responsibility to investigate security incidents and report PHI exposures. To protect the organization and its patients, it is crucial that IT staffs and privacy and security officers know what to do if a breach is suspected.

Having even a simple incident response plan in place that focuses on rapid identification and a coordinated response gives healthcare organizations important advantages in the fight against cyber crime. First, a plan allows IT to greatly reduce the time between the discovery of a possible exposure and the identification of any data that was compromised. Reduced response time can keep the data loss to a minimum and assists the organization in providing mandatory notification within the time frame allowed. In addition, a formal process gives IT the ability to quickly limit unauthorized access to the network and sensitive data, thus limiting the amount of information that may be exposed.



Disaster can strike in an instant. Whether it is weather-related, man-made or due to some other cause, disasters often occur with little or no warning. That's why creating and implementing an emergency-preparedness plan could mean the difference between saving your business and losing it all.

At the heart of every successful plan is clear communication. Mobile devices such as smartphones and tablets can help ag retailers and their employees connect with each other and authorities, spreading critical information in a time of crisis. Helping to keep the lines of communication open are dozens of mobile apps specifically designed for emergency preparedness. I’ve researched the most commonly used ones and compiled them in this handy list (in no particular order):



The year 2013 will be a turning point in how governments around the world view the threat of floods in a new age of extreme weather events.

India, Nepal, Canada and many countries in Europe have experienced huge losses over the last two months due to intense precipitation that has triggered extreme flooding affecting millions of people’s well-being and livelihoods.

The shocking loss of life in India underlines how vitally important it is that we start planning for future scenarios far removed from anything that we may have experienced in the past.

When we look at the worldwide escalation in economic losses from disasters over the last five years, it is clear that our exposure to extreme events is growing and this trend needs to be addressed through better land use and more resilient infrastructure as we seek to cope with population growth and rapid urbanisation.



Kylie Fowler got controversial when she spoke last month to an audience of asset management and configuration management professionals at the BCS CMSG Conference in London about the five constants she always encounters in her 10-plus years of working as an IT asset management consultant.

While these constants may always hold true, her advice on how to deal with them held some surprises.

She counselled the audience always to listen to their data - “your data has a huge amount to tell you if you use it correctly,” she said.



Monday, 01 July 2013 14:45

HP Secures Data Migration To The Cloud

With the explosion of data in the enterprise and the ability to use as-a-service storage models, established security practices are often undermined and organisations lose sight of potential threats. In the absence of those standards, IT teams are struggling to identify and assess potential risks, opening their organisations to catastrophic security breaches.

The new HP Cloud Security Risk and Controls Advisory Services, part of the HP Converged Cloud Professional Services Suite, deliver choice, confidence and consistency to customers by combining expertise from across HP, supporting the management of data risk, identification of vulnerabilities and maintenance of compliance with IT governance. This provides clients with solutions that protect their information before it migrates to or from the cloud, whether it is a public cloud, private cloud or hybrid deployment. As a result, organisations can reassign IT resources from spending time on manual tasks to focusing on innovation.



No business today is immune from the ravages of storms and power outages – not to mention earthquakes, fires or other unforeseen disasters that can strike in a minute.

Although all companies need a disaster recovery plan, insurance agents have an even greater obligation to put one in place to enable them to operate after a catastrophe to handle the claims of hard-hit clients.

Here are five tips to keep in mind when developing a plan for confronting disaster and for keeping your agency operating through tough times.



Disaster Recovery as a Service (DRaaS) backs up the whole environment, not just the data.

"Most of the providers I spoke with also offer a cloud-based environment to spin up the applications and data to when you declare a disaster," says Karyn Price, Industry Analyst, Cloud Computing Services, Frost & Sullivan. This enables enterprises to keep applications available.

Vendors offer DRaaS to increase their market share and revenues. Enterprises, especially small businesses, are interested in the inexpensive yet comprehensive DR solution DRaaS offers. There are cautionary notes and considerations too that demand the smart business's attention before and after buying into DRaaS.



Yesterday I was interviewed by NPR for a program airing this weekend about PR and reputation problems caused by racism. It’s always good for someone who helps others prepare for media interviews to do a real one themselves to bring some lessons home. I wasn’t too happy with the interview despite having prepared by thinking through key messages.

In case you catch the story, and some of what I said is included, here is how I intended to answer the question.

1. It’s always about credibility.

While there isn’t a denial, or he said/she said in this case, people are still looking at Paula closely to see if she is to be believed. No doubt trust and respect for at least some has been shaken by revelation of her past attitudes and behavior. Now they are looking to see if she is telling the truth and can rebuild trust. Sincerity is everything. Sadly, I think Paula is very much lacking in this right now with bungled apology, standing up the Today Show, a rocky performance there, and as far as I know, no real action taken–just words. Sincerity and credibility, like all things trust related, are judged more by actions than words.



Federal chief information security officers (CISOs) know that it isn’t a matter of whether their agency will be subject to a cyber-attack; it is a question of how frequently the attacks will occur. 

But, the real concern that keeps CISOs awake at night is wondering when one of the attacks succeeds -- and they know one eventually will -- whether it will successfully compromise the network and disrupt operations, or even worse, result in stolen sensitive, classified or personally identifiable information (PII). 

The traditional approach to addressing common system and network vulnerabilities, which includes placing the problem in silos based on the particular type of attack or its target, is no longer enough to meet the challenges posed by today’s hackers and cyber criminals. Instead, the federal cyber-security landscape requires that agencies take an enterprise approach to cyber risk management, and to do so, CISOs must be able to understand and visualize the human and technology interactions that impact the agency in cyberspace. That’s where analytics can help.



With the operational complexities and regulations businesses face today, basic computer services and support may not be enough to allow them to keep pace with their competition. Myriad regulations and a multitude of other activities make it difficult for any contemporary organization to survive (let alone thrive) without people who can design and implement increasingly specialized systems…and keep them up and running. Of course, before the first piece of that IT infrastructure has even been identified, someone has to determine the company’s goals and build the guidelines that will help achieve those objectives.

Those are several of the roles solution providers should be involved in. Businesses need someone to be their architect; not just for system design but also to develop the policies and programs that must be in place to automate their processes. For example, before customer-related information and business-critical data can be safely and securely stored using a cloud backup solution, someone has to determine which files, records and other details need to be saved.



Any cyber attack can bring unprecedented damage to a company, but can these damages be quantified in financial terms? This year, experts at B2B International calculated the damages stemming from cyber-attacks based on the results of a survey of companies around the world.

The survey titled, 2013 Global Corporate IT Security Risks survey, found that the average cost incurred by large companies in the wake of a cyber attack is a whopping $649,000. To arrive at the most accurate picture of costs, B2B included only incidents that had occurred in the previous 12 months. Additionally, the assessment was based on information about losses sustained as a direct result of security incidents.



From the smallest business decisions to the largest ones, risk influences all that we do. But taking a risk is not exactly like spinning a roulette wheel, where luck is the primary ingredient for success. With use of the right tools, risks can carefully be calculated, controlled and managed, greatly reducing the variable of bad luck.

Many successful CFOs today are accounting for the impact of outside forces – from regulatory changes, interest rates, supply chain and other operational events to natural disasters and even consumer sentiment – to inform, shape and govern their corporate strategies.

While the nature of the finance function has historically been to analyze past performance, risk is inherently forward-looking. CFOs must move beyond their traditional domain and use performance indicators and risk to predict the future. By discovering hidden patterns of risk rooted within their ledgers and spreadsheets – and integrating risk with financial management – CFOs can provide critical linkages between strategy and execution and stay ahead of the curve.



A quarter of European insurers say it’s hard to find knowledgeable, qualified risk management staff, compared to 16% of their US counterparts.


European insurers are becoming increasingly troubled by the lack of knowledgeable, qualified risk managers in the talent pool, according to research from State Street.

According to its survey, carried out by the Economist Intelligence Unit in April, 25% of European insurers said they found it difficult to find the right sort of risk manager, compared to 16% of US insurers.

The dearth of suitable talent is concerning, given 89% of insurance executives said improving the assessment and pricing of risk was a challenge.

In addition, 80% of respondents globally viewed balancing liquidity and reserve adequacy as a challenge, and almost a third (29%) said their companies have divested lines of business since the start of the financial crisis due to new capital requirements or risk management considerations.



CSO — Securing important corporate or personal information has never been more challenging. Every day, new vulnerabilities are discovered, more breaches are reported and we all become less secure. Just look at the headlines: whether it is Anonymous' latest attack, state-sponsored cyber espionage or warfare, criminal activity, or just someone being exploited by five-year-old malicious code that still finds victims, the picture is of a snowball rolling downhill and getting bigger and bigger as it rolls.

Currently, we have a broken model and the state of security continues to spiral downwards. The main root of the issue is that the economics aren't aligned correctly to ensure accountability and responsibility. As a result, we have less security, higher costs, and greater pressure to opt for convenience over security and a fundamental failure to provide proper alignment and transparency to either company or government information security. Without making fundamental changes we are destined to have an ongoing erosion of our security which also translates into an erosion of our privacy and national security.



CALGARY — The flood crisis is a wake-up call for Calgary companies to adopt flexible work arrangements.

With the city in disarray this past week and the downtown closed for business, many companies may find this a spark to put in place telework programs that can prove invaluable not only during crises, but on a more regular basis, said Dr. Laura Hambley, Calgary-based industrial/organizational psychologist with The Leadership Store.

“Having employees well practiced and equipped to work from home, or telework, is an excellent business continuity strategy. In fact, it should be a key component of such plans whenever possible,” she said.

Companies that already have a flexible work policy in place seamlessly work through natural disasters without losing productivity, while their employees stay safe in their homes, she said.


A series of violent storms put Aaron Titus, disaster coordinator for the New Jersey branch of Mormon Helping Hands, through his paces last summer. He coordinated the dispatching of several hundred volunteers to about 300 locations to help remove damaged trees. The effort was so taxing that he doubted one person would be able to successfully coordinate large-scale disaster mitigation smoothly in all cases.

“I realized, if you try to do it as a single individual, you’re never going to be able to,” Titus said.

In response, he developed an early version of Crisis Cleanup, a free open source mapping tool that allows disaster relief organizations to coordinate cleanup and rebuilding efforts after catastrophes. The system has undergone successive modifications since, and today members of volunteer disaster relief organizations log on to the tool and input data into an assessment form about a resident who needs help. This data includes the resident’s address and the type of incident, like flooding, tree removal or food delivery. That information then generates icons on a dynamic map alongside the assessment form.



In the May issue of Risk Management, Emily Holbrook reported on the prevalence of food fraud in restaurants and supermarkets around the world. Characterized by counterfeit or purposely mislabeled foods used by unscrupulous producers looking to make a quick buck, food fraud manifests itself in many ways. Sometimes it’s as unsettling as pig rectum in place of calamari or horse meat for hamburger, while other times it’s farm-raised fish sold as “fresh-caught.” Regardless of the nature of the deception, customers are put at risk. Not only are they conned into buying more expensive items, but they can also be exposed to pathogens or toxins that they would have no reason to expect in their food.

The New York Times recently reported about instances of fake vodka laced with bleach to lighten its color or olive oil contaminated with engine oil to extend the supply and increase profits. It turns out that food fraud is more widespread than most people realize.



Granted, the drop hed is bad grammar, but it works for the military and it could – most likely would – work for any organization.

The military is very big on roll calls and knowing who is present and who is absent – in the latter case, also why the person is absent.

The military roll call is done in reverse pyramid fashion.

On the bottom is the squad. This can be maybe 4 to 10 people.

Next is the platoon. A platoon is composed of several squads.

Moving on up there are companies, each having several platoons; then – well, the graphic shows it all.
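The reverse-pyramid roll call described above, worked through as an added example that is not code from the original article: each unit counts its own people, rolls the counts of its sub-units into its own, and escalates by name anyone who has not reported at all, since "no report" is the case a commander (or a business continuity coordinator) most needs to see. The unit names, people and check-in reports are constructed sample data.

```python
"""Hierarchical roll call: squads roll up into platoons, platoons into
companies, and each level reports present / absent-with-reason /
unaccounted to the level above.

Added example, not from the original article.  Units, people and
check-in reports below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    members: list = field(default_factory=list)   # people reporting directly to this unit
    subunits: list = field(default_factory=list)  # child units (squads under a platoon, ...)


def roll_call(unit, reports):
    """Return {'present': n, 'absent': {name: reason}, 'unaccounted': [names]}
    for `unit` and everything beneath it.

    `reports` maps a person's name to either 'present' or a reason string
    explaining the absence.  Anyone with no report at all is unaccounted
    and is escalated by name rather than folded into a count."""
    summary = {"present": 0, "absent": {}, "unaccounted": []}
    for person in unit.members:
        status = reports.get(person)
        if status is None:
            summary["unaccounted"].append(person)
        elif status == "present":
            summary["present"] += 1
        else:
            summary["absent"][person] = status
    for sub in unit.subunits:                      # roll each sub-unit's numbers upward
        child = roll_call(sub, reports)
        summary["present"] += child["present"]
        summary["absent"].update(child["absent"])
        summary["unaccounted"].extend(child["unaccounted"])
    return summary


def report_by_unit(unit, reports, out=None):
    """Per-unit view of the same roll call, keyed by unit name, so each
    level of the pyramid can see where its own gaps are."""
    if out is None:
        out = {}
    out[unit.name] = roll_call(unit, reports)
    for sub in unit.subunits:
        report_by_unit(sub, reports, out)
    return out


def build_sample_company():
    """Constructed org chart: one company, two platoons, two squads each."""
    squad_a = Unit("1st Squad", ["alice", "bob", "carol"])
    squad_b = Unit("2nd Squad", ["dan", "erin"])
    squad_c = Unit("3rd Squad", ["frank", "grace"])
    squad_d = Unit("4th Squad", ["heidi", "ivan", "judy"])
    plt_1 = Unit("1st Platoon", ["lt_one"], [squad_a, squad_b])
    plt_2 = Unit("2nd Platoon", ["lt_two"], [squad_c, squad_d])
    return Unit("A Company", ["captain"], [plt_1, plt_2])


# Constructed check-ins: 'grace' and 'ivan' never reported at all.
SAMPLE_REPORTS = {
    "alice": "present", "bob": "present", "carol": "sick leave",
    "dan": "present", "erin": "present", "frank": "present",
    "heidi": "present", "judy": "travel", "lt_one": "present",
    "lt_two": "present", "captain": "present",
}


if __name__ == "__main__":
    company = build_sample_company()
    for unit_name, summary in report_by_unit(company, SAMPLE_REPORTS).items():
        print(f"{unit_name:12s} {summary}")
```

The point of keeping "unaccounted" as a list of names rather than a number is that it survives the roll-up: the company commander sees exactly who in the 3rd and 4th Squads has not checked in, not just that two people are missing somewhere below.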



Friday, 28 June 2013 16:41

Tips For Surviving A Mega-Disaster

The U.S. is ready for tornadoes, but not tsunamis.

That's the conclusion of a panel of scientists who spoke this week on "mega-disasters" at the American Geophysical Union's science policy meeting in Washington, D.C.

The nation has done a good job preparing for natural disasters like hurricanes and tornadoes, which occur frequently but usually produce limited damage and relatively few casualties, the panelists said. But government officials are just beginning to develop plans for events like a major tsunami or a large asteroid hurtling toward a populated area.

The difference between a disaster and a mega-disaster is scope, the scientists say. For example, Hurricane Sandy was defined as a disaster because it caused significant flooding in New York and New Jersey last year, says Jones of the U.S. Geological Survey. But the flooding was nothing like what happened to California in the winter of 1861 and 1862, she says.

"It rained for 45 days straight," Jones says, creating a lake in the state's central valleys that stretched for 300 miles. The flooding "bankrupted the state, destroyed the ranching industry, drowned 200,000 head of cattle [and] changed California from a ranching economy to a farming economy," she says.



Enterprises need to assess the risks of cloud computing and have clarity on data protection and security responsibilities when contracting cloud services to avoid another “2e2 disaster”, a cloud lawyer has said.

Cloud is not a magical solution that will fix all of IT’s problems and customers must understand that the service they get depends on what they pay for, Frank Jennings, cloud lawyer at DMH Stallard told Computer Weekly at the annual Cloud World Forum 2013 event.

“If you are a big blue chip company paying more for the cloud service, you may get a higher level of protection, but if you are a small enterprise, your contract doesn’t provide enough value to the cloud service provider,” Jennings said.



Thursday, 27 June 2013 15:07

The three key stages to managing risk

Risk arises because of uncertainty about the future. It could involve the possibility of economic or social loss, or incur damage or delay. Risk management provides a structured way of assessing and dealing with future uncertainty. This leads to more efficient and effective decisions, greater certainty about the future and reduced risk exposure.

In every procurement transaction a degree of risk is involved, although most of the time it is not recognised and expressed as such. This is true for simple purchases, for example, ordering a meal or a bottle of wine in a restaurant. It is especially true when ordering complex goods or services, where the specification is not pre-determined, the outcomes are unsure, and the provider unknown.



Thursday, 27 June 2013 15:06

Hurricane watch? There's an app for that

Emergency preparedness applications are a growing trend in smart phone technology.

It’s hurricane season in Louisiana, and that means people will keep a watchful eye on the Gulf of Mexico. Preparing should go farther than that, however. Local, state and national disaster relief organizations flood their websites with emergency information. Smart phones allow the information to be more accessible with the development of emergency-related mobile apps.

The American Red Cross last year launched six mobile apps — Tornado, Hurricane, Shelter Finder, First Aid, Earthquake and Wildfire.

The Red Cross of Central Louisiana used the hurricane app for the first time when Hurricane Isaac threatened Central Louisiana. The app monitors local conditions, and aids in storm preparations. One feature allows users to find help or let others know they are safe.



Thursday, 27 June 2013 15:04

Eight Tips for Implementing a DR Program

Unlike Dorothy in The Wizard of Oz, IT doesn’t have to worry about “lions and tigers and bears, oh my!” Tornados, however, are a shared problem, not to mention hurricanes, earthquakes, blackouts and blizzards. When disaster strikes, it may be tempting to close your eyes and repeat “there’s no place like home,” but unless you have a pair of ruby slippers, the following are better tips to get you safely back to Kansas.

#1 – Distance Matters

Select a disaster recovery location that is far enough away that it won’t be affected by whatever brings your own systems offline.

Florida Hospital, a member of the Adventist Health System, is the nation’s largest privately-owned hospital with 17,600 employees and 2,230 physicians working at 22 campuses. The hospital has its own disaster recovery (DR) site just a few miles from its primary data center in Orlando, but since its primary concern is hurricanes, it also selected a managed SunGard DR site that is 1000 miles up the coast in a location that won’t likely be hit by the same storms.



A seemingly innocuous phrase that sounds as if it could be the name given to a downtown district of a sprawling metropolis or a local sports team, “Five Nines” actually refers to a desired level of system availability.

Ever since man began to create and use more complex machines and tools he has been locked in an eternal battle to keep them working and to improve their performance. But the emergence of cloud computing has freed many companies from the daily tussle between hardware, software, random events and erratic connectivity.

The idea of Five Nines is a classic case of an essentially contested concept, and the debates that whirl across the internet over its validity as a concern of modern businesses demonstrate that it cuts to the very heart of the direction that cloud services are heading in.

But can such a contentious subject be of any use to you and your business?
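To make the phrase concrete, here is the arithmetic behind "five nines", as an added example that is not code from the original article. It goes a step beyond the text: besides converting an availability figure into an annual downtime budget, it shows how a chain of dependencies that must all be up multiplies their availabilities together (each extra hop can only lose nines), and how independent replicas restore them. The component availabilities in sample_system() are constructed for illustration and do not describe any real provider's SLA.

```python
"""Availability arithmetic behind "five nines".

Added example, not code from the original article.  The component
availabilities in sample_system() are constructed figures, not any
provider's published SLA."""

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600; leap years ignored


def downtime_minutes_per_year(availability):
    """Annual downtime budget implied by an availability fraction.
    0.99999 (five nines) allows about 5.26 minutes a year;
    0.999 (three nines) allows about 525.6 minutes, or 8.76 hours."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series_availability(components):
    """Availability of a system in which every component must be up at
    once (app -> database -> network -> cloud host): the product of the
    parts.  Adding a dependency can never raise the result."""
    total = 1.0
    for a in components:
        total *= a
    return total


def parallel_availability(replicas):
    """Availability of independent replicas where any one being up is
    enough: the system is down only when every replica is down at the
    same time.  This assumes failures are independent; a dependency the
    replicas share (DNS, identity provider, control plane) breaks that
    assumption and the real figure is lower."""
    all_down = 1.0
    for a in replicas:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def sample_system():
    """Constructed example: one region built from parts that each look
    respectable on their own, then the same stack in two regions."""
    one_region = series_availability([
        0.9995,  # cloud VM SLA (constructed figure)
        0.9990,  # network path to the provider (constructed figure)
        0.9999,  # the application itself (constructed figure)
    ])
    two_regions = parallel_availability([one_region, one_region])
    return {
        "one_region": one_region,
        "one_region_downtime_min": downtime_minutes_per_year(one_region),
        "two_regions": two_regions,
        "two_regions_downtime_min": downtime_minutes_per_year(two_regions),
    }


if __name__ == "__main__":
    for label, value in sample_system().items():
        print(f"{label:>26}: {value:.6f}")
```

Run as written, the single-region stack comes out near 99.84% (roughly 14 hours of downtime a year) even though no individual part is below three nines; the two-region version climbs above five nines only because the example treats the regions as failing independently, which is the assumption to check before quoting such a number to anyone.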



Thursday, 27 June 2013 15:01

Benefits of cloud-based disaster recovery

An effective business disaster recovery plan is like building or travel insurance - you don't realise how important it is until adversity strikes.

Unexpected events that disrupt normal business activity can have a major impact on operations, staff and customers. Having in place a comprehensive plan to deal with such events is a vital part of effective management.

When it comes to their IT systems, many large companies tackle disaster recovery (DR) by establishing an offsite facility that can support business systems should a catastrophe strike. Critical applications and data are replicated in this facility and kept in a state of readiness at all times.

Smaller companies, however, often find they cannot readily afford such an approach. The overheads associated with purchasing and maintaining duplicate hardware and applications that may never be used make it a very expensive option. Add the extra IT management requirements and this approach to DR moves even further out of reach.


Often the employees at a small to mid-size business feel they already have their hands full just running day to day operations. But what if a worst case scenario were to strike?

It’s not pleasant to think about, but necessary to do so. Consider the small businesses that have seen their offices washed away in the recent Alberta floods, or seen their employees stranded and displaced – or worse. How will the business pull together and survive the disaster, while communicating a plan of action to its employees?

When it comes to disaster planning there are few organizations in the world that have as much experience as the U.S. Federal Emergency Management Association (FEMA), an agency under the department of Homeland Security. So we’re looking to Robert Jensen, the principal deputy assistant secretary for public affairs at Homeland Security, for some strategies for disaster recovery communications planning.



I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]



Business leaders and IT professionals don't often like to think about contingency plans. It seems like the more a company plans for a disaster, the more it expects one to occur. This attitude doesn't necessarily cause arrogance or ignorance, but what it can result in is too little attention paid to business continuity plans, of which disaster recovery is a significant component. Denying the problem doesn't make it any less likely to occur, but it can mean taking a harder hit to business-critical functionality if it does. These businesses, in addition to those that do seek out extensive disaster recovery plans, should be aware of the strengths of enterprise cloud computing.

Part of what will drive security and business continuity improvement in enterprise clouds is the oversight inherent in the cloud computing model, according to the Jacksonville Business Journal. Cloud service providers and adopters enter into agreements in which CSPs are responsible for protecting another business' resources, be it data, infrastructure or IT. Further developments in cloud partner programs will only increase the number of businesses that are directly responsible for upholding the integrity of another's networked resources.



Techworld — Dutch water experts have teamed up with IBM to launch a new initiative called Digital Delta, which will investigate how to use Big Data to prevent flooding.

The Netherlands is a very flat country with almost a quarter of its land at or below sea level, and 55 percent of the Dutch population is located in areas prone to flooding. The government already spends over 7 billion in water management every year, and this is expected to increase 1-2 billion by 2020 unless urgent action is taken.

While large amounts of data are already collected, relevant data can be difficult to find, data quality can be uncertain and with data in many different formats, this creates costly integration issues for water managing authorities, according to IBM.



Wednesday, 26 June 2013 18:03

DDoS: A 'Perfect Weapon' for Attackers

Distributed-denial-of-service attacks are the perfect weapons for cybercriminals and political adversaries. And Prolexic CEO Scott Hammack says any organization with an online presence should brace itself for attacks.

"As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people," Hammack says during an interview with Information Security Media Group [transcript below]. "This is a perfect weapon," he says.

And as the attacks get more sophisticated, defending against them gets more challenging, Hammack says. Today's attacks are increasingly using standard Internet security mechanisms, such as secure sockets layer protocol, to defeat online-outage defenses, he says.



Wednesday, 26 June 2013 18:02

An Executive's Guide To Security Risks

The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.

The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it.  The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.

Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a., CISO).  Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on.  In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand.  How can this represent the best interests of your stakeholders?



Wednesday, 26 June 2013 17:58

Resilience Lessons from Hurricane Sandy

Yesterday I spent the day with a number of people from across the nation looking at what lessons can be learned from the Hurricane Sandy Experience.  The key person putting this event together was Steven Flynn.  Because he was able to get grant funding to support the work, he could sponsor the travel for a variety of people to attend.  Generally he drew on people from other major metropolitan areas that have been doing catastrophic planning and also have significant risks.  I liked the mix of attendees.  Due to the significant business interruptions to the NY/NJ ports, there were a number of other port authority representatives in attendance.

The first panel of the day was a federal one that spoke to what they learned from the Hurricane Sandy Experience.  See my notes below.  Please note that this is what I could capture, certainly not a verbatim record for what was said.



When it comes to compliance risk, board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control.  So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.

As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing.  It’s not just an item on the agenda – compliance is its own agenda these days.  Given the pace and scale of change, both compliance executives and boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.

If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention:  Environment, execution, and evaluation.



Wednesday, 26 June 2013 16:50

Wading through a PR crisis

So, what do you do when the sky caves in, as it has in the last week for Savannah culinary personality Paula Deen? What do you do when the past comes knocking in a most unfavorable way? What are the steps for digging out from under a public relations disaster?

Without speaking directly to the still-unfolding Deen contretemps, Jennifer Abshire, of the Savannah public relations firm that bears her name, said there are three basic rules for dealing your way out of any PR crisis.

“If you’re looking at a crisis, I think dealing with it directly is extremely important,” Abshire said Monday. “I do, however, believe that a simple statement is sufficient. And I think the most important thing for anyone who has dealt in crisis PR is to immediately get as much good news out as possible of the wonderful things the client or person has done to help the community.”



This was only an exercise.

Police, firefighters and medical technicians swarmed onto the grounds of Canopy Oaks Elementary on a cloudy Friday morning.

They lined up stretchers and plastic kiddie pools in the parking lot behind the school. They set up washing stations to rinse hazardous chemicals off the 15 high school students who spilled into the breezeway in the middle of the school grounds, and doused the students with fire hoses.

Sheriff's deputies interviewed the students one at a time, and one of them admitted there was a bomb in a car parked out front.

The Big Bend Regional Bomb Squad arrived and deployed remote-control robots with mechanical arms that shattered windows and ripped doors off a beat-up Dodge Stratus parked out front.

Friday’s “chemical chaos” drill involved 10 agencies — from Leon County Schools to the Florida Department of Law Enforcement and the hazardous materials unit of the Tallahassee Fire Department. Evaluators followed them every step of the way, taking notes and film that will help them analyze their performance and look for ways they could respond better in the event of a real disaster.



LAFAYETTE — Sussex County amateur radio operators recently concluded a 24-hour emergency preparedness drill that saw them contact more than 2,600 other operators throughout North America and overseas.

The annual exercise, conducted this past weekend in Lafayette, afforded members of the Sussex County Amateur Radio Club an opportunity to showcase their craft to the public and, just as importantly, contributed to the group's ongoing partnership with the Sussex County Office of Emergency Management.

"We want the community to know that in the event of an emergency, we will be ready to assist in any way we can," said John Santillo, the group's president. "While people often think that cell phones or other communications technologies have replaced ham radio, we can provide vital communications in an emergency that others can't."



The day you need business continuity planning isn’t the day to start thinking about implementing a program.

In the wake of devastating flood waters that hit Calgary and parts of southern Alberta, many organizations in Wild Rose Country have had to flip the switch on their continuity plans to ensure operations continue on as close to normal as possible.

That’s not easy, given the scope of the damage. How bad is the flooding? One need look no further than the city’s iconic Saddledome, home of the Calgary Flames, which filled with water like a giant bathtub up to row 10.

According to estimates from the Calgary Chamber of Commerce, somewhere between 150,000 and 180,000 people work in the city’s downtown core, and the city has a $120-million a day economy. That’s a huge number of displaced employees with a giant price tag, and Calgary Mayor Naheed Nenshi says it will likely be mid-week before most employees can return downtown. It’s hard to imagine the city returning to business as usual this week at all.



In my career as an asset manager, and as a manager of financial risk, I have learned that all good risk management is done upfront, before the first purchase is made or product is sold.  Secondarily, good risk management relies on the concept of feedback, i.e., are the results expected at inception happening?  If not, are they happening in a way that makes us doubt the margin of safety that we thought we had?



Technology problems at the state level last Thursday prevented effective town participation in the 2013 Statewide Severe Weather Exercise, which was executed over two days last week.

The Department of Emergency Services & Public Protection (DESPP) simulated a severe ice storm affecting the west and northwest portion of the state, Region 5 of the Division of Emergency Management and Homeland Security (DEMHS). This was the second year for the drill, which was enacted as part of Governor Dannel P. Malloy’s emergency preparedness and planning initiatives after the severe storms that impacted the region during the previous year.

Towns could elect to participate either Thursday, June 20 or Saturday, June 22.

According to a notice provided to the towns by DESPP, the simulation was supposed to give the region, “an opportunity to exercise DEMHS Region 5’s Regional Emergency Support Plan with the other 4 DEMHS Regions participating in support roles.”



To control costs and optimize insurance availability an overwhelming number of risk managers feel their organization must conduct deeper research into their risk to reap the full benefits of analytics, according to an online survey taken by insurance broker Marsh.

Nearly 80 percent of risk managers attending a Marsh webinar, "Using Data and Analytics for Optimal Risk Management," says their companies need to take a closer examination of risk-related data.

Of companies employing a risk manager, close to 44 percent say they do not have a set dollar-amount threshold for unexpected losses and 29 percent do not know if their company is aware of how much risk they can take on—about the same number that do quantify and share risk information with their insurance managers.



When I left off last time, I mentioned that the 60/40 principle is an effective one for business continuity and disaster recovery planning. First, I set out an ambitious goal of a comprehensive, organization-wide program built around industry standards and best practices, leveraging the right automation tools and the right vendors and suppliers…and that would also be able to kill any audit. And then I took 40% off the top and made that our end-goal. Then, a funny thing happened…



Aligning to strategic objectives and assessment of BCMS performance

London - June 19, 2013 - Attenda Limited, the Business Critical IT company, today announced that it has been accredited with the new ISO 22301 International Standard for Business Continuity Management.

Published in 2012, the new ISO 22301 standard replaces the equivalent British Standard, BS 25999; introducing important changes including the role of top management in Business Continuity, the alignment to the strategic objectives of the organisation and the assessment of performance of the Business Continuity Management System (BCMS).

Attenda has been working for the past twelve months to align its business to the ISO 22301 standard, carrying out detailed assessments of the organisation and technology elements and processes, including a number of scenario based exercises with the Crisis Management Team.

As Matt Gordon-Smith, Director of Security, Attenda says, "We have a well-developed and mature approach to crisis management; the intention being to reduce the risk of an incident affecting our ability to do business and to allow faster recovery in the event that something does happen."

The ISO 22301 accreditation is an important component in Attenda's managed services and cloud delivery, further endorsing its business critical IT capability. All Attenda Clients will benefit from the assurance provided by this certification; and additionally, they will be able to access a range of Business Continuity and Disaster Recovery Consulting Services from Attenda, based upon this standard.

Dave Austin, Director, Operational Resilience (Oprel), who has led the international team developing the new standard and has acted as an advisor to Attenda, comments "Attenda has not only ensured that it has stringent measures in place for disaster recovery, but it has also given detailed consideration to the key information that could prevent access to the primary information sources during and after a crisis, to ensure that it can recover faster and more effectively."

In addition to ISO 22301, Attenda has been working closely with BSI on an on-going basis, to attain re-accreditation of all of its other ISO certifications including ISO 9001, ISO 27001 and ISO 20000.

Matt Gordon-Smith adds, "As an integral part of our Business Critical IT approach, we understand that Business Continuity reaches into all parts of the organisation, and must be embedded into our culture. The addition of this new ISO standard to our portfolio of accreditations reinforces our commitment to delivering Peace of Mind for our clients."


Sgt. Jesus M. Villahermosa Jr. has been a deputy sheriff with the Pierce County, Wash., Sheriff’s Department since 1981. Villahermosa served 15 months as the director of campus safety at Pacific Lutheran University in a contract partnership where he worked on all security aspects related to staff and student safety. He has been on the Pierce County Sheriff’s SWAT Team since 1983, and he currently serves as the point man on the entry team.

In 1986, Villahermosa began his own consulting business, Crisis Reality Training. He has primarily focused on the issues of school and workplace violence.

In this Q&A, Villahermosa addresses how schools can be better prepared and secure for an active shooter emergency.



IDG News Service - The French government's accounts payable system, Chorus, is back online after a four-day outage, the French State Financial Computing Agency (AIFE) said Monday.

An accident at a data center operated by French servers and services company Bull on Wednesday affected Chorus's storage systems hosted there. That incident took the core of Chorus, an SAP system with 25,000 users, offline, although another application, Chorus forms, continued to serve its 30,000 users.

The server room's fire extinguishing system was accidentally triggered following an error by one of Bull's subcontractors, resulting in simultaneous damage to several major components of a storage bay holding Chorus data, the agency said.

Bull had little to say about the accident.



The Editor interviews Troy Dahlberg, Douglas Farrow and Ginger Menown, Advisory Services Forensic Partners with KPMG LLP.

Mr. Dahlberg is a Partner in New York with the firm’s Forensic Practice. Troy has more than 30 years of experience providing accounting, auditing and consulting services to companies in many industries. 

Mr. Farrow is a Partner in the firm’s Forensic Practice and has over 25 years of experience assisting corporations, attorneys and their clients with a wide spectrum of financial, economic and accounting matters.

Ms. Menown is a Partner in Houston with the firm’s Forensic Practice. She has over 20 years of experience providing services in dispute resolution, investigations, mergers and acquisitions, valuation, financial advisory and auditing.

Editor: Please give us an overview of disaster situations that you have helped clients manage.

Dahlberg: We have assisted clients affected by the 9/11 terrorist attack, Oklahoma bombing, Japanese earthquake, Hurricane Irene and more recently Superstorm Sandy. Our work primarily involves economic accounting or other financial assistance to the companies that have been impacted by the disaster.

Farrow: For instance, we are currently assisting organizations of a wide range of sizes and industries that have suffered losses and/or incurred extra costs as a result of Superstorm Sandy. We are coordinating claim programs with management’s recovery plan, compiling cost data and assisting with quantifying economic and financial losses that companies have sustained as a result of the storm. In the past, we have worked on insurance claims in the tens and hundreds of millions of dollars for companies in diversified industries as a result of natural disasters such as earthquakes, floods and hurricanes.



The European Commission is seeking leading lights in the arena of cloud services to help sketch out a contract framework so that customers don't get tied into murky deals.

At least, this is the principle that Steelie Neelie Kroes, vice president of the EC outlined in a blog today, ahead of the European Cloud Partnership Steering board in Estonia next month.

"One of the big barriers to using cloud computing is a lack of trust," she said. "People don't always understand what they're paying for, and what they can expect."

"I think you should be able to know what you're getting and what it means - and it should be easy to ensure that the terms in your contract are reasonable: open, transparent, safe and fair."



Here, we are going to talk about business interruption insurance and why every business ought to be ready for this kind of surprise.

Business interruption insurance must be a crucial part of any enterprise owner’s strategy. It acts as a support mechanism for your organization when it is closed down as a result of unpredicted situations such as damage to rented premises, accidents or just about any other unanticipated challenge.

Business interruption insurance provides adequate cover while your business is not in action and will help you pay ongoing costs. In this way, you gain time to get your organization back on its feet. Smaller businesses that don’t invest in this insurance may face closure in the near future, because the cost of recovering is beyond their own financial capacity.



Monday, 24 June 2013 16:05

The Supply Chain After the Disaster

When disaster planning for the supply chain, people rarely talk about what happens when parts and devices are damaged but not ruined. However, in the aftermath of the Japanese earthquake and tsunami, the Thailand floods, and the hurricanes and tornadoes in the US, it's high time for this conversation to start happening in a big way.

Reverse logistics and repair are crucial parts of disaster recovery efforts. Fortune 500 electronics manufacturers will have to rebuild production equipment. Individual consumers will want their under-warranty cars, laptops, and phones replaced. Third-party vendors will be salvaging and reselling scrapped parts.

Let's take Hurricane Sandy, just because it's still fresh in many people's minds. In February, the National Insurance Crime Bureau raised its estimate for the number of vehicles damaged by the storm to 250,500. That number is still based on preliminary figures and could change as more insurance claims are processed. Many of those cars have been cleaned up and may be back on the market under the "good but previously damaged" label. Many others have turned up without such a label.



The result is included in a recent survey of more than 3,000 employers by Zywave, a provider of software as a service technology solutions for the insurance and financial services industry. It was conducted during the first quarter of 2013.

The survey showed 53 percent of employers are very or somewhat concerned about post-accident cost control while 50 percent are concerned about risk control in the form of accident prevention. However, when asked for the most effective measure they take to control workers' comp costs, having a safety-minded culture was mentioned by 69 percent of respondents, although only 26 percent rank safety incentives as effective or highly effective. Also, 34 percent say they do not have a written safety manual.



Monday, 24 June 2013 16:00

Keeping in step with regulation

The arrival of outcomes-focused regulation in October 2011 was greeted with howls of concern by the solicitors’ profession as a whole. A new and uncertain regulatory landscape lay ahead of a profession that has a strong desire for certainty and clarity at the very heart of its culture, training and service offerings. Commentators at the time noted that the new regime offered plenty of negatives and few positives. Eighteen months on, though, the landscape feels very different. Those that have embraced the changes can feel empowered by them and are able to drive risk management into their business as a key part of the business process, rather than simply a compliance burden.

There are things that firms need to be aware of, principally that the change in regulatory structure has moved responsibility away from the regulator to the regulated, with a consequent need to apply sufficient resource to risk-management activities. But there are also opportunities to be exploited. Not opportunities to play fast and loose in the face of broader, less prescriptive, regulatory rules, but instead opportunities to focus on making regulatory, compliance and risk management a more central part of any business and to construct it in a way that fits with your business needs rather than regulatory strictures.



So you need to do some Business Continuity/Disaster Recovery (BC/DR) Planning, but aren’t sure how to start? Depending on the size of the task and the level of prior focus on BC/DR planning within your organization, this could involve anything from simply sprucing up your existing BC/DR plans to the overwhelming feat of creating new plan designs and implementations. If the latter is your situation, don’t feel alone. There are many data center managers, IT executives, and application owners that feel like they’re behind the 8-ball on their business continuity and disaster planning efforts. Rest easy and know that with the right steps, you can get things moving forward in the right direction.

Business Continuity and Disaster Recovery Planning: The 60/40 Rule

One of my best mentors was an extremely successful leader in risk and resilience programming in both the federal government and commercial industry sector. He taught me early on (much to my initial chagrin) that the best programs start out with the 60/40 rule, meaning that you should start out and “sell” goals and objectives that are only 60% of where you would ideally wish to see the end-state. The “60/40 rule”??? As a devoted and overly ambitious “Business Continuity Professional,” I could conceivably accept the classic 80/20 Pareto Principle, but 60/40 was difficult to swallow. But he was “the Boss,” so I figured I might as well go with the flow, accept his guidance, and ensure that all my programs targeted getting “60% there.” So how would this work?



The word “disaster” can be used to describe a broad range of events, such as violent weather, a catastrophic accident, or a natural event that causes great damage or loss of life. Disaster recovery is an equally broad term that encompasses both the planning and preparation prior to a catastrophic event, as well as the recovery and recuperation of those affected.


A seminal moment in disaster recovery occurred in 1988 when a fire destroyed a central office operated by Illinois Bell in the suburbs of Chicago. The Hinsdale Central Office handled 40,000 local phone lines, which supported the O’Hare International Airport and numerous businesses. Service wasn’t restored for weeks and, one by one, thriving businesses failed and were liquidated. Network planners and architects came to realize that there are a multitude of things that can negatively impact network operations in addition to natural disasters.

While disaster recovery and business continuity are similar in many ways and share many overlapping concerns, they are different subjects. Disaster recovery deals with the aftermath of a catastrophic event that affects an area or region. Business continuity involves the safeguarding of critical business functions.



Monday, 24 June 2013 15:54

3 Business Safety Tips for Summertime

Whether you operate a seasonal business or your sales simply pick up during the summer months, summertime can be full of risks for small business owners.

From on the job injuries to extreme weather, there’s a host of things that can go wrong to hurt sales or worse yet derail the entire operation.

“Summer is a busy time for certain businesses, particularly those along the coasts,” says Judy Coblentz, vice president and chief underwriting officer at Travelers. “In certain parts of the country the summer season brings more business and pretty big exposures for small businesses.”

To prevent your business from taking a hit this summer, Travelers put together a list of the biggest seasonal risks and ways to avoid them.


Monday, 24 June 2013 15:53

Big Data and GRC

The following is CCI Publisher Maurice Gilbert’s interview with John Verver, VP, Strategy at ACL. Mr. Verver is a Chartered Accountant, Certified Management Consultant, and Certified Information System Auditor, as well as a member of the Center for Continuous Auditing’s advisory board.

Big Data is a hot topic right now – how does it relate to GRC and the practical issues of risk management and compliance?

The term Big Data is used in a wide range of contexts, but it generally refers to the gathering and integration of data from various sources, both traditional and non-traditional, in order to obtain better insights into customers, prospects, market opportunities, and corporate performance. Although it is not often used in reference to risk management, controls, and compliance, it’s interesting to note that analysis of very large volumes of data from disparate sources has played a significant role in GRC for at least the past 10 years.



CSO — Richard Ramirez is remembered all across southern California for the terror he invoked during the early '80s. The serial killer, who died in prison earlier this month, was nicknamed the 'Night Stalker' and was known for the ease with which he entered his victims' homes. He did not break and enter, he didn't shatter windows or climb down the chimneys. For the most part, Richard 'walked' into homes either through screen doors left unlocked or windows left open. Many of his crimes, I've been told, were committed close to freeway ramps to facilitate a fast getaway.

What was very interesting to note about Ramirez's victims is that even though the city was aware of a serial killer on the loose, people still left their windows open or the screen doors open. I know I would batten down the hatches and take extra precautions until I heard the killer had been caught. So what makes people lax and laissez-faire in the face of a known and omnipresent danger?



2012 was the second-worst year on record for extreme weather events, both in number and in cost, according to a tally released this morning by the National Oceanic and Atmospheric Administration. Eleven major events—including tornadoes, wildfires, droughts, and hurricanes—racked up a collective bill of over $110 billion, with cropland damage from drought in the Midwest ($17.36 billion in crop insurance payments alone) and Hurricane Sandy, with a $60 billion price tag, as the most expensive items.



More than half of mid-sized businesses across Europe would refuse to do business with an organisation which has suffered a data breach, despite the fact many see data loss as just another part of everyday business.

That is according to the second annual pan-European Information Risk Maturity Index by global information management firm Iron Mountain and professional services provider PwC, which examined how companies expect to respond to information risk.

It found that companies are experiencing up to a 50 per cent increase in data breaches per year. The report suggests European firms' approach to data management is marred by confusion, inconsistency and double standards.

The study reveals that despite the risks to business revenue and credibility associated with data loss, more than 60 per cent of organisations surveyed believe cutting costs is more important than investing in proper protection against the loss of data. Many of the businesses told Iron Mountain and PwC that they do not have a proper risk information strategy in place.



While knowing the latest IT security measures or top marketing strategies are important, they aren't the skills that are going to pay off in the long run for today's college graduates, new research shows.

A study by Kaplan University's College of Business and Technology discovered that critical thinking and written communications are the most important skills college graduates majoring in business or information technology programs will need to succeed in the work force.

"Technology becomes obsolete quite rapidly," said Kaplan University professor Lynne Williams. "Good communication skills remain with you throughout your working life."



Friday, 21 June 2013 15:36

Improving Security for USB Drives

A new inspector general report criticizing a government contractor's USB drive security practices is an important reminder of why all healthcare organizations need to control the use of mobile storage media and ports.

"Because USB devices connect directly into computers and can store large amounts of data, they can potentially cause serious harm to computers and networks or compromise sensitive data if their use is not properly controlled," says the report from the Department of Health and Human Services' Office of Inspector General.

Among the risks posed by USBs are the spread of malware and the inappropriate download, storage and removal of data by users, resulting in breaches or possible fraud.

Security weaknesses such as those identified by the OIG are common throughout healthcare and need to be addressed to help protect patient privacy, says independent IT security consultant Tom Walsh.



Friday, 21 June 2013 15:35

Powering backup and DR with cloud

Cloud came as a blessing in disguise for back-up and disaster recovery services. Traditionally, we have depended on tapes and data centres for both, which required huge investments. The paradigm shift brought by the cloud has made it possible for the SMB sector to explore these services.

"It won't happen to me" is some kind of self-assuring myth that most people feel comfortable with. I was going through a document from Texas University which tells us that only six per cent of smaller businesses survive catastrophic data losses.

University of Minnesota found that "93 percent of business that lost their data centre for 10 days or more filed bankruptcy". If these facts are true, DR and backups act as a lifeline for our business, as bad times cannot be completely avoided. Disasters just don't happen; they are a chain of critical events. Not having a robust DR could be one of them.



Friday, 21 June 2013 15:31

Risk Management, Military Style

Especially in military operations, it's impossible to eliminate risk, but it can be minimized. Many of the military's risk-management techniques can apply to your flying.

No matter what we do in an aircraft, we cannot eliminate risk entirely. Instead, we can manage that risk and take positive steps to mitigate or reduce it; in rare cases, we may even be able to eliminate it. An example of the latter might be canceling a trip for poor weather, or because of a mechanical issue. But we should be mostly concerned with mitigating and reducing the risks our flying poses.

Of course, there are many ways to accomplish these goals. I believe most of us in general aviation have sat through a presentation or seminar discussing risk management. While serving in the U.S. Marine Corps, I sat through those classes as well as taught them, and I always came away with the same question, "How will this reduce the mishap rate?" Given the resources available, along with the missions, the military's way of managing risk can't be implemented by the average GA pilot. But it's worthwhile to examine the military's risk-management process. Using it as a template, then taking some simple steps and applying its techniques over time, on our own, can help reduce the GA mishap rate, before someone does it for us.



Good news for managed services providers (MSPs) offering backup and disaster recovery (BDR) solutions. Storage software revenue increased in the first quarter this year led by strength in data protection and recovery software, according to a report from International Data Corp. (IDC). Here are the details.

The worldwide storage software market grew by 3.2 percent during the first quarter of 2013 compared to the same quarter of 2012. Revenue during the quarter climbed to $3.6 billion.

Eric Sheppard, research director for storage software at IDC, pulled out the key areas of strength in the market. "Demand was strongest for data protection and recovery software as well as storage and device management software. This was driven by a broad need for data resiliency, improvements to operational efficiencies, and better insights into installed data center infrastructure."



The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, has increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.



Although each business disruption is unique and many decisions will have to be made as situations unfold, a business continuity plan provides a framework and preparation to guide these decisions, as well as a clear indication of who will make them. A successful business continuity plan includes the following elements.

Define a team structure

  • Develop a clear decision-making hierarchy, so that in an emergency, people don’t wonder who has the responsibility or authority to make a given decision
  • Create a core business continuity team with personnel from throughout the organization, including executive leaders, IT, facilities and real estate, as well as physical security, communications, human resources, finance and other service departments
  • Create supporting teams devoted to related functions such as emergency response, communications, campus response and business readiness



The effectiveness of data classification and retention policies can have strong ripple effects across an organization's entire IT risk management framework. After all, how data is classified can determine what risk management priorities are placed on it, and the less data that is retained long-term, the less volume the organization has to sift through to determine appropriate protection levels.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."



How can you prioritize various backup and disaster recovery (BDR) issues? Smart managed services providers (MSPs) focus on four potential scenarios. The idea is to understand each scenario and its correlation with time to recovery.

Strata Information Technology Inc. President Pete Robbins, a BDR specialist, uses these four scenarios to properly assess each situation:



Friday, 21 June 2013 15:22

Risks within risk

For want of a nail

The Atlantic hurricane season arrived June 1. The Pacific typhoon season arrived a little earlier and promptly sent a typhoon across Mexico.

Many organizations have “hurricane” plans. To my mind, that’s foolish. Any “threat specific” plan is, in my opinion, foolish.

The problem with a “hurricane” plan is that it can overlook a risk within a risk.

Consider a hurricane’s main components.



Storm surge (flood).

Wind is, for the most part, harmless. True, it can blow the roof off a building and that can lead to other damages to a property. And true, it can bring down power lines.

A wind’s main threat potential is carrying missiles – anything it can pick up and hurl along at high velocity.



The constant parade of new hardware and software that necessarily comes into a data center makes for a lot of moving parts that can be extremely difficult for IT managers to integrate into a business continuity plan.

It's a big, diverse IT world out there.  In any given data center, you can walk down the aisles and see racks of servers or storage from literally dozens of different companies, all doing their jobs—but not necessarily always in exact harmony. The coordination of proprietary, open-source and open-standards software that can clash is often a sore point for IT managers—and those are often found within the same data center environment. This all affects business continuity big time, because all those diverse components have to work together in order for a system to recover after being hit by an outage.



LONDON (Reuters) - For European insurers frustrated that "cyber crime" policies have so far failed to find a ready market among skeptical companies, hope may be at hand.

Not only has a huge data loss by Sony Corp dramatically illustrated the risks of hacking raids on corporate data, but the European Union is working on regulatory requirements which threaten heftier fines on unprepared companies.

The net effect for the insurance sector is that its efforts to establish cyber cover as a lucrative business line alongside risks such as weather catastrophes may be about to bear fruit.

In the United States, cyber cover has grown to be a market worth more than $1 billion in annual premiums, but Europe has not yet followed suit, perhaps surprising given a run of high profile, and costly, hacking incidents.



Thursday, 20 June 2013 15:27

Pound Foolish

Seven months after the second most costly hurricane in history, Mayor Bloomberg proposed investing $19.5 billion to make his city much more resilient to future extreme weather events. More than one-quarter of these resources will come from federal funds included in the Disaster Relief Appropriations Act, which provides aid to New York, New Jersey, and other affected states to help them recover from Superstorm Sandy. New Jersey is also investing significant portions of its Superstorm Sandy federal aid in resilience efforts, particularly along the Jersey Shore. These investments will make New York and New Jersey homes, businesses, infrastructure, and coastal areas more resistant to damage from future storms, sea-level rise, and other climate-change impacts.

Unlike New York City and New Jersey, many communities lack the financial resources to become more resilient to future extreme weather events, and the federal government woefully underfunds such resilience needs. This CAP analysis estimates that the federal government spent a total of only $22 billion on general resilience efforts from fiscal year 2011 to fiscal year 2013. The Obama administration requested an additional $13 billion for mitigation efforts in Connecticut, New Jersey, and New York after Superstorm Sandy, but it is difficult to determine the actual mitigation spending from this sum. The federal government does not have a comprehensive tally of its spending for community resilience and other pre-disaster mitigation programs.



Thursday, 20 June 2013 15:27

#2: Tropical Storm Barry

As Tropical Storm Barry, the second named storm of the 2013 Atlantic hurricane season, formed yesterday in the southern Gulf of Mexico, ahead of landfall early today near the city of Veracruz, Mexico, we can’t help but wonder: isn’t it a bit early?

Fortunately, one of our favorite blogs has some interesting facts and stats on early season tropical storms.

Dr. Jeff Masters’ Wunderblog tells us that Barry’s formation date of June 19 is a full six weeks earlier than the usual August 1 date of formation of the season’s second storm.



“The Europeans won’t let this go. They want to know clearly what has really been going on.”

Sitting in one of the State apartments in Dublin Castle, the EU vice president and commissioner for justice, fundamental rights and citizenship, Viviane Reding, is polite, but clearly, deeply frustrated. At a joint press conference with US attorney general Eric Holder held earlier in the day last Friday, Reding had stated that the fundamental privacy and data protection rights of Europeans were “non-negotiable”.

Waiting media were eager to hear what her response would be to recent revelations by former Booz Allen Hamilton contractor Edward Snowden on the existence of two secret schemes run by the US National Security Agency (NSA) for gathering vast amounts of personal phone and online data. One took in millions of phone call records over many years from operator Verizon; the other, named Prism, involved as yet unclear arrangements whereby nine large US technology companies, such as Skype, Apple, Facebook and Google, supplied data on request.



NORMAN — Barely a month since their occurrence, the tornadic events of May have joined the ranks of high-profile school emergencies as a source of heightened scrutiny on schools’ emergency preparedness.

Events like the Columbine High School and Sandy Hook Elementary shootings, or the more local April 2012 tornado in Norman, have dramatically altered priorities in school design and district procedures, with May making certified storm shelters in schools a new concern.

“What gets put in school facilities is reflective of priorities at the time,” Superintendent Joe Siano said. “In 1990, I was the principal of a brand new school and it didn’t have a secured vestibule entry or storm shelters — it just wasn’t a priority to communities at that time. For a new school now, that would be unthinkable.”



The daily process of treating patients has been compared more than once to a military operation—and with good reason. After all, everything of real importance takes place on the front lines, at the point of patient contact. All else is purely support.

That analogy extends to the flow of data. Information has to make it to the front lines in order to be effective. Trouble is, that imperative also makes data—especially patient data—vulnerable to attack from multiple sources.

Since September 2009, the US Department of Health and Human Services has maintained a database of breaches in unsecured, protected health information affecting 500 or more individuals. Of these, more than 60 percent have involved some kind of endpoint computing device—desktop PCs and laptops as well as USB drives, tablets, smartphones and other portable electronic devices. Millions of individual records have been compromised from these endpoints due to unauthorized access or disclosure, theft, loss, hacking or other incident.



Google filed a request with the U.S. Foreign Intelligence Surveillance Court on Tuesday to remove the gag order that prohibited it — and other technology companies — from disclosing information about data requests from the U.S. National Security Agency. Google defended its request citing the First Amendment.

When whistleblower Edward Snowden leaked classified information about the NSA’s practice (in place since 2008) of collecting information about the phone calls of all U.S. citizens and the emails and electronic communications of foreign nationals, Google denied that it had ever given the NSA unfiltered access to its data. Google said it only provided a subset of data whenever a request was made, and wrote a public letter to the head of the Federal Bureau of Investigation, Robert Mueller, and Attorney General Eric Holder on June 11, asking permission to publish numbers about the frequency and scope of those requests. Facebook, Apple and Microsoft followed, asking the government to allow them to do the same. A week later, Google filed a formal request with FISC.



Thursday, 20 June 2013 15:19

Fears of Vanishing Terror Insurance Grow

With the Terrorism Risk Insurance Act (TRIA) set to expire at the end of 2014, corporate risk managers are worrying aloud about what would happen if there’s no property, casualty or workers’ compensation coverage available in connection with a terrorist act.

The anxieties include the possible unraveling of funding for future construction projects, as financiers get cold feet contemplating the total loss that could transpire in the event of an attack. For existing multi-year projects, the risk managers fear that loan covenants could break apart if their companies can’t provide proof of coverage.

Such occurrences are more likely in the real estate industry and in densely populated urban areas. In the wake of the Boston Marathon bombings, however, the sports and entertainment industries are now seen to be at risk. The transportation and petrochemical industries have long been considered vulnerable to attack.



While the bombings at the Boston Marathon reminded responders and emergency managers of the importance of continuing to train and plan for natural and man-made disasters, Cleveland and Cuyahoga County, Ohio, had already been planning a full-scale exercise with the city’s Major League Baseball team. Approached by representatives from the Cleveland Indians about testing their ability to respond to a terrorist attack during a major game at Progressive Field, such as a playoff game, the city reached out to Cuyahoga County to help develop the full-scale exercise.

"The Department of Homeland Security recommends preparation as the No. 1 priority in dealing with emergency situations,” said Bob DiBiasio, the Indians’ senior vice president of public affairs, in a statement. “While our safety and security policies and procedures always have maintained the highest standards, we know it is very important to be well prepared in the event of any major emergency situation."



A recent study conducted by Ipsos Reid on behalf of Toronto-based information security company Shred-it revealed that small businesses do not fully comprehend the impact of a data security breach and, as a result, are not safeguarding sensitive information thoroughly.

An independent survey conducted by Ipsos Reid and commissioned by Shred-it was conducted April 16-23, 2013, with two distinct sample groups: small business owners in the United States (1,008) at companies with fewer than 100 employees, and C-suite executives in the United States (100) at companies with a minimum of 500 employees in the United States.

The 2013 Shred-it Information Security Tracker indicates that an alarming number of small businesses (69 percent) are not aware of, or don’t believe, that lost or stolen data would result in financial impact and harm to their business’s credibility.

Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?

To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.



Wednesday, 19 June 2013 20:19

Security ROI: 5 Practices Analyzed

Traditionally, enterprise data security has relied on a "fortress defense" approach: keep all assets within a corporate castle and build towering walls to keep out the enemy. However, with an evolving threat landscape that includes targeted attacks, social engineering and spear phishing, the model leaves plenty of vulnerable attack points.

With increasing employee mobility, IT professionals are challenged to expand their security practices to "armor" employees individually in addition to the fortress. As a result, IT budgets are stretched thinner, resulting in the need to examine the return on investment of popular security practices. In the battle against data breaches, which practices - "fortress defense" or "armored defense" – provide the greatest ROI?



The federal government spends six times more on disaster recovery than helping communities become resilient to extreme weather that’s predicted to become more intense and frequent in a warming world, a new study shows.

The analysis by the Center for American Progress (CAP), a prominent liberal think tank, labels the approach “pound foolish” and calls for a dedicated fund for “community resilience” fed by higher levies on fossil fuel production.

“We must help communities enhance their ability to withstand the high winds, flood waters, scorching heat, searing wild fires, and parched earth from extreme weather,” states the CAP analysis released Wednesday, which alleges the federal government “woefully underfunds” such efforts.

Wednesday, 19 June 2013 20:16

Is Your Business Prepared For Disaster?

Most organizations understand the importance of keeping critical data safe from both manual and natural disasters. It is surprising, however, to hear just how many companies are not prepared for the day their system goes down and data is lost. And yes, the day will come that data is lost, usually due to a manual user error. Beyond the compromised data, the loss of productivity can immobilize an entire business for hours or even days. Even with the best-laid plans, disaster can strike. Those who are prepared suffer the least.

The current backup and disaster recovery environment is leaning toward solutions that offer integrated and simplified next-generation approaches. These include faster recovery times, easier rebuilds, hardware-independent recovery, bootable backups and bare-metal restore. Successful solutions will require integration with legacy and current data, scale to handle big data, span virtualized and cloud environments, and implement automation while integrating the functions of backup protection and disaster recovery. As priority grows for these solutions, so should IT budgets.



Wednesday, 19 June 2013 20:15

Warning – Not all data is created equal

IT organizations can drive up the cost of storage unnecessarily by treating all data the same and storing it all on the same media. Let’s face the fact: my resume is not as important as the payroll database or even the email database. So, why are you using the same storage policy for both?

Stop using one policy to rule all of your data. It might be simple, but it is killing your bottom line. When looking for a data protection solution, find one that allows you to use policies to treat data differently.

Important data should be prioritized as tier one data that gets backed up most often and most quickly. Perhaps that data can stay on disk for fast restore.



Wednesday, 19 June 2013 20:14

15 great crisis management songs

When you're in the midst of the next crisis, imagine a movie soundtrack playing while you deal with the incident.

What songs would play?

Members of the Crisis Communications LinkedIn group came up with a clever list of more than 30 songs. Below are the top 15 songs from that list.

Play some of these songs in your crisis command center and you might elicit much-needed smiles in the midst of a serious situation:



CIO — Despite the challenges of the budget sequestration that went into effect on March 1, federal agencies are pressing forward with big data initiatives, hoping to squeeze big savings out of more efficient use of their data.

In fact, based on the federal government's FY12 budget actual expenditures of $3.538 trillion, federal IT managers could potentially recognize nearly $500 billion in savings across the federal government via big data initiatives, according to a new study by MeriTalk. MeriTalk is a community network for government IT developed as a partnership by the Federal Business Council, Federal Employee Defense Services, Federal Managers Association, GovLoop, National Treasury Employees Union, USO and WTOP/WFED radio.

MeriTalk surveyed 150 federal IT executives for the report, Smarter Uncle Sam: The Big Data Forecast. Forty-eight percent of the respondents were from the U.S. Department of Defense. The remaining 52 percent were from civilian agencies.



Sacramento, Calif., Mayor Kevin Johnson helped launch the Resilient Communities for America campaign this week offering a pledge, along with 44 other mayors, to create a movement to develop communities resilient to extreme weather, faltering infrastructure and other hazards.

Johnson, on the steps of Sacramento’s City Hall, said a goal is to get 200 mayors to sign a pledge by the end of this year and then a thousand by 2015. He said it’s critical for mayors to leverage their numbers to secure federal and state funding to support local initiatives for infrastructure and energy security and economic uncertainty.



I reconnected with Mark Challender, a former employee back in my business magazine publishing days, and discovered his passion for amateur radio, particularly in supporting emergency management. I confessed to him I didn't see that much of a role for it given all the other options. He soundly corrected me and I asked him to inform the rest of you as he did me. Thanks Mark! Here is his guest post:

Is Use of Amateur Radio in an Emergency Still Valid?

The answer is YES, amateur radio can make your communications better during a crisis when “normal” modes of communication have failed.



Wednesday, 19 June 2013 20:08

Coping with Disasters


Whether you live in tornado alley or in a hurricane-prone coastal region, it’s important to include emotional wellness activities in your disaster plan. Severe weather and evacuations can cause emotional distress such as anxiety, worry, and fear in both adults and children. Although no one can plan for a disaster, you can practice healthy coping skills by following these tips.

Practice Preparedness!
By developing an emergency plan ahead of time you are more likely to feel calm and in control during a storm. Visit http://www.ready.gov for a variety of plans to fit your specific needs. Preparedness is a year-round activity that everyone in the family can participate in, including kids. Involving children and teens in preparedness activities may help them feel less anxious during an emergency and provide reassurance.

Limit Exposure to Media
It’s important to be aware of weather forecasts and local news, but tuning in around-the-clock can trigger additional panic and anxiety. Limit your media exposure, whether that’s watching television, listening to the radio, reading newspapers, or using social media. It’s especially important to limit news coverage when you have children at home because distressing images and sensationalized headlines can cause more confusion, fear and stress. Find a healthy balance that works for you and your family.

Be a Positive Role Model
Children look up to parents and caregivers for guidance during emergencies and stressful situations. Encourage your kids to ask questions about things they see or hear on the news. Answering their questions honestly can help minimize additional confusion and decrease their anxiety. During severe weather forecasts or after a disaster, younger children might need extra attention and may have trouble processing certain emotions. If your child or teen is acting out or seems withdrawn after a disaster, this may be a sign that you need to reach out to a licensed mental health professional for additional assistance. 

Help Others Prepare
A great way to help neighbors, family and friends cope with severe weather is to help them create an emergency plan. Show an older adult or family member how to text their emergency contact or use social media to check in with loved ones. A simple “I’m OK” message can go a long way in easing additional anxiety and stress. Adults with special needs may be particularly vulnerable to feelings of isolation, anxiety and other depression during severe weather. Try to check in on people who may be vulnerable after a disaster or major storm.

Maintain Normal Routines and Practice Self-Care
Even during chaotic or stressful times, it’s important to try to maintain your normal routine. In the face of severe weather, you may need to stay indoors. Avoid “cabin fever” by cooking a favorite meal, playing a board game with the family, or watching a funny movie. This is also an opportunity to do some self-care activities you might not normally have time for, such as meditation, yoga, relaxation techniques, or breathing exercises. Maintaining normal routines is especially important if you have children. It can help ease any anxiety that they may have about the unpredictable nature of severe weather.

Know When to Reach Out for Help

Even after you’ve tried these tips for coping, you may still find yourself struggling with difficult emotions, and that’s common: you’re not alone. After experiencing a severe weather event or a disaster, it may take time to bounce back. With time and support you can continue to move forward and resume everyday routines. Learn more about common distress symptoms and what signs to look for so you can help yourself and loved ones better cope. If you need immediate emotional support or want to talk to a caring counselor about what you’re feeling, you can always call the Disaster Distress Helpline at 1-800-985-5990 (TTY 1-800-846-8517) or SMS (text “TalkWithUs” to 66746) anytime, day or night.

The Disaster Distress Helpline is a program of SAMHSA administered by Link2Health Solutions, Inc. and is the first national hotline dedicated to providing year-round crisis counseling for anyone in distress before, during or after natural or human-caused disasters. This toll-free, multilingual, crisis support service is available 24/7 via telephone (1-800-985-5990) and SMS (text ‘TalkWithUs’ to 66746; Spanish-speakers text ‘Hablanos’ to 66746) to residents in the U.S. and territories. Calls and texts are answered by trained, caring counselors from a network of crisis call centers across the country.


John F. Kennedy once said, "There are risks and costs to a programme of action, but they are far less than the long-range risks and costs of comfortable inaction".

When making any business decision, there are risks that must be measured. Risk management is a key element for any successful business. It starts with identifying, assessing and quantifying business risks, then taking measures to control or reduce them. The risks are then reassessed and business decisions are made based on the remaining risk vs. reward. Having a clear understanding of all risks allows an organisation to measure and prioritise them, then take the appropriate actions to reduce losses. The same also stands true for government departments, small businesses and individuals.



There are more viable offshore outsourcing destinations than ever before -- a great boon for IT leaders seeking new sources of talent, language capabilities, nearshore support, and risk diversification. But IT organizations can no longer afford to take a traditional view of outsourcing location assessment.

"The maturity of global delivery models also continues to increase, and given the demands of increasingly global businesses, this trend will only continue," says Charles Green, an analyst in the sourcing and vendor management practice of Forrester Research. "However while a geographically diverse portfolio of suppliers brings benefits it also requires clients to diligently manage the increased risk of such a portfolio."



It's 2am on Christmas Day. You are woken by a phone call informing you that a police raid in central London has uncovered documentation suggesting that your company has been targeted by a group with links to terrorist and state organisations. These groups are renowned for attacking commercial organisations. What would you do?

Sadly, in my experience this is when most companies realise they are ill-prepared to deal with a cyber-attack. I have seen companies struggle to come to terms with the loss of intellectual property (IP), funds, a fall in share value, and their reputation damaged by information that now finds itself on the web.

So how prepared are you to deal with a cyber-attack? Let’s start by simplifying this subject. The risk around cyber is simply an issue of information security: the way a company values and protects the precious data it is entrusted with. Too often, information security is viewed as an impediment to a company’s operations, and if it is too prohibitive, it can indeed damage its effectiveness. It has to be proportionate. We can’t remove risk, but we can manage it.



Today, many government agencies – civilian and defense – find themselves in a technology quandary: the volume of data that must be stored is growing rapidly, while shrinking budgets are limiting capital expenditures (i.e. – servers, storage devices, etc.) required to store all of this data.

Government agencies are not only eyeing existing storage demands, but anticipated storage requirements as well. Gartner estimates the external controller based (ECB) disk storage market will grow from $22.2 billion in 2012 to $31.1 billion in 2016 (a compound annual growth rate of 7.9 percent).

As a result, storage optimization becomes critical for agencies seeking to boost IT performance while improving utilization and infrastructure efficiency. For agency decision makers seeking to improve storage efficiency as a way to address growing data volumes and shrinking budgets, there are a handful of key strategies to consider.



In 2012, according to the Symantec Internet Security Threat Report 2013, there was a 42 percent increase in targeted attacks on the internet, and 31 percent of those attacks were aimed at businesses with fewer than 250 employees. In short, security risks are continuing to grow at incredible rates, and the standard MSP customer is certainly not immune to the threat. For many small businesses, the initial cost and complexity of acquiring the necessary tools to provide security services can seem daunting. As such, selling security services can be a key part of the managed service provider’s portfolio. So, it’s important to take a look at some of the strategies and opportunities for MSPs to boost revenue and build lasting client relationships through security offerings.





A new report named ‘Disaster Unpreparedness’ has been published by MeriTalk which is an online community and go-to resource for government IT. The report which was underwritten by NetApp and SwishData details how confident IT professionals working for federal agencies are with their current data backup and disaster recovery solutions.

In December 2012, MeriTalk surveyed 150 Federal Department of Defence and civilian IT professionals to see how confident they are with their current disaster recovery strategy, how resilient they deem their strategy to be and how often they test their strategy.

The federal IT professionals who participated in the survey scored themselves very highly for their data backup and disaster recovery preparedness with 70% giving their agency a grade of ‘A’ or ‘B’. Despite the IT professionals awarding their agency such high marks for their data backup and disaster recovery preparedness, only 8% believed that they would be able to recover all the data in the event of a natural or man-made incident.



Tuesday, 18 June 2013 15:59

A new approach to risk management

The role of risk management changes at each level of an organisation in the mining industry. The criteria used to evaluate results will therefore be extremely varied. Corporate management will be interested in risks that are vastly different to those that keep general managers at minesites awake at night. But what effective corporate and minesite risk management has in common is that it should primarily be concerned about removing surprises.

Everyone in the business should be focused on the following simple questions:

  • What are the real, material risks?
  • What are we doing about them?
  • Is it actually working?



The Centers for Disease Control and Prevention’s free app, Solve the Outbreak, may help public health officials educate Americans about massive sickness and treatment.

The app is an interactive, question-and-answer game that educates players about how medical professionals identify mysterious illnesses that strike large populations. Though Solve the Outbreak doesn’t have much replay value, it’s still an informative experience.

People play as disease detectives in three missions and investigate clues to discover what’s happened to make people sick in each scenario. Each clue offers information about the outbreak and asks players what to do next.



Tuesday, 18 June 2013 15:57

Creating a workable plan before a crisis

This article is the first in a four-part series addressing the four fundamental principles of crisis management: creating a workable plan, preparing for a crisis, managing the occurrence of a crisis and how to successfully regain business continuity and traction after a crisis strikes.

The tragic events that have taken place over the last few months, including natural disasters and terrorist attacks, should serve as a reminder that we can never be sure when or where a crisis may next occur. As business leaders, it is our responsibility to ensure our people and properties are protected as much as possible.

The first principle in crisis management is to establish a plan. If you already have one, now is a great time to dust it off and re-evaluate it. A well-designed crisis-management plan will be the end result of three steps. First, you will want to identify probable risks. Second, you must determine procedures and protocols to follow in the event of each scenario. Lastly, you must assemble the plan in an organized fashion and make it accessible to all of your associates.



Each calendar year can be easily associated with a “tech meme.” 2011’s Cloud gave way to 2012’s Big Data. 2013 is nearly halfway over and it’s clear that this year’s meme is “Software-Defined”—specifically in my line of work, the “Software-Defined” Data Center.

I’m not suggesting that these secular trends aren’t / weren’t valid. Nor am I saying that these are not transformational forces that will radically alter the way we conceive, design, build, and run IT for the next several decades. They’ve already started to have a significant impact in companies large and small.



Crisis management required after predictably polarizing article published

We never seem to run dry of examples of easily preventable crises. Last week, an article on Home and Garden TV’s website discussing Fourth of July table settings suggested that an American flag be used as a “bright and festive table runner.” Whoops…

As you probably guessed, flocks of military vets and their families, along with citizens from just about every walk of life, descended on HGTV’s social media sites to rip the network a new one for its misuse of the flag.

To HGTV’s credit, it quickly deleted the article and posted an apology, but to its detriment the apology was a weak one.



Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service (DDoS) attacks they've experienced in recent months. They're not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.



Monday, 17 June 2013 15:49

Cyber crime: Is it on your radar?

According to the government's 2013 Information Security Breaches Survey, an unprecedented number of cyber attacks are experienced by UK businesses. A staggering 93% of large organisations (employing 250 or more), and 87% of small businesses (under 50 staff) have fallen victim to cyber crime over the past year.

While the proportion of large organisations reporting security breaches remains consistent with 2012, 11% more small businesses appear to have suffered third-party hacking. The increasing number of businesses failing to protect their data is a concern, as is the spiralling number of breaches each will experience.

The survey reports 50% more breaches, on average, than a year ago. For large businesses, the median figure is 113; for their smaller counterparts it's 17, up from 71 and 11 respectively a year ago. The associated costs are rising too: large companies can expect to pay between £450,000 and £850,000 for their security lapses; smaller companies face a £35,000 to £60,000 bill.



Cloud, cloud, cloud. If you’re in enterprise you probably hear the word ‘cloud’ multiple times every day. Most of the time, it doesn’t really mean much other than a datacenter that isn’t yours, but it does make you feel safe knowing that someone has your data in hand.

Unfortunately, even in the cloud, disaster recovery is still a necessary evil. Cloud companies that host your data still have outages. Things still break. Disasters do happen. Many companies think that the cloud provider will have their data covered, but they don’t stop to think that perhaps it’s better to consider a world where the cloud provider isn’t able to provide a service after a disaster. Not only that, but how does your business keep going when your local data and premises are gone? That’s often not even factored into the disaster recovery plan.



Monday, 17 June 2013 15:47

Updating Emergency Response Procedures

Question: We have employees working in an area of the country that has experienced a lot of natural disasters over the last couple of years; from earthquakes to flooding to snow storms. As a result, we are updating our company's emergency response procedures. We have some employees who are visibly disabled and others who we believe may have some medical disabilities they have not disclosed to the company. Are we legally permitted to ask our employees to disclose their medical information in order for us to assess what if any special emergency response accommodations we need to have at the ready for disabled employees (both those with visible disabilities and those without)?



South Africans have been hard at work for six years and are now putting the finishing touches on the first comprehensive data protection laws, aligned closely with those currently under debate in Europe.

The proposed European laws give online consumers the right to withhold personal information while using websites – which presents a challenge to the businesses who have based their revenue model on garnering exactly this kind of data.

These laws, if introduced in South Africa, could have far reaching implications for both individuals and businesses.

JJ Milner, founder and chief cloud architect at Global Micro, shares his answers to the burning questions about the implications for South Africa.



Computerworld — Internet pioneer Vinton Cerf is concerned that we're at risk of losing much of the data we've been creating in the digital age he helped usher in.

Speaking at the Computerworld Honors awards program earlier this month, the co-designer of the Internet's TCP/IP protocol said he's concerned that digital items we use today -- spreadsheets, documents and scientific data -- will one day be lost, perhaps one day soon.

To support his point, Cerf noted that the Microsoft Office 2011 software on his Macintosh computer can't read a 1997 PowerPoint file. "It doesn't know what it is," he said.



It is essential that all professional firms - however large or small - develop a disaster recovery plan. A disaster such as a flood, fire or computer virus attack can cripple your operations, meaning that your business’ resources could be limited for a significant period of time. During this time, projects can be delayed and the quality of work may suffer, which can lead to strained client relationships.

Without an effective disaster recovery plan in place, a short-term problem can rapidly evolve into a long-term financial disaster for your firm.

In spite of this, few companies take the time to put together an all-encompassing disaster recovery plan. The key is to have a tried and tested plan in place that will stop the disaster causing further issues for your firm. Here are five tips to develop a disaster recovery plan.



For the early history of computing, data tended to be kept locked down within isolated, local systems for security reasons. With the advent of the cloud however, the idea of accessing data from anywhere, using cost-effective on-demand services is now thoroughly mainstream. Indeed, the future of IT is the cloud.

As cloud computing continues its triumphant spread, one issue that has continued to get undeservedly little attention, though, is the geographical location of data. The ongoing NSA scandal is finally bringing to light just one aspect of how critically important the physical location of digital data has become.



Monday, 17 June 2013 15:41

Taking cover to protect your business

It is the stuff of nightmares for every small business owner: wake up one morning and the enterprise has been destroyed by fire. Or watch, powerless, as flood ruins a lifetime of work.

But there is a way to protect your business from disaster - business interruption insurance. With so many natural catastrophes happening in Australia in recent years, it's essential for small businesses to consider business interruption insurance, whether this means checking levels of cover or acquiring cover where none exists.

Mark Searles, chief executive of insurance broking business Austbrokers, says any business interruption could be a major setback that threatens the very survival of a business, particularly when margins are already tight, as is often the case these days.

''Research has shown that one in four small businesses would not recover if forced to close the doors for three months,'' he says.


Leadership in Resilience was the theme of this year's well-attended Executive Forum and the whole programme was set up to ensure a lively debate around resilience and how BC professionals can take the initiative and lead on this hot issue.   These two-days in Brussels made real progress in clearing the fog and providing some specific examples of where BC professionals can make a difference.  For me the five key learning points were:

1. The growth of the term Resilience in job titles is much more widespread than I had expected. In some cases BC Manager has been changed to Head of Business Resilience without any change of responsibilities. This change is not universally popular among those with the new title because "business continuity" is a strong, meaningful "internal brand" whereas "business resilience" is non-specific and aspirational.



What is disaster recovery?

In simple terms, ‘disaster recovery’ is the process by which you resume business after a disruptive event; this can range from power failures and IT system crashes to theft, fire or flood. Protecting your business systems plays a large part in your ‘Disaster Recovery Plan’.

The implications of not having a ‘Disaster recovery plan’

Many businesses I see are unaware of the importance of a tried and tested plan because they see a potential disaster as an unlikely event but the implications are huge. Just imagine losing all your data for 24 hours, how would you manage to recreate your data to cover the work lost and how much revenue would you lose?



Monday, 17 June 2013 15:37

Natural disasters prove costly

The latest annual risk survey by global insurance brokerage Aon has shown a sharp rise in concerns over business grinding to a halt due to a natural disaster.

Indeed, the concern over business interruption has climbed two places to be the fourth most significant risk ranked by businesses this year.

Aon Australia says the change can be attributed to the floods and fires of recent years, with many businesses still feeling the effects of the disaster.

Events such as Queensland and NSW floods ''have left many organisations contemplating business interruption exposure from a vertical or supply chain perspective, due to the consequent impact on their customer base,'' Aon said in its latest Australasian Risk Survey.

The World Health Organization has published new interim guidance to replace the 2009 Pandemic Influenza Preparedness and Response advice. 'Pandemic Influenza Risk Management' includes the following:

  • Focus upon risk assessment at national level to guide national level actions
  • Revised approach to global phases
  • Flexibility through uncoupling of national actions from global phases
  • Inclusion of principles of emergency risk management for health
  • New and updated annexes on planning assumptions, ethical considerations, whole-of-society approach, business continuity planning, representative parameters for core severity indicators, and containment measures.

Business continuity annex

Pandemic Influenza Risk Management includes a checklist of action items that should be contained in a business continuity plan in order to cover pandemic risks. These items are:

  • Identify the critical functions that need to be sustained.
  • Identify the personnel, supplies and equipment vital to maintain critical functions.
  • Consider how to deal with staff absenteeism to minimize its impact on critical functions.
  • Provide clear command structures, delegations of authority and orders of succession.
  • Assess the need to stockpile strategic reserves of supplies, material and equipment.
  • Identify units, departments or services that could be downsized or closed.
  • Assign and train alternative staff for critical posts.
  • Establish guidelines for priority of access to essential services.
  • Train staff in workplace infection prevention and control and communicate essential safety messages.
  • Consider and test ways of reducing social mixing (e.g. telecommuting or working from home and reducing the number of physical meetings and travel).
  • Consider the need for family and childcare support for essential workers.
  • Consider the need for psychosocial support services to help workers to remain effective.
  • Consider and plan for the recovery phase.

Read the document (PDF)

Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister struck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.

The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Oftentimes, however, security managers become so bogged down in the minutiae of everyday operations that their enterprise risk management plans are neglected, rarely ever being updated or practiced.



New York City is currently on pace to meet all of the long-term climate change and sustainability goals set by the mayor’s office back in 2007, Mayor Michael Bloomberg announced Tuesday. The city is simultaneously launching a $20 billion effort to prepare for the adverse effects of climate change.

The new plan incorporates more than 250 recommendations to improve the city's readiness for another storm like Hurricane Sandy, which caused $19 billion in damages and economic loss. New projections from city scientists also anticipate faster rising seas, hotter summers and more heavy rains, making it imperative that the city take action now, Bloomberg said in a speech announcing the new initiatives.



IT executives are growing more concerned with the potential of data outages from natural disasters. More companies are taking a proactive approach to data security as part of their disaster recovery planning, according to AT&T's annual Business Continuity Study. 

Recent natural disasters such as Superstorm Sandy and the tornado in Oklahoma have highlighted the risk of data security breaches. Eighty-eight percent of the IT executives surveyed understood the growing importance of data security, and most included wireless network capabilities in their disaster preparedness business solutions.



Despite the devastation caused by Superstorm Sandy and other recent natural disasters, small businesses aren’t getting the message. A new survey finds 70 percent don’t expect to experience a similar disaster and nearly half have no plan to ensure business continuity.

The survey of 200 small businesses, sponsored by FedEx and the American Red Cross, found that Superstorm Sandy inspired only 10 percent of respondents to take new steps to prepare for disasters, according to a press release on MarketWatch.com.

“Developing an emergency preparedness plan is one of the most important strategic decisions a small business owner will make,” says Tom Heneghan, manager of preparedness for the Red Cross. And yet SMBs are more likely to rely on the bare minimum of disaster planning, hoping they’ll never have to use it. “People know they should do it, but it’s not always at the top of the list,” Heneghan says.



Thursday, 13 June 2013 13:06

10 Hot Big Data Startups to Watch

CIO — The Big Data market is heating up, and unlike some overhyped trends (social media), it's pretty easy to pinpoint ROI with these tools.

When we put out calls for nominees through the Story Source Newsletter, HARO, Twitter, and other channels, we received more than 100 recommendations. Usually, when we get that many, a good chunk of them can be dismissed out of hand. Some are clearly science projects; others have zero funding, no management pedigree and a dubious value proposition, while a few are clearly the product of malarial hallucinations.

Not so this time. Very few of the startups we looked at were whacky long shots. Most were decent ideas, backed by real VC money and seasoned management teams.



Thursday, 13 June 2013 13:05

Email Morphs into Corporate Espionage

An email just dropped into my electronic in-box with the subject “Should You Archive Email to the Cloud?”

I suppose it’s a good question and I can think of many reasons to keep my emails “closer to home.”

But the query did trigger an off-the-wall thought, my forte, it seems.

What about vendor security – all vendors, not just in the cloud.

When a person or organization signs up with a vendor, the vendor asks for, usually justifiably, a great deal of information. Granted, most of the information can be acquired from public resources, public records. But maybe not all, and some of the “not all” should be, at a minimum, “confidential.”



We regularly ask heads of Enterprise Risk Management (ERM) what stops them from having an impact on strategic decisions in their organization. The most common response we get is “we do not have a seat at the table.” In our recently conducted State of ERM survey, we asked heads of ERM about their team’s involvement and effectiveness in the strategic planning process. While 50% of ERM teams were involved in some capacity, only 20% thought they were highly effective. So, if it’s not about a seat at the table, what is at the root of the problem? Why are ERM teams not able to effectively partner in the planning process? Moreover, are you completely sure how your ERM team can add value if you had a seat at the table?



Wednesday, 12 June 2013 14:01

Lessons in Disaster Recovery

The EF-5 tornado that ripped through Moore, Oklahoma, left 24 fatalities, nine of them children. An estimated 12,000 homes and many businesses were destroyed or damaged along the estimated 17-mile-long, 1.3-mile-wide tornado path. It’s hard to get your head around that kind of devastation.

While the immediate concern is response and recovery, the residents of Moore will soon have to turn to the task of rebuilding. But among the first steps toward emotionally healing from the storm is removing the debris—that is, the physical vestiges of the storm. And that step needs to be taken quickly. 

The longer it takes to rebuild and reopen businesses, the less likely it is that communities will fully recover. Social scientists have been studying what has helped or hindered community recovery in the hopes that future communities—like Moore—can recover more rapidly and comprehensively.

Wednesday, 12 June 2013 13:59

Big Data: The future of info security?

According to IBM, 90 percent of the data in the world today has been created in the last two years. From social media, mobile devices and digital sensors to e-mails, images and videos, these vast sources of data create a potential goldmine of valuable information about people and their activities. 

Whilst the promise of actionable insight from data is not new — business intelligence and other analysis capabilities have long been present in many organizations — what is new is the rate at which the data is growing, the way the data is changing and the demands being placed upon it.



After 10 years of managing an IT audit function for an international energy company, I had the opportunity to head up their IT Strategy group that was charged with creating Organizational IT Security and Risk profiles and plans.

The charge of this function was to annually evaluate organization-wide internal and external risk as it relates to IT, and to communicate this information back to the CISO, CIO and CFO. Carrying out the evaluation of organizational IT risk required working not just with IT personnel, but also with business personnel all the way up to the C-level business unit leaders.

The information gleaned from these annual assessments drove plans to improve and bolster our overall security posture based upon where we were at a point in time and where we anticipated being in the next several years. Ultimately this was a dynamic view of risk versus a point in time tactical view.



Wednesday, 12 June 2013 13:53

Supply Chain Complexity Expands Risk

Everyone talks about risk in the supply chain, but the increasing complexity of it makes identifying and mitigating risks difficult.

In fact, almost half of executives are afraid that their supply chain risk management is only somewhat effective or has no impact at all, according to a recent survey from Deloitte. Said Kelly Marchese, principal at Deloitte Consulting LLP, in a press release:

Supply chains are increasingly complex and their interlinked, global nature makes them vulnerable to a range of risks. This increased complexity, coupled with a greater frequency of disruptive events such as geopolitical events and natural disasters, presents a precarious situation for companies without solid risk management programs in place.

Decisions around risk mitigation in the supply chain can make the difference between success and failure, and organizations know it. In counting the costs of risk events, 71 percent of those surveyed for Deloitte's research said that supply chain is an important part of strategic decisions. Poor decisions are likely to erode already thin margins or make suppliers unable to address sudden changes in demand.



The power was out for 2 million electric customers in New York. Hospitals and nursing homes were evacuating patients and shutting down. Thousands of people were stranded in high-rise buildings, needing food and water. In Queens, houses were burning to the ground. Water rescues were taking place in New York City and on Long Island.

These events didn’t take place on different days. They all happened simultaneously when Hurricane Sandy struck New York on Oct. 29, 2012. They illustrate three key distinguishing aspects of a Type 1 disaster: scope and scale, velocity and ambiguity of information. Emergency managers responding to Hurricane Sandy in New York experienced all of these challenges.



Implementation of cloud services and mobile applications would assist in preparation for potential disasters.

The majority of organisations are adopting a proactive approach to security, improving their business continuity and disaster recovery plans by incorporating wireless network capabilities, cloud services and mobile applications, a new report has found.

AT&T's Business Continuity Study revealed that 63% of executives surveyed believed the looming threat of security breaches was the main security concern for 2013.



Wednesday, 12 June 2013 13:35

Social Media Crisis Management Musts

Like it or not, social media is all but guaranteed to play a role in your next crisis.

Sure, you could bury your head in the sand and pretend it doesn’t exist, but not having a Twitter or Facebook account won’t prevent your stakeholders from venting about, or attempting to reach you via those services. At best you’re missing out on the most popular communications platforms, hosting the largest communities, currently in existence, and at worst you’re creating further ill-will by not having a presence because people can’t get in touch, a troll is hard at work trashing your name, or any number of other potential ugly situations.

To make things easier, here’s a list of social media crisis management “musts” to get you started on the right track:



Tuesday, 11 June 2013 14:15

How businesses prepare for disasters

With fears of potential security breaches and natural disasters like Superstorm Sandy and the recent Oklahoma tornado weighing heavily on IT executives, businesses nationwide have continued to grow and advance their business continuity and disaster recovery plans to incorporate the adoption of wireless network capabilities, cloud services and mobile applications.

The annual AT&T Business Continuity Study found that:

  • More than half of executives surveyed (63%) cite the looming threat of security breaches as their most important security concern for 2013.
  • 84 percent of executives are concerned about the use of mobile networks and devices and its impact on security threats.
  • 88 percent of those surveyed understand the increasing importance of security and indicate that their companies have a proactive strategy in place.
  • Nearly two-thirds (64%) of companies include their wireless network capabilities as part of their business continuity plan.
  • 87 percent of executives indicate their organizations have a business continuity plan in place in case of a disaster or threat – a slight uptick from last year (86%).



The scandal surrounding the National Security Agency's Prism data-gathering programme will impact all businesses that rely heavily on the processing and analysis of customer information, according to experts.

Technology giants including Apple, Facebook and Google have denied that they have participated in Prism and have said that they have not enabled the US government to access their systems through a "backdoor".

Tuesday, 11 June 2013 14:13

Big Data: Book review

There's a logical fallacy that mathematicians are fond of quoting when humans exercise their considerable built-in pattern-recognition abilities to draw conclusions that could just be coincidence: correlation does not imply causality. But, as Kenneth Cukier and Viktor Mayer-Schönberger argue in Big Data: A Revolution That Will Transform How We Live, Work, and Think, what Big Data brings with it is a profound shift in our attempts to understand How the World Works. In their view, correlation may now be good enough all by itself.




For centuries we have focused on causation as a way of deriving general principles from specific cases. For example, once we understood that plants grew in response to ready supplies of sunlight, water and nutrients in the soil, we were able to apply this knowledge to promote more rapid and reliable growth. What's happening now is that by churning through huge masses of data we can find patterns that would not be trustworthy in smaller samples, and derive value from them whether or not we understand the underlying causality.



Tuesday, 11 June 2013 14:12

How to Keep your Data Safe

In the wake of the recent collapse of data centre provider, 2E2 (the company ran out of cash and asked clients including the NHS and numerous businesses to stump up extra money to avoid losing their data), it’s more important than ever that companies take the right precautions and ask the right questions to ensure their data is safe and that they have peace of mind. The amount of data being collected, transferred and processed across all businesses is increasing exponentially and storing it is now a key element of business operations, as is keeping it secure.

Like any business partnership, the first and perhaps most important consideration for a prospective client should be the people that will look after their data on a day-to-day basis i.e. the employees of the firm they are evaluating. Around 70% of instances of data being compromised are down to human error; so you need a team you can trust.



My recent blog assessed how 'disasters' fared in the U.N. Secretary General’s High Level Panel report on post-2015 development goals. This time, I consider the report’s implications for setting priorities for the successor to the Hyogo Framework for Action (HFA), the global agreement on reducing disaster risk. The HFA, like the Millennium Development Goals, is also due for renewal in 2015. Here are some preliminary points.

The next HFA should:

1. Ensure ‘tacking vulnerability and its causes’ is the dominant message. Here, very clear links need to be made to the post-2015 development goals that help to underscore the critical intersection of disaster risk and the causes of vulnerability and poverty. If backed by a disasters target in a poverty goal, as suggested by the high level panel, the successor to the HFA can then become a vision, operational plan and implementation guide for governments and the global development community. This will take equal recognition of the small (‘silent’) disasters, as well as the headliners, and therefore place ‘development’-oriented policy responses at the core of the next agreement.



Hurricane Sandy, the recent, deadly tornadoes in Oklahoma and the Boston Marathon bombing are stark reminders that businesses and commercial and industrial properties are susceptible to a wide variety of emergencies.  Hurricanes, extensive flooding, blizzards, ice storms, fires and utility disruptions are just some of the emergencies that can impact a business’ operations, bringing fresh urgency to the need for business preparedness and resiliency efforts.

Such emergencies and disasters have the potential to cripple or even destroy businesses – of all sizes and scope – that are unprepared for such events; studies show that 40% of businesses that do not have emergency plans in place do not re-open after a major incident.

Having businesses that are resilient to emergencies ultimately helps local communities and citizens recover from disasters faster – which is why business resilience is so important to FEMA.   Engaging an entire community in disaster preparedness, response and recovery activities is a main responsibility of FEMA’s Private Sector Liaisons, who work in all ten FEMA regions across the country.  As the Private Sector Liaison for FEMA Region I (which covers six states and 10 Indian Tribes in New England), I arranged for our regional office to participate in the “Weathering the Storm: How Properties Can Prepare and Respond” event that NAIOP Massachusetts, The Commercial Real Estate Development Association, hosted on May 31, 2013.



Recent news of widespread phone and internet surveillance by the National Security Agency (NSA) has raised serious questions over the ethical and legal obligations private companies face to protect the privacy of individuals. To what extent is it ethically acceptable for companies to assist in legal surveillance of innocent individuals?

Telecommunications companies are caught between the rights of individuals to protect personal data about themselves and governmental demands for personal information under the guise of national security. The fundamental problem is that individuals place trust in companies to protect their privacy, while companies are legally required to pass this data on at the request of the government under increasingly broad interpretations of laws permitting surveillance.



GENEVA – Amid human infections from H7N9 and MERS-CoV, the World Health Organization (WHO) on Monday released an updated guidance to help coordinate national and international pandemic preparedness and response.

The "Pandemic Influenza Risk Management: WHO Interim Guidance," incorporating lessons learned from the Influenza A (H1N1) 2009 pandemic and other relevant developments, replaces the "2009 Pandemic Influenza Preparedness and Response: a WHO Guidance Document."

Following recommendations by a review committee on Pandemic (H1N1) 2009, the new influenza guidance simplifies the pandemic phases structure, emphasizes the risk assessment and risk-based approach, and increases the flexibility of member states to take actions.



Tuesday, 11 June 2013 14:05

The art and science of risk management

Computers, networks, and information security seem to fall comfortably under the heading of science, but science alone is not enough. Security system developer Tripwire recently conducted a survey in cooperation with the Ponemon Institute to find out whether IT professionals consider risk management to be “science” or “art."

Ponemon surveyed 1,320 respondents across the United States and the United Kingdom: IT professionals working in information security, risk management, IT operations, business operations, and compliance. Participants were asked, “In your opinion, is information security risk management an ‘art’ or ‘science’?”


Ponemon defined the two concepts for the purposes of the survey. “Science” means basing decisions on objective, quantifiable metrics and data. “Art” refers to analysis and decisions that are based on intuition, expertise, and a holistic view of the organization.



Can summer heat cause as big a disaster as a hurricane or tornado? We turned to backup and disaster recovery specialist and MSP Strata Information Technology, Inc. to find out. President Pete Robbins follows three simple procedures to keep customers in check during the summer heat. We'll reveal the scoop in this MSPmentor exclusive.

Robbins suggested to MSPmentor that even for MSPs located in an area that is less likely to be hit by a natural disaster, it's still important to stay focused and energized.



Today’s virtualized systems provide a sound platform for business continuity because the platforms and networking are stronger and more agile than they were even a few years ago.

One of the key benefits of the cloud model—and all cloud systems are virtualized—is how virtual machine-driven systems can help to ensure business continuity and speed disaster recovery. Companies of all sizes are always looking for affordable ways to deliver quality IT services reliably and continuously to customers and employees. Cloud computing using virtual machines presents a low-cost disaster recovery and business continuity solution for small and midsize businesses and a more cost-effective alternative for cost-conscious larger corporations.



Tuesday, 11 June 2013 14:02

No performance checks?

Once again the Y-12 Tennessee nuclear arms facility's security has been breached.

This time by a little old lady who apparently got lost.

According to an article on the KnoxNews Website (http://tinyurl.com/ksj8x6f), the security breach occurred less than a year after three protesters cut through a series of security fences and walked to the innermost sanctum of Y-12, the country’s largest repository of weapons-grade uranium.

“I’m not aware of any circumstances quite like this,” said Steven Wyatt, spokesman for the National Nuclear Security Administration and Y-12. He called Thursday’s incident a “security lapse.”



Opening day for baseball season was March 31, coinciding with the monthly commencement of tornado season. Although teams train and are prepared for baseball season, many businesses are not prepared for tornadoes, which we've already felt, unfortunately, or even hurricane season, which launched June 1.

Disasters arrive in three forms — natural, manmade and technological — and, based on their continual emergence, have been labeled the new normal. Natural disasters have increased 40 percent since the early 1990s, and manmade disasters have amplified exponentially since 9/11. The recent 3/11 Japanese earthquake and tsunami crippled automakers and their supply chains. And who would have guessed two hurricanes would cruise the Northeast?



Federal agencies can recover from disaster quickly with client virtualization

When it comes to business continuity (BC) and disaster recovery (DR), client virtualization is a two-sided coin: There’s what client virtualization offers in terms of continuity and DR preparedness, and what it requires.

Of all the reasons to consider client virtualization, BC and DR may be the most compelling. For example, if a sensitive government agency can never afford a massive virus outbreak in its desktop environment, client virtualization can help it ensure uptime.

Or, as another example, if a company happens to locate its headquarters where earthquakes, tornadoes or hurricanes are common, and losing days or weeks to a natural disaster would cripple operations, then client virtualization presents a compelling, mission-critical investment.



A penny saved is a penny earned. We all know this saying, and most of us try to live by it. Whether you’re the type of person who can’t see a penny on the sidewalk without picking it up, or someone who visits the Frist Center only on the days when admission is free, we all do what we can to save a buck.

In business, finding ways to save money can make a big impact on your bottom line. It’s generally good business practice to keep your capital and operational costs low.

You can do this in several ways, from conducting extensive research before purchasing new equipment and negotiating down supplier contracts, to powering down workstations at night and making do without free soda in the break room.



Hurricane Sandy put many companies to the test: Could they withstand a storm that could shut down business for days, or even weeks?

With no Internet, phone or power and therefore, no way to communicate with employees or customers, workers were unsure whether to go to work, and customers had no way to contact businesses to find out when they’d reopen, what to do in an emergency and if their various appointments would be kept.

How a business responds to emergency situations reveals much about the company’s management skills and disaster preparedness.

Creating a business continuity plan to stay in touch with both employees and customers in the case of a natural disaster can spare companies the suffering from a storm’s scars — which can often be as harsh as putting a company out of business permanently.



Tuesday, 11 June 2013 13:25

Risk Management: Art or Science?

Is risk-based security management an art or science? That’s one key question posed to more than 1,200 IT professionals in a recent survey by Tripwire Inc. and Ponemon Research. The report, “The State of Risk Based Security 2013,” asked: “In your opinion, is information security risk management an ‘art’ or ‘science’?” For the purposes of the survey, “art” was defined as analysis and decision-making based on intuition, expertise and a holistic view of the organization. “Science” refers to risk analysis and decision-making based on objective, quantitative measures. They found:

  • In the U.S., 49% of respondents said “art” and 51% said “science”
  • In the UK, 58% of respondents said “science” and 42% said “art”
  • 66% of enterprise risk managers and 62% of business operations respondents say risk-based security management is “art”
  • 62% of IT security and 56% of IT operations said “science”



CIO - When Carly Simon sang the words "...they were clouds in my coffee" in her 1972 megahit, "You're So Vain," the notion of industrialized cloud-based computing was several decades in the future. Steve Jobs, speaking at Apple's Worldwide Developers Conference in 1997, alluded to the fact that the concept had actually germinated some 10 years earlier.

But Jobs' vision was prescient relative to what we now think of as cloud computing. He was arguably the first to see the huge promise and seismic shift brought on by the advent of device-independent data accessible from anywhere, at any time, on any type of technology, be it an iPhone, iPad, PC or other smart device. This is common today for personal effects such as music, video and financial services-but only recently has this capability begun making its way into the fundamentals of supply chain management.



U.S. Magistrate Judge Andrew Peck’s declaration that computer-assisted review is “acceptable in appropriate cases” may have helped change the electronic discovery landscape forever. Prior to Judge Peck’s 2012 order in Da Silva Moore v. Publicis Groupe, there were no known cases specifically addressing the use of computer-assisted review (aka predictive coding technology). Since then, at least seven different courts have taken up the issue of predictive coding technology and when viewed collectively, the cases signify a trend toward continued judicial interest. For example, in October 2012, a Delaware Chancery Court Judge stunned many in the legal community with what appeared to be a sua sponte order in EORHB, Inc., et al v. HOA Holdings, LLC, when he asked the parties to show cause as to why they should not use predictive coding technology:

“I would like you all, if you do not want to use predictive coding, to show cause why this is not a case where predictive coding is the way to go.”




Tuesday, 11 June 2013 12:57

In the Name of Public Safety, Part II

New York University hosted its annual Global Risk Forum last week, with presentations from experts on critical infrastructure protection, hacktivism from groups like Anonymous, and bio-threats like the MERS coronavirus; and a general discussion by participants of top risks on the radar screen.  A second day for participants involved a construction site tour of World Trade Center One (Freedom Tower) and the 911 Memorial Museum, courtesy of the Port Authority.  I don’t think any of us who took the tour will ever forget standing in the clouds on the 90th floor of the unfinished building.  Thanks to Rich Cooper for use of his photo.

In the media and in government agencies, things have heated up since I wrote my earlier column on terrorism.  We have real world examples that test the parameters of both the first and fourth amendments to the U.S. Constitution, focused primarily around national intelligence collection.  It’s too soon to believe that we have all the facts of the matter.  Attorney General Eric Holder said recently that “the department's goal in investigating leak cases is to identify and prosecute government officials who jeopardize national security by violating their oaths, not to target members of the press or discourage them from carrying out their vital work.” [1]  His remarks occurred in response to press reports that “authorities had secretly obtained telephone records for 20 lines used by Associated Press journalists as part of an ongoing criminal investigation into the source of information for an article about a foiled terrorist plot in Yemen.” [2]



Symantec Corp and the Ponemon Institute recently released the 2013 Cost of Data Breach Study: Global Analysis which reveals human errors and system problems caused two-thirds of global data breaches and three-fourths of data breaches in India in 2012, pushing the global average to INR 7,360 per record[1]. Issues included employee mishandling of confidential data, lack of system controls, and violations of industry and government regulations. Heavily regulated fields including healthcare, finance and pharmaceutical incurred breach costs 70 percent higher than other industries.  

Following the global pattern, the cost per record for Indian organizations increased over the previous year, with Indian organizations incurring INR 2,271 per compromised record in 2012. However, organizations that appointed a chief information security officer (CISO) with enterprise-wide responsibilities, comprehensive incident response plans, and stronger overall security programs, experienced reduced costs globally and in India.



With the Philippine economy losing hundreds of billions of pesos every year because of disasters, the business sector should play a more “visible” role in disaster risk-reduction (DRR) efforts, the chairman of the Senate Committee on Climate Change said.

Sen. Loren Legarda made the statement in a privileged speech at the closing session of the 15th Congress before the weekend.

She shared some important findings of the 2013 Global Assessment Report on Disaster Risk Reduction of the United Nations International Strategy for Disaster Reduction (UNISDR).



With today’s high customer expectations for service and the need for organizations to secure business continuity, businesses must develop a collaborative approach to supply chain management. Your business must be able to orchestrate suppliers, assemblers, and distributors, creating a singular view of goods and services among all entities that touch the supply chain. 

From Insularity to Integration

Until recently, companies were driven to closing off and protecting their supply chains. Now the drive is for collaboration. Indeed, in a recent supply chain trend analysis, Gartner has focused on “co-opetition,” in which partnering with potential competitors can be a transformational differentiator.




Technology can be a wonderful thing, can’t it? It wasn’t too long ago that having any kind of off-site disaster recovery solution in your company meant that you were a member of the Fortune 500. Well that’s not true any longer. In fact, this technology is so affordable now that virtually any size company can implement one of several possible disaster recovery solutions and protect themselves from catastrophe. So why is that? Three key things… the widespread acceptance of server virtualization, the availability of inexpensive high-speed internet connectivity, and new low-cost disaster recovery software solutions tailored to the virtual world.

Let’s take a look into the past and review where we have come from. There have been three phases in the evolution of this function:



Hurricane season is upon us, and forecasters have predicted an above-normal number of storms this year.

Already one named tropical storm roared through Virginia on Friday.

And as many as 20 named storms and six hurricanes of Category 3 severity or higher are expected during this hurricane season, which runs from June 1 to Nov. 30, according to forecasts by the National Oceanic and Atmospheric Administration.



Self-preservation is the primary law of nature… and, may I add, of business. Business continuity plans are an essential part of business; they are the ‘self-preservation’ aspect.

To create a business continuity plan, we have to identify internal and external threats to both hard and soft assets of the company – but who can really prepare for an earthquake, violent storms, tsunamis or tornadoes? Who can be ready when such calamities strike? These may not have been immediate concerns before, but we’ve seen Mother Nature strike one too many times to ignore a contingency plan.



Business continuity has become a high priority for companies, and one of the most significant recent trends in BC planning and practices is the emergence of cloud computing as a key component.

"The cloud has fundamentally changed business continuity," says Rich Cocchiara, distinguished engineer and CTO for Business Continuity & Resilience Services at IBM. "Capabilities previously only available to larger companies, such as remote failover, are now within reach of many small and medium size businesses."



How do you handle understanding the enterprise risks in a corporation where all of the risk management functions are dispersed in differential line management — General Counsel, Finance, Technology, Facilities? How do you define the participating functions? Yes, the ideal situation is having these groups housed under a Chief Risk Officer or Head of Operational Risk, but in the absence of organization structural shifts, here are some tips for you.

Be a Leader in bilateral conversations of risk partners
The most successful global security teams that I have been a part of were always leaders in collaboration and outreach to risk partners to pave the way for information sharing. Yes, there was the risk of the information flow being one-way, and this is usually the case at the beginning, but as the interaction continues over time, the information flow gradually becomes two-way. For example, you may start with a monthly global meeting with Facilities and Business Continuity and a quarterly meeting with Information Security and Compliance.



Hands up how many people were surprised to learn that US security authorities have access to the phone records and the server traffic of the biggest telecom and internet companies in the world?

The “revelations” in the Washington Post and Guardian this week that the National Security Agency is trawling data relating to non-US citizens on the systems of giants like Microsoft, Google, YouTube and others may have made for strong headlines.

But in reality, it’s likely that many people would be more surprised to learn that the type of trawling carried out by operation PRISM was not going on. Following 9/11, the rules of engagement of counter-terrorism in the US changed utterly. Law enforcement officials secured significant new formal powers, and it is certainly fair to assume that levels of unofficial monitoring of internet and phone based chatter and records jumped too.



IT managers believe that the fragmentation of corporate data across their IT infrastructure and an emerging ‘Shadow IT’ network of user devices or consumer cloud services outside their control are putting their organizations at risk.

New research from Freeform Dynamics shows over 80 percent of respondents believe effective business decision making is hampered by data availability and inconsistency issues. 83 percent are concerned about the security of their corporate data as it is increasingly dispersed across their network and outside. Getting the situation under control is also proving difficult with 93 percent saying that tracking and managing critical corporate data is now a big challenge, with the associated costs highlighted by 84 percent as being a further concern.

The survey report ‘Storage Anywhere and Everywhere – dealing with the challenges of data fragmentation’ is the result of interviews with 300 IT professionals in mid-sized organizations across the US and UK completed in April 2013. The independent report was sponsored by Mimecast. An infographic best practice guide and the full report can be found at www.mimecast.com/datafragmentation



As individuals get better access to the technology that enables their participation in the information age, so privacy has to be considered and regulation applied to raise standards to those that are acceptable across that society. It was interesting, therefore, to note the cultural recoil that occurred in response to the NSA’s recently discovered, and rather widespread, caller record collection (not to mention other 'PRISM' related data!) - it’s clear that this has crossed a boundary of acceptability.

This isn’t, however, just a US problem. A news story recently broke in India highlighting that local law enforcement agencies had, over the past six months, compelled mobile phone companies to hand over call detail records for almost 100,000 subscribers. The requisitions originated from different sources and levels within the police force, and their targets included many senior police officers and bureaucrats.



Friday, 07 June 2013 14:51

Humans cause data breaches. Fact.

Human errors and system problems caused two-thirds of data breaches during 2012, with employee behaviour one of the most alarming issues facing companies today.

A recent study by Symantec and the Ponemon Institute claims issues included employee mishandling of confidential data, lack of system controls and violations of industry and government regulations.

Heavily regulated fields – including healthcare, finance and pharmaceutical – incurred breach costs 70% higher than other industries according to the report.



The image of someone having their computer hacked is often of a grandmother who has had her identity stolen or a family that has had its bank accounts fraudulently accessed online. However, for criminals who carry out these cyber attacks, businesses are often their preferred targets.

2012 was a banner year for cyber criminals who steal data from businesses. Numerous large corporations suffered high-profile data breaches, but many smaller firms experienced devastating data breaches as well.



Recovering from a flood or fire is hard for a business. But dealing with problems caused by a lack of business continuity plans or inadequate insurance can make it worse.

“The better you can plan for how to deal with an incident, the better off you’ll be,” says Lawrence J. Newell, CISA, CBRM, QSA, CBRM, manager of Risk Advisory Services at Brown Smith Wallace. “I say ‘incident’ because it could be something not always thought about in typical disaster terms, such as a breach of credit card information.”

Smart Business spoke with Newell and William M. Goddard, CPCU, a principal in the firm’s Insurance Advisory Services, about developing business recovery plans and the insurance options available to reduce risk.



Friday, 07 June 2013 14:48

3 Roles For Tape In The Cloud

Questions about the usefulness of tape come up often in conversations with users and vendors. The general theory, especially by cloud storage vendors, is that tape has outlived its usefulness.

The reality is that it has not; in fact, I often make the case that tape is actually more useful than it has ever been, especially in the cloud.

Here are three uses for tape in the cloud today.

1. Cloud Seeding.

Tape is an ideal way to "seed" a cloud. Seeding is getting the initial data to the cloud storage facility. Instead of transferring data across an Internet connection for days or weeks, it can be copied to tape and sent to the cloud provider via an overnight truck. If it will take you longer than 24 hours to seed a cloud via WAN transfer, then tape should be considered.



When the Ontario Volunteer Emergency Response Team (OVERT) was started about 20 years ago, it focused on providing a traditional search-and-rescue team to aid operations in the greater Toronto area. The group of unpaid professionals embraced its mission of providing well trained searchers to assist law enforcement looking for lost or missing persons. But then the severe acute respiratory syndrome (SARS) epidemic hit Canada in 2003 — 800 people were killed worldwide including 44 in Canada — marking the first big community incident that OVERT was involved in.

“Our public health department found themselves without the manpower or resources to deal with a lot of the problems,” said OVERT Coordinator Glen Turpin. “And it was solving basic issues, things such as delivering food to quarantined homes and assisting with triage at hospitals.”



When terrorist suspects Tamerlan and Dzhokhar Tsarnaev set off two bombs near the finish line of the Boston Marathon in April, those immersed in the science of homeland security pondered a handful of obvious questions: What had authorities done to secure the route, and was securing all 26.2 miles of the course even possible? Had local law enforcement picked up any chatter related to a possible attack in advance of the incident? And were the brothers homegrown terrorists or connected with some foreign group?

Those are the kinds of questions that routinely get examined through an extensive intelligence infrastructure in place in the form of nationwide “fusion centers.” They were set up by the Department of Homeland Security (DHS) after the Sept. 11, 2001, terror attacks as a way to improve information gathering and intelligence surveillance among the country’s various law enforcement agencies.



WASHINGTON - Recent twisters in Oklahoma are a reminder that preparation is critical, because bad weather can strike just about anywhere.

Hurricane season also is officially here, and Tropical Storm Andrea has prompted a warning for a swath of the East Coast, all the way to Cape Charles Light in Virginia.

To help you prepare for the possibility of bad weather, WTOP's David Burd recently sat down with Seamus Mooney, director of the Department of Emergency Preparedness for Frederick County, Md.



A business had no excuse for not being prepared for hurricanes a decade ago. After Hurricane Katrina and Hurricane (and then Superstorm) Sandy, there is even less rationale to not take the necessary steps, especially if the business is located in the area most likely to be pounded. Unfortunately, that area seems to be getting bigger.

Last Saturday was the beginning of hurricane season, and May 26 to June 1 was National Hurricane Preparedness Week. Unlike some crises, such as fires and power outages, hurricanes and other weather-related challenges are vaguely predictable. That’s a good thing. The other good news is that a tremendous amount of information is available on hurricane preparedness and, more generally, on business continuity/disaster recovery.



As part of my ongoing research into data privacy laws in Asia Pacific (AP), I spoke with chief information security officers (CISOs), consultants, lawyers, and governance, risk, and compliance (GRC) professionals. This is critical to gauge key decision-makers’ awareness and understanding of the ever-evolving data privacy regulations and policies across 15 different jurisdictions in the region.

Some senior people have admitted to me that their organizations have not traditionally taken data privacy issues terribly seriously within their AP operations. However, in a clear sign that this is beginning to change, GRC practitioners are starting to see increased demand for their compliance-related services from both government and business sectors, particularly since late 2012. Regardless of where you stand on this spectrum, the reality is that the awareness levels of data-related regulations – and the level of compliance required to abide by these regulations – varies widely across the region.



Thursday, 06 June 2013 14:24

5 Disaster Recovery Misconceptions

Do you know how your business technology would fare if a true disaster were to hit? With the rate technology and your applications change and evolve, your DR plan may need a dusting off and updating. If your plan is outdated or relies on older assumptions, you may have gaps in your protection.

Don’t leave your infrastructure vulnerable. Assess your plan for the most common misconceptions of disaster recovery.

Misconception #1: Backup-as-a-Service and Recovery-as-a-Service are the same.

A good DR plan is not about backups, but rather it’s about getting back up and running as quickly and efficiently as possible. The placement of that one space makes a big difference.

Thursday, 06 June 2013 14:22

Determining a Tornado's Path-Width, etc.

The following is from an email sharing how the National Weather Service (NWS) measures a tornado's direction, path, width, etc.

For the most part tornado path width is determined by the measurable damage observed during the storm survey. Our WFOs will integrate into that assessment any additional evidence they can get (e.g., video, photos, radar data, survivor accounts) to make their best determination. That goes for all the characteristics of the tornado - path length, path width, EF-Scale rating, etc. - that they report. Here is our Norman WFO's El Reno event web page - http://www.srh.noaa.gov/oun/?n=events-20130531

Below is the NWS policy guidance for our storm survey teams to utilize with regard to determining tornado path length and width. The full NWS Storm Data policy can be accessed here: http://www.nws.noaa.gov/directives/sym/pd01016005curr.pdf



Thursday, 06 June 2013 14:21

Practitioner’s Requirements

Selecting a candidate to protect the organization

The perennial question is once again causing clutter in the ether. The question:

Must a practitioner be an IT expert?

In a word: No.

Perhaps the practitioner should be an MBA to handle the business side? Is a degree even necessary?

Maybe an SPHR to understand the human relations concerns?

How about a CompTIA Security+ certification for security issues?

Is a PMI or Six Sigma black belt necessary to manage the project or program?

Same answer. No, No, No, and No again.

So what qualifications should a practitioner possess?



Most companies would describe responding to e-Discovery requests as time-consuming, expensive and something they would rather avoid altogether if at all possible. But if that’s not enough to make it a leading cause of indigestion among corporate executives, there are potential compliance risks that can result from responding to e-Discovery requests that are potentially as great or greater than the risk of mishandling the e-Discovery obligations themselves.

Executives cannot address the risk without first understanding the key ingredients in this recipe:



Wednesday, 05 June 2013 15:33

IT Basics 5: Business continuity

How to keep your IT systems working when the worst happens, by IT consultant John Dryden


IT is the life blood of any modern charity, linking its head, heart and essential organs. If it stops flowing, things will instantly seize up.

This is especially true for international charities, for whom email is the most practical way to communicate with far-flung colleagues. Where staff are operating in different time zones and remote locations across the developing world, it can sometimes be the only way to communicate regularly.

For example, an international medical charity we work with has 1,400 staff spread across the globe. On an average day its London-based team send and receive more than 11,000 emails – some of them involving life-or-death medical decisions.



Most small and medium-sized enterprises (SMEs) are experiencing difficulties with data backup and recovery, a study has shown.

A poll of 500 SMEs in Europe and the US shows that 85% are experiencing cost-related challenges with backup and recovery, 83% with lack of capabilities and 80% with complexity.

Other problems include high ongoing management costs (51%), expensive licensing models (48%) and backups either requiring or using too much storage (44%).

This means there is a maximum of 15% of SMEs that currently have no issues with data protection, said backup, replication and virtualisation management firm Veeam Software, which commissioned the survey.



Preliminary results from a joint CII, London School of Economics and University of Plymouth research project on how financial organisations approach risk culture revealed that firms were becoming increasingly conservative and that this could damage their profitability.

The research project was designed to deliver practical guidance for firms to improve the cultures and behaviours associated with risk-taking and control activities.

Interviews were carried out at nine financial institutions with risk management professionals and the study also included the findings from a survey of 2258 CII members.



As the security industry continues to grapple with a shortage of skilled professionals, particularly within very specific niches like application security, the state of security professional development continues to keep the industry locked up in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to raising the tide for all boats in the industry: the cost of paid training.

"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It's just not possible to take a group of 50 people out of your company, if you have a large one, and pay the amounts of money that are being asked to sufficiently bootstrap your employees."



Dozens of government agencies have no idea whether their websites or public kiosks are a security risk.

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches.


KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes.

The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board.



Why would you need a Policy once you have Business impact analysis, Business continuity strategy and Business continuity plan? This is probably a question many experienced business continuity/disaster recovery practitioners are asking themselves, so here’s why ISO 22301 (a leading business continuity management standard) says it’s mandatory.

Main purpose

The main purpose of Business continuity policy is that the top management defines what it wants to achieve with business continuity. Now why would that be important? Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company.



Wednesday, 05 June 2013 15:19

The Time is Right for an 'IT Petting Zoo'

Computerworld — SAN FRANCISCO - Bringing consumer technology into the enterprise doesn't mean corporate data will be at risk or that money spent on failed projects was wasted. Just ask NASA, which regularly brings shiny toys into its "IT petting zoo" to play with and test, many of which have gone on to be venerated products.

Tom Soderstrom, CTO of IT at NASA's Jet Propulsion Laboratory, regularly brings consumer tech into his shop to see if it will result in an increase in productivity and innovation.

"I'm often called chief toy officer ... and I'm proud of that title," Soderstrom told an audience at the CITE Conference and Expo here. "Ideas come from everywhere. Productize them and dare to fail. The ones that make sense go into pilot mode and then become products and typically last for years."



Federal agencies are grappling with an unprecedented growth in data at the same time that backup solutions are nearing capacity, a situation that could hamper efforts to recover data in the event of an emergency.

Moreover, agency officials are not testing their disaster recovery solutions as often as they should, raising questions about their preparedness for a natural disaster or man-made incident, according to a survey of 150 federal defense and civilian IT managers in a new MeriTalk report.



Reducing data at the source is the smart way to do backup. That is the conclusion I came to in my last post, If files were bricks, you'd change your backup strategy.  But I also left off by saying “there are technologically different ways to do this, which have their own smart and dumb aspects.” Let’s take a look at them. 

There are two common ways of reducing data at the host (as I mentioned last time, I am only considering traditional backup from servers, not disk-array snapshots). Since terminology can be used in different ways, I’ll define the terms as I use them.



Wednesday, 05 June 2013 15:15

Disaster Recovery: Test, Invest and Educate

Amidst internal and external security threats, natural disasters, hacking attempts and technological changes, banks and service providers today are constantly faced with the possibilities of data loss, security breaches and breaks in business continuity. These institutions are being asked more frequently than ever what plans they have in place for speedy recovery should systems be compromised. Following a number of hard-hitting storms in the United States, including Hurricane Sandy and the devastation wrought on the Midwest following recent tornadoes, attention is focused on preparing for a recovery after natural disasters. Though preparing for natural impact is important, it becomes easy to forget there is just as much, if not more, potential for malicious manmade threats from a security and technology perspective.

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability. While banks across the board conduct regular tests, the way in which these tests are conducted is crucial to determining a bank’s true ability to recover in the event of a disaster. In most instances, testing can be considered either static or dynamic. Most disaster recovery tests currently conducted are static in nature, meaning they are crafted to be sterile and built for success, to allow banks to ‘prove’ they have the ability and tools needed to succeed in the event of disruption. In these instances, banks and service providers are able to conduct tests and prove they have a perfect fail-over recovery system in place. The issue here is that these tests are rarely built to actually mimic any real disaster.



I can’t stop thinking about the Oklahoma tornado tragedy and the families who suffered from loss of life and property. The images of the wreckage have been burned into my brain and I feel that I need to do something about it. Which is why I want to talk about safe rooms, and why it is important to have a disaster recovery planning checklist for those people and organizations who are located in tornado zones (or flood zones, or hurricane zones, or earthquake zones, or…).

If you live in an area with extreme weather conditions, I recommend that you look into building a safe room, which could include a properly designed and equipped storm cellar.



An industrial plant explodes in Texas. Bombs shut down the city of Boston. A hurricane floods the east coast with water. A tornado hits Oklahoma.

All those recent disasters caused tremendous human suffering. All of them, too, brought devastation to businesses large and small. From damaged buildings to wrecked inventory to disrupted supply lines, natural and man-made disasters can tear a huge hole through profitability. In many cases businesses close their doors for good.

Plan for recovery

What lessons can we learn from all this? Here’s one: Business owners must design and implement disaster recovery plans designed to mitigate harm when bad things happen. With that in mind, now would be a good time to revisit your own recovery plans with a fresh look. Are you taking the right actions to minimize damage if you are hit with a wind storm, a lightning strike, a flood or a power outage?



Wednesday, 05 June 2013 14:23

Active Shooter and Mass Casualty Incidents

An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area.

Overview of the FBI’s Role

When an active shooter incident takes place, local and state law enforcement are always the first on the scene. The FBI, however, has played a role in supporting the response to virtually every major incident in recent years and has much to offer in terms of expertise and resources.

Shortly after the tragic shootings at Sandy Hook Elementary School in Newtown, Connecticut in December 2012, the FBI sought ways its personnel could better assist its law enforcement partners. Two actions enhanced these efforts.

First, the Investigative Assistance for Violent Crimes Act of 2012, signed into law by the President in January 2013, permits the U.S. attorney general—at the request of appropriate state or local law enforcement personnel—to provide federal assistance after active shooter incidents and mass killings (defined by the law as three or more people) in public places. The attorney general delegated this responsibility to the FBI.



PC sales continue to decline, mobile sales continue to climb, people work at home, and the notion of strict work/life separation for equipment is on its way out for many information workers. Yet most IT organizations and security vendors insist on applying legacy thinking for information security that simply cannot work in the modern world of heterogeneous, anywhere, and mixed personal/business computing. They keep trying to build mobile prisons, extending perimeter defenses across the digital world or creating satellite fortresses on every device. No one willingly enters a prison, and the gulag and straitjacket approaches favored by IT and security vendors simply will be bypassed by business users, who've been doing so for years on the desktop.

It's time to stop the madness and protect what really matters: the information that moves among all the devices. To do so, the industry needs to stop trying to turn smartphones into fortresses that people can't use and to stop forcing the use of proprietary app containers that can't scale to a heterogeneous, interconnected digital environment or that provide read-only access (what's the point, then, of having the file?). Instead, it's time we focus on protection at the information level, essentially using the notion of digital rights management (DRM) that travels with the data itself. The only way to make that work is through an industry standard.



Tuesday, 04 June 2013 16:15

BYOD: Banks Need to Stay Ahead of Risk

The evolving mobile landscape, including the bring-your-own-device trend, is requiring banking institutions to be mindful of emerging risks, says Jim Pitts, who oversees mobile financial services and vendor management for BITS, the technology policy division of The Financial Services Roundtable. Pitts says financial institutions are more at risk when it comes to mobile services and practices than many other sectors because of the types of transactions and sensitive information they manage.

When it comes to their BYOD policies, banks must address data loss prevention, application security and exposure liability management, he says in an interview with Information Security Media Group [transcript below].



Cybercrime has become a national crisis, said South African Centre for Information Security CEO Beza Belayneh on Tuesday, equating the scale to that of South Africa’s prevalent HIV/Aids pandemic.

Speaking at a Neotel/Mail & Guardian business breakfast, he said that South Africa had ranked the third-most “fished” country in the world, and was open to attack in a well-connected society.

“Cybercrime is no longer a criminality, it is a national crisis,” he said, adding that this was an event that should bring together all the Cabinet Ministers, banks and consultants, besides others.

“Governments are hacked, police websites are hacked, banks are losing millions – the statistics are that South Africa loses R1-billion a year, and it now threatens human life,” he said.



The survey also indicated feds are facing unprecedented data growth and must address backup solutions nearing capacity.

Just 8 percent of federal IT executives are completely confident that their agency could recover 100 percent of its data in the event of a disaster, according to a report from MeriTalk, an online community and go-to resource for government IT. The study also revealed that while agencies might feel prepared, they are not testing their systems as often as they should and face challenges with data growth, mobile devices and on-site backup. Only one in four federal workers give their agency an "A" in data resilience and disaster recovery (DR2) preparedness.



Tuesday, 04 June 2013 16:10


On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.”  The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012.  Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.



Don Schmidt is CEO of risk consulting company Preparedness LLC and a 20-year member and chair of the technical committee that writes the National Fire Protection Association (NFPA) 1600 standard. He also is the editor of the handbook Implementing NFPA 1600 National Preparedness Standards, which was published in 2007. NFPA 1600 was updated this year, and the U.S. Department of Homeland Security adopted it as a voluntary consensus standard for preparedness.

In this Q&A, Schmidt reflects on the evolution of standards in emergency management and business continuity.

Question: What is the background on the creation of the NFPA 1600 standard? How did it become established?



As illustrated by the devastation of Hurricane Sandy in 2012 when countless businesses were without power and data centers went down, it’s becoming increasingly important to have a well-conceived business continuity and disaster recovery (BC/DR) program in place.

Remember, there is a difference between a BC/DR program and a BC/DR plan. A program is a set of policies, practices and responsibilities that provide the structure for management, governance and sustainability to accomplish the goals. A plan is a documented set of action-oriented tasks and procedures to be followed when a disruptive event occurs or is imminent. In this article, we are going to discuss the key success factors of a successful BC/DR program.

There are four key components that stand out. A successful BC/DR program should be:



Computerworld — I recently misinterpreted some CEO cost-speak. The enormous gap between what I thought I was hearing and what the CEOs were actually saying is tremendously illustrative and well worth looking at.

I was involved, albeit tangentially, in a dozen executive searches for new CIOs. All of these searches were being led by CEOs of global, brand-name, Fortune 300 companies. In fact, nine of the companies were in the Fortune 100. In my experience, such leaders are enlightened and appreciative of the value of IT.

That's why I was surprised -- shocked, actually -- to find that every one of these CEOs ranked IT cost management among the top three capabilities they were looking for in their next CIO. I couldn't understand it. How could that be when just about everything one reads in the business press and from subscription research firms claims that growth is the primary focus for top companies' leaders? What was going on?



Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security-related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.



In the good old days, protecting your assets was all about making sure you had a big enough lock or thick enough walls. Today, however, the locks are digital and firewalls have replaced concrete as businesses seek to protect data from the prying eyes of cyber-criminals around the world.

Data is the new gold, as cyber-criminals look to steal everything from your identity to your credit card information. But they are not going after you directly; they are looking to pilfer this information from the companies you deal with online, which hold huge hoards of such data, all of which can potentially be accessed from anywhere in the world simply by clicking a few buttons.



In seven years, the information security industry will see more cloud delivery and no central IT.

In an audience poll taken during Forrester's recent 'The CIO's World in 2020' predictions session, 90 per cent of the 325-strong audience said that central IT would not exist in the future, as IT will be directly embedded in business units such as marketing, product development and customer service.

Eighty-five per cent of the audience also agreed that most technology would be delivered via the public cloud: companies will architect and deploy business solutions from a growing pool of external as-a-service resources, with IT playing the role of orchestrator.



Monday, 03 June 2013 17:16

When Big Data Doesn’t Work

With few exceptions, articles about Big Data start off with promises to be smarter, run more efficiently, or make more money. As proof, each article cites the standard examples: how data analytics and robotics have transformed warehouse operations, IBM Watson's mastery of the game show Jeopardy, and how firms will make decisions more effectively.

Genuine examples of success may be far fewer than we realize, since most articles describe a hoped-for future state rather than the few actual case studies cited above. Real or not, we may learn more from stories of failure, which gauge how much progress we have yet to make.



Monday, 03 June 2013 17:15

The Demise Of The Player/Manager CISO

The role of the CISO is changing.

For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of people from outside IT security stepping up to take the CISO role, often ahead of experienced IT professionals.

These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those who have been working within the IT security teams; however, we have to recognise that this new breed is simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.