
The Business Continuity Institute

We have just published the latest version of our Cyber Resilience Report and one of the conclusions of the report was that business continuity professionals need to collaborate more with their cyber/information security colleagues. The report noted that if expertise and resources are pooled then resilience can be built in a much more coordinated way. That seems eminently sensible.

Going beyond just IT, in my own foreword within the report I mentioned that cooperation is key to building cyber and organizational resilience, and that different disciplines must come together, share intelligence and start speaking the same language if they want to build a safer future for their organizations and communities.

Is that stating the obvious? Is that something that is already happening? The BCM Futures Report we published last year along with PwC showed that 90% of business leaders believe that resilience is greater when functions such as risk management, business continuity, ITDR and security are joined up, but only 37% believe that these areas are appropriately joined up at the moment. That’s a significant gap between the two, a gap that we all need to put more effort into reducing.

When devising your business continuity programme, do you engage with the IT department on issues relating to cyber security? Do you work with facilities management on the response to your building being out of action? Do you engage with the security department on your response to a terrorist incident? Do you talk to your communications department on reputational issues? There is so much crossover in the work of a business continuity professional that we need to make sure that crossover is being addressed. Otherwise it could lead to duplication of effort, or incomplete response plans.

Our current research project on megatrends looks at this issue in further detail, asking those working in the industry whether the different departments collaborate on both preparing for potential threats and responding to those threats materialising. From experience, and from listening to people within the industry, I very much get the impression that silos still exist, management disciplines still work in isolation, and lots more needs to be done. The initial responses to the megatrends survey seem to be quite mixed so far, and perhaps this is a fair reflection of the profession.

My challenge to those people working in the industry is to make sure you are engaging with the other management disciplines on a regular basis to ensure you are all coordinated, and are working together to improve the overall resiliency of the organization. The BCM Futures Report I mentioned earlier showed that about half of business continuity professionals already see this as becoming more important in the future, but I think we need to start increasing that percentage.

As an Institute, we need to do our bit too, so my challenge to us is to engage more with other professional associations working in the resilience space, and build relationships with these organizations from across the world. By working in partnership with others it will enable us to provide those in the resilience community with access to the right training, education and thought leadership.

As always, I would welcome your feedback. Are we already doing enough? Can we, or should we, be doing more? Please do share your thoughts.

David Thorp
Executive Director of the Business Continuity Institute

Another global ransomware attack, dubbed Petya, has disrupted operations at major firms across Europe and the United States.

More than 100 companies and organizations across various industries were affected, including shipping and transport firm AP Moller-Maersk, advertising firm WPP, law firm DLA Piper, Russian steel and oil firms Evraz and Rosneft, French construction materials company Saint-Gobain, food company Mondelez, drug giant Merck & Co, and Pennsylvania healthcare systems provider Heritage Valley Health System.

Today’s Insurance Information Institute Daily, via The Wall Street Journal, reports that the attack has exposed previously unknown weaknesses in computer systems widely used in the West.

The U.S. cyber insurance market grew by 35 percent from 2015 to 2016, based on recent reports.

...

http://www.iii.org/insuranceindustryblog/?p=5135

If you want to find major emitters of global carbon dioxide, look no further than your city’s skyline. Buildings account for more than one-third of all final energy consumption and half of global electricity use. And they’re responsible for approximately one-third of global carbon emissions.

According to the International Energy Agency, energy consumption in buildings needs to be reduced by 80% by 2050 if we want to limit the world’s temperature rise to under 2 °C. But now there’s a solution to making our building stock more energy-efficient: the new ISO 52000 series of standards.

With ISO 52000-1, Energy performance of buildings – Overarching EPB assessment – Part 1: General framework and procedures, as its leading document, the ISO 52000 family will accelerate energy efficiency in the world’s building market. From heating, cooling, ventilation and smart controls, to energy-using or -producing appliances, the series will help architects, engineers and regulators assess the energy performance of new and existing buildings in a holistic way – without overheating budgets – as the temperature rises.

...

https://www.iso.org/news/ref2196.html

An email provider being used by the perpetrators of a global ransomware attack today shut off the hackers’ access to the account, blocking the main avenue by which victims could regain access to their files.

Today’s attack marked the second time in as many months that hackers have launched sophisticated, international ransomware campaigns based on EternalBlue, an exploit purportedly stolen last year from the National Security Agency and leaked to the public.

The German firm Posteo published a blog entry this afternoon announcing its security specialists had identified one of their accounts which was being used by the hackers to collect on $300 (USD) ransom demands from each victim.

...

http://mspmentor.net/managed-security-services/firm-cuts-email-account-hacker-global-ransomware-attack

The security industry has an accountability crisis. It's time to talk about it, then fix it. Whenever a massive cyber attack occurs, inevitably a chorus of voices rises to blame the victims. WannaCry on 5/12 and Petya on 6/27 yet again kicked off the familiar refrains of:

“If users didn’t click on stuff they shouldn’t….”

“If they patched they wouldn’t be down….”

“This is what happens when security isn’t a priority….”

“Now maybe someone will care about security…”

I have yet to meet a single user that clicked a malicious link intentionally – beyond security researchers and malware analysts that is. I have yet to meet anyone that delights in not patching as a badge of honor. There are great reasons not to patch, and terrible reasons not to patch. As always context and situation matter.

...

http://blogs.forrester.com/jeff_pollard/17-06-27-victim_blaming_wont_stop_global_ransomware_attacks

More than ever, your users are the weak link in your network security. Mitigating insider threats isn’t just about thwarting the malicious action of a disgruntled employee; a careless insider can also cause catastrophic damage. If you are not already doing so, you need to train employees in your policies and best practices. Employees that have been conditioned to remain vigilant – keeping security in mind during all activities – are far less likely to pose an insider threat. This method of mitigating insider threats is just one of the ways to protect your business.

First, let’s establish a simple definition of an insider threat as we discuss it in this article: an insider threat is a threat to a network or computer system that originates from a person with authorized system access. Insider threats are sometimes called insider risks or insider attacks.

...

https://www.mha-it.com/2017/06/mitigating-insider-threats/

The Business Continuity Institute

Despite ransomware being around for many years, with several high profile organizations suffering the consequences of such an attack, 57% of respondents to a survey carried out by Carbon Black said that WannaCry was their first exposure to how ransomware works.

Ransomware attacks have thrust cyber security onto the global stage in unprecedented fashion, with two recent attacks - WannaCry and NotPetya - rapidly spreading across the world and locking down thousands of networks. Organizations and individuals are now beginning to give greater consideration to how they would react if they were exposed to an attack, or if an organization they dealt with was exposed.

The Ransom-Aware Report noted that, while it’s never a good thing when 150 countries are simultaneously affected by a cyber attack, the increased awareness will only serve to incite positive action. Ransomware is certainly nothing new, but consumers are increasingly turning to organizations with questions about how they are protecting sensitive data. Organizations, in turn, are putting more effort into improving cyber security in order to protect their data and remain operational in the event of an attack.

For many consumers, losing trust in an organization could result in them taking their custom elsewhere. When presented with the statement: 'I would consider leaving my current financial institution / healthcare provider / retailer if my sensitive information was taken hostage by ransomware,' the study found that 72% of consumers said they would consider leaving their financial institution; 68% of consumers said they would consider leaving their healthcare provider; and 70% of consumers said they would consider leaving their retailer.

When respondents were asked if they would personally be willing to pay ransom money if their own computer and files were encrypted by ransomware, it was close to a dead heat with 52% of respondents saying they would pay and 48% saying they would not. Of the 52% who said they would pay: 12% said they would pay $500 or more, 29% said they would pay between $100 and $500, while 59% said they would pay less than $100 to get their data back.

The Business Continuity Institute's latest Cyber Resilience Report showed that two-thirds of organizations had experienced a cyber security incident during the previous year. With consumers giving a lot more attention to how organizations are responding to those incidents, it is essential that organizations have plans in place to respond effectively and prevent data being lost.

The Business Continuity Institute

On the day that the Business Continuity Institute launched its latest Cyber Resilience Report, the importance of ensuring our organizations are prepared for a cyber security incident has once again been demonstrated as a new ransomware attack is causing turmoil across the world.

The attack, dubbed NotPetya due to its similarities to a previous virus called Petya, has resulted in organizations worldwide having their data encrypted, with a demand made for the equivalent of about $300 to be paid in Bitcoin.

NotPetya uses the same exploit that allowed WannaCry to spread so rapidly, but is thought to have found additional ways to infect new systems. It is not yet known how computers originally became infected, but it does not appear to be via email.

This particular attack was first reported in Ukraine where the state power company and Kiev's main airport were both affected, but it has now spread to many other countries including the US, UK, France, Russia and India.

Business continuity can be key to minimising the impact of such an attack and can make a real difference during any kind of emergency, crisis or disruption. It is what makes an organization resilient, ready to respond and carry on, even amid difficult circumstances. Yet business continuity cannot be improvised. It requires specialised and trained staff, as well as the support of everyone within an organization.

Having specialised and trained business continuity staff with the ability and resources to develop, implement and maintain a business continuity plan will help organizations identify the risks they face and the key operational areas that need to be prioritised during a crisis.

"We need to learn from these experiences," said David Thorp, Executive Director at the BCI. "It is clear that the cyber threat is not going away any time soon, so organizations must do more to make sure they can respond to them effectively and prevent them from becoming a crisis."