Industry Hot News

(TNS) - Compared to this time last year, Santa Cruz Police Department’s calls for service are down by more than a quarter.

During a city Public Safety Committee meeting Monday, Police Chief Andy Mills unveiled early plans on how to further drive down those calls.

“Yesterday, I saw a person reporting that he responded to a call of a person dancing in the rain,” Mills told the committee, comprised of Mayor David Terrazas and Councilwomen Cynthia Chase and Richelle Noroyan. “That is why we’re allowing sergeants to screen out calls officers are responding to.”

The department saw the nearly 27 percent reduction in the first three months of the year, to 17,630 calls, in the wake of a consultant’s report showing city officers’ workload-to-population ratio was much higher than many cities Santa Cruz’s size. Arrests, on the other hand, were up nearly 12 percent in the same period, department statistics show.



The IRS spent Tax Day trying to resolve IT issues rather than processing last-minute returns.

When the news broke that the IRS’s Modernized e-File (MeF) system was down, along with the Direct Pay and Payment Plan pages on the IRS site, three possible scenarios that can take businesses down came to mind: a hack, overloaded systems, or pure coincidence.

How likely is each?

While an attacker could breach the systems and/or perimeter and turn off services that allow connections to the systems accepting the tax returns, no one is claiming responsibility and so far, there’s no evidence that this is a malicious denial of service attack.



Florida’s small P/C insurers have withstood losses from Hurricane Irma and a legal environment that’s dubbed a “judicial hellhole” by the American Tort Reform Association, a recent article in S&P Global Market Intelligence reports.

The financial ratings firm Demotech affirmed the financial strength of over 50 companies in late March, a decision found “encouraging” by the CEO of the state-run Citizens Property Insurance Corp, Barry Gilway.

Gilway said that Demotech’s March actions are evidence of the resilience that smaller carriers showed during a year in which Hurricane Irma caused insured losses of about $8.61 billion, according to the latest Florida Office of Insurance Regulation tally.



By Tim Crosby

PREFACE: This article was written before ‘Meltdown’ and ‘Spectre’ were announced – two new critical “Day Zero” vulnerabilities that affect nearly every organization in the world. Given the sheer number of vulnerabilities identified in the last 12 months, one would think patch management would be a top priority for most organizations, but that is not the case. If the “EternalBlue” (MS17-010) and “Conficker” (MS08-067) vulnerabilities are any indication, I have little doubt that I will be finding the “Meltdown” and “Spectre” exploits in my audit initiatives for the next 18 months or longer. This article is intended to emphasize the importance of timely software updates.

“It Only Takes One” – One exploitable vulnerability, one easily guessable password, one careless click, one is all it takes. So, is all this focus on cyber security just a big waste of time? The answer is NO. A few simple steps or actions can make an enormous difference for when that “One” action occurs.

The key step everyone knows, but most seem to forget, is keeping your software and firmware updated. Outdated software provides hackers the footholds they need to break into your network, as well as opportunities for privilege escalation and lateral movement. During a recent engagement, 2% of the targeted users clicked on a link with an embedded payload that provided us shell access into their network. A quick scan identified a system with a Solaris Telnet vulnerability that was easily exploitable and allowed us to establish a more secure position. The vulnerable Solaris system was a video projector to which no one gave a second thought, even though the firmware update had existed for years. Our scan through this projector showed SMBv1 traffic, so we scanned for “EternalBlue”, targeting 2008 servers due to the likelihood that they would have exceptions to the “Auto Logoff” policy and would be a great place to gather clear text credentials for administrators or helpdesk/privileged accounts. Several of these servers were older HP servers with HP System Management Home Pages, some servers were running Apache Tomcat with default credentials (this should ring a bell – the Equifax Argentina hack), a few were running JBoss/JMX, and there was even a system vulnerable to MS09-050.

The vulnerabilities that make the above scenario possible have published exploits readily available in the form of free open-source software designed for penetration testing. We used Metasploit Framework to exploit a few of the “EternalBlue” vulnerable systems, followed the NotPetya script and downloaded clear text credentials with Mimikatz. Before our scans completed, we were on a Domain Controller with “System” privileges. The total time from “One careless click” to Enterprise Admin: less than 2 hours.

The key to our success? Not our keen code writing ability, not a new “Day 0” vulnerability, not a network of supercomputers, not thousands of IoT devices working in unison; it wasn’t even a trove of payloads we purchased with Bitcoin on the Dark Web. The key was systems vulnerable to widely publicized exploits with widely available fixes in the form of updated software and/or patches. In short, outdated software. We used standard laptops running the Kali or Parrot Linux operating systems with widely available free and/or open-source software, most of which comes preloaded on those Linux distributions.

The projector running Solaris is not uncommon; many office devices, including printers and copiers, have full Unix or Linux operating systems with internal hard drives. Most of these devices go unpatched and therefore make great pivoting opportunities. These devices also provide an opportunity to gather data (printed or scanned documents) and forward it to an external FTP site off hours; this is known as a store-and-forward platform. The patch/update for the system we referenced above has been available since 2014. Many of these devices also come with WiFi and/or Bluetooth interfaces enabled even when connected directly to the network via Ethernet, making them a target for bypassing your firewalls and WPA2 Enterprise security. Any device that connects to your network, no matter how small or innocuous, needs to be patched and/or have software updates applied on a regular basis, as well as undergo rigorous system hardening procedures, including disabling unused interfaces and changing default access settings. This device with outdated software extended our attack long enough to identify other soft targets. Had it been updated/patched, our initial foothold could have vanished the first time auto logoff occurred.

Before you scoff or get judgmental, believing only incompetent or lazy network administrators or managers could allow this to happen, slow down and think. Where do the patch management statistics for your organization come from? What data do you rely on? Most organizations gather and report patching statistics based on data directly from their patch management platform. Fact – systems fall out of patch management systems, or are never added, for many reasons, such as: a GPO push failed, a switch outage during the process, or systems that fall outside of the patch manager’s responsibility or knowledge (printers, network devices, video projectors, VoIP systems). Fact – your spam filter may be filtering critical patch-fail reports; this happens far more often than you might imagine.

A process outside of the patching system needs to verify that every device is in the patch management system and that the system is capable of pushing all patches to all devices. This process can be as simple and cost-effective as running and reviewing NMAP scripts, or as complex and automated as commercial products such as Tenable’s Security Center or BeyondTrust’s Retina, which can be scheduled to run and report immediately following the scheduled patch updates. THIS IS CRITICAL! Unless you know every device connected to your network (wired, wireless or virtual) and its patch/version health status, there are going to be holes in your security. At the end of this process, no matter what it looks like internally, the CISO/CIO/ISO should be able to answer the following:

  • Did the patches actually get applied?

  • Did the patches undo a previous workaround or code fix?

  • Did ALL systems get patched?

  • Are there any NEW critical or high-risk vulnerabilities that need to be addressed?
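
As an added example (not code from the article or from Spohn), the following Python script shows the kind of out-of-band check described above: it parses nmap’s XML output (`nmap -oX`), compares the hosts that are actually alive against an export from the patch-management console, and reports what the checklist asks for: live devices the patch system does not know about, known devices whose last cycle failed, inventory rows no scan confirmed, and live hosts still exposing Telnet or SMB. The nmap output, the inventory export and its schema are constructed for the example; only nmap’s XML layout is real.

```python
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed stand-in for nmap XML output (nmap -oX); the subnet, names and
# ports are invented for this example and do not describe any real network.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.57" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.10.1.201" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed export from a patch-management console (hypothetical schema):
# IP -> hostname and whether the last scheduled patch cycle completed there.
PATCH_INVENTORY = {
    "10.10.1.10": {"hostname": "fs01", "last_cycle_ok": True},
    "10.10.1.200": {"hostname": "jump01", "last_cycle_ok": False},
    "10.10.1.250": {"hostname": "oldprint", "last_cycle_ok": True},
}

# Open ports worth a follow-up on any live host: Telnet is the cleartext service
# the unpatched projector exposed; a reachable 445 means SMBv1 and MS17-010 need checking.
PORTS_OF_INTEREST = {
    23: "telnet open: cleartext remote shell",
    445: "smb open: confirm SMBv1 disabled and MS17-010 applied",
}


def parse_nmap_hosts(xml_text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname": str, "open_ports": set[int]}} for hosts nmap saw up."""
    hosts: Dict[str, dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and non-IPv4 entries are not live assets
        name = host.find("hostnames/hostname")
        open_ports = {
            int(p.get("portid"))
            for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        }
        hosts[addr.get("addr")] = {
            "hostname": name.get("name") if name is not None else "",
            "open_ports": open_ports,
        }
    return hosts


def reconcile(scanned: Dict[str, dict], inventory: Dict[str, dict]) -> dict:
    """Answer the checklist: unmanaged live hosts, failed cycles on managed hosts,
    inventory rows no scan confirmed, and live hosts exposing a port of interest."""
    live, managed = set(scanned), set(inventory)
    report = {
        "unmanaged": sorted(live - managed),
        "last_cycle_failed": sorted(ip for ip in live & managed
                                    if not inventory[ip]["last_cycle_ok"]),
        "not_seen_by_scan": sorted(managed - live),
        "ports_of_interest": {},
    }
    for ip in sorted(live):
        hits = [PORTS_OF_INTEREST[p] for p in sorted(scanned[ip]["open_ports"])
                if p in PORTS_OF_INTEREST]
        if hits:
            report["ports_of_interest"][ip] = hits
    return report


def run() -> dict:
    """Build the reconciliation report from the constructed sample data."""
    return reconcile(parse_nmap_hosts(NMAP_XML), PATCH_INVENTORY)


if __name__ == "__main__":
    for section, rows in run().items():
        print(f"{section}: {rows}")
```

On real data, feed it the XML from the post-patch scan and a fresh console export; a non-empty `unmanaged` or `not_seen_by_scan` list is the gap between what the patch platform reports and what is really on the wire.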

There are probably going to be devices that need to be manually patched, and there is a very strong likelihood that some software applications are locked into vulnerable versions of Java, Flash or even Windows XP/2003/2000. So, there are devices that will be patched less frequently or not at all. Many organizations simply say, “That’s just how it is until manpower or technology changes - we just accept the risk”.

That may be a reasonable response for your organization; it all depends on your risk tolerance. If you have a lower risk appetite, what about firewalls or VLANs with ACL restrictions for devices that can’t be patched or upgraded? Why not leverage virtualization to reduce the security surface area of that business-critical application that needs to run on an old version of Java or only works on 2003 or XP? Published application technologies from Citrix, Microsoft, VMware or Phantosys fence the vulnerabilities into a small isolated window that can’t be accessed by the workstation OS. Properly implemented, the combination of VLANs/DMZs and application virtualization reduces the actual probability of exploit to nearly zero and creates an easy way to identify and log any attempts to access or compromise these vulnerable systems. Once again, these are mitigating countermeasures for when patching isn’t an option.

We will be making many recommendations to our clients, including multi-factor authentication for VLAN access, changes to password length and complexity, and additional VLANs. However, topping the list of suggestions will be patch management and regular internal vulnerability scanning, preferably as the verification step for the full patch management cycle. Keeping your systems patched makes sure that when someone makes a mistake and lets the bad guy or malware in – they have nowhere to go and a limited time to get there.

As an ethical hacker or penetration tester, one of the most frustrating things I encounter is spending weeks of effort to identify and secure a foothold on a network only to find myself stuck; I can’t escalate privileges, I can’t make the session persistent, I can’t move laterally, ultimately rendering my attempts unsuccessful. Though frustrating for me, this is the optimal outcome for our clients as it means they are being proactive about their security controls.

Frequently, hackers are looking for soft targets and follow the path of least resistance. To protect yourself, patch your systems and isolate those you can’t. By doing so, you will increase the level of difficulty, effort and time required, giving a pretty good chance they will move on to someone else. There is an old joke about two guys running from a bear, and the punch line applies here as well – “I don’t need to be faster than the bear, just faster than you…”

Make sure ALL of your systems are patched, upgraded or isolated with mitigating countermeasures; thus making you faster than the other guy who can’t outrun the bear.

About Tim Crosby:

Timothy Crosby is Senior Security Consultant for Spohn Security Solutions. He has over 30 years of experience in the areas of data and network security. His career began in the early 80s securing data communications as a teletype and cryptographic support technician/engineer for the United States Military, including numerous overseas deployments. Building on the skillsets he developed in these roles, he transitioned into network engineering, administration, and security for a combination of public and private sector organizations throughout the world, many of which required maintaining a security clearance. He holds industry leading certifications in his field, and has been involved with designing the requirements and testing protocols for other industry certifications. When not spending time in the world of cybersecurity, he is most likely found in the great outdoors with his wife, children, and grandchildren.

Did you know that business continuity management professionals are a lot like family doctors?

Let’s rephrase that: BCM professionals SHOULD conduct themselves like family doctors, in many important respects.

The family doctor, of course, is the general practitioner who takes a holistic view of our medical care. They’re mindful of the whole spectrum of our well-being, physical and mental, and often coordinate the efforts of various specialists.

Ideally, business continuity professionals should approach their role as the family doctors of the BC program, overseeing the efforts of the subject matter experts who are the leaders of the various business units.



We hear a lot about “digital transformation” these days. It’s constantly on the minds of every CIO, CISO and CTO. Marketing and sales organizations are keenly aware of the importance of the ‘digital experience’ they offer their customers. CEOs and boards of directors discuss how their companies should respond to the growing demands of a digital economy, and the value that comes from the right technology approach.

But what does digital transformation really mean? Quite simply, the very nature of business has changed as technology has infiltrated our lives. From apps that track customer location, social media activity and spending power, to RFID readers that help manage factory automation – technology has enabled businesses to respond to customers and markets better than ever.

To manage all this technology and the data that comes with it, companies are adopting various types of clouds. IT executives want to adopt cloud technology to gain the inherent benefits of cloud, but at the same time, they need to minimize the risk and resource impacts associated with their cloud deployments.



Just when you were done being afraid of the cloud, it turns out the real threat comes from the folks making your processors. In about one day, your computer’s brain became the biggest computer security threat, likely ever.

Unless you’re in hibernation for the winter, you know all about the Meltdown and Spectre CPU vulnerabilities that affect every processor made in the last 15 years from, well, everyone. Now hold on, don’t roll your eyes. I’m not going to regurgitate the same old news about what’s affected, what mitigations are available, or what you need to patch. That’s boring and I’ve already read enough of those articles to make my own eyes glaze over.

Instead, let’s talk about the overall approach to security in your own environments. Maybe that’s your datacenter, your client machines spread across the world, your Amazon, Azure or Google Cloud services; it doesn’t matter. When a threat affects everyone, from your grandmom in Ohio who only uses Facebook to the largest organizations on the planet, we should all take a step back and evaluate ourselves.



Creating an emergency response plan that truly works when you need it requires research, thought and consideration — and a great deal of flexibility.

It’s practically impossible to consider every type of disaster that could occur or to plot all of the variables. The best you can hope for is to create a plan that takes into account broad strokes for any type of disaster. This foundation allows you to build smaller scenarios for specific events, utilizing them as needed to create an ad hoc preparedness plan that is both expansive and flexible at the same time. There are some key considerations that you’ll need in this adaptable foundation, including emergency communication strategies, training development and drills, plan adaptations for different scenarios and continuous evaluation and review processes.

Emergency Communication Strategy

Maintaining a clear line of communication is critical throughout any emergency, allowing you to stay in touch with both internal and external stakeholders and provide necessary information to your audience. When there are only moments to make a decision that could mean life or death, you want to be sure that you have everything in place before you need it. Having a sophisticated push notification option at your fingertips provides you with the ability to send different messages to various audience segments, ensuring that everyone receives the right message for their needs at a particular time. Creating the messages that you want to send before you need them is only the first step. You also have to assure that everyone on your emergency management team fully understands your platform and is able to use it seamlessly when they need to.



Our world has gone global and mobile at a drastic speed in the last decade.

Giving your employees the right tools and amount of accessibility is vital to the success of your organization. Here are some of the leading technologies and tools that can assist your employees in achieving significant gains in the mobile workforce.

Go Big on Mobile Technology

Let’s talk tech. Providing a mobile phone for voice calls and texting is not enough if you want to stay truly connected with your remote workers. In a review of the TRaD Works Forum by Inc. magazine, ways you can elevate your mobile technology include providing your workers with virtual toolkits on their mobile devices.

The virtual toolkit consists of a variety of technologies and services readily available to any person who joins your mobile workforce. The toolkit can be easily uploaded to your company phones or mobile devices. Toolkits often include apps for file sharing, project management, emergency notification, virtual meetings, and video chats. Having the toolkits ready in advance speeds implementation when a new employee is onboarded.



The Importance of Digital Vendor Management

As the digital landscape grows and changes, businesses rely on an increasingly sprawling network of third, fourth, and fifth parties to render final, consumer-facing content. Chris Olson, CEO at The Media Trust, explains why a sound digital vendor management strategy is so crucial not only for compliance purposes, but also for brand health.

The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, it’s troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.

Impending regulations and the changing political landscape require a more cautious approach to the collection, use and sharing of personal data. Threats of not only hefty fines, but also long-term reputational damage induce enterprises to take a closer look at their own websites and mobile apps to understand exactly which partners execute code and which capture personal data. This basic knowledge — standard elements in a vendor risk management program — could very well be the key to mitigating future troubles if adapted for a digital-first economy.



Monday, 16 April 2018 15:05

Data Is Power: Wield It Wisely

(TNS) - A likely change in federal reimbursement policy for local governments' disaster-related costs could impose a new financial burden on county governments.

Currently, school districts and county governments submit their costs associated with hurricanes or other natural disasters separately to the Federal Emergency Management Agency.

The Manatee County School District — which opened 24 campuses as shelters prior to Hurricane Irma in September — submitted to FEMA documentation for more than $1 million just in labor costs. It has yet to be reimbursed and is still calculating other expenses associated with its feeding and housing more than 25,000 evacuees.



There are few things more important than the willingness to work hard when it comes to building a top-flight business continuity program. However, I am sorry to report that hard work is not enough. In fact, sometimes it can lead you into a ditch.

How so?

The answer is when people are so intent on working hard that they forget to make sure what they are doing is actually useful for accomplishing their primary goals.

As John Wooden said, “Never confuse activity with achievement.”

I mention the foregoing because I wanted to talk about BCM metrics today, and metrics is one area where, in my experience, people are especially likely to confuse effort with results.



Friday, 13 April 2018 14:43

You’re Doing It Wrong: BCM Metrics

(TNS) - Officials from the city, state, Kamehameha Schools and National Oceanic and Atmospheric Administration unveiled a dramatic, 10-foot high banner at the steps of Honolulu Hale Wednesday to hammer home the threat that tsunamis can wreak across the islands at any moment.

The banner includes a map of Oahu that pinpoints just six of the more than 100 tsunamis that have hit Oahu since tsunamis have been recorded. Its 10-foot height is just a third of the 30-foot wave that pounded Kaena Point in 1952, Mayor Kirk Caldwell said.

But the tsunami threat to Oahu and all of the neighbor islands never ends, Caldwell said, as tsunami information brochures are going out in 13 non-English languages, including Hawaiian, for the first time.



Friday, 13 April 2018 14:37

Tsunami Threat Never Ends

Few activities and operations are truly set it and forget it.

Lights-out factories like the showcase installation run by technology company Siemens are proof of concept, but still the exception.

Business continuity in most cases requires periodic adjustment because environments and conditions are constantly changing.

However, here’s a thought that could change that.

The idea comes from the combination of the self-driving vehicle and decentralised financial transactions, plus the Uber (or Lyft or whoever) model of hire-to-drive services.

In theory, the artificial intelligence in the vehicle would allow it to interact with the Uber model to acquire customers, and use a technology like blockchain (decentralised transactions) to receive payment for services rendered and make payments on its lease back to its manufacturer.



Charles Werner remembers back to 1978 when as a new Charlottesville, Va., firefighter he came upon an incident involving a train in the heart of the city.

This train had been leaking carbon disulfide while running on the outskirts of Charlottesville, and the conductor thought he’d just guide it into town and park it close to where the fire station was. Unfortunately, as the train arrived in Charlottesville, the leaking carbon disulfide caught fire from sparks from the train’s brakes.

Werner said it took 24 hours to get the leak and fire contained and a good portion of that time was spent getting information on what exactly was leaking and what the hazards were. If that were to happen today, Werner and all other fire service personnel and other first responders could have access to the train’s contents in minutes with the AskRail mobile app.



Study by Cavirin finds organizations are concerned with visibility and the ability to manage risk and security with hybrid cloud accounts and workloads

SANTA CLARA, Calif. – Cavirin Systems, Inc., the only company providing cybersecurity risk posture and compliance for the enterprise hybrid cloud today announced the availability of Cavirin Hybrid Cloud CyberPosture Intelligence. CyberPosture intelligence is the ability to deliver risk, cybersecurity and compliance management by providing visibility and actionable intelligence to the CISO and other stakeholders across hybrid environments.  The Cavirin platform delivers this through real-time visibility, predictive analytics, and intelligent remediation through DevSecOps integrations.

In a new study of 250 hybrid cloud security leaders, “Cyber Security Posture: The Challenges and Strategies of Hybrid Cloud”, the two top concerns identified were verification that public cloud accounts are secure (69 percent) and confirmation that workloads in the cloud are secure as well (69 percent).  This lends credence to the reality that both account and workload security are critical.

However, security is still a key issue and barrier to adopting a hybrid cloud architecture, with specific concerns including increased complexity (55 percent), a lack of visibility into cloud endpoints (32 percent), difficulty instituting security controls (37 percent) and a clear need for more assessment tools (29 percent).



Law firms face a significant challenge during critical events: quickly locating their people to keep them safe. Lawyers, and those supporting their activities, typically do not work solely in one location. At any given time, some of them will be working in offices, spread across floors, buildings, cities, and even countries while others will be working from home or visiting a client location. This fluid movement has traditionally challenged how firm leadership connects people with the timely information needed to improve outcomes during emergencies.

The evolution of the emergency mass notification market has improved how law firms communicate. Some products focus on speed, accelerating message creation and delivery. Other advancements simplify how company administrators locate people and understand their proximity to danger. As you think about how your firm can use technology to communicate with your people, these must-have elements of a modern mass notification system should be utilized to mitigate loss during any critical event.



Lack of understanding and fear of failure in an enterprise setting is a combination that leaves most organizations paralyzed when trying to develop a digital strategy. In a survey conducted at the 2018 Enaxis Leadership Forum, most business leaders viewed digital transformation as a high priority; however, only 54% claimed to be ready to take advantage of it. Leadership knows that digital-driven change is inevitable. In today’s evolving environment, change comes in tidal waves, resulting in complete overhauls to revenue and operational models alike. The challenge is understanding WHERE to start and HOW to harness disruptive technologies to create a sustainable and successful digital transformation.

Getting Out Of The Starting Blocks

The first step is to avoid the two most common pitfalls when setting out on a digital transformation:



For businesses, having a disaster recovery plan in place is not optional – it's critical. Indeed, the recent spike in natural disasters has many organizations thinking about their business continuity plans.

Events like hurricanes Harvey, Irma and Maria; tornadoes in the Midwest and South, fires and floods in California and storms all across the nation affected thousands of businesses, causing some to go without power and Internet connectivity for days, weeks or even months.

According to the National Oceanic and Atmospheric Administration (NOAA), 2017 was the costliest year ever for the United States when it comes to natural disasters. The country experienced 16 different events that resulted in more than a billion dollars in damage each, with a total price tag of $306.2 billion.



If your business continuity plan is like most of the plans we see, then it is highly likely that it bears more than a passing resemblance to Swiss cheese.

We don’t mean that it would taste very good served with ham on rye.

We mean that it is probably full of holes—of omissions of key provisions and information whose absence would sharply reduce its effectiveness if and when you had to turn to it to help your organization get through a disruption, and which might even make it fail altogether.

In today’s blog, we’re going to bullet out some of the more common business continuity plan holes—and also explain what can be done to plug them.

Are any of the following holes baked into your organization’s BC plan?



Migrating to the cloud can be one of the best IT moves you can make for your enterprise, offering security, customization, agility and cost-savings.

And Amazon Web Services (AWS) is one of the most reliable and tested cloud service providers available.

Whether you’re already running applications in the public cloud or thinking about getting started, it’s important to know what you can do with AWS.

Here’s an A to Z (but by no means complete) overview of AWS features and strategies that you should keep in mind:



From vacuums that buff your floors while you sleep to drones, self-driving cars, and video games, AI is everywhere. Do you trust it?

Cutter Consortium contributors Keng Siau and Weiyu Wang recently examined the role of trust in AI, machine learning, and robotics. To set the stage, the authors define trust as either (1) a set of specific beliefs dealing with benevolence, competence, integrity, and predictability, or (2) the willingness of one party to depend on another in a highly risky situation, or (3) a combination of 1 and 2. However, that definition is best applied to human, interpersonal relationships.

Trust in a human-technology or human-machine relationship is a little different. In addition to the human characteristics (personality and ability) and environmental characteristics (culture, task, and institutional factors) that impact interpersonal trust, trust in AI, machine learning and robotics is affected by technology characteristics, including performance, process, and purpose. Siau and Weiyu explain:



Thursday, 12 April 2018 14:14

Who (or What) Do You Trust?

(TNS) - The emergency alert systems that blare out warnings during natural disasters, terrorist incidents or manmade calamities could be hijacked into sending out false alarms.

A security company, Bastille, said Tuesday that it had found a vulnerability in San Francisco’s emergency alert system that would allow hackers to trigger the city’s sirens or even blare out malicious messages.

The Boston manufacturer, ATI Systems, said it had developed a patch that will be rolled out shortly and noted that such a hack “is not a trivially easy thing that just anyone can do.”

Balint Seeber, director of vulnerability research at Bastille, which has offices in San Francisco and Atlanta, said he began studying vulnerabilities in the system of 130 or so public sirens and outdoor speakers scattered about San Francisco in 2016. Once he determined the radio frequencies employed, he said it would be easy to hijack the unencrypted system, even using only a $30 radio and a laptop.

A hacker could broadcast his or her own voice as a public address audible to the entire city, Seeber said.



Puerto Rico is still suffering the devastating aftereffects from 2017 hurricanes Irma and Maria. Rebuilding the island will cost up to $50 billion according to a recent statement by FEMA head, William “Brock” Long.  Many residents are still without power and the new hurricane season is just around the corner.

The situation in Puerto Rico is a warning to North America of what could happen if we fail to address our outdated and crumbling infrastructure, according to a new report from Zurich North America.

The report, Rebuilding Infrastructure: The Need for Sustainable and Resilient Solutions, points out that during the years leading up to Hurricane Maria, Puerto Rico’s infrastructure had been in increasing need of routine maintenance. The island’s power grid had fallen into a particular state of disrepair as a result of declining revenues and political corruption.



The 4 extreme threats public safety personnel need to know

By Glen Denny, Baron Services, Inc.

78% of disasters recorded in the United States each year are weather-related. Still, when asked what type of incidents they expect to respond to over the next year, Emergency Management Personnel (EMP) and public safety officials underestimate the number of weather-related disasters that will occur. This misconception results in EMP and public safety officials being undertrained to respond to weather-related disasters. In order to keep the public safe more effectively and cost-efficiently, EMP and public safety officials need to be more knowledgeable about weather phenomena and the impact severe weather can have on their communities. In the United States, there are a few weather threats that are experienced nearly universally across the country. These are thunderstorms, tornadoes, lightning, and hailstorms.


The most common severe weather threats seen in the United States and worldwide are thunderstorms. A thunderstorm is a rain shower which features thunder. Since thunder is generated from lightning, all thunderstorms feature lightning, whether frequently visible or not. There are approximately 100,000 thunderstorms each year in the U.S. alone. While this indicates that thunderstorms are quite common, specific atmospheric conditions must be present for a thunderstorm to form. Three basic ingredients are required for the formation of a thunderstorm:

  1. Moisture: This is needed to form clouds and rain.
  2. Unstable Air: Air that is relatively warm and can rise rapidly.
  3. Lift: from fronts, sea breezes or mountains.

Lightning is produced high in thunder clouds when liquid and ice particles above the freezing level collide and build up large electrical fields. Once these electric fields become large enough, a giant “spark” occurs between them (or between the particles and the ground) like static electricity, reducing the charge separation. The lightning spark can occur between clouds, between the cloud and air, or between the cloud and ground. Thunder is caused by the rapid expansion of the air surrounding the path of a lightning bolt.

It is likely that nearly all Americans have experienced a storm in their lives that featured the above characteristics. However, the majority of thunderstorms, while impressive to watch, are mostly harmless. Only about 10% of thunderstorms reach severe levels. A thunderstorm is classified as severe when it contains one or more of the following:

  • Hail one inch or greater
  • Winds gusting in excess of 50 knots (57.5 mph)
  • A tornado

These criteria are not widely known by laypeople, so, in an effort to better communicate severe weather hazards and risk, the National Weather Service (NWS) Storm Prediction Center released a graphical table which concisely describes the hazards associated with five increasing levels of severe weather risk intended to complement the maps they release every day.




One of the characteristics of a thunderstorm that will make the NWS classify it as severe is the presence of one or more tornadoes. Tornadoes, though, are much more than a characteristic of a severe thunderstorm. They are a severe weather threat all their own – perhaps the most dangerous of the common threats discussed in this article. And they are quite common – The US leads the world with an average of 1,000 tornadoes every year.

Tornadoes are the most violent of all atmospheric storms. A tornado is a swiftly rotating column of air that descends from the bottom of a thunderstorm cloud to the ground. Tornadoes become visible as a condensation funnel is created. The funnel is composed of water droplets and dust and debris swept up from the ground. The most destructive and deadly tornadoes are born of supercells – giant rotating thunderstorms with a defined radar circulation called a mesocyclone. While much research has been conducted around tornadoes, researchers are still not entirely sure what exact combination of circumstances are needed for their creation. The most common theories revolve around the temperatures and downdrafts in and around the mesocyclone. There is also still a great deal of mystery surrounding the exact forces which cause a tornado to dissipate.

While tornadoes can occur any time of year, peak season for the hardest hit regions of the country are:

  • Southern Plains: May into early June
  • Southeastern US: Early spring and fall
  • Gulf coast: Early spring
  • Northern plains/upper Midwest: June or July.

Most tornadoes occur between 4 and 9 p.m., but can happen at any time of day when conditions are favorable.

The NWS uses a watch and warning system to indicate the tornado threat level in an area during a severe thunderstorm. A Tornado Watch is issued by NOAA Storm Prediction Center meteorologists when conditions are favorable for a tornado. A watch can cover parts of a state or several states. The NWS recommends that residents in the area of a Tornado Watch review and discuss their emergency plans, and be ready to act quickly if a warning is issued or if they suspect a tornado is approaching. A Tornado Warning is issued by the local National Weather Service Forecast Office responsible for monitoring weather in a specific region. A Tornado Warning means a tornado has been reported by spotters or identified by radar. This designation signifies that persons and property in the path of the tornado are in serious danger. Residents should take shelter at once. Warnings can apply to parts of counties or multiple counties along the anticipated tornado track and typically last less than an hour.


Another characteristic of severe thunderstorms that is a real threat even considered on its own is lightning. Cloud-to-ground lightning bolts are a common phenomenon – about 100 strike Earth’s surface every single second – and yet their power is extraordinary. Each bolt can contain up to one billion volts of electricity and travels at 90,000 miles/second. A bolt can be over five miles long and can strike up to 10 miles from an area of rainfall.

In the United States, there are about 25 million lightning flashes every year. While lightning fatalities have decreased over the past 30 years, lightning continues to be one of the top weather killers in the United States: lightning causes an average of 50-60 fatalities each year. Research has shown that dramatic increases in lightning over a short period of time, especially positive strikes, indicate storm intensification.

A few key facts about lightning:

  • Standing under a tree is the second leading cause of lightning fatalities. If you must be outside during a thunderstorm, under a tree is not a safe place to take shelter.
  • Rubber-soled shoes do not provide any meaningful protection from lightning.
  • Victims of lightning do not retain the charge and are not electrified. It is safe to help them.

Hail is another aspect of a thunderstorm that, when present in certain forms, will cause the NWS to classify the storm as severe. Again, like lightning, hail is also a threat considered on its own, but is even more threatening when present in the typical conditions of a storm. Hail forms when the warm updraft of a thunderstorm pushes water droplets high enough into the clouds to freeze. These frozen droplets are caught by the storm’s cold downdraft and pushed down into warmer air. As the frozen droplets begin to melt, they pick up more water droplets and grow larger. With each pass of this cycle, the frozen water droplets become bigger and heavier. Eventually, the updrafts are no longer strong enough to push the large droplets up and around, so the balls of ice finally fall to the ground as hail. The stronger the updraft, the larger the hailstones become.

According to the National Weather Service, hail is generally no larger than 2 inches in diameter. However, hail has been known to come in many different shapes and proportions, and a standard scale was developed to describe it, ranging from nickel-sized (roughly .75” in diameter) to softball-sized (4.5 inches in diameter). Hail as small as 1” in diameter can cause damage, and severe thunderstorms can feature hail 2” and larger.

The Perfect Severe Weather Tool for All Regions

Throughout this article, we have discussed the various kinds of common severe weather threats in the United States. But how can EMP and public officials know for sure when a weather event has reached severe levels? An example of a tool that public safety officials and EMP can use to help them protect their area with precision is Baron Threat Net. Baron Threat Net is a web-based meteorological tool that provides critical weather intelligence when and where it is needed most. Baron Threat Net delivers the features safety officials need to be decisive and accurate when responding to severe weather. With a tool like Threat Net, EMP can easily track tornadoes, flooding, lightning strikes, dangerous road conditions, hail coverage and probability, and more. No matter the location, severe weather can strike in many forms. One thing is certain: mother nature won’t wait. It is up to EMP and public officials to educate themselves on the threats posed to their region, to use the appropriate tools to track those threats, and then to act on those threats appropriately.

Tuesday, 10 April 2018 20:06

Severe Weather:

April is National Volunteer Month, and to coincide with this event State Farm® has conducted an interesting survey which reveals key insights into what motivates people to volunteer.

The study found that only 23 percent of younger millennials currently volunteer, compared to 46 percent of older millennials (those who are married, have kids, or own a home). State Farm research confirms what others have found: that younger people are looking to align their giving opportunities with their life goals.

Millennials have supplanted Baby Boomers as the largest population group in the United States, and as a result they have the biggest potential to influence volunteerism.  With that in mind the study offers several useful tips for engaging young professionals in volunteer activities:



8 Principles to Guide the Risk Assessment Process

Organizations don’t need to involve the board in every risk by any means, but critical enterprise risks are a special breed. Protiviti’s Jim DeLoach provides the formula for an appropriately designed risk assessment process – the first step to identifying and ultimately mitigating the risks in this category.

Directors and executives need to consider several categories of risk. Of particular interest are the normal, ongoing business management risks, emerging risks and critical enterprise risks. Below, we focus on the last category, which we define as the top five to 10 risks that can threaten the company’s strategy, business model or ongoing viability.

These risks should be a significant focal point of the board’s risk oversight agenda and risk-related discussions in the C-suite, because they present the most significant risks (and opportunities) affecting the achievement of the performance objectives of greatest importance to the enterprise’s leaders. Identifying them provides a starting point for assigning ownership for management; once ownership is assigned, accountability for results can be established and monitored over time.



Do more with less.

Who hasn’t already heard that in business?

And just because something – like disaster recovery planning and management – is vital to ensuring enterprise survival does not mean that you cannot leverage your investment to get more out of it.

The more DRP and DRM can help you increase profits or cut costs, without sacrificing disaster recovery effectiveness, the safer your DR budget will be. Here are a few ideas.



Ransomware and malware may have been the leading concerns for healthcare IT professionals in 2017, but 2018 is likely to be the year when data governance becomes an even bigger issue to address.

Between preparing for the GDPR May 2018 release date, and the overwhelming number of data breaches, healthcare IT security professionals will have plenty to keep them up at night.

Big data is once again in the spotlight as healthcare leaders look for ways to streamline processes, reduce costs, and improve the patient experience. Unfortunately, quality problems with personal data and analytics frequently lead healthcare IT teams to focus on improving data quality first, with governance taking a back seat.



Using Content Analytics to Ensure Compliance

Buzzwords like AI and machine learning tend to grab the attention of C-suite leaders, but the most exciting tool in the digital transformation toolbox is RPA, robotic process automation. Anthony Macciola defines RPA, discusses the realities of machine learning and covers strategies for driving content intelligence.

There has been no other new regulation in recent years that has made organizations worldwide in every industry more concerned than the EU’s General Data Protection Regulation (GDPR). Effective May 25, 2018, it expands the rights of individuals to control how their personal information is collected and processed and forces organizations to be more accountable for data protection. Violators risk a minimum fine of at least €20 million or 4 percent of global revenue, so naturally, global organizations are turning to technology to help ensure compliance.

At the root of GDPR is personal data that directly or indirectly identifies a natural person in any format. It mandates that organizations cannot keep data and content forever and advocates better records management and strong information governance. That, however, is where the compliance challenge lies: information is locked inside of documents. Many organizations are turning to robotic process automation (RPA) to help unlock information from documents in any format – whether structured or unstructured, digital or not.



Tuesday, 10 April 2018 16:02

The Impact Of RPA On GDPR

In an emergency situation, having an effective mass notification solution does more than protect individuals and keep them safe.

It also gives residents a sense of confidence. They understand where to go when they need information about local hazards. They know where to turn when they want to find out if an emergency is imminent. These are key to helping provide effective emergency preparedness alerts and information before a disaster. Find out how you can increase the success rate of your mass notification system and build trust with your residents.

Statistics on Emergency Preparedness

According to statistics reported by FEMA in the report “Preparedness in America in 2014,” people are becoming more aware of the importance of disaster preparedness and response plans. The report concluded that:



Tuesday, 10 April 2018 16:01

Why Mass Notifications Matter

Storage management software is a critical tool for today's storage administrator. In fact, aside from sheer data storage capacity and the connectivity technologies, few aspects of maintaining a storage environment are more important than management software.

Available from storage hardware vendors like Dell EMC, HPE, NetApp and IBM, and some independent providers, storage management software typically provides an array of features that enable businesses to monitor and optimize their storage environments, enhance reliability and ensure the continual delivery of storage services to applications and users. Here's what users can expect from most storage management software products.



Tuesday, 10 April 2018 16:00

Storage Management Software Essentials

The cybersecurity landscape

If you had a dollar for every report detailing the recent effects of ransomware on global businesses, you could close shop today and retire in comfort. Ransomware is a major issue threatening cybersecurity around the world. According to Justice.gov, “more than 4,000 ransomware attacks have occurred every day since the beginning of 2016. That’s a 300% increase over 2015, where 1,000 ransomware attacks were seen per day.”

You realize ransomware is a threat, but do you know how to fight it? You have a couple of options. You could use a software solution for backup, or you could trust a managed service provider with your backup and recovery. Let’s discuss why we think you should pick the latter.



Tuesday, 10 April 2018 15:59

Is your data protected from ransomware?

Health for all is the theme of the World Health Organization’s World Health Day, and a new ISO committee recently formed aims to help.

Health matters, and access to health services, quality care and safe medical practices and equipment is a fundamental right for everyone, everywhere. Good health and well-being are also one of the UN Sustainable Development Goals, the United Nations’ new roadmap to improve people’s lives by 2030.

World Health Day is part of the World Health Organization’s (WHO) drive to support countries in moving towards Universal Health Coverage,

Not only is the WHO one of our key partners, but we have more than 1 300 International Standards that focus on health across all kinds of sectors, from public health and medical devices to health informatics and traditional medicines.

ISO technical report ISO/TR 14639, Health informatics – capacity-based eHealth architecture roadmap, for example, provides best-practice guidance on the implementation and use of information and communication technology, and a framework for health authorities to use when building their own eHealth architecture, leading to better public healthcare services.



In the folk tale “Ali Baba and the Forty Thieves,” all the hero had to do to access the cave full of treasure was say the magical phrase, “Open, Sesame.”

This will most likely not work for you when you go before your management to present your business continuity management program.

Unfortunately, I don’t know any magical phrases I can pass on to you which you can say to get your management to support and fund your initiatives.

However, I do have five tips I can share which, if you follow them in explaining your program with your bosses, will most likely increase the chances that you’ll have a good BCM presentation and obtain a favorable outcome.



It may sound strange to talk about “touchy-feely” stuff like user experience in the context of IT disaster recovery.

After all, the priority is on getting systems up and running again within recovery time and recovery point objectives, rather than sitting around in focus groups discussing feelings and opinions.

The only UX that many IT teams know about is the one in Linux, HP-UX and others, where UX is shorthand for Unix rather than for user experience. Yet good user experiences could make a significant difference to recovering productivity and profitability after an outage.

Take the IT team, to start with. No matter how techy or geeky members of your team are, there will always be an application, a system or a process that has them rolling their eyes at the thought of having to use it.

It might be a commercial product or an in-house development. But if it’s a critical part of your recovery process while being difficult or laborious to use, it will inevitably depress your recovery performance.



(TNS) — Hundreds of faculty, staff and students at Northeastern State University must coexist in ways that help them avoid acts of violence or threats to campus life. But just in case, the institution has infrastructure in place to deal with most any emergency that arises.

The NSU Campus Police, Department of Public Safety and the Division of Student Affairs hosted Campus Safety Day to display the services available to them, as well as advice on how to react during dangerous situations.

"I kept getting all of these emails from people that didn't realize we had an emergency manager, or they didn't realize we had a BIT [Behavioral Intervention Team]," said Patti Buhl, director of public safety. "It just sort of culminated and I figured we could just do a general safety day and talk about all of our services, what we do and how we collaborate together."



Enterprise storage environments continue to evolve, which means that storage hardware systems are evolving in step. Here's a look at the storage hardware that makes a modern storage environment tick, including flash arrays, NVMe, hyperconvergence and the various other storage technologies that are slinging data across today's data centers.

Storage Hardware Infrastructure Management

Conceptually, storage infrastructure management is pretty straightforward. On a fundamental level, IT professionals use a combination of hardware tools and processes to ensure the timely delivery of data to end users, applications servers and other IT systems in accordance to an organization's objectives and policies, along with making certain that data is stored appropriately along the way.

In this regard, it's essential that IT professionals tasked with managing data storage systems always keep a few things in mind.



Thursday, 05 April 2018 14:23

Enterprise Storage Hardware Systems Guide

(TNS) - A number of cities big and small in Southern California are taking steps to identify seismically vulnerable buildings for the first time in a generation, acting in part on the devastating images of earthquake damage in Mexico and elsewhere around the world.

“What happened last year in Mexico City, we don’t want to experience in California,” David Khorram, Long Beach’s superintendent of building and safety, said of the quake that left more than 360 people dead. “We want to be progressive.”

In hopes of mitigating the loss of life from a major quake that experts say is inevitable, Long Beach is discussing spending up to $1 million to identify as many as 5,000 potentially vulnerable buildings.



It seems clear that enterprise data storage compliance gets more difficult every year. The regulations seem to multiply annually. Handed down by governments and regulatory agencies, the rules governing the conduct of businesses can't help but influence how data is stored, managed and protected. Here's what IT executives should know about enterprise storage compliance.

Compliance with government regulations for data retention

One of the most crucial aspects of ensuring that your organization is compliant with the many rules affecting how data is stored is data retention. As the term suggests, organizations are often required to hang onto certain types of information for a specified amount of time, typically unaltered, before it can be safely deleted, if ever.

Complicating the matter is that different types of data are subject to different retention periods, not to mention the fact that businesses today are collecting more information on their customers than ever. Although data compliance comes at a cost, it's much preferable to invest accordingly than to cut corners.



Thursday, 05 April 2018 14:21

Enterprise Data Storage Compliance Guide

(TNS) - Although it has been just over seven months since Hurricane Harvey hit the Texas coast, there are still residents in the region struggling to recover.

A crisis counseling program called Texans Recovering Together is trying to help.

“The majority of what I’m seeing is the need for materials,” said Katrina Lowrey, team lead with the local provider of Texans Recovering Together. “A lot of people just don’t even know where to go and what’s out there.”

There are also hurricane survivors who aren’t sure where to go after the government’s hotel program is expected to end later this month.



The average lifespan of businesses is shrinking, yet some have been around for hundreds of years. How to stay afloat in a rapidly changing world? A newly published standard aims to help.

By 2027, the average company on the Standard & Poor’s 500 Index (S&P 500) – an index of 505 stocks issued by 500 large companies with market capitalizations of at least USD 6.1 billion – will last just 12 years, according to the 2018 Corporate Longevity Forecast. New technologies, economic shocks, disruptive competitors and failure to adequately anticipate and prepare for future challenges are the key reasons cited for their demise.

The freshly published ISO 9004, Quality management – Quality of an organization – Guidance to achieve sustained success, divulges the secrets and strategies of some of the longest lasting businesses around the world to help other organizations prepare for such challenges, optimizing their performance at the same time.



In some ways, the relationship between business continuity professionals and their colleagues from the information technology/disaster recovery team can be compared to that of a man who is drifting in a hot air balloon and asking for directions.

Imagine the balloonist seeing someone a hundred feet below on the ground and calling down to them, “Would you mind telling me where am I?” If the person answers, “You’re a hundred feet up in a hot air balloon,” there is a good chance he or she is an IT/DR person.

Or at least this is how the story goes when told from a BC person’s point of view.

The information is correct but also not very helpful, in that it doesn’t help the balloonist understand where they are in the larger context or assist them in getting to where they need to go.



Wednesday, 04 April 2018 14:45

Learning to Talk to Your IT/DR Colleagues

Enterprise data storage management is easier said than done. The problem is, storage managers have a lot going on. Managing systems, dealing with IT and end-users, and everyday firefighting take up days and weeks, leaving little time to do proactive tasks like optimizing the storage environment.

However, if you take consistent time to plan and optimize your storage management, you’ll improve your storage environment and get back the time you’re losing.

Start with the 7 major storage domains that you are responsible for:



Kawasaki Motors is a well-recognized brand for motorcycles, ATVs and Jet Ski® watercraft, and a market leader among consumers who appreciate speed. So what does this U.S. company do when it needs to quickly reach all of its 450 employees across six states?

We spoke with Tom Porter, former director of Human Resources & Administration for Kawasaki Motors Corp., U.S.A. to get a customer view of why an integrated mass communication system was so important for this fast-moving company.



Patching has never been more important. The WannaCry ransomware attack that infected more than 300,000 systems, the NotPetya attack that hobbled approximately 16,500 more, and of course the Equifax breach that compromised the information of 145.5 million Americans all happened because patches weren’t added quickly enough.

But what if patches weren’t available at all? That’s the potential dilemma for users of open source software, especially if the open source product is old or never gained popularity, or the community lacks enthusiasm or focus.

How long can you go without the functions the open source software supports? If mission-critical functions are run on open source software, how much revenue could downtime cost you if a problem arises?

There is no guaranteed support cycle for vulnerability remediation in open source, and while those vulnerabilities go uncorrected, the critical nature of the risk increases.

So the question is, can your organization stomach the potential risk of open source? Here are some factors to consider.



12 Steps to Compliance

We all procrastinate. But when it comes to the May 25th deadline for complying with the GDPR, this is one compliance project that you need to begin right away. Learn how the GDPR may impact your business and what you need to do to become compliant.

Why put off until tomorrow what you can do today? When it comes to the European Union’s General Data Protection Regulation (GDPR), many — even most — enterprises may be doing just that.

In one survey, most United States company representatives said they expect to be fined for noncompliance with the GDPR.

If so, let us hope they have budgeted accordingly. When the law takes effect on May 25, 2018, failure to comply can incur a fine of €20 million ($25 million, as of this writing) or 4 percent of annual revenues, whichever is greater.

Many enterprises simply are not ready for this game-changing privacy-and-security law — in spite of its having been adopted nearly two years ago, in April 2016.



Wednesday, 04 April 2018 14:41

The Procrastinator’s Guide To The GDPR

ORLANDO, Fla. – Disaster Recovery Journal saw an unprecedented spike in attendance at DRJ Spring 2018 here last week.

More than 750 attendees joined another 200 speakers, board members, and exhibitors from around the globe at Walt Disney World’s Coronado Springs Resort, March 25-28, 2018.

“We had a 10 percent increase in paid attendance from last year,” said DRJ President Bob Arnold. “That’s the biggest jump in 13 years! We’re really looking forward to what the future brings.”

DRJ’s 58th conference featured 62 sessions, a concurrent exhibit hall with almost 100 booths, product demonstrations, and numerous networking events.

Gold sponsor Onsolve hosted the Monday Night Hospitality event, featuring food, drinks, dancing, and giveaways. Silver sponsors included eBRP Solutions, Firestorm, Fusion Risk Management, IBM Resiliency Services, Regus, RSA, and Strategic BCP. Co-sponsors included Avalution Consulting, BC in the Cloud, ContinuityLogic, Everbridge, Kingsbridge Disaster Recovery, Quantivate, Recovery Planner, Rentsys Recovery Services, Resolver, RES-Q Services, Ripcord Solutions, and Rockdove Solutions. Business partners included Business Continuity Institute (BCI), Forrester Research, International Consortium for Organizational Resilience (ICOR), and Public & Private Businesses Inc. (PPBI).

“I want to thank all of our sponsors and exhibitors for helping us provide so many networking opportunities with attendees and vendors,” said Arnold. “We were really happy with everyone who joined us for another great show in Orlando.”

In addition to individual vendor drawings, attendees raked in dozens of technology items at the DRJ booth as part of the popular exhibit hall raffle. Grand attendance prize drawings also went to Joanne Race, Jesse Van Nevel, and Janet Bledsoe Wednesday morning before the final general session. All three attendees win a free pass to a future DRJ conference.

Check out the DRJ.com Live page for more photos, tweets, and other details from DRJ Spring 2018.

Preparations are already underway for the next conference, DRJ Fall 2018, which will be held Sept. 23-25, 2018, in Phoenix. Potential speakers have until April 9, 2018, to submit a Call For Papers presentation.

To attend DRJ Fall 2018, visit http://www.drj.com/fall2018/.



Wednesday, 04 April 2018 20:43

Big Spike in Attendance for DRJ Spring 2018

Is Your Organization's Reputation at Risk?

This course is ideal for management responsible for leading their organization during a crisis, public sector personnel, professional communicators, and those in public affairs or public relations.
Description: Understanding the elements of crisis management and communications is crucial to adapting and responding appropriately when faced with managing an incident. The Crisis Management and Communications professional course teaches useful strategies and techniques for analyzing situations and making difficult decisions with limited time, information, and resources while managing an incident and leading teams.

It is important that any enterprise have an understanding of Crisis Management since it poses the greatest threat to an organization's survival. That can only be achieved by adopting a management philosophy that includes prevention of potential crises, mitigation of those that do occur, and recovery and restoration in the wake of a crisis.

The importance of effective crisis communications cannot be underestimated. Both internal and external messages need to be drafted as well as the spokespersons trained. Who speaks to the media? What do they say? Planning for crisis communications ensures that your organization is in control of what the public and stakeholders hear in order to protect its reputation.

The course includes multi-media, sample policies, and templates. 



8 Lessons / Competency Areas
5010 The Discipline of Crisis Management
This session focuses on the crisis management discipline, different scenarios to consider when preparing to write a crisis management plan, and the key elements of a crisis management plan based on standard requirements.
5020 Culture & its Impact on the Crisis Management Capability
It is essential to understand the importance of organizational culture in managing everyday events and crises alike. This lesson looks at how to analyze the culture of the organization and work within its structure to create a more resilient organization.
5030 Structure and Crisis Management
The structure of an organization can be its greatest asset or its greatest weakness; evaluating your organization and its structure may reveal how it affects its crisis management capability. This lesson discusses the pros and cons of different organizational structures as they relate to managing crises.
5040 Crisis Communication Planning
It is important to develop a crisis communication system that will align to any crisis incident impacting the organization. This lesson looks at communication tools, strategies including social media, message development, and the importance of media training.
5050 Issues Management & Crisis Readiness
This lesson discusses topics such as situational awareness, horizon scanning, issues management, and how they contribute to a more "crisis-aware" organization.
5060 Leadership in a Crisis
Understanding the elements of leadership in times of crisis may help better explain more than any set of crisis plans why some organizations survive crises better than others and clarify how organizations can endure future crises. This lesson explores leadership qualities that have been shown to support the development of an effective crisis response.
5070 The Role of Teams in Crisis Management
A crisis cannot be managed by one person. A key factor in all crisis management programs is the designation of a crisis management team engaged to manage the crisis event. This lesson focuses on the purpose of crisis management teams, who to choose to be on the team, and the importance of managing conflict within the team itself.
5080 Managing the Crisis Communication Response
The focus of this lesson is on crisis communication and reputation management by looking at modern case studies of organizations who have done it well - and at some who have not done it as well.
Crisis Management & Communication Professional (CMCP) Certification

The CMCP Certification Exam is included in the course fee or can be challenged without taking the course.

The CMCP Certification Exam consists of 8 short answer questions, each requiring you to answer a question posed by top management, one for each of the competency areas.

If you are interested in earning CEUs, complete the essay for each lesson.
Toll free North America 866-765-8321, +1-630-705-0910
The ICOR Difference 
Recognized globally for its vendor-neutral, standards-based education programs, ICOR's certification competency areas align to specific jobs or job areas in the business continuity and continuity of operations workplace.
ICOR courses meet your learning style. Take the full course or individual competency areas. Learn from an instructor or on your own via elearning or self-study course books. The curriculum is interactive and activity-based.
SAVE 10% On All ICOR Courses
Did you know that you can save 10% on all ICOR courses if you are a member of one of the following organizations? Contact them to find out how you can save - ICOR, ACP, AFCOM, ASIS, BRPA, BRPA SW, IAEM, IFMA, NEDRIX - or email .
build-resilience.org   |   theICOR.org
+1.630.705.0910 (International)   |   1.866.765.8321 (Toll Free North America)

(TNS) — Marin County, Calif., is adding nine new weather gauges that collect real-time data on rain, wind and stream activity, bringing its fleet of such devices to 18 across the county.

The Marin County Flood Control and Water Conservation District announced this month that it has won approval to receive the devices used to help with flood preparedness. They will likely be in hand this summer and ready to install by the end of fall, said Julian Kaelon, a spokesman for the department of public works.

“These provide a good framework with weather patterns, to see timelines and trends,” Kaelon said. “It’s a snapshot of activity and we are able to see when certain creeks might be raising.”



According to the latest FEMA flood map data, 40 million people in the continental U.S. are at risk for a 100-year flood event; that’s three times more than previously estimated. Additionally, the amount of property in harm’s way is twice the current estimate.

Gathering Information

Start by putting together a communications plan to implement in the event of a flooding disaster. Questions that need answers at this point include:

  • How will your residents receive official alerts, warnings, and emergency information?
  • What is the shelter plan for your community?
  • For evacuations, what are the official routes to use?
  • How will your team broadcast flood alerts and other pertinent information to your community?



Tuesday, 03 April 2018 14:54

Emergency Guide to Flooding Preparedness

To better understand the legal industry’s current practices in handling unprecedented pressure from clients and cybersecurity threats, Bluelock is conducting a survey: “2018 Legal Data Protection & Recovery Survey.”

The first 125 participants will receive a complimentary $20 Amazon Gift Card.

The survey takes approximately 10-15 minutes to complete. All responses will be kept entirely confidential and shared with the public anonymously. All participants can request to see the survey results.



Simulated crisis tabletop exercises are like a flu shot: The vaccine won’t prevent the illness one-hundred percent of the time, but if you do get the flu, the vaccine will greatly reduce the illness’ severity and bring you back to health more quickly.

The potential illness in your organization is, of course, a crisis. Natural disaster or human-caused, the crisis brings pain and suffering to your organization and could even spell its demise. The tabletop exercise is a carefully orchestrated practice session where your crisis response team is assembled to respond to a realistically simulated crisis scenario — a very prudent vaccine. The scenario could be anything that could harm your organization’s reputation and its ability to function, from a natural disaster or accident to human-caused crises such as a security breach, terror attack or internally perpetrated wrongdoing.

The tabletop exercise provides the most efficient way to test and improve the effectiveness of your organization’s crisis plan and your crisis response team. Professional analysis of the exercise provides the crucial information you need to determine how well your organization would actually respond and continue functioning in a crisis, as well as how your plan and response team could be improved.



Selecting a mass notification system can be daunting. The last thing you want is an April Fool’s joke — on you — when you realize that the system you selected doesn’t have all the features you need. Successful communication isn’t easy. It requires a sophisticated system that is still exceptionally easy to use. Don’t be fooled: here are the requirements to consider when purchasing an emergency communications system.

Segmenting Your Audience

Business managers know how important it is to ensure that the correct message gets to its intended audience. You want to keep management and emergency leaders in the loop with recommendations for helping alleviate any challenges. However, a different message should be sent to employees with specific instructions on steps they need to take to stay safe. If your communications strategy doesn’t allow for multiple threads of messaging, you’ll need to keep looking. Segmentation is not just by audience group; it can also be by region or area. Make sure that the notification system you select offers a variety of options for sharing the right message with the correct group when they need it.



The attacks have taken on a numbing familiarity in recent years: five shot to death at an airport in South Florida. Twenty-six slain at a church in Texas. Five killed by a gunman rampaging through Northern California. There is a common thread in these and other recent mass shootings: red flags everywhere!

These violent outbursts last year, and others like them, had key things in common. Chief among them: Long before the violence, the people identified as attackers had elicited concerns from those who had encountered them, red flags that littered their paths to wreaking havoc on unsuspecting strangers.

This is a common thread in most of the mass attacks carried out in public spaces last year, the majority of which were preceded by behavior that worried other people, according to a report released Thursday by the U.S. Secret Service National Threat Assessment Center.



It’s become a fact of life that hackers might lock down your computer, blocking access to your most valuable data, and vowing to free it only if you pay up. Ransomware is nothing new, but it’s profitable, and hackers are deploying it left and right.

Mitigating ransomware is actually fairly straightforward. If you have backups, if your network is segmented, really all you have to do is wipe the infected computers, and reimage them from backups. If you’re prepared, the recovery takes maybe 20 minutes.

If you think your IT systems are the target of ransomware, you’re not alone. But you’re also not correct.

But if it’s so easy to recover from ransomware, why is it still such a problem?

It comes down to human psychology. If we truly want to stop ransomware in its tracks, it takes an understanding of the real problems that this malware preys on.



The number-one goal of business owners for their technology is to achieve ROI. Technology investments are often difficult ventures because either the capital isn’t there, or because the limited technical knowledge of the key players makes the long-term investment seem a little cloudy. With new advancements in cloud computing and some strategic IT planning, you can find a technology solution that works well for your business.

As a business, it’s important that you understand the various cloud computing models and how each affects your workflow. These models – SaaS, PaaS, IaaS – each offer some incredible benefits for companies looking to migrate to the cloud.

Below, we break down the main cloud computing models and show you how they could help drive innovation and improvements in your business.



Given the ever-increasing prevalence and impact of cybersecurity incidents, companies must now recognize that protecting their business assets against exposure and downtime also means guarding their bottom line. But how do you know if you’re prepared? How do you stay ahead of the curve?

Bluelock has compiled a quick guide with nine steps to assess your organization’s IT stance. We explain what successful risk mitigation looks like and offer expert recommendations for preparedness. In the guide, you’ll learn how to fully understand what risks your business faces; how to secure what’s most important while stretching a budget and internal resources; and how and when to solicit advice from experts for continual improvement.

The security of your IT systems depends upon readiness and taking a unique approach for full mitigation. Bluelock’s guide, “9 Steps to Mitigate Risk from Cyber Threats,” is designed to help you and your organization’s leadership improve your current IT stance for the future.



There are around 5,500 hospitals in the U.S., and sometimes I feel like I have been to every one of them to consult with their staff about their Business Continuity Management (BCM) program.

I’m exaggerating, obviously, but it is true that we at BCMMETRICS and MHA Consulting have been privileged over the years to work with a great many hospitals around the country to help them assess and strengthen their hospital BCM program.

Two things I can tell you off the bat, based on these experiences:

  1. Nurses make great sources when you want to hear in plain language exactly what’s going on at a hospital.
  2. Despite one commonly encountered opinion, American hospitals and the people who work in them have an intense and impressive focus on caring for their patients and keeping them safe.



Tuesday, 03 April 2018 14:36

How Hospitals Can Heal Their BCM Programs

Expert IT professionals at your service

If you’re a small or mid-sized business, it’s unrealistic to expect your IT department to have expert knowledge in all facets of technology. By using a managed IT services solution like wekos from Continuity Centers, you gain the knowledge of a team of dedicated IT professionals, each with more than 16 years of experience in the industry.

With a partner like Continuity Centers, you have the relationship of a small business service provider with the knowledge and experience of a Fortune 500.

Leveraging the expertise of an MSP creates the opportunity for you to dedicate your time and energy to the work you enjoy, knowing your technology is running seamlessly in the background. While you brainstorm new ideas to take your business to the next level, wekos is perfecting the technology to make it happen.



Time is money, as they say, and it is also a key factor in IT disaster recovery. Take, for instance, the well-known recovery time objective or RTO, which defines how fast you should get back to normal operations after an IT incident.

However, time has an impact in more ways than one. While you may be focused on speed of recovery, another vital aspect of time may have escaped your attention altogether.

There may be little point in obsessing about an RTO if the disaster recovery plan defining it is itself out of date.

DR plans that are past their sell-by date may not only be useless. They may even be downright dangerous, instructing people to follow erroneous steps that could lead to further damage, now that systems and data repositories have changed. In this case, you may well be better off without a plan.



People often ask which aspect of business continuity management is most important. Is it crisis management? The recovery of critical business processes? Data recovery?

Some people don’t even bother to ask the question. They just assume they know, and typically they are convinced that IT systems and data recovery are the essence of business continuity, with everything else being negligible.

Actually the question, “Which aspect of BCM is most important?” is a tough one to answer.

It’s not tough because it is difficult to identify the potential damage to the organization of being unprepared in the different areas. Rather, it is difficult in the same way as the question “Which wing of the airplane is more important, the left one or the right one?” is difficult. Or the question, “Which legs of your tripod can you remove and still have your camera standing up steady?”



Many organizations have vulnerability management tools in place like scanners, threat feeds, and patch managers, but don’t have the right people and supportive processes to complete the puzzle.

That’s why we welcomed one of our industry partners, Chad Truhn from BRTRC, to chat with us about what it takes to build a successful vulnerability management program. Chad talked about the common challenges he sees among organizations, both big and small, and shared some tips about where you should start if you’re seeing the same challenges. Paired with the industry insight of Sales Executive Nevra Ledwon, we had a great (non-salesy) discussion.

In case you missed it, here’s what you should know:



Mobile is far more than just smartphones and tablets. Barcode scanners, video cameras, and even Wi-Fi are considered mobile devices.

In the realm of mobile technology, billions of endpoints provide connectivity in our everyday environments. The connection of these endpoints is where the Internet of Things comes into the picture. With the IoT, these mobile devices are capable of inter-connectivity, as well as for data gathering and event recording. Developing an emergency notification system that takes into account mobile and the IoT is a natural transition in this ultra-modern way of communicating. But where does your organization get started?

Beyond Mobile Phones

To reach the widest audience with emergency notifications, mobile phones offer several advantages. You can make calls, send texts and set alerts on almost all the mobile phone models currently on the market. Yet, with the IoT, your organization can go a step further. GPS tracking on smartphones allows you to pinpoint the location of individuals in emergency situations. Those who are within a radius of an emergency zone can receive information specific to their location.



Fifty-one years ago, in mid-March 1967, Paul McCartney and John Lennon began writing a song they intended as a featured vocal for Beatles drummer Ringo Starr. “With a Little Help from My Friends” became one of Starr’s most beloved hits, and since then he has closed every concert performed by his All-Starr Band with this song. “With a Little Help from My Friends” has been re-recorded by more than 50 artists (including a Grammy Hall of Fame-winning version by Joe Cocker, used in a VW ad in 2017) and ranks as #311 on Rolling Stone’s list of the 500 Greatest Songs of All Time.

Why is “With a Little Help from My Friends” still popular today? There’s no real explanation, other than the fact that it’s simple, easy to sing, and reflects something we all can relate to: friends can be relied upon when we need them. And we all need them.

Today, Sungard AS took a page out of Sir Ringo’s playbook and recognized seven of its partners with the annual Sungard AS Partner Performance Awards. Each year, Sungard AS recognizes partners globally that have excelled at both execution and customer service, while helping customers solve IT transformation problems so they can accelerate business.



Modern Finance’s Imperative to Manage Risk with Data

While businesses have more information than ever to drive decision-making, many are struggling to shift organizational structures and manage data to minimize business risk. Eric Dowdell, Global Head of Dun & Bradstreet’s Trade Credit business, dives into the relationship between risk and data and discusses how the utilization of data should be changing risk management practices.

Over the past 10 years, I’ve seen the way business is done change at a dizzying rate as global macroeconomic conditions shift and the pace of innovation accelerates. Thought leaders continue to predict an array of changes to the inside of businesses: flatter organizational structures, remote-friendliness with mobile work capability in organizations’ DNA and the horizontal flows of ideas and information rather than trickling down, as in historical work environments. I see some of these trends already manifest in innovative organizations that are able to stay on top of global market risk due to their agility, adoption of new technologies and willingness to collaborate.

“In the corporate context, innovation can be defined as the profitable implementation of creative ideas,” writes Jeffrey Baumgartner, blogger and author of the book, The Way of the Innovation Master. “Profitable implementation means that the ideas, once implemented, have to deliver value to the organization.”

There’s a huge opportunity for the future of finance to deliver value through innovation as the very definition of risk changes. From building internal cultures around innovation to exploring opportunities for automation to becoming inspired by the possibilities of data, AI, blockchain and machine learning, the business world is especially hungry for a new breed of finance leader to help navigate through the new complexities of risk management.




The Network Effect is the idea that a product or service increases in value as more people utilize it. This is a key concept underlying the rise of the Network Economy. In the Network Economy the number of connections to a product or service drives its usability and value. Airbnb is a flagship member of the Network Economy and a prime example of growth via the Network Effect. The usefulness of the service has risen with the rise in users seeking accommodations and homeowners providing listings. In 2008 Airbnb guests numbered about 20 thousand. In 2017 the total number of guests was 100 million. This service clearly becomes more valuable as more travelers use it and more homeowners list their homes as available. Airbnb now offers more than three times the number of listings Marriott or Hilton offer. These numbers come from a company called Vizlly (http://www.vizlly.com/blog-airbnb-infographic/), which offers services to hotels trying to fight back against Airbnb. In 2008, it would have been hard to imagine that such a company would even exist. Uber and Lyft are other examples of exponential growth via the Network Effect. If you own a taxi company, you are probably engaged in a desperate search on a daily basis for the transportation version of Vizlly.

The good news for those of us in Business Continuity is that we don’t need to worry about countering the Network Economy or the Network Effect; we need to imagine ways to leverage them.  So, what service or product can we offer that can leverage the Network Effect?  How can we bring a value to our organizations that will grow organically and improve in value as more people become involved?  Our product is often viewed as not having a value.  Our activities are seen as a drag on current staff.  We ask them for valuable time in completing Business Impact Analyses (BIAs), building and updating recovery plans, and participating in exercises.  The most conscientious among our coworkers understand the need and benefit of doing these things, but they would likely rank their enthusiasm for participating in them equal to paying their insurance premiums.  The need is understood, but there is a perceived value only if something goes wrong.



It’s no surprise that hybrid cloud storage is growing. Hybrid cloud itself is an increasingly popular approach to deploying IT services. In fact, Gartner predicts that 90 percent of enterprises will be using hybrid infrastructure management capabilities by 2020.

What does this mean for your data storage strategy? First, let's cover some basics about hybrid cloud.

What is Hybrid Cloud?

As the term suggests, hybrid cloud is a mix of different IT environments that are used together to provide enterprises with flexible ways of managing their data storage and running application workloads.



Thursday, 29 March 2018 14:15

Hybrid Cloud Storage: Guide for Businesses

Imagine taking your car to the garage for an urgent repair, only to be told that you’ll have to wait for week because the garage mechanics are off on a training course.

A silly example? Not at all – In fact, an example drawn from real life and personal experience! While the garage in question was unlikely to go bust for this reason alone, the unavailability of its mechanics will tend to push customers into the arms of its competitors. Its business continuity may grow fragile. In a tough economic climate, this might even tip the balance in terms of bankruptcy. So, what’s the solution?

Training can be a tricky thing to organise. Workforces need training in new methods and new technologies.

Sometimes, this is to ensure an enterprise remains competitive. Sometimes, it is to comply with regulations, and sometimes simply to keep employees engaged.



(TNS) — City councilors — alarmed by back-to-back storms — held a special hearing on the threat of coastal flooding, after seeing waterborne debris flow through Boston's harborside streets.

"We've had two 'once in a hundred year' storms in the past month," said Councilor Michelle Wu, the hearing's sponsor. "Throughout Boston this is going to be an issue. There will be tremendous costs. How do we plan to pay for it? How do we plan to maintain that level of resiliency? What are the governing structures, are there laws that should be passed?"

Wu first called the meeting after city waters rose 15 feet during the Jan. 5 nor'easter, sending garbage dumpsters floating down streets and stranding residents in their cars. Two more major storms hit Boston in the weeks that followed.



(TNS) — If a tsunami slammed the Southern California coastline, would we be ready?

California's Tsunami Preparedness Week, from Monday, March 26 through Friday, March 30, aims to make sure residents and visitors know what to do if a tsunami threatens or hits the coast. Some communities have been holding educational drills all month to prepare for such a scenario.

Tsunamis are mammoth waves caused by underwater activity such as an earthquake. Coastal communities in Southern California started taking the threat seriously a little more than a decade ago, after a massive earthquake in 2004 off the coast of Indonesia triggered a tsunami that left at least 230,000 people dead.



Tornadoes, hail, lightning, thunderstorms, fluctuating temperatures, the risk for flooding—spring, oh what a season it is!

Mark Twain had it right when he said, “In the spring I have counted one hundred and thirty-six kinds of weather inside of four and twenty hours.” All of this extreme weather comes with a hefty price tag. In 2017, the spring season cost the US an estimated $19.2 billion according to the US National Centers for Environmental Information. Your organization cannot prevent severe spring weather, but you can find ways to prepare for the storms and save lives.

Best Practices for Preparation

As an emergency official, it is your mission to provide applicable services and resources for your community in the case of severe storms this spring. Start by implementing the best mass notification system available to your organization.

Understand how to utilize this system and set up training programs for all applicable parties. Create an emergency notification plan and run plan testing routinely. By the time a tornado touches down, your community should be well acquainted with how to receive important emergency information.



Three months into the year, 2018 has already been rife with disasters— both manmade and natural.

From active shooter situations at schools to rapid flooding and odd weather patterns, emergency management personnel throughout the country are running drills, prepping communication strategies and actively managing difficult situations. Any time there is a lull in the first quarter of the year, it makes sense to do a quick touch-base with your teams to wrap up any loose ends from 2017 and ensure that you’re completely ready for whatever else 2018 has to offer.

Staff Check-In

Having your incident management team at full strength is critical to protecting your community. Everyone should fully understand your systems and be prepared to run drills — either physical or digital. Is your staff ready? Here are some questions to consider when you’re preparing for potential risks to your community:



Natural disasters such as tornados, hail and even flooding can strike at a moment’s notice, seldom leaving significant time to plan your response.

Does your business continuity plan account for tornados? Including a tornado response plan can better prepare your organization during peak tornado season. Staying safe during a storm requires planning, equipping, training and ultimately execution of the defined strategy to protect lives and property from unnecessary loss. Use these proactive communication prep steps to reduce the overall risk to your organization in the event of an emergency.

Best Laid Plans

You’ve drilled your staff on what to do when a tornado is on the horizon. You’ve created plans, emailed them to your community and implemented security procedures that kick in immediately in the event of a tornado alert. However, it’s a proven fact that tornadoes are one of the most dangerous natural weather phenomena simply because they can come up so quickly that you may have virtually no warning before needing to trigger your business continuity plans. Is your staff so well-educated and trained that they can execute even in the event of a surprise emergency? If not, having a proactive communication strategy in place may be your best bet to weathering the storm with the lowest possible human, technology and direct costs.



(TNS) — Pacific Gas and Electric Co. plans to unveil a sweeping set of steps to prevent wildfires or contain them when they erupt.

The utility, whose equipment is being investigated as a potential cause of the Wine Country fires last fall, will create a wildfire prediction and response center in San Francisco that will operate around the clock during fire season. The company will greatly expand its own network of weather stations to monitor conditions, adding hundreds more this year.

PG&E will contract with out-of-state firefighters, keeping them on retainer for emergencies. And it will harden its electrical grid to better endure windstorms, replacing wooden poles with sturdier steel ones over time.



Making Sense of Dollars and Cents

With the upcoming GDPR directive on everyone’s minds, compliance is a hot issue. Many see compliance as an unnecessary additional expenditure. What they fail to realize, however, is that noncompliance costs nearly three times as much as compliance does.

Today, data is more valuable than gold, and organizations are hyperaware of how precious this commodity really is. Data provides organizations with invaluable insight into their operations, competitors and customers. As organizations continue to grow and the demand for data increases, so does the frequency of data movement. This increased movement is directly related to an increase in data vulnerability, putting companies at risk of loss, leaks and theft.

Recognizing this vulnerability, governing entities have begun to implement compliance standards aimed at preventing data from falling into the wrong hands. However, many organizations hear the word compliance and only see dollar signs. Organizations often believe that they are unable to afford the necessary steps to meet heightened compliance standards set forth. Yet, a recent study from Ponemon and Globalscape reports that it is 2.71 times more costly for an organization to not comply with mandates. The average cost of compliance is $5.47 million versus an average of $14.82 million for noncompliance, which is an average difference of $9.35 million annually.



Wednesday, 28 March 2018 05:39

The True Cost Of Compliance

Data growth is putting tremendous pressure on enterprise IT, and in many cases, IT managers are turning to cloud storage to help them deal with that data growth.

In fact, when the Interop ITX 2018 State of Infrastructure Report survey asked which factors were driving the most change in organizations' IT infrastructure environments, 55 percent of respondents chose "growth of storage/data," making it the number one response, by far. How quickly is data growing? Sixty-two percent of those surveyed said their data was increasing by more than 10 percent every year.

According to 451 Research, "Data and capacity growth continue to be the top storage problems plaguing infrastructure professionals, and that is consistent across most geographies and industry segments. Meeting disaster recovery requirements and the high cost of storage (capex) were nearly tied for second place on the list of storage problems." Data growth and backup needs are driving up costs related to storage hardware and storage management. In response, organizations are looking for options that can help them reduce costs — and frequently, that means looking to the cloud.



Public cloud storage is an effective way for businesses to access massive amounts of data storage capacity and advanced storage management capabilities with pay-as-you-go pricing and without massive up-front investments. Today, it's not uncommon for organizations to use a public cloud provider as a repository for backup and archival data, for files used in productivity and collaboration software suites, and for many other use cases.

But any discussion about entrusting your organization's data to a public cloud or online storage provider requires an understanding of how the public cloud works compared to private clouds and on-premises data storage systems.

Differences between Public and Private Cloud

Cloud-based storage is available from several providers, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, IBM Cloud – the list goes on. Typically, key characteristics include a multi-tenant architecture and the underlying use of object or block storage and APIs (application programming interfaces) that allow applications to access data over the Internet.



Wednesday, 28 March 2018 05:13

Public Cloud Storage: Guide for Businesses

Migrating and managing your data storage in the cloud can offer significant value to the business. Start by making good strategic decisions about moving data to the cloud, and which cloud storage management toolsets to invest in.

Your cloud storage vendor will provide some security, availability, and reporting. But the more important your data is, the more you want to invest in specialized tools that will help you to manage and optimize it.

Cloud Storage Migration and Management Overview

First, know whether you are moving data into an application computing environment or moving backup/archival data for long-term storage in the cloud. Many companies start off with storing long-term backup data in the cloud, others with Office 365. Still others work with application providers who extend the application environment to the vendor-owned cloud, like Oracle or SAP. In all cases you need to understand storage costs and information security controls such as encryption. You will also need to decide how to migrate the data to the cloud.



Tuesday, 27 March 2018 05:11

Managing Cloud Storage Migration

Leveraging Compliance to Build Regulator and Customer Trust

Bitcoin and other cryptocurrencies continue to gain ground as investors buy in, looking for high returns, and as acceptance of it as payment takes hold. However, with such growth come risks and challenges that fall firmly under the compliance umbrella and must be addressed in a proactive, rather than reactive, manner.

Cryptocurrency Challenges

One of the greatest challenges faced by the cryptocurrency industry is its volatility and the fact that the cryptocurrency markets are, unlike mainstream currency markets, a social construct. Just as significantly, all cryptocurrency business is conducted via the internet, placing certain obstacles in the path of documentation. The online nature of cryptocurrency leads many, especially regulators, to remain dubious of its legitimacy and suspicious that it is used primarily for nefarious purposes, such as money-laundering and drug trafficking, to name a few.

This leaves companies that have delved into cryptocurrency with an onerous task: building trust among regulators and customers alike, with the ultimate goal of fostering cryptocurrency’s survival. From a regulatory standpoint, building trust involves not only setting policies and procedures pertaining to the vetting of customers and the handling of cryptocurrency transactions and trades, but also leveraging technology to document and communicate them to the appropriate parties. Earning regulators’ trust also means keeping meticulous records rendered legally defensible by technology. Such records should detail which procedures for vetting customers were followed; when, by whom and in what jurisdiction the vetting took place; and what information was shared with customers at every step of their journey.

On the customer side, records must document the terms of all transactions and the messages conveyed to customers throughout their journey. Records of what customers were told regarding how a company handles its cryptocurrency transactions and any measures it takes to ensure the legitimacy of activities connected with transactions should be maintained as well.



Lessons Learned from the Trenches

The #MeToo and #TimesUpNow social media campaigns sparked a movement to expose intimidating behavior and sexual assault in the workplace. Because of the resulting paradigm shift, harassed employees are empowered to speak up about wrongdoings. Corporate investigators Amy Conway-Hatcher and Bridget Moore discuss the need for corporations to re-evaluate their whistleblower reporting programs, assess current conduct policies and determine whether they are sufficiently prepared to deal with allegations.


If you follow whistleblower developments, most of 2017 looked a lot like years past with its fair share of whistleblower reports, settlements and litigated cases, adding to the momentum whistleblower advocates have built over the last decade.  The real story, however, is what began to unfold in the wake of the #MeToo and #TimesUpNow movements that spread virally through social media, exposing the prevalence of sexual harassment and, in some cases, sexual assault, in the workplace. Raw and powerful, a widespread culture shift has taken place, empowering whistleblowers to “speak up” and expose – unilaterally or with the help of others – injustice, unfairness, bad behavior and illegal conduct. The shockwaves are widespread and will continue to be felt at the board level and in the C-suite across many industries and organizations.

In the past, whistleblowers operated from a position of weakness, often in the dark, alone, afraid of losing employment opportunities and unaware of their rights. That is no longer true. While exposing bad behavior is still intimidating and risky, the balance of power is shifting. Whistleblowers have support from nonprofit organizations, anti-retaliation laws, sophisticated legal counsel, investigative reporters and the power of the internet and social media. From this support, people feel more empowered to “speak up” about wrongdoing. The impact is being felt by institutions at the highest levels, from Wynn Resorts, Michigan State, Lululemon, Red Cross, Uber and recently, Ford. Some of these institutions seem to be weathering the storm and others have struggled, facing accusations of complicity or looking the other way and allowing toxic cultures to flourish.

Now more than ever, business leaders and directors need to take a hard look at their culture and the behaviors that can lead to widespread misconduct. They must be willing to peel back the onion and address inappropriate conduct that may exist in their organizations. They need to re-evaluate whistleblower and other reporting programs to assess whether their culture in fact encourages or discourages people to “speak up” when they experience or observe misconduct. Leaders must have the courage to look at themselves to assess the tone they have set. They also need to ask, if that day comes, whether they are sufficiently prepared to deal with potential allegations that touch the highest levels of the organization.



The bull market for bitcoin is catching a lot of attention. Most notably among hackers.

This is why the cost of a ransomware attack was expected to grow 1500 percent between 2015 and 2017 to a predicted $5 billion. Some expect costs to rise to $11.5 billion in 2019.

Others saw a drop in ransomware toward the end of 2017, as cryptojacking continued to grow in popularity; hackers are stealing CPU cycles by planting mining code in compromised websites or in malware.

One locks down your systems, the other slows them down. Both feed hackers’ appetite for cryptocurrency. Here’s how to stop them.



Data storage backups seem like a simple enough way of protecting valuable business data against accidental erasure, application crashes, server mishaps, ransomware and the countless other ways data winds up irretrievable. IT leaders soon discover that managing a comprehensive data protection strategy involves much more than pointing a backup solution to a storage target.

It often involves an exhaustive examination of available tools, thorough planning and a data recovery strategy that delivers on all that hard work.

Here's where to start and the critical journey toward effective enterprise backup and recovery management.



Tuesday, 27 March 2018 05:03

Enterprise Backup and Recovery Management

I live in Arizona which is of course the Grand Canyon State. And if you’ve ever stood on the South Rim of the Grand Canyon and looked across at the North Rim, you will definitely know the meaning of the expression, “So close but yet so far.”

This situation is actually similar to one that people often encounter in business continuity.

If you have read my ebook 10 Keys to a Peak-Performing Business Continuity Program, you will know that I believe every organization should adopt a BC standard and strive to bring their program into compliance with it. (For a quick refresher on business continuity standards, see our blog Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.)

But often when I give this advice, I feel as if I have done the equivalent of transporting my reader to the South Rim then dropping them off and saying, “Now all you have to do is get to the North Rim. It’s right there, so I’m sure you’ll have no problem reaching it. Anybody can do it, it’s a piece of cake.”

Of course, it isn’t really a piece of cake getting from the South Rim to the North Rim, unless you’re a bird.

And it isn’t a piece of cake going from having adopted a BC standard to actually understanding how your organization stacks up against the standard and pinpointing what you need to do to boost your compliance with it.

On the one hand, you have a bundle of written guidelines and requirements, and on the other, you have your organization’s real-life situation, in all its complexity and hidden details, in terms of the different departments and their different needs and levels of readiness in terms of business continuity.



Instant Business Recovery

You may be familiar with the term, “disaster recovery as a service,” or DRaaS. Continuity Centers has developed its own DRaaS solution, designed to let our customers get back to work as quickly and efficiently as possible. We call this state-of-the-art solution Instant Business Recovery (IBR).

In the past, having a disaster recovery plan in place was a great idea. Today, it’s essential. Countless perils, physical and cyber, constantly threaten the operation of your business. Instant Business Recovery through Continuity Centers gives you the freedom and peace of mind to focus on your business while we ensure your technology supports your needs.



A Framework for Assessing Regulatory Maturity

In the current regulatory environment, banks find it complex and challenging to interpret and assess regulatory requirements on conduct risk. In this article, experts from Tata Consultancy Services suggest a robust approach for assessing the level of maturity attained by a bank in conduct risk vis-à-vis regulatory requirements, and a remediation plan to bridge gaps.

Conduct risk is a key emerging risk and has been defined by the Financial Conduct Authority (FCA) as “the risk that firm behaviour will result in poor outcomes for customers.” Conduct risk has evolved over the years from being an underestimated and unattended risk to one of the major risks faced by banks.

In addition to sizeable regulatory fines and costs of remediation, banks consider reputational damage a prominent cost of conduct risk. With the digital landscape evolving and changing how businesses are run, digital conduct and analytics have been major areas of focus for banks in recent years. This has been underscored by the FCA in its annual business plan 2017/18, where it identified technological development as one of its forward-looking areas.



Monday, 26 March 2018 14:49

6 Steps To Minimize Conduct Risk

Military precision? Business descriptions? No fluff? All these qualifications have a bearing on a disaster recovery plan, but with certain conditions.

Your DR plan must be readable, practical and action-oriented. Otherwise, in the heat of an incident, trying to understand and implement your plan may cost you precious time or lead you into errors, omissions, or conflicts.

Your DR plan should be something your staff wants to read because it is clear, flows well, and is of direct interest, rather than a tome that must be ploughed through, teeth gritted and matchsticks propping up your eyelids. Fortunately, a few simple rules can help.

Try the following rules from George Orwell (of “1984” and “Newspeak” fame!). He was referring to writing in terms of essays, newspaper articles, and the like, but much of what follows applies to disaster recovery plans too:



In 2017 alone, an estimated 6.5 million people evacuated communities in California, Florida, Puerto Rico and Houston — some for days, some for weeks and some even longer. During times of mass evacuation, neighboring communities and border states see an influx of people with varying medical needs, from injuries sustained during evacuation to ongoing issues like diabetes.

But while we regularly practice drills to prep for severe weather and set communication plans in place in case of evacuation, rarely do we prepare for how to access health care when disaster strikes our neighboring communities. 

To alleviate the disruption of being forced to evacuate, health-care providers are using solutions such as online appointment scheduling to not only provide quick access to doctors, but also to help those needing onsite medical attention easily identify available local providers that match their specific medical needs. Using tools that offer instant access to information enables patients to continue making informed health-care decisions despite being away from familiar providers and having no knowledge of area resources.



(TNS) - Wildland firefighters expect the Pacific Northwest will see another busy fire season this year with land around Yakima especially vulnerable.

“If I were to pick one place that might experience above-average fire danger, it’s the Yakima Valley and the eastern slopes” of the Cascade Mountains, said Josh Clark, a meteorologist with the state Department of Natural Resources.

Less rain in the winter, above-average temperatures and less mountain snow mean fires could start earlier and burn longer than a typical season, Clark said.



We may live in a digital age, but many of the concepts from the previous industrial era still carry through.

We have virtual cloud data factories and production lines, just like their physical counterparts for making cars, furniture, aircraft and so on. IT systems management often looks like asset management in other domains.

“Digital” isn’t so new, more a different point of view. Management thinking in non-digital contexts frequently maps onto IT operations and systems management – or at least offers food for thought. The 5S methodology is a case in point.

With quality circles, Kanban and just-in-time manufacturing, Japan has shaped past and current production management in ways that few other cultures can match.

So, it might be easy to dismiss 5S as “just another Japanese system for productivity”. Yet a peek into 5S methodology and the concepts driving it can rapidly reveal ideas of interest for IT systems management.

For example, “Dirty, cluttered, or damaged surfaces attract the eye, which spends a fraction of a second trying to pull useful information from them every time we glance past.



Thursday, 22 March 2018 14:42

IT Systems Management and the 5 S’s

If Ben Franklin had been around in our day, he might well have expressed his most famous quote a little bit differently. He might have said: “Nothing is certain but death, taxes, and data loss.”

He would have been right, too.

Even in our current environment of real-time data replication and zero loss data solutions, there is almost always some data loss after a system crash. In fact, in most data protection schemes, a certain amount of data loss is designed in, because a true zero data loss solution is prohibitively expensive.

In today’s post, we are going to share some tips regarding what you as a business continuity professional should be doing to make sure your organization is prepared for these tough realities.



5 Steps to Prevent Loss

Employee theft costs U.S. businesses an estimated $50 billion a year. For companies today, safeguarding against employee fraud should be a top priority. In this article we’ll explore a few ways that businesses can take steps to help protect themselves from fraud.

Looking to keep your company safe?

For any company with employees, preventing employee fraud is an issue that should be at the top of the list when it comes to safeguarding the business.

With employee theft costing U.S. businesses $50 billion a year, it’s easy to see why fraud prevention is so important.

The truth is, employee theft comes in many different forms, and there simply isn’t a one-size-fits-all solution when it comes to preventing fraud. From outright embezzlement to skimming extra hours, any form of employee fraud is serious, and all instances can cost your business and negatively impact your bottom line.

While fraud can be devastating, there are ways to go about preventing and reducing the risk to your company. With this in mind, here’s a look at some steps you can take to help prevent employee fraud.



As we start moving into the deep learning and AI world, it might be a good idea to reflect on how we went from basic data collection to an information-based world.

Stored data is just stuff until you can figure out how to turn it into actionable information, and sometimes it takes years of collecting data to have enough to get to that point. Good examples of data that require long-term collection include: medical trials with new processes, medication or equipment; group behavior based on external factors that happen infrequently; and climatic change.

The thing about data is you do not know what you do not know about it. A good example is "junk DNA," a term from the 1970s and 1980s used to describe the large stretches of DNA that do not code for proteins. By the 2000s, it was discovered that some of that "junk" DNA regulates how and when genes are expressed. Good thing people stored that data, which was costly at the time given the cost of storage per byte. An even higher cost at the time was the cost to sequence the DNA, which is why it was kept. Historically this is pretty common: the cost of collecting the data was high and the cost to store the data was also high, so we can thank those who preceded us for doing the right thing. They stored this old data, and we have learned a lot from it.



Wednesday, 21 March 2018 13:46

Data Storage: Turning Data into Information

(TNS) — A reckoning on public preparedness long in the making is underway in California after a year that saw unprecedented death, destruction and loss from disasters set off by extreme weather.

Though California has long experienced natural disasters tied to weather, the last year recorded a staggering human toll — more than 40 dead in wine country fires and more than 20 in Santa Barbara County mudslides.

The disasters revealed gaping holes in the state's county-controlled warning systems — a mix of services from multiple vendors, subscriber programs with low participation rates, outdated landline lists, and a federal cellphone alert system so imprecise some emergency managers are afraid to use it. Public warnings failed to reach most of those in harm's way, or understated the risk.



Suitability Surveillance and Controls

Despite how many risk and compliance eyes an investment bank has inspecting client activity, when it comes to managing risk, it’s impossible to review each and every investment recommendation or transaction by a simple eyeballing of trade records. And understanding any recommendation or transaction in the context of a client’s investment profile is both a critical and mandatory part of the review process. What steps should banking compliance be taking to make sure their sales practices and suitability controls are up-to-date?

Best practices for managing suitability compliance risk are a good news/bad news bedtime story in the financial services industry. The good news is that I am hard pressed to identify another area where the global regulators and regulations, including, but not limited to, FINRA, the SEC, MiFID and IOSCO, speak with one voice with respect to statutes, rules and regulations. On a global basis, capital markets compliance is usually a patchwork of disparate requirements. However, the global requirements relating to suitability are nothing short of harmonious and support the actions of many firms in adopting and implementing a holistic compliance framework across the enterprise.

The not-so-good news is that holistic compliance itself has struggled over the years with its own identity crisis, trying to ascertain what it needed to do to evolve. With that in mind, the framework of holistic compliance is not a “one-size-fits-all” solution, because the business models and scale of firms vary significantly. With respect to a few of the contemporary expectations of the global requirements, best practices in holistic suitability compliance must ensure that your organization does not fail to establish, document and maintain a system of risk management controls and supervisory procedures. Considering this, a well-organized system of “detection, prevention, deterrence” coupled with follow-up and review should be integrated and reasonably designed to manage suitability risk.



Tuesday, 20 March 2018 13:48

Moving Targets That Reinvent Themselves

Resilience is a buzzword currently being tossed around and twisted to meet the criteria of the writer, grant proposal or academic looking to publish a paper. One could argue that you are looking to establish resilience in every aspect of the four phases of emergency management. In reality, resilience is added to a community only when there is a singular focus on disaster mitigation. Unfortunately, the word resilience is often used as an excuse not to do any mitigation.

Today, our emergency management system is being caught in the whirlpool of disaster response and recovery. These two elements of the emergency management system are sucking all the energy, in the form of time and funding out of people and organizations. 2017 saw FEMA chasing its tail, going from one disaster to the next, shifting people, resources, and priorities from one disaster to the next. 

The only phase of emergency management that can end this cycle of destruction and rebuilding, in the same way, in the same place, is disaster mitigation. Mitigation may have some funding, but the costs of disaster response and recovery swamp what little funding is available for it.

To break this hold on disaster response and recovery, it would be wise to reexamine a previous program that was ended when one presidential administration replaced another and the baby was thrown out with the bathwater. This program was named Project Impact.



Tuesday, 20 March 2018 13:47

Building Disaster Resilience

Adopting New Strategies to Increase Agility

In order to capitalize on cloud velocity, organizations must adopt new approaches and tools developed for the cloud. Failing to do this will delay migration, weaken overall security posture and cost time and money, losing the agility they seek.

Organizations are in the midst of a digital transformation, and many are looking to surge past their competition – or rush to try to keep up with the pace of business. It is now a strategic business requirement to deliver online services and products as rapidly as possible or risk being left in the dust. The cloud delivers the velocity businesses seek, but those diving in head-first learn a difficult truth: cloud security is very different from on-premises architectures. In order to capitalize on cloud velocity, security teams must adopt new approaches and implement new solutions engineered specifically for the cloud. Failing to evolve may hinder migration, deteriorate overall security posture and cost time and money trying to make it work.



(TNS) - The city and county have a 929-page plan that outlines who does what, when and how in the event of a disaster like Hurricane Harvey.

That plan outlines critical steps governments should take to protect citizens, such as warning residents of oncoming hazards and protecting water supplies.

But during Hurricane Harvey, some parts of the plan weren’t followed, including steps to estimate damage to homes and businesses and organize volunteers.

Now, some community leaders are calling for an updated version.

“The lesson is learned,” said Victoria architect Rawley McCoy, who called for discussions on how to improve after the storm. “Now what are we going to do about it?”



Three months into the year, 2018 has already been rife with disasters, both manmade and natural.

From active shooter situations at schools to rapid flooding and odd weather patterns, emergency management personnel throughout the country are running drills, prepping communication strategies and actively managing difficult situations. Any time there is a lull in the first quarter of the year, it makes sense to do a quick touch-base with your teams to wrap up any loose ends from 2017 and ensure that you’re completely ready for whatever else 2018 has to offer.

Staff Check-In

Having your incident management team at full strength is critical to protecting your community. Everyone should fully understand your systems and be prepared to run drills, either physical or digital. Is your staff ready? Here are some questions to consider when you’re preparing for potential risks to your community:



Over the twenty years or so that I have been professionally engaged in the field of business continuity, I have noticed that most organizations fall into one of two categories when it comes to how they go about scheduling their BIAs.

One group schedules their BIAs following the same principles that most people use in making appointments to get their teeth cleaned: They schedule them months in advance, going by a rational timetable, which has been endorsed for sound reasons by well-informed people, and which is not in conflict with any other important obligations they might have.

This is, as you might know from experience, an efficient, low-drama method of making plans to efficiently take care of a chore which is not necessarily enjoyable, but which is clearly important to the long-term health of your organization.



Natural disasters such as tornadoes, hail and even flooding can strike at a moment’s notice, seldom leaving significant time to plan your response.

Does your business continuity plan account for tornadoes? Including a tornado response plan can better prepare your organization during peak tornado season. Staying safe during a storm requires planning, equipping, training and ultimately execution of the defined strategy to protect lives and property from unnecessary loss. Use these proactive communication prep steps to reduce the overall risk to your organization in the event of an emergency.

Best Laid Plans

You’ve drilled your staff on what to do when a tornado is on the horizon. You’ve created plans, emailed them to your community and implemented security procedures that kick in immediately in the event of a tornado alert. However, tornadoes are one of the most dangerous natural weather phenomena simply because they can come up so quickly that you may have virtually no warning before needing to trigger your business continuity plans. Is your staff so well-educated and trained that they can execute even in the event of a surprise emergency? If not, having a proactive communication strategy in place may be your best bet for weathering the storm with the lowest possible human, technology and direct costs.



In today's enterprises, often the whole point of collecting and generating data is to capture its value and capitalize on it. That requires moving it from storage systems to servers or other systems across a network for processing, which typically means that some form of storage networking is at play.

There are various forms of storage networking, including network-attached storage (NAS) and storage area networks (SANs). Essentially, they all deliver data services from external storage systems across a network and allow multiple users or devices to share storage capacity.



Collaboration Needed to Effectively Manage Data Security

Cyber exposure at all levels of business operations, from financial transactions to customer service and customer apps, is increasing. At the same time, new regulations governing data carry higher potential fines, to the point of posing a threat to the business itself. As a result, security and compliance personnel are seeing their duties increasingly overlap in their effort to fight these threats, and they understand that to pull off both operations, a certain level of collaboration and consolidation of their efforts is essential.

In an interview with Corporate Compliance Insights, Managing Director of the Information Security Forum (ISF) Steve Durbin identified the increasing burden of compliance on organizations as a serious area of concern. According to Durbin, while regulations including GDPR are well intentioned, enforcing compliance practices can consume enormous time and resources and does not always equate well with ensuring security, privacy and other ends regulations seek to achieve.

At the same time, realizing organizations’ own commitments to ensuring security often requires a suite of measures that is separate from protecting their customers. The result has been a piecemeal approach to security and compliance that has created unnecessary cost and complexity as well as, in many cases, overlapping security and compliance functions that could better be handled by a unified approach.



Software defined software adoption is growing, which puts the spotlight on the costs of SDS. One of the major drivers for adoption of SDS is cost savings. Ideally, SDS enables lower storage costs by reducing capital expenditures and sharply reducing operational costs over proprietary SAN and NAS.

However, some businesses still wonder: can you save money with SDS? Yes, but you need to be smart with your investment.



One of the most common fears that come up when doing active shooter preparedness trainings is the fear of being confronted and shot by a gunman.

Although it’s a common fear, the good news is that it’s not as serious as many people think. By attending life-saving training and preparedness programs, you can dramatically increase your odds of surviving an active shooter event.

While there is no central registry for fatal gunshot wound information, some experts have estimated that, excluding gunshots to the brain, heart and lungs, “on the whole, the survival rate is 70 to 80%.”



From the Oct. 1, 2017, outdoor shooting in Las Vegas that killed 53 and injured at least 1,000 to the Parkland, Fla., high school shooting on Feb. 15 that killed 17 and injured dozens more, active shooter events are dominating the news.

As a result, organizations are realizing that they need to create or update their active shooter preparedness plans. A critical part of these plans includes lockdown procedures, including knowing how and where to shelter-in-place. By planning and training for lockdowns, organizations can provide clear guidance on what to do to save lives.



When you get sick, are you the type of person who rushes right to the doctor for treatment, or would you try your home remedies first? Whether you chose to increase your vitamin C intake, drink plenty of fluids, rest and take over-the-counter medications, or receive a prescribed antibiotic, the hope is that you were able to have a speedy recovery. More importantly, hopefully you were able to contain the cold and not spread it to family and friends. Regardless of the situation, a decision had to be made whether to get medical attention or not, while also taking into consideration your family and their health. The same should be considered when planning for a pandemic-type situation at your company.

In 2018, many companies balk at the idea of still planning for the big “pandemic” outbreak; however, take into consideration that it could take weeks if not months for the Public Health Department, along with the Center for Disease Control (CDC), to identify a public health emergency. Emerging viruses or new global pathogens are difficult to assess due to several factors: no diagnostic tests exist, treatment/prevention may not be available, transmission is poorly understood, and many locations could be affected at the same time, causing resources to be scarce. And, after identification, it could take several months to develop antibiotics to treat the infectious disease. In the meantime, your organization will see a degradation of the services it provides while working with limited staff.

Now that the number of influenza cases is decreasing in March, your planning activities and preparation should increase and mature. As part of your planning, what are you prepared to do if faced with a “pandemic” situation in your workplace? Here are some factors to consider within your plan:



Managing a business continuity program is a job that puts unique political burdens on its practitioners, as you will be well aware if that’s what you do for a living. Few other departments face the same need to continually justify their existence to senior management as the BC program, and few are as dependent on having good working relationships with other departments.

For these reasons, it is valuable for the BCM professional to step back every now and then and think about how they can work smoothly with the other entities within their organization, both vertically and horizontally.

To help you do this, in today’s post we’ll share a few thoughts on the different hierarchical levels found at most organizations, and sketch out what interaction each typically has with the BCM program. In the end, we’ll give a few tips to help you navigate among the different levels at your organization so that your program has a better chance of obtaining the resources and support it needs to perform its critical if sometimes undervalued mission.



The bigger an organisation gets, the more the plans multiply. There may be plans for dealing with contingencies, crises, disasters, emergencies, pandemics, risks and who knows what else, all in addition to your business continuity plan.

Even for small and medium-sized businesses, it is not always clear as to what should go into which plan, and how many of them you need. Here’s a quick rundown and rule of thumb guide to what you should have and how it all fits together.

The first step is to understand your business risks. Whether you are starting a business or already running one, you need to know what could affect it.

Depending on the risk in question, including its potential impact and probability of occurring, you then have up to four choices. You can eliminate it, transfer it to somebody else, mitigate it or accept it.

Your business continuity plan then starts with the risks you have decided to mitigate or accept. It is also a document that focuses on maintaining or restoring business operations.

While it does not ignore personal safety, items like evacuation procedures are handled in a separate emergency plan. The two plans can, of course, reference each other.



(TNS) — First there were the simulated gunshots and actors screaming.

Then came shouts of pain and desperation.

"Owww! Oh my God!"

"Help! Help!"

"I think I'm dying."

The chaos, simulating the aftermath of a movie-theater shooting, was created for the benefit of about three dozen Ohio State University medical students.

Held in a training area on the OSU Wexner Medical Center campus, the Tuesday event was designed for fourth-year medical students who are finishing up an optional course in emergency preparedness and disaster response. Also participating were students who plan to specialize in emergency medicine.

Each was asked to play a part in the scenario, from the theater-goer trying to help victims to the emergency medical technician to the emergency department physician.



Hard disk drives have been around forever, if you define “forever” as 1953. In 2018 they are still the backbone of data storage, even with fast-growing SSD sales and the tenacity of tape.

Let’s look behind the curtains at modern HDD technology, capacity, performance, and reliability. We’ll revisit the types of hard drives in use in business today and peek into the future of storage and hard disk drives.



Thursday, 15 March 2018 14:11

Hard Disk Drives: An Overview

Not All Emergency Notification Systems Are The Same

Does your company have a modern mass communication system? When I say “modern,” I am referring to one that doesn’t rely solely on email or phone; one that is able to contact employees on multiple devices simultaneously; one that can be activated in a matter of seconds and reach its intended audience within minutes. I’m going to add another feature to the mix because it is so invaluable when it comes to reaction time – interactive maps.

Interactive maps use GPS to track and monitor employees and events – not in a creepy, big brother way but in a way that ensures employees are safe and accounted for no matter where they work. GPS can provide more immediate location information to help first responders act quickly when seconds count. Think of it this way: if you were working in a location where an emergency struck, would you be uncomfortable or thankful that your employer was sending help to your exact location within seconds of the incident?



Millennial women have embraced STEM and are steadily driving up the percentage of women pursuing technology careers. But finding women in technology leadership roles is still rare. Although women have been involved in “computing” since the late 1800s, when a team of women at Harvard were tasked with computational duties that their male counterparts considered too tedious, it was only recently that we entered the corner office of technology companies. Women like Meg Whitman, Diane Greene, Ginni Rometty and Sheryl Sandberg are inspirational leaders paving the way for my generation and continue to prove we can be successful in any technology position.

What took so long? And what can women in technology do to shape their career paths so we can continue to grow the number of women in the C-suite?

My company, Sungard Availability Services (Sungard AS), has a corporate vision that mirrors many of the things I have learned in my own career. “At Sungard Availability Services, we design, build, and run production and recovery environments that are more resilient and available – giving your business the agility it needs to compete cost-effectively in the marketplace.”

Being resilient, agile, available, and ready to meet the competition, all while building relationships along the way, will undoubtedly help to advance your career. So, here are my five top tips for women building their careers in the technology field, based on my own experiences:



Wednesday, 14 March 2018 14:50

5 Career Tips for Women in Technology

Let’s admit it. We don’t always read everything corporate sends out. We are all bogged down with too many emails, voicemails we rarely hear, and well-meaning company newsletters that hardly get a look. No offense to the people who take the time to put them together, but we all have a lot to manage these days and kind of assume the critical stuff will get to us somehow.

What can a company do to improve employee communications open rates? Here are a few ideas to ensure you get your messages heard.

Only communicate what really needs communicating.

Choose your words wisely, a proverb surely once said. If you want to get your employees’ attention, you have to be selective on what you put out there. If you’re mass emailing every little thing on a frequent basis, chances are, your emails are ending up in the recycle bin.

Instead, decide how frequently you really need to communicate and what exactly you should communicate on a regular basis. New product launch? Sure thing. Accounts won? Likely so. Reminder that St. Patrick’s Day is coming and wear green? Please don’t. Of course, some communications aren’t planned for, such as emergencies or other critical events. You can still establish a protocol for these, however, by assessing your risks per location and devising a communication plan for the most probable scenarios.



(TNS) - The third nor'easter in two weeks has left 108,000 households in the dark in Massachusetts this morning, as a blizzard warning has extended through Boston.

Strong winds reduced visibility to near zero as the storm drove north from New Jersey this morning, prompting the National Weather Service to extend its blizzard warning overnight to include Boston.

“That is a change from yesterday,” said NWS meteorologist Kim Buttrick. “Basically, pretty much the entire eastern coast of Massachusetts is under a blizzard warning.”

That warning will remain in effect until 8 p.m., as will a winter storm warning for the rest of the state. Buttrick said 12 to 18 inches of snow is still expected to blanket Massachusetts east of Worcester. Plymouth County and upper Cape Cod could get slammed with up to 2 feet of “white mud,” wetter, pastier snow than locations north and west.



A huge amount of innovation is taking place around AI right now. Many, including Cutter Consortium Senior Consultant Curt Hall, think AI has the potential to disrupt lots of industries, including banking/financial services, healthcare, automotive, retail, Internet of Things (IoT), IT security, government, and the military.

We’re in the midst of conducting a study on AI and machine learning. As part of it, we’ve asked end-user organizations how they feel about the potential for AI to disrupt their particular industries and lines of business. While the research is ongoing, a snapshot of the first 64 responses shows that more than ¾ of them think AI might impact their organization’s industry or LOB, and only 8% say it won’t have any impact at all! Curt Hall reacts:

Given that AI remains a technology many organizations are still trying to determine how to practically apply, this finding is impressive. It indicates that the majority of organizations view AI as having some potential to seriously shake up the industries in which they operate.



Wednesday, 14 March 2018 14:47

How Much Disruption will AI Cause?

(TNS) - After six months of chasing down and documenting the death and destruction Hurricane Irma left behind from the eastern Caribbean to the Carolinas, the National Hurricane Center released its report on Monday.

It underscores the wide swath of damage left behind by the massive storm, which brought wind and storm surge to much of Florida last September.

At least 129 deaths are attributed to the storm, either directly or indirectly. Irma's powerful storm surge, seas, winds and flooding were directly responsible for 44 deaths, concluded the team of three hurricane specialists who wrote the report, John Cangialosi, Andrew Latto and Robbie Berg. At least another 85 deaths were indirectly related to the storm.



Did you know that the hidden cost of climate change is now reaching billions of dollars a year?

Between hurricanes, wildfires and yes — tornadoes — the U.S. has been devastated both physically and financially by natural disasters. According to a new report published by the Universal Ecological Fund in late 2017, extreme weather has caused over $240 billion per year in damage to our world. While hurricanes may get the big billing on the news due to the extended length of the impact and subsequent flooding, tornadoes alone cause billions of dollars of damage each year. Between January and March 2017 alone, there were 425 tornadoes, and 2018 and future years are expected to be even worse. See how these costs can potentially be mitigated by early warning of these natural acts.



It’s commonplace to see articles and discussions about cyber security and the law, but this article is not about that.

It is about cyber security and law firms, those august institutions with their lawyers, barristers, and attorneys.

Legal firms benefit from a sort of professional halo that makes it more difficult to question their probity and their cyber security.

Yet in the light of the Panama Papers data breach of last year, the legal sector may need to do some significant catching up in terms of protecting its own assets and those of its clients.

IT has brought benefits to legal companies, but has also multiplied their risks.

Legal firms often manage not only their own data and financial resources, but those of their clients too. They handle sensitive customer data, details about company operations including mergers and acquisitions, and initiate movements of client funds, including those destined to buy other companies.



Tuesday, 13 March 2018 14:36

Cyber Security and the Legal Sector

Digital transformation refers to the integration of technology into all areas of a business resulting in profound changes in how the business operates and interacts with customers.

A recent McKinsey and Company blog post points out that successful companies do not just focus on a digital strategy but instead devise a strategy for the digital age — “a complex, many-tiered undertaking that is made more challenging by continuously shortened development cycles.”

The post explores a few of the digital transformation lessons insurance companies learned in 2017 and questions CEOs should be asking in 2018.



(TNS) — Between the Oroville Dam emergency spillway and wildfires, the past year was a learning opportunity for area emergency services officials.

Though emergency response plans have long been in place, 2017 presented lessons in public trust, public notification, emergency center organization and preparedness.

Officials submitted reflections on what their entities have learned about emergency response and how Yuba-Sutter is better prepared for the future.

Smith traveled to Emmitsburg, Maryland Feb. 21 and 22 on behalf of Sutter County to participate in the 25th annual National Dam Safety Program Technical Seminar, at the Federal Emergency Management Agency’s National Emergency Training Center.



On October 1, 2018, a shooter from the 32nd floor of the Mandalay Bay hotel opened fire upon a concert crowd fenced in a 15-acre open air lot. 1,100+ rounds were fired in a span of 10 minutes. 58 people died, excluding the shooter, 851 were injured of which 422 were gunshot wounds. 14 of those shot were off-duty firefighters and police officers enjoying the concert. Police and EMS personnel assigned to work the concert that night also took fire.

How do you react when under live fire? What do you do when there are people to help? How do you manage your emotions afterwards?

I am an All-Hazards Psychological Trauma Responder who was deployed to both the Route 91 Harvest Festival concert massacre and, most recently, the Marjory Stoneman Douglas High School shooting rampage. I supported the Crisis Intervention teams’ response for each incident.

Las Vegas Fire-Rescue (LVFR) personnel, both on and off-duty, did a heroic job of saving lives. Heroic is not a word I like to use as it has become diluted by overuse. However, in this case, there is no other word to describe their efforts. LVFR saved people during the shooting and triaged afterwards. The large number of injured and dead was overwhelming. The ever-present thought expressed was “We have a job to do…”



Technology is not like a fine wine. It doesn’t get better with age. This fact can hit a company pretty hard. When you realize your technology has depreciated significantly enough that it causes damage to your company’s productivity, you’re now in the market for a new system of tools. To avoid dropping $30,000 or more on new hardware, you may want to consider infrastructure-as-a-service (IaaS).

IaaS is simply a way to get you to industry standards in terms of your technology. This is often called certified network infrastructure. All it means is that your equipment and network are current enough to be compatible with the latest technology. (If your files are saved on floppy disks, for example, you’re going to have a tough time with business continuity.)

IaaS is a new way for businesses to bring their technology up-to-date while giving them some exciting tax benefits to help improve profitability by flatlining IT budgets.



Monday, 12 March 2018 14:11

Why Outsource Your Infrastructure?

A prevalence of high-risk industries such as mining, exposure to powerful pesticides in agriculture and the exacerbation of risks due to climate change: these are just some of the factors that contribute to occupational health and safety hazards in Latin America. But a culturally rooted lack of awareness and engagement is perhaps the greatest danger of all.

With some 130 million workers earning their livelihoods in conditions of informality and one in ten not having access to social protection, it is little wonder that health and safety is not always top of mind for employees in the Latin America region. However, some organizations are taking the lead in challenging the mindset of many of their workers to bring their health and safety performance to the next level. Here, we talk to experts in Latin America about “where to from here” with ISO 45001, the new International Standard on occupational health and safety management systems.

“Occupational health and safety concerns all of us… It is about the lives and well-being of our colleagues,” says Sergio Henao Osorio, Organizational Change Manager at Ingenio Pichichí S.A., one of Colombia’s leading sugar cane manufacturers. “But the key issue in Colombia is that there is not a true health and safety culture in the workplace. That is one of our challenges, but it is also one of the pillars of our mission: to make it a key value for all our staff, and something we honour in all our activities.”

Ingenio Pichichí S.A., which has a staff of 792 plus 995 contractors, boasts an accident rate well below the 7% average in Colombia and is one of the highest-performing organizations in the industry when it comes to safety. “Our aim is to achieve a zero-accident rate,” explains Sergio, “therefore, we are continually working on ways to encourage self-responsibility, the use of protective equipment, providing the best technologies and generally promoting an overall safety culture.”



In the 21st Century, Organizations Make Their Own Luck

This year’s World Economic Forum Global Risks Report found that two of the most prominent risks for U.S. businesses will be inadequate protection against cyberattacks and the potential environmental disasters stemming from climate change. And these are just the predictable risks. What of the “Black Swans,” the large economic, political and business shocks that are hard to predict? In the last decade, we have had the credit crunch in 2008, the Deepwater Horizon oil spill in 2010, the Arab Spring and Fukushima in 2011 and Black Monday in 2015. The report also says that we fail to understand and plan for the systemic risks that arise from the increasingly interconnected networks of digital systems and transport, infrastructure and financial networks. The interconnected nature of these networks increases the chances of cascades: shocks trigger other shocks, affecting supply chains, customers, investors and counterparts elsewhere. The impact of one of these shocks today is more widespread and costly than a decade ago. The more interconnected we are, the more vulnerable we are. The irony of networks is that they both attract and disperse risk.

Businesses have become remarkably adept at understanding how to mitigate risks that can be relatively easily isolated and managed with standard risk management approaches. But it does not help that we often design fragility into our systems and processes, particularly through efficiency and cost-cutting initiatives. Indeed, in a world of increasing risk and rapid change, organizations are regularly slipping up as they struggle to navigate new environments.



Once upon a time, there was a business continuity consulting firm that held business impact analysis interviews with their clients WITHOUT first getting them to gather and provide basic information about their business units ahead of time.

As the owner and CEO of that firm (MHA Consulting), let me tell you something:

The interviews went on for hours and hours, since we had to gather every little scrap of information while we were all sitting there in the meeting.

Worse, the quality of the information was not very good. In the excitement (or whatever) of all of us being there together in a conference room, and the lack of opportunity to think things over, people tended to leave out a lot of critical information.

Eventually, we hit on the idea of providing our clients with forms requesting certain information beforehand. We referred to this as the BIA pre-work, and after we started incorporating this into our BIA process, our lives were never the same.

Ok, I’m exaggerating (a little), but it is definitely true that after we started gathering information ahead of time, the following good things happened:



Third party abuse of assignment-of-benefits is having a negative impact on Florida’s homeowners insurers’ 2017 financial results, according to a recent S&P Global article.

An assignment of benefits occurs when a person with an insurance claim allows a third party to be paid directly by the insurance company. Usually this happens after a claim, when the insured assigns their right to benefits to a contractor or whoever is making the repair the claim is meant to cover. A loophole in the Florida law invites abuse of the right, and the ensuing litigation drives up costs.

S&P Global’s article showed how the loophole has dramatically increased costs at Florida’s Citizens Property Insurance Corp.

Hurricane Irma by itself made 2017 a challenging year for Florida’s Citizens: over $1 billion in net losses and loss adjustment expenses.



The Role of BYOID in Meeting Requirements

With the deadline fast approaching to have solutions in place that comply with GDPR regulations, it’s predicted that 80 percent of companies won’t be ready. Blockchain technology offers a new, innovative and purpose-built way to meet the regulation’s requirements. Here’s what you need to know about blockchain-based identity management, BYOID and how they address the same principles and goals of GDPR.

The blockchain, the technology behind Bitcoin and cryptocurrency in general, has far-reaching applications. The underlying capabilities of the blockchain – that of a decentralized, immutable ledger – can be applied in multiple industries to protect data and identity information of users and companies and to meet compliance standards.

With the enforcement of the EU’s General Data Protection Regulation (GDPR) beginning on May 25, 2018, all companies processing or handling the personal data of persons residing in the EU, including U.S.-based companies, are searching for data-handling solutions that find innovative ways to comply with the new regulations. The GDPR is designed to give people more power over their own data, giving less to the organizations that collect and use it for monetary gain. Blockchain-based identity management enables the concept of “bring your own identity,” or BYOID, which aims to accomplish much of the same things as GDPR – giving back to users control over their data.



How to help your organization plan for and respond to weather emergencies

By Glen Denny, Baron Services, Inc.

Hospitals, campuses, and emergency management offices should all be actively preparing for winter weather so they can be ready to respond to emergencies. Weather across the country is varied and ever-changing, but each region has specific weather threats that are common to their area. Understanding these common weather patterns and preparing for them in advance is an essential element of an emergency preparedness plan. For each weather event, those responsible for organizational safety should know and understand these four important factors: location, topography, timing, and pacing.

In addition, be sure to understand the important terms the National Weather Service (NWS) uses to describe changing weather conditions. Finally, develop and communicate a plan for preparing for and responding to winter weather emergencies. Following the simple steps in the sample planning tool provided will aid you in building an action plan for specific weather emergency types.

Location determines the type, frequency and severity of winter weather

The type of winter weather experienced by a region depends in great part on its location, including proximity to the equator, bodies of water, mountains, and forests. These factors can shape the behavior of winter weather in a region, determining its type, frequency, and severity. Knowing how weather affects a region can be the difference in the number of lives saved and lives lost.

Winter weather can have a huge impact on a region’s economy. For example, in the first quarter of 2015, insurance claims for winter storm damage totaled $2.3 billion, according to the Insurance Information Institute, a New York-based industry association. One Boston-area insurance executive called it the worst first quarter of winter weather claim experience he’d ever seen. The statistics, quoted in an article that appeared in the Boston Globe, noted that most claims were concentrated in the Northeast, where winter storms had dumped 9 feet of snow in Greater Boston. According to the article, “Mounting insurance claims are remnants of a savage winter,” “That volume of claims was above longtime historic averages, and coupled with the recent more severe winters could prompt many insurance companies to eventually pass the costs on to consumers through higher rates.”

Every region has unique winter weather, and different ways to mitigate the damage. Northern regions will usually have some form of winter precipitation – but they also have the infrastructure to handle it. In these areas, there is more of a risk that mild events can become more dangerous because people are somewhat desensitized to winter weather. Sometimes, they ignore warnings and travel on the roads anyway. Planners should remember to issue continual reminders of just how dangerous winter conditions can be.

Areas of the Southwest are susceptible to mountain snows and extreme cold temperatures. These areas need warming shelters and road crews to deal with snow and ice events when they occur.

Any winter event in the Southeast can potentially become an extreme event, because organizations in this area do not typically have many resources to deal with it. It takes more time to put road crews in place, close schools, and shut down travel. There is also an increased risk for hypothermia, because people are not as aware of the potential dangers cold temperatures can bring. Severe storms and tornadoes can also happen during the winter season in the Southeast.

Figure 1 is a regional map of the United States. Table 1 outlines the major winter weather issues each region should consider and plan for.

Topography influences winter weather

Topography includes cities, rivers, and mountains. Topographical features influence winter weather because they help direct air flow, causing air to rise, fall, and change temperature. Wide open spaces – like those found in the Central U.S. – will increase wind issues.

Timing has a major effect on winter weather safety

Knowing when a winter event will strike is one of the safety official’s greatest assets because it enables a degree of advance warning and planning. But even with early notification, dangerous road conditions that strike during rush hour traffic can be a nightmare. Snowstorms that struck Atlanta, GA and Birmingham, AL a few years ago occurred in the middle of the day without adequate warning or preparation and caused travel-related problems.

Pacing of an event is important – the speed with which it occurs can have adverse impacts

Storms that occur in a few hours can frequently catch people off guard and without appropriate preparation or advance planning. In some regions, like the Northeast, people are so immune to winter weather that they ignore the slower, milder events. Many people think it is fine to be out on the roads with a little snowfall, but it will accumulate over time. It is not long before they are stranded on snowy or icy roads.

As part of considering winter event pacing, emergency planners should become familiar with the terms the National Weather Service (NWS) currently uses to describe winter weather phenomena (snow, sleet, ice, wind chill) that affect public safety, transportation, and/or commerce. Note that for all advisories designated as a “warning,” travel will become difficult or impossible in some situations. For these circumstances, planners should urge people to delay travel plans until conditions improve.

A brief overview of NWS definitions appears in Table 2. For more detailed information, go to https://www.weather.gov/lwx/WarningsDefined.

Planning for winter storms

After hurricanes and tornadoes, severe winter storms are the “third-largest cause of insured catastrophic losses,” according to Dr. Robert Hartwig, immediate past president of the Insurance Information Institute (III), who was quoted in Property Casualty 360° online publication. “Most winters, losses from snow, ice and other freezing hazards total approximately $1.2 billion, but some storms can easily exceed that average.”

Given these figures, organizations should take every opportunity to proactively plan. Prepare your organization for winter weather. Have a defined plan and communicate it to all staff. The plan should include who is responsible for monitoring the weather, what information is shared and how. Identify the impact to the organization and show how you will maintain your facility, support your customers, and protect your staff.

Once you have a plan, be sure to practice it just as you would any other crisis plan. Communicate the plan to others in the supply chain and to transportation partners. Make sure your generator tank is filled and ready for service.

Implement your plan and be sure to review and revise it based on how events unfold and on feedback from those involved.

A variety of tools are available to help prepare action plans for weather events. The following three figures are tools Baron developed for building action plans for various winter weather events.

Use these tools to determine the situation’s threat level, then adopt actions suggested for moderate and severe threats – and develop additional actions based on your own situation.

Weather technology assists in planning for winter events

A crucial part of planning for winter weather is the availability of reliable and detailed weather information to understand how the four factors cited affect the particular event. For example, Baron Threat Net provides mapping that includes local bodies of water and rivers along with street level mapping. Threat Net also provides weather pattern trends and expected arrival times along with their expected impact on specific areas. This includes 48-hour models of temperature, wind speed, accumulated snow, and accumulated precipitation. In addition to Threat Net, the Baron API weather solution can be used by organizations that need weather integrated into their own products and services.

To assist with the pacing evaluation, proximity alerts can forecast an approaching wintry mix and snow, and can be used along with NWS advisories. While these advisories are critical, a storm or event has to reach the NWS threshold for a severe weather event before one is issued. Technology like proximity alerting fills that gap: just because an event does not reach an NWS-defined threshold does not mean it is not dangerous. Pinpoint alerting capabilities can alert organizations when dangerous storms are approaching. Current-conditions road weather information covers flooded, slippery, icy, and snow-covered roads. The information can be viewed on multiple fixed and mobile devices at one time, including an operations center display, desktop display, mobile phone, and tablet.

An example is the Nor’easter that struck the East Coast in February 2017. The Baron forecasting model was accurate and consistent in the placement of the heavy precipitation, including the rain/snow line, both leading up to the event and throughout the storm. Models also accurately predicted the heaviest bands of snow, snow accumulation, and wind speed. With radar showing the rain-to-snow line slowly moving east, the road conditions product displayed a brief window in which, once snow began to fall, roads remained merely wet for a short time before becoming snow-covered; this was evident in central and southern New Jersey and southeastern Rhode Island.

Final thoughts on planning for winter weather

Every region within the United States will experience winter weather differently. The key is knowing what you are up against and how you can best respond. Considering the four key factors – location, topography, timing, and pacing – will help your organization plan and respond proactively.

By Ed Beadenkopf, PE

As we view with horror the devastation wrought by recent hurricanes in Florida, South Texas, and the Caribbean, questions are rightly being asked about what city planners and government agencies can do to better prepare communities for natural disasters. The ability to plan and design infrastructure that provides protection against natural disasters is obviously a primary concern of states and municipalities. Likewise, federal agencies such as the Federal Emergency Management Agency (FEMA), the U.S. Army Corps of Engineers (USACE), and the U.S. Bureau of Reclamation cite upgrading aging water infrastructure as a critical priority.

Funding poses a challenge

Addressing water infrastructure assets is a major challenge for all levels of government. While cities and municipalities are best suited to plan individual projects in their communities, they do not have the funding and resources to address infrastructure issues on their own. Meanwhile, FEMA, USACE and other federal agencies are tasked with broad, complex missions, of which flood management and resiliency is one component.

Federal funding for resiliency projects is provided in segments, which inadvertently prevents communities from being able to address the projects entirely. Instead, funding must be divided into smaller projects that never address the entire issue. To make matters even more challenging, recent reports indicate that the White House plan for infrastructure investment will require leveraging a major percentage of funding from state and local governments and the private sector. 

Virtually, long-term planning is the solution

So, what’s the answer? How can we piece together an integrated approach between federal and local governments with segmented funding? Put simply, we need effective, long-term planning.

Cities can begin by planning smaller projects that can be integrated into the larger, federal resilience plan. Local governments can address funding as a parallel activity to their master planning. Comprehensive planning tools, such as the Atkins-designed City Simulator, can be used to stress test proposed resilience-focused master plans.

A master plan developed using the City Simulator technology is a smart document that addresses the impact of growth on job creation, water conservation, habitat preservation, transportation improvements, and waterway maintenance. It enables local governments to be the catalyst for high-impact planning on a smaller scale.

By simulating a virtual version of a city growing and being hit by climate change-influenced disasters, City Simulator measures the real impacts and effectiveness of proposed solutions and can help lead the way in selecting the improvement projects with the highest return on investment (ROI). The resulting forecasts of ROIs greatly improve a community’s chance of receiving federal funds.

Setting priorities helps with budgeting

While understanding the effectiveness of resiliency projects is critical, communities must also know how much resiliency they can afford. For cities and localities prone to flooding, a single resiliency asset can cost tens of millions of dollars, the maintenance of which could exhaust an entire capital improvement budget if planners let it. Using effective cost forecasting and schedule optimization tools that look at the long-term condition of existing assets, can help planners prioritize critical projects that require maintenance or replacement, while knowing exactly the impact these projects will have on local budgets and whether additional funding will be necessary.

It is imperative to structure a funding solution that can address these critical projects before they become recovery issues. Determining which communities are affected by the project is key to planning how to distribute equitable responsibility for the necessary funds to initiate the project. Once the beneficiaries of the project are identified, local governments can propose tailored funding options such as Special Purpose Local Option Sales Tax, impact fees, grants, and enterprise funds. The local funding can be used to leverage additional funds through bond financing, or to entice public-private partnership solutions, potentially with federal involvement.

Including flood resiliency in long-term infrastructure planning creates benefits for the community that go beyond flood prevention, while embracing master planning has the potential to impact all aspects of a community’s growth. Local efforts of this kind become part of a larger national resiliency strategy that goes beyond a single community, resulting in better prepared cities and a better prepared nation.

Ed Beadenkopf, PE, is a senior project director in SNC-Lavalin’s Atkins business with more than 40 years of engineering experience in water resources program development and project management. He has served as a subject matter expert for the Federal Emergency Management Agency, supporting dam and levee safety programs.

Have you ever noticed how people, when asked to draw a map of the United States, will draw a shape with sections sticking out on the right-hand corners for Florida and New England, a curve on the left for the West Coast, and a wedge on the bottom for Texas? If they are ambitious, they might even draw some indentations at the top for the Great Lakes. However, there are two parts that almost always get left out: Alaska and Hawaii. Everyone knows they exist, but they frequently get overlooked, even though Alaska is as big as the Eastern Seaboard.

We’ve noticed that the same thing often happens in business continuity management when it comes to the IT side of BCM versus all the other parts of BCM.

IT issues tend to get a lot more notice and press, not to mention attention from management. Sometimes people assume that if you can recover your IT, you can recover the business, forgetting that you need facilities to work in and people to operate them.



A disaster recovery plan is an insurance policy, of sorts. Your business needs a DR plan because a well-implemented disaster recovery plan will make your IT infrastructure whole when disaster strikes.

More than an offsite data center and a collection of tools for data recovery and getting your systems back up and running, disaster recovery—often shortened to DR—also encompasses the policies and procedures that your organization's IT workers should follow to successfully get your business back on track.

As any seasoned IT pro will tell you, disasters can take many forms. And they don't necessarily have to rise to the level of a data center-rattling earthquake or the storm of the century.



Thursday, 08 March 2018 15:27

Disaster Recovery Planning

(TNS) - Houston has learned the hard way time and again that the maps FEMA uses to set flood insurance rates are way out of whack with the reality on the ground.

Now, a scientific study in the journal Environmental Research Letters pinpoints just how much: 41 million Americans live in a 100-year flood zone - three times as many as the Federal Emergency Management Agency estimates. That means a full 28 million are outside the boundaries of the 100-year flood zone on current FEMA maps, but would be in it if FEMA used what the study argues is better data.

"Producing maps the FEMA way essentially misses a lot of flood hazard," Oliver Wing, of the University of Bristol and lead author of the study, told City Lab. "And these maps are what inform risk management decisions in the U.S. at the moment."



Artificial intelligence is finding its way into many applications and systems, so why not disaster recovery? The advantages are multiple.

AI tools and techniques can automate DR procedures to make them faster than manual intervention, while keeping them reliable and intelligent – for example, by making choices according to incidents or circumstances.

They can help estimate times to complete recovery. Advanced systems can learn from past situations (machine learning) and recognise problems likely to arise in the future, which can then be mitigated or avoided before they happen.

However, while AI can help DR performance and results, it is by no means a miracle solution.



(TNS) - California had more than 9,100 wildland fires in 2017, according to Cal Fire data, burning across more than 1.2 million acres.

The largest was in Southern California in December, the most destructive was here in Sonoma County two months earlier.

One thing common to many, if not most, California wildfires is a concerted response, a marshaling of equipment and personnel from local, state and federal firefighting agencies.

California’s mutual-aid system, created in 1950, has been described as the gold standard for wildland firefighting. But the resources haven’t kept pace with the growing threat in a state where almost a third of all homes are in areas bordering on forests, grasslands and other natural vegetation — a zone known as the wildland-urban interface.

The fraying was never clearer than in the first hours of the Wine Country fires.



A military background isn’t necessary to run a successful tabletop exercise or war gaming scenario

The idea of war gaming as a way to practice strategic planning and increase readiness for worst-case scenarios has been around for hundreds, if not thousands, of years. It is a proven method used by organisations, militaries and defence forces, and it even underpins computer games as the foundation for understanding situational awareness. Also known as conflict simulations, or “consims” for short, war gaming survives most popularly in games like chess, which generals and military leaders have used to hone their strategic thinking; this was documented as far back as ancient Indian warfare and the Romans.

A general consensus exists that all such games must explore and represent some feature or aspect of human behaviour. For military operations, this is used to understand the course of a conflict or war. In the 21st century, business war games have become popular with many crisis management professionals and senior executives as a way to find gaps in markets that competitors may fill. Generally, however, they are only role-playing games based on market situations, business continuity and simulations for crisis teams. PreparedEx introduces war gaming to clients as a valuable tabletop tool for increasing that situational awareness.

In 2018, realistic scenarios, layouts, and technologies all help enhance the training and planning so that individuals get the best experience from the war game. Introducing the concept of war gaming into tabletop exercises may involve hypothetical games that are grounded in historical facts but concern issues or conflicts that have yet to happen. The sweet spot for these games is a moderate level of uncertainty for the team. This lets a specific organisation or individual rehearse possible scenarios and learn to handle them without real-world consequences. It also enhances situational awareness by providing a bird’s-eye view of the event, which adds value to the session.



Thursday, 08 March 2018 15:21

How the Military Use Tabletop Exercises

Enterprise backup software is a safety net that keeps businesses running when application errors, cyber-attacks, negligent workers and countless other IT mishaps strike. Technical approaches between vendors vary somewhat, as do each organization's data protection requirements and objectives. But essentially, all enterprise backup solutions keep a duplicate copy of information on a storage device, separate from a primary server, PC or storage system for safekeeping.

Backup software solutions have also grown more sophisticated over time, reflecting the advances that have shaped the modern operating system, application and data center markets.

Accordingly, many of today's backup products do more than just transfer files and application data from one storage device to another. They can include resource-optimizing data management capabilities and other features that once used to belong to distinct classes of data protection tools.



Thursday, 08 March 2018 15:14

Enterprise Backup and Recovery Software

The old Farmer’s Almanac saying 'in like a lion, out like a lamb' was in the fullest of force last year

On March 1, the first EF4 tornado of the year ripped across Missouri and Illinois. Then on March 6 to 7, one of the worst tornado outbreaks in history sent 63 tornadoes tearing across the Central US in just nine and a half hours. Nineteen people were injured from Oklahoma to Ontario and $6.7 billion in damages incurred due to the tornadoes. So what can your organization do for March 2018 to reduce the impact of twisters during tornado season?

Identifying the Threats

Let’s take a look back at the biggest losses from the tornado outbreak that hit Perryville, Oak Grove, and dozens of other Central Plains cities. During the first two tornadoes that whipped through on March 1, there were four fatalities and 38 injuries, many of which occurred in the aftermath of the tornado. As noted, this day was when the first major EF4 tornado touched down for the year; an EF5 is the most damaging, and an EF4 produces winds of up to 200 mph resulting in devastation.

Then by March 6-7, the number of fatalities dropped to zero and the injuries were reduced—even though the tornado count went from two to 63. There are two main reasons why there weren’t more deaths in the second round of tornadoes. First, among the 63 tornadoes on the 6th and 7th, an EF3 was the most severe of the twisters.

Secondly, the awareness from the first round of tornadoes most definitely prompted emergency response teams and individuals to be on high alert for pending threats. What can community leaders be doing to help minimize safety risks during tornado season?



It’s been 16 years since an American woman won a speed skating medal at the Winter Olympics, but last week, Team USA brought home the Bronze in the Long Track Relay. Bronze is no laughing matter, with the American women beating Canada by a mere .45 seconds. An intensive and sometimes dangerous event, American team member Brittany Bowe summed it up like this: “Our strategy was to get out there, get a jumpstart, and hang on for dear life at the end.”

Long Track Speed Skating is a complicated sport. Strategies and tactics are key, where races are often won by the smartest vs. the fastest skaters. Relay races typically involve four teams of four skaters per race, but instead of passing a baton, the skater on the track must simply “tag” the incoming skater to complete an exchange. Passing requires quick acceleration, agility, good balance, and gritty determination.

Selling IT solutions to the corporate market is a little like that. Keeping up with technology shifts, following up on leads, and assembling the right solution for companies looking to shave costs can be exhausting, not to mention complying with a growing number of laws and regulations. Managing those deals used to mean logging into SharePoint repositories or exchanging outdated Excel spreadsheets, but these static, unintegrated documents rely on manual reporting, resulting in version control issues in larger organizations. That’s no way to win a race.



Wednesday, 07 March 2018 15:22

Bringing Home the Bronze is as Good as Gold

Technology can transform nearly any process to be more efficient and streamlined

However, innovation sometimes comes at a cost. By utilizing technology like cloud-based storage and the Internet of Things, corporations risk threats to cybersecurity. In fact, cyber-attacks are growing just as rapidly as technological innovation. Juniper Research reports that cybercrime costs across the world will exceed $2.1 trillion by 2019. That is four times the cost of data breaches in 2015. By 2020, a single cybersecurity breach will cost more than $150 million. The very technologies that enable cyber threats are also useful for reducing risks and minimizing threats.

Building a Blockchain

If you have been keeping up with the cryptocurrency news, then you have likely heard a bit about blockchain. This is the technology ensuring the validity of Bitcoin, Ripple, and other digital currencies. More specifically, a blockchain is a shared, append-only ledger in which each block records a batch of entries together with the cryptographic hash of the block before it. In the case of cryptocurrency, those entries are coins and transactions. However, blockchain has far greater benefits than just tracking Bitcoin.

In fact, blockchain can help corporations fight against cyber-attacks. Once a block has been written and later blocks have been built on top of it, it cannot be changed, altered, or deleted without detection: every block is linked to its predecessor by a hash, so editing any earlier record changes that record’s hash and breaks every link that follows it. The chain is built by hashing each block in sequence with standard cryptographic hash functions; the same cryptography, not any secret technique, also signs the transactions. How does this relate to cyber protection against hackers and malicious entities? Organizations can use a blockchain as a tamper-evident record for information that must not be silently altered. As explored by TechCrunch, blockchain allows corporations to prevent tampering and detect any form of cyber vandalism. Several companies have already jumped on the blockchain bandwagon including Microsoft, IBM, JPMorgan Chase, Walmart, and UPS.
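The tamper-evidence described above comes entirely from the hash links between blocks. The following is an added illustration, not code from the original article or from any of the companies it names: a hypothetical minimal hash-chained ledger with no consensus, no proof-of-work and a single writer. The sample records are constructed for the demo. It shows both a silent edit (the stored hash no longer matches the content) and a cover-up attempt (recomputing the edited block's hash, which then breaks the next block's back-link).

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

# Assumption for this demo: a single-writer, in-memory chain. Real systems
# replicate the chain or publish its head hash so an attacker cannot simply
# regenerate every block after the one they edited.
GENESIS_PREV = "0" * 64


def block_hash(block: Dict[str, Any]) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in block.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_block(index: int, data: Any, prev_hash: str) -> Dict[str, Any]:
    """Create a block that commits to its own content and to its predecessor's hash."""
    block = {"index": index, "data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    return block


def build_chain(records: List[Any]) -> List[Dict[str, Any]]:
    """Append each record as a new block linked to the previous block's hash."""
    chain: List[Dict[str, Any]] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        block = make_block(i, rec, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every block's hash matches its content and its
    prev_hash matches the block before it; otherwise (False, first bad index)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if (block["index"] != i
                or block["prev_hash"] != prev
                or block["hash"] != block_hash(block)):
            return False, i
        prev = block["hash"]
    return True, None


def tamper_demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """Constructed ledger: edit one record, then try to hide the edit."""
    chain = build_chain([
        {"event": "ledger opened"},
        {"event": "payment", "amount": 100, "to": "vendor-a"},
        {"event": "payment", "amount": 250, "to": "vendor-b"},
    ])
    assert verify_chain(chain) == (True, None)

    edited = copy.deepcopy(chain)
    # 1) Silent edit: block 1's stored hash no longer matches its content.
    edited[1]["data"]["amount"] = 1000
    silent = verify_chain(edited)

    # 2) Cover-up: recompute block 1's hash. Now block 2's prev_hash still
    #    points at the old hash, so verification fails one block later.
    edited[1]["hash"] = block_hash(edited[1])
    covered = verify_chain(edited)
    return silent, covered


if __name__ == "__main__":
    print(tamper_demo())  # ((False, 1), (False, 2))
```

The second case is the important one for practitioners: an attacker who can rewrite the whole chain from the edited block onward will pass verification, so the detection property only holds when the current head hash is held somewhere the attacker cannot rewrite (other nodes, a signed checkpoint, or a published value).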



Wednesday, 07 March 2018 15:20

How Technology Can Help Combat Cyber Attacks

The Agung volcano in Indonesia has been in the news recently. At time of writing, observers are sending back reports of clouds and glows that suggest that major eruption could be imminent.

Evacuations of hundreds of thousands of people from the area have already been carried out. The authorities have cautiously allowed nearby airports to function, while keeping a close eye on the state of the volcano.

The business continuity impact on Indonesia is clear, with emergency services on the go, and the population and the tourist industry trying to cope with the disruption. Less obvious perhaps is the impact of Agung on the other side of the world.

This may sound a little like the classic chaos theory concept of a butterfly flapping its wings in the Pacific and setting off a storm, thousands of miles away.



(TNS) - Liam's wasn't the only casualty of erosion from this past weekend's stormy weather along the Outer Cape beaches.

Karst Hoogeboom, chief of facilities and maintenance for the Cape Cod National Seashore, estimated at least $500,000 worth of damage from the storm, including to the staircase at Marconi Beach, which cost $150,000 to build last year after storm damage. The Seashore will also have to replace the shingles on six park buildings, repair Moors Road in Provincetown, and repair toilets at Herring Cove Beach.

Erosion undercut the parking lot at Maguire Landing Beach, said Suzanne Grout Thomas, Wellfleet beach administrator.

Town landings in Chatham also suffered storm damage, said Theodore Keon, director of coastal resources in Chatham. The opening of what is known as the Fool's Cut just south of the 1987 Chatham Break appears to have widened and helped drive flooding in the Little Beach neighborhoods. North Beach Island appears thinner and flatter, but the two cottages on the island survived the storm.

More than 100 impact assessments had been conducted in 19 communities by 13 coastal zone management teams as of Sunday evening, according to the Massachusetts Emergency Management Agency, with the majority reporting widespread beach and dune erosion, and overwash of sand, gravel, and cobble material on roadways.



10 Issues Social Media Presents

Social media is a compendium of many highly accessible media – corporate blogs, video-sharing sites such as YouTube, social networks like Facebook, microblogging tools such as Twitter, rating/review sites (e.g., Yelp, TripAdvisor), wikis that allow many authors to simultaneously edit and create a source of knowledge and crowdsourcing, among many others. These media leverage the power of the internet, Web 2.0 and mobile technologies to facilitate the creation, exchange, use and modification of user-generated content. The convergence of these technologies has significantly altered the dynamics of customer relationship management, marketing and corporate communications for many businesses.

Business-to-people communications and social media peer groups have emerged as a new model for connecting with markets and customers directly and efficiently. Companies ignore this model at their own risk. These mediums set terms for interaction, requiring organizations to contribute value-added content and transparency in an environment where customers and other parties drive the dialogue and demand a genuine level and quality of communication. Organizations that fail to harness the potential value of social networking run the risk of becoming laggards as they cede to competitors the ability to brand their products and services distinctively in the public eye, as well as obtain continuous improvement insights.

Social media sites enable companies to listen to and learn from satisfied and dissatisfied customers regarding their ideas, experiences and knowledge, and they offer businesses an opportunity to reach out and proactively respond to extreme views and reactions. In addition, social media is providing opportunities to product development teams to share roadmaps and obtain early input from potential buyer groups on new product plans. On a near real-time basis, marketing can test and learn which messages work best, and companies can educate and inform customers by engaging them on many topics around product uses and applications.

While these developments are presenting significant opportunities for companies to connect with their customers and others, they are creating a whole set of new issues. The following are 10 examples of risks:



Napa County Fire Chief Barry Biermann wasn’t scheduled to work until Monday morning, but he decided to head in Sunday, Oct. 8, just in case.

He knew that conditions in Napa’s wine country, known for its Mediterranean climate and valleys of vineyards, were ripe for a fire: There was a high wind advisory, it was an unusually warm day, and there was plenty of dried-out brush and grass that late in the year.

By the time Biermann got into work, many of his fire crews were already tied up at small blazes. So when a call came in just before 10 p.m. reporting a fire in a neighborhood above the Silverado Country Club, Biermann decided to head up to Atlas Peak.



The Value of Big Data

When it comes to regulated industries, few are more highly regulated than banking and financial services. The regulatory landscape is rapidly changing, and as a result, regulatory technology (regtech) has emerged to help banks keep pace with competitors. While the combination of regulation and technology to solve business problems is not new, it is proving more essential than ever as regulatory obligations become more complex. As a result, regtech is already proving its worth by helping banks find more efficient and effective ways to manage their compliance obligations.
In financial services, risk culture is changing from one that reacts to regulatory changes to a proactive one, seeking to create new value for the bank and its customers. There’s no reason why revenue and profit goals must conflict with sound compliance and risk management policies. Technology can play a role in enabling banks to have both.

Artificial intelligence (AI) and other technologies such as analytics are not only helping banks comply with laws and regulations, but also helping to mitigate the potential for fines and penalties. In fact, these types of technological innovations often encourage employees across the organization’s lines of defense to make compliance their holistic responsibility. This ultimately results in better outcomes for the business, the institution and the customer.



When it comes to your organization’s recovery plan, your business recovery checklists might just be the single most important ingredient. They are the engine of your recovery plan.

As we state in MHA’s Complete Guide to Creating and Implementing a Business Recovery Plan, “Recovery checklists guide you step-by-step through the process of getting your business back up and running” after a disruption. Without such checklists, your team would have no direction as to the steps and actions they would need to take to respond to and recover from a disruption and to resume business operations. I urge you to take checklists seriously.

If you’re still reading, I will assume that means you are taking them seriously. Great. Now, let’s roll our sleeves up and get to the heart of today’s post.

Having accepted the importance of recovery checklists, you might be wondering how to develop them for your own organization.



2017 was a test of business resilience. While cyberattacks and natural disasters devastated some businesses, many others kept their operations running without disruption. Advances in artificial intelligence, machine learning and blockchain technology, among others, began helping more businesses eliminate inefficiencies, human error and downtime.

What will 2018 hold?

We tapped our industry experts for their predictions on what IT trends they’re watching this year.

We asked how cyber security will evolve, what emerging technologies will take hold (and which ones are over-hyped), what mistakes companies may be making, and what all this means for the coming year.



(TNS) - An Oklahoma school system is the first in the country to install bulletproof shelters in its classrooms.

Healdton Public Schools in Healdton, Oklahoma, installed seven bulletproof shelters at its elementary schools and two larger ones in its middle school, KOCO reported. Future plans call for adding the shelters to the system's high school.

Each shelter can hold up to 40 students and two teachers. Video monitors inside the shelter display a feed from the classroom, with the door locking from the inside.



When hackers try to penetrate your databases and IT infrastructure (or perpetrate any other cybercrime), they often plan a sequence of steps to get what they want. Individual steps may seem innocent or meaningless.

Linked one to the other, however, they are the stepping stones that take the hackers to their target. Lockheed Martin coined the term “cyber kill chain” to describe this sequence, borrowing the military’s “kill chain” concept.

Once you know kill chains exist and see how cybercriminals plan them, you can get ahead of the curve by following kill chains yourself and breaking the links in as many places as possible. Here’s an example.

Social engineering is a common tactic of attackers. Phishing emails are often effective for this. Here are kill chain steps and possible blocking moves (in parentheses like this) for a phishing email attack supposedly bringing information about “New Employee Stock Option Rules.”



A couple of months ago we published an ebook entitled “10 Keys to a Peak-Performing BCM Program,” written by MHA Consulting CEO Michael Herrera.

It’s available for free download here and is full of information and insights that can help you give your business continuity management program a boost.

The ebook has become the most downloaded resource on our site. Though authored by Michael, it amounts to a channeling of the collective brain of those of us who have been at MHA for a long time.

With that in mind, we thought it might be worthwhile to do an occasional series where we present these 10 keys one or two at a time in a stripped-down, blog-appropriate format. This is also a chance for me to share my own personal experience on the subject, with the hope that it helps you understand each topic.

If today’s post tells you everything you want to know about the topic, great. If it motivates you to turn to the ebook for the full story, great. If it moves you to want to reach out to one of us to initiate a more personalized conversation about how MHA might be able to help your organization optimize its BCM program, that would be fine, too.

Without further ado, here is an excerpt from the first chapter of “10 Keys to a Peak-Performing BCM Program,” covering the first key, “Know Yourself” about the importance for BCM program leaders of understanding and capitalizing on their personal strengths and managing their weaknesses.



Implementing DMARC is one thing. Making the commitment to implement DMARC in its most aggressive configuration is another.

Conceptually, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is simple. DMARC provides a mechanism for email receivers to validate the source and integrity of inbound email. DMARC also specifies what receivers should do with messages that are not valid based on criteria pre-configured by senders. DMARC is designed to protect against direct domain spoofing, so it isn’t a complete solution to phishing. That said, DMARC has the potential, when deployed in an aggressive configuration, to take a page out of a hacker’s or spammer’s playbook.

DMARC is the result of a collaborative effort between leading organizations who originally came together in 2011 to provide senders and receivers with a tool to fight against fraudulent email activity. The remainder of this post provides an overview of the mechanisms that enable DMARC, explores DMARC’s deployable configurations, and provides an overview of obstacles preventing wider adoption and/or more effective use of DMARC.

DMARC is built upon two existing standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF enables an email sender to specify the servers from which its email will come and provides instructions for how an email receiver should handle a message that does not originate from a specified server. DKIM, on the other hand, enables senders to include a digital signature on their messages, enabling receivers to verify that the message has not been altered in transit by a third party.

DMARC brings these two mechanisms together in a powerful manner by allowing senders to specify a policy that tells receivers what to do with email messages that fail to pass SPF and/or DKIM validation. DMARC also enables senders to receive data back from receivers, providing insight into fraudulent email patterns. Before DMARC, there was not an effective feedback channel for failed email, so senders were largely in the dark on email once messages left their servers. There are only three DMARC policies that a sender can specify, and thus, three deployable configurations for DMARC:



Thursday, 01 March 2018 15:07

Using DMARC Effectively

How Much Due Diligence is Enough?

If you want to learn and read about managing third-party risks, you will have no trouble finding articles, white papers, webinars and more available to you on the internet. And for good reason.

Third parties create significant risks, and these risks are not just limited to bribery; they extend into sanctions, money laundering, privacy and cybersecurity, human trafficking, child labor and reputational damage. The compliance marketplace offers lots of solutions, including automation, due diligence, risk ranking and a host of alternative solutions.

Before you leap into the due diligence world, however, it is important to understand exactly what you are trying to accomplish and why you need to tailor your solutions to your specific needs.

When assessing the issue, there are three important points to understand about due diligence:



A deadly storm system pummeled the southern and central U.S. this weekend leaving many areas flooded. The weather system extended from the Canadian Maritime provinces to Texas, and brought gale force winds and widespread flooding from the northern Midwest through Appalachia.

Flooding will continue to be a threat this week, the Weather Channel reports, as more than 200 river gauges reported levels above flood stage from the Great Lakes to eastern Texas. Floodwaters on the Ohio River in Louisville and Cincinnati are at their highest level in about 20 years.

Flood damage is excluded under standard homeowners and renters insurance policies. However, flood coverage is available in the form of a separate policy both from the National Flood Insurance Program (NFIP) and from a few private insurers.



Wednesday, 28 February 2018 15:29


Much of business continuity today can be automated. Production lines, supplies reordering, failovers in case of problems, management reports, many of these things now work on a “set it and forget it” basis.

Other items still need manual intervention. A turbine making strange noises, accounts that don’t tally, a delivery truck breakdown, somebody may have to figure out the problem from scratch. Between the two lies a third approach, that of the runbook (also known as “playbook” or “cookbook”), a set of instructions on what to do in case a common or predictable problem occurs.

If you can automate cost-effectively, then automation is probably the way to go. With so much of business being driven by IT, the opportunities for automation are numerous.

On the other hand, if it takes too much effort to automate or if the problem is a corner case with a lower probability of happening, then writing a business continuity runbook may be more appropriate.



Why “Minimal Viable Compliance” Can’t Be the Goal

Major regulatory deadlines often lead firms to settle for minimum viable compliance – taking whatever action is needed to avoid regulatory scrutiny, regardless of the cost. But this approach inevitably leads to an inefficient, patchwork approach to compliance, where new procedures are created for each new regulation. As firms move past the MiFID II implementation date, the sheer size and complexity of this new regulation may finally be giving firms the impetus that’s needed to change their approach.

When major regulatory deadlines loom large, there’s an inevitable tendency for the financial industry to scramble for minimum viable compliance. In layman’s terms, this means doing whatever it takes, regardless of the expense, just to keep the prying eye of the regulator away. Ring any recent bells? The trouble is, while taking this approach may seem like a sensible option now, it’s unlikely to service future requirements and actually goes against the spirit of the regulations. This is why, as the post-January 3rd dust starts to settle, financial institutions need to quickly adjust to ensure compliance with all regulations, not just MiFID II.



(TNS) — The city of Aberdeen, S.D., this month issued its first public safety alert by text message.

The process wasn’t perfect, though there’s no faulting the effort in spite of a few hiccups.

The text message was sent out the morning of Feb. 6 after an explosion and house fire at 507 N. Second St. that ultimately destroyed the uninhabited home. The message noted that there was a “gas explosion.”

It still hasn’t been determined whether that was actually the case; fire officials are still investigating. But at least the public knew to steer clear of the area — or at least reasonable residents who didn’t use the alert as an excuse to go see what happened stayed away to let first responders work.



(TNS) - John Gargett, the deputy director of Whatcom County Sheriff’s Office Division of Emergency Management, offers this list for your emergency kit:

Basic assumptions:

There will not be emergency response by Fire Services, Emergency Medical Services or Law Enforcement for an unknown time.

Individuals must be self-resilient until services are restored.

Neighborhoods are the basis for community resilience.



ISO 31000:2009 on risk management is intended for people who create and protect value in an organization by managing risks, making decisions, setting and achieving objectives and improving performance. The standard’s revision process discovers the virtues of keeping risk management simple.

The revision of ISO 31000:2009, "Risk management – Principles and guidelines," has moved one step further to Draft International Standard (DIS) stage where the draft is now available for public comment. What does it mean? And what happened in the revision process since the Committee Draft (CD) stage in March 2015?

The revision work follows a distinct objective: to make things easier and clearer. This is achieved by using a simple language to express the fundamentals of risk management in a way that is coherent and understandable to users.



Standardization is a truly international activity, and I've been lucky to have worked with more nationalities than I can remember. But, that said, my first business meeting with a German remains etched in my memory. It was in fact nothing more than a working breakfast, a chance to meet face-to-face after a good number of productive and friendly phone calls. "So, we'll meet at the café at half-nine? Look forward to meeting you then!"

Well, it turns out that for Germans, half-nine, means "half-an-hour-before-nine-o’clock-has-arrived" (08:30), while for an Englishman, such as myself, it means "half-an-hour-has-passed-since-nine-o’clock" (09:30). It was an embarrassing mistake, though without serious consequence; an apology, and the pancakes and coffee on me. But it could have been something much more serious than a fudged Frühstück.

That’s why in 1988, ISO 8601 was published. In a single document, "Data elements and interchange formats – Information interchange – Representation of dates and times," it established a fool-proof format for computer users, ensuring that critical events happen on time. Whether scheduling flights and public transport; broadcasting sports events; keeping public records; managing major projects; or establishing a reliable way to swap the inconceivably huge amount of data that keeps modern life on track, ISO 8601 is a game-changer.



While any cyber-attack can occur at any time, there are some that are especially prevalent at specific times of the year.

Knowing their “seasonality” can help your organization stay on the defensive.

The following infographic takes a detailed look at the seasonality of cyber-attacks and how you can prepare your employees for scammers’ timely initiatives.



Financing a large-scale emergency notification system can be a costly venture.

Fortunately, there are a number of government grant programs to help foot the bill. When looking for ways to help cover the costs of OnSolve emergency notification services, consider the following grant opportunities. These financial resources do not have to be paid back, and can be renewed on a yearly basis.

Grants for Emergency Management

Each fiscal year the US government provides financial grant money through the Homeland Security Grant Program. This money is allotted to qualified communities and applicable organizations that offer emergency response, mitigation, protection, and recovery. Through the program there are three specific grants that applicants can apply to via FEMA:



Putting Plans Into Effect

While 2017 was spent frantically preparing for regulations like MiFID II and GDPR, 2018 looks to be a year to stabilize and see if the work will pay off. As these regulations go into effect, the time has come to evaluate how they affect the enterprise ecosystem and if the adjustments made to compliance programs will be enough to satisfy regulators.

The benefits of the changes implemented last year will come primarily through compliance enforcement, which means that a major theme of 2018 will be proving compliance adherence through — or, in some cases, despite — continuously changing technology. With that in mind, these are the top trends to watch to ensure your company is demonstrating its commitment to protecting your customers and their data.

Companies will need to ensure they are using the latest security technologies to protect themselves from new external and internal threats as users move sensitive content to social channels as part of their business process.



When we walk into a doctor’s office, nothing is more important than knowing we’re receiving quality care and effective treatment. Similarly, a hospital’s staff needs to know it has the most reliable IT resources and support to deliver exceptional service—now more than ever. Healthcare is charging forward into new technologies like the Internet of Things (IoT) and machine learning that herald the future of better patient care and interaction. At the same time, IT teams in these organizations face numerous challenges: aging systems, outdated applications, and security risks unprecedented in complexity and volume.

The adoption of new and significantly advanced applications combined with sensitive patient data and old systems can not only limit an organization’s efficiencies, but also pose serious risks. Among those are the three major IT concerns in healthcare today, and you’re likely contending with at least one, if not all of them.



Privacy has taken on new dimensions in our hyperconnected world. New guidance from IEC, ISO and ITU – the world’s three leading international standards bodies – has just been published, providing a code of practice for the protection of personally identifiable information.

Uber is making headlines for its reaction to the theft of personal data of 57 million drivers and users. The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. And last month, Yahoo, just prior to its acquisition by telecommunications conglomerate Verizon, shared new intelligence that a data breach in 2013, thought to have affected only a billion users, had in fact compromised all three billion Yahoo user accounts.

The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation, due to come into force in May 2018, with global implications.



Since 2011, organizations have been able to follow a systematic approach in achieving continual improvement of energy performance, including energy efficiency, energy use and consumption, thanks to ISO 50001.

Like all International Standards, ISO 50001 has come under periodic review to ensure that it continues to meet the rapidly changing needs of the energy sector. This work is being carried out by the ISO technical committee responsible for energy management and energy savings (ISO/TC 301), whose secretariat is held by ANSI, ISO’s member for the USA, in a twinning arrangement with the ISO member for China, SAC. Here, we explain the main changes with the help of Deann Desai, Professor at the Georgia Institute of Technology and Convenor of the working group tasked with revising the standard. 

“Perhaps the most important change for the 2018 version is the incorporation of the high-level structure, which provides for improved compatibility with other management system standards.” The high-level structure (HLS) is a simple and effective concept. “Because organizations often implement a number of management system standards, the use of a shared structure, as well as many of the same terms and definitions, helps to keep things simple,” explains Prof. Desai. This is particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more management system standards simultaneously.



Software-defined storage (SDS) decouples storage intelligence from the underlying storage devices. The environment orchestrates multiple storage devices into a software storage management layer that operates above the physical storage layer. By moving intelligence up the stack, customers can buy commodity hardware that supports SDS policy-driven workload processing, load balancing, dedupe, replication, snapshots, and backup. Instead of purchasing expensive proprietary NAS or SAN, SDS runs on commodity hardware and standard operating systems.

This is true as far as it goes. However, some SDS vendors – especially the software-only sellers – claim that the hardware doesn’t matter. But when it comes to software-defined storage design, hardware choices are critical.

It’s true that software-defined storage users can use commodity hardware and avoid expensive SAN or NAS with built-in storage intelligence. But software-defined storage users still need to integrate SDS with hardware, and design the physical infrastructure, so it optimizes the software-defined storage layer.



I looked in the mirror and couldn’t believe I had waited so long to get my hair cut. As I packed for a business trip the following day, I sighed and opened Google Maps on my phone. “B-A-R-B-E-R” I typed and clicked search. 23 entries popped up, none of them familiar to me. I clicked through a few, reading the reviews and checking out the websites to see who wasn’t going to charge me an arm and a leg but also wouldn’t make me look like Beaker from the Muppets. Naturally, I had waited until noon on a Saturday, so I had to toss a few options out immediately for various reasons: some closed at 2pm, some weren’t open at all, others were a week out for appointments. “Who makes an appointment to see a barber?” I asked myself.

Post-haircut the following day, I pondered why I was having such a hard time committing to a new barber or even looking for one. I had a 17-year relationship with my previous barber who retired the end of December. I can’t blame him as he’s had his business since the 80’s and saw an opportunity to take some time to enjoy life and not work almost every day of the week. However, I kept coming back to the fact that it was just so easy and painless to get my hair cut when he was open.



How Compliance Can Help

Effective business continuity planning starts with honest assessments of risk areas, plus resolve, resources and funding to address those risks. For the past 10 years, we’ve conducted primary research on business continuity and resilience, focusing specifically on IT systems, given their essential role to the functioning of today’s enterprises.

A decade of research into business continuity and resilience has shown that, surprisingly, there is continued exposure to risk in areas for which solutions have been available for many years. Our recently released 2017 State of Resilience report, reflecting the responses of 5,632 IT professionals globally, revealed four troubling risks that have persisted over time and that threaten the continuity and function of critical enterprise systems:



Monday, 26 February 2018 15:53

4 Risks That Keep Your CIO Up At Night

Driving Down Risk, From the Cubicle to the C-Suite

Effective employee engagement and reporting is key to accountability and effective risk management. So why are we not paying more attention to how today’s workforce prefers to communicate?

We are entering an era in which seemingly every decision made by managers of fraud prevention, audit, security and ethics is reviewed not just by C-Suite leadership and board members, but also after the fact by regulators, stockholders and the public. In financial services, managers of risk from across the enterprise, as well as directors and board members, are finding the evolution from an emphasis on meeting compliance obligations to a longer-term focus on organizational values, ethics and culture to be challenging. Ensuring that you have unvarnished observations from every corner and level of the organization is key to ensuring that you can meet the expectations of both internal and external customers and stakeholders.

A core responsibility of senior leadership and the board of directors is ensuring communication channels for employee reporting of workplace concerns are both available and effective.

As a senior executive or board member, you are probably aware of information gaps and are concerned. You don’t want to learn about events in the headlines or when reporters begin calling you for comment. One way to ensure you learn what is really going on in your organization is to listen more effectively. Each and every staff member, contractor or vendor connected to your organization may possess vital clues that too often remain undiscovered until after the fact.



Monday, 26 February 2018 15:52

Often-Overlooked Factors In Risk Management

There’s a crack in California. It stretches for 800 miles, from the Salton Sea in the south, to Cape Mendocino in the north. It runs through vineyards and subway stations, power lines and water mains. Millions live and work alongside the crack, many passing over it (966 roads cross the line) every day. For most, it warrants hardly a thought. Yet in an instant, that crack, the San Andreas fault line, could ruin lives and cripple the national economy.

In one scenario produced by the United States Geological Survey, researchers found that a big quake along the San Andreas could kill 1,800 people, injure 55,000 and wreak $200 million in damage. It could take years, nearly a decade, for California to recover.

On the bright side, during the process of building and maintaining all that infrastructure that crosses the fault, geologists have gotten an up-close and personal look at it over the past several decades, contributing to a growing and extensive body of work. While the future remains uncertain (no one can predict when an earthquake will strike) people living near the fault are better prepared than they have ever been before.



Sunday, 25 February 2018 13:35

Extreme Science: The San Andreas Fault

Business continuity, disaster recovery and emergency management are tough jobs that rarely get the credit they deserve. You’ve dedicated your life to protecting your organization and the people in it, and we get how stressful that can be.

Here’s a roundup of our favorite internet memes for business continuity, disaster recovery and emergency management to brighten your work week.



Lots of people saw warning signs that Nikolas Cruz could be a danger to others. It may have been worse than anyone could imagine — 14 students and three teachers killed at Stoneman Douglas High School in Parkland, Fla. — but the signs of trouble were there.

Several students noted after the shooting the antisocial tendencies exhibited by Cruz and that police had been to his house on numerous occasions. Obviously there was no system in which that information could get processed and help, in the form of counseling, restraining order or whatever appropriate, could be dispensed.

This is typical, say experts on school safety, and needs to change. There are other viable ways of protecting students as well, including centralized entry, where the students are greeted and perhaps even move through a metal detector.



I recently saw an article that said the most commonly searched questions on Google in 2017 included “What is a solar eclipse?,” “What is bitcoin?,” and “What is a fidget spinner?”

At BCMMETRICS™ we don’t get quite as many inquiries as Google, but we get enough to detect some patterns in terms of what our web visitors are most interested in.

You won’t be surprised to learn that we aren’t asked a lot of questions about fidget spinners. What do people ask us?

Hands-down, the topic our web visitors show interest in above all others is the Business Impact Analysis (BIA). This is the most frequently searched-for topic on our website and the one we are most commonly asked about at business continuity events.



(TNS) - Less than a week after a 19-year-old shot and killed 17 of his classmates at a Florida high school, Silsbee ISD teachers watched a video of a mock school shooting play out on a screen in their auditorium.

The district decided last week to spend part of Monday's staff workday on a two-hour active shooter training session, discussing their emergency plans and watching training videos.

"You can never fully prepare for something like this," Superintendent Richard Bain said. "In light of the stuff that's happened here recently in our nation, I think everybody is a little more sensitive and we felt like it was a good idea."



(TNS) - The catastrophic mudslide that inundated houses in Montecito in Santa Barbara County in January, killing 21 people, appeared to hit suddenly. But the disaster, mere weeks after a wildfire scorched the area, didn’t come out of nowhere.

For over two decades, Cal State Fullerton’s Binod Tiwari has studied such mudslides and landslides around the world, including in Southern California, to understand their causes and mitigate their devastation.

In 2014, the civil and environmental engineering professor and his students worked on a regional study on debris flow and mudflow after a series of December storms. The study included areas affected by the Silverado Canyon fire and the 91 Freeway fire, both in September 2014. It found that reports of mudflows and mudslides appeared to be exclusively in areas that burned that year or the year before.



Linux has an enviable reputation as a secure platform for servers. But Linux the Unhackable?

Certain myths persist about the inherent resistance of Linux to viruses and the superfluity of firewalls.

However, the only basis for truth (and fast fading at that) is statistical. Linux, as a minority platform, attracted less interest from hackers, who therefore wrote fewer viruses to attack it.

As Linux’s popularity has grown, so has the number of viruses, not to mention the need for additional firewalls.

Linux is no more unhackable than other operating systems. You can however reduce its hackability with some simple precautions that unsurprisingly look like steps you would take for other systems.



Thursday, 22 February 2018 16:25

Linux the Unhackable? That All Depends ...

(TNS) - Local government officials from coastal communities battered by Hurricane Harvey voiced anxieties and frustrations about the recovery process - and the fact that hurricane season is only three months away - to a Texas House subcommittee Tuesday.

Just days before the six-month anniversary of the devastating hurricane, the Texas House Appropriations Subcommittee on Disaster Impact and Recovery met in Victoria, where mayors and county leaders shared lists of projects needed to be undertaken so communities would be protected from future storms.

Many of the government leaders who came from communities spanning from Fulton to Victoria said they didn't have a place for residents or first responders to take shelter.



Blockchain is the underlying distributed ledger technology for cryptocurrencies such as Bitcoin; it has been at the forefront of business news in the last two years. Fortunes have been built and lost buying and selling cryptocurrencies. In one case, a nice gentleman threw away a CD containing his private keys, losing all access to his bitcoin portfolio. He petitioned the city to allow him to climb through the dump to salvage a CD that will give whoever finds it access to millions of dollars in bitcoin. There have been countless initial coin offerings promising to revolutionize business with underlying applications of blockchain technology. An organization created digital cats, called Cryptokitties, and a single, rare, digital cat can fetch close to $100,000. We see headlines and blog posts like the following:

Clearly, the hype cycle is in full swing. Interestingly, though, many people have very little understanding of the capabilities and limitations of blockchain technology. Moreover, the hype cycle has caused business leaders to spend time investigating use cases that are not necessarily good fits for blockchain.



Sometimes there is a good reason to reinvent the wheel—for example, if you are in business and the current “wheel” is a proprietary product controlled by your competitor.

However, sometimes the tried-and-true solution is the best way to go, and we believe that is the case when it comes to emergency management systems.

An emergency management system is the methodology an organization uses for managing emergencies.

Having such a system is critical for the protection of your organization since if and when you do face an emergency, your problems can be made significantly worse if your response is hampered by role confusion and poor communication.

So you should definitely have an emergency management system in place—but what kind of system?



Crisis Management Teams Should Always Have a Toolkit That Supports Them During the Crisis.

One of the questions that I get asked most often is “what are some of the most common mistakes you see as you visit various clients?” Other than companies not being committed to exercising (another article, another time) my biggest concern is with companies that treat crisis management as something that they would pull together in an ad-hoc fashion. They may have a Crisis Management Plan, but they don’t treat crisis management as a Program – and therefore aren’t developing, exercising, measuring and refining their tools. Ideally, your Crisis Management Team has these six tools in their tool belt.



Thursday, 22 February 2018 15:38

Every Crisis Team Should Have These Six Tools

How will your business respond if faced with a natural disaster, a cyberthreat or an active shooter scenario?

Will the organization stay afloat in the midst of such a crisis? Any amount of disruption costs your business money and can destroy customer relations. In fact, 75 percent of companies without a continuity plan fail within three years after facing a disaster. Those companies unable to get back up and running in 10 days post emergency do not survive at all.

A business continuity plan provides your company with the roadmap to navigate a major business disruption, including a natural disaster or large-scale emergency. However, having a plan in place is only the first step; the plan also needs to be continuously monitored and tested for gaps or obstacles.



Last year, major investments and advancements were made in communication technologies, both within the mobile space and the Internet of Things (IoT).

Additionally, we saw continued advancements in virtual reality and increased video conferencing. Unsurprisingly, social media platforms remain a viable contender in the way we communicate. As you consider how to improve your organization with better emergency notification and communication plans this year, take notice of how top trends can solve your biggest problems.



Wednesday, 21 February 2018 16:07

Emergency Management Trends in 2018

(TNS) — Four months after a ferocious firestorm devastated communities in California's wine country, those who lost their homes are still struggling.

Animal feeding stations remain on roadsides, monitored by volunteers searching for pets left behind when their owners fled. Cats that had been feared dead continue to be found.

Signs are everywhere, advertising the services of contractors, engineers, debris removers and lawyers. Many burned homes have yet to be cleared.

The shock and horror of the early days have given way to lingering grief and agony over whether to rebuild or move on. But the most perplexing and time-consuming matter for victims has been insurance.



How Effective and Efficient is Your Process?

In-house investigation teams are expected to be agile to be able to help organizations in addressing cases that come from whistleblowing channels and sustaining the ethical standards of the organization. By supporting your investigation teams with measures to assess effectiveness and efficiency you can help make the teams more agile and enable them to deliver better results.

The efforts of in-house investigation teams are integral to upholding organizations’ ethics and compliance. These teams must navigate through mazes of evidence to uncover violations and take appropriate disciplinary actions. With more cases, evolving case trends and increased expectations of senior management and boards of directors, investigation processes need to be dynamic, effective and efficient. However, unlike other processes, measuring effectiveness or efficiency in this process can be difficult.

Measuring effectiveness means assessing whether the efforts of the investigation team result in visible changes in the ethics environment or types of cases it sees. Measuring efficiency means assessing how long it takes to close the case and recover from fraud losses.

Organizations can use these tips to evaluate the effectiveness and efficiency of their in-house investigation processes:



Wednesday, 21 February 2018 16:05

7 Tips To Evaluate In-House Investigations

The business world is changing. Not that we have to tell you that. The rise of cloud computing has brought with it a host of non-traditional options for how companies can structure their business operations.

Studies suggest that between 80 and 90 percent of the US workforce would like to work remotely at least part-time. In fact, 3.7 million US employees already do.

And that number is on the rise as companies shift to cloud technologies to decrease the overhead associated with physical locations and create better work-life flexibility for their employees.



Business continuity is good for your business, but is it also a legal requirement? Laws and regulations differ from one country or one industry to another, although there is a basic expectation that organisations will act responsibly.

Data integrity, security and availability are part of those expectations, implicitly or explicitly.

Due diligence is now a concept that extends beyond mergers and acquisitions. It also covers compliance with various standards of IT and data management. So, how might this affect your enterprise?

In Australia, regulations to be observed concerning business continuity and disaster recovery exist for specific sectors such as finance.

Austraclear, the organisation providing settlement services for the Australian Stock Exchange, specifies obligations for “participants” to put BCP in place.



Tuesday, 20 February 2018 15:44

Legal Requirements for Business Continuity

Key Concerns for Private Funds in 2018

With the public equity markets at an all-time high and private equity fundraising setting new records, it might seem counterintuitive to forecast litigation and regulatory risks. The opposite is true. Disputes typically follow capital, and the steeper the growth curve, the greater the risk of litigation and regulatory scrutiny. With that backdrop, we are pleased to present our Top 10 Regulatory and Litigation Risks for Private Funds in 2018.



Tuesday, 20 February 2018 15:42

The Top 10 Regulatory And Litigation Risks

(TNS) - The University of Iowa’s emergency preparedness — including its ability to handle bomb threats, health crises and hostage situations — has “unacceptable weaknesses” that expose the campus to “unacceptable risks,” a new audit reports.

The report, completed in October and made public last week, found problems with the UI’s emergency policies and plans, its training protocols, its communication strategies and its incident follow-ups.

“Incident and emergency exercise information is not documented fully, completed timely, distributed appropriately, or reviewed for possible improvements,” the report from the UI Office of Internal Audit determined. “The lack of appropriate distribution of emergency information results in delays for corrective actions.”



(TNS) - As flags were being lowered to half-staff after Wednesday’s Parkland, Florida, school shooting, school administrators here were fielding telephone calls from concerned parents.

“I’m fed up with school shootings,” said Carl Murphy, an Eastmont parent who called The Wenatchee World after talking to his child’s school principal. “I want to know why anyone can walk into a school and cause whatever harm they choose.”

Similar calls and emails from parents worried about school security in the wake of the shooting that killed 17 prompted both Wenatchee and Eastmont superintendents to post letters of assurance to community and staff members.



The world’s population is ageing, just like us. As we enter the era of “super-aged societies,” governments, communities and businesses need to adapt. A new ISO technical committee has just been formed to help.

In 2017, the number of people aged 60 years or over worldwide was more than twice as big as in 1980, and it is expected to double again by 2050 to reach nearly 2.1 billion. The changing demographics of our society bring with them pressures and challenges ranging from healthcare to the local bus. But opportunities, too, are rife. The recently formed ISO technical committee ISO/TC 314, Ageing societies, aims to develop standards and solutions across a wide range of areas, to tackle the challenges posed as well as harness the opportunities that ageing populations bring.

ISO/TC 314 Secretary Nele Zgavc from BSI, ISO’s member for the UK, said dementia, preventative care, ageing workforces, technologies and accessibility are just some of the areas of standardization that the committee proposes to work on. “Ageing societies have global implications,” she said. “Governments and service providers need to effectively cater to the needs of their populations as they age for the benefit of society as a whole. There is a crucial need for standards to support this in order to provide a high-quality level of service and harness the opportunities that ageing societies hold.”



(TNS) - Triangle blood donation centers that supply area hospitals are experiencing a drop in donors as a national flu epidemic is keeping people home.

The Blood Connection announced an urgent need for all blood types this week, saying the flu outbreak has cut blood inventories by at least 10 percent. The organization lost two days' worth of blood from cancelled blood drives.

The American Red Cross Carolinas said bad weather forced the cancellation of 121 blood drives in January, resulting in the loss of about four days of blood collections. The organization is also seeing a lower donor turnout this month because of the flu.



Hurricanes, wildfires, earthquakes and floods strike communities every year, injuring and displacing thousands. A plan and an emergency kit are important, but they only go so far. Ideally, your whole community should be ready, and if you don’t think it is, here’s how you can help make sure.

Organizing your neighbors with a plan in case the worst happens is no simple feat. It’s difficult enough for most of us to plan for our own families, much less a dozen in our building or on our block. So how do you do it?

We spoke to Mitch Stripling, the assistant commissioner of Agency Preparedness and Response for the New York City Department of Health and Mental Hygiene and the co-host of “Dukes of Hazards: The Emergency Management Podcast,” about the best ways to get everyone in your area aware and prepared for the types of disasters that are most likely to impact your community.



Monday, 19 February 2018 15:21

How to Prepare Your Community for a Disaster

If I told you about something you could do that would swiftly vault your organization into the ranks of the elite, in terms of your business continuity management program, would you do it? Would you at least be interested in learning more about it?

There is such a step you can take, and it’s so easy, inexpensive, and helpful in terms of the direction it can give your BC program that I’m always amazed that more companies don’t do it. In fact, I would say that fewer than 10 percent of the organizations have implemented this measure, based on the informal surveys I conduct when I speak at business continuity events around the country.

What is the step I am talking about? Adopting a business continuity standard for your organization.

Now, when I say it is easy to adopt a standard I am not saying that coming into compliance with one is necessarily a piece of cake. Some standards are tougher than others to align with and some are very hard to meet indeed (here’s looking at you, FFIEC—and if you don’t know what I mean by “FFIEC” keep reading).



This is part 3 of a 3-part series on digital blueprints.

Digital transformation has tremendous potential to unleash value for organizations; thus, more and more organizations are formulating digital strategies. However, many are missing significant value and opportunities that are made possible by a holistic digital strategy. Many digital strategies are focused too narrowly. For example, leaders claim they are achieving the digital strategy by moving applications and infrastructure to the cloud. A digital strategy establishes the enterprise vision and priorities for digital transformation. To power your digital transformation, leverage a digital blueprint: a structured approach used to evaluate opportunity areas, value drivers, and risks, and align the digital path with business drivers.



Making the Investment to Shift Risk Culture

Risk culture, though difficult to define, is one of the most mentioned topics by Fortune 500 executives and for regulators across several industries. However, despite this visibility in quarterly calls, creating, measuring and influencing risk culture continues to defy easy answers for organizations. Yet – as Matt Shinkman and Chris Matlock detail – it is this very challenge that makes tackling risk culture in 2018 a strategic opportunity that pays dividends beyond compliance.

Over the past decade, organizations have made great strides in improving their risk management processes and systems. While this has generally helped senior leaders understand their biggest risk exposures, progressive organizations are now turning their attention to the need for a cultural shift where employees embed risk management in their day-to-day workflows. Our conversations with heads of enterprise risk management (ERM) at over 300 large, global organizations have surfaced a multitude of questions; yet the question, “How do I define and improve risk culture?” is one of the most common. Moreover, it’s a growing concern and interest among financial regulators globally. However, despite this heightened visibility, defining and influencing risk culture continues to defy easy answers for many organizations.

To start, there is no clear sense for what risk culture actually is or how to influence it. Discussions on risk culture sound similar to the parable about the blind men and the elephant, where each person touches a different part of the animal and makes their own judgments about what it is. As a result, we end up defining risk culture in simple terms: the deeply held assumptions, beliefs and values shared by an organization’s employees with respect to risk management.



How to Mitigate Risk and Liability

When allegations of misconduct are raised, leadership should quickly turn its attention to an internal investigation. Depending on the nature of the supposed wrongdoing, the matter may need to be investigated quickly. But a haphazard investigation won’t do. Jeffrey Klink offers seven steps to a successful investigation.

Businesses regularly confront allegations of internal misconduct. These allegations can involve breaches of the law or the business’s policies or procedures. Successfully navigating the potential pitfalls of internal investigations is essential to protect your brand and important assets, as well as to avoid the risk of having to deal with additional problems resulting from adverse media coverage. This article outlines seven steps that will assist corporate counsel, owners and others in managing and mitigating internal misconduct allegations.

Many professionals like to make internal investigations confusing. But the reality is that there are basic steps that can be taken to determine if a misconduct allegation has merit and if a comprehensive investigation is required. The first step is determining whether an allegation has merit; if it does, then some or all the next steps may be required. Step two is assigning a case supervisor and other professionals to conduct the investigation. Steps three to seven are: (3) obtain and review all pertinent data and documents; (4) conduct discreet background research on significant parties and subject(s); (5) interview knowledgeable persons; (6) interview subject(s); and (7) assess which internal controls and procedures can be improved to avoid future problems.



What’s that old saying? “Build a better mousetrap, and the world will beat a path to your door?”

The phrase is credited to Ralph Waldo Emerson, although the exact wording is up for debate. Regardless, the sentiment has caught on over the past 150 years and today, more than 4,400 patents have been issued by the U.S. Patent office for original mousetraps. A “better mousetrap” is a metaphor for any innovation that solves a problem – Scotch tape, revolving doors, Velcro. Identify a problem, observe the world around you, and experiment (repeatedly) for a solution.

“Cloud computing” has been ripe for innovation over the last 12 years, since the term was added to the mainstream vernacular when Amazon.com released its Elastic Compute Cloud product in 2006. Various flavors of cloud have been introduced (public, private, hosted private, hybrid, etc.), and today, there are so many companies offering “cloud services” that Forbes publishes a Forbes Cloud 100 list of new vendors each year.



Damage to reputation or brand, cyber crime, political risk and terrorism are some of the risks that private and public organizations of all types and sizes around the world must face with increasing frequency. The latest version of ISO 31000 has just been unveiled to help manage the uncertainty.

Risk enters every decision in life, but clearly some decisions need a structured approach. For example, a senior executive or government official may need to make risk judgements associated with very complex situations. Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.

Yesterday’s risk management practices are no longer adequate to deal with today’s threats and they need to evolve. These considerations were at the heart of the revision of ISO 31000, Risk management – Guidelines, whose latest version has just been published. ISO 31000:2018 delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions. Following are the main changes since the previous edition:



Thursday, 15 February 2018 15:54

The new ISO 31000 keeps risk management simple

It’s the rare workplace disaster that is dramatic enough to burst into the news. Most business emergencies are managed privately, with the outside world unaware that anything was ever wrong.

This is great from the companies’ point of view. It’s bad enough having a disaster without having a public-relations distraction piled on top of it.

However, there is a drawback for the business-continuity community: All this discretion deprives people outside the firm of the benefit of their peers’ experience.

One interesting consequence of this is that many BC professionals have a limited concept of the kind of negative events that can impact their organizations. Everyone knows about fires, hurricanes, and cyberattacks—they’re in the news all the time—but many other kinds of things can disrupt a business and frequently do, including things most people couldn’t even imagine.



While cyber security may have you thinking in zeros and ones, and wondering which next generation firewall you should buy next, the human element is alive and well in cyber crime.

Indeed, it can be argued that cyber crime only exists because human beings are motivated to take or break digital assets that do not belong to them.

So, while you mull over your cyber security defence, it may be helpful to consider how criminologists view the matter, especially in terms of crime displacement, a natural result of any security strategy.

Basically, the idea behind crime displacement is that if you stop criminals (including cyber criminals) from perpetrating crime in one way, they may well look for another way. Professional hackers including teams working for governments are more likely to develop other lines of attack.



Thursday, 15 February 2018 15:52

Cyber Security and Pointers from Criminology

(TNS) - An American nightmare unfolded Wednesday afternoon at a North Broward high school when a former student came onto campus and opened fire, killing and injuring multiple people.

Details remain cloudy amid a flurry of police activity at Marjory Stoneman Douglas High School in Parkland off the Sawgrass Expressway. Students, who heard a fire alarm go off just before dismissal, followed by gunshots, fled off campus and hid under desks as police sped to the scene. Parents, blocked from getting onto campus, stood by helpless.

The Broward Sheriff’s Office is reporting “at least 14 victims.”

The shooter, a former student identified by law enforcement sources as Nicolas de Jesus Cruz, managed to make it off campus. He was cornered and taken into custody in a townhouse at Pelican Pointe at Wyndham Lakes in Coral Springs.



Looking back on the past decade, few would argue that certain man-made threats – active shooters, cybercrime, and workplace violence – are on the rise.

What are the facts behind these incidents? And is your organization prepared to respond should they occur at your workplace? Let's take a closer look.



What Compliance Should Be Doing Now

CCI has covered the General Data Protection Regulation (GDPR) extensively, and by now most readers may know that the deadline for GDPR compliance is barreling toward us. Kevin Gibson walks us through what businesses must do to prepare.

May 25, 2018, the day on which the General Data Protection Regulation (GDPR) takes effect, is fast approaching. Some firms have been proactively working toward GDPR compliance, which is wise given that failure to do so exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of global revenue — whichever is higher. However, it appears that a majority of firms whose business requires them to comply with GDPR have yet to do so and are instead waiting to take action until just before the deadline or worse, after it passes. Such procrastination is ill advised. The GDPR compliance countdown, as outlined here, should start now.



Wednesday, 14 February 2018 15:18

Countdown To The GDPR
