Industry Hot News

How much do you know about cloud-based disaster recovery?

Recovery-as-a-Service, commonly referred to as RaaS, enables organizations to recover critical IT resources with increased efficiencies and complete effectiveness when an adverse situation strikes.  Cloud-based RaaS is nothing like traditional disaster recovery (DR) solutions of the past. Cloud-based RaaS users are able to install one piece of software (not an agent) which includes a control VM as well as an appliance on all participating VMware hosts. This increases self-service, testing and reliability of complete application protection. 

Even with all the changes in technology that have happened lately, there are still a lot of myths circulating that may have you confused about disaster recovery. Test your knowledge of what is fact and what is fiction with this short quiz, below.



Wednesday, 22 May 2013 16:54

Finding the time for cyber security

Possibly the most disturbing feature to emerge from the Federation of Small Businesses' (FSB) new cyber security report is that making computer systems secure can be a complex and time consuming process that a lot of small firms can't manage.

The report, Cyber Security and Fraud: the impact on small business, makes it clear that too many companies are falling foul of online crime, with about three in 10 of its 2,667 survey respondents suffering from attacks over the past year, and the average annual cost coming in at just below £4,000.

But there's an acknowledgement that despite a growing awareness of the threats, small firms are not always taking preventative action if it's a complex process.



It is easy to think that your startup is too small or too new to face threats to your data security. But the simple fact is that in the current competitive climate of the biotech industry, when many companies of all sizes are rushing to develop innovations, the security of your data is more important than ever.

The best way to ensure that your data is secure from threats that come from both inside and outside of your company is to partner with an IT provider with expertise in both security and the unique needs of biotech startups. Such a partner can assist you in putting together the right mix of solutions now while thinking of where your company is going in the future, so these solutions can be built on and used as your company grows. It is much simpler and more cost-effective to start with the right mentality around information security than to try to change these systems and procedures while your company is in growth mode. When developing the IT infrastructure for your biotech startup business, be sure that you keep the following security concerns in mind.



To rebuild or not to rebuild?

As recovery slowly begins after deadly tornadoes flattened subdivisions in Moore, Okla., and tore through nearby areas, the complex question has come up again for the disaster-prone region that sits within Tornado Alley.

Moore, a 55,000-resident city south of Oklahoma City, is no stranger to destruction. A 1999 tornado that wreaked havoc upon Moore had winds topping 300 miles per hour, and it was slammed by smaller tornadoes in 1998, 2003 and 2010. But each time, like dozens of other American communities prone to natural disaster, it has rebuilt.

Disaster recovery and urban planning experts say the tendency to rebuild American cities that have experienced tornadoes, hurricanes, earthquakes and flooding -- and are likely to see such trauma again -- can be attributed to a mixture of economics, politics, nationalism and spiritual views that often sets the U.S. apart from other nations.



Many of the small businesses battered by Hurricane Sandy are still waiting for U.S. government assistance, raising concerns among some about Midwest businesses hit by devastating tornadoes.

The U.S. Small Business Administration has approved loans to one out of every four business owners who applied for assistance after Sandy hammered the East Coast in October, according to analysis of data the agency submitted to Congress.

In addition to the low approval rate, which included employers who submitted but eventually withdrew their applications, the agency has been slower to process applications and disburse funds than in the aftermath of hurricanes Ike in 2008 and Irene in 2011. Rep. Nydia M. Velázquez (D-N.Y.) noted the comparison in a letter sent to the U.S. Government Accountability Office asking for further examination of the disaster loan program.



With the growing movement of enterprises to the cloud, it’s more important than ever that service providers demonstrate and prove good security practices to their customers, in good times and in bad. During an incident, how a cloud provider communicates to its customers says a lot about its commitment to security.

Sounds obvious, right? Well, three different times during the past seven months – and once while I was on a panel at the 2012 CSA Congress in Orlando – I’ve learned that it isn’t clear after all. As CSO at Okta, I work closely with our customers and they always ask, “What will you guys do if a breach occurs?”



In a large country with myriad natural threats, some responders are more experienced than others in handling certain types of disasters. Certain phenomena, such as earthquakes and hurricanes, typically don’t happen in some areas of the country.

But with a surge in the number of incidents declared as disasters by FEMA over the last 20 years, it’s become paramount for regions to plan for the unexpected, particularly when it comes to Mother Nature.

In 2011, tornado activity was observed in places that rarely see it, from Northern California to the East Coast and in between, leaving some residents in disbelief that the weather phenomena actually occurred there.



Wednesday, 22 May 2013 16:15

Risk Management’s Gender Pay Gap

Next month marks the 50th anniversary of the Equal Pay Act, which was signed into law by President John F. Kennedy on June 10, 1963. At the time, women earned about 59 cents for every dollar paid to their male counterparts. To correct this disparity, the law made it illegal for employers to pay women lower wages than men for doing the same job.

Today, the gender pay gap has narrowed, but as we reported in the May issue of Risk Management, it still exists. According to the Bureau of Labor Statistics, in 2011, women were paid 82 cents for every dollar paid to men. While a 23% gain is certainly progress, there is still significant ground to be made up before full equality can be achieved.



There’s plenty of talk about security threats from internal employees—but what about the threats associated with outsourcing?

The stats may (or may not) surprise you. Forty-six percent of organizations do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information, according to a recent study conducted by the Ponemon Institute. The survey polled nearly 750 individuals in organizations that transfer consumer data to third-party vendors.

“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”



Very few business owners would dispute the wisdom behind having a Disaster Recovery plan.  This doesn’t stop many (if not most) businesses from having an outdated,  ineffective, incomplete or untested plan.

One reason for this is, like insurance, folks like the peace of mind knowing they have a Disaster Recovery plan, but they never really expect to use it.  As a result the plans are frequently slipshod in design, and execution.    A Disaster Recovery plan should have these elements, at a minimum:



Tuesday, 21 May 2013 15:58

Creating a disaster recovery plan

As a financial advisor, you are aware of the importance of being properly insured. But are you prepared for the disruption your business would suffer in the event of a disaster — such as a flood, a hurricane or a tornado?

"I am often struck by how few [organizations] have actually gone through the exercise of developing a proper disaster recovery plan," says Dean Tremblay, manager of professional services in Ottawa with Toronto-based Blackiron Data. "In the wake of events such as Hurricane Sandy and others, it is something that every practitioner should have."

Tremblay offers the following advice on how you can begin to ensure your business is prepared for the unexpected:



CIO — IT executives continually evaluate the technology trends that will impact their business in 2013 and beyond. Some simply deploy technology to advance the goals spelled out in business plans. Others take on the role of chief innovation officer and introduce different models of using existing data to generate new revenue and gain insight into who clients are and what they want.

Buzz has certainly surrounded big data for some time, but many IT executives still wonder how they can begin to leverage the three "V's" of big data—volume, variety and velocity, or the frequency at which data is generated and captured—and augment the value of data for their organization.



If you're a managed services provider (MSP) looking to dive into the backup and disaster recovery (BDR) pool this summer, we've compiled a few swimming lessons for you to keep your head above the water. We've connected with CCNS Consulting owner Karl Bickmore to discover how three simple BDR lessons would have relieved a lot of tension in the beginning for him. So slip on your sandals and swim trunks, and head down to the pool for three swimming lessons that will make you better than your competition in this MSPmentor exclusive.

Bickmore promoted three initial areas of focus for those MSPs starting with BDR: vendor selection, the value of standardization of backup, and the cost of initial seeding.



MOORE, Okla. — A giant tornado, a mile wide or more, killed at least 91 people, 20 of them children, as it tore across parts of Oklahoma City and its suburbs Monday afternoon, flattening homes, flinging cars through the air and crushing at least two schools.

The injured flooded into hospitals, and the authorities said many people remained trapped, even as rescue workers struggled to make their way through debris-clogged streets to the devastated suburb of Moore, where much of the damage occurred.

Amy Elliott, the spokeswoman for the Oklahoma City medical examiner, said at least 91 people had died, including the children, and officials said that toll was likely to climb. Hospitals reported at least 145 people injured, 70 of them children.



In a previous post on making suggestions for updating NIMS, I suggested that social media monitoring should go into the ICS structure rather than be considered a part of the JIC or PIO responsibilities. This prompted some thoughtful responses from readers of this blog--I encourage you to read them at the bottom of that post.

I wanted to respond in particular to the comments of Ed McDonough who raises some very important objections to my suggestion. Here is the crux of his concerns:

If we move social media monitoring to planning, then should we also move tradition media monitoring to plans? How about the monitoring of public query lines? Furthermore, what sense would it make to move the monitoring of social media away from the same group of people that are pushing out the social media messaging?



Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Disaster recovery plans and the usual mix of uninterrupted power supplies (UPSs), co-location services, data mirroring and hot-standby technologies theoretically make it possible to weather any storm. But are backup systems, replication rules and fast failover solutions enough?

Any data center manager who has implemented a DR solution understands there are always compromises. To save costs, for example, the generators and co-lo facilities are typically designed to support only a subset of the services being provided during times of normal operation. Here are some considerations meant to ensure the compromises are based on the right facts, and that the DR plan stays aligned with the dynamic requirements of the business it protects.



Tuesday, 21 May 2013 15:51

Business continuity fundamentals

Business continuity management has evolved into a specialized discipline, but you don’t need a team of specialists to create and manage your BCM program. With a little help, and an understanding of these 14 fundamentals, you can build and manage your BCM program easier than you thought, and at a much lower cost.

1. BCM is risk management, not insurance: BCM ensures that business processes are appropriately resilient to disruptions, or are recoverable at an appropriate time. Insurance is a grudge purchase. You buy as little as you need and accept as many risks as tolerable. If nothing goes wrong, you feel like you wasted your money. Don’t “sell” your BCM program as insurance. Nobody wants to buy that. Sell the ancillary benefits of BCM, i.e., service delivery, compliance. Seek strategic partners and leverage their resources.



While Bloomberg‘s data terminals, which serve up volumes of intricately detailed financial information to Wall Street pros on a daily basis, have enjoyed a reputation as must-have tools, a privacy breach scandal has landed the company in a threatening crisis.

Last week, it was revealed that Bloomberg reporters have had special access to data on how customers used their terminals for DECADES, and actively sought to use it in order to break stories first. Customers ranging from JPMorgan and Goldman Sachs to the U.S. Federal Reserve have all expressed extreme dismay, and the legal letters demanding further information are already starting to pour in.



A United Nations group and consultancy PwC warned businesses that they are exposed more than ever to billions of dollars worth of economic losses linked to natural disaster risks.

A report by the UN International Strategy for Disaster Reduction (UNISDR) and PwC warns that large multinationals' dependencies on international supply chains, infrastructure and markets pose a systemic risk to 'business as usual.'



On May 13, California government officials and private-sector leaders met behind closed doors to discuss a comprehensive cybersecurity plan for the state -- it was the beginning of the California Cybersecurity Task Force, the first state-led collaboration of its kind.

Because of the interconnectedness of government and private-sector IT assets, collaboration has become crucial, said Michele Robinson, acting director for the Office of Information Security.

“Those working relationships need to be strong in order to really affect this area,” she said. “We all own a piece of that infrastructure, so it’s a shared responsibility."



VARs and MSPs assume a number of responsibilities when they take on a new client, or sign a long-term contract with a current customer. In addition to providing disaster recovery and other IT services, this relationship offers the opportunity to become the go-to consultant for a number of issues that their customers experience, including those that appear unrelated to IT systems.

While consultants or service providers in other industries may consider questions outside their “sphere of influence” as nuisances, most IT professionals understand that those queries present a real business opportunity. When clients are willing to seek their VARs’ advice on a business-related subject not directly associated with their computer or network systems, it should be considered a sign of respect and an opening for forging a closer relationship.



Tuesday, 21 May 2013 15:26

IT's New Concern: The Personal Cloud

Computerworld — Bring your own device is so 2012. The next big push in the consumerization of IT is bring your own cloud. And just as when consumer devices poured into the enterprise, many IT organizations have already responded with a list of do's and don'ts.

The standard approach has been to forbid the use of personal cloud applications for business use, by offering official alternatives -- the "use this, not that" approach -- and to carve out separate cloud storage workspaces for business documents that can be walled off, managed and audited. But personal cloud services are difficult to control, and users are adept at going around IT if the productivity tools in their personal cloud can do the job easier, faster and better. IT wants a bifurcated approach to consumer and professional cloud apps and storage. But users don't work that way anymore.



Monday, 20 May 2013 15:17

What is a Disaster?

Many commercial contracts include specific definitions of what a 'disaster' is. Generally speaking, however, in a contractual context a 'disaster' refers to an unplanned interruption of, or inaccessibility to, a service, product or system. For example, the most frequent disasters are component failure, human errors and longer term data centre electrical failures.

Organisations should analyse and manage the risk applicable to their business in the event of a disaster. A commonly used preventative and reactive management technique is the inclusion of a business continuity disaster recovery (BCDR) plan as part of the organisation's risk strategy and within its key commercial contracts.



In many periods of downtime, service outages cause only minor disturbances for businesses. But in the wake of natural disasters, such as Hurricane Sandy, the impact of extended downtime can be far more consequential.

Fewer than a quarter of East Coast companies had comprehensive disaster recovery and business continuity plans in place when Sandy struck in late October, according to a release from On Hold Company. 

"Many businesses treat their disaster plans like casual readers treat a copy of War and Peace: They like having it on the shelf, but aren't interested in reading it," said Bryant Wilson, CEO of On Hold Company.



This cloud is definitely getting cloudy and has been for the last few weeks. I can't help it, as the conversation I'm having with customers is all about the cloud.

Many organizations are exporting certain workloads -- like messaging and collaboration -- to the cloud. You can throw disaster recovery in with them. Many of my clients tell me that they cannot justify paying a hefty price for a secondary DR site to protect against disasters that may never happen. For those clients, DR is a workload that is well suited for the cloud.

As with any other "as a service" offering, there are tons of providers out there offering these services. So, this week I offer a few considerations when choosing the best provider to meet your company's expectations:



Monday, 20 May 2013 15:12

ERM: 5 Steps to Success

Most agree that working from the top down, meaning to first identify corporate objectives, then focus on the details of how to achieve them, is what most managers wish they could be doing more of. However, the reality is that most managers are so busy with day-to-day activities that little time is left over to work on the big picture. Everyone agrees the role of ERM is for risk management to be involved in the "key business decisions"; however, some misinterpret this as interviewing only the senior executives in "big picture" assessments. In reality, aligning the day-to-day activities of all managers to the strategic objectives set by senior leadership, and then aggregating and analyzing this information, is the winning approach.

So how is this accomplished?



Monday, 20 May 2013 15:11

How to Prevent IT Department Overload

Computerworld — Not long ago, IT consultant Mark A. Gilmore was called in to help an IT department that was struggling with project overload. "They'd gotten this kind of attitude -- the executive vice president calls it 'Burger King Syndrome,'" he recalls. "Their approach was, 'You can have it your way.'"

The business executives believed IT could supply whatever they wanted, whenever they wanted it. Salespeople had gotten into the habit of asking the development team to create applications within a week to fulfill promises they'd made to customers. As a result, IT employees were spending about 80% of their time reacting to crises or struggling to meet impossible deadlines rather than calmly planning their workloads, says Gilmore, president of Wired Integrations in San Jose.



Network World — When the moderator of a panel discussion at the recent RSA conference asked the audience how many thought their risk management programs were successful, only a handful raised their hands. So Network World Editor in Chief John Dix asked two of the experts on that panel to hash out in an email exchange why these programs don't tend to work.

Alexander Hutton is director of operations risk and governance at a financial services firm (that he can't name) in the Greater Salt Lake City area, and Jack Jones is principal and Co-Founder of CXOWARE, Inc., a SaaS company that specializes in risk analysis and risk management.



CLUSTERS of corporate techies hunched over their laptops one recent evening in Mountain View, California, feverishly trying to figure out how RK Industries hacked into and stole critical information from its rival, EntraDyn.

It’s a common occurrence, but in this case the firms were fictitious, and the event—a simulated exercise put on by security firm Symantec—featured rock music, a buffet and an open bar for the participants. Even so, it had a serious purpose: Increasingly under Internet attack, more and more businesses are using “cyberwar games” to learn how to spot and counter the tricky tactics used by hackers.



John Bartlett CBCI, DBCI

BC shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communicating best practices for BC, states that an organisation's vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can also be argued that the categories of Technology and Processes should be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisation's BC function.

That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one.



Monday, 20 May 2013 15:05

Are we ready for hurricane season?

The official hurricane season is June 1 through Nov. 30, and every year there are named storms and predictions. Each of us has a personal responsibility to have our homes and businesses prepared.

Disasters can hit the economy hard and with tourism being the number one industry in Manatee County we must embrace the concept of year-round preparedness and be able to jump back quickly for the good of our community.

If you think about it, we are focused on preparations for hurricane season, but emergency preparedness can help a business survive when any kind of disaster strikes.



Let’s face it. We are always online in one form or another. If I am not watching television, checking mail, or using one of the 44 apps I have on my smartphone, then I am probably sleeping. Because of these use patterns, the demands on application availability are on the rise, and data is exploding. So let’s think about these two forces and how they impact disaster recovery (DR) planning for your businesses. These forces increase the DR workload for IT staff. As a result, your IT staff may be spending more time on DR instead of supporting strategic and revenue-generating projects. In other words, IT is only helping to maintain the business, not grow the business.

Cloud disaster recovery may be the answer

How do you overcome tight budgets and leaner IT staff when you are constantly being asked to do more with less? Well, you might consider “out-tasking” DR management by using cloud-based disaster recovery services.



Every managed services provider (MSP) has had a question or two on backup and disaster recovery (BDR). To help answer some of the top questions we reached out to disaster recovery (DR) and business continuity (BC) solutions vendor Datto to find out what MSPs have been asking them. Take a seat, grab a pen and paper, and pay attention to what we've learned in this MSPmentor exclusive. But don't worry, there won't be a test.

Datto Sales Manager Hallett Nichol helped us with his insights on this topic. His answers focused on costs, bandwidth and local recovery capabilities.



The highly regulated health care industry has long generated attendant compliance risks. However, a recent spate of legislation and updated regulations, a new Office of Inspector General (OIG) Special Fraud Alert, and increased government enforcement actions are shining a bright light on some of the top compliance risks facing today’s health care professionals. This article reviews the risk areas of strategic relationships and patient information and offers smart steps to consider for health care organizations seeking to mitigate such risks.

Risk areas: strategic relationships, patient information

Federal and state government mandates calling for improved reporting of patient outcomes are among factors driving the formation of strategic relationships between hospitals (providers) and physician groups, providers and health plans, and providers and pharma/medical device manufacturers. The increasing proliferation of risk-/gain-sharing partnerships such as Accountable Care Organizations (ACOs) and other physician-owned entities (aka physician-owned distributorships, or “PODs”) generates numerous compliance risks. Of particular note are risks associated with provisions and regulations such as the following:



Getting people to think about business continuity and include it in their daily lives is one of the most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn't matter how good your resilience and continuity are: if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.

This requires communication in the form of education, training and awareness of your organisation's business continuity at all levels: staff, management, directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as 'the way we do things', which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: 'it will never happen here' or 'it will never happen to us'. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to cyclones, hurricanes, floods, industrial disputes and civil disorder/strikes.



For years now, the risk management gurus of the world have lamented the scourge of check-box compliance, urging organizations to make more security decisions based on sound risk management. The philosophy is that risk-based decisions generally yield more compliant environments: if an organization manages its risks, then compliance will naturally fall into place.

It's a sound idea, but when organizations flip their world view from check-box compliance to risk-first decision-making, there's bound to be times when an organization may be managing most risks well but still falls short of compliance requirements. In some cases, the organization has not documented mitigation measures well enough for the auditors yet and in others they are not quite totally compliant yet.



Friday, 17 May 2013 14:36

The five minute CIO: David Cahill

This week, the focus switches to security as AIB’s senior information security specialist talks about managing mobile devices, why real-world testing is important and user buy-in is essential.

As a percentage, how much of your annual IT budget goes on security?

That’s always a good question. To be honest, it’s nearly impossible to quantify as very often, security is taken out of several different budgets. For example, you could look at firewall admin, putting in new security rules – that would fall to the IT network guys rather than the information security team per se. Likewise, we have mainframe sec rules and that would come down to the mainframe team.



The advanced persistent threat is waging an all-out attack on enterprises’ intellectual property.

Yet most companies continue to try to protect themselves using approaches that are years out of date.

That is one of the conclusions in Responding to Targeted Cyberattacks, a frank new how-to book published by global IT association ISACA and written by professionals at Ernst & Young LLP.

The threat landscape has progressed from unsophisticated “script kiddies” to hackers to insiders to today’s state-sponsored attacks, where enterprises are attacked because of who they are, what they do and the value of their intellectual property (IP).



Friday, 17 May 2013 14:34

How to Customize IT Security Controls

Organizations in and out of government can more easily tailor their information security plans to fit their specific business missions and operational environments by using overlays, new tools introduced in the latest revision of the National Institute of Standards and Technology's information security controls guidance.

"We realize that organizations have to be able to develop their security plans that really talk to their specific mission," says NIST Fellow Ron Ross, who oversaw the drafting of the latest catalogue of IT security and privacy controls. "The overlay concept is introduced to allow that specialization."



SAN FRANCISCO — No one can be certain when a natural disaster will strike, so to better prepare for such events, the city of San Francisco, outside agencies and organizations, and volunteers participated in the annual Golden Guardian statewide exercise on Wednesday, May 15. This year's functional exercise focused on carrying out policies, response and recovery after a magnitude 7.8 earthquake struck the San Andreas Fault near San Francisco. The city focused on what would be required in its response for up to 48 hours after the earthquake hit.

During the exercise, San Francisco's Department of Emergency Management practiced its response inside the EOC and worked with other agencies including FEMA, the U.S. Navy and the city's Human Services Agency. The agencies worked together and practiced communicating about how they would help coordinate the city's recovery in the earthquake scenario. Offsite from the EOC, shelter and feeding exercises were performed to get a better understanding of the response required when an emergency leaves nearly 1.2 million people stranded in the city.



We are pleased to announce the shortlist for the BCI Inaugural European Awards. The BCI European Awards recognise the outstanding contribution of business continuity professionals and organizations living in or operating in Europe.

The winners will be announced at an Awards Dinner that is taking place on the 12th June in Belgium as an integral part of the Executive Forum.

All winners from the BCI European Awards 2013 will be automatically entered into the BCI Global Awards 2013 that take place in November during the BCM World Conference and Exhibition 2013, 6th to 7th November 2013 in London.

And here are the finalists in no particular order:

Business Continuity Manager of the Year

  • John Gray MBCI
    Global BCM Programme Manager
    Hewlett Packard
  • Dave Clarke
    Business Continuity Manager
    Telefónica UK Limited
  • Elaine Tomlin MBCI
    Business Continuity Manager
  • Lesley Grimes MBCI
    Business Resilience Manager

Most Effective Recovery of the Year

  • NHS Blood and Transplant
  • Vodafone Libertel BV
  • Telefónica UK Limited & DHL Supply Chain Ltd (Joint submission)

Business Continuity Team of the Year

  • European Commission
  • BT

BCM Newcomer of the Year

  • Adele Lock AMBCI
    BCM Relationship Manager
    HSBC Bank Plc
  • Andrew MacLeod AMBCI
    Business Continuity Consultant
    Needhams 1834 Ltd
  • Louise Taylor AMBCI
    Service Delivery Consultant
    Hewlett Packard

Public Sector BC Manager of the Year

  • James McAlister MBCI
    Business Continuity Manager
    Merseyside Police
  • Mary-Ellen Lang MBCI
    Corporate Resilience Manager
    The City of Edinburgh Council
  • Alan Jones MBCI
    Head of Resilience & Emergencies
    West Sussex County Council and West Sussex Fire & Rescue

Business Continuity Provider of the Year (Service)

  • Deloitte LLP
  • PlanB Consulting
  • Continuity Shop

Business Continuity Provider of the Year (Product)

  • Vocal Ltd
  • eBRP Solutions Network, Inc.
  • ClearView Continuity

Business Continuity Innovation of the Year

  • HI CARE Association
  • PwC
  • Easy Continuity Ltd
  • xMatters

Based in Caversham, United Kingdom, the Business Continuity Institute (BCI) was established in 1994 to promote the art and science of business continuity worldwide and to assist organizations in preparing for and surviving minor and large-scale man-made and natural disasters.  The Institute enables members to obtain guidance and support from their fellow practitioners and offers professional training and certification programmes to disseminate and validate the highest standards of competence and ethics.  It has circa 8,000 members in more than 100 countries, who are active in an estimated 3,000 organizations in private, public and third sectors.

For more information go to: www.thebci.org

When Adobe was hit with a break-in to one of its code-signing servers last September, chief security officer (CSO) Brad Arkin used the crisis to drive security change and improvement.

Attackers exploited an insecure configuration on one of the company’s servers and initiated code-signing requests for malicious software in order to infiltrate the corporate network.

The attack was quickly detected and shut down, but it revealed weaknesses in the security processes which Arkin set about changing, using a five-step plan.



Increased awareness of the need to prepare for risk, including the risk of disaster, does not always translate into action. One reason businesses choose not to become more actively involved in preparedness planning is that they feel prior events are unlikely to recur, or that the effects if they did would not be severe.[1] Interestingly, while the Asia-Pacific Economic Cooperation (APEC) region accounts for 40 percent of the world’s population and half of global gross domestic product, it sustains almost 70 percent of the world’s natural disasters.[2] A 2011 survey among APEC member economies found that only 15.9 percent of small and medium-sized enterprise respondents and 52 percent of large-company respondents have a business continuity plan.



Thursday, 16 May 2013 15:29

How to prevent (or fix) a crisis

The way Salomon “Samy” and Amy Bouzaglo acted during the season-finale episode of Fox’s “Kitchen Nightmares” was a big enough public-relations mess. But all the post-show insults posted online — whether authentic or not — turned an ugly situation into a social-media disaster that could have been prevented.

On the show, which aired Friday, the Bouzaglos, owners of Amy’s Baking Company in Scottsdale, are seen yelling at and pushing customers. Patrons are unaware that the tips they leave for the servers end up with the owners. The couple refuse to listen to chef Gordon Ramsay’s criticism, prompting him to walk away from the restaurant before his job was done, a first for the British host, who has a surly reputation himself.

What happened on social media after the show aired elevated the restaurant’s problems to a full-blown crisis.



A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government requests access.

And in recent years there have been a lot of those government requests for access from storage-as-a-service providers.

For example, Google regularly receives requests from governments and courts around the world to hand over user data. Last year, it received 21,389 government requests for information affecting 33,634 user accounts. Sixty-six percent of the time, Google said it provided at least some data in response.
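The “virtual padlock” model described above amounts to encrypting data on the client under a key the storage provider never holds. The following Go program, an added example written for this page and not any vendor’s product, shows the mechanics with AES-256-GCM from the standard library: the provider (simulated by ProviderStore) only ever receives an opaque blob, so anything it hands over in response to a request is ciphertext; the object name is bound as associated data so a blob cannot be silently served under another object’s name; and any modification of the stored blob is rejected on decryption. How the client stores and backs up its key is assumed to be handled elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In the padlock model this key lives only
// on the client (or in a key store the client controls), never with the provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Lock encrypts plaintext with AES-256-GCM before it leaves the client.
// label (for example the object name) is bound as associated data, so the
// provider cannot serve blob A under the name of object B undetected.
// Output layout: nonce || ciphertext || GCM tag.
func Lock(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the blob layout above.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Unlock reverses Lock. It fails on a wrong key, a wrong label, or any
// modification of the blob, because GCM authenticates both ciphertext and label.
func Unlock(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// ProviderStore stands in for the cloud service: it only ever sees blobs.
type ProviderStore map[string][]byte

// Exposes reports whether a stored blob reveals the given plaintext bytes,
// i.e. whether a data request served by the provider would leak them.
func (s ProviderStore) Exposes(name string, plaintext []byte) bool {
	return bytes.Contains(s[name], plaintext)
}

func main() {
	key, _ := NewKey()
	store := ProviderStore{}
	name := "reports/q1-figures.txt"
	secret := []byte("Q1 revenue: 4.2M (constructed sample)")

	blob, err := Lock(key, secret, []byte(name))
	if err != nil {
		panic(err)
	}
	store[name] = blob // only ciphertext goes to the provider

	fmt.Println("provider can read plaintext:", store.Exposes(name, secret))

	// The client can open it...
	got, err := Unlock(key, store[name], []byte(name))
	fmt.Printf("client decrypts: %q err=%v\n", got, err)

	// ...but a blob tampered with in storage is rejected.
	tampered := append([]byte(nil), store[name]...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Unlock(key, tampered, []byte(name))
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The security of this scheme rests entirely on where the key is kept: if the client ever uploads the key alongside the blob, or lets the provider derive it from a password the provider sees, the padlock is back in the provider’s hands.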



Where are the most dangerous places in the world to run a business? The geography of risk changed significantly in the last year, according to the 2013 Risk Map released today by the risk management business of Aon, a London-based insurance and business services company.  But some parts also stayed the same: Central Africa remains a no-go zone, while the Middle East and Central Asia are still very risky.

The whole map can be seen here (PDF).

Countries were evaluated for overall risk, and also given special mention for particular risks in six categories: exchange transfers, sovereign non-payment of debts, political interference, supply chain disruption, legal and regulatory risk and political violence. Nine Middle Eastern countries and 23 African countries were said to be particularly risky in all six of them.



For quite some time, business continuity professionals have treated cyber security as an important Business Continuity Planning (BCP) concern. But, as with so many other issues in the world of BCP, without full buy-in from upper management (or the Board of Directors) it will be almost impossible to implement effective cyber security policies, plans and procedures throughout an organization.

With that in mind, and to help raise cyber security awareness among your company’s upper management, our staff recommends an article by Edward B. (Ted) Brown III, CBCP CBCV MBCI. Brown not only stresses the need to understand how cyber security relates to your organization; he presents a logical argument for what an organization must do to heighten that awareness and to develop proactive, preventive action plans that mitigate cyber security risks and threats against it.



Thursday, 16 May 2013 15:25

IT Security: Meeting Future Needs

What's it going to take to attract individuals to information security and develop the right skills required to tackle the profession's future needs? ISACA's Allan Boardman offers his insights on growing the field.

The current cybersecurity climate looks like this: Organizations struggle to find qualified staff to fill all the roles open in information security and risk management, and within the existing talent pool there's a lack of skills necessary to succeed in those roles, says Boardman, international vice president of ISACA.



How much can a flawed disaster recovery and business continuity plan cost you? Try an average of $90,000 for every hour of downtime among corporations, according to Strategic Research. Whether we're talking a hurricane, flood, terrorism or simply a loss of power, CIOs must consider every worst-case scenario and come up with a comprehensive failover and response strategy. In fact, the survival rate for companies without a disaster recovery plan is less than 10 percent, according to a study from Touche Ross. To lend proper guidance, Janco Associates has come up with the following "Ten Commandments of Disaster Recovery and Business Continuity" list of best practices. They cover a comprehensive range of needs, including proper documentation, information accountability and multiple-testing processes. In other research from Janco in which more than 180 enterprises were surveyed, nearly 67 percent reported that errors in planning accounted for disaster-recovery failures—the top reason cited. The next highest are outdated plans (51 percent), inability to find passwords (37 percent) and insufficient backup power (24 percent).



Pamela Jenkins is a research professor of sociology at the University of New Orleans. After Hurricane Katrina, she expanded her focus to the human and community impact of disasters. She spoke with Emergency Management recently about the lingering effects of Katrina and lessons learned for long-term planners as they consider the social toll of major events.



One day something large and very bad will happen in Los Angeles. That’s a given. With training and preparation, emergency managers will be ready to respond on that day. What comes next, however, is a topic seldom discussed.

Whether in advance of a crisis or in the wake of a disaster, long-term planning is both vital and often overlooked. How will the community survive and thrive 10 years down the road, or 20 years?



Thursday, 16 May 2013 15:14

Developing a response for the unexpected

A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the “it will never happen to me” attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen.

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).


With the start of the Atlantic hurricane season only two weeks away, experts across the board are predicting another active season. Today, AccuWeather.com released its findings calling for 16 named tropical storms, eight hurricanes and four major hurricanes. They expect three hurricanes to make landfall in the United States. These numbers are all slight increases over the average numbers recorded by NOAA from 1981-2010 and are comparable to last year’s activity.

According to AccuWeather, the season should begin quickly after June 1, but isn’t anticipated to start as early as 2012 when two named storms appeared in May. However, 2013 could see stronger storms than last year due to the reduced amount of Saharan dust in the air, which can inhibit a storm’s severity.



MENLO PARK, Calif.  – Demand for added attention to high-risk processes, growing costs and the increasing role of IT controls and testing reports are some of the key changes and challenges companies faced over the last year as they worked to meet Sarbanes-Oxley (SOX) requirements, according to findings in the 2013 Sarbanes-Oxley Compliance Survey (www.protiviti.com/soxsurvey) by global consulting firm Protiviti (www.protiviti.com).

When executives and professionals involved in SOX compliance were asked what was driving the most change in their SOX compliance processes, 66 percent said there was at least moderate change due to demand for increasing process and control documentation for high-risk processes. Additionally, 60 percent of respondents indicated that the increased amount of time required for walkthroughs and documentation around processes was also driving moderate change.




The information security job market continues to expand. In fact, according to a report by Burning Glass Technologies, over the past five years demand for cybersecurity professionals grew 3.5 times faster than that for other IT jobs.

To make things even more interesting for those looking to pursue a career in information security, the InformationWeek 2013 Salary Survey reports that 63% of IT security staffers are satisfied or very satisfied with all aspects of their jobs, while nearly two-thirds of IT security managers are similarly content. The demand for security pros is booming, so much so that the gender gap has nearly closed when it comes to pay.



New regulations are driving significant changes in risk management systems and processes - and financial institutions need to ensure their technology is flexible enough to respond, according to Tony Webb, director of analytics at Fincad, a British Columbia, Canada-headquartered risk analytics and derivatives risk management software provider.

Regulators across the globe are working to implement a Group-of-20 pledge to clear all standardised over-the-counter derivatives through a central counterparty and to report transaction-level data to repositories. Meanwhile, several countries implemented Basel III on schedule from the start of 2013, which - among other things - requires banks to meet a credit valuation adjustment capital charge and comply with new liquidity ratios. Other jurisdictions - US and Europe among them - have not yet implemented the new Basel framework, but have pledged they will.



Wednesday, 15 May 2013 15:53

11 Tips for Deploying ERP Applications

CIO — As companies become increasingly complex, finding an enterprise resource planning (ERP) solution that meets all needs may be as likely as finding a unicorn. Indeed, in today's global mobile environment, organizations are looking for an ERP system that does more than integrate with a legacy system.

However, with so many solutions on the market, how do you choose the software system that's right for your enterprise, that your different business groups will actually use?

To help you increase your odds of finding and deploying an ERP solution that will benefit your organization (and to help you cut through all the marketing hype), CIO.com queried dozens of ERP experts. Their top 11 suggestions on how to choose and deploy an ERP system successfully appear below.



CIO — WASHINGTON -- For IT managers in the federal government to wring more value out of the enormous stores of data they oversee, they must develop deeper partnerships with service providers in the private sector, according to a panel of experts speaking here at the annual FOSE government IT conference.

"The reason why government is hesitant towards a lot of the private sector is the private sector would push solutions looking for problems."

Federal IT workers from the CIO on down are dealing with the challenges of big data, but they're doing so amid the various pressures of contracting budgets, exponential growth in data volumes and a mounting expectation for higher-level, technology-enabled citizen services.



When looking in the face of a disaster, the last thing your enterprise needs is to scramble to achieve business continuity. Many businesses are strapped for cash after a prolonged period of economic hardship. New standards are emerging to help align business continuity initiatives and provide guidelines to follow. Certifications can even serve to review standards-based internal programs, so your teams know they are going forward with a plan based on established criteria.

Recent years have shown enterprises are vulnerable to events in the outside world, including the September 11, 2001 terrorist attacks and Hurricane Sandy in 2012. The Department of Homeland Security was not only formed to deter terrorist attacks, but to help people and businesses be most prepared for the unknown. To establish more effective standards, it created the Private Sector Preparedness (PS-Prep) initiative. Standards related to the initiative include:



Enterprises spend billions every year maintaining (and powering) duplicate racks and even entire data centers, solely for occasional potential use (in the event of an unforeseen outage or disaster). Required by law in many cases, it is probably one of the largest IT investments with among the lowest returns on investment. The money invested in disaster recovery isn’t wasted; it simply represents money well spent ensuring that applications will be highly available to users.

In the financial community (and others responsible for handling massive amounts of transactions and critical supply chain data), the cost of downtime has been well documented and more than justifies the DR investment. Outages are often more costly in terms of lost revenue, brand erosion and employee productivity. So DR is like a kind of insurance policy, except instead of a policy-holder getting compensated for a loss the policy-holder instead maintains two (or more) of everything. That is perhaps not the most efficient use of high cost IT assets as well as the energy used to power them.



Lean manufacturing practices can create efficiency and reduce waste, but smaller inventories put companies at risk for major supply chain disruptions. Many organizations are reconsidering their procurement strategies for emergency preparedness after discovering their operational vulnerability in the aftermath of the 2011 earthquake and tsunami in Japan, as well as the flooding in Thailand, according to Lloyd's.



Eighty-five percent of companies with global supply chains experienced at least one supply chain disruption in the previous 12 months.[1] Risk is inherently unpredictable. Fortunately, the current workforce is undergoing its own transformation to be able to identify and manage risk on a global basis.

For more than 35 years I have worked with companies and manufacturers around the world on supply chain related business opportunities. One thing senior executives of those firms all had in common was a relentless, positive perspective and motivation for improvements in the global supply chain. Risk management has become the pervasive mantra throughout the supply chain world, but as technology evolves the need for increased business agility is at an all-time high. As manufacturers continue to adopt more technology and become more sophisticated and global, not only do they become more vulnerable to risk, they also have more opportunities to manage risk.



I've devoted my last two columns to the issue of education for emergency managers. However, I don't want to give the impression that education alone is sufficient for success as an emergency manager. As several of my colleagues have pointed out, success is determined by a combination of education, training, and experience. The mix can change depending on the environment and the position but all three are essential.

The question, though, is what constitutes "training?" Where education teaches concepts, training provides the general and specific skills needed to do the job. Education tells us why we do something; training tells us how we do it.



Wednesday, 15 May 2013 15:45

Securing Hadoop Data: 10 Best Practices

Storing data in Hadoop has become common practice in IT, but securing sensitive data held there remains a concern. Dataguise, a maker of data security intelligence and protection products, has provided us with 10 security best practices for organizations considering or implementing Hadoop. By following these procedures for privacy risk, data and security management, enterprises can prevent costly exposure of sensitive data, reduce their risk profile and better adhere to compliance mandates. The practices come from Dataguise's experience securing large and diverse environments.

The explosion in information technology tools and capabilities has enabled advanced analytics on big data, but the benefits often come coupled with data privacy issues. These large repositories may hold personally identifiable information (PII) such as names, addresses and Social Security numbers, and financial data such as credit card and account numbers may be present in large volumes across the environment, posing serious concerns about who can access it. Through careful planning, testing, pre-production preparation and the appropriate use of technology, many of these concerns can be alleviated.
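The discovery step that the passage implies (find Social Security and card numbers in a record before it lands in a shared cluster, then mask them) can be illustrated with the following Go program, added here and not taken from Dataguise's practices or any product. It scans one constructed record, validates card candidates with the Luhn checksum and SSN candidates against the ranges the SSA never issues, and masks each confirmed value down to its last four digits. The regular expressions, the sample record and the masking format are assumptions for illustration; in a real pipeline this logic would run inside the ingest job over every record.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one sensitive value located in a record.
type Finding struct {
	Kind  string // "ssn" or "card"
	Value string // the text as it appeared in the record
}

var (
	// US SSN in the usual dashed 3-2-4 form.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// Payment-card candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// Sample is a constructed record. The SSN and the Visa test number are the two
// real findings; the other two values are decoys that a naive regex would flag.
const Sample = "customer=Jane Doe ssn=123-45-6789 card=4111 1111 1111 1111 " +
	"order=1234 5678 9012 3456 ref=000-12-3456"

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// luhnValid reports whether a digit string passes the Luhn checksum that
// every payment-card number satisfies; it removes most random digit runs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// ssnPlausible rejects values the SSA never issues: area 000, 666 or 9xx,
// group 00, serial 0000.
func ssnPlausible(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// Scan returns the validated findings in a record and a copy of the record
// with each finding masked down to its last four digits.
func Scan(record string) ([]Finding, string) {
	var findings []Finding
	masked := record
	for _, m := range ssnRe.FindAllString(record, -1) {
		if ssnPlausible(m) {
			findings = append(findings, Finding{"ssn", m})
			masked = strings.ReplaceAll(masked, m, "***-**-"+m[7:])
		}
	}
	for _, m := range cardRe.FindAllString(record, -1) {
		d := onlyDigits(m)
		if luhnValid(d) {
			findings = append(findings, Finding{"card", m})
			masked = strings.ReplaceAll(masked, m, strings.Repeat("*", len(d)-4)+d[len(d)-4:])
		}
	}
	return findings, masked
}

func main() {
	findings, masked := Scan(Sample)
	for _, f := range findings {
		fmt.Printf("%-4s %s\n", f.Kind, f.Value)
	}
	fmt.Println(masked)
}
```

Validation is what keeps such a scanner usable at Hadoop scale: without the Luhn and SSA checks, order numbers and reference IDs would be flagged (and masked) as often as real card and Social Security numbers.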



A survey of 506 data professionals working in UK businesses, carried out by London Economics on behalf of the UK Information Commissioner’s Office (ICO), reveals today that 87 per cent of them don’t know what it will cost to implement the EU’s General Data Protection Regulation.

Worse still, accurate understanding of the new regulation, likely to come into force in 2016, is very scant indeed. The survey interviewees were asked questions about the 10 main provisions proposed by the new law and 40 per cent failed to give a fully accurate description of any of them. Not one. And these are data specialists.



In recent years, companies—public companies in particular, but private companies as well—have increasingly created standalone compliance functions to guide, monitor, and measure adherence to company ethics policies, as well as myriad laws and regulations, including those relating to fraud and corruption. As compliance offices expand globally and take on more authority, personnel, and responsibility, they also become more visible cost centers in the organization. A question that may be increasingly asked of compliance officers is how they are defining and measuring value. In short: what is the return on investment (ROI) of their departments?

Capturing this ROI in a detailed and effective manner can be elusive. It is self-evident that compliance functions exist for the purpose of preventing and detecting violations of law and company policy and promoting a culture of compliance, but how can that be measured with any degree of reliability? Specifically, there is the difficulty of proving a negative: how does a company quantify what might go wrong—or would have gone wrong—had the company not invested in compliance initiatives?



Companies are playing it safe when developing new products and services, research shows.

A new study by Accenture revealed that nearly half of executives feel their businesses have become more risk averse when considering new ideas. Instead of inventing new products and services, 64 percent of companies focus more on product-line extensions.



In the summer of 1968, a new strain of influenza appeared in Hong Kong. This strain, known as H3N2, spread around the globe and eventually killed an estimated 1 million people.

A new study from MIT reveals that there are many strains of H3N2 circulating in birds and pigs that are genetically similar to the 1968 strain and have the potential to generate a pandemic if they leap to humans. The researchers, led by Ram Sasisekharan, the Alfred H. Caspary Professor of Biological Engineering at MIT, also found that current flu vaccines might not offer protection against these strains.

“There are indeed examples of H3N2 that we need to be concerned about,” says Sasisekharan, who is also a member of MIT’s Koch Institute for Integrative Cancer Research. “From a pandemic-preparedness point of view, we should potentially start including some of these H3 strains as part of influenza vaccines.”



Security and technology heads at top Australian organisations say the impact of a mandatory data breach reporting scheme on businesses will largely depend on what the Federal Government determines are 'reasonable' security controls.

Plans for a data breach notification scheme were shared with a small number of stakeholders as the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC.

The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.



Tuesday, 14 May 2013 14:59

Not what it seems

I was walking my dog, Barney, recently when someone stopped to say hello. To him, not me – he’s always the first one that people talk to, I can’t think why. “I love Springer Spaniels,” she said, when she eventually acknowledged my presence, “in fact I have two myself.”

"Actually he's a Field Spaniel" I replied, to which she asked "are you sure? He looks like a Springer."
I pointed out that whilst his markings are quite Springer-like, Field Spaniels are generally a bit shorter, a bit stockier and a bit squarer-faced than Springers (and a tad more expensive, but I kept that one to myself as I thought she might take it the wrong way).



Business continuity is a big deal. Having your infrastructure up and running in the case of an outage, a disaster, or some other unforeseen event can make the difference between generating more revenue (based in large part on your consistency as a business) and losing untold dollars and credibility.

One of the hallmarks of the new, distributed and mobile workforce is BYOD, a movement that is increasingly enabled by innovative cloud technologies. BYOD has great virtues for an organization, especially in the instances where business continuity planning comes into play. If your workforce can still access their communication and collaboration tools, any disruption to business as usual can be mitigated.



Tuesday, 14 May 2013 14:58

Preparing SMBs when disaster strikes

Determining an organization’s tolerance for loss is a key first step in preparing for disaster recovery. The cost a business incurs to maintain a suitable disaster recovery plan depends largely on how closely it relies on IT for its revenue.

This is true for any sized business from the large online vendors such as Zalora.com or Xinmsn.com to SMEs with a small online cart.

For example, companies like Amazon or Google depend so heavily on their IT infrastructure that their tolerance for outages is zero, whereas a factory in rural Malaysia might have a higher tolerance for outages or even data loss.



India has made encouraging progress in recent years to put in place mechanisms for disaster prevention and mitigation, but there is still a long way to go and local communities must be involved in the effort, Prime Minister Manmohan Singh said Monday.

Addressing the first session of the National Platform for Disaster Risk Reduction (NPDRR) here, the prime minister called for greater attention to arrangements for providing funds to people to cope with losses suffered in the wake of natural disasters.

"Disaster management is an area of vital national importance to our country, and I believe that the integration of disaster risk reduction strategies into our development initiatives must necessarily involve local communities. We must make full use of our Panchayat Raj institutions to achieve this objective," the prime minister said.



If somebody asked you to do the exact same work over and over again, would you think that was a smart thing to do? Of course not. But that’s exactly what many of us are doing in our backup environments.

There are a lot of technology approaches to backup, and all of them have to deal with ever increasing amounts of data.  But they are not all equally smart. In fact, when you look at them a certain way they can be downright stupid. And while “Dumb and Dumber” may have been quite popular as a movie, it shouldn’t serve as an approach to backup.



Emergency medical technician (EMT) students at San Jacinto College in Houston were plenty busy recently learning proper procedures for a rescue demonstration, all the while dodging flying paintballs.

It was part of a training exercise that points to the importance of communication and teamwork, even during the heat of a scenario like a shooting or bombing. San Jacinto College North (there are two programs, North and Central) instructor and Army veteran, Ali Shah said the paintball exercise is a “watered down” version of the Tactical Combat Casualty Care course that soldiers experience in the military.



As the current Terrorism Risk Insurance Act (TRIA) moves closer to its scheduled expiration date of December 31, 2014, the debate is heating up over whether the federal backstop remains necessary and whether the market demand for terrorism coverage still exists. According to the Marsh 2013 Terrorism Risk Insurance Report, released April 30, demand for coverage has remained both steady and strong. These results only reinforce the need for a long-term extension of the terrorism backstop.

During the first full year of TRIA, only 27% of organizations obtained terrorism coverage as the market was still adjusting to the TRIA program and the fallout from the 9/11 attacks. Since that time, take-up rates have grown steadily. By 2005 the take-up rate for terrorism insurance was 58%. Today the rate is more than 60%—where it has been since 2009. The take-up rates are highest among companies with total insured value (TIV) over $500 million, but even those companies with less than $100 million in TIV obtained terrorism insurance at a 59% rate in 2012.



Andras Cser probed a sore spot in IAM last week with his post, “XACML Is Dead.” It’s a necessary conversation (though I did see a glint in his eye at the Forrester BT Forum after he pressed Publish!). Our Q3 2012 Identity Standards TechRadar showed that XACML has already crested the peak of its moderate success trajectory, heading for decline. We haven’t seen its business value-add or ecosystem grow since then, despite the publication of XACML 3.0 and a few other bright spots, such as Axiomatics’ recent funding round.

It’s not that we don’t need an interoperable solution for finer-grained access control. But the world’s demands for loosely coupled identity and access systems have gotten...well, more demanding. The solution needs to be friendly to open web API security and management. It needs to be friendly to mobile developers. And it most certainly needs to be prepared to tackle the hard parts of integrating authorization with truly heterogeneous cloud services and applications, where business partners aren’t just enterprise clones, but may be tiny and resource-strapped. This admittedly gets into business rather than technical challenges, but every ounce of technical friction makes success in the business realm less likely.



Top executives within organizations are always thinking about how they expand beyond their role. For chief audit executives (CAEs) specifically, the demand and necessity to do so has ebbed and flowed over the past decade, but it has picked up steam in recent years because of the increased expectation on CAEs to deliver more value. The ways CAEs can do this include being more strategic, having more of a business risk mindset rather than pure audit, and bringing business acumen to the table. But right up there with those three mandates is increasing adoption of technology by internal audit departments.



Experts say employers can prevent many motor vehicle accidents among their workers, often at little expense. By focusing on the issue and including driving as part of a corporate safety culture, businesses can greatly mitigate the risks associated with motor vehicle incidents.

Latest trends. A preliminary estimate of motor vehicle fatalities for 2012 indicates an increase over 2011, according to the National Safety Council. The 36,200 deaths represent a 5 percent increase and the first since 2005. Crash injuries that required medical attention were also estimated to have increased by 5 percent to 3.9 million.



We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.

On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (Check out this infographic from Open Site, for an overview of data breaches in higher education.)

Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:



Monday, 13 May 2013 15:19

Are you prepared for an incident?

Increased media attention on cyber incidents, strong data protection legislation and regulatory interest in security has brought increasing investment and progressive improvement in proactive security within companies.

This usually takes the form of a manager responsible for information security, and the introduction of technical security controls. However, I have seen companies struggle with optimising the use of these controls both in defending against attacks, and responding effectively to an incident when an attacker breaches these controls.



Monday, 13 May 2013 15:18

Active Data Vs. Active Archive

In my last column I discussed how what we used to consider active data is changing. We now have to look at the potential working set instead of the actual working set. Thanks to initiatives like real-time analytics, some data that we used to classify as archivable now needs to be at the ready. If this is the case, what is the role of archive? How do disk and tape archives participate in an increasingly active world?

The key to a balanced storage strategy, even with all this active data, is to change how we decide to archive a certain set of data. Under the current archive methodology the most common decision point was last modification date. In other words, data that is X days/years old can be archived, everything else has to stay on primary storage. The problem with this methodology is it is not compatible with real-time analytics and not even really compatible with the way users use data.



Monday, 13 May 2013 15:14

Top five tips to master BYOD security

Business owners are becoming increasingly concerned with the proliferation of technology in the workplace. Innovations such as BYOD, cloud, global access and social networking have many CIOs spinning their wheels on how to effectively secure their data and protect valuable intellectual property.

In this (n)ever-changing threat landscape, companies and governments are constantly battling organised cybercrime and hacktivism. With malware such as Flame, Stuxnet and Shamoon in the modern-day cybercriminals’ arsenal, CIOs need to stay one step ahead of the game and prepare for attacks accordingly.


Residual Risk: if you’re not familiar with the term, you should learn how it applies to your Business Continuity Management program.

In pulmonary science (the study of lungs) there’s something called ‘residual volume’.  That’s the amount of air that remains in your lungs after you forcefully exhale.  No matter how hard you try, there will always be residual volume.

In Business Continuity Management there’s something called ‘residual risk’.  It’s not much different: once you’ve mitigated identified risks, what’s left is residual risk.  No matter what you do, there will always be residual risks.  Business Continuity Plans are the primary tactic to deal with those residual risks.



Monday, 13 May 2013 15:11

7 Things That Can Ruin a BCM Program

When financial hardships strike an organization, the Business Continuity program usually takes a hit. In fact, often it will take a hit when times are good so that the corporation can focus on other initiatives; initiatives designed to build upon the good times and keep the company making money. Increase that revenue, YEAH!! When this occurs, resources get reassigned to other projects and the BCM program gets placed on the back burner or it will see resources funnelled away to support other initiatives.

What kind of things do organizations cut from their budgets that can undermine and slowly dismantle a BCM program? Here’s just a short list of some of the actions corporations will take in diverting BCM intended resources.

1. Training – Training is suspended because sending employees on courses to upgrade and keep skills current is deemed too costly, especially if travel and accommodation is required. This training also helps to bring new ideas to the organization on how to better their programs, but at the same time many executives (or those that approve BCM training) will simply state that the corporation already knows what it would do. Thus, additional training isn’t required. Or worse, they send BCM people on courses that have nothing to do with their role.



Are you a believer in serendipity, that magic moment when several disparate things come together to produce something marvelous that is greater than the sum of its parts? I am and I believe we could be on the cusp of such a moment if we can seize the opportunity.

Three things occurred this week that make me feel this way. The first is the thoughtful comments of readers of last week's blog on emergency management education, particularly those that reminded me of the Emergency Management Institute's Emergency Management Professional Program. EMPP is intended to develop core competencies for emergency managers and does an excellent job of combining concepts and general and specific skills.



There’s no telling when a major natural or man-made disaster can affect your company’s operations. Just because no calamity has ever affected your community doesn’t mean you’re completely safe. The specter of disastrous data loss can make most business operators think ahead and draft a reliable disaster recovery plan. This website and our publication The Data Center Journal will keep you abreast of the latest practices.

Disaster recovery, often shortened as DR, is the process of getting operations back on track in the critical period following a serious calamity. This is a step-by-step process that requires extensive brainstorming and support from the rank-and-file all the way up to senior management. For instance, a DR plan should first be raised within upper management as they need to be convinced of the viability of any proposed solution.



Monday, 13 May 2013 14:49

The Next Pandemic: Not if, but When

TERRIBLE new forms of infectious disease make headlines, but not at the start. Every pandemic begins small. Early indicators can be subtle and ambiguous. When the Next Big One arrives, spreading across oceans and continents like the sweep of nightfall, causing illness and fear, killing thousands or maybe millions of people, it will be signaled first by quiet, puzzling reports from faraway places — reports to which disease scientists and public health officials, but few of the rest of us, pay close attention. Such reports have been coming in recent months from two countries, China and Saudi Arabia.

You may have seen the news about H7N9, a new strain of avian flu claiming victims in Shanghai and other Chinese locales. Influenzas always draw notice, and always deserve it, because of their great potential to catch hold, spread fast, circle the world and kill lots of people. But even if you’ve been tracking that bird-flu story, you may not have noticed the little items about a “novel coronavirus” on the Arabian Peninsula.



Who would have imagined? At a time when the Dow Jones Industrial Average climbs above 15,000 for the first time and investor euphoria persists, trust in companies and their CEOs ranks near or at record lows. In this case, "rank" can serve as an adjective, too. Investors even have turned against the CEO who once could do no wrong, JP Morgan Chase's Jamie Dimon, urging him to surrender one of his roles as chairman and CEO because of some celebrated gaffes.

These corporate governance issues and crises have sparked a steep rise in reputational risk as trust in business continues a decade-long erosion. And good business practices alone won't remedy it. Challenges to a company's reputation arise from a specific business decision or practice. To manage that reputation successfully requires the active leadership of the CEO with the board of directors serving as avid monitors.



Patrick Meier is an expert on the application of new technologies to crisis early warning, humanitarian response and resilience. He currently serves as Director of Social Innovation at the Qatar Foundation’s Computing Research Institute and blogs at www.iRevolution.net. He co-founded the Harvard Humanitarian Initiative’s Program on Crisis Mapping and Early Warning, CrisisMappers, Digital Humanitarians, and the award-winning Standby Task Force. He served as Director of Crisis Mapping at Ushahidi and has consulted extensively for many international organizations and programs. He received his PhD from the Fletcher School.

While a fast and comprehensive means of reporting breaking news, social media brings with it the risk of misreporting, which in some cases can be quite dangerous, as with Reddit’s misidentification of the Boston bombing culprit. How can authorities determine what’s credible? What is the relationship between law enforcement and social media?



Cloud technology is the future for the business-world. According to KPMG, it’s now used by most organisations. However, with this new technology come new risks for company information security, and it is important for HR teams to ensure that they update company IT policies to adequately protect business interests.

What’s different about cloud computing?

Cloud systems are often different from the traditional IT infrastructure set up by a company itself because they are normally provided by a third party supplier, and so businesses do not have as much control over the cloud system as they would over their own IT infrastructure.



This Tuesday, May 14, marks the second annual World Risk Day—a global forum for those in the industry to discuss trends, challenges and best practices in risk management. One of the many speakers lined up for the event is Michael Lopez, senior associate at Booz Allen Hamilton. To get his take on the role of the modern risk manager, we asked him a few questions.

Risk Management Monitor: Has the idea of the role of risk manager been lost? How so?



In news that certainly won't be music to the ears of the CIO, new research has found that as many as 46% of employees have admitted to bypassing security to get their jobs done.

This is despite the converse figure that 85% has said that security has added value to their company.




Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?”

Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.


Concerns over the government's IT supply chain have typically centered on issues like counterfeit parts or defective materials. But there's a "soft underbelly" to supply chain vulnerabilities, and it is becoming more critical as agencies increasingly purchase managed services often delivered via software. Officials warn that this risk is especially acute in critical infrastructure, where there is growing and interconnected reliance on cyber.

Cloud services, software as a service and service-oriented architecture allow the government to get out of businesses that are not core competencies. But they also allow agencies to believe they are handing over security responsibilities to outside providers, according to Joe Jarzombek, director for software assurance within the Department of Homeland Security's Office of Cyber Security and Communications.



The growing threat of cyber attacks has moved IT disaster recovery planning up the agenda for many businesses, but why pay every year for something you are never likely to use?

Developing an IT disaster recovery plan, with step-by-step procedures for recovering disrupted systems will identify business-critical IT systems and networks. It will assess the required recovery time and establish the steps to restarting, reconfiguring and recovering them. 

Instead of outsourcing the entire responsibility for disaster recovery to external service providers, it’s possible for smaller businesses to plan and protect their business, but only pay if disaster strikes.



Network World — "The coming meltdown of IT; the out of control proliferation of IT failure is a future reality from which no country or enterprise - is immune. The same IT failures that are eroding profitability in the United States are impacting the economy in Australia. IT failures are rampant in the private sector, the public sector, and the not-for-profit sector. No place is safe. No industry is protected. No sector is immune. This is the danger, and it is real."-- Roger Sessions, CTO, ObjectWatch

Have you had an IT project go astray? Maybe you were lucky and it was a brief hiccup with minimal financial consequences. Or maybe you had a disaster of biblical proportions, such as the one that befell Levi Strauss in 2008.



During his keynote address at the 15th annual New Jersey Emergency Preparedness Conference in Atlantic City, the Honorable Tom Ridge praised emergency and first responders for their impressive response to Superstorm Sandy.

“The emergency management community in New Jersey gets it,” he said. “I’m fascinated by the stories I’ve heard about the response to Superstorm Sandy.” For example, the seamless communication between private and public sectors during the response demonstrated how well those in the state had trained and practiced together, he said.



IN A STRANGE TWIST of evolution, the influenza virus seems to have endless capability to reinvent itself, infecting waterfowl, swine and humans over and over again with great power and destructive force. A periodic reassortment of its genes gives rise to new variants that have not been seen before. Each time, the new variant poses a potential threat to both man and animal. Another shuffle of the deck has just occurred, leading to a new outbreak of bird flu in China, where people and fowl are often in close contact.

This variant, known as H7N9, has not reached U.S. shores, but it is a reminder of the unpredictable nature of influenza. It might cause a pandemic, or settle into a slow burn for years, or simply die out. At this stage, no one knows. The uncertainty ought to remind us of past lessons about infectious disease and globalization, which remain as urgent as ever.



Thursday, 09 May 2013 15:18

A data loss reality check

Virtualisation and the cloud are bringing greater flexibility, agility and capabilities to users - but very little has been done to test data recovery plans.

This lack of preparation can have serious consequences if a data disaster strikes. Adoption might be inevitable but it takes time and investment to create a data recovery plan that can protect businesses. It might require some cost upfront but safeguarding data can provide long-term savings that are too big to ignore.


CSO — While organizations have been hot to virtualize their machine operations, that zeal hasn't been transferred to their adoption of good security practices, according to a survey released on Wednesday.

Nearly half (42 percent) of the 346 administrators participating in the security vendor BeyondTrust's survey said they don't use any security tools regularly as part of operating their virtual systems, and more than half (57 percent) acknowledged that they used existing image templates for producing new virtual images.



When disaster strikes on or near a college campus, local first responders don’t always have the staff or resources to help immediately — especially when the campus is as big as a small city.

That’s why thousands of students, faculty and staff on campuses nationwide are being certified to help.



Many managed services providers (MSPs) selling backup and disaster recovery (BDR) offerings may not have hit the ground running when they first rolled out their services. Some strategies worked, while others failed. To find out where MSPs may have made common errors, we’ve reached out to a couple of MSPs in the channel and asked them to share their mistakes for the sake of education. Here’s what we found in this MSPmentor exclusive.

Strata Information Technology, Inc President Pete Robbins (pictured) and CCNS Consulting owner Karl Bickmore (pictured in the promo image) confessed their initial BDR mistakes to us, and let us share them to help alleviate early BDR pains for other MSPs. We’ve broken down their errors into three categories: sizing BDR, operating and understanding data in a disaster, and selling complicated offerings.



A new report released by Ernst & Young presents a disconcerting paradox when it comes to corporate sustainability efforts.

While more companies are concerned about increased risk and proximity of natural resource shortages, corporate risk response appears to be inadequate to address the scope and scale of some of these challenges.



Six months later, the cleanup from Hurricane Sandy is still a work in progress. The Storm that caused some $50 billion in damage and killed 159 people has not been forgotten by those along the east coast. The following is a snapshot of Hurricane Sandy by the numbers.



Computerworld — Big data may seem to promise big insights to users, but more isn't always better, cautions statistician Nate Silver, who became one of America's most well-known faces of data analysis after his FiveThirtyEight blog accurately predicted 2012 presidential election results in all 50 states.

The more data there is, "the more people can cherry pick" data points that confirm what they want it to show, he said.



Not very long ago disaster recovery was a luxury afforded by only the very large companies due to the prohibitive cost and effort required. Frequently even these large companies were unable to justify the investment and went without a disaster recovery plan. Today, virtualization and cloud enables companies of all sizes to implement a scalable, highly efficient disaster recovery plan without a huge investment.


At one time, investment in disaster recovery came in one of two forms: build a replica or subset of the production computing environment at a secondary site, or contract with a disaster recovery provider. These disaster recovery providers maintained data centers equipped with compatible computing platforms upon which a company could restore their environments when a disaster was declared. The latter was often the more feasible solution since the service provider was able to leverage their hardware investment over a pool of customers, thereby lowering their per-unit cost and passing some of the savings along to their customers. Though, I have heard many companies complain over their $50,000-$400,000 monthly costs to maintain their contract for a secondary site disaster recovery location. These exorbitant fees did not even cover the customer’s annual testing costs to simulate a disaster and test their recovery process, which often included IT staff members rolling through airports with cases of backup tapes.



Wednesday, 08 May 2013 15:09

Beyond GRC

A bold new experiment is taking place in the Federal government across a number of agencies to identify and address systemic risk before the next financial collapse occurs.  You may be familiar with the Securities and Exchange Commission’s Division of Risk, Strategy, and Financial Innovation.

Over the last 3 years, the SEC has revamped this Office into a “think tank” with a multidisciplinary team of professionals from a variety of academic disciplines. This is not your father’s SEC; the team is made up of 35 PhD financial economists, financial engineers, programmers, MBAs and other experts.



Analysts and experts examining the field of government technology and innovation identify the emergence of cloud computing to be a major trend in government transformation. However, from the discussions I participated in during FutureGov Forum Singapore 2013, it was clear that the concerns most government departments have about cloud computing have not changed, and remain common across departments and even countries!

Two interactive discussion tables on cloud computing at FutureGov Forum Singapore 2013 gave senior IT decision-makers the chance to share their experiences and concerns, and gain new ideas to respond to the challenges they’re facing in their organisations.



CIO — With so many social media outlets to choose from -- Facebook, Twitter, Pinterest, LinkedIn, YouTube and Google+, as well as more specialized sites -- how do you pick the one, or three, that will deliver the best return on your investment of time and resources? To find out, CIO.com queried dozens of IT executives and social media experts. Following are their top six tips for choosing the best social media sites for your small business.



We've seen too many security breaches, password leaks, and account takeovers recently, and it's only getting easier for hackers to crack large databases of passwords. Although passwords aren't as strong a protection as they used to be, they're still the frontline of our defense against cyber thieves, so it's worth the few minutes it takes to make your password as strong as possible. Today, Change Your Password Day, is the perfect day for that.

Intel and McAfee banded together to name May 7th Change Your Password Day, but in truth, if you're reading this on May 8th or on any other month and day, it's still Change Your Password Day if you haven't thought about your passwords in a while.



Disasters are scary — there’s no question about it. But as much as they cause fear, they also bring people together, connecting communities in ways that few other incidents can. Focusing on those connections, rather than the catastrophe, is the theory behind the San Francisco Department of Emergency Management’s (SFDEM) new project SF72.org, created to enhance the city’s disaster preparedness.

The site, set to launch this fall, aims to connect citizens willing to offer resources and services — from food, water and an extra generator to mechanical services and a place to stay — 72 hours after a disaster occurs.



Wednesday, 08 May 2013 15:04

XACML is dead

Conversations with vendors and IT end users at Forrester's Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead or will be transformed into access control (see Quest APS, a legacy entitlement management platform based on BiTKOO, which will probably be morphed by Dell into a web SSO platform).

Here are the reasons why we predict XACML is dead:



While companies recognize potential risks posed by natural catastrophes, many have insufficient mitigation plans in place, according to global survey results from Zurich Insurance Group.

There is a widespread perception that natural catastrophes are becoming not only more frequent, but more severe. Companies are assigning adequate importance to assessing and mitigating the associated risks, the research confirmed.

The study, Natural catastrophes: business risks and preparedness, which polled 170 executives from medium and large companies around the world, was conducted in January by the Economist Intelligence Unit and sponsored by Zurich.



Wednesday, 08 May 2013 15:01

From CDC to ABC: H7N9 from Hong Kong

Taking on the role of interim CDC director can be an intimidating task, but an impending pandemic can make the position exponentially more daunting. This is the situation Dr. Richard Besser faced in 2009 when he stepped into his new job. But Besser took the task head on and guided the country’s premier health agency through the H1N1 outbreak with skill and confidence. Through this experience Besser saw firsthand how important communication is to building the public’s trust and improving health behaviors.

When it was time for Besser to hand over the reins, his next career choice made perfect sense, Chief Health and Medical Editor for ABC News. He would be able to continue his work communicating important health information to the public, and hopefully help improve the lives of his viewers.



The lack of comprehensive control over cloud-based environments, coupled with the uncertainty about how to manage insider threats, mobile access and compliance issues, poses daunting challenges for senior IT managers. Data is suddenly everywhere, and so are the number of people, access points and administrators who can control – or worse, copy – the data. This is a key issue for businesses as they are losing control of their data in the cloud.

This creates real uncertainty about how to manage IT security in the cloud. Recent independent research revealed that 89% of the global information security workforce lacks clarity as to how security applies to the cloud, and 78% of information security professionals lack understanding of cloud security guidelines and reference architectures.



Building a disaster recovery plan (DRP) can be simple, yet many businesses are still without one, which leaves them vulnerable to data loss. Your role as a managed services provider (MSP) is to protect your customers from catastrophic losses by assisting them with a customized plan that fits their backup and disaster recovery (BDR) needs. Disaster recovery (DR) and intelligent business continuity (IBC) solutions vendor Datto offered MSPs some insight regarding this topic on the company's blog. We'll reveal the key points of an effective DRP that ensures business continuity (BC).



Identity management problems arose nearly a decade ago when organizations began to increase the number of business processes automated through web applications and integrate more systems into daily operations. This situation provoked a new challenge: How should you keep access control lists up-to-date when users are given multiple usernames and passwords? Even worse, if an employee leaves the company, how do you coordinate with HR departments to have IT teams disable access to their applications?

Today, with the evolution of technologies and the increased use of cloud-based applications, organizations face the same challenges in finding an effective way to perform user identity management. Though the environment has evolved, the nature of the problem persists: Identity management is time-consuming, expensive and difficult.



MARION — As the four-year anniversary of the May 8, 2009, derecho approaches, Ameren Illinois officials remind the public to be prepared for and cautious during storms and inclement weather.

Ameren invited members of the media to visit its Southern Illinois emergency operations center and explore one of the utility company’s five disaster recovery trailers.

“Our job is to keep the lights on and the gas flowing,” George Justice, Ameren’s Southern Illinois division director, said. “Our message has been put into practice many times in the past few years.”



Computerworld — HIPAA and outdated communications devices can make it harder to deliver effective patient care, according to a survey of physicians, hospital administrators and IT pros.

The survey by the Ponemon Institute is based on responses from 577 healthcare and IT professionals in organizations that ranged from fewer than 100 beds to more than 500.

Fifty-one percent of respondents say HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces time available for patient care (according to 85% of respondents), makes access to electronic patient information difficult (79%) and restricts the use of electronic communications (56%).



Working with a backup and disaster recovery (BDR) vendor may be a new experience for some managed services providers (MSPs), but that doesn't mean the relationship has to be treated differently than any other business partnership -- or does it? We reached out to disaster recovery (DR) and intelligent business continuity (IBC) solutions vendor Datto to learn more about the relationship (partnership) between MSPs and BDR vendors in the channel. How can MSPs work more productively with BDR vendors? We'll reveal the answers in this MSPmentor exclusive.



Commonwealth Healthcare Corp. emergency preparedness director Warren Villagomez assures that the CNMI still has zero suspected cases of a bird flu strain originating from China.

As of May 3, the World Health Organization website has recorded 126 cases and 24 deaths caused by the avian influenza A(H7N9) virus.

According to Villagomez, the corporation remains vigilant against this bird flu outbreak and continuously monitors all activities from different sources, such as daily updates from WHO and from the U.S. Centers for Disease Control and Prevention, among other sources.



Threats to water, a requirement for life, make for compelling story lines. The movie Batman Begins includes a poisoned water supply as a plot point, for example. But threats to the water supply aren’t just the stuff of modern fiction.

“The idea of poisoning drinking water goes back a long way,” said James Salzman, a professor of law and environmental policy at Duke University and author of Drinking Water: A History. The Roman emperor Nero is said to have poisoned his enemies’ wells in the first century. J. Edgar Hoover obsessed over threats to the water supply during World War II.



Deloitte’s Risk Intelligence White Papers are a set of thought leadership that I have strongly recommended in the past — and continue to do so today.

They get an A- from me for their latest addition, The board’s role in cultivating a risk-intelligent enterprise (PDF). They get the A- for some truly excellent guidance, but a small “mistake” (in my opinion) prevents their receiving a top grade.



Monday, 06 May 2013 16:53

Foiling Phishing With Authentication

In its new report on using e-mail authentication to fight phishing attacks, BITS offers a list of best practices and recommendations, including expanded use of the DMARC security protocol.

BITS, the technology policy division of The Financial Services Roundtable, believes that the Domain-based Message Authentication, Reporting and Conformance protocol plays a key role in mitigating phishing schemes.



Recent years have seen severe weather events make a tremendous impact on business owners, resulting in lost and delayed sales, increased expenses for repair work, and the delayed resumption of normal business activity. Such events have only reinforced the need for a documented disaster recovery plan for your business.

Every day that a disaster puts the average small business or midsize company offline and out of office costs big—a median cost of $12,500 per day, according to a survey by the software company Symantec.



With the June 1 start of the 2013 Atlantic hurricane season just one month away, the Insurance Information Institute (I.I.I.) is urging people to prepare for the heightened flood risks that come with hurricanes and tropical storms.

The I.I.I. notes that the most recent two hurricane seasons have shown how devastating the consequences of seasonal flooding can be, with losses felt well beyond the high risk areas nearest the water:



STATEN ISLAND, N.Y. -- Borough residents who turned down Small Business Administration loans because they didn't want to go deeply into debt to fix their storm-battered homes and businesses may get less federal grant money because of that choice, according to Rep. Michael Grimm.

In a letter dated this Monday, Grimm (R-Staten Island/Brooklyn) is asking Housing and Urban Development Secretary Shaun Donovan -- who chairs President Obama's Hurricane Sandy Rebuilding Task Force -- to waive a federal policy he says punishes "people who played by the rules and maintained good credit."



This new guidance raises the need for the academic community to address what is sometimes perceived to be a fundamental dichotomy between the need for openness and the need for the control of sensitive information.

Information security is most easily understood as being concerned with the protection of three key attributes: confidentiality (keeping information away from those not authorised to access it), integrity (keeping data or information in the form intended), and availability (making sure that information systems can provide information to those authorised to have it whenever needed).



Monday, 06 May 2013 16:47

To Fight Pandemics, Reward Research

That frightening word “pandemic” is back in the news. A strain of avian influenza has infected people in China, with a death toll of more than 25 as of late last week. The outbreak raises renewed questions about how to prepare for possible risks, should the strain become more easily communicable or should other deadly variations arise.

Our current health care policies are not optimal for dealing with pandemics. The central problem is that these policies neglect what economists call “public goods”: items and services that benefit many people and can’t easily be withheld from those who don’t pay for them directly.



The novel avian influenza A H7N9 virus originated from multiple reassortment events. The HA gene might have originated from avian influenza viruses of duck origin, and the NA gene might have transferred from migratory birds infected with avian influenza viruses along the east Asian flyway. The 6 internal genes of this virus probably originated from 2 different groups of H9N2 avian influenza viruses, which were isolated from chickens. Detailed analyses also showed that ducks and chickens probably acted as the intermediate hosts leading to the emergence of this virulent H7N9 virus. Genotypic and potential phenotypic differences imply that the isolates causing this outbreak form 2 separate subclasses.



Imagine that Hurricane Sandy came knocking at your door. Would your IT infrastructure be safe? Would your staff have a suitable workspace to continue operations? Don’t let your business be a victim of a disaster as some experienced in New York and New Jersey when their cooling systems were forced to power down and flooding killed their network. These events are further explained in an article entitled In Sandy’s Aftermath, Epic Challenges for Data Centers about some of the effects Hurricane Sandy had on data centers. To ensure that your disaster recovery strategy can withstand the test of a disaster, here are four important items to consider.



Friday, 03 May 2013 16:17

Terrorism: understanding & mitigation

The World Economic Forum recently issued its 8th report on Global Risks. It examines different threats on a twin axis of impact and likelihood. It should come as no surprise that terrorism remains towards the higher end of the spectrum, a fact of particular concern given that it can have an immediate financial impact.

While developed countries have suffered comparatively few major attacks since 9/11, in general global terrorist activity has increased significantly over the past decade. If anything, the fragmentation of Al Qaeda has brought greater unpredictability as new groups emerge that may share Al Qaeda's beliefs but are not funded by them. Some of the most high-profile attacks over recent years have been the Madrid bombings in 2004 (where 191 people died and damage was $125m), the London attacks in 2005 and Mumbai in 2008 (where 170 people died and damage to three hotels totalled more than $110m) plus suicide bombings across Moscow.



CIO — Would you trade your thousand-page outsourcing contract--the one that provides commitment, certainty, and clear-cut requirements and pricing--for a much simpler master services agreement and a handshake with your IT service provider?

Thomas Young, partner at outsourcing consultancy and research firm Information Services Group (ISG), thinks you should.

For years, outsourcing industry experts have likened a successful outsourcing relationship to a happy marriage--one that requires mutual hard work, assurance and respect to last in the long term. But rather than marrying your next outsourcing provider, Young argues, why not take the outsourcer out on a date and see how things go?



BEIJING — Chinese authorities have detained two Internet users for allegedly spreading rumors about the new bird flu virus on the nation's top Twitter-like microblogging site, Sina Weibo.

The two Internet users, surnamed Li and Gong, deliberately created the online rumors as a way to draw attention, according to a Thursday posting from China's State Internet Information Office.



Scientists at the Earth Science Office at the NASA Marshall Space Flight Center in Huntsville, Ala., are testing an airborne system that could drastically change the way hurricanes are forecast.

The Hurricane Imaging Radiometer (HIRAD) flies on a Global Hawk unmanned vehicle to gauge the intensity of a hurricane out over the ocean. There are differences between this system and conventional hurricane forecast tools that could make HIRAD a game changer for forecasters and emergency managers.



Enhancing resilience requires a detailed understanding of the character of organizations. Culture is at the heart of organizational identities; it is part of what characterises organizations and, by association, what brings strength and success. It comprises perceptions of norms and standards and it encapsulates ‘ways’ of doing things largely based upon locations, organizational structures and interpretations of shared experiences. It is built from the aggregation of sub-unit standpoints as well as the interactions between those sub-units. Culture evolves in response to experiences as the perception of what occurred during particular episodes becomes part of the grain of an organization. More often than not, culture is thought of in positive terms, differentiating one organization as better or stronger than another.

When attempting to improve resilience, a ‘start state’ is an important feature in order to fully understand the scale of the task in attaining the desired end state. This is a truism which is equally relevant whether one is dealing with a single small organization or a grouping of states containing hundreds of millions of citizens. In both cases, cultural considerations are of the utmost relevance.



A paper in the journal Nature by Dirk Helbing, Swiss Federal Institute of Technology Zurich, has looked at the various global networks that exist and illustrated how cascade effects and complex dynamics amplify the vulnerability of these systems.

Our global networks have generated many benefits and new opportunities. However, they have also established highways for failure propagation, which can ultimately result in man-made disasters. For example, today's quick spreading of emerging epidemics is largely a result of global air traffic, with serious impacts on global health, social welfare, and economic systems.

Helbing's publication illustrates how cascade effects and complex dynamics amplify the vulnerability of networked systems. For example, just a few long-distance connections can greatly decrease our ability to mitigate the threats posed by global pandemics. Initially beneficial trends, such as globalization, increasing network densities, higher complexity, and an acceleration of institutional decision processes, may ultimately push man-made or human-influenced systems towards systemic instability, Helbing finds. Systemic instability refers to a system that will get out of control sooner or later, even if everybody involved is well skilled, highly motivated and behaving properly. Crowd disasters are shocking examples illustrating that many deaths may occur even when everybody tries hard not to hurt anyone.



LAS VEGAS - For Alex Delgado, things were going from bad to worse as Superstorm Sandy slammed the Jersey Shore. It was high tide, during a full moon. There was a 13-foot storm surge, and the data center was less than a mile from the beach. Six hours into the storm, the company’s operations team in India had to be evacuated due to a cyclone.

The staff at the International Flavors & Fragrances (IFF) data center in Union Beach, N.J. used to joke about a single telephone pole that carried “half of the Internet and half of its power.” As Sandy came ashore, that was the pole that fell. In short, had Delgado won a raffle that week, it would have been for the Hunger Games. Everything was going wrong.



Computerworld - Given the dire warnings about climate change, some business and IT people are pondering this question: How should data center managers handle the crop of 100- and even 500-year storms, coastal flooding and other ecological disasters that climatologists predict are heading our way?

Some experts suggest that managers of mission-critical IT centers simply need to harden existing facilities, other observers say they need to move the centers to higher ground and a third group says both strategies are needed.



The passenger from Vietnam didn’t speak English. And U.S. Customs and Border Protection agents at Dulles International Airport say they could not immediately find a translator. So they let the contents of the traveler’s luggage speak for itself and ran it through an X-ray machine.

That’s when they spotted the chickens, 20 of them, packed in Ziploc bags and tucked inside a cooler.



The very word can strike fear into the heart of every in-house lawyer. The costs can be astronomical and the price of mistakes can be fatal to a case. What can you do to minimize risk? As with many things in life, the keys are preparation and follow-through. Particularly for companies that are regularly involved in litigation, in-house counsel and compliance personnel can reduce uncertainty by understanding their information systems and staying on top of technological changes. When litigation is imminent or a government investigation strikes, companies with well-oiled processes will be in a better position to minimize costs and reduce the risk of devastating sanctions resulting from spoliation or incomplete compliance. While the details of the e-discovery process will be different for every company, attention to these five critical points will reduce the risks of a calamity with respect to electronically stored information (ESI).



Everyone has an opinion on the ‘cloud’ and its effect on business – some believe it is dark and scary and fraught with unnecessary risk, while others would argue it’s silver lined and the path to greater business performance and cost savings. The truth is that the cloud undeniably has the potential to open up a whole new dimension of opportunities to businesses – but only if data security is properly addressed.

First, let’s dispel any misperceptions you might have about the cloud. It’s nothing mystical, nothing whimsical, nothing to be afraid of. The reason many fear the cloud is its reputation as a dangerous, or ‘risky’, place. And that is true: anything beyond the physical perimeter of the organisation is also, theoretically, beyond the physical protection of the organisation. And let’s face it, there are dangers and risks out there, but that doesn’t mean you have to stay behind a locked door. Instead, by arming yourself with the right security you can steer clear of danger and fully tap into the cloud’s potential.


Data shows that publicized hacks, cyberattacks and data breaches continue to increase, and the majority of attacks are from outsiders. According to Verizon's 2013 Data Breach Investigations Report, released in April, 92% of breaches in 2012 were attributed to outsiders, and 19% involved state-affiliated actors.

Regardless of the motives and the types of hackers or attackers, it behooves chief information security officers (CISOs) and security staff to take actions to better defend their data from these miscreants. Data theft has consequences for organizations: bad press, impact on reputation, devalued share prices and the costs of investigating the breach. Companies may also have to take legal action and make notifications to affected individuals if a breach involves personal data theft.



The Federal Emergency Management Agency's Collaboration Community website, www.fema.ideascale.com, is currently being used to assess stakeholders' opinions of possible changes to National Incident Management System (NIMS) doctrine.

FEMA's National Integration Center (NIC) is taking feedback and engagement in this way. The site lets visitors express approval or dislike of individual ideas; some are in the negative zone but a few have positive margins of 30 or even 50 "votes." One idea currently in positive territory is this: "FEMA should assist with the implementation of a Risk Management framework by assisting communities to develop a community-specific Risk Register to assess future risks to the community and mitigation activities that can lower the risk score. This would NOT be a FEMA product (so not meant to be tracked as a deliverable with metrics assigned, etc.) but a communications technique that can start with listening to the community about what they see as future risks and where FEMA can help identify mitigation resources that can help (grants, CRS, future conditions modeling, etc.). The community would own this risk register in that FEMA is only interested in helping them apply this to become more resilient. However, it would be a good way for FEMA to measure action as a result of the Risk MAP program. The key concept here is to apply the Risk Management approach as a communications process rather than a part of a production task."



At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.



Thursday, 02 May 2013 15:36

MSPs: KISS Your BDR Customers

Go through the content in our Backup and Disaster Recovery (BDR) Infocenter to learn how to close deals with customers, leverage demos for sales, and sell BDR in an uncertain economy -- all helpful, practical, and useful topics. The next step, however, is to keep customers happy and wanting more. Customers want to see results and a return on their investment, which may be difficult to demonstrate if disaster hasn't reared its ugly head. How should managed services providers (MSPs) keep BDR customers happy, without being technical about it? It's a lot easier than you may think.



Marsh has recommended that the United States Congress reauthorize the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) in light of ongoing strong demand for terrorism risk insurance and the possibility that opting not to reauthorize the program could lead to price increases.

If TRIPRA, commonly known as TRIA, is allowed to expire or is substantially changed, terrorism insurance capacity may be difficult to acquire at reasonable costs for insureds, especially those with significant exposures in a central business district or major city, notes Marsh’s 2013 Terrorism Risk Insurance Report, released Tuesday. Almost 2,600 companies were surveyed, notes Marsh, a global leader in insurance broking and risk management.



Thursday, 02 May 2013 15:33

Public Health: Are We Too Slow?

One of the many roles of public health is to protect consumers from threats like foodborne outbreaks. Much of this hinges on quickly getting out clear messages to the public that provide simple steps to help stem the spread of disease. This is something public health professionals have been doing for over a hundred years, but a recent outbreak of Salmonella Heidelberg got us wondering, “Are we doing enough to keep the public safe? Are we too slow? And how can we improve?”

That’s not to say there weren’t triumphs in this outbreak, but like most responses we had a moment of self-reflection when the crisis was over and we were able to take a step back and consider our methods. What we found was a need for stronger policies and faster messaging to the public.



As law enforcement desperately hunted the Boston Marathon bombing suspects, the city’s reliance on commercial cellular wireless carriers became an escalating problem. Just like runners who had trouble reconnecting with their families, the city experienced major crashes in the aftermath of the deadly bombing.

"I called Comcast and asked them to open up the Xfinity Wi-Fi in Watertown," Boston Chief Information Officer Donald Denning said in an interview with Stateline.



Thursday, 02 May 2013 15:31

Every Employee is a Crisis Manager

Sure, your employees are hired to fill specific roles, but anyone who’s been in the middle of a crisis situation knows that a whole new set of responsibilities pops up, whether you’re ready or not.

BCM president Jonathan Bernstein was recently interviewed for a Hotel News Now article on terrorism risks for hoteliers, and the insight he shared holds true for any type of organization:



As data flows between countries with disparate data protection laws, firms need to ensure the safety of their customer and employee data through regulatory compliance and due diligence. However, multinational organizations often find global data privacy laws exceedingly challenging. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Originally published in 2010, the tool leverages in-depth analyses of the privacy-related laws and cultures of 54 countries around the world, helping our clients better strategize their own global privacy and data protection approaches.

Regulation in the data privacy arena is far from static. In the year since we last updated the heat map, we have seen many changes to how countries around the world view and enforce data privacy. Forrester has tracked and rated each of these 54 countries across seven different metrics directly within the tool. Among them, seven countries had their ratings change over the past year. Some of the most significant changes corporations are concerned with involve:



Only about half of state and local government CIOs polled in a recent survey said they’re prepared for a cyber-attack — even as 28 percent of them reported experiencing a system hacking or attack attempt in the previous year.

While a majority of the 36 state and local government CIOs told the Consero Group’s Government IT survey that they had the necessary infrastructure in place, about 42 percent said they found the systems vulnerable to security breaches and cyber threats, and 44 percent said they don’t feel prepared for such an attack.



Wednesday, 01 May 2013 16:49

The Top 50 Global Risks

As it does twice per year, Aon released its Global Risk Management Survey, which, among other things, pinpoints a significant decline in risk readiness among many of the more than 1,400 survey respondents. In fact, risk readiness for the top 10 risks dropped 7% from the 2011 survey.

“One possible explanation of the decline in risk readiness could be that the prolonged economic recovery has strained organizations’ resources, thus hampering the abilities to mitigate many of these risks,” said Stephen Cross, chairman of Aon Global Risk Consulting. “Our survey revealed that, despite diverse geographies, companies across the globe shared surprisingly similar views on the risks we are facing today – whether or not they feel prepared.”



Wednesday, 01 May 2013 16:48

Using Big Data to Fight Phishing

Today's spear-phishing campaigns are localized, small and can slip through typical spam filters. As a result, detection practices have to evolve, says researcher Gary Warner of the University of Alabama at Birmingham.

"The important thing to realize is that the average attacker is going to keep coming back until that institution puts in an effective countermeasure," says Warner, director of research for computer forensics at the university. "So how do we learn from the past incidents? We have to log the data, analyze it and recognize the indicators."



A common theme during this week's SAS and FICO user conferences was how to use Big Data to make fraud decisions faster, more accurately and without impacting the customers in any negative way.

Big Data is basically about 3Vs: Volume, Velocity and Variety of data to gain veracity and value in fraud management. Volume and Velocity are nothing new: fraud management products have long been capable of analyzing terabytes of data in billions of transactions - in real time.



Not all CIOs are jumping on board with the Bring-Your-Own-Device (BYOD) approach to deploying tablets, smartphones and other technologies inside their businesses.

Just ask Tony Young, the CIO at Informatica, a Silicon Valley-based cloud and on-premises data integration software vendor. He believes that BYOD often caters more to employees than to their employers and stockholders, which end up paying the costly bills for the strategy.

Essentially, says Young, BYOD can create costly new needs, such as mobile device management (MDM) systems and other products that are necessary to maintain privacy, security, and data protection for a business when workers want to use their own devices.



Data breaches are becoming more commonplace, causing millions of dollars in damages for companies that have personally identifiable information (PII) hacked by cybercriminals.

“Think about all of the losses you can incur. Not only do you have to hire a security expert to find what happened, you may be assessed fines or penalties by the merchant’s acquiring bank or payment card brand. In addition, you could be responsible for credit card charges made by the criminals and lose business because no one trusts you anymore,” says William M. Goddard, CPCU, principal, Insurance Advisory Services at Brown Smith Wallace.

Smart Business spoke with Goddard and Lawrence J. Newell, CISA, CISM, QSA, CBRM, security and privacy manager, about protecting companies from cybercrime.



A minority of UK small and medium enterprises (SMEs) are giving high priority to cyber threats, research has revealed.

Although cyber threats are gaining recognition among SMEs, there is a clear need to raise awareness and protection, according to the Institution of Engineering and Technology (IET).

Threats to systems are increasing and new vulnerabilities are emerging daily, said Hugh Boyes, the IET’s cyber security expert. 



Since the bird markets were closed in affected cities, the numbers have slowed; however, the disease remains a significant threat. For those of you keeping track, we now have a total of 126 cases and 24 deaths reported from 10 provinces in China and Taiwan.



As discussed in our prior installment, while there is no “one-size-fits-all” path to cloud infrastructure adoption, a roadmap can ease and simplify the transition to cloud while minimizing IT disruption. More importantly, a phased approach (as shown in the figure below) enables organizations to take advantage of on-demand infrastructure sooner rather than later, leveraging the scalability, cost advantages and rapid deployment capabilities of cloud.



Computerworld — IT leaders can be excused for feeling like their supply chains are one link away from disintegration these days. The news over the past few months has been alarming, from outcries over horsemeat in Europe and mislabeled fish in New York to the longer-term impacts on supply chains from environmental events like the tsunami in Japan, monsoons in Thailand and the volcano in Iceland.



Tuesday, 30 April 2013 15:02

The Mobility Conundrum

Take any event, survey or discussion with a vendor, or pick any IT magazine or newsletter: all of them have something on mobility, and integrally linked to that is BYOD. Mobility has featured prominently among the top priorities in every survey. It has become as widely discussed a subject as BITA (Business IT Alignment) was a decade back, if not more so. There are views and opinions on everything going mobile, from business process to commerce, from company to consumer, and everything in between.



Note: It was not a school shooting; it was a shooting at a school.

The following are notes I took during a lecture by Mary Schoenfeldt at the 2013 Partners in Emergency Preparedness Conference. She spent two weeks in the community after the shooting incident.

Since she was addressing an audience of emergency managers, she did not specifically address in depth the school system impact or the impact on families. Instead, she looked at the community response and impact.



Disaster recovery has rapidly evolved from being somewhat of an afterthought for decision-makers to a critical business component. 

There are a number of reasons for this, most notably the growing frequency of natural disasters and the noticeable impact that significant downtime has on an organization's revenue. 

A recent MSPmentor blog post pointed out some of the questions owners should ask when they pursue DR solutions. For instance, how much downtime can they afford before it starts to hurt their business? How much data can they lose? How fast of a recovery system can they afford to purchase?



Lost data and disaster recovery are topics that seem to appear in the news on an almost weekly basis. Between employees and professionals losing devices, bring-your-own-device (BYOD) practices, hacking, natural disasters, and hardware failure, protection of personal and professional information is on everyone’s mind.

For those who work in the legal field, lost digital information can have dire consequences. Litigation lawyers have custody of confidential and sensitive documents regarding their clients, in addition to information regarding the internal and financial operations of the firm itself. All of these must be safeguarded against loss and security breaches while meeting the pertinent state and bar association requirements for safe digital storage. If, however, data is lost, a litigation law firm must deal with notifying various governing bodies, the interruption of its regular business, disaster recovery expenses, and potential insurance issues.



Tuesday, 30 April 2013 14:53

Disaster Recovery Planning 101 for MSPs

Building a disaster recovery plan (DRP) can be simple, yet many businesses are still without one, which leaves them vulnerable to data loss. Your role as a managed services provider (MSP) is to protect your customers from catastrophic losses by assisting them with a customized plan that fits their backup and disaster recovery (BDR) needs. Disaster recovery (DR) and intelligent business continuity (IBC) solutions vendor Datto offered MSPs some insight regarding this topic on the company's blog. We'll reveal the key points of an effective DRP that ensures business continuity (BC).



How much of an impact can a small group of volunteers make after a disaster?

Last Wednesday, I had the honor of addressing the Hurricane Sandy Champions of Change – a group of “ordinary” people who did (and are still doing) extraordinary things to help those who were impacted by Hurricane Sandy. Many of them suffered damage to their homes and businesses as a result of the storm, but continued to fulfill the needs they saw in their communities.



Tuesday, 30 April 2013 14:50

Tape Versus Disk: The Backup War Exposed

The debate over whether disk or tape is the better solution for backup has been going on for some time now, and it seems the answer you get typically depends on who is responding to the question.

According to many chief financial officers (CFOs), backup and disaster recovery (DR) are just like insurance policies for the business, so the least expensive method is the one they usually select. This view of data protection flies in the face of what IT operations managers deal with on a day-to-day basis. For them, protecting the organization’s critical data assets is not just an insurance policy; it’s their job. They need to assure the smooth operation, recovery and security of the applications and data that run the business, no matter what. The problem is the CFO usually wins the argument, so it all comes down to cost.



Monday, 29 April 2013 19:55

Combating 'Don’t Care' attitude

Three disasters come to mind as I read about the building collapse in Dhaka, India.

Actually more, but the other two come to mind more than the others.

The first is the infamous Triangle Shirtwaist Factory fire in New York City on March 25, 1911 that killed 146 workers.

The second is the World Trade Center disaster of September 11, 2001.

Dhaka is the third.


Assumptions are the IEDs (Improvised Explosive Devices) of Business Continuity. Anyone can create one and, once strategically placed (usually tucked among the Mission Statement and Objectives), they have the capability to destroy a Business Continuity or Disaster Recovery Plan in an instant.

So what can a Planner do to protect against those roadside bombs?


Monday, 29 April 2013 19:53

Disruptive Trends in Public Safety

Ah, if we could only look into the crystal ball and really see the future. While I know a few things about the future, most of what I garner comes from reading and personal observation. Check out the notes I took some time ago that I came across this afternoon while looking at my files. The future is near...


People talk a lot about what you should do with your Business Continuity Plan, but we are going to discuss what you should not do.

5. Do NOT keep your DR/BC plan in a single binder stored somewhere in your office.

What good is the plan to you if no one can get into your office? Your plan should be available in multiple formats and from any location. Considering that your plan should be updated frequently, storing the plan digitally makes for easy updating. There is of course always a place and time for hard copies, but you have to be diligent about updating it and it should NOT be the only copy you have.


Monday, 29 April 2013 19:50

5 Ways Disaster Recovery Can Fail

Disaster recovery (DR) in the cloud is one of those things that seems obvious, yet it can really get messed up if not approached in the right way. We see a lot of businesses work through DR scenarios, so we thought it would be great to provide a short list of how NOT to go about DR in the cloud.

Lumping in DR with HA: High availability (HA) and disaster recovery (DR) are all too often mistakenly understood as overlapping concepts where cloud computing is concerned. The truth is they are very different. While they are complementary in their positive impact on a business’ infrastructure, they cannot be considered in the exact same way. HA has more to do with operational performance, while DR directly involves failure contingency and disaster preparedness.

Monday, 29 April 2013 19:48

Compliance is not Information Security

Small firms can confuse security with data protection

Small and midsized businesses often make a big mistake in assuming that compliance with data protection regulations provides the basis of information security, according to a specialist who serves a number of companies in the sector.

Peter Bassill of Hedgehog Security raised the point in a presentation on information security for SMBs at the Infosecurity show in London, coming soon after the 2013 Information Security Breaches Survey highlighted the high level of attacks suffered by small firms. He said that they tend to confuse their legal obligations to protect data with protecting themselves.


For the past couple of years, data security company ViaSat UK has spiced up the Infosecurity Europe conference by filing an FoI (freedom of information) request for data breach statistics.

In previous years, things have ended up with ViaSat in a spot of biffo with the UK Information Commissioner's Office (ICO).

In 2011, ViaSat noted that "monetary penalties have been enforced in less than one per cent of the data losses [the ICO] has dealt with."


Monday, 29 April 2013 19:38

What Went Wrong in West, Texas?

A week after a blast at a Texas fertilizer plant killed at least 15 people and hurt more than 200, authorities still don't know exactly why the West Chemical and Fertilizer Company plant exploded.

Here's what we do know: The fertilizer plant hadn't been inspected by the Occupational Safety and Health Administration since 1985. Its owners do not seem to have told the Department of Homeland Security that they were storing large quantities of potentially explosive fertilizer, as regulations require. And the most recent partial safety inspection of the facility in 2011 led to $5,250 in fines.


Thursday, 25 April 2013 15:38

Bird Flu Seen Beyond Mainland, in Taiwan

BEIJING—Taiwan reported the first case of a new form of avian flu found outside China's mainland on Wednesday and said that three health-care workers who treated the patient had developed undiagnosed respiratory symptoms, raising concerns over the virus's potential for spreading by human-to-human contact.


Taiwan First Case

Taiwan health authorities confirmed the island’s first human infection of H7N9 avian flu on Wednesday.

A 53-year-old Taiwanese man was confirmed to be infected with the new type of bird flu virus. The patient is believed to have been infected outside Taiwan as he showed symptoms three days after returning from Suzhou City in Jiangsu Province. The patient, who is Hepatitis-B-positive and suffers from high blood pressure, is in a serious condition. A total of 139 people who have had close contact with him are being monitored.


There is no such thing as information security risk, according to Serge Baudot, head of information security and business continuity management at easyJet. The only risk that matters within any organisation is the risk to the bottom line.


During the FirstNet board meeting held April 23 in Washington, D.C., the Boston Marathon bombing was raised and how this future public safety broadband network might have helped in this type of terrorist bombing situation.


A few weeks ago, HR magazine attended a conference. On the agenda: culture, engagement, values, trust. Nothing new there. But this wasn’t an HR event. In fact, there weren’t even any HR professionals there. This was a risk-management seminar.



Agencies are taking a deeper dive to understand not only how their computers are being attacked but the pattern of the attacker.

Cyber threat intelligence is a growing trend across the government. It's more than just knowing that one's computer network is under attack, and it's more than knowing even who or what kind of attacker is going after your data—whether a nation state actor or a cyber criminal group or even just a run-of-the-mill nuisance hacker.  


There is no such thing as information security risk, according to a panel of security professionals speaking at the Infosecurity Europe 2013 conference in London; the only risk that matters within any organisation is the risk to the bottom line.

Serge Baudot, head of information security and business continuity management at easyJet, explained that one of easyJet's most important assets is its reputation. The organisation is therefore constantly looking for ways to protect its reputation, and has identified about 12 events that would cause it serious reputational damage. 


Wednesday, 24 April 2013 16:44

Companies are less prepared for risk

Companies are struggling with risk analysis in strategic sourcing, according to a recent report from Aon Risk Solutions. The report found companies are overall less prepared for risk.


Facebook has more than 1 billion users worldwide. Twitter processes more than 340 million tweets per day. What is the liability for your company? Are you liable for postings made from employees’ own devices? Can you legally access your employees’ social media sites or base hiring and firing decisions on them?


For a manager or senior team member in any public sector organisation, the forecast of snow or extreme weather brings some headaches. The severity of the disruption depends on the job the organisation does, but when providing a service to the public, it is vital that a swift, seamless service is resumed as soon as possible.


The economic justification for outsourcing in mortgage originations is generally thought of in terms of the historic cyclicality of the underlying mortgage business. The source of this historical variation in mortgage originations emanates from the seasonality in the home purchase market and interest rate moves in the refinancing market. But the business has experienced radical changes in the last decade, and the historic behavior of the market has been overwhelmed by periods of paucity and demand from the financial crisis and the responses to it. As we absorb ongoing industry changes, from HARP 2.0 and its impending demise to the risks inherent in pending qualified residential mortgage (QRM) rules, the horizon is full of unforeseeable shocks in mortgage origination demand. With these changes in the market have come new demands on market participants. Economic and policy shocks have brought the role of outsourcing to a new and distinct level.


“Enterprise rights management? What does that even mean?! You’re using security speak!” exclaimed my colleague TJ Keitt.

TJ sits on a research team serving CIOs, and covers collaboration software. We were having a discussion around collaboration software and data security considerations for collaboration. “Security speak” got in the way. It wasn’t the first time, and it will likely not be the last, but it is a good reminder to communicate clearly using non-security speak – and not just to fellow S&R pros, but to the rest of the business (in this case – the CIO) – to talk about what we really mean. That’s how collaboration starts.


As of 21 April, there were 102 cases and 20 deaths.  No additional provinces have been added, and there is no clearer picture of the source of infection. What happens next?!?  Who knows! Virus reproduction and replication will continue, and if the “right” random event occurs, things could really change…otherwise, this could go on for who knows how long, or it could fizzle out.


A CIO once quipped, "Security isn't hard, compliance is." And in fact many companies focus their security efforts on meeting compliance requirements. But if you are audit compliant, have you in fact addressed all of your risks, or are you just kidding yourself? Is it better to focus on the risks presuming that doing so will cover you off on the compliance side? Network World Editor in Chief put the question to two practitioners, both of whom come down on the side of risk.


Tuesday, 23 April 2013 15:43

Business skills key to CISO’s survival

Business skills are key components of any chief information security officer (CISO), says Paul Swarbrick, CISO at aeronautical information service, NATS.

“After 25 years in information assurance, I am convinced that in the modern era the role is not about technical expertise, but about being a business expert,” he told Computer Weekly.


Gloomy news: Companies across the world are now less prepared to deal with risks than they were two years ago. Even worse: Though companies have had nearly five years to respond to the global economic slowdown — which they cite as the biggest risk to business — they are increasingly unable to confront the revenue problems it has created.


When teams are determining and developing their Business (unit) Continuity Plan (BCP), the fact that manual procedures will be used often crops up. ‘What will you do in a DR situation?’ they’re asked, and the answer all too often – and quickly – comes back as “we’ll do ‘x’ manually.” Really, is it that easy to do; just revert to a manual process for what normally includes many checks and balances and possibly varying numbers of applications?


I was very excited to finally get a copy of the much-anticipated 2013 Verizon Data Breach Investigations Report (DBIR).  I have found the report to be valuable year after year.  This is the 6th iteration, and this year’s report includes 621 confirmed data breaches, as well as over 47,000 reported security incidents.  18 organizations from across the globe contributed to the report this year.  The full report is 63 pages, and I have to say that Wade Baker and company did a great job making it an enjoyable read. I enjoyed the tone, and I found myself laughing several times as I read through it (laughing and infosec aren't commonly said in the same breath).  There are tons of great references as well, ranging from NASCAR, to Biggie Smalls, the Violent Femmes and more.  The mantra of this year’s report is “‘Understand Your Adversary’ is Critical to Effective Defense and Response.”


Making use of the petabytes of patient data that healthcare organizations possess requires extracting it from legacy systems, normalizing it and then building applications that can make sense of it. That's a tall order, but the facilities that pull it off can learn a lot.


Cyber-threats, along with breaches in security and privacy, are forcing corporate risk managers to reconsider how they protect their company's data and proprietary business information, according to an annual survey by global professional services company Towers Watson (NYSE, NASDAQ: TW). The survey examined how North American companies use outside resources, tools and frameworks to address their risk exposure across a variety of eventualities, ranging from a hardening property & casualty insurance market to natural catastrophes and the threat of terrorism.


Within the last 11 days there has been a bombing at the Boston Marathon, the related shooting at MIT, an explosion at a fertilizer plant in West, Texas and bomb threats to schools and businesses across the Treasure Valley, including Boise State. In light of these recent events, it seems that emergency preparedness and safety are on a lot of minds.


Monday, 22 April 2013 15:25

Gauging BYOD Acceptance

The debate about the bring-your-own-device movement (BYOD) has quieted down, mostly because, it seems, while IT has been over in the corner arguing the pros and cons, employees have been streaming into the office with their shiny new toys and using them to get work done.


Lots of questions and not many answers seem to be the current theme regarding H7N9. Helen Branswell wrote a great article in the Canadian Press, as has CIDRAP on this very issue.

  • Why men? 57 of 82 patients are men (those with available gender data). For H5N1, the gender balance has been more even.


As businesses in the downtown area prepared for the One Spark festival, one thought on some minds was how they’d deal with any of the sort of problems that might arise when a large group of people descended on the area.

Particularly in the wake of the Boston Marathon bombing, experts say, the type of planning that goes into getting ready for a major event should pave the way for businesses preparing for any disruption, from a natural disaster to a man-made crisis.

Monday, 22 April 2013 15:23

Avoid The Information Security Squirrel

In the Pixar film Up, squirrels frequently distract Dug the talking dog. In our space, we are frequently distracted by technology. "I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense in a box!"