
The Business Continuity Institute

With phishing and social engineering maintaining their position as the top driver of cyber disruptions, there is a need for a stronger cyber resilience culture across organizations, and a focus on the human aspects of the threat.

This is one of the key findings of the Cyber Resilience Report, published today by the Business Continuity Institute, the world’s leading Institute for continuity and resilience, in collaboration with Sungard Availability Services® (Sungard AS), a leading provider of information availability through managed IT, cloud and recovery services.

With the WannaCry ransomware attack still fresh in our minds, it is clear that the cyber threat is very real with this one attack affecting almost a quarter of a million computers across 150 countries. It is also clear that business continuity plays a key role in responding to an incident, and ensuring that the organization is able to manage through any disruption and so prevent it from becoming a crisis.

The Cyber Resilience Report found that nearly two-thirds of respondents (64%) to the global survey had experienced at least one cyber disruption during the previous 12 months, while almost 1 in 6 (15%) had experienced at least 10. Of those who had experienced a cyber disruption, over half (57%) revealed that phishing or social engineering had been one of the causes, demonstrating the need for users to be better educated about the threat and the role they can play in helping to prevent an incident occurring.

The study also found that:

  • A third of respondents (33%) suffered disruptions totalling more than €50,000, while more than 1 in 10 (13%) experienced losses in excess of €250,000.
  • 1 in 6 respondents (16%) reported a single incident resulting in losses of more than €50,000.
  • 1 in 5 respondents working for an SME (18%) reported cumulative losses of more than €50,000. These are significant losses considering 40% of SMEs involved in this study reported an annual turnover of less than €1 million.
  • Phishing and social engineering are the top cause of cyber disruption, with over half of those who experienced a disruption (57%) citing this as a cause.
  • 87% of respondents reported having business continuity arrangements in place to respond to cyber incidents, indicating that it is now widely accepted as playing a key role in helping to build cyber resilience.
  • 67% of respondents stated that their organization takes over one hour to respond to a cyber incident, while 16% stated that it can take over four hours.

The number of respondents reporting top management commitment to implementing the right solutions to the cyber threat increased to 60%, and this is likely due to a number of factors such as the intense media coverage of cyber security incidents, and the impending European Union General Data Protection Regulation, which is due to come into force in less than a year and will have an impact on any organization that holds data on EU citizens.

David Thorp, Executive Director at the BCI, commented: “Cooperation is key to building cyber and organizational resilience. Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for their organizations and communities.”

Keith Tilley, EVP and Vice Chair at Sungard Availability Services, said: “Brexit and the pending EU General Data Protection Regulation (GDPR) have thrown up even more questions about data laws and compliance, so data sovereignty is a focus. Companies need to demonstrate a holistic understanding of where their data is hosted, where it’s backed up, moved and recovered, as well as who can see it along the way. The fact that data laws are constantly subject to change, with region and country specific regulation, means a headache for large organizations. Establishing how to meet these regulations, as well as global needs will be vital, as will the ability to handle data access, residency, integrity and security.”

It’s hurricane season again, so hopefully you’ve prepared by updating your disaster recovery and business continuity plans to be ready for any disaster that might come your way.

While the character in our cartoon may have taken his boss’s request the wrong way, he had the right idea: Cover the essentials first. What’s the milk, eggs, and bread for your operation? Identify the data you need to stay up and running, and keep it safe and recoverable.

How solid and actionable will your IT disaster recovery plan be when a natural disaster hits? If you don’t have one or haven’t tested it in a while, it could mean lights out for your mission-critical data.

While we may not be able to exactly predict a hurricane’s course, you should chart your own course of action for when the unexpected happens. For a few more suggestions on how to batten down the hatches and ensure your business is disaster ready, check out this slideshow from CSO.

Hurricane preparedness cartoon

Feel free to share this cartoon, with a link back to this post and this attribution: “Cartoon licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Based on a work at blog.sungardas.com.”

https://blog.sungardas.com/2017/06/whats-the-milk-bread-and-eggs-of-your-disaster-recovery-plan/

US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users' access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how best to protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).
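One check a defender would want after reading this alert, added here as an example and not part of the US-CERT text: the PowerShell below reports whether a Windows host still has SMBv1 enabled at the server, feature and registry layers, and whether a chosen MS17-010 update is installed. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated shell, and that you substitute the KB number for your OS build from the MS17-010 bulletin (placeholder in the code).

```powershell
# Added example (not from the US-CERT alert): report SMBv1 exposure and MS17-010 status
# on this host. Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.

# PLACEHOLDER: take the KB article number for THIS OS build from the MS17-010 bulletin.
$Ms17010Kb = 'KB_PLACEHOLDER_FROM_MS17-010'

$report = [ordered]@{}

# 1. SMB server configuration: EnableSMB1Protocol is the server-side protocol switch.
$smbCfg = Get-SmbServerConfiguration
$report['SMB1_ServerEnabled'] = $smbCfg.EnableSMB1Protocol

# 2. Optional feature: SMB1Protocol is a removable Windows feature; 'Disabled' means removed.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1_FeatureState'] = if ($feature) { [string]$feature.State } else { 'n/a' }

# 3. Registry: SMB1 = 0 under LanmanServer\Parameters disables SMBv1 even if the feature is present.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regVal  = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$report['SMB1_RegistryValue'] = if ($null -eq $regVal) { 'not set (defaults to enabled)' } else { $regVal }

# 4. Patch: Get-HotFix lists installed updates by KB id; an unknown id simply returns nothing.
$patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)
$report['MS17-010_Installed'] = $patched

# Verdict: SMBv1 counts as on if the server switch is on, or the feature is enabled and the
# registry has not explicitly turned it off. Patched-but-enabled still warrants disabling SMBv1.
$smb1On = $smbCfg.EnableSMB1Protocol -or (($feature.State -eq 'Enabled') -and ($regVal -ne 0))
if ($smb1On -and -not $patched) {
    $report['Verdict'] = 'EXPOSED: SMBv1 enabled and MS17-010 not found'
} elseif ($smb1On) {
    $report['Verdict'] = 'MS17-010 present, but SMBv1 is still enabled; disable it'
} else {
    $report['Verdict'] = 'SMBv1 disabled'
}

[pscustomobject]$report | Format-List
```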

Whether your company is already operating in the European Union or has expansion plans there in the future, the upcoming GDPR rules will have a profound impact on how all organizations handle, manage and use consumer data. Even if your website simply collects data on EU citizens, you must comply or face fines of up to €20 million or 4 percent of global annual turnover. Companies will face five common challenges on the path to compliance.

Though the GDPR implementation date is less than one year away, companies large and small are still struggling to comprehend what must be done to prepare. The General Data Protection Regulation (GDPR) seeks to improve privacy protection for consumers by changing the way businesses collect, use and transfer personal data. Companies were purposely given plenty of warning about the changing policies, but the vague language and complex structural changes mean a complete overhaul of anything remotely related to data in all companies – even for companies outside of the European Union and United Kingdom that do business with the U.K. and EU member states.

There are five main challenges companies need to address immediately in regard to data.

  1. Data Storage and Access
  2. Team Compliance and Training
  3. Data Subject Requests
  4. Data Notifications
  5. Adaptability and Scalability

GDPR does not only affect IT departments; instead, this new regulation reaches far and wide, from human resources to finance and anyone in between who touches data. Companies that address these five challenges will be more ready to face the GDPR’s implementation deadline of May 25, 2018.

...

http://www.corporatecomplianceinsights.com/5-challenges-companies-must-address-now-prepare-gdpr/

You've heard it a million times: there’s a robot coming for your job. I’ve written about it before. Several times.

New evidence suggests the reality is no joke.

The New York Times kicked the week off with a poignant story on the subject: “Indian Technology Workers Worry About a Job Threat: Technology.”

It punctuates a story on the raw numbers of tech workers who are losing their work to robots, chatbots, artificial intelligence (AI) and machine learning with some human stories. The article opens with something a good many American workers will relate to: a tale of a laid-off tech worker who laments, “I have an 11-year-old child. My wife is not working. How to pay the home loans?”

...

http://mspmentor.net/your-business/doyle-report-can-your-career-withstand-coming-onslaught-robots

Instructor and student practicing CPR on mannequin.

We observed CPR and AED Awareness Week at the beginning of June. I recently had the opportunity to sit down with Stacy Thorne, a health scientist in the Office of Smoking and Health, who is also a certified first aid, CPR and AED instructor.

Stacy Thorne, PhD, MPH, MCHES

Stacy has a history of involvement in emergency response and preparedness activities at CDC. She is part of the building evacuation team, a group of employees who make sure that staff get out of the building in case of a fire, or shelter in place during a tornado. When she learned CDC offered CPR and AED training classes to employees, she couldn’t think of a better way to continue volunteering while helping people prepare for emergencies.

Stacy became a CPR/AED instructor in 2012. She felt these were important skills to have and wanted to stay up-to-date with the latest guidelines. She said, “You have to get recertified every two years, so if I was going to have to take the class anyway why not teach and make sure other people have the skills to save a life.”

Practice makes perfect

Stacy teaches participants first aid, CPR, and AED skills and gives them an opportunity to practice their skills and make sure they are doing them correctly. The class covers first aid for a wide variety of emergency situations, including stroke, heart attack, diabetes and heat exhaustion. Participants learn how to:

  • Administer CPR, including the number of chest compressions and the number and timing of rescue breaths.
  • Use an Automated External Defibrillator, more commonly referred to as an AED, which can restore a regular heart rhythm during sudden cardiac arrest.
  • Splint a broken bone, administer an epinephrine pen for allergic reactions, and bandage cuts and wounds.

In order to receive their certification, all participants must complete a skills test where they demonstrate that they can complete these life-saving skills in a series of scenarios.

Lifesaving skills in action

Cardiopulmonary resuscitation, commonly known as CPR, can save a life when someone’s breathing or heartbeat has stopped. CPR can keep blood flowing to deliver oxygen to the brain and other vital organs until help arrives and a normal heart rhythm can be restored.

Stacy shared, “The most rewarding part of teaching is meeting the different people who come to take these classes and hearing the stories of how they have used their skills.” One of her students recalled how she used her CPR skills to save someone while she was out shopping. Her instincts kicked in and when she was able to get the person breathing again the people watching applauded.

Another student reflected, “While I hope I never am in a situation where I need to perform CPR, the notion that I am now equipped with these life-saving skills is reassuring and helps me feel prepared if I should find myself in that scenario.” Stories like these show how important it is for everyone to be trained in first aid, CPR, and how to use an AED. You can spend six hours in training, and walk out with a certification that can save someone’s life.

Always on alert

As the mother of a 6-year-old daughter, Stacy is constantly on alert for situations where she might need to use her skills. The closest she has come to using them was when her daughter was eating goldfish crackers while lying down and started gagging; she was at the ready to perform the Heimlich maneuver. Her role as an instructor makes Stacy feel confident that she could use her first aid, CPR, and AED skills in an emergency.

Posted by Suzie Heitfeld, Health Communications Specialist, Office of Public Health Preparedness and Response

Tuesday, 27 June 2017 14:36

CDC: Teaching skills that save lives

WannaCry has hit again. This recent attack involved a Honda plant in Japan, shutting down production. As Nick Bilogorskiy, senior director of Threat Operations with Cyphort, told me in an email comment:

Automakers are especially vulnerable to network worms like WannaCry because they often use computers with older versions of Windows and those are vulnerable to security flaws. Unlike other businesses such as banks, automakers do not upgrade their factory floor hardware or software aggressively and may get behind in installing patches.

He went on to explain how devastating these attacks can be to an industrial site. Once a machine is infected, you have to decrypt files, power down all the machines so nothing else gets infected, and then re-image or re-install all infected machines, as that is the only safe method to avoid any back doors that have been dropped by WannaCry. Finally, you need to locate the necessary backups and restore data from them, reset all your systems to their pre-WannaCry state, and test that your applications are working as intended.

...

http://www.itbusinessedge.com/blogs/data-security/industrial-control-systems-at-risk-for-cyberattacks.html