Fall World 2017

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 30, Issue 2

Full Contents Now Available!

Industry Hot News

Industry Hot News (7291)

There has always been some degree of risk involved in transporting dangerous goods (DG)/hazmat, with the responsibility for compliance typically assigned solely to the compliance or shipping department. Today, with more than 1.4 million DG shipments being made daily in the U.S. and a greater number of goods now classified as hazardous, that risk has multiplied exponentially — and so have rules and regulations.

The challenge of ensuring compliance with these complex and changing regulations is made even more difficult due to shifts in responsibility within many organizations, with the role of hazmat compliance now often involving a number of divisions, including IT, supply chain, compliance, warehouse, shipping, EHS (environmental, health and safety) and more.

The path to safety and compliance requires a commitment to developing the necessary infrastructure, establishing the right processes and having the right personnel to carry it out.

The result is not just enhancing your company’s brand by being a good corporate citizen; it can give your business a competitive edge and boost your bottom line by helping to reduce costs, mitigate risk and virtually eliminate penalties and fines due to violations and rejected shipments.



The world is littered with thousands of examples of the problems associated with data center strategy mistakes around capacity and performance.

For example, Lady Gaga fans brought down the vast server resources of Amazon.com soon after her album “Born This Way” was offered online for only 99 cents. Similarly, a deluge of online shoppers caused the data center to crash after they bombarded Target.com for a mammoth sales event. And, of course, there was the famous healthcare.gov debacle, when an ad campaign prompted millions of Americans to rush to the website for healthcare coverage only to face long virtual lines and endless error messages. In total, it is estimated that more than 40,000 people at any one time were forced to sit in virtual waiting rooms as available capacity had been exceeded.

Each of these examples highlights why data center managers have to make sure their data center strategy stays ahead of organization expansion needs as well as watching out for sudden peak requirements that have the potential to overwhelm current systems. The way to achieve that is via data center capacity planning.



Cybercrime is one of the biggest challenges society faces today.

As the world becomes more digitized and dependent on connected systems and devices, the threat and the potential impact is exponential.

As we just recently witnessed the WannaCry attack, this is a wake-up call and we should expect to see global attacks of this nature accelerate.

There is good news.



Thursday, 25 May 2017 14:45

CEO Forum: WannaCry Raises the Red Flag

Having the right business continuity tools can make the work you do on your BCM program easier and more consistent. In this post, we’ll explore categories of tools that will make your program more efficient and help you be prepared to respond effectively to a crisis event.

Here at MHA Consulting, we have had the opportunity to see multiple business continuity tools in action. While we strive to be tool-agnostic, not necessarily recommending any single tool, we do work with our clients to ensure that the tools they use will best meet their needs and requirements.

There are many providers in these spaces; the ones listed are those we are familiar with through use in client engagements or other situations. A review of these tools may be a good place to start.



The Business Continuity Institute

With only one year to go before the European Union General Data Protection Regulations (GDPR) deadline, many US businesses with European customers are not fully prepared to comply with the new laws, which include ‘Right to be Forgotten’ customer consent mandates and regulations on how customer data is handled. US companies, or any organization that stores data on EU citizens, will face hefty fines or lawsuits if they don’t fully comply - up to 4% of annual turnover or €20 million, whichever is greater.

US large-company CIOs saying they are well-briefed on the impending laws, up from 73%, when asked the same question last year. However, only 60% have detailed plans in place to address the new laws’ requirements. This is up from 33% from last year’s survey, but suggests there is still significant work ahead.

94% of the large US company CIOs surveyed say their companies have personally identifiable information (PII) on EU customers, making the new mandates applicable to them.

Particularly challenging is the mandate to obtain customer permission to use PII in application testing, a critical part of software development. 55% of US firms have a plan in place to address this, but nearly one-third say they don’t fully understand the impact of this ruling.

The data complexity of modern systems is also an issue, as 85% admit it’s sometimes difficult to know exactly where all their customer data resides, an increase from last year’s survey with 78% then admitting that difficulty.

“US organizations are heading in the right direction on GDPR compliance, but there is still work to be done to improve data governance capabilities,” said Chris O’Malley, CEO of Compuware. “Manual processes that are used to locate and protect customer data must be replaced with automated capabilities that enable businesses to quickly, accurately and visually manage data privatization and protection.”

The findings also reveal US organizations are better prepared for the GDPR than their European counterparts. Compared to the 60% of US companies saying they have detailed and far-reaching plans in place, only 19% of UK companies have such plans prepared, a modest improvement of only 1% since last year.

US respondents ranked their biggest GDPR compliance hurdles to overcome as follows:

  • Design and implementation of internal processes (65%)
  • Securing customer consent to use their personal data and handling the process of data withdrawal if requested by the customer (64%)
  • Ensuring data quality (52%)
  • Cost of implementation (43%)
  • Data complexity (41%)
Thursday, 25 May 2017 14:35

BCI: US more prepared for GDPR than UK

The Business Continuity Institute

As companies outsource processes and services, they expose themselves to a plethora of third-party risks. Whether it's data security, business disruptions or compliance risks, organizations must have the relevant measures in place to mitigate their potential impact on business continuity and reputation.

A report my MetricStream however, shows that one in five respondents to a survey (21%) reported that their organization has faced significant risks due to third-parties during the last 18 months. Of those that shared financial impact data on the losses, a quarter said that the loss was greater than £8 million (generated through cost of downtime, regulatory fines and reputational damage).

How organizations are managing third-party risk also revealed that nearly three quarters (73%) of businesses do not track fourth-parties, meaning they have no visibility past their immediate suppliers. This finding emphasises some of the concerns raised in the Business Continuity Institute's latest Supply Chain Resilience Report which revealed that only two-thirds of organizations maintain adequate visibility over their full supply chain.

French Caldwell, chief evangelist at MetricStream, commented: “As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they are opening themselves up to risks. However, despite some supplier incidents costing upwards of £8 million, 44% of the respondents said that their business had no dedicated third-party risk management function. Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third-parties when the services were managed in-house become fourth parties which are more difficult to monitor.

“Businesses can no longer plead ignorance. They are responsible for the actions of their third-parties and they will bear the brunt of any fallout. For example, if a business shares sensitive data with a third-party without checking if it has relevant cyber security, and that supplier suffers a data breach, under some rules the company could be liable. Not only will it suffer reputational damage, but new regulations such as the EU GDPR could see large fines imposed too."

I’ve said it before, and I’ll say it again: All companies, no matter the size or the industry, will eventually be targeted by hackers, cybercriminals and other bad actors. At the same time, more and more instances of cyberattacks are being carried out against high-ranking executives, many of them C-level executives and directors. Not only do these individuals have access to a company’s most sensitive and confidential information, but often, they have the least amount of oversight and the worst cybersecurity habits.

For a corporation, falling victim to such attacks is damaging enough for obvious reasons (just ask Yahoo!), but for a high-ranking business leader, the fallout is particularly embarrassing, as it signals a clear lack of awareness about basic security precautions. Further, leadership is being held increasingly accountable for a wide swath of security missteps, a narrative that all too frequently plays out in news headlines and almost always ends in the loss of a job, an investigation or legal action.

With all of these consequences considered, one would hope that leadership is scrambling to close critical security gaps. But new research from Diligent and the New York Stock Exchange’s Governance Services paints a starker picture.



Not All Emergency Notification Systems Are The Same

Does your company have a modern mass communication system? When I say “modern,” I am referring to one that doesn’t rely solely on email or phone; one that is able to contact employees on multiple devices simultaneously; one that can be activated in a matter of seconds and reach its intended audience within minutes. I’m going to add another feature in the mix because it is so invaluable when it comes to reaction time – interactive maps.Interactive maps use GPS to track and monitor employees and events – not in a creepy, big brother way but in a way that ensures employees are safe and accounted for no matter where they work. GPS can provide more immediate location information to help first responders to act quickly when seconds count. Think of it this way: if you were working in a location where an emergency struck, would you be uncomfortable or thankful that your employer was sending help to your exact location within seconds of the incident?



(TNS) — California will probably introduce a limited public earthquake early warning system next year, researchers building the network say.

Earthquake sensing stations are being installed in the ground, software is being improved and operators are being hired to make sure the system is properly staffed, Egill Hauksson, a seismologist at the California Institute of Technology, said at a joint meeting of the Japan Geoscience Union and American Geophysical Union.

The new stations are particularly important for rural Northern California, where gaps in the network have put San Francisco at risk for a slower alert if an earthquake begins on the San Andreas fault near the Oregon border and barrels down to the city. Last summer, California lawmakers and Gov. Jerry Brown approved $10 million for the early warning system.



(TNS) - When Hurricane Opal plowed through the Florida Panhandle, those who chose to ride out the devastating storm were left without power and resources for days.

That was back in September 1995. Kelly Jo Bailey, disaster program manager for the local American Red Cross, was living in Bay County at the time of the fatal and historic Category 4 hurricane. She said the community was changed in an instant of the storm making landfall.

"It brings the best and worst out of people," she said. "You can have people stealing or looting, but you also have neighbors helping neighbors."

Bailey, along with several volunteers and other emergency response agencies, were sharing information and assistance Saturday during Hurricane Preparedness Day at the Panama City Mall, 2150 Martin Luther King Jr. Blvd. With hurricane season starting June 1, officials were urging passers-by in the mall to have supplies on hand and make a plan before a serious storm rolls through.



(TNS) — Mass casualty events — ranging from the slaughter of 26 innocents at Sandy Hook Elementary School in 2012 to the bombs that killed three and injured more than 250 at the Boston Marathon in 2013 — have highlighted the need for a well-trained citizenry, according to a doctor promoting bleeding control techniques.

After chronicling several other mass casualty attacks in the United States and Europe, Dr. Lenworth Jacobs said, “It’s a big problem, and it’s getting worse.”

Jacobs, speaking to roughly 250 people at a trauma care symposium that Gundersen Health System sponsored Friday at Western Technical College in La Crosse, noted the attacks at schools besides Sandy Hook, including Columbine and several colleges and universities.



When people hear the word “compliance,” they often imagine red tape and a governing body restricting your free will – so suffice it to say, it’s not the most pleasant word in the English dictionary. But compliance is so much more than the equivalent of a teacher’s pet making you stay late after school. It’s an essential part of business practices, and failure to be compliant can lead to penalties, fraud and the loss of your business. There are many challenges that come with navigating the murky waters of compliance; luckily the dawn of technology can help solve those problems.

Bolstering Corporate Compliance with a Solid BPM Strategy

In the wake of cybercrime and corporate scandals, the age-old concept of compliance ensures companies act responsibly and are protected. With tighter compliance comes reduced legal problems, improved operations, higher productivity levels and greater employee retention.

A key area in compliance that often gets shoved under the rug is within Business Process Management (BPM) – a systematic approach to making an organization’s workflow more effective, more efficient and more capable of adapting to an ever-changing environment. Compliance in this area consists of a) demonstrating that you have documented your process, b) demonstrating that you have followed that process, c) demonstrating you have visibility over all processes and d) demonstrating that you can spot cases in which processes were not followed.



I have gotten some inquiries about where spending on artificial intelligence and cognitive technologies occur in our tech market numbers (see, for example, "US Tech Market Outlook For 2017 And 2018: Mostly Sunny, With Clouds And Chance Of Rain").  The short answer is that we include them in our data on business intelligence and analytics, though so far  spending on these technologies is still small -- probably than a billion dollars for 2017.

But even as artificial intelligence spending grows, it is likely to remain small in terms of visibility.  That's because artificial intelligence solutions are likely to be functions in existing software products, and not something that firms buy directly.  Put another way, the biggest buyers of AI will probably be software, services, and hardware vendors, who use AI to help their products and services work better.

There is precedence for this pattern in the BI and analytics market.  My Forrester colleague Boris Evelson has been collecting data from the leading BI vendors as to the percentage of their revenues that they get from end customers versus from OEMs (original equipment manufacturers).  On average, about 10% of these vendors' revenues come from sales to OEMs.  And that could well be understated, because vendors like IBM, Microsoft, Oracle, or SAP don't provide data on the explicit (or more likely implicit) value of their analytics products that are used in their applications.



Let me pose a question: “Is it a bad thing to give the average person a hand grenade with the pin pulled?” I think most of us would respond to that question with an emphatic “YES!”  No one in their right mind would think it's a good idea in any possible reality to allow anyone without extensive military or professional training to access an explosive--especially not one that is live and has no safety device in use. Bad things would happen, and people would probably lose their lives; at the very least, there would be damage to property. No matter what, this scenario would be a very bad thing and should NEVER happen.

OK, now let me change that question a bit: “Is it a bad thing for every person with a network connection to have access to extremely powerful nation-state-level cyber weapons?”  Hopefully you would respond similarly and say “YES!”

Just as the hand grenade juggling is a problem, so is the proliferation of nation-state-level exploits. These malicious tools and frameworks have spread across the world and are presenting a very complicated problem that must be solved. Unfortunately, the solution that we've currently been offered amounts to a variety of vendors slinging solutions and tools that, without good strategy, cannot effectively combat the myriad cyber artillery shells now being weaponized against every system that touches the World Wide Web. The bad guys have now officially proven that they can “outdev” the defensive technologies in place in many instances and have shown that it's highly likely that many installed legacy technologies are wide open to these weaponized attacks (anti-virus be darned) across the planet.



The Business Continuity Institute

In 2016 global supply chains continued to face a range of security, social responsibility, and business continuity risks, with many of these issues provoked by one another, according to BSI's Global Supply Chain Intelligence Report.

The report noted multiple incidents that started out as a security, social responsibility, or a business continuity risk that cascaded into other supply chain issues. The European migrant crisis is perhaps the best example of a type of event that began as a single security risk, before building into a business continuity disruption as countries imposed border controls, which in turn was exacerbated by blocked migrants looking for work, often falling victim to forced labour in certain nations. As risks, such as the migrant crisis, continue to evolve, it's imperative that organizations work together to take a holistic risk management approach to ensure they are informed and prepared to address multiple areas of concern.

In 2016, governments in Asia responded to increasing levels of supply chain risks, but many policies were merely reactive and often led to further threats to the integrity or continuity of the supply chain. BSI observed a shift in labour strike threats in China in 2016, driven mainly by concerted government efforts to limit strikes in the country following years of increasing labour disruption. Labour strikes still occurred in large numbers across China last year, but the number of strikes dropped in 2016 for the first time in recent years. Strikes at factories dropped by 31%; with two-thirds of provinces – including major apparel, consumer goods, and electronics production hubs – witnessing a decline in manufacturing strikes. An emerging area of concern is the growth in strikes in the logistics sector, including trucking, shipment processing, and delivery, which rose more than fourfold from nine incidents in 2014 to 40 last year.

Asia also saw an increase in labour rights concerns in Bangladesh in both the ready-made garments sector and in other industries. A December 2016 survey of the Dhaka slums found a far higher incidence of child labour than previous government studies had suggested, with 15% of children employed in formal and informal enterprises. Additionally, the survey found that a significantly larger proportion of children were employed in the formal RMG sector than had been previously believed. The study also documented abusive practices in garment factories that employed children. Over 37% of girls reported being forced to work overtime, while children employed in the formal garment sector earned only half the national minimum monthly wage for garment workers.

Europe experienced significant terrorist attacks in Nice, France in July and Berlin, Germany in December, along with dozens of counter-terrorism arrests across Europe in 2016. Those attacks in particular also underscored the threat that terrorists will exploit the supply chain to perpetrate attacks. In both cases, Tunisian men linked to the Islamic State in Iraq and Syria (ISIS) used cargo trucks to ram into crowds of civilians. The Berlin attacker even perpetrated an explicit disruption of the supply chain before the attack by hijacking a Polish tractor-trailer carrying a shipment of steel beams. ISIS-linked plots involving similar timing and tactics are likely to continue challenging European security into 2017.

In Turkey, a faction within the military launched a failed coup against the reigning Justice and Development Party (AKP) government, leading to significant security and business continuity impacts in the short and long terms. The Turkish government's response to the coup attempt has exacerbated security and business continuity threats in the country. Days after the coup, the government began widespread purges of numerous government departments and agencies across virtually every ministry, as well as the military, police, and intelligence services. There have been 100,000+ officials removed from public duty, 70,000 investigated and 32,000 arrested in total.

Supply chains in the Americas faced a wide range of risks related to security, corporate social responsibility, and business continuity in 2016. Cargo theft remains a main concern for the Americas with the most dramatic increase in cargo theft rates in Rio de Janeiro last year. Already the second largest hotspot for cargo theft in the country, officials in Rio de Janeiro reported a total of 9,870 cargo theft incidents in 2016, 36% more incidents than those recorded in the state in 2015. The year-over-year increase in cargo theft incidents in both Rio de Janeiro and Sao Paulo, combined with minimal efforts to curb the rate of theft, suggests that Brazil could see another year of increased cargo theft in 2017.

BSI also recorded varying degrees of improvement in corporate social responsibility protections in Latin America in 2016. The BSI SCREEN Intelligence Team reduced the rating for the threat of child labour in both Ecuador and Panama due to each country's sustained efforts to drastically eliminate the problem. In Ecuador, the government reduced the rate of children working in the country from the 16% recorded in 2007 to now less than 3%, with Panama succeeding in reducing the rate of child labour in the country to about 4%, a number that represents a 50% reduction since 2012. Although most countries in Latin America improved upon their corporate social responsibility record, some nations, particularly Peru, failed to make much headway last year.

In 2017, BSI expects continued threats of cargo theft and drug smuggling in the Americas and Europe, protests over wage and other labour issues across Asia, and persistent risks of terrorism, including terrorist targeting of the supply chain. New initiatives to address security, social responsibility, and continuity risks in many regions will require close monitoring to assess their effectiveness at the ground-level.

Okay, I’ll apologize right away to the IT ops teams that are already security-savvy. Hats off to you. But I suspect there are still a few that leave security to the CISO’s team.

On Friday, May 12, 2017, evil forces launched a ransomware pandemic, like a defibrillator blasting security into the heart of IT operations. What protected some systems? It wasn’t an esoteric fancy-pants security tool that made some organizations safe; it was simple e-hygiene: Keep your operating systems current. Whose job is that? IT operations’. Had the victims kept up with OS versions and patches, they wouldn’t have been working over the weekend to claw back from disaster. What’s the path to quick restoration? Having a safe offline backup. Whose job is that? IT operations’. The WannaCry ransomware outbreak is a brutal reminder that IT operations plays a critical role (or not!) in protecting the business from villains.



As the global WannaCry ransomware attack began spreading to computer systems around the world on May 12, Microsoft president Brad Smith quickly responded by publicly blaming part of the problem on businesses which don’t keep up with critical security patches, leaving their systems vulnerable to attackers.

Smith’s comments came in response to critics who had blamed Microsoft for leaving systems vulnerable in the first place by not doing enough sooner to assist customers and for ending security patches for older operating systems such as Windows XP and Windows Server 2003. Many enterprises, including hospitals and a wide range of businesses, still rely on systems running older operating systems or embedded operating systems, leaving them open to hackers and ransom attacks.

The problem with that argument, according to several industry analysts who spoke with ITPro, is that Smith and Microsoft are right this time to criticize IT administrators and their companies that are failing to keep their systems patched and updated.



The Business Continuity Institute

Switzerland, Luxembourg and Sweden are the three countries most resilient to the pressures of the 21st century according to the  2017 FM Global Resilience Index, with Nepal, Venezuela and Haiti making up the bottom three on their list. The study, which ranks 130 countries and territories by their enterprise resilience to disruptive events, also highlighted that the most pressing risks to business performance are cyber attack, natural hazards and supply chain failure.

For organizations concerned by the increasing incidence of cyber attack, oil-rich Saudi Arabia has emerged as a country with above-average inherent cyber risk. Its high internet penetration, combined with a limited cyber security industry, make it a more vulnerable target. Developing India, by contrast, with its growing information technology industry, emerges as a country with below-average inherent cyber risk.

For organizations aware of the heavy toll of natural disasters, Sweden has above-average resilience due, in part, to its lower-than-average exposure to hazards such as windstorms, flood and earthquakes. On the other hand, flood-prone Bangladesh, a major manufacturing hub for apparel and textiles, ranks toward the bottom of the index.

For organizations with global supply chains, Germany, a major exporter and importer, ranks near the top in resilience, driven in part by its strong ability to demonstrate where parts, components or products are in transit. Russia ranks below average in this respect.

The index also ranked countries in terms of overall enterprise resilience with wealthy Switzerland occupying the number-one spot. This reflects high scores for its infrastructure, local supplier quality, political stability, control of corruption and economic productivity. Hurricane-ravaged Haiti ranks at the bottom of the index due in part to its high natural hazard exposure and poor economic conditions.

Many of the insights originate from three new resilience drivers added to the index this year. Inherent cyber risk reflects a country’s vulnerability to a cyber attack and its ability to recover; urbanization rate serves as a proxy for stress (on water supplies, power grids and other infrastructure) that would be exacerbated by natural disasters such as windstorms, flood and earthquakes; and supply chain visibility – reflects the ability to track and trace consignments across a country’s supply chain.

Other drivers of resilience that form the index include: productivity, political risk, oil intensity, exposure to natural hazard, natural hazard risk quality, fire risk quality, control of corruption, quality of infrastructure and quality of local suppliers.

“Our clients have found the index valuable when making important decisions about their properties, business strategies and supply chains,” said Bret Ahnell, executive vice president at FM Global. “We upgraded the index this year to reflect escalating threats that can make a lasting impact on business performance. FM Global will continue to improve the index and make the data publicly available to any business, client or not.”

Digital transformation is a must in today’s competitive landscape, radically speeding the pace of operations and increasing the demands placed on businesses to deliver new experiences. Businesses that embrace digital transformation will capitalize on this disruption to become industry leaders. It’s a reality that rewards swiftness and agility.

But speed is nothing without control. Without proper controls, moving faster may simply mean developers are releasing security vulnerabilities faster, exposing their organizations and customers to greater risk. The increasing pace of rapid innovation isn’t going to slow down. Organizations have to master shipping software faster, with higher efficiency and lower risk. The primary defense to ensure safety and speed work together is how to test for compliance through Agile, Lean and DevOps (ALDO) principles.



Friday, 19 May 2017 16:31

The Case for Compliance Automation

“Go all-flash, young man,” appears to be the current mantra of the storage industry. Vendor after vendor is urging enterprises to ditch hard disk drives (HDDs) in favor of solid state drives (SSDs). You also hear about flash-first strategies that urge organizations to look at flash storage first, last and always.

While this approach makes sense in many cases, what about existing storage assets? And in particular, are there any times when all-flash storage just doesn't make sense?

Here are some possible situations where it might be wise to skip the flash:



According to certain industry analysts and software vendors, we are now midway between a stage 10 years ago when few applications used machine learning, and a stage 10 years into the future when apparently, most applications will function with it.

The Gartner “Hype Cycle” shows machine learning due to become mainstream in software in about four or five years’ time. In that case, business continuity, like any other area of business activity, is likely to be affected. The time to start thinking about it may well be now. But what is machine learning, and how might it influence BC planning and management?

Simply put, machine learning is the capability of systems to construct models from data, without the intervention of human beings. Examples of machine learning today include self-driving vehicles and fraud detection, both of which reflect aspects of business continuity. Machine learning can be done in two ways.



Recent incidents remind us that knowledge is power. Earlier this week, US President Trump shared classified information with foreign delegates — and by doing so, he potentially declassified it. When The Washington Post exposed the headline first, the article became the most viewed digital news story in the publication’s history. This comes only a few days after a sweep of global cyberattacks locked major corporations and governments out of their data and threatened to release stolen content (like a soon-to-be-released Disney film) in increments. These stories remind us that those who own and control information wield power — but also that the boundary between public and private information is becoming easier to transgress.  

Organizations and regulators are not the only ones contending with the power play of public and private information. Consumers are also becoming empowered as their knowledge of institutions’ inner workings and related data risks grows. As a result, consumers are striving to control their personal information. Forrester’s Consumer Technographics® data reveals that consumers around the world are motivated to manage their data, and those in the US and UK are especially conscious:



(TNS) - More than 140 courthouses across California are seismically unsafe, a study commissioned by state officials determined, and fixing just the worst dozen would cost more than $300 million.

In a serious earthquake, 145 courthouses could face “substantial” structural damage, “extensive” non-structural damage and “substantial” risk to the life of those in the buildings, says the study, presented Wednesday to a committee with the Judicial Council, which sets policy for California courts.

Glendale Superior and Municipal Courthouse received a seismic risk rating of 44.2, the highest in the state and among a dozen facilities considered very high risk. The report used seismic-risk ratings developed by the Federal Emergency Management Agency, or FEMA.



In light of the very recent WannaCry ransomware cyber attack that has impacted more than 230,000 victims in over 150 countries since it began last week, it is more important now than ever to be thinking about your organization’s business resiliency, specifically your business continuity plan and IT disaster recovery plan. Should your organization experience any type of business disruption—such as a cyberattack—the best defense is having not only a plan, but also a crisis communications platform that will aid in the management of such an event.

Business Continuity Awareness Week 2017

Given the recent cyber attack, it’s perfect timing for Business Continuity Awareness Week (BCAW) which is happening now—May 15-19, 2017, and this year’s theme is dedicated to Cyber Security.

This annual global event is facilitated by the Business Continuity Institute (BCI). The purpose of BCAW is to provide a vehicle to raise the awareness of and to showcase the value of Business Continuity Management as an integrated part of an organization’s strategy.

BCAW opens up the doors to anyone who wants to find out more about what business continuity is all about and how it might benefit their own organization. The BCI educates organizations on the importance of business continuity planning by sharing experiences, knowledge, and best practices. This year they are focused on “Building Resilience by Improving Cyber Security.”



The Business Continuity Institute

Quite often with cyber security, the public sees what might appear to be a game of cat and mouse: the perpetrators (bad guys) attack, then the cyber security establishment (government, private companies, and so on; the good guys) defend and try to plug, patch, and repair the problem after the fact. What we are missing in this picture—what may not be reported, or underreported - is how many companies and organizations are unaffected, as well as those who may have been impacted but are hesitant to admit this and risk bad publicity.

The latest example of this is the WannaCry attack, which now looks like it came from the North Korean-affiliated Lazarus group. This attack would have been defeated if organizations simply allowed computers running Microsoft-based operating systems to install the update that would have fixed the vulnerability. With personal computers, most users allow this to operate automatically, but with corporate computers this task is generally taken care of by an IT department that often runs several versions of Windows behind.

It is interesting that, according to reports, this ransomware attack - which claims to encrypt all of users’ files and offers a payment-based decryption service to restore them - has only generated $50,000 in ransom. However, it is our guess that this number is severely underreported; we have found few people like to admit to having been a victim of this kind of attack, just as users affected by Nigerian scams often deny being victims. It’s also interesting to speculate whether people will continue to pay any ransom given that, according to reports, no one who’s paid the ransom thus far has had their files decrypted.

How can organizations break this vicious cat-and-mouse cycle? One way to effectively build and maintain organizational resilience on an enterprise level is creating a cyber security program that repels and recovers from cyber attacks, following the Four Rs of Resilience: Robustness, Redundancy, Resourcefulness, and Rapidity. For our purposes with regards to WannaCry, let’s focus on just two factors: Robustness and Redundancy.

Robustness is the ability of systems and elements to withstand disaster forces without significant degradation or loss of performance. The simple fix here is making sure all operating systems are updated, including any systems by vendors, home systems that may be used (or prevented from accessing corporate systems) and tertiary systems an organization relies on. More sophisticated solutions such as software defined perimeter would also have prevented the attack, by establishing a dark layer and credentialing process, restricting access.

Redundancy is the extent to which systems and elements or other units are substitutable or capable of satisfying functional requirements, if significant degradation or loss of functionality occur. Regular backups would remove the concern about having data encrypted or destroyed as users could just retrieve the same data from their backup.

So in short, what’s the best way to keep your personal and organizational data safe in the age of WannaCry? It may seem simple, but it’s the most basic cyber security advice for a reason: update and backup your files. Frequently.

Andrew Boyarsky and Douglas Graham are the academic director of the master’s program in enterprise risk management at the Mordecai D. and Monique C. Katz School of Graduate and Professional Studies at Yeshiva University and an advisory council member at the Katz School, respectively. The opinions expressed above are solely those of the authors and should not be attributed to Yeshiva University.

The Business Continuity Institute

Last week's ransomware attack, which affected 200,000 computer systems in 150 countries and crippled hospitals across the United Kingdom, is a frightening reminder of how much damage can be done by this type of malicious cyber attack. However, a new survey reveals that most people are ill equipped to deal with such an attack.

“It is simply unacceptable that people do not get the care they need because of cyber criminals attacking hospitals. We have a shared responsibility to collaboratively get this under control,” says Kathy Brown, President and Chief Executive Officer of the Internet Society which helped to fund the survey. “Law enforcement, IT professionals, consumers, business, and the public sector all have responsibility to act to keep enabling the good that the internet brings.”

According to the joint CIGI, ISOC and UNCTAD Global Survey on Internet Security and Trust, conducted by global research company Ipsos, before the latest attack, 6% of internet users globally had already been personally affected by ransomware, with internet users in India, Indonesia, China and the United States the most likely to be affected. An additional 11% knew someone who has been hit by these malicious programmes.

"Cyber thieves now operate on a global scale, as the most recent attack illustrates, and just about anybody can launch a ransomware attack,” says Fen Osler Hampson, Distinguished Fellow and Director of Global Security at CIGI. “Ransomware attackers have discovered that they don't have to steal or destroy your data to enrich themselves, they just have to hold it hostage. Our survey data shows that many people are willing to pay to get their data back, which makes such attacks highly profitable."

People remain largely unprepared for this new form of cyber attack, which encrypts their data and renders it inaccessible until they pay a ransom. Nearly a quarter (24%) of people admit they would have no idea what to do if their computer were to be hit with ransomware.

Many would turn to the authorities with 22% contacting law enforcement, 15% contacting their Internet Service Provider and 9% contacting a private firm to try to retrieve their data. Unfortunately, the authorities are often unable to help. Once the data is locked, it is extraordinarily difficult to retrieve without either paying the ransom or restoring the files from a backup. Here again, internet users are woefully unprepared, as only 16% of people globally indicate that they would retrieve their data from a backup.

As individuals and as organizations, our data is important to us, and our time is important too. We do not want to lose either as it could be costly. We need to make sure that we have plans in place to be able to respond to such an attack and manage through any disruption that occurs as a result. Business continuity has played an important role is the response to this latest ransomware attack with many organizations invoking their plans and putting processes in place to ensure that it didn't turn into a crisis.

Organizations of all sizes need to develop a business continuity programme. If you haven't already done so, read the Good Practice Guidelines Lite Edition, which is free download published by the Business Continuity Institute that offers some basic guidance on the steps you will need to take.

In Oklahoma, for each barrel of oil extracted by energy companies, seven to 10 barrels of wastewater are produced. Oil and gas companies use a technique called ‘dewatering,’ which allows a cheap separation of oil and water, making old geologic formations economic. The water, which sits underground for millions of years getting saltier and nastier with the passage of time, must be disposed of safely. Oil companies send it to disposal wells where it is injected deep into the earth. This disposal process has been linked to an increase in earthquakes because the injected wastewater counteracts the natural frictional forces on underground faults and, in effect, “pries them apart”, thereby facilitating earthquakes. Because of wastewater disposal earthquakes on natural faults are occurring faster than they would have happened otherwise.

The spate of earthquakes in Oklahoma (Figure 1) over the past few years has driven earthquake insurance take-up rates in that state from 2 percent to 15 percent (higher than in California).  According to NAIC data from S&P Global Market Intelligence and the I.I.I., direct premiums written from earthquake insurance in Oklahoma increased by over 300 percent from 2006 to 2015 (Figure 2). The Oklahoma market has been declared noncompetitive as only four companies combine to write a 55 percent market share. The action gave the state Insurance Department the right to approve rate changes in advance. Some insurers suggested a better solution would be to encourage competition rather than increase regulation.



Cybersecurity is now a C-Suite concern. Major business disruptions, compromised customer data, bank heists and even state-sponsored hacks have prompted boards and CEOs to action.

In the past few years, organizations have been scrambling to recruit Chief Information Security Officers (CISOs). Accountability for cyber risk has risen as the number and magnitude of attacks has climbed well past the nuisance level into the sphere of major business risk.

How effective this management strategy will be in arresting the modern plague of cybercrime remains to be seen. A recently published global survey of C-Suite level executives and IT decision-makers1 (ITDMs) revealed a large gap in assessments of cyberthreats, costs and areas of responsibilities. Here are three of the most significant disconnects:



Why have some organizations been around for hundreds of years while others last only five minutes? The key is to create success that lasts. ISO 9004 gives guidance to help companies achieve “sustained success” and has just reached a crucial stage in its revision process.

ISO 9004, Quality management – Quality of an organization – Guidance to achieve sustained success, is currently under revision and has just reached Draft International Standard (DIS) stage, meaning that interested parties can submit feedback on the draft before its final publication in 2018.

The standard provides a framework based on a quality management approach, within which an organization can achieve ongoing success through identifying its strengths and weaknesses, and opportunities for improvements or change. It offers guidance for enhancing the overall quality of an organization by improving its maturity level, namely in terms of its strategy, leadership, resources and processes.



(TNS) - What would you do if…..

That was the question put before multiple county agencies and first responders on Saturday as part of a mock disaster drill held at the Meigs County Fairgrounds and Meigs High School.

“Drills like these are important to test area responders and build a better working relationship between agencies in the event of a real disaster,” stated Meigs County EMA Director Jamie Jones.

Arriving at the school on Saturday morning, first responders, actors and others were given information on the scenario for their role in the mock disaster.



BATON ROUGE, La. — Hurricane season officially begins June 1 and FEMA urges Louisianans to prepare. Getting ready now goes a long way in saving lives and reducing property damage later.

Readiness for the tropical season depends on preparing, planning and staying informed.


  • Update your disaster kit. Ready.gov recommends gathering a number of items such as: a three-day supply of non-perishable food and bottled water, a battery-operated radio, a flashlight, extra batteries, cash, medicines, a first aid kit, pet foods, and important family documents.
  • Cut down or trim damaged trees and limbs, clear out debris from pipes or culverts so that water doesn’t back up and cause flooding.
  • Tie down or take inside unattached outdoor toys and furniture when a severe storm approaches.


Be Informed:

  • Download the FEMA Mobile App for disaster-related information.
  • Listen to NOAA Weather Radio  or local radio or TV stations for up-to- date storm information, and be prepared to take action.
  • Search the internet or log on to Twitter with the name of your metropolitan area and the word “alerts” to be connected to the latest information.
  • Wait until local officials say it’s safe to return home before doing so.

Those who live in FEMA manufactured housing units should know this temporary housing does not provide safe shelter during a hurricane or tornado. Here are some tips for those who live in FEMA MHUs:

  • Leave an MHU when there are tornado or hurricane warnings.
  • All FEMA MHUs come equipped with weather radios; listen for storm warnings.
  • Put important items on high shelves in case of floods.

More information may be found online at www.fema.gov/pdf/areyouready/areyouready_full.pdf.




Louisiana Emergency Preparedness Guide

Get A Game Plan App 

Louisiana 2-1-1 provides information about available health and human services.
National Flood Insurance Program or call or call FEMA at 1-800-427-4661.

Thursday, 18 May 2017 15:51

FEMA: Prepare Now for Hurricane Season

The Business Continuity Institute

This news item contains embedded media. Open the news item in your browser to see the content.

The recent ransomware attacks affecting about 200,000 networks across 150 countries, including the NHS in the UK, is a stark reminder, as if one were needed, of just how great the cyber threat is.

Our modern world is heavily reliant on IT systems, and although these systems provide many benefits, they also have their pitfalls. Research conducted by the Business Continuity Institute presents the inevitability of an attack with the Cyber Resilience Report showing that two-thirds of organizations had experienced an incident during the previous year, and 10% had experienced at least ten.

Collectively we must do more to make our organizations more cyber secure. While there are mechanisms that organizations can put in place to improve cyber security, there are also steps that individuals can take. Several studies have shown that the insider threat is as much of a concern as external threats. This may not necessarily be down to malicious activity, or even negligence, sometimes it could just be down to a simple mistake.

In a new paper published by the BCI – Building resilience by improving cyber security – it is revealed that several activities which many of us perform out of habit could be making our organizations more vulnerable to the cyber threat, and identifies six simple steps that each of us can take to help improve security.

  1. Use strong passwords – A study showed that ‘123456’ was the most common password used among a given sample, and the rest of the top twenty weren’t much better. By using weak passwords it makes it far easier for intruders to gain access to our systems.
  2. Keep passwords safe – It’s all very well having a strong password, but if we’re writing that password down on a post-it note and leaving it next to our computer then we are leaving ourselves extremely vulnerable.
  3. Lock unattended computers – With studies showing the insider threat to be as much of a concern as external threat, we need to be more careful of who has access to our computers.
  4. Be cautious of public Wi-Fi – By accessing a public network, you are also potentially allowing that network, and anyone on it, access to your computer. If you are on public Wi-Fi, use a VPN to help improve security, and don’t share sensitive information.
  5. Don’t plug in untrusted devices – The report revealed that even devices from reputable sources can contain malware, so never plug an untrusted device into your computer.
  6. Don’t click on unknown links – Many attacks such as ransomware take place because users have clicked on a link they shouldn’t have and invited the intruders in. We must develop a culture whereby we think twice before clicking on links, however enticing they may appear.

Download your free copy of 'Building resilience by improving cyber security' by clicking here.

The UK may not be hit by monsoons, but it has had its share of overflowing rivers and torrential rain wreaking havoc on British homes over the last decade.

It’s particularly England and Wales that have suffered from flooding issues; Hull in 2007, Cumbria in 2009 and many UK areas in the 2013/14 winter. The Environment Agency estimate that five million Brits actually live or work in flood danger zones.

Needless to say, if your home is listed as a flood risk, it’s important to protect the property as much as you can from any potential dangers. You should also be sure to have adequate home insurance in the event your property is affected by flooding. It’s also worth knowing a little about Flood Re, a collaborative project between the Government and insurance companies. This scheme, launching during 2015, will ensure home insurance is available and affordable for properties at high risk of flooding.

With that said, no insurance can cover you protect you from the disruption and emotional trauma caused from flooding in your home or business. What’s more, many people seem unsure how best to protect their properties. What action can you take to minimise the impact of flooding on your property?



(TNS) - Boise River Flood District No. 10 might spend the next three years pulling out all of the trees that have fallen into the river this spring or are leaning so badly they soon will, said Bill Clayton, chairman of the flood control district’s board of commissioners.

That’s just for the area inside the district’s boundaries, which stretch from the Plantation Golf Course near State Street in Boise to just east of the Interstate 84 bridge over the river in Caldwell, Clayton said.

As federal water managers prepare to raise the Boise River to its highest flows since 1983 Tuesday, there are likely more trees, debris and other challenges ahead for the district’s crews to handle this spring. Clayton guessed crews will find hundreds of downed or compromised trees by the time the flooding stops.



The web offers a lot of opportunities, but with them, threats are sure to follow. The faster the technological advance, the more security gaps appear. Just in the last year, we’ve seen an unprecedented increase in the number of denial of service (DoS) attacks. DoS attacks account for more than 55% of all annual cyber crime and are the most costly cyber crimes. These attacks specifically target the vulnerabilities of hosting, nameserver, and IT infrastructures.

Denial of service renders a website or system unavailable to users, and a successful one can hit an entire online user database. That’s why DoS awareness and protection is critical to any cyber security plan.

What Is a DoS Attack?

In short, the purpose of a DoS attack is to make a host, device or environment unavailable for its intended purpose. The attacker typically causes the disruption by flooding the device with excessive requests, overloading the device and preventing the fulfillment of legitimate requests. Think of when a website is extremely slow due to increased traffic. DoS attacks simulate increased traffic through automated processes.

A cyber criminal often uses a DoS attack to take down websites, but they can also cause disruption on any application environment in order to prevent business functions from operating normally.



Wednesday, 17 May 2017 15:10

What is a DoS Attack?

The Business Continuity Institute

As business enters the digital age, cyber resilience must become a regular agenda item for boards and excos. Given the extent of the cyber risks companies face, and their extreme reliance on ICT, cyber security is only a partial answer. Nobody can identify and prepare for all the risks that threaten ICT systems, so it is essential that security and risk mitigation measures are part of a wider programme to ensure that the organisation can detect a cyber attack, respond appropriately and recover operational functionality.

There are signs however that the C-suite may not yet have come to grips with the nature of the challenge posed by the digitalisation of business, and thus the extreme need to look beyond cyber security.

Research from a leading consulting firm has shown that CEOs, CIOs and Chief Information Security Officers (CISO) alike remain confident about their cyber security measures - while security breaches are quite high. This misplaced confidence is surely one of the primary contributory causes for the belief that, at present, the bad guys appear to have the upper hand.

Despite financial service respondents admitting the number of detected incidents remaining relatively unchanged from 2013, last year saw that a 154% increase was evident in the number of detected security incidents against retail and consumer products companies, with the number of e-mail compromises and ransomware threats a growing risk, and phishing at the top of the log of these concerns. So much so, that research has shown security investments increased 11% in the last year, and 41% of these companies aim to address these concerns by increasing their budgets respectively. CISO’s roles are increasingly growing to become pertinent to Boards directly, as a matter of urgency to address the reality of cyber related incidents.

Regulatory authorities are far from unanimous about how data ought to be protected, as the current roll-back of existing US data privacy regulations by the Trump administration shows. These kinds of regulatory gaps offer unscrupulous operators plenty of opportunity.

The growing use of accelerometers on mobile devices to report on physical activity as part of health/ wellness programmes shows just how new threats are manifesting all the time. These and similar apps are insecure, and can allow hackers to 'eavesdrop' on keystrokes, and so access passwords and other sensitive information. The same vulnerability is multiplied across industrial systems as the Internet of things takes hold, and insecure sensors and similar devices proliferate. A hacker could thus use a sensor tracking the flow of chemicals or fuel to shut a plant down, dramatically affecting whole value chains or, in the case of a power utility, the national economy.

We must accept that event and technology based security is no longer adequate to protect the organisation’s very ability to function. Organisations must begin taking proactive action to subsume cyber security into the broader, strategic initiative of cyber resilience.

Cyber threats cannot be considered and provided for in isolation; they must be integrated into business and organisational strategic thinking, and specifically into the business continuity management lifecycle. In so doing, the organisation will move away from a compliance mindset, becoming better able to identify cyber risks and recover from cyber incidents. In other words, becoming a cyber resilient organisation. To achieve this, cyber resilience needs to be integrated into the very corporate culture. It must form part of existing policies, rather than a silo of new ones; very critically, a cyber recovery plan must be part of the overall recovery plan.

The end goal should be that the organisation have processes and procedures in place to identify the risks it faces, mitigate them and recover from the materialisation of any risk. Focusing on specific responses to specific threats becomes counterproductive when the risk is multiplying so rapidly.

Business Continuity Awareness Week (BCAW2017) [15-19 May] this year explores the issue of cyber resilience. Find out more about the series of webinars designed to explore this critical subject.

Karen Humphris CBCI is the Senior Manager Advisory Services at ContinuitySA, and Alex Ferguson is an Intern at ContinuitySA.

The massive cyberattack targeting computer systems of businesses, government agencies and citizens in more than 150 countries is now being linked to the North Korean government. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom to be paid in the virtual currency bitcoin equivalency of about $300.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software was transmitted via email and stolen from the National Security Agency. It targeted vulnerabilities in Windows systems in one of the largest ransomware attacks on record. The virus took advantage of a weakness in Microsoft’s Windows operating system. Although the flaw was patched by the company, not all users had applied the update.Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.



Tech buying in business and governments is clearly shifting from the sole or primary control of the CIO and the tech management organization and into the hands of business leaders.  But how much is this happening? Anecdotal comments and surveys – including Forrester’s own Business Technographics surveys – suggest that most tech purchases are now controlled by business executives.  However, in our just-published report, “C-Suite Tech Purchasing Patterns,” Forrester’s analysis shows that the shift of tech buying from the CIO to business executives is much less dramatic, with just 5% of all new tech purchases fully controlled by business by 2018.  Moreover, this shift varies dramatically by C-level executive. CMOs and eCommerce heads have the highest proportion of new project spending under their control, but CFOs, COOs, supply chain heads, and heads of customer service are much less likely to go it on their own.

The big issue in making statements about who is buying technology is the fundamental difference between how consumers buy technology and how businesses and governments buy tech.  In business and government, there is seldom one person who makes the decision to buy a piece of technology.  Instead, there is a complex process of identifying a business need, finding and choosing a vendor with the right technology solution, implementing that solution, and making sure it is working well.  Different stakeholders will be involved in each stage of this process.  The growing tech-saaviness of business leaders and the wider availability of cloud solutions does mean that business leaders are playing a bigger role in the front end of this process. But the persistence of licensed software, the growing adoption of cloud as a replacement for licensed software, and challenges of implementing and optimizing solutions mean that CIOs and tech management teams still play a dominant role in overall tech purchases by businesses and governments.

Key findings of Forrester’s analysis of data on actual tech purchases:



During a keynote at his company’s big annual conference in Silicon Valley last week, NVIDIA CEO Jensen Huang took several hours to announce the chipmaker’s latest products and innovations, but also to drive home the inevitability of the force that is Artificial Intelligence.

NVIDIA is the top maker of GPUs used in computing systems for Machine Learning, currently the part of the AI field where most action is happening. GPUs work in tandem with CPUs, accelerating the processing necessary to both train machines to do certain tasks and to execute them.

“Machine Learning is one of the most important computer revolutions ever,” Huang said. “The number of [research] papers in Deep Learning is just absolutely explosive.” (Deep Learning is a class of Machine Learning algorithms where innovation has skyrocketed in recent years.) “There’s no way to keep up. There is now 10 times as much investment in AI companies since 10 years ago. There’s no question we’re seeing explosive growth.”



“When life gives you lemons, make lemonade,” goes the popular saying, which inspires us to tackle life’s challenges in a positive way to help us grow and learn from hardships. For organizations struggling to meet the upcoming GDPR compliance deadline in May 2018, it may be difficult to view the massive data privacy compliance project as a positive, a piece of investment that can change the way an organization stores and handles user data for the better.

But how can an organization successfully turn GDPR “lemons” into lemonade? By using this time to solidify its overall compliance strategy, an organization can get a return on its GDPR compliance investment. Below is a quick summary of the payoff an organization can potentially see from implementing a comprehensive GDPR strategy:



Tuesday, 16 May 2017 15:43

Turn GDPR Compliance into Lemonade

The National Emergency Number Association (NENA) said that in light of the recent ransomware attack that hit both private- and public-sector entities in multiple countries, it was not aware of any attacks on public safety answering points (PSAPs) or 911 service.

It said it was issuing a special alert to help its members defend against any attacks that may occur, according to a news release.

The so-called “WannaCry” attack leveraged recently released vulnerabilities and exploit techniques to take control of Windows-based computers. The attack software infects vulnerable machines and demands $300 or more in bitcoin. Victims that don’t pay are threatened with deletion of the encryption key, and that renders their data irretrievable.



Data is the perimeter, defend it that way

Unless you have been living under a rock or possibly hiding in the mountains of Montana with a giant beard and eating way too many government issued MRE’s you probably heard about the nuclear bomb of a ransomware attack that kicked off last week.  Welcome to the post apocalypse folks.  For years, many of us in the cybersecurity industry have been jumping up and down on desks and trying to get the world (writ large) to pay attention to managing and patching outdated systems and operating systems that have been running legacy software, to no avail.  Now that Pandora’s box has been opened and the bad guys have use the NSA leaked tools as weapons platforms all the sudden everyone gives a dang.  I caught no less than 17 talking heads on the news this morning stating that “this is the new reality”, and “cybercrime is a serious threat to our way of life.”  Duh, also water is wet and fire is hot.  Thank you news.  

Regardless of all the bad that is bouncing around the news and everywhere else today (and as I type this I can literally see a pew pew map on CNN that looks like a Zika Virus map showing the spread of WannaCry dominating the screen behind the anchor team) the reality around this “massive hack” and “global attack” is that if folks didn’t suck at patching their systems and followed basic best practices instead of crossing their fingers and hoping that they didn’t get hit the “end of days malware” would be basically ineffective.  The “hack” targets Windows XP systems, an old, outdated, unsupported OS that should have been pulled from use eons ago.  And if the legacy system running that OS couldn’t be pulled, IT SHOULD HAVE AT LEAST BEEN PATCHED.  Problem solved, or at least made manageable.



The Business Continuity Institute

“Maybe you are busy looking for a way to recover your files but do not waste your time.
Nobody can recovery your files without our decryption service.”

This is what users infected by the WannaCry virus read on their screens having accidentally let the malware in. Unfortunately, the criminals were not lying in this case, as most businesses are not equipped to decrypt their files following an attack like this within an acceptable timeframe. Some might be able to recover their files, especially when the malicious code is not too sophisticated, but it is likely that it will take a long time and thus incur significant financial losses to do so. Dealing with an infection once it happens can be painful; however, the good news is that by following the right guidelines it is possible to drastically reduce the chances of that happening.

At this regard, it is interesting to look at the threat, in order to better understand the response. According to Kaspersky lab, WannaCry is an encryption programme that uses an exploit, which is a piece of software that takes advantage of the weaknesses in an operating system (in this case Windows) in order to install malware. The main ways to bring the exploit into a computer include clicking on the wrong link or downloading a malicious attachment from an untrusted source. Once the malware is into the system, it encrypts all or part of its data and asks the victims to pay a ransom in bitcoins. If they do not pay within a few days, they can forget about all the hard work and long hours they spent in front of that machine and sadly they can start counting their losses.

The case of WannaCry shows once again how the weakest link in a computer system is the human operating on it. There is no firewall that will protect a computer from an employee clicking on the wrong link thinking it’s just another invoice. Industry research shows that the vast majority of ransomware is delivered through phishing and social engineering attacks, revealing the need for better education and awareness-raising programmes. Information security experts are doing an excellent job in designing the right technical solutions against cyber criminals, yet they might be struggling to deal with the human aspect.

In this respect, business continuity (BC) professionals can provide a great deal of help, as their job is to know a business from top to bottom, understand its weaknesses, and make sure everyone is aware of their role when preparing for a crisis. Continuity and recovery tactics place a big emphasis on resources, such as IT and information equipment, also taking into account people, premises, and suppliers. The strategies adopted for recovery by BC professionals include replication, which means being able to recreate the necessary conditions to keep the business running while the main site is not operational. Thus, a BC professional will always make sure business-critical resources such as data are backed up, in case something (such as ransomware) makes them suddenly unavailable. Backing up files is the most effective and quickest solution to get up and running after being hit, and it is sometimes neglected as a practice due to a lack of threat awareness, rather than technical ability. BC professionals will know how to embed a strong safety culture among staff members, having experience in managing awareness campaigns. This can go a long way when trying to educate employees on how to avoid falling for phishing or social engineering attacks. After all, organizations are already starting to move in this direction. According to a BCI survey, 75% of the respondents had business continuity arrangements in place to deal with cyber disruptions.

The recent attack presents a great opportunity for organizations to improve their response and make lasting changes to become more cyber resilient. In the next few weeks, 'ransomware', 'back-up' and 'disaster recovery' will probably be the buzzwords of the moment, but the real challenge will be not to forget about them in the long term. Business continuity professionals have been advocating for better arrangements to prevent disruptions of this kind for a long time, and they will keep doing so. Thus, if you’re looking for someone to thank for implementing the right measures the next time ransomware strikes, business continuity professionals are likely to be the right choice for your business.

Gianluca Riglietti CBCI is currently a Research Assistant at the Business Continuity Institute, where he provides support in managing publications and global thought leadership initiatives. He graduated at King’s College London in 2015, completing a Master’s in Geopolitics, Territory and Security.

The Business Continuity Institute

Despite the Wanna Decryptor ransomware attack affecting a reported 200,000 systems across over 150 countries, and despite the tales of disaster we are reading about in the media, the encouraging news from many organizations is that their business continuity process is preventing a disruption from turning into a crisis.

As a result of this latest attack, organizations across the world, including many NHS Trusts in the UK, have been invoking their business continuity procedures, ensuring that the priority activities are carried out, an appropriate level of service is provided to customers and any damage to reputation is limited.

“With a major incident now declared by NHS England, it is evident just how disruptive cyber attacks such as ransomware can be,” said David Thorp, Executive Director of the Business Continuity Institute. “Organizations must have mechanisms in place so they are prepared to deal with the consequences of a cyber security incident, or in fact any other type of incident, and can continue as near ‘normal’ operation as possible, while maintaining the confidence of their stakeholders.”

The modern business environment is heavily reliant on IT systems, and although these systems provide many benefits, they also have their pitfalls, which stem from this reliance. Research conducted by the Business Continuity Institute presents the inevitability of an attack with the Cyber Resilience Report showing that two-thirds of organizations had experienced an incident during the previous year, and 10% had experienced at least ten.

The dramatic effects of an attack such as last Friday’s should not be underestimated, yet organizations, such as the NHS, have managed to keep operating under attack. All Trusts are required to have in place an effective business continuity plan, and it is testament to the effectiveness of this planning that disruption has not been more severe.

All businesses can develop similar levels of resilience. It is business continuity that makes an immediate difference during any kind of emergency, crisis or disruption. It is what makes an organization resilient, ready to respond and carry on, even amid difficult circumstances. Yet business continuity cannot be improvised. It requires specialised and trained staff as well as the support of everyone within an organization – from executive management to junior staff.

David Thorp added: “The Business Continuity Institute has a range of free resources, via our website, that can be accessed by businesses and other organizations that need to avoid damaging disruptions to their activities. If prevention fails it is essential that smooth operations are maintained.”

Founded in 1994 with the aim of promoting a more resilient world, the Business Continuity Institute (BCI) has established itself as the world’s leading Institute for business continuity and resilience. The BCI has become the membership and certifying organization of choice for business continuity and resilience professionals globally with over 8,000 members in more than 100 countries, working in an estimated 3,000 organizations in the private, public and third sectors.

The vast experience of the Institute’s broad membership and partner network is built into its world class education, continuing professional development and networking activities. Every year, more than 1,500 people choose BCI training, with options ranging from short awareness raising tools to a full academic qualification, available online and in a classroom. The Institute stands for excellence in the resilience profession and its globally recognised Certified grades provide assurance of technical and professional competency. The BCI offers a wide range of resources for professionals seeking to raise their organization’s level of resilience, and its extensive thought leadership and research programme helps drive the industry forward. With approximately 120 Partners worldwide, the BCI Partnership offers organizations the opportunity to work with the BCI in promoting best practice in business continuity and resilience.

The BCI welcomes everyone with an interest in building resilient organizations from newcomers, experienced professionals and organizations. Further information about the BCI is available at www.thebci.org.

The Internet of Things (IoT) is rapidly expanding. Our homes, cars and workplaces are filling with connected devices designed to cater to our personalized needs. They respond to our instructions, whether delivered through a mobile app or a spoken command, and they collect data about our activities in order to better anticipate our needs. All of this data collection creates a digital trail of consumers’ lives, which becomes richer and more detailed as multiple sources of data are combined. Big data analytics offer seemingly endless opportunities to use and commercialize this data in new ways.

Yet unanticipated uses and disclosures of user data may compromise consumer privacy and even undermine consumer trust. As a result, companies will need to pay increasing attention to privacy compliance in the IoT space as courts and regulators focus on issues such as notice, choice and security.

A recent FTC settlement with the smart TV manufacturer Vizio, Inc. highlights several key privacy compliance challenges facing companies in the IoT space. In the settlement, which included a hefty payment of $1.5 million, the FTC reiterated its position that collecting and using information in ways that surprise consumers — such as Vizio’s collection and sharing of consumers’ television viewing activity via its connected televisions — requires “just-in-time” notice and choice. In addition, the FTC expanded its view of what constitutes sensitive personal information to include consumers’ television viewing activity, an indication that regulators are willing to look beyond traditional concepts of personal information as they evaluate new types of data collected by connected devices.



Monday, 15 May 2017 14:26

Compliance in a Connected World

If you’re a marketer struggling to decipher the complicated marketing technology landscape of more than 5,000 vendors – and show me a marketer who isn’t – then I have some good news for you. It won’t be as easy as following the yellow brick road, but you can begin to make sense of today’s seemingly infinite array of enterprise marketing technology (EMT) offerings.

Two of my research areas at Forrester are Cross-Channel Campaign Management (CCCM) and Real-Time Interaction Management (RTIM). I field myriad inquiries on both, as they are critical, confusing, and conflated in terms of technology and vendor overlap. While CCCM primarily focuses on automating marketing-driven campaign strategies for outbound channels, and RTIM primarily focuses on next-best-action strategies for customer-initiated interactions via inbound channels, both rely heavily on systems of insight (customer data and analytics) and systems of engagement (automated content and interactions). And both cover multiple inbound, outbound, digital, and offline channels.

CCCM is evolving as marketers strive to align highly personalized marketing campaigns with customer-initiated interactions to drive deeper levels of engagement throughout the customer life cycle. I addressed this evolution in The Forrester Wave™: Cross-Channel Campaign Management, Q2 2016, which featured 15 leading vendors. Since the CCCM space is much broader, earlier this year I also published the Vendor Landscape: Cross-Channel Campaign Management, and it adds a further 32 vendors to the mix, categorizing them as enterprise, small, or regional players, and reviewing capabilities such as vertical expertise or content management.



Did you watch the Snowden video? Life (and our work) would be more predictable if everything existed in the Ordered Domain – but in the real world it doesn’t.

Our organisations, especially when viewed in the contemporary risk/threat/vulnerability environment are complex adaptive systems. When we promote simple (which often become simplistic) solutions we are essentially doomed to fail.

I guess that brings me to the most recent contribution to the debate. Charlie Maclean Bristol’s “Revamping the business continuity profession” published in April 2017.

The Oxford Dictionary tells us that “revamp” (with an object attached) is a verb and it means

“Give new and improved form, structure or appearance to”.

Let see which of these elements are applicable here.

The starting premise is that the discipline has lost it’s “mojo” in recent years. If you are not familiar with the term beyond Austin Power’s losing his, it would imply that BC has either lost its voodoo charm bag, its libido or run out of morphine.



The components of the global cyberattack that seized hundreds of thousands of computer systems last week may be more complex than originally believed, a Trump administration official said Sunday, and experts warned that the effects of the malicious software could linger for some time.

As a new workweek started Monday in Asia, there were concerns the malicious software could spread further and in different forms, with new types of ransomware afflicting computers around the globe.

There were initial reports of new cases found over the weekend in Japan, South Korea and Taiwan.

President Trump has ordered his homeland security adviser, Thomas P. Bossert, who has a background in cyberissues, to coordinate the government’s response to the spread of the malware and help organize the search for who was responsible, an administration official said Sunday.



The Business Continuity Institute

NHS services across England have been hit by an IT failure caused by a significant cyber attack, with Trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire all affected. Some GP surgeries have shut down their phone and IT systems while Accident and Emergency Departments have told people not to attend unless it is a real emergency.

NHS Digital said in a statement that a number of NHS organizations have been affected by a ransomware attack, believed to be the malware variant Wanna Decryptor, but it was not specifically targeted at the NHS and is affecting organizations from across a range of sectors.

At this stage there is no evidence that patient data has been accessed. NHS Digital say they are working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organizations and ensure patient safety is protected. The focus is on supporting organizations to manage the incident swiftly and decisively.

Ransomware attacks are becoming more and more commonplace with public sector organizations arguably receiving an unfair proportion of the attacks due to a perceived, or perhaps even an actual, weakness in their cyber defences. Threats to our organizations in the cyber world can be just as disruptive as any physical event. With healthcare providers across the country having to cancel services, it is clear that this is an alarming situation for the NHS.

“It doesn’t matter where the threat comes from, organizations must have plans in place to deal with the consequence of disruptive events” said David Thorp, Executive Director of the Business Continuity Institute. “By putting plans in place to deal with such events, it means that organizations are better prepared to manage through them, lessen the potential impact, and still provide an appropriate level of service to their customers.”

So how do organizations prepare for a possible ransomware attack? First and foremost, they must make sure that their data is backed-up. If it data is backed-up and the organization experiences a ransomware attack then they can isolate the ransomware, clean the network of it, and then restore the data from the back-up. It’s not necessarily an easy process, but it means they don’t lose all their data and they don’t pay a ransom.

Make sure the operating system and installed software are up to date with the latest security patches, and that anti-virus and anti-malware tools are conducting regular scans of the network so they can pick up anything malicious before damage can be done. Configure access controls to the file directory so users can only access the files they need. The more restricted the flow of data is across the network, the better chance there is of stemming the spread of a ransomware attack.

They do say that prevention is better than cure, so one way to reduce the impact of ransomware is to stop it happening in the first place. The vast majority of the time, the user has to do something to install the software – click on a link, open an attachment – so if the user doesn’t do that, then the software can’t install. It may not be quite as simple as that, but it is important to develop a culture whereby users think twice about their actions.

With Business Continuity Awareness Week taking place next week, and event themed around cyber security and the need for organizations to make sure they prepared for disruptive events in the cyber world, the Business Continuity Institute is calling on all organizations to make sure they have plans in place to deal with such events so that disruptions don’t turn into disasters.

U.S. government agencies would need to increase the annual salaries of information security personnel by approximately $7,000 to equal the annual salaries of their private sector counterparts, a recent survey of 2,620 U.S. Department of Defense, federal civilian and federal contractor employees found.

The survey [PDF], sponsored by (ISC)2, Booz Allen Hamilton and Alta Associates, also found that 87 percent of respondents said hiring and retaining qualified information security professionals is key to securing an organization's infrastructure.

"It's crystal clear that the government must enhance its benefits offering to attract future hires and retain existing personnel given its fierce competition with the private sector for skilled workers and the unprecedented demand; unfortunately, the layers of complexity involved in fulfilling that goal are significant," (ISC)2 managing director Dan Waddell said in a statement.



With the Atlantic hurricane season’s official start on June 1, the time to check your buildings and existing contingency plans—or start a new one—is now, during hurricane preparedness week.

For 2017, Colorado State University’s hurricane research team predicts slightly below-average activity of hurricanes making landfall, with a forecast of 11 named storms, four hurricanes, and two major hurricanes.

The 2016 season is seen as a wakeup call, as 15 named storms and seven hurricanes formed in the Atlantic Basin—the largest number since 2012. Among the hurricanes was Matthew, a Category 4, which devastated Haiti, leaving 546 dead and hundreds of thousands in need of assistance. After being downgraded to a Category 2, Matthew pummeled southeast coastal regions of the U.S., with 43 deaths reported and widespread flooding in several states.



Friday, 12 May 2017 16:44

Make Your Hurricane Preparations Now

Small businesses are increasingly vulnerable to cyberattacks. A new website launched by the Federal Trade Commission (FTC) is aimed at helping small business owners be better prepared.

The site – ftc.gov/SmallBusiness – is a one-stop shop where small business owners can find information to protect themselves from scammers and hackers, as well as resources they can use if they are hit with a cyberattack.

Online FTC resources include a new Small Business Computer Security Basics guide with information to help companies protect their files and devices, train employees to think twice before sharing the business’s account information, and keep their wireless network protected, as well as how to respond to a data breach.



I recently heard a segment on WBUR (a public radio station in Boston) on the emergence of microgrids and I was amazed at how much the concept of microgrids closely aligned with the concept of microperimeters within our Zero Trust model of information security. Zero Trust is a conceptual and architectural model for how security teams should redesign networks into secure microperimeters, increase data security through obfuscation techniques, limit the risks associated with excessive user privileges, and dramatically improve security detection and response through analytics and automation. Zero Trust demands that security professionals move away from legacy, perimeter-centric models of information security - which are useless for today's digital businesses no longer bounded by the four walls of their corporation - to a model that is both data and identity centric and extends security across the entire business ecosystem.



The Business Continuity Institute

Gianna Detoni FBCI, from Panta Ray Consulting in Italy, being presented with her Industry Personality of the Year award by James McAlister FBCI, Chairman of the Business Continuity Institute

At an Awards Ceremony at the Principal Hotel in Edinburgh, Scotland last night, the Business Continuity Institute presented its annual European Awards to recognise the individuals and organizations who have excelled in the field of business continuity and resilience throughout the year.

The European Awards are one of seven regional awards hosted by the BCI each year, and culminate in the annual Global Awards held in November during the Institute’s annual conference in London, England. They are designed to recognise the individuals and organizations who have excelled in the field of business continuity and resilience throughout the year.

Business continuity is an established industry across the continent, so the standard of entries to the BCI European Awards is always incredibly high, and this year was no different, giving the judges some tough decisions to make. All those who were on the shortlist can take great pride in their achievement, however there can only be one winner in each category, and those celebrating on the night were:

Continuity and Resilience Consultant
Petra Morrison MBCI, Daisy Group

Continuity and Resilience Professional Private Sector
Rob van den Eijnden AMBCI, Philips

Continuity and Resilience Professional Public Sector
Russ Parramore MBCI, South Yorkshire Fire and Rescue

Continuity and Resilience Newcomer
Timothy Dalby-Welsh AMBCI, Needhams 1834

Continuity and Resilience Team
Chief Fire Officers Association

Continuity and Resilience Provider (Service/Product)
ClearView Continuity

Continuity and Resilience Innovation

Most Effective Recovery
BPER Banca

Industry Personality
Gianna Detoni FBCI, Panta Ray

James McAlister FBCI, Chairman of the Business Continuity Institute and host of the Awards Ceremony, commented: "Once again I have been impressed with the high standard of entry we had for the BCI European Awards. Each and every one of the nominees has done an incredible job in helping to build resilience in a world full of disruptions. I would like to offer my congratulations to all the winners who are a credit to the industry, and I am delighted that the Business Continuity Institute is able to honour their hard work and dedication through these awards."

Keith Tilley, EVP and Vice-chair of Sungard Availability Services, said: "Sungard Availability Services has a long history in supporting the advancement and development of the continuity, resilience and availability industry, whether across standards development, proactive involvement in industry for a or rewarding attainment. To this end we’re delighted to be sponsors of this year's BCI European Awards, which are designed to recognise the outstanding contributions of business continuity, risk and resilience professionals and organizations."

The Business Continuity Institute

More than two-thirds (70%) of IT managers at small and medium sized enterprises say budget considerations have forced them to compromise on security features when purchasing endpoint security, according to a survey by VIPRE. Overall, price was the top factor in endpoint security purchases (chosen by 53% of respondents), followed by ease of use (47%), feature set (41%), support (34%), advanced detection technology (31%), cloud-based management (29%) and ransomware (2%).

"SME IT managers need to better recognize the security dangers facing their organizations," said Usman Choudhary, chief product officer at VIPRE. "Ransomware alone was responsible for $1 billion in cyber-extortion payments last year, according to the FBI, but only 21% of survey respondents considered ransomware as a factor when they purchased endpoint security. We understand that price and budgets are a factor but forgoing advanced protection features such as those available through VIPRE can put a company at risk."

As ransomware attacks and awareness of the threat increases, 53% of respondents would recommend negotiating a payment to the attackers. This represents a significant increase from a 2015 survey where only 30% of IT security pros said they would negotiate. The current study also noted that 82% of companies suffering a cyber attack in the last year would negotiate a ransomware attack.

With ransomware on the rise, perhaps it is no surprise that phishing attacks remain the most pervasive cyber security threat. About 45% of IT managers have had to remove malware from an executive's computer due to phishing, a figure that rises to 56% for larger companies (351-500 employees).

Meanwhile, survey respondents also cited visits to porn websites (26%), letting a family member use a company-owned device (22%), attaching an infected USB stick or phone (22%) and installing a malicious app (21%) as reasons they had to remove malware. Only 25% said they have never been asked to remove malware from an executive's computer.

(TNS) - The Sutter Butte Flood Control Agency will host a meeting next Wednesday to update residents on how years of levee work and hundreds of millions of dollars in improvements have fared these past few months with the high water levels in the Feather River.

"Our focus will be on the work we've done on emergency repairs and some of the future work that is going to be done on the levee to rehabilitate the unimproved levees due to recent high-water events," said Mike Inamine, general manager of SBFCA.

The meeting is an opportunity for community members to learn about SBFCA's Feather River West Levee Project — how it fared during the recent storm events and the Lake Oroville spillway incident, and what still needs to be completed.



All-flash storage is clearly on the up-and-up. Gartner analyst Valdis Filks predicts that by 2020, 50 percent of data centers will use only all-flash arrays (AFA) for primary data, up from less than 1 percent in the middle of 2016. Overall, Gartner expects flash to be the dominant form of enterprise storage within a couple of years. By 2020, the firm predicts all-flash array revenue will reach $9.67 billion.

Who dominates in this field? Just about every vendor says they are number one. Cutting through the hype, what do the analysts say about who leads the way in all-flash arrays (AFAs)? Analyses by both International Data Corp. (IDC) and Gartner agree on some points. For example, both list the top AFA vendors as Dell EMC, Pure Storage, IBM, NetApp and HPE, though not necessarily in that order.



Thursday, 11 May 2017 14:21

Buying Guide: All-Flash Storage

Service Level Agreements (SLAs) need to cover all aspects of a business and their subsidies, which means they are often broad and generic and can leave your data center unprotected. The SLA made with the Original Equipment Manufacturers (OEMs) is used as a way to ensure timely repairs and any service needs. What often happens with a typical SLA, however, is providers can wait until the last minute of a quoted time frame to repair your systems, causing your business costly downtime. Doing this is not a breach of contract, though it can be frustrating for businesses who need to keep equipment in use full-time.

An enhanced support SLA can help avoid these pitfalls.  Enhanced SLAs can supplement your existing warranty, offer flexibility and cost savings, and extend the life of your equipment.

If your business has had problems in the past with an SLA, then it’s time to consider an enhanced support SLA.



Thursday, 11 May 2017 14:20

Data Centers Need Better SLAs

This is part 4 of a multi-part series on the Analytics Operating Model.

As we move forward in our blog series on the Analytics operating model, we pinpoint the essential processes for delivering analytics. Data may be a prerequisite for most of these processes, but a successful solution is born from both science and art. Unlocking business value requires a healthy dose of creativity to work with data in its native state – incomplete and confounding.

Pierre Teilhard de Chardin, a 19th century Jesuit priest and philosopher, may have been one of the first to encapsulate our need for creativity: “Our duty, as men and women, is to proceed as if limits to our ability did not exist. We are collaborators in creation.”

An elusive, but extremely important question in the advanced analytics journey is how to push past the limits and consistently discover new insights.  In one case, valuable insight may be revealed from a clustering algorithm which diagnoses data flow anomalies and points to a potential corporate network breach. In another case, a supervised machine learning model may be required to drive down false positive fraud alerts for consumer credit.



The data center of the future is a constantly evolving concept. If you go back to World War II, the ideal was to have a massive mainframe in a large room fed by punched cards. A few decades later, distributed computing promoted an Indiana Jones-like warehouse with endless racks of servers, each hosting one application. Virtualization upset that apple cart by enabling massive consolidation and greatly reducing the number of physical servers inside the data center.

Now it appears that we are entering a minimalist period: Data center spaces remain but have been so stripped down that all that remains are a few desktops in the center of an otherwise empty space. Like a magic trick by David Copperfield, the Lamborghini under the curtain has disappeared in a puff of smoke. But instead of showing up at the back of the room, the compute hardware has been transported to the cloud. And just as in a magic trick, IT operation managers are applauding loudly.

“We moved backup and disaster recovery (DR) to the cloud and now intend to move even more functions to the cloud,” said Erick Panger, director of information systems at TruePosition, a company that provides location intelligence solutions. “It looks like we are heading to a place where few real data centers will exist in most companies with everything being hosted in the cloud.”



A recent Bromium survey of 210 security professionals in the U.S. and U.K. found that 35 percent of respondents admitted having gone around, turned off, or bypassed their own corporate security settings.

Even more alarmingly, 10 percent of respondents admitted having paid a ransom or hid a breach without alerting their team.

"While we expect employees to find workarounds to corporate security, we don't expect it from the very people overseeing the operation," Bromium co-founder and CTO Simon Crosby said in a statement. "Security professionals go to great lengths to protect their companies, but to learn that their decisions don't protect the business is frankly rather shocking."

"To find from their own admission that security pros have actually paid ransoms or hidden breaches speaks to the human factor in cyber security," Crosby added.



Assurance functions are on the rise. With continued proliferation in global regulations and increased public scrutiny of corporate behavior, companies have made significant investments in assurance programs (e.g., compliance, information security, quality) and control systems. These investments are made to identify and manage the operational, compliance and reputational risks that affect an enterprise’s financial results and brand value.

Unfortunately, despite these investments, legal and other assurance executives like compliance officers and information technology executives feel no more capable of managing risks today than they did 10 years ago. This can largely be traced to the fact that the process of managing risk is complex, and there are often assurance mandates and requirements that overlap between teams. This overlap leads to boards that lack visibility into corporate risks, business leaders who are more risk averse and employees who struggle to get work done while navigating compliance requirements.

So what’s the answer? For most companies, it’s coordinated assurance.



The overriding theme of every disruption story I’ve ever heard is that firms thought they had more time than they did. So, I’ve been pondering the why. We can see disruption happening all around us, but whyis it so difficult to get out in front of it?

Then I slogged my way through Ray Kurzweil’s Law Of Accelerating Returns and it hit me. Digital disruption is about the clash between exponential change and our brain’s wanting things to be linear. Here is what I mean:



Wednesday, 10 May 2017 13:30

Why You Are Getting Disrupted

If it ain’t broke, don’t fix it. That’s been the mantra for the data center throughout much of the IT era, but at what point does the enterprise have to consider the very real possibility that without significant upgrades, the data center of today will no longer provide the support needed for modern applications and workflows?

At the moment, much of the industry is engaged in digital transformation to a new services-driven economy, and it is becoming clear that yesterday’s data infrastructure is woefully inadequate to the task. So without question, it must be modernized, and quickly. The question is, how? Is there value in revamping the local data center for the digital age, or should the enterprise go cloud-native?

No matter how you do it, says VMware’s Muneyb Minhazuddin, the overriding goal should be to abstract infrastructure away from hardware so applications can achieve the flexibility they need to produce real value. The enterprise should start by mapping out which apps require on-premises infrastructure and which can go to the public cloud. Once you have an idea of where you want to be at each point in the transitional timeline, you can set about making the necessary changes in hardware and software. And all the while, you should see steadily improving agility and a greater capacity to innovate as software-defined infrastructure takes hold.



We recently asked Cutter Senior Consultant San Murugesan a question: If you consider the transformation of business to be phenomenal thus far, what do you expect the future of business will be? He answered our questions in his opening statement of a Cutter Business Technology Journal issue focused on the business opportunities in the new digital age:

“Well, it’s definitely not going to be ‘business as usual.’ The business landscape is poised for an unprecedented wave of further innovations and changes. How these will emerge, who will be the leading players in different sectors, and how the changes will affect us — average people in both advanced and developing countries, young and old — are still unknown. Nevertheless, we can make educated guesses, which may eventually become reality.”



Over the past few years, I’ve had the wonderful opportunity to travel the world and visit factories, distribution centers, ports, warehouses, and several offices for the company where I work. Apart from being a great way to see the world, it has also been an opportunity to learn from the ways different cultures see and manage risk.

Coming from Latin America, it was clear to me that the concept of risk management was something not highly promoted or recognized in the region. Companies that operated locally took the approach of using intermediaries to transfer their risks to insurance companies. Occasionally I would find buyers focused on managing their own risks efficiently. But that was more than a decade ago. During my most recent trips to South America, I had the opportunity to see the implementation of a regional affinity program—a collaboration between a well-known broker and our company’s financial operations. In this case, those involved were highly educated in insurance concepts and their understanding of risk acceptance was completely in line with more developed markets.

Another interesting aspect of dealing with this program was the strong relationship between the broker and our office. It was a very cordial and open communication that transcended the usually formal interaction between these parties—and included text messages flying back and forth to get the deal done. In a way, the warm personality of South Americans permeated the business environment. So when it comes to this colorful part of the world, business is, in fact, personal.



Forrester has just published our updated forecast for the US tech market for 2017-2018 (see “US Tech Market Outlook For 2017 And 2018: Mostly Sunny, With Clouds And Chance Of Rain”). We are forecasting growth of 4.8% in 2017 and 5.2% in 2018 for US business and government spending on tech goods, services, and staff. This forecast assumes moderate US economic growth (2% to 2.5% real GDP growth, 4% to 4.5% nominal GDP growth). Considering  this economic outlook, our updated 2017 forecast is slightly less positive than our December forecast (4.8% vs. 5.1%) for US budget growth in 2017, with our new 2018 forecast pointing to a modest improvement next year.

Three main themes define our updated forecast:



More than 80 percent of Americans are more concerned about their online privacy and security today than they were a year ago, a recent AnchorFree survey [PDF] of more than 2,000 Americans found.

Following the recent passage of a bill allowing ISPs to collect users' personal data without their permission, the survey found that over 95 percent of respondents are concerned about companies collecting and selling their personal information without their consent, and more than 50 percent are looking for new ways to safeguard their personal data.

The survey also found that while 70 percent of respondents are doing more today to protect their online privacy than they were a year ago, just one in four believe they're ultimately responsible for ensuring safe and secure Internet access.



The Business Continuity Institute


Despite rising awareness of the threats posed by users with privileged access permissions, most organizations still allow a myriad of internal and external parties to access their most valuable systems and data. Many are placing trust in both employees and third parties without a proven means of managing, controlling, and monitoring the access that these individuals, teams and organizations have to critical systems and networks.

Bomgar's 2017 Secure Access Threat Report revealed that 90% of security professionals trust employees with privileged access most of the time, but only 41% trust these insiders completely. Despite placing a lot of trust in employees by granting them privileged access, security professionals are paradoxically aware of the numerous risks that these individuals pose to the business. While most were not primarily worried about breaches of malicious intent, they were concerned that a breach was possible due to employees unintentionally mishandling sensitive data, or that employee’s administrative access or privileged credentials could easily be phished by cyber criminals. Yet, businesses are still falling behind with only 37% of respondents having complete visibility into which employees have privileged access, and 33% believing former employees could still have corporate network access.

Generally, employees want to be productive and responsible at work, suggesting that most employees are not malicious, but rather skirt security best practices to speed up productivity. This is driving the need for access solutions that prioritize both productivity and usability, without sacrificing security, that can be seamlessly integrated into applications and processes that employees already use.

“It only takes one employee to leave an organization vulnerable,” said Matt Dircks, Bomgar CEO. “With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk. The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access. Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company.”

The report also uncovered that data breaches through third-party access are widespread. External suppliers continue to be an integral part of how most organizations do business. On average, 181 vendors are granted access a company’s network in any single week, more than double the number from 2016. In fact, 81% of companies have seen an increase in third-party vendors in the last two years, compared to 75% the previous year.

With so many third-parties granted access to an organization’s systems, perhaps it’s no surprise that more than two thirds (67%) have already experienced a data breach that was ‘definitely’ (35%) or ‘possibly’ (34%) linked to a third-party vendor. While 66% of security professionals admit that they trust third-party vendors too much, action has not followed this recognition. Processes to control and manage privileged access for vendors remains lax, as evidenced by only 34% of respondents being totally confident that they can track vendor log-ins, and not many more (37%) confident that they can track the number of vendors accessing their internal systems.

“As with insiders, third-party privileged access presents a multitude of risks to network security. Security professionals must balance the business needs of those accessing their systems – whether insiders or third-parties – with security,” added Dircks. “As the vendor ecosystem grows, the function of managing privileged access for vendors will need to be better managed through technology and processes that provide visibility into who is accessing company networks, and when, without slowing down business processes.”

BATON ROUGE, La. — Kim Aucoin moved to Baton Rouge from Charlotte, North Carolina, in March 2016. She was raised in Lafayette and was happy to once again live in her home state of Louisiana. Little did she know that just five months later the area would be devastated by historical flooding.

“My landlord came to the house and said ‘Get out, we’re going to flood,’” said Aucoin. The home had never flooded before, even during a big flood event in 1989, but she said this time her landlord didn’t want to take any chances. Aucoin and her husband, Randy, evacuated to her boss’s home in Prairieville, but before leaving, they placed sandbags around the property. The sandbags didn’t help; the house took in 16 inches of water. 

Aucoin had hazard insurance for her rental home, but it didn’t include damages from rising water.  They did not purchase flood insurance. “I work for an insurance company so why I didn’t get it was just stupidity,” said Aucoin. She wasn’t alone, 39 percent of the residents who flooded in August were not living in a flood-prone area and some didn’t have flood insurance coverage.

While their landlord repaired and renovated the damaged home, the Aucoins lived in a small trailer they borrowed for a few weeks. Then they moved into a hotel and were pleased to find out FEMA’s Individuals and Households Program (IHP) would reimburse them for hotel expenses.  “We received FEMA money within five business days,” Aucoin said. The money was electronically deposited into their bank account which made the process fast and convenient.

Even though the Aucoins contents weren’t a total loss, they still qualified for FEMA assistance and filed a claim.  “It helped us start to replace things,” said Aucoin. Another big help was receiving a Louisiana Electronic Benefit Transfer (EBT) card. “We lost all of our food in the flood and neither the trailer or hotel had a kitchen so it was very helpful.” The $300 EBT card was reloaded once, totaling 600 disaster dollars to assist with grocery expenses.

The Aucoins are some of the fortunate flood survivors in the sense that they were able to move back into their rental house just two months after the August floods. And this time they have flood coverage through the National Flood Insurance Program (NFIP). A smart move since hurricane season begins June 1st and there is a 30-day waiting period between purchasing a policy and the date it goes into effect.  Despite the unsettling start the couple plans to stay in Baton Rouge. Aucoin said, “It’s been a rough few months, but I’m glad to be here.”

NFIP Facts:

  • In Louisiana, flood-related events occur every year.
  • The National Flood Insurance Program (NFIP) provides contents as well as structure coverage for home and business owners.
  • The average annual cost of flood insurance is about $700. Depending on the policy, insurance holders may receive up to $250,000 for home damage.
  • NFIP policies offer coverage for flood damage that federal disaster assistance and most homeowners insurance policies do not cover.
  • NFIP payments are not dependent on state or federal disaster declarations.
  • New flood insurance policies go into effect 30 days after purchase.
  • More than 39 percent of structures flooded in August were located in low- and moderate- risk areas.
  • Properties outside of the Special Flood Hazard Area (SFHA) account for more than 20 percent of the country’s NFIP claims and receive a third of flood-related federal disaster assistance.

Go to www.floodsmart.gov to learn more about any property’s flood risk, estimate an NFIP premium or locate an insurance agent who sells flood insurance.

Visit Floods | Ready.gov for flood information and safety tips.

(TNS) - Higher education and public safety officials across the state say a bill aimed at making campuses safer by allowing people to carry concealed handguns on school grounds would have the opposite effect.

“Based on my 40 years in law enforcement, I know that when there are more guns allowed, there is more risk and less safety,” said Roland LaCroix, chief of campus police at the University of Maine in Orono.

The bill, LD 1370, would require Maine’s universities, community colleges and Maine Maritime Academy to allow people to carry concealed handguns on campus. The Legislature’s Committee on Education and Cultural Affairs held a public hearing on the bill this week, where it met widespread resistance from higher education and public safety officials.



In our Business Continuity and Disaster Recovery planning, we spend much of our time assessing, documenting and developing strategies for when an event may occur. This is all to prepare for or prevent an outage. What is the point of all these preparations? When disaster strikes, you want to get back to normal as quickly as possible. It’s important to go through these three phases of disaster recovery.



Tuesday, 09 May 2017 15:11

The Three Phases of Disaster Recovery

Key Message:

  • Section 404 hazard mitigation and Section 406 hazard mitigation funding are distinct programs with  key differences in their scope, purpose and funding.

Section 404 – Hazard Mitigation Grant Program

  • The 404 funding is used to provide protection to undamaged parts of a facility or to prevent or reduce damages caused by future disasters.
  • The entire state - not just presidentially declared counties - may qualify for 404 mitigation projects.
  • The 404 grant is managed by the State under funding provided for in the Stafford Act. Section 404 mitigation measures are funded under the Hazard Mitigation Grant Program (HMGP).
  • The State receives a percentage of the Total Federal share of the declared disaster damage amount (20%), which it uses to fund projects anywhere in the State, regardless of where the declared disaster occurred or the disaster type.
  • Applicants who have questions regarding the Section 404 mitigation program should contact the State Hazard Mitigation Officer, Tim Cook, 253-512-7072, This email address is being protected from spambots. You need JavaScript enabled to view it..
  • 404 grant funding may be used in conjunction with 406 mitigation funds to bring an entire facility to a higher level of disaster resistance, when only portions of the facility were damaged by the current disaster event.
  • All subapplicants for HMGP must have a FEMA-approved local or Tribal Mitigation Plan at the time of obligation of grant funds for mitigation projects.
    • The Regional Administrator may grant an exception to the local or Tribal Mitigation Plan requirement in extraordinary circumstances when justification is provided. If this exception is granted, a local or Tribal Mitigation Plan must be approved by FEMA within 12 months of the award of the project subaward to that community.

Section 406 – Public Assistance Program

  • The 406 grant is managed by the State under funding provided for in the Stafford Act. Section 406 mitigation measures are funded under the Public Assistance, or Infrastructure, program (PA).
  • The 406 funding provides discretionary authority to fund mitigation measures in conjunction with the repair of the disaster-damaged facilities, so is limited to declared counties and eligible damaged facilities.
  • Section 406 is applied on the parts of the facility that were damaged by the disaster and the mitigation measure directly reduce the potential of future, similar disaster damages to the eligible facility.
  • Applicants who have questions regarding the Section 406 mitigation program should contact the State Public Assistance Officer assigned to their projects.

Last week, I wrote a bit about the dangers of passwords and the relationship with the Google Docs phishing scam that recently broke. Today, I’m going back to the Google Docs issue, but to look at it from a different angle: how scammers continue to use social engineering so successfully.

An eSecurity Planet article touched on this:

Fidelis Cybersecurity threat research manager John Bambenek said by email that the attack is a stark reminder that criminals and nation states are targeting the one thing technology can't fix -- the user. "If you can trick the user into compromising themselves, you have no need for a zero-day," he said. "Security awareness and vigilance of end users are the key to the security of any system."

This echoes what Nathan Wenzler, chief security strategist at AsTech, told me in an email message. Hackers are using attacks such as ransomware and honed spearphishing campaigns to go after the weakest link: people, adding:



(TNS) - Think outside the levee.

As concerns about the state's aging flood-control infrastructure grow, experts are seeking ways to address the San Joaquin River's big-time risks in less traditional ways.

We'll still need to strengthen our levees and dams in the future, of course. But a recently released draft plan contains some new and creative ideas that could help save hundreds of lives and prevent billions of dollars in damages.

There may be other benefits, too: Improving conditions for endangered fish, reducing pollution, or providing new recreational opportunities.



Hurricane season has yet to begin and already record-setting flooding in parts of the central United States will likely become the country’s sixth billion-dollar disaster event of 2017.

While Missouri and Arkansas have been hit the hardest, recent flooding in the central U.S. has been widespread and it will likely take weeks before the full extent of flood damages is known.

So far, 2017 has seen five billion-dollar disaster events, including one flooding event, one freeze event, and 3 severe storm events, according to NOAA.



The Business Continuity Institute

Research commissioned by Crises Control from the Business Continuity Institute for their annual cyber resilience report 2016 confirms much of what we already suspected about the changing nature of the cyber threat and the way that cyber criminals have found new ways past corporate perimeter security.

66% of respondents to the survey reported that their companies had been affected by at least one cyber security incident over the last 12 months. The costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals has combined to produce a new point of attack. This is focused on the weakest link in the corporate security chain, which is now human beings rather than technology.

The term “social engineering" describes this attack vector, which relies heavily on human interaction and often involves tricking people into breaking normal security procedures. The BCI research shows clearly that phishing (obtaining sensitive data through false representation) and social engineering is now the single top cause of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months. A further 37% were hit by spear phishing (phishing through identity fraud).

The research has also confirmed that to effectively counter this threat companies now need behavioural threat detection, provided by a cyber security network monitoring solution. These plugin devices monitor your network for signs of suspicious insider activity and failed attempts to hack into the system. They can also provide invaluable intelligence to be acted upon proactively to nip a successful hack or insider threat in the bud.

Traditional anti-virus monitoring software is no longer enough. The BCI research shows that 72% of companies have this software in place, but only 26% of real cyber security incidents were actually discovered through this route. Much worse, 18% of incidents came to attention through an external source such as a customer, a supplier or the impact on a public website.

Network monitoring solutions are much more effective than anti-virus software in terms of alerting companies to a cyber breach, with 63% of companies having a network monitoring software in place and 42% of cyber incidents coming to attention through the work of the IT department to whom such systems report.

The scale of the cyber threat can feel overwhelming at times. But educating your own employees about the nature of the threat and then putting in place the right solutions can go a long way towards mitigating the social engineering threat and significantly enhancing your corporate cyber resilience. Act now before it is too late.

Sonny Sehgal and Adam Blake, from Crises Control partners Transputec and ThreatSpike, will be talking about the social engineering threat in their webinar on cyber security and the insider threat during Business Continuity Awareness Week 2017 on Tuesday 16th May.

The Business Continuity Institute

Having an effective business continuity programme does not just mean making sure your own organization has a plan in place to deal with disruptions, it also means ensuring that your supply chain is resilient too. How would your organization cope if your supplier was no longer able to supply, or perhaps their supplier and so on? As the saying goes: you’re only strong as your weakest link.

The 2016 Supply Chain Resilience Report, published by the Business Continuity Institute in collaboration with Zurich Insurance Group, showed that one in three organizations had experienced cumulative losses of over €1 million during the previous year as a result of supply chain disruptions. Furthermore, the report showed that 70% of organizations had experienced at least one supply chain disruption during this same time period, while 22% had experienced at least eleven.

Has your organization experienced a disruption to its supply chain? What were the causes and consequences of those disruptions? Help inform our next Supply Chain Resilience Report by taking a few minutes to complete the survey, and be in with a chance of winning a £100 Amazon gift card.

Tuesday, 09 May 2017 14:33

BCI: Managing the supply chain

How well do you understand your commercial partners’ compliance programs? Recent eye-popping settlements have reminded non-U.S. companies of the danger of failing to comply with U.S. sanctions and export control laws. But strengthening your own compliance program will not provide complete protection when your business partners are targeted by authorities. An unexpected enforcement action against a key supplier or financial institution can disrupt the flow of goods and services along global supply chains and threaten well-established trading networks.  Customers, lenders, manufacturers and retailers, among others, are taking a closer look at their counterparties and asking for stronger legal protections against follow-on sanctions and export control risks.

Extraterritorial Power

The U.S. government has an impressive arsenal of tools for enforcing laws against non-U.S. persons for conduct taking place outside the United States, especially in the areas of sanctions and export controls (collectively, “sanctions”).

The Office of Foreign Assets Control (OFAC) has long been known for its ability to sanction non-U.S. actors who threaten U.S. national security and policy. Individuals and entities who appear on the OFAC list of Specially Designated Nationals (SDNs) are virtually excluded from the U.S. financial system, not to mention the growing number of non-U.S. banks that “voluntarily” follow OFAC regulations to de-risk their operations.



Data security has traditionally been seen as a matter of locking down data in a physical location, such as a data center. But as data migrates across networks, borders, mobile devices, and into the cloud and Internet of Things (IoT), focusing solely on the physical location of data is no longer relevant.

To prevent disclosure of sensitive corporate data to unauthorized people in this new corporate environment, data needs to be secured. Encryption and data masking are two primary ways for securing sensitive data, either at rest or in motion, in the enterprise.  It is an important part of endpoint security.

Encryption is the process of encoding data in such a way that only authorized parties can access it. Using homomorphic encryption, sensitive data in plaintext is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.



Is it time to put the public vs. private/hybrid cloud debate behind us? Like Mac vs. PC or open vs. proprietary, it seems that the biggest arguments over technology have a shelf-life, and the time to put conflicts over cloud infrastructure is nearing its end.

The reason is simple: In an age of virtual, abstract data environments, the enterprise is no longer limited to stark choices when it comes to resource configurations.

While it’s true that, as InfoWorld’s David Linthicum points out, public cloud providers are pushing the envelope on emerging technologies like artificial intelligence and serverless computing, the fact remains that local infrastructure still provides unique capabilities that cannot be matched by third-party infrastructure, no matter how advanced. This goes way beyond the security issue, which some say is better in the public cloud, to factors like latency, data residency, governance and single-vendor lock-in.



A massive phishing campaign impersonating a request to share Google Docs documents hit inboxes worldwide earlier this week.

Victims who clinked on links in the emails were asked to share access to their Gmail contact lists and Google Drive, the New York Times reports -- and those contact lists were then used to distribute the attack to victims' contacts.

In a statement, Google said, "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again."



Distributed Denial of Service attacks (DDoS) are a favorite attack method of hackers and hacktivists, in large part due to their simplicity.  We list the different types of DDoS attacks and offer resources to stop DDoS attacks.

What is a DDoS attack?
 So what is a DDoS attack? It’s when hackers are able to flood an IP address with hundreds or thousands of messages, often through the use of botnets or through a coordinated hacktivist effort, taking the network to the point where legitimate users aren’t able to get through – hence, the denial of service.

DDoS attacks are also profitable while being affordable, leading more people to take advantage of this type of attack, Tim Pat Dufficy, managing director of ServerSpace, told eSecurity Planet: “The barrier to entry of DDoS attacks in terms of cost has largely gone. That means anyone can launch an attack: organized crime, a group of blackmailers, or just a disgruntled ex-employee or a competitor. And anyone can be the victim. One of our customers is a very small company that does training for people in the construction business, yet they came under attack for two weeks.”

While DDoS offer a less complicated attack mode than other forms of cyberattacks, they are growing stronger and more sophisticated. There are three basic categories of attack:



Friday, 05 May 2017 14:20

Types of DDoS Attacks

Happy World Password Day! (Yeah, there really is a day for everything, but I can’t complain about the increasing number of days that highlight better cybersecurity practices.) Much as we dislike them and complain about having so many of them, we really can’t live without passwords, not if we want to have any kind of online presence or conduct business securely. The importance of protecting our passwords has been highlighted today with the announcement of the Google Docs phishing scam making the rounds. As Travis Smith, senior security research engineer at Tripwire, explained in an email comment:

Someone created a malicious app in Google Docs. While it had an official sounding name, it was far from it. Once you click on the link, the application will ask for permissions to your email account. If granted, it will begin to use your account to send out further spam emails. At this time, there does not appear to be anything malicious in the sense of stealing sensitive data; however having your account compromised in this manner can still make you feel violated.

Asks for permission also means wants your password. And even though Smith said that, as of right now, the Google Docs phishing scam may not be doing anything overly malicious, if we are handing over our password to one account, we are likely handing over an old familiar password that can access multiple accounts. A Telesign study found that 71 percent of accounts are protected by duplicate passwords and 46 percent of us are using passwords that are over five years old. Think about it – what might be in your Google account that could tip off a hacker to other, more lucrative accounts that share the password? How much of your company’s sensitive data may be connected to the Google account and password?



The Problem

Most companies are making progress with compliance – they have codes of conduct, are working to improve their cultures and are hiring staff including compliance, diversity, privacy and ethics officers. These companies should be credited for laying down necessary, ethical infrastructures.

Yet, despite these efforts, terrible things happen in the workplace. Companies rocked by scandals, such as the fraudulent sales practices at Wells Fargo and the Yahoo data breach, found “unethical behavior” and “failures in communication, management, inquiry and internal reporting” respectively, despite both parties having knowledge of the potential for harm.  Fraud and conflicts of interest continue to plague organizations and governments.  Sexual harassment continues to be a problem, devastating its victims and demoralizing the workplace, according to a recent report by the EEOC. Discrimination, diversity, hiring bias: these are not just buzzwords, but real problems that exist across the globe.

We believe that almost all organizations care about their employees’ well-being, but sometimes the link between attitude and action gets lost in the shuffle. The potential is there, it just needs to be unlocked. Education and technology can help unlock that potential.



The Business Continuity Institute

The vast majority of organizations worldwide (86%) are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business, according to a study by Veritas Technologies. Nearly 20% said they fear that non-compliance could put them out of business. This is in the face of potential fines for non-compliance as high as €20 million or 4% of annual turnover – whichever is greater.

Intended to harmonize the governance of information that relates to individuals ('personal data') across European Union (EU) member states, the GDPR requires greater oversight of where and how personal data – including credit card, banking and health information – is stored and transferred, and how access to it is policed and audited by organizations.

GDPR, which comes into force on the 25th May 2018, will not only affect organizations within the EU, but extend globally, impacting any organization that offers goods or services to EU residents, or monitors their behaviour, for example, by tracking their buying habits. The study indicates that a whopping 47% of organizations globally have major doubts that they will meet this impending compliance deadline.

Data breaches are already a major concern for business continuity and resilience professionals according to the Business Continuity Institute's latest Horizon Scan Report, and this is only going to be exacerbated over the coming year and beyond as organizations try to develop their understanding of what compliance means.

The Veritas 2017 GDPR Report found that more than one in five (21%) are very worried about potential layoffs, fearing that staff reductions may be an inevitable outcome as a result of financial penalties incurred as a result of GDPR compliance failures.

Organizations are also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected. Nineteen percent of those surveyed fear that negative media or social coverage could cause their organization to lose customers. An additional one in ten (12%) are very concerned that their brand would be de-valued as a result of negative coverage.

The research also shows that many organizations appear to be facing serious challenges in understanding what data they have, where that data is located, and its relevance to the business – a critical first step in the GDPR compliance journey. Key findings reveal that many organizations are struggling to solve these challenges because they lack the proper technology to address compliance regulations.

There is also widespread concern about data retention. More than 40% of organizations admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value. Under GDPR, companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.

“There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organizations around the world. It doesn’t matter if you’re based in the EU or not, if your organization does business in the region, the regulation applies to you,” said Mike Palmer, executive vice president and chief product officer at Veritas. “A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.”

The Business Continuity Institute

Lax approaches to popular threats such as email attachments, and inadequate threat-awareness, poor work-practices and out-of-date technology, are exposing organizations to hacking, ransomware and zero-day attacks, says a report published by Glasswall Solutions.

Your employees won't protect you noted that the vast majority (82%) of respondents to a survey usually or always opened email attachments if they appear to be from a known contact, despite the prevalence of well-known sophisticated social engineering attacks. Of these respondents, 44% open these email attachments consistently every time they receive one, leaving organizations highly vulnerable to data breaches sourced to malicious attachments.

"Employees need to trust their emails to get on with their work, but with 94% of targeted cyber-attacks now beginning with malicious code hidden in an email attachment, the security of major businesses should no longer be the responsibility of individual office-workers," said Greg Sim, CEO of Glasswall Solutions. "Conventional antivirus and sandboxing solutions are no longer effective and relying on the vigilance of employees clearly leaves a business open to devastating cyber-attacks that will siphon off precious data or hold the business to ransom."

A large majority of workers could at least identify characteristics of a phishing attack, with 76% acknowledging that they had received suspicious attachments. However, the survey also found that 58% of respondents usually opened email attachments from unknown senders, while 62% didn't check email attachments from unknown sources, leaving businesses open to breaches from documents carrying malicious exploits hidden inside common file-types such as Word, Excel, PDFs and more.

These findings help demonstrate why cyber attacks and data breaches are such a concern for business continuity and resilience professionals, as highlighted in the Business Continuity Institute's latest Horizon scan Report. It also reinforces the theme for Business Continuity Awareness Week which highlights that cyber security is everyone's responsibility, and with a little more awareness on the right policies and procedures, we can all play a part in building a resilient organization.

"This research confirms anecdotal evidence that, although security awareness campaigns have their place, all too often they fail to equip workers with effective strategies for protecting data and systems," said professor Andrew Martin at the University of Oxford. "Technology that's fit for purpose reduces risks without placing added burdens on those simply trying to do their jobs."

This implicit trust in both familiar and unknown emails stands in direct contrast to the scale of threats delivered via email. Despite thousands of attacks launched every year against businesses, only 33% of respondents maintained that they had been victim of a cyber attack. And almost a quarter (24%) said they did not know if they had been attacked or not.

Greyhound, the largest provider of intercity bus transportation, serving over 3,800 destinations across North America, has deployed AlertMedia’s emergency notification system. Greyhound sought out to find a communication tool that would be easy for both executives and staff to streamline the way they were communicating within their workforce. With thousands of employees who are always on the go, the bus carrier recognized the need for a speedy and reliable way to connect with their workers. With the help of AlertMedia’s intuitive interface and customizable platform, Greyhound can now communicate updates and notifications with their people instantly and across any device.

While Greyhound initially purchased AlertMedia to notify their employees of critical events like closures, accidents, and other emergency situations, the transportation company has also incorporated the software in various departments to overall improve business operations. They use AlertMedia the two-way messaging capabilities to notify employees of general company-wide communications, and to increase employee engagement and coordination.

AlertMedia’s cloud-based communications software helps Greyhound keep their people safe, informed, and connected.

To read more visit BUSRide Magazine!



One of the predictable things about the BC industry is that periodically there is a bout of introspection – we are in a bad spot, how do we change to move forward?

The predictable outcome is that little actually changes other than the name – Disaster Recovery, Business Continuity Management, BCMS, Resilience, Business Resilience. The most recent one I heard in this line is “Digital Resilience”. That one is a real winner in its attempt to merge two “hot” concepts into a new promotable product.

The latest published introspection is from Charlie Maclean Bristol “Revamping the Business Continuity profession“. That paper includes discussion of emerging ideas like “Adaptive BC” and a number of other suggestion to shape future practice. Although at times they read like “Back to the Future” prescriptions.



Thursday, 04 May 2017 14:50

Back to the Future?

When you're hit by a ransomware attack, it's tempting to think that just restoring from backup can make the problem go away -- but according to DataGravity CEO Paula Long, it's not necessarily that simple.

While backups can be key to recovering from ransomware, Long told eSecurity Planet, restoring correctly may be more complex than you expect. "First of all, you have to figure out what it is you have and what's been damaged -- and if you don't have everything in place, that can be a time-consuming process," she said.

If the damage is significant enough that you have to do a full restore, you may sidestep the ransomware itself, but be left not knowing what data may have been lost or changed since the last backup. "So now you've got sanctioned data loss, and you don't know what happened," Long said.

Even more importantly, Long said, there's a decent chance your backup is infected with ransomware as well.



Bigger isn’t always better, and innovative technologies aren’t always best. But, when choosing vendors and suppliers, the best choices aren’t always evident until the equipment is installed or the contract has been let. That’s when nasty surprises may occur and you realize that what you expected isn’t quite what you received, or—worse—what you asked for wasn’t exactly what you wanted.

To minimize the odds of that happening to you, use these five steps:



If you thought virtual reality (VR) and augmented reality (AR) were just gimmicks for people with too much time on their hands, you could be in for a surprise.

Both technologies have now progressed to a point where it is feasible to integrate them into business continuity management.

As a reminder, VR creates a virtual world for users to interact with, and is suited to training and simulations (not to mention gaming).

AR, on the other hand, overlays views of the real world with virtual elements, helping users interact better with the real world, by offering help, advice, explanations, and more, specifically targeted to what the user sees. Both VR and AR can help better deal with threats that affect business continuity.



Think about all the time and energy we spend preparing for emergency events. We develop strategies and plans, generate documentation, identify risks, and work to mitigate those risks. We’re going to help you answer those internal and external questions about how BCP provided concrete value or prevented an outage.  In this blog post, we’re offering you five real-life client examples where business continuity planning efforts have been utilized.



Netflix recently experienced a third-party breach. The data lost is Season 5 of Orange is the New Black, which is original Netflix content. Many are calling it the largest entertainment industry hack since Sony. I guess that is right, but how bad is it really?

First, here is what happened. Netflix transferred season five to their post-production third party in Los Angeles, Larson Studios, for sound mixing and editing. Larson does the post work for at least 25 episodics that run on Fox, ABC, IFC and Netflix. It was Larson Studios that was hacked and, according to thedarkoverlord (TDO), they made off with not just Netflix content but network content as well, putting at risk the release of Documentary Now, Portlandia, Fargo and many others.  TDO contacted Netflix and asked for a bitcoin ransom or it would dump their content for download. Netflix refused to be extorted and TDO made good on its threat.

That got me thinking…was Netflix right to not pay the ransom? What was the real impact of that decision? Can networks and studios do the same thing? Are they inoculated from third party damage because of their industry or their product? Let’s find out.



Most companies have accepted the new market reality: customers are in charge, having digital chops is table stakes, and disruption is becoming normal. 

Although most companies have accepted this reality, they also admit that they are not prepared for it. In our Customer Obsessed Assessment, 62% of companies identified as being behind the power curve addressing current customer demands and an additional 25% are slightly behind where they want to be.

The results are not terribly shocking; there’s a lot of work to do. But it doesn’t make it any less scary once you realize we’re in the early stages of change.

The large-scale market response is still playing out - and the cycle of far-reaching (and sometimes painful) change will be playing out for many years to come. Arguably the large-scale market response is still to come. For example:



(TNS) - Missouri state Rep. Bill Lant wanted to join Gov. Eric Greitens when he unveiled his plan to address flooding in the state.

But the ditches carved into the road in front of his Pineville home almost prevented him from doing that. He had been stuck the whole weekend while more than 10 inches of rain fell around him.

Lant said he planned to ask the governor for state assistance when it came to the devastation in his county.

“I’m fine, but there are parts of Noel, Anderson that have just had terrible flooding,” Lant said.

Although the state has expended all available resources to provide relief, many of those affected are hoping that President Donald Trump will declare Missouri a disaster zone.



It happens often in conversations with clients that I realize they have disjointed initiatives going on to support their digital transformation. The most dangerous parallel initiatives are those where, on one side, they are changing their development teams to become more Agile, but a separate initiative in the same enterprise exists where their Operations folks are running a development and operations (DevOps) transformation. The first thing I recommend to those clients is to unify or tightly connect those programs with an underlining common lean strategy. But I don’t want to dig in here about Agile+DevOps and how overused and abused the term “DevOps” is. I will just recommend to you some reports we’ve published explaining how “Agile” and “DevOps” are two sides of the same coin (see, for example, “Faster Software Delivery Will Accelerate Digital Transformation”).  The Modern Application Delivery playbook I’ve co-authored for years is all about what it means to adopt Agile+DevOps. Check that out too.

But the second and equally important thing I realize with these clients happens when I start querying them about their testing capabilities and approach during those journeys towards more agility and DevOps. And that opens the next can of worms. Why? Because if Agile disrupts how we test applications, continuous delivery, which DevOps is a core enabler of, represents unprecedented disruption of testing. I just published a report on the  continuous testing (CT) services providers landscape, where I provide my definition of what continuous testing means and is. I think the figure here makes it very clear.



The cloud is still growing by leaps and bounds, but not as fast as it was at the beginning of the decade. But it is unclear if this represents a long-term trend as the market reaches the front end of a traditional bell curve, or just a minor pause in the technology’s ultimate takeover of the enterprise data environment.

According to IDC, vendor revenue from the sale of cloud-based infrastructure products grew by 9.2 percent in 2016. This represents a healthy market of $32.6 billion, but it still represents a drawback of about $4.5 billion from what the company had predicted based on earlier growth data. The company suspects that part of this is due to a slowdown in the hyperscale market, but it can also be attributed to the fact that many companies have migrated some of their workload to the cloud and are seeing how it performs before moving forward. And it is important to note that cloud revenues are increasing while spending on traditional data center infrastructure is declining on the order of about 9 percent per quarter.

But this isn’t to say that the enterprise is ready to give up on the local data center just yet. According to a recent survey from the Uptime Institute, the percentage of workloads residing in enterprise owned and operated facilities has been stable at about 65 percent since 2014. To the institute, this means that regardless of what happens with the public cloud, local data center infrastructure will remain as a critical asset for most enterprises as they pursue digital-centric strategies.



Tuesday, 02 May 2017 15:40

Cloud Growth Slows, Slightly

Despite the challenges of a slowed economy in an election year, a shifting risk landscape as a result of technological advances, and a slow to negative growth rate in some sectors, 2016 saw the total cost of risk (TCOR) decline for the third consecutive year, according to the 2017 RIMS Benchmark Survey.

Even in the face of such uncertainties, the TCOR per $1,000 of revenue continued to drop, ending at $10.07 in 2016. The main drivers were declines in all lines excluding fidelity, surety and crime costs, according to the report. TCOR is defined in the survey as the cost of insurance, plus the costs of the losses retained and the administrative costs of the risk management department.

The survey encompasses industry data from 759 organizations and contains policy-level information from 10 coverage groups, subdivided into 90 lines of business.



(TNS) - Powerful storms that generated flooding and tornadoes across the south-central United States killed at least 12 people over the weekend.

The National Weather Service said multiple tornadoes ripped through central Texas on Saturday.

The town of Canton, located about 50 miles east of Dallas, was hit especially hard. Mayor Lou Ann Everett said Sunday that at least four people died and almost 50 others were injured, according to local media.

The fire department said the death toll could rise as people continue to comb through the debris. Dozens of cars were reportedly tossed in the air on the interstate that runs through town.



If data center managers thought virtualization and cloud computing were challenging in terms of big shifts in architecture, they better get ready for the next big thing. The Internet of Things is likely to give you far more headaches in terms of volume of data to store, devices to connect with and systems to integrate.

Long-term data center managers have certainly borne witness to immense change in recent decades. From mainframes to minicomputers and client/server, then virtualization and cloud computing. The pattern seems to be as follows: at first, their entire mode of operation is challenged and altered. After a few hectic years, life calms down, only for yet another wave of innovation to sweep the world of the data center off its axis.

And, here we go again with the Internet of Things (IoT). The general idea is that sensors and microchips are placed anywhere and is subjected to advanced analytics to give business a competitive edge, and provide the data center with greater capabilities in terms of infrastructure management and security.



Have you ever gotten to the end of your journey to find you’re not in the place you thought you’d be – or wanted to get to?  It’s that way for many projects and programs, including BCM/DR initiatives.  Sometimes what you intended to achieve isn’t what you end up accomplishing – if at all.

Developing and the maintaining a Business Continuity Management (BCM) / Disaster Recovery (DR) program means managing – and sometimes juggling – multiple components.  You could be juggling Business Impact Analysis (BIA) reviews while starting to plan the next major Simulation Exercise.  This is common and in project management terminology, it’s a bit of an Agile approach; not your traditional ‘waterfall’ approach (e.g. end one task before starting another).   When this occurs, you do run the risk of overlapping initiatives and sometimes, overlapping approvals being required.   But don’t think that your approvals can be delayed or rebuffed; they are important.



Monday, 01 May 2017 14:30

BCM & DR: Managing Expectations

BATON ROUGE, La. — There is still time to apply for 100 FEMA reservist positions for Public Assistance (PA) Site Inspector Specialists.  FEMA has extended the application deadline by a week to 5/6/2017 and is looking for construction managers, building inspectors and disaster recovery specialists to work in various locations.

This week the Baton Rouge Joint Field Office (JFO) also kicked off a national pilot program designed to convert FEMA’s local hires to reservist status.  A robust team of FEMA reservists need to be available and ready to respond to disasters at anytime, anywhere in the nation. 

FEMA provides help and support to people in the midst of an emergency situation and those dealing with the aftermath. Reservists are brought to the site to assist in federally declared disaster operations. PA specialists will conduct site inspections of claimed disaster-related damage.  Essential knowledge for these positions include: understanding and experience related to general engineering and construction practices for public infrastructure, experience inspecting and assessing damaged infrastructure and general knowledge of building codes and standards.

Preferred professional certifications: construction management, construction and building inspectors, disaster recovery specialists, sewage and waste water treatment experts, roads and bridge work and customer service experience. 

Those who sign up for the Reservist Program must be able to deploy with little or no notice to anywhere in the United States and its territories for an extended period of time.  While activated and deployed reservists will serve in a federal travel status and be entitled to lodging, transportation and per diem reimbursement for authorized expenses in accordance with travel regulations. Expected hourly rate will be up to $24/hour, depending on experience.

All applications must be sent via e-mail to: This email address is being protected from spambots. You need JavaScript enabled to view it. with the following subject line: 2401 – Public Assistance Site Inspector Specialist – PA.  Again, applications will be accepted through 5/6/2017. For more information visit www.laworks.net.

We heard two very different perspectives on the future of on-premise enterprise data centers from top executives on this week’s earnings calls by two of the world’s largest cloud providers.

Microsoft, which has a huge – and growing – on-premise data center software business in addition to a quickly growing cloud one, is continuing to pursue a hybrid strategy, pushing the idea that companies will want to continue using their internal data centers while augmenting them with cloud services.

Alphabet subsidiary Google, which never had the need for an on-premise software business, is playing up wholesale shift of enterprise workloads from corporate data centers to its cloud. Here’s Alphabet CEO Sundar Pichai on the company’s earnings call Thursday:



Over the years, I have had the opportunity to travel often for my career. Of all the cities I’ve visited, London is one of my favorites. On a recent visit, one thing became overwhelmingly clear; The city aims to build awareness in its citizens and visitors and to change their behaviors. How so? You have probably seen a version of the famous London Underground sign: MIND THE GAP.

If you aren’t familiar with it, this insignia is displayed at the edge of train platforms to remind passengers of the gap between the walkway and the train car. The purpose of the message is to boost awareness and ultimately, alter passenger behavior. Similarly, this is also the purpose of training in corporations – to increase the awareness of employees, to change their behaviors and increase their safety.

Over the last few decades, companies have reacted to legal and financial threats, as well as safety threats, by building a collection of mandatory training for their personnel. Following the founding of OSHA in the 70’s, we saw a rise in training around safety-related behaviors, both in the field and in the office. In the 80’s, sexual harassment was a hot topic, and even lawyers joined the business of training clients on both the law itself, and the behaviors that were and were not acceptable. Following major ethical lapses and the Enron failure in 2001, corporations set their sights on ethics training. Today, those training topics are the norm, and new topics continue to be added in, such as cultural sensitivity, and improving diversity in the workplace.



Business Intelligence (BI) pros continue to look for outside professional services. Forty-nine percent of decision makers say their firms are already engaging and/or expanding their engagements with outside data and analytic service providers, and another 22% plan to do so in the next 12 months. There are two main reasons for this sustained trend:

  • The breadth and depth of BI deployments cannot be internally replicated at scale. Delivering widely adopted and effective BI solutions is not easy. It requires rigor in methodology, discipline in execution, the right resources, and the application of numerous best practices. No internal enterprise tech organization can claim this wealth of expertise and experience; this only comes after delivering thousands of successful and unsuccessful BI projects — which we believe is solely the realm of management consultants and systems integrators. These partners have collectively accumulated such experience over many years and thousands of clients and projects.
  • Implementation partners help connect technology and business priorities. While business and technology pros ultimately work toward the same goal — improving their companies' top and bottom lines — they often use different approaches to get there. Business pros often have a preference for a particular BI tool and just want to get their jobs done quickly, efficiently, and effectively. It's not that they don't care about a single version of the truth, enterprise software standards, security, and procurement guidelines — it's just that getting their jobs done trumps everything else, while technology pros have different goals. Finding a middle ground between opposing priorities is tough. When all else fails, firms look for a reputable, well-respected professional services organization that can act as a referee and provide an objective road map to align business and technology management goals, objectives, and priorities.

Take a look at our recently published research report - The Forrester Wave™: Business Intelligence Platform Implementation Service Providers, Q2 2017 - where we review

  • Forrester recommended BI implementation service provider shortlisting and selection methodology and
  • Evaluate 13 top providers in this market


Today is World Day for Safety and Health at Work and the ideal time to consider a new International Standard due out early next year – ISO 45001 – ISO’s first standard for occupational health and safety management systems.

Latest estimates from the International Labour Organization (ILO) show that more than 6 300 people die each day (that’s over 2.3 million a year) as a result of work-related activities, and in total over 300 million accidents occur on the job annually. The burden to employers and employees alike is immense, resulting in losses to the wider economy from early retirements, staff absence and rising insurance premiums.

The ILO’s awareness-raising campaign, held annually on 28 April, is intended to focus international attention on the magnitude of the problem and on how promoting and creating a safety and health culture can help reduce the number of work-related deaths and injuries.



MSPs are tasked with keeping everything running. They have an around-the-clock, constant flow of information, accessible at any time from anywhere. Each and every single business depends in some way shape or form on that network of information flowing. However, we often consider only a small subset of what users actually interact with to be the MSP’s responsibility--for example, desktops, servers, laptops and maybe some simple network monitoring.

We need to expand what we consider fundamental to our monitoring responsibilities. Today’s customers are more comfortable than ever with technology. With that comfort, their expectations for availability, performance and quality have grown. Moreover, large telecom providers have made information flow easier, unlimited and available all over with faster speeds than ever before--changing users’ expectations outside of their work lives.

When users arrive in the office, expectations have already been set. Your role as an MSP and manager of that network of information comes front and center. Clients begin to engage with phones over the network, wireless access points, data in the cloud, virtualized applications running in the data center and, of course, hosted email.



WASHINGTON – The application period for the 2017 Federal Emergency Management Agency (FEMA) Individual and Community Preparedness Awards is now open. The awards highlight innovative local practices and achievements by honoring individuals, organizations and jurisdictions that have made outstanding contributions toward strengthening their community to prepare for, respond to, recover from, and mitigate a disaster.

FEMA and partners from the emergency management industry will review all entries and select the winners in each of the following categories:

  • Outstanding Citizen Corps Council
  • Community Preparedness Champions
  • Awareness to Action
  • Technological Innovation
  • Outstanding Achievement in Youth Preparedness
  • John. D. Solomon Whole Community Preparedness Award
  • Outstanding Private Sector Initiatives
  • Outstanding Community Emergency Response Team (CERT) Initiatives
  • Outstanding Citizen Corps Partner Program
  • Preparation in Action

Winners will be announced in the fall of 2017, and a series of webinars and local ceremonies will celebrate their achievements.

To be considered for this year’s awards, all submissions must be received by May 30, 2017, at 11:59 p.m. EDT, and must feature program activities taking place between Jan. 1, 2016, and May 30, 2017. Applications are accessed online and should be submitted to This email address is being protected from spambots. You need JavaScript enabled to view it..

More information about the awards is available at www.ready.gov/preparedness-awards


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema and www.youtube.com/fema. Also, follow Acting Administrator Robert Fenton’s activities at www.twitter.com/bobatfema.

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

The world is changing fast, and bring-your-own-device (BYOD) and telecommuting are increasingly becoming the norm, not the exception. This increasingly mobile and flexible workforce creates new security challenges as more and different types of devices are being used in multiple locations. Security and risk professionals must ensure that only the right people get access to the right information at the right time and for the right reasons. Identity and access management (IAM) tools help evaluate who has authorized access to which resources and why.

In our recently published Forrester Data: World Identity And Access Management Software Forecast, 2016 To 2021 (Global), Forrester predicts that the IAM software market will grow to $13.3 billion by 2021, from $7.7 billion in 2016, implying an 11.5% CAGR.



North American insurers lead the way in IT spending globally and will invest $73 billion in tech areas such as data analytics, cloud, and insurtech in 2017.

Digital Insurance reports that global IT spending by insurers is slated to reach $185 billion by the end of this year, according to the Celent “IT Spending in Insurance 2017” report.

After North America, insurer technology spending by region is as follows: Europe ($69 billion); Asia ($33 billion); Latin America ($5 billion); then a group of territories comprising Africa, the Middle East and Eastern Europe (around $5 billion collectively).



There's a good chance you've considered the implications of machine learning for your security team. As data increases, the skill gap widens, and hackers' strategies get more complex, businesses struggle to detect and address cyberattacks.

Machine learning enables behavioral analytics and cognitive security to detonate attachments before they arrive in someone's inbox, or correlate types of activity across a network of thousands of users.

The ability to stop attacks before they occur is powerful, but how should security leaders start the process of making their systems smarter with machine learning?



The Business Continuity Institute

There is an alarming level of exposure for corporate and sensitive files across organizations, including an average of 20% of folders per organization open to every employee, according to a new study conducted by Varonis.

The Data Risk Report was the result of an analysis of 236.5 million folders containing 2.8 billion files, comprising 3.79 petabytes of data. Of that figure, 48,054,198 folders were open to 'global access groups', or groups that grant access to the entire organization. Nearly half (47%) of organizations had at least 1,000 sensitive files open to every employee, while one in five (22%) had 12,000 or more sensitive files exposed to every employee.

Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organization to data breaches, insider threats and crippling ransomware attacks. A recent Ponemon study found that 62% of end users say they have access to company data they probably should not see, and a Forrester Consulting study found that 59% don’t enforce a need-to-know permissions model for sensitive files.

Business continuity professionals are all too aware of the damage a cyber security incident could cause, as identified in the Business Continuity Institute's latest Horizon Scan Report. In this report cyber attack and data breach were ranked as the top two threats with the vast majority of respondents to a global survey (85% and 80% respectively) expressing concern about the prospect of them materialising.

“In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organizations focus on outer defenses and chasing threats, the data itself is left broadly accessible and unmonitored,” said Ken Spinner, VP of Field Engineering at Varonis.

Some IT security attacks start from the most innocent mobile apps and in ways that let cyber-criminals simply pick up confidential communications without having to hack into anything at all.

While it may sound surprising, many mobile apps leak user data to anybody ready to receive it. While some free apps rely on being able to harvest and resell such user data, other paying apps, some of them from highly reputable brands, are simply careless about the user IDs, passwords, user profile information, and other information they ask for via mobile permissions. And even consumer user IDs and passwords can move hackers a step along to getting into business systems. Here’s why.

The danger of leaky mobile apps may be indirect, but it is still very real.



The bedrock of the insurance industry is quaking. For decades, large North American insurers got bigger by dominating distribution and methodically mastering information technology.  But the confluence of changing customer demands, hundreds of insuretech startups and non-traditional competitors sniffing around the business of insurance is messing up the long-standing insurance equilibrium.  Insurance carriers--and their agents and brokers--must go digital or go bust.  

During the second half of 2016, my fellow Forrester analyst, Oliwia Berdak and I interviewed digital business strategy executives with traditional insurers and hot startups around the globe to get their take on the role that digital will play in the business of insurance over the coming decade.  What were the big takeaways from our conversations?  Consider that:



Attention to America’s immigration policies has intensified recently, with politicians and citizens wrangling over whether and how to control the number of foreigners entering the country. Emergency managers, however, largely don’t believe immigration is their issue. Except, in a sense, it is.

“I don’t see why or how [immigration] really relates to emergency management, which is distinct from homeland security,” said hazmat and emergency management logistics lecturer Bob Jaffin. “Why would that even come up … in a situation that is an emergency?” 

That sentiment holds true when evaluating the black-and-white definition of emergency management, but shades of gray exist in a number of areas. Immigration affects emergency managers in roundabout manners; instead of focusing on direct involvement — such as enforcement or policymaking — they attend to indirect effects, such as language barriers and population shifts.



The Business Continuity Institute

Cyber espionage is now the most common type of attack seen in manufacturing, the public sector and education, warns Verizon's latest Data Breach Investigations Report. Much of this is due to the high proliferation of propriety research, prototypes and confidential personal data, which are hot-ticket items for cyber criminals. Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related, many of which started life as phishing emails.

In addition, organized criminal groups have escalated their use of ransomware to extort money from victims with this year’s report showing a 50% increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyber attack.

“Insights provided in the DBIR are leveling the cyber security playing field,” said George Fischer, president of Verizon Enterprise Solutions. “Our data is giving governments and organizations the information they need to anticipate cyber attacks and more effectively mitigate cyber risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we’re able to offer valuable intelligence that can be used to transform an organization’s risk profile.”

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity institute's latest Horizon Scan Report. It is for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organization's overall resilience by enhancing its cyber resilience, and recognising that people are key to achieving this.

“Cyber attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “Cyber criminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

With 81% of hacking-related breaches leveraging either stolen passwords and/or weak or guessable passwords, getting the basics right is as important as ever before. Some recommendations for organizations and individuals alike include:

  1. Stay vigilant - log files and change management systems can give you early warning of a breach.
  2. Make people your first line of defence - train staff to spot the warning signs.
  3. Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it.
  4. Patch promptly - this could guard against many attacks.
  5. Encrypt sensitive data - make your data next to useless if it is stolen.
  6. Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
  7. Don’t forget physical security - not all data theft happens online.

“Our report demonstrates that there is no such thing as an impenetrable system, but doing the basics well makes a real difference. Often, even a basic defence will deter cyber criminals who will move on to look for an easier target," concludes Sartin.

Ever since marketing figured out that companies could do better by asking customers what they wanted, rather than just trying to tell them, businesses have moved massively to the notion of working backwards from the customer.

Indeed, Jeff Bezos, founder of Amazon.com, declared, ‘‘We start with the customer and we work backward.

We learn whatever skills we need to service the customer.’’

It seems like business continuity planners could take a leaf out of the marketing playbook and ask customers what they would like to see in terms of their provider’s business continuity.

But is that enough?



Wednesday, 26 April 2017 16:25

Business Continuity by Working Backwards

A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is from a malicious hacker attack.

But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.

One way to sidestep both of these problems is to carry out your own network penetration tests.

In this article, we'll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.



A successful entrepreneur spends all the time necessary to plan, down to the smallest detail, the workings of his or her business. Staffing, marketing, inventory, equipment, investors, and location and more are all a part of the dynamic. One aspect missing from many business plans is a strategy and system for unexpected problems caused by a disaster that harms the company’s physical plant. Whether resulting from natural forces, mechanical breakdowns, or human error, damage to your place of business halts production and risks the ruin of your hard work and vision. What can ensure your business continues even in the face of tragedy?

Half of the commercial enterprises suffering the effects of water, fire, or other disaster close their doors to deal with the crisis and then never reopen. This shocking statistic is one no business owner dares ignore. Customers and clients need to know the services and products you offer are reliable, available without fail with no room for excuses. Business continuity is crucial to your company’s growth and survival in a competitive economy. If they are forced to look elsewhere to replace the unique product you provided before a mishap many of your leads never return. Even a short break in service can predict the downfall of your company



Wednesday, 26 April 2017 16:22

Survive And Thrive After Disaster

The Business Continuity Institute

Over 80% of security professionals identify ‘people’ as the industry’s biggest challenge, as opposed to technology and processes, according to the results of the second annual survey from the Institute of Information Security Professionals (IISP).

The survey also indicates that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens. In real terms, spending does appear to be on the rise with 70% of companies seeing an increase in budget, up from 67%, and only 7% reporting a reduction, which is down from 12% last year.

While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.

Cyber security is a hot topic for business continuity and resilience professionals with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber security was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security.

“Many of the figures in this year’s survey show a step in the right direction,” says Piers Wilson, author of the report and Director at the IISP. “The continuing high frequency of cases hitting the headlines and the regulatory pressures, including from GDPR, are leading to a corresponding increase in investment and a drive for increased skill, experience, education and professionalism. However, there is still a lot of work to do and we need to redouble our efforts to meet the challenge of increasingly sophisticated threats.”

The U.S. Justice Department recently announced that 32-year-old Roman Valeryevich Seleznev, known as "Track2," was sentenced to 27 years in prison for a series of cyber attacks that caused over $169 million in damages.

It's the longest prison sentenced ever given to a hacker in the United States.

Seleznev was convicted in August 2016 for hacking into point-of-sale (PoS) systems and installing malware designed to steal millions of credit card numbers from more than 500 U.S. businesses between October 2009 and October 2013. Approximately 3,700 financial instutitions were impacted by the attacks.

The stolen data was then transferred to servers under Seleznev's control in Russia, the Ukraine, and McLean, Virginia, after which Seleznev sold stole the credit card numbers on carding websites.

Among the businesses Seleznev targeted was Seattle, Washington's Broadway Grill, which was forced into bankruptcy following the attack.



Today’s threat environment is more complex than ever before, requiring that businesses be prepared to combat attacks from many different directions.

These days,  outages or issues are often the result of non-traditional concerns or events. As you think about each of the items below, remember that your first step will be to determine the potential risk. Once you understand the risk, you can identity the impact of an occurrence, and determine and implement an appropriate mitigation strategy.

Ask yourself the following questions to determine your potential threats and risks.



Efficient storage management includes migrating aging data through progressively less-expensive storage tiers. When data ends its migration at the cold storage stage, you can keep it for long periods of time at very low cost.

Cloud-based data storage generally falls into these four storage classes or tiers:

  • Hot storage is primary storage for frequently accessed production data.
  • Warm storage stores slightly aging but still active data. It costs less because the underlying storage systems don’t have the high performance and availability requirements, but it keeps data quickly accessible.
  • Cool storage houses nearline data, which is less frequently accessed data that needs to stay accessible without a restore process.
  • Cold storage is a backup and archival tier that stores data very cheaply for long periods of time. Restore expectations are few and far between. Security, durability and low cost characterize this tier.



I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets.  I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.  

The other day, working with him on his training points, I thought to myself, “Woah, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?



The debate over the efficacy of the hybrid cloud is likely to continue for as long as there are hybrid clouds. Pure-cloud advocates say hybrids are merely a marketing ploy by vendors looking to preserve their legacy platforms, while hybrid supporters say they are simply meeting the demands of the enterprise community.

But it seems that lost in the debate is one salient fact: that infrastructure, and even architecture, is quickly becoming a secondary consideration in the deployment of advanced data environments. Rather, many organizations are starting with the needs of the process they wish to support, and then working their way back to systems and applications. Sometimes this leads to a cloud-native solution, sometimes to a hybrid, and sometimes to physical, on-premises infrastructure.

In Microsoft’s recent State of the Hybrid Cloud report, the company noted that virtually all enterprises have either deployed a hybrid cloud or are planning to do so within the year. But what’s more interesting, says Redmond Channel Partner’s Jeffrey Schwartz, is the finding that nearly half of those who say they have yet to implement a hybrid actually already have one. Part of this is due to the confusion as to what constitutes a hybrid, but it also reflects the fact that IT deployment decisions are increasingly made by line-of-business managers these days, not IT, and they have little interest regarding the mechanics of their underlying infrastructure – they just want their processes to run.



The Business Continuity Institute


A worrying number of UK businesses have no formal plan to protect them from cyber attack and there has been no improvement from a year ago, according to a study conducted jointly by the Institute of Directors and Barclays.

The Cyber security: Ensuring business is ready for the 21st century report found that almost all companies (94%) think security of their IT systems is important, but only a little over half (56%) have a formal strategy in place to protect their devices and data.

The report shows that, despite a number of high-profile cyber attacks over the last year, more than one third (37%) of IoD members work in organizations without a formal cyber security strategy.

Given that the Business Continuity Institute's latest Horizon Scan Report identified cyber attacks and data breaches as the greatest concern to business continuity and resilience professionals, it is essential that organizations do more to protect themselves from such an incident, or equip themselves to respond to the likelihood that one should occur.

The new General Data Protection Regulation, which comes into effect in May 2018, will make organizations much more accountable for their customers' data, so the IoD and Barclays are urging business leaders to step up their preparations now. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.

Stephen Martin, director general of the IoD, said: "This report has revealed that business leaders are still putting cyber security on the back burner."

The amount of energy Apple used in data centers it leases from third-party providers more than quadrupled over the last four years, going from about 38,550 MWh total in fiscal year 2012 to more than 180,200 MWh in fiscal 2016, according to the latest annual environmental responsibility report the company released this month. Leased footprint now consumes close to one-quarter of Apple’s total data center energy consumption.

Fiscal 2016 was the first year Apple started tracking its exact energy use in colocation facilities using meters and reporting it as part of the company’s global footprint in its environmental report, offering for the first time a glimpse into the scale of its leased capacity and how quickly that scale has increased over the years.

This rate of growth illustrates just how much hyper-scale cloud platforms still rely on leased data centers, despite also spending enormous sums on building out their own server farms around the world every year. In addition, Apple’s focus on energy supply of these third-party facilities is an example of the growing demand for colocation services powered by renewable energy, which many providers and their customers have been observing recently.



Delivering exceptional customer experiences and product for your business take speed and flexibility. More than ever before, speed and flexibility are required from every part of your organization, business and IT alike. DevOps provides your business leaders, enterprise architects, developers and I&O leaders a philosophy to achieve, not only the velocity that customers desire but also drive innovation and enforces quality. One example is ING. The company is undergoing a major digital transformation in which DevOps is a primary driver supporting their transformation. ING CIO Ron van Kemenade has initiated DevOps as the vehicle to aggressively support ING’s evolving customer needs. At ING, technology is the beating heart of the bank.



Monday, 24 April 2017 14:43

DevOps, Invest For Velocity And Quality!

More often than she would like, Carrie Simpson fields a call from a panicked managed services provider (MSP) desperate for new business after realizing their sales funnel is near empty.

The owner of Winnipeg, Canada-based Managed Sales Pros is an expert at finding small businesses that want to buy managed IT services, and scheduling them for appointments with salespeople at MSPs.

Making that happen is a product of smart, grinding work behind the scenes – after which Simpson and her team are powerless to guide sales tactics that ultimately determine whether a deal closes.



Analytics is becoming a crucial element in the enterprise data ecosystem. It is one of the key drivers of the Internet of Things (IoT), and will undoubtedly provide key competitive advantages as the digital economy unfolds.

But it doesn’t come cheap, and it is by no means an easy process to master. So as the enterprise finds itself between the rock of an increasingly data-driven business model and the hard place of having to create a highly sophisticated analytics environment, it is understandable that many organizations are willing to launch this particular endeavor on the cloud.

According to the Harvard Business Review, nearly 70 percent of organizations expect to have cloud-based analytics solutions up and running by the end of the year. The reasons vary from improved decision-making and forecasting to greater speed and efficiency, but underneath the operational benefits is a simple fact: The cloud offers the means to launch analytics infrastructure quickly and at the scale required of modern production environments. To be sure, issues like data migration and lack of customization exist in the cloud, but these are generally seen as secondary considerations to the need to put analytics to work quickly before business models are disrupted by a more nimble, data-savvy competitor.



Amid ongoing political upheaval in Venezuela and a volatile geopolitical landscape elsewhere, the need for political risk insurance is rising to prominence for multinational companies.

AP reports that General Motors just became the latest corporation to have a factory or asset seized by the government of Venezuela.

GM said assets such as vehicles were taken from the plant causing the company irreparable damage.

To protect themselves against loss or damage to physical assets caused by political action and instability, businesses should consider purchasing political risk insurance.



An annual assessment of the nation’s day-to-day preparedness for managing community health emergencies improved slightly over the last year—though deep regional inequities remain.

The Robert Wood Johnson Foundation (RWJF) has released the results of the 2017 National Health Security Preparedness Index, which found the United States scored a 6.8 on a 10-point scale for preparedness—a 1.5 percent improvement over the last year, and a 6.3 percent improvement since the Index began four years ago.

The Preparedness Index analyzes more than 130 measures—such as hazard planning in public schools, monitoring food and water safety, wireless 9-1-1 capabilities, flu vaccination rates, and numbers of paramedics and hospitals—to calculate a composite score that provides the most comprehensive picture of health security and preparedness available.



Sustainable purchasing can improve supplier relations – and your business. ISO 20400 for sustainable procurement has just been published to help organizations make sustainable purchasing a way of life.

Procurement plays a large role in any organization, large or small. Who an organization buys from has just as big an impact on its performance as what it buys. Ensuring suppliers have sound and ethical practices – across everything from working conditions and risk management to their environmental impact – has the potential to not only make businesses work better, but to improve the lives of everyone in the communities where they are situated.

Sustainable procurement entails making purchasing decisions that meet an organization’s needs in a way that benefits them, society and the environment. It involves ensuring that a company’s suppliers behave ethically, that the products and services purchased are sustainable and that such purchasing decisions help to address social, economic and environmental issues.

ISO 20400, Sustainable procurement – Guidance, is the world’s first International Standard for sustainable procurement and aims to help organizations develop and implement sustainable purchasing practices and policies.



The Business Continuity Institute

It’s important to keep our business continuity plans up to date. That almost goes without saying. But what, exactly, do we mean by keeping our plans up to date?

Most organisations with a business continuity plan will assign someone to review it periodically - in particular, to check that the names and contact details of the various team members are kept up to date. Which is an important activity. But there’s a bit more to it than that.

There are essentially two reasons for reviewing and updating our plans.

Firstly, to ensure the plans’ content - the names, contact details, checklists, etc - remains current.

Secondly, and just as importantly, to ensure that the strategies and solutions that underpin the plans remain fit for purpose and continue to enable us to meet our continuity objectives. Which implies that now and again we need to review those objectives and the strategies and solutions that support them.

Many organisations focus entirely on the operational detail of the plans and neglect the strategic elements. If that sounds familiar, you might consider adding a periodic strategic review to your plan maintenance programme. Otherwise, whilst you might be able to contact people without too much difficulty, it may well be to tell them that the plan doesn’t work!

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Monday, 24 April 2017 14:16

BCI: An objective review ...

Sixty-four percent of security professionals doubt their organizations can prevent a breach to employees' mobile devices, a recent Dimensional Research survey [PDF] of 410 security leaders found.

The survey, sponsored by Check Point Software, also found that 20 percent of businesses have experienced a mobile breach, and another 24 percent don't know, or can't tell, whether they've experienced one.

Strikingly, 51 percent of respondents believe the risk of mobile data loss is equal to or greater than that for PCs.

"Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices," the report states.



Enterprises are loading up their data centers with hybrid flash storage systems in increasing numbers, according to a new survey from ActualTech Media commissioned by storage array maker Tegile Systems.

More than half (55 percent) of the 700 IT professionals polled for the study said they were using hybrid flash storage systems, which typically use a combination of solid-state drives and traditional hard disk drives to speed up data services, in their environments. Last year, 47 percent reported the same.

Meanwhile, all-disk storage systems are steadily losing their appeal. Adoption rates dipped from 41 percent in 2016 to 37 percent in the first quarter of 2016. All-flash environments remain relatively rare with a mere two-percent penetration rate.



Customer service departments in all industries are increasing their use of chatbots, and we will see usage rise even higher in the next year as companies continue to pilot or launch their own versions of the rule-based digital assistant. What are chatbots? Forrester defines them as autonomous applications that help users complete tasks through conversation.
While Forrester’s Consumer Technographics® data reveals that 60% of US online adults already use online messaging, voice, or video chat services, there are challenges to widespread adoption. We reached out to our ConsumerVoices Market Research Online Community members to better understand consumer impressions of chatbots and found that our respondents had a difficult time identifying clear benefits to interacting with them. Many prefer to communicate with a representative who can show real empathy, address more complex needs, and offer them assurance.

(TNS) - Six months after dangerous Hurricane Matthew buzzed up Florida’s Atlantic coast, storm experts are still debating why some people didn’t evacuate in the face of what became the 10th most destructive storm in U.S. history.

A clutch of coastal condo dwellers and beachfront homeowners refused to budge despite mandatory orders and unusual public pleas from South Florida hurricane hero Bryan Norcross and National Hurricane Center Director Rick Knabb.

They got lucky when Matthew delivered only a glancing blow, but how to better convey potential storm risk was a theme at Wednesday’s National Hurricane Conference in New Orleans where forecasters lamented ineffective messaging.



I am pleased to announce that the new for infrastructure and operations professionals is now live! This Wave evaluation uncovered a market in which four providers — Sungard Availability Services, Bluelock, IBM, and iland — all emerged as Leaders, although their strengths differ. Another five providers — HPE Enterprise Services (now DXC Technology), Recovery Point, Plan B, Daisy, and TierPoint — are Strong Performers. NTT Communications is a Contender.

To evaluate these vendors, we developed a comprehensive set of criteria in three high-level buckets: current offering, strategy, and market presence. The criteria and their weightings are based on past research and user inquiries. In addition to typical user demands, this Forrester Wave™ evaluation also has a few thought-provoking criteria such as the provider’s capability to deliver security services, real-time views through a readiness score, automated change management, and orchestration-led enterprise application recovery.



The Business Continuity Institute

Not only are many employees likely to share confidential information, but they are doing so without proper data security protocols in place or in mind, according to a new study by Dell. Today's workforce is caught between two imperatives: be productive and efficient on the job, and maintain the security of the organization's data. To address data security issues, organizations must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity.

The Dell End-User Security Survey indicates that among the people who work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and data security policies. This lack of clarity and confusion is not without merit, there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward.

Three in four employees say they would share sensitive, confidential or regulated company information under certain circumstances for a wide range of reasons,with nearly half (43%) saying they would do so when directed by management. Four-fifths of employees in financial services (81%) would share confidential information, and employees in education (75%), healthcare (68%) and federal government (68%) are also open to disclosing confidential or regulated data at alarmingly high rates.

"When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy," said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. "These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity."

The survey finds that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways. A quarter of respondents (24%) indicated they do so to get their job done and one-fifth (18%) say they did not know they were doing something unsafe. Only 3% of respondents said they had malicious intentions when conducting unsafe behaviours.

Further findings of the report include:

  • 45% of employees admit to engaging in unsafe behaviours throughout the work day
  • These behaviours include connecting to public wifi to access confidential information (46%), using personal email accounts for work (49%), or losing a organization-issued device (17%)
  • One in three employees (35%) say it is common to take corporate information with them when leaving a company
  • Employees take on unnecessary risk when storing and sharing their work, with 56% using public cloud services such as Dropbox, Google Drive, iCloud and others to share or back-up their work
  • 45% of employees will use email to share confidential files with third-party vendors or consultants

These findings help reinforce the theme for Business Continuity Awareness Week which highlights that cyber security is everyone's responsibility, and with a little more awareness on the right policies and procedures, we can all play a part in building a resilient organization.

The survey findings indicate that employees struggle with cyber security in the workplace because they do not want to see their organization suffer a data breach, but they also struggle with the limitations security programmes can put on their day-to-day activities and productivity.

"While every company has different security needs, this survey shows how important it is that all companies make an effort to better understand daily tasks and scenarios in which employees may share data in an unsafe way," says Hansen. "Creating simple, clear policies that address these common scenarios in addition to deploying endpoint and data security solutions is vital in order to achieve that balance between protecting your data and empowering employees to be productive."

Much ink has been spilled over United Airlines' latest public incident and social media's role in rapidly spreading video of a passenger being dragged off an airplane. Today's consumers are more polarized than ever and increasingly expressing their opinions and showing their own values in the way they spend their money. Brands worry about making missteps on social media and falling out of favor, prompting them to ask: "How can my brand respond to a social crisis?" In reality, the question they should be asking is: "How can my brand plan for any social crisis so that when it hits, our response is clear and automatic?"
Navigating today's social environment requires returning to crisis management basics. Brands with established and rehearsed crisis management plans — no matter the channel — will rise above the fray. In our latest Forrester report, "Social Crisis Management: Get Back To Basics," we discuss social crisis management 101:  

(TNS) - National Hurricane Center forecasts have evolved beyond the staid Saffir-Simpson wind scale that shoehorns tropical cyclones into tidy categories while ignoring flooding waters from sea and sky.

This hurricane season, an array of products will alert to killer storm surge, predict arrival time of damaging winds and show storm size.

One forecast map will warn of systems that have the potential for cyclonic wind-up, but have not yet developed into a storm.

It’s all in an effort to inform the public beyond Saffir-Simpson, but is the public ready to digest more than categories 1, 2, 3, 4 and 5?



According to a study by Indeed.com, conducted earlier this year, the severe shortage of skilled cybersecurity professionals continues. It’s estimated that a million security jobs are unfilled today, and that’s probably only going to get worse. This comes at a time when organizations are looking to increase their security spending and improve their security posture.

Yet, here is something that doesn’t make sense to me. Plenty of security talent is being developed in colleges and universities across the country. The National Collegiate Cyber Defense Championship held earlier this month highlighted that talent. From an original pool of 230 teams, a group from the University of Maryland, Baltimore County emerged as the winner after a final competition of the top 10 competitors. As CSO reported about the contestants of the cybersecurity event:

They have spent years honing their cyber skills, and some of the participants have some pretty interesting hacks ranging from an insulin pump and an electric car to a video surveillance camera in a school lab. Still others have hacked a connected avionics system that loads maps onto an airplane, an elevator, a McDonald's router, and even a beer kegerator.



The Business Continuity Institute


We have recently seen how quickly a crisis can impact on a business if not managed correctly by placing people at the heart of a crisis response.

The appalling treatment of a United Airlines passenger and the subsequent response from the company, showed a complete disregard for the very people who pay the wages, its customers. 

As crisis managers we all advocate the importance of plans and procedures to ensure that in the event of something going wrong, the crisis management teams responsible have a framework to guide them, however, at the heart of this has to be the right culture.

The power of the internet is immense and you only have one opportunity to set the tone of your response when something does go wrong. You should have clear processes, procedures and ways of working that staff fully understand, but most importantly you must have a culture that ensures that people are at the heart of what you do. 

If your customers are your number one priority, regardless of the nature of the incident, it is very likely your crisis managers will respond with that in mind.

I was reading an article during the past week written by Michael Balboni of Redland Strategies, and one of the keynote speakers at last year's BCI World Conference, where he highlighted the four key points to consider in your crisis communications. These points can be summarised as:

  1. Try to get out ahead of the story with statements like, "We are also concerned about the events as reported and are conducting an investigation."
  2. Whatever the message, be consistent. Changing statements leaves room for doubt on a whole bunch of aspects.
  3. Never attack the victim! Ever! The customer is the only reason that a business is in business, or a government official is in office.
  4. Respond to the internet firestorm with facts and apologies and a description of how you will try to prevent this situation from ever repeating. Never try to block people from commenting.

When you are next reviewing your ways of working and approach to crisis communications make sure you keep this in mind. Most importantly though remember: “It is not the employer who pays the wages. Employers only handle the money. It is the customer who pays the wages” --- Henry Ford.

Are you satisfied that your company culture sets the right tone to respond effectively to a major incident or crisis event?

Chris Regan is the Director of Blue Rock Risk Limited a specialist crisis and risk management consultancy. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email at This email address is being protected from spambots. You need JavaScript enabled to view it. or by telephone 0117 244 0154.

The Business Continuity Institute

Businesses large and small are being urged to protect themselves against cyber crime after new Government statistics found nearly half of all UK businesses suffered a cyber breach or attack during the previous year.

The Cyber Security Breaches Survey 2017 reveals nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions. The survey also shows businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51% compared to 37%).

The most common breaches or attacks were via fraudulent emails - for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments - followed by viruses and malware, such as people impersonating the organisation online and ransomware.

These new statistics show businesses across the UK are being targeted by cyber criminals every day and the scale and size of the threat is growing, which risks damaging profits and customer confidence.

Cyber security is a hot topic for business continuity and resilience professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

The Government survey also revealed that, of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed.

Firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.

Following a number of high profile cyber attacks, businesses are taking the threat seriously, with three quarters of all firms saying cyber security is a high priority for senior managers and directors; nine in ten businesses regularly update their software and malware protection; and two thirds of businesses invest money in cyber security measures.

Areas where industry could do more to protect itself include around guidance on acceptably strong passwords (only seven in ten firms currently do this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).

Ciaran Martin, CEO of the National Cyber Security Centre, said: "UK businesses must treat cyber security as a top priority if they want to take advantage of the opportunities offered by the UK’s vibrant digital economy The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities."

The firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.

Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest firewall security products incorporate a wide range of additional features.

“The latest firewalls can neutralize an attacker’s ability to use stolen credentials for lateral movement and network compromise,” said Navneet Singh, product marketing director at Palo Alto Networks. “This is done by enforcing multi-factor authentication at the network layer.”



The ever-dependable Barb Darrow at Fortune reported late last week that the OpenStack Innovation Center (OSIC) is to shut down. Cue wailing, gnashing of teeth, and portents of doom. But this may not be quite so bad as it appears, because the OpenStack Innovation Center isn’t nearly so critical to the open source cloud computing project as its name might imply.

Before I joined Forrester I used to post a short thought (almost) every day, commenting on some piece of news that caught my interest. The last of these, on 24 July 2015, was concerned with the then-new OpenStack Innovation Center.

I was unimpressed.

You see, the OpenStack Innovation Center isn’t an initiative of the OpenStack Foundation. Despite the name, it was only a joint initiative of two contributors to the OpenStack project - Intel and (OpenStack co-founder) Rackspace. They set up some clusters, for developers to test code. And they did some work to make OpenStack more enterprise-ready. Both efforts were useful, for sure. But both of these things were already happening in plenty of other places.



Most people can sort out what tangibles they need for a solid BCM program, but the following critical steps can make or break an enterprise in times of crisis. Without functional crisis management and effective preparations, your organizational resilience will be impacted, resulting in more than just higher costs or lost sales (see Strategic Issues Surrounding Your Organization’s Resiliency).

1.  Clarify Roles and Responsibilities

Numerous teams are organized and active during crisis events: Crisis Management, IT Emergency Management, Individual Recovery, Business Recovery, Communications, and more. Often individuals participate on several teams. Due to multiple tasks and efforts, individuals must clearly understand their roles and responsibilities – these are not necessarily based on job title. Individuals should be trained in roles and responsibilities at least annually.



Wednesday, 19 April 2017 15:11

4 Key Steps on the Roadmap to Resilience

Focal Point Data Risk, LLC (Focal Point), one of the largest pure-play data risk consulting firms in North America, today announced the release of the inaugural Cyber Balance Sheet Report. This first-of-its-kind research study uses in-depth surveys and interviews with corporate board members and chief information security officers (CISOs) to conclusively identify specific cyber risk issues resonating in boardrooms. Equally important, the unprecedented research reveals how CISOs and boards can quickly improve communication and collaboration in this critical area.

The Cyber Balance Sheet Report was independently produced, after several months of intensive research, by the Cyentia Institute (Cyentia), a cybersecurity research firm, co-founded by Dr. Wade Baker, who is widely recognized as the creator of the Verizon Data Breach Investigations Report (DBIR). In the study, Focal Point and Cyentia conducted comprehensive interviews with more than 80 board members, CISOs and subject matter experts. The report’s findings offer a rare window into the cyber risk dialogue in the boardroom, contrasting with many years of assumptions and security vendor characterizations.

“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”



Ransomware hits a particularly raw nerve because of its brazenness. A criminal breaks into a computing device and simply takes over, demanding money – usually paid in bitcoins – for providing the owner the privilege of accessing his or her own data.

The reality is that the ransomware story is more nuanced than the pure fear that idea engenders. Ransomware, according to experts, is not monolithic: There are levels of qualities to the malware and how it is delivered. The targets are far from helpless.

IT Business Edge sent emailed questions with important questions about ransomware to Jon Clay, the director of Global Threat Communications for Trend Micro; Chester Wisniewski, the principal research scientist at Sophos; and Kevin Haley, the director of Security Response at Symantec. The answers painted a picture of a very serious problem, but one that can be avoided if an organization uses best security practices.



(TNS) - Every spring, like azaleas at Pinehurst, questions begin blooming for Scot Brooks.

“It seems every year at about this time, people new to the area call and ask when they can expect us to test our tornado sirens,” said Brooks, the emergency management deputy director of Moore County, N.C.

“I explain to them that we don’t have sirens — at least not for tornadoes.”

Nor does any other county in the Cape Fear region. A check with emergency management directors in the region reveals that no countywide systems exist. In fact, none have ever existed, according to these directors.



Topping $5.7 billion. That’s the record cost of insured losses from severe thunderstorms and convective weather in the United States in the first quarter of 2017.

The latest figures come via Steve Bowen, director and meteorologist at Impact Forecasting, the catastrophe risk modeling center at Aon Benfield.

Here’s the chart (via @SteveBowenWx):



Wednesday, 19 April 2017 15:05

U.S. Thunderstorm Losses Add Up To Q1 Record

Over the last decade, huge growth in demand for Internet and mobile services has driven rapid transformation in digital businesses. This growth has been highly disruptive, and it has created new business opportunities and challenged the status quo.  In the data center, two forces have created much of this change:  the evolution of virtualization and the rise of cloud computing.

Latest-generation technologies in computing hardware and software platforms, including but not limited to unified computing, pervasive virtualization, containerization, new rack designs, disaggregation of compute resources, improved telemetry and analytics have all added to lowering the total cost of ownership (TCO) but also greater return on investment (ROI).  This has set the stage for agile infrastructure and a further explosion in the number and type of instrumentation metrics available to today’s data center managers.

Optimization, as applied to data centers, means always having the right amount of resources, to cost-effectively enable the business use of those data centers. Right resourcing means, in effect, enough to get the data center “job” done, but not so much as to waste money. Everything from enough power and floor space to enough “computes,” and everything else. Easily said, but increasingly challenging to accomplish.



NEW YORK, NY –  Duff & Phelps, the premier global valuation and corporate finance advisor, today highlighted research affirming that financial services professionals are poised to significantly accelerate resources dedicated to preventing and combating cyber breaches. The survey of nearly 200 senior financial services professionals included the following highlights:

  • 86% of financial services firms intend to increase the time and resources they spend on cybersecurity in the next year.  This contrasts with 2016, when less than 60% said they planned to spend more resources and time on cybersecurity planning and initiatives.
  • 31% of respondents expect cybersecurity to be the top priority for regulators this year - a 63% increase over 2016 when just 19% of respondents held this view.
  • 21% of respondents believe that Anti-Money Laundering and “Know Your Customer” considerations – which are increasingly converging with cybersecurity and technology – will be a top regulatory focus.



Our latest case studies in business continuity management and planning focus on banking customers.

PlainsCapital Bank—a subsidiary of Hilltop Holdings—is the sixth-largest bank in Texas. They maintain a statewide presence with approximately 1,500 employees and nearly 70 commercial and retail locations. Their diverse range of service includes commercial banking, treasury management, private banking, wealth management, and consumer banking. The Business Continuity Planning team includes Operational Risk Manager Jay Geppert and Operational Risk Analyst Jessica Camacho. They are responsible for the bank’s Business Continuity, Vendor Management, and Operational Risk programs. Together, they coordinate annual tests of critical departments and applications and work with business unit managers to update plans for their Business Continuity Committee, Information Systems Steering Committee, and other senior management officials. The company invested in ResilienceONE from Strategic BCP to help elevate planning to a strategic level within the organization. Planning has shifted to a functional approach in-line with overall corporate objectives. The system helps ensure consistency of the operational risk management framework, allows for effective implementation across business units, meets operational and regulatory requirements, and prepares the organization for future growth—all while adapting to the changing demands of a dynamic corporation. Read the full case study including the expanded benefits to the team and the organization.



Forty-one percent of enterprises have an encryption strategy applied consistently throughout the organization (up from 37 percent last year), according to the results of Thales' 2017 Global Encryption Trends Study.

The report, based on a Ponemon Institute survey of more than 4,800 people across several industry sectors, also found that 46 percent of respondents perform encryption on-premise prior to sending data to the cloud, and 21 percent encrypt in the cloud using keys they generate and manage on premises.

Surprisingly, 37 percent of enterprises turn over complete control of keys and encryption processes to cloud providers.



Scenario planning, in which you seek to identify higher risk and higher probability causes of business interruption, attracts both supporters and cynics.

One of the criticisms levelled at scenario planning is that it often results in business continuity plans that are hard to manage and keep up to date.

Complexity rises exponentially with the number of scenarios being considered.

On the other hand, viewing BC purely in terms of impacts to be avoided (effects rather than causes) calls for faculties of imagination and vision that may surpass what some organisations can muster.

The best way forward may be to combine the strengths of both and in parallel eliminate their weaknesses.



Security remains one of the biggest roadblocks for enterprises to move to the cloud, numerous studies and research firms have stated.

We often talk about security as one thing, but in actuality, it is quite multifaceted. That’s why it’s important to distinguish between layers of security in a public cloud environment — and why concerns about data security and public clouds must be taken seriously.

As 451 Research concluded in a recent report, leading public cloud providers, such as Amazon Web Services and Azure, have very good security. They have to. They are “secure by default because they have a vested business interest in being as durable as possible,” 451 says. Again, I agree. Public cloud providers do a great job of traditional network and operational security.

In today’s world, and especially in the cloud, that’s not good enough anymore. While the cloud environment may be secure, the data inside that environment may not be. If the database you’re using lacks comprehensive, hardened security, you’re still at risk. You can’t read the news without seeing numerous data breaches that underscore this fact.



Tuesday, 18 April 2017 16:12

Move to the Cloud, but Mitigate Risk

Data-centric protection and security focuses on the organization’s sensitive data (as opposed to its overall computer networks and applications). This is accomplished by locating, identifying, and cataloging sensitive data as well as by applying encryption, data masking, and policy-based data access controls (and end-user monitoring) to protect data residing across multiple enterprise environments.

To what extent are organizations adopting, or planning to adopt, data-centric protection and security practices? In a recent Cutter Consortium survey, Senior Consultant Curt Hall asked 50 organizations about their data protection practices to shed some light on this important question.

As shown in the figure below, more than a third (37%) of surveyed organizations currently have data-centric protection and security practices in place.



No. The buy side market is nowhere near maturity and will continue to be a greenfield opportunity to many BI vendors. Our research still shows that homegrown shadow IT BI applications based on spreadsheets and desktop databases dominate the enterprises. And only somewhere between 20% and 50% of enterprise structured data is being curated and available to enterprise BI tools and applications.

The sell side of the market is a different story. Forrester’s three recent research reports are pointing to a highly mature, commoditized and crowded market. That crowded landscape has to change. Forrester is making three predictions which should guide BI vendor and BI buyer strategies in the next three to five years.



(TNS) - Several communities in the mid-Hudson (N.Y.) are spending more than $40 million to get ready for the next weather disaster.

Sixteen municipalities have crafted plans to make their communities less vulnerable to the kind of devastation left behind by Hurricane Irene, Tropical Storm Lee and superstorm Sandy in 2011 and 2012.

Communities slammed by the storms picked up the pieces, and when New York state and the federal government offered help, they took it.

The state pulled together federal funding streams and channeled them through the Governor's Office of Storm Recovery into a program called the NY Rising and Community Reconstruction plan.



2017 has so far been a wild ride of change. Companies are navigating through a new U.S. administration, Brexit and cyber risks that are more daunting each day. We are bombarded with uncertainty and unchartered waters. Nevertheless, it’s a great time to be a risk manager.

This kind of disruption is the reason many of us got into the risk and insurance industry.  Addressing disruption is what we do best. According to a recent CNN report, in fact, Risk Management Director is the number-two Best Job in America for 2017. Recognizing the meaningful contributions and rewarding work of a risk manager, the report highlighted the role in “identifying, preventing, and planning for all the risks a company might face, from cybersecurity breaches to a stock market collapse.”

In the midst of a riskier environment, the insurance industry that serves risk managers faces highly competitive market conditions. The result is more choices and better services for the risk management community. Now is the time for the risk manager to take the lead.



Tuesday, 18 April 2017 16:08

It’s a Great Time to Be a Risk Manager

A consistent challenge that I have heard from Business Continuity Professionals over the past 20 years is mastering the art of getting buy in, and engagement, from their colleagues.  As business continuity practitioners, you have chosen a very rewarding career.  We all know how important your job is to the organization.  However, some of your colleagues don’t always recognize it and they must be constantly reminded of how important business continuity is.  You and I know that you’re the glue that keeps things together during an incident, however large or small.

You’re constantly engaging management teams in Human Resources, Safety & Security, Information Security, IT, Facilities, Property Management, Legal, Executive Management, as well as, Local Law Enforcement, Public Information Officers, and Social Media Administrators. Oh my goodness, if that is not enough to do, you must also ensure that your planners have updated their plans, prepared for audits, prepared for tests, and most importantly deal with real incidents that can happen at any time of day.



Tuesday, 18 April 2017 16:07

For Continuity Sake……

BATON ROUGE, La. — Louisiana schools will soon close for summer and the elimination of a normal routine may increase the need for crisis counseling for both adult and child survivors of the August floods.  Free disaster crisis counseling is available through Louisiana Spirit, a program administered by the state and funded by a FEMA grant.  If you wish to speak with the counselors call 866-310-7977.

Children should keep a routine and positive focus in the recovery process of disasters. Both are recommended by a number of children-focused organizations working on the Louisiana recovery.  Summer camps, sports and outdoor adventures are good options to keep your child active and engaged.

In Louisiana, FEMA has been working with federal partners, including the U.S. Department of Education, nongovernmental organizations, pediatric experts and external stakeholders to ensure the needs of children are considered and integrated into disaster related efforts initiated at the federal level. The work is underway and will continue for as long as it takes.

Louisiana Spirit crisis counselors also go door-to-door in disaster-affected areas to provide services for both adults and children. In Louisiana, the program is working side-by-side with the Metropolitan Human Services District in New Orleans, the American Red Cross and other organizations. For more information, visit dhh.louisiana.gov/index.cfm/page/201.

Eighty-six percent of financial services firms plan to spend more time and resources on cyber security in the coming year, a recent Duff & Phelps survey of 183 senior financial service professionals found.

That's a significant increase from 2016, when less than 60 percent of firms said they planned to do so.

Similarly, 31 percent of respondents said they expect cyber security to be the top priority for regulators this year -- a 63 percent over 2016, when just 19 percent expected it to be the focus.



Insurers are moving away from the rate cuts of 2016, according to online insurance exchange MarketScout’s take on the first quarter 2017 rate environment.

For the first time in 20 months, the composite rate index for commercial accounts in the United States measured a rate increase at plus 1 percent, MarketScout said.

Richard Kerr, CEO of MarketScout:

“The plus 1 percent composite rate index was driven by larger rate increases in commercial auto, transportation, professional and D&O rates. We also recorded small rate increases in the majority of coverage and industry classifications.”

Rates for business interruption, inland marine, workers’ compensation, crime, and surety coverages held steady in the first quarter. Rates for all other coverages either moderated or increased.



Monday, 17 April 2017 14:44

Commercial Insurance Prices Moving On Up

Cyberattacks have pretty much become a part of every day life.  Security firm ForeScout’s State of Cyber Defense Maturity Report found that more than 96 percent of organizations experienced a major IT security breach in the past year. One in six organizations had five or more significant security incidents in the past 12 months, and almost 40 percent had two or more incidents.

“The media reports of stolen information or compromised networks are almost a daily occurrence,” wrote Ray Boisvert, president of I-Sec Integrated Strategies. “The stories are increasingly alarming and the trend line is troublesome.”

How you respond, though, is the key factor. Here are several tips on how to disinfect your data center and beef it up against further attacks.



Monday, 17 April 2017 14:43

Tips for Disinfecting Your Data Center

The city of Dallas, Texas boasts 156 emergency weather sirens throughout the entire city charged with warning residents when there is an imminent threat from a tornado or other severe weather. On Friday, April 7, 2017 Dallas residents were startled awake when every siren in the city was activated at the same time. The sirens blared for more than an hour and half before city officials were able to manually turn them off. The reaction from the 1.3 million residents was predictable; over 4,000 calls to 911 flooded the city’s emergency response lines. Wide-spread panic eventually turned into irritation as residents were informed there was no danger, just a system malfunction. It wasn’t until later that an investigation revealed hackers had in fact manipulated the wireless radio system behind the alerting system, triggering these alarms.

In light of this discovery, a new concern has emerged surrounding the security of emergency communication protocols as evidenced by this hacker’s ability to override the security of the city’s critical infrastructure. This is not the only city where a breach like this has occurred, and the array of system infrastructure that can be impacted by such attacks raises serious concerns about the effectiveness of all emergency communication tools—with good reason.



Three very different brands with an unfortunate commonality: Each has recently incurred the wrath of a growing segment that Forrester calls the values-based consumer.

Last week at Forrester’s Consumer Marketing Forum, my colleague Jim Nail and I launched a new line of research. It helps marketers manage the trend of consumers looking beyond the direct, personal benefits they receive from a brand to also value the brand’s impact on society and the world. Paired with Anjali Lai’s powerful companion data report on how empowered consumers’ decision making is changing, this set of research represents a new dimension of Forrester’s overarching thesis on the age of the customer.

To be “customer obsessed,” brands need to do more than study their customers’ technology habits and the digital data they have about them, and even go beyond delivering extraordinary experiences. These are things all companies are trying to do today and will differentiate brands just until their competitors catch up. Increasingly, brands will be evaluated beyond the sum of their features, benefits, personality, and positioning. Tapping the increased transparency created by social technologies, consumers are able to choose brands that reflect their own beliefs on issues related to their personal interpretation of societal impact.



Increasing globalization and the growing world market presents employees with opportunities to travel and experience new countries and cultures. With travel comes risk, however. In the event of an unforeseen incident, it is an organization’s top priority to ensure its employees are safe and out of harm’s way.

By following proactive travel risk management strategies, employers can help ensure not only the safety of their employees abroad, but also the success of their businesses while avoiding major financial, legal and reputation costs. When developing travel policies, companies must consider the health, safety and security risks that their employees could encounter.



The Business Continuity Institute

Ever wondered what all the different terms or acronyms relating to business continuity mean? Now the Business Continuity Institute has made it easier for you to find out with the creation of its joint BCI DRJ Glossary of Business Continuity Terms.

This new glossary is a result of merging the definitions from the ‘Business Continuity Glossary by DRJ’, the BCI’s Dictionary of Business Continuity Management Terms and the glossary in the Good Practice Guidelines.

The combined glossary contains all terms approved by the DRJ Editorial Advisory Board’s Glossary of Terms Committee, which includes representation from the BCI. This joint effort is evidence of the continuing and deepening partnership between DRJ and the BCI. The glossary is one of many resources available as part of our knowledge bank, and it can be downloaded from the BCI website.

Does it sound strange that many organisations believe they are exposed to major problems with Internet of Things device security, yet few of them have taken any measures to resolve those problems?

IoT devices are increasingly part of business life, as businesses use them for the remote monitoring and control of industrial machines and systems, or they fall into the BYOD zone, where personal and professional data may coexist (for example, Apple Watches and other wearables).

A recent survey by Ponemon Institute showed how much of a problem there could be.

According to the survey results of over 500 IT and IT security practitioners:



United Airlines stock tumbled nearly 4% in early trading Tuesday morning before recovering late in the day as the company continued to deal with fallout after video surfaced showing a passenger being forcibly dragged from a United flight at Chicago’s O’Hare International Airport. United shares were down by as much as 6% in premarket trading Tuesday morning, according to MarketWatch.

Shocked viewers responded with universal outrage Monday to a video appearing to show a 69-year old man being brutally dragged off his flight by three uniformed officers from the Chicago Department of Aviation, one of which has since been placed on leave. The man’s face was bloodied and he appeared disheveled as officers dragged him along the narrow aisle of the plane.

“The incident on United flight 3411 was not in accordance with our standard operating procedure and the actions of the aviation security officer are obviously not condoned by the Department,” the agency said in a statement. “That officer has been placed on leave effective today pending a thorough review of the situation.”



Last month HPE announced its plans to acquire Nimble and double down on its move into “the fast-growing flash market” for the enterprise. Days later Dell EMC announced it would drop its DSSD flash offering for big data and HPC because the market is too small.

Although Dell EMC “found little market” for DSSD, don’t be deceived about whether or not there’s a market for big data flash storage. There is and it’s growing.  In the HPC space, where DDN Storage plays, we continue to see a clear and growing need for flashed-based innovation. DDN’s Infinite Memory Engine (IME) flash offering is seeing strong demand.

Alongside traditional labs such as the Joint Center for Advanced High Performance Computing (JCAHPC) and Oak Ridge National Laboratory, and the more traditional high-end academic high performance computing (HPC) research, there’s also growing interest within enterprise organizations who want to to speed up their HPC-like workflows.



Thursday, 13 April 2017 16:28

What’s Next for Big Data Flash Storage?

While the social media firestorm following the forcible removal of a passenger from a United Airlines flight highlights the importance of crisis and reputation risk management, it also underscores the potential liability airlines face from balancing duties to their customers, employees and to shareholders.

USA Today reports that three things govern a carrier’s relationship with its passengers: contracts of carriage, the U.S. Department of Transportation and laws approved by Congress:

United’s dispute with a passenger forcible removed from a Sunday flight shines a spotlight on the contracts that set rules and expectations between carriers and travelers.



(TNS) - Annapolis has hired a company to carry out design of flood mitigation plans in an effort to reduce nuisance flooding downtown at City Dock.

The design phase begins a multi-year process for a two-phase project along City Dock to reduce and prevent nuisance flooding. This flooding, primarily due to rising sea levels, is what causes City Dock to sometimes feel partially underwater as water bubbles up through storm drains and overtakes parking along Dock Street and other downtown areas.

Annapolis has an average of about 39 nuisance flooding days a year, according to data between 2007 and 2013 collected by the National Oceanic and Atmospheric Administration.



This is a bit concerning. Officials in Dallas said the city’s warning system was hacked late on Friday night, disrupting the city when all 156 of its emergency sirens sounded into the early hours of Saturday morning. The Dallas Emergency Sirens started going off around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday. This created a sense of fear and confusion, jarring residents awake and flooding 911 with thousands of calls. The sirens are meant to alert the public to severe weather or other emergencies, but was interpreted by some as a warning sign of a “bomb or something, a missile.” The city said that every time that they turned it off, it would sound again as the hacker kept bombarding the system.

The system was still down on Saturday afternoon, and officials said they hoped to have it functional again by the end of the weekend. They said they had pinpointed the origin of the security breach after ruling out that the alarms had come from their control system or from remote access.



Over the past few weeks, hackers have leveraged passwords exposed in high-profile breaches to compromise Amazon third-party sellers' accounts, the Wall Street Journal reports.

The attackers have stolen tens of thousands of dollars from sellers' accounts, and have also used the accounts to post nonexistent items for sale in order to steal more funds.

More than two million seller accounts on Amazon.com account for more than half of its sales, Fox Business reports, and over 100,000 of those sellers earn more than $100,000 a year.



NEW YORK — Employees and third-party services are most likely the weakest links in a company’s cyber security system, but regular risk assessments can help prevent information leaks, a financial services regulatory attorney said last week. 

“Employees are the sources of many compromises within companies, much more so than the Chinese hackings that we read about every day,” said Jeffrey Taft, a partner with Mayer Brown during a conference Wednesday at the firm’s New York office. “It’s probably 20 times more likely that somebody in this room will be penetrated by employee malfeasance or negligence than any Chinese hacker. There’s a heck of a lot more you can do to keep your employees from leaking information than the Chinese hackers.”

Mr. Taft gave the attendees an overview of the New York State Department of Finances Cyber Regulations, which became effective March 1.




LaPedis RonBy Ron LaPedis

I attended Spring World DRJ at Disney’s Coronado Springs Resort during the last week of March. Their 56th conference had over 60 sessions with 75 speakers, split between general sessions, breakout sessions, workshops, and a Senior Advanced Track which was sponsored by the Business Continuity Institute. Disaster Recovery Journal has morphed from an IT disaster recovery conference to an all-hazards business continuity training camp. Some of the most interesting sessions this year covered topics such as:

  • Linking cyber to business continuity
  • Lunch with your auditors
  • Effective risk management
  • Supply chain resiliency
  • Effective exercise design
  • Using the Incident Command System (ICS)
  • Active shooter incident response

My job at Micro Focus is to work with our sales teams so that they can have topical conversations about cyber security and risk management with their customers. At the end of the day, Micro Focus sells software and hardware. However, customers don’t buy software and hardware, they buy solutions to their problems – and unless I know what problems they are facing, I cannot help. This means open-ended questions and drilling down until I can understand the real problem – and not just the symptoms that the customer might think are his problems. Of course, as technology advances the problems evolve, which means I need to keep up with the latest trends.


Continuing Education Is Not Only a Good Idea, It’s the Law

DRJ2I have a lot of letters after my name. Most of them require me to earn continuing education units or CEUs every year. But earning CEUs is not the point; earning CEUs which add to my understanding of the business continuity and cyber fields is the point. One of my favorite presenters and authors is Regina Phelps, who is the queen of realistic tabletop exercises. Her latest book details how to develop a realistic cyber exercise. And just like real life, you may not come out of an exercise with the perfect solution – but it will make you think (and perhaps realize how far you need to come in your planning!)

Step Right Up to the Micro Focus Chalk Talks!

Have you checked out the Micro Focus chalk talks? These are a fun way to learn about our solutions to many of your organization’s problems to build, operate, and secure your computing infrastructure. They cover a handful of different solution areas and each runs about five minutes. This means that they are easy to fit in when you need a kicker to help ping your brain when you are trying to address one of your work problems.

And when you are ready to chat with us, we’ll have someone waiting by the phone ready to solve your hardest problems. As a FTSE 100 company, we have offices all over the world.

Republished with permission of Micro Focus at https://blog.microfocus.com/drj-spring-world-2017/.

Thursday, 13 April 2017 15:42

Preventing Disaster, One Attendee at a Time

The Business Continuity Institute

The vast majority of small to medium sized enterprises (86%) have less than a tenth of their total IT budget allocated to cyber security, while 75% have between zero and two IT security staff members, according to the results of a survey by EiQ Networks.

The survey also noted a significant drop in confidence over the past two years. In 2015, more than a quarter of respondents (27%) expressed confidence in their security posture, but in 2017 less than 15% said they feel confident that their currently deployed technologies will be successful in detecting and responding to attacks.

Vijay Basani, founder and CEO of EiQ Networks, commented "One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget, despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few."

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis."

Cyber security is as much of an issue for SMEs as it is for larger organizations with the Business Continuity Institute's latest Horizon Scan Report revealing that businesses of all sizes share the same concerns. A global survey identified the top three concerns for both SMEs and large organizations as cyber attack, data breach and unplanned network outage.

Further findings of the study were that just under half of respondents (45%) were breached or believe they were breached at least once in the past year, while just over half (56%) feel they're unprepared to identify and respond to a security incident. Three-quarters of respondents (75%) said they're concerned about protecting customer data, and two-thirds (67%) are concerned about protecting personally identifiable information.

Thursday, 13 April 2017 14:48

BCI: SMEs underfunding cyber security

It’s no secret that strategy and finance need to work together to encourage growth – in fact, last year, both corporate functions cited integrating their planning as a top priority. Yet new research suggests that they need a third partner, risk, to move beyond incremental earnings increases and achieve long-term efficient growth.

Why risk? Because risk is the essence of growth.

CEB recently investigated companies that have consistently outgrown their industry peers while making simultaneous margin improvements. Just 60 companies we studied demonstrated this kind of “efficient growth,” and the single biggest differentiator of these profitable growers was their ability to allocate capital to bigger, riskier bets. Their R&D portfolios were disproportionately weighted toward transformational innovation projects, and their M&A deals were 40 percent larger on average.



Wednesday, 12 April 2017 15:24

Rethinking Risk to Achieve Efficient Growth

OMG!  If you were ever going to want your crisis team to be “on it”… it would be in a case like this.  And of course, you already know, United apologized on Tuesday and said it would review its policies. Really…after videos showed a passenger being forcibly removed from a full plane to make room for its own employees, setting off public outrage. I understand the need to reposition staff but really?!?!?!

Oscar Munoz, the company’s chief executive, said in a written statement that United would take “full responsibility” for the situation and that “no one should ever be mistreated this way.” He committed to making changes to ensure that the situation would not repeat itself, adding that United would conduct “a thorough review of crew movement, our policies for incentivizing volunteers in these situations, how we handle oversold situations and an examination of how we partner with airport authorities and local law enforcement.

That’s it?  Really?



The long-time goal of first responders and the ecosystem supporting them to create a nationwide broadband network is close to fruition, though it likely will fall short of expectations.

On March 30, AT&T announced that it had been selected by the First Responder Network Authority (FirstNet) to build the network, which it said will cover “50 states, 5 U.S. territories and the District of Columbia, including rural communities and tribal lands in those states and territories.”

The rationale for a discrete network is simple: Today, first responders use commercial networks that tend to be overwhelmed when a crisis occurs. Work on the project is expected to begin later this year and create 10,000 jobs.



Data breaches don’t seem to attract our attention much these days; commonplace activities often lead to complacency. Remember that your organization will, if it has not already, have some type of data breach. Depending on the type and scope of the data breach, costs can quickly reach millions of dollars. This is an event you should have a specific plan for – at a minimum, you should include a detailed section in your Crisis Management Plan.

Here are the minimum items to consider:

1. Response Team

This is the team that will monitor and manage the event itself, not the individuals performing any investigative or forensic tasks. Often this team will be composed of senior leadership who have a corporate or organizational view of impacts. Others may be brought in to provide support or information. The roles to be filled for this team are:



Wednesday, 12 April 2017 15:19

Data Breach Response Planning: A Guide

Former Gen. Stanley McChrystal’s Team of Teams is an excellent book about leadership and the need to adapt to changing circumstances. In the book, he explains how the U.S. Special Operations Task Force in Iraq had to become a more nimble and networked organization to combat al-Qaida. Many of the lessons and strategies discussed are directly relatable to other disciplines, including emergency management.

The importance of networks within emergency management is not a new concept, as our thinking has evolved to embrace “whole community” partners, including the private sector and nonprofit organizations. Although a fair amount of effort has gone into the idea of networked emergency management, I would like to offer some additional perspectives on what it means to be a networked emergency manager. In doing so, it is helpful to consider the management consulting theory that organizational success stems from three factors: people, process and technology.    

In terms of people, the networked emergency manager must be willing and able to work with people and all types of personalities. Building and maintaining relationships takes time, but it is well worth the effort, particularly when you need to rely on other people for information or assistance during an emergency. Emergency managers also play an important role in helping to organize people and in bringing different groups and individuals together to tackle problems, often during a crisis. Investing in these people and relationships ahead of time will help build trust and increase the likelihood of success when it matters the most.



Wednesday, 12 April 2017 15:18

The Networked Emergency Manager

Dallas residents were wide awake and in a state of confusion late Friday night when the city’s outdoor emergency system was hacked, causing all of its 156 alarms to blast for an hour-and-a-half until almost 1:30 a.m.

With some interpreting the warning as a bomb or missile, a number of residents dialed 9-1-1, but the number of calls—4,400 in all—overwhelmed the system, causing some callers to wait for up to six minutes for a response, the New York Times reported.

The alarms blasted for 90-second durations about 15 times, Rocky Vaz, the director of the city’s Office of Emergency Management, told reporters at a news conference.

Mr. Vaz said emergency workers and technicians had to first figure out whether the sirens had been activated because of an actual emergency. And turning off the sirens also proved difficult, eventually prompting officials to shut down the entire system.



Millions of student, staff and faculty email addresses and passwords from 300 of the largest universities in the United States have been stolen and are being circulated by cyber criminals on the dark web, according to a recent report. 

Hacktivists, scam artists and even terrorists intend to sell, trade or just give away the addresses and passwords, said the Digital Citizens Alliance report. 

During eight years of scanning the dark web—the portion of the Internet not indexed for open searches, where criminals covertly operate—researchers from the security firm ID Agent discovered nearly 14 million addresses and passwords belonging to faculty, staff, students and alumni available to cyber criminals. Of those, 79 percent of the credentials were placed there within the last year.



Business no longer controls all its data, now that the data is spread out over systems that could be in-house, in the cloud, or in somebody’s pocket.

From the mainframe era when two people controlled everything (the person who knew about the mainframe and the person who had the key to get in), organizations are now faced with situations in which data could be here, there, or anywhere.

Part of this is deliberate: wider, more flexible access to data can help people do their jobs better, and different storage solutions can help cut costs. But as the following anecdote shows, business continuity needs to adapt too.

The story comes from IBM executive Michael Puldy who describes how he had a close brush with catastrophe in his article “The Importance of a Personal Business Continuity Plan”.



Between the need to protect corporate data and regulations requiring that consumer data be protected, organizations are under more pressure than ever to keep their data safe. Data loss prevention (DLP) technology can help.

And regulations like the EU General Data Protection Regulation (GDPR) are upping the stakes. GDPR assesses hefty fines – up to 4 percent of global revenues – for failing to adequately protect consumer information, especially medical and financial data.

With a deadline of May 25, 2018, it's a daunting task for companies to plug all the leaks in their information systems in time, and global companies are panicking, according to Angel Serrano, senior manager of advanced risk and compliance analytics at PwC UK in London, who's also a active in ISACA, a professional organization focused on risk management and information security.



Early 2017 Atlantic hurricane forecasts are predicting fewer storms, but here’s why coastal residents shouldn’t let their guard down.

Colorado State University’s (CSU) Tropical Meteorology Project: “Coastal residents are reminded that it only takes one hurricane making landfall to make it an active season for them, and they need to prepare the same for every season, regardless of how much activity is predicted.”

London’s TSR (Tropical Storm Risk): The precision of hurricane outlooks issued in April is low and large uncertainties remain for the 2017 hurricane season.

Forecasters believe development of potential El Niño conditions in the coming months will suppress storm activity.



About this time every year, Swiss Re publishes the data on the previous years total economic losses and global insured losses from natural catastrophes, man-made disasters.  Turns out that 2016 was the highest since 2012, reversing the downtrend of the previous four years.

Globally there were 327 disaster events in 2016, of which 191 were natural catastrophes and 136 were man-made. In total, the disasters resulted in economic losses of USD 175 billion, almost double the level in 2015.

In terms of devastation wreaked, there were large-scale disaster events across all regions, including earthquakes in Japan, Ecuador, Tanzania, Italy and New Zealand. In Canada, a wildfire across the wide expanses of Alberta and Saskatchewan turned out to be the country’s biggest insurance loss event ever, and the second costliest wildfire on sigma records globally.



Hybrid computing models are starting to infiltrate enterprise data environments as organizations seek to leverage both public and private cloud infrastructure. But while this may seem to diminish traditional in-house data centers, it’s actually the outsourcing industry that has reason to worry.

According to Gartner, hybrid infrastructure will feature prominently at 90 percent of data-driven organizations by 2020, leading to a nearly three-fold increase in the cloud computing market to $68.4 billion. At the same time, spending on data center outsourcing (DCO) is expected to contract from today’s $55.1 billion to $45.2 billion. At the moment, DCO and infrastructure utility services (IUS) make up about half of the $154 billion data center services market, but this is expected to drop to a third by 2020 as hosting and cloud-based IaaS models gain in popularity.

What this means is that while organizations continue to reduce their direct management of physical-layer infrastructure, they will reassume control of their higher-level data and services architectures. But this transition is not without its challenges. A recent study by 451 Research noted that management aspects like cost containment, data migration and security are top concerns in the hybrid cloud, and are producing the most divergent responses. Some organizations, for example, pursue multi-vendor strategies to address these difficulties while others say they have greater success with single-vendor solutions. As well, hybrid cloud adoption is being driven by distinct challenges within vertical industries and national boundaries, with some organizations vexed by erratic user demand while others are faced with limited compute and storage capacity.



Monday, 10 April 2017 14:41

Keeping Control of the Hybrid Enterprise

It’s typical for hyper-scale data center operators like Amazon to build their own infrastructure technology when it isn’t available on the market or when they feel they can make it cheaper on their own.

One piece of technology Amazon built in-house is meant to circumvent what one of the company’s top infrastructure engineers described as misplaced priorities in the way electrical switchgear vendors design their products.

It is this problem that likely caused last summer’s Delta data center outage that ultimately cost the airline $150 million, as well as the infamous 2013 power outage during Super Bowl. And John Hamilton, VP and distinguished engineer at Amazon Web Services, has seen this type of failure in data centers he has overseen during his career.



Identity and access management (IAM) are more important than ever in an age when passwords can be hacked in minutes, corporate data breaches are a daily occurrence and cybercriminals have successfully infiltrated many top government and large-scale enterprise systems. It requires only one hacked set of credentials to gain entry into an enterprise network, and that’s just too easy for the bad guys.

A study by security firm Preempt noted that 35% of the passwords linked to a recent recent LinkedIn breach were identical to those used for other accounts. The remaining 65% could be cracked with unsophisticated brute force cracking hardware. The challenge for organizations, then, is to go beyond mere passwords to encompass all aspects of identity and access control, and that's where IAM comes in.



Here’s a short post, ideal for illustrating the simple but not always easy principle of minimalism:

Whatever you have, chances are you don’t need it all. You don’t need all the data you may be asking for, or for that matter, giving out. Medical forms and even veterinary offices often ask for social security numbers, though there are few cases where a medical facility needs that information. Many forms ask for a driver’s license, though they have no need for that information.

Conversely, companies don’t always think through the data they collect on their websites, in their products or from their employees. Look at what you have, what you collect, and where you keep it and realize the following:



The Business Continuity Institute

Business Continuity Awareness Week is now only a little over a month away and we would really like you to get involved. To help incentivize you, this year we are launching two competitions, each one giving you the chance to win a £250 Amazon gift card.

What could I do to improve cyber security?

Our BCAW posters offer six simple tips on how individuals can improve cyber security within their organization. What we want from you are more suggestions on what each of us could do to help make our organizations more cyber secure.

Email your suggestions to This email address is being protected from spambots. You need JavaScript enabled to view it., and each submission will be in with a chance of winning a £250 Amazon gift card.

The winning tip will be chosen by our communication sponsor for BCAW - Everbridge.

My experience of a cyber security incident

For our second competition we are looking for something a bit more substantial - case studies.

Has your organization experienced a cyber security incident, how did you respond, what was the impact on your organization? It doesn't need to be a lengthy document and you can of course anonymise it if you wish.

Submit your case study to This email address is being protected from spambots. You need JavaScript enabled to view it. and again you will be in with a chance of winning a £250 Amazon gift card. The winner will be drawn at random.

(TNS) — Here's some welcome news for most Floridians: The upcoming hurricane season could be slightly below average.

In fact, we could see as few as four hurricanes.

An early forecast from scientists at Colorado State University's (CSU) Tropical Meteorology Project concluded that a weak or moderate El Niño is likely by the height of the Atlantic hurricane season, along with cooling temperatures in the tropical Atlantic and the North Atlantic Ocean. An El Niño weather pattern generally results in fewer hurricanes in the Atlantic basin, as it increases wind shear — strong winds that can break up hurricanes as they're forming.



Astute receivables leaders know how to identify issues and act on them before they become major problems – especially when it comes to compliance. The cost of noncompliance and damage to reputation can be debilitating, but preventive measures save resources by eliminating the cost of noncompliance and damage to reputation, helping to create new business and maintain advantage over the competition. For this reason, ARM agencies should work diligently to prepare for potential compliance audits from the CFPB or other regulatory authorities who oversee their operations. If they don’t, the risk of fines, penalties and legal actions may mount to an untenable extent if they aren’t avoided through mitigation actions.

Despite the warnings, many choose less favorable options, either ignoring the need for checks on their compliance tactics, hiring outside contractors who don’t know their business or simply absorbing the inevitable cost of noncompliance. Leaders take the proverbial bull by the horns, act immediately to avoid expenses and put their operations in a stronger position.

Immersing yourself in your own business and fearlessly seeking out issues that need correction brings your operation to heights you wouldn’t think possible. Here are 10 key components you need to avoid botching your compliance audit:



Friday, 07 April 2017 16:38

How to Conquer the Compliance Audit

A sophisticated global hacking operation emanating from China has compromised managed service provider (MSP) networks and is targeting additional MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.

That’s the conclusion of a new joint report from PwC UK and BAE Systems, which details an intricate cyber espionage campaign by a well-known threat actor known as APT10.

So-called “Operation Cloud Hopper” has been in effect since at least last year, and has intensified during 2017, the researchers said.



Depression and mental health conditions are on the rise globally. Affecting more than 300 million people of all ages across the world, depression causes immense suffering to people and their families, as well as placing a great economic cost on society. Its consequences and solutions are highlighted in this year’s World Health Day on 7 April.

Mental health problems and stress-related disorders are a major health concern and the biggest overall cause of early death, according to the World Health Organization, which organizes World Health Day each year. Resulting from a complex interaction of social, psychological and biological factors, depression is often triggered by adverse life events such as unemployment, bereavement or psychological trauma. It can be debilitating for the affected person, who functions poorly at work, at school and in the family.

Some of the root causes of depression are related to living and working conditions. For example, the working environment is a powerful determinant of health and has a significant impact on the employee’s mood. In today’s context of economic globalization, the occupational environment is delivering increasing mental stress, which can lead to job dissatisfaction, reduced work performance, ill health and depression.



Since its inception last summer, the No More Ransom project, and anti-ransomware initiative formed by the Dutch National Police, Europol, Intel Security and Kaspersky Lab, has been growing by leaps and bounds.

In addition to raising awareness and keeping tabs on the ransomware scene, the group banded together to help victims of regain access to their files without having to pay their attackers. No More Ransom offers tools that can be used to decrypt files affected by popular strains of the malware.

"This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims," said Raj Samani, Intel Security's CTO for the EMEA region, in a July 2016 announcement. "By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment."



Friday, 07 April 2017 16:35

Anti-Ransomware Decryption Toolkit Grows

Page 1 of 36