Industry Hot News

Wednesday, 26 April 2017 16:25

Business Continuity by Working Backwards

Ever since marketing figured out that companies could do better by asking customers what they wanted, rather than just trying to tell them, businesses have moved massively to the notion of working backwards from the customer.

Indeed, Jeff Bezos, founder of Amazon.com, declared, ‘‘We start with the customer and we work backward.

We learn whatever skills we need to service the customer.’’

It seems like business continuity planners could take a leaf out of the marketing playbook and ask customers what they would like to see in terms of their provider’s business continuity.

But is that enough?

...

http://www.opscentre.com/business-continuity-working-backwards/

A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is from a malicious hacker attack.

But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.

One way to sidestep both of these problems is to carry out your own network penetration tests.

In this article, we'll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.

...

http://www.esecurityplanet.com/network-security/penetration-testing.html

Wednesday, 26 April 2017 16:22

Survive And Thrive After Disaster

A successful entrepreneur spends all the time necessary to plan, down to the smallest detail, the workings of his or her business. Staffing, marketing, inventory, equipment, investors, and location and more are all a part of the dynamic. One aspect missing from many business plans is a strategy and system for unexpected problems caused by a disaster that harms the company’s physical plant. Whether resulting from natural forces, mechanical breakdowns, or human error, damage to your place of business halts production and risks the ruin of your hard work and vision. What can ensure your business continues even in the face of tragedy?

Half of the commercial enterprises suffering the effects of water, fire, or other disaster close their doors to deal with the crisis and then never reopen. This shocking statistic is one no business owner dares ignore. Customers and clients need to know the services and products you offer are reliable, available without fail with no room for excuses. Business continuity is crucial to your company’s growth and survival in a competitive economy. If they are forced to look elsewhere to replace the unique product you provided before a mishap, many of your leads never return. Even a short break in service can predict the downfall of your company.

...

http://nationaldisasterrecovery.org/survive-and-thrive-after-disaster/

The Business Continuity Institute

Over 80% of security professionals identify ‘people’ as the industry’s biggest challenge, as opposed to technology and processes, according to the results of the second annual survey from the Institute of Information Security Professionals (IISP).

The survey also indicates that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens. In real terms, spending does appear to be on the rise with 70% of companies seeing an increase in budget, up from 67%, and only 7% reporting a reduction, which is down from 12% last year.

While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.

Cyber security is a hot topic for business continuity and resilience professionals with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber security was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security.

“Many of the figures in this year’s survey show a step in the right direction,” says Piers Wilson, author of the report and Director at the IISP. “The continuing high frequency of cases hitting the headlines and the regulatory pressures, including from GDPR, are leading to a corresponding increase in investment and a drive for increased skill, experience, education and professionalism. However, there is still a lot of work to do and we need to redouble our efforts to meet the challenge of increasingly sophisticated threats.”

The U.S. Justice Department recently announced that 32-year-old Roman Valeryevich Seleznev, known as "Track2," was sentenced to 27 years in prison for a series of cyber attacks that caused over $169 million in damages.

It's the longest prison sentence ever given to a hacker in the United States.

Seleznev was convicted in August 2016 for hacking into point-of-sale (PoS) systems and installing malware designed to steal millions of credit card numbers from more than 500 U.S. businesses between October 2009 and October 2013. Approximately 3,700 financial institutions were impacted by the attacks.

The stolen data was then transferred to servers under Seleznev's control in Russia, the Ukraine, and McLean, Virginia, after which Seleznev sold the stolen credit card numbers on carding websites.

Among the businesses Seleznev targeted was Seattle, Washington's Broadway Grill, which was forced into bankruptcy following the attack.

...

http://www.esecurityplanet.com/hackers/russian-hacker-sentenced-to-27-years-in-u.s.-prison.html

Today’s threat environment is more complex than ever before, requiring that businesses be prepared to combat attacks from many different directions.

These days, outages or issues are often the result of non-traditional concerns or events. As you think about each of the items below, remember that your first step will be to determine the potential risk. Once you understand the risk, you can identify the impact of an occurrence, and determine and implement an appropriate mitigation strategy.

Ask yourself the following questions to determine your potential threats and risks.

...

https://www.mha-it.com/2017/04/todays-threat-environment-how-vulnerable-is-your-business/

Efficient storage management includes migrating aging data through progressively less-expensive storage tiers. When data ends its migration at the cold storage stage, you can keep it for long periods of time at very low cost.

Cloud-based data storage generally falls into these four storage classes or tiers:

  • Hot storage is primary storage for frequently accessed production data.
  • Warm storage stores slightly aging but still active data. It costs less because the underlying storage systems don’t have the high performance and availability requirements, but it keeps data quickly accessible.
  • Cool storage houses nearline data, which is less frequently accessed data that needs to stay accessible without a restore process.
  • Cold storage is a backup and archival tier that stores data very cheaply for long periods of time. Restore expectations are few and far between. Security, durability and low cost characterize this tier.

...

http://www.enterprisestorageforum.com/storage-services/the-cold-cloud-long-term-backup-storage-in-the-public-cloud-1.html

I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets. I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.

The other day, working with him on his training points, I thought to myself, “Woah, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?

...

http://blogs.forrester.com/chase_cunningham/17-04-24-for_better_security_operations_speak_to_the_pack_in_its_native_tongue

The debate over the efficacy of the hybrid cloud is likely to continue for as long as there are hybrid clouds. Pure-cloud advocates say hybrids are merely a marketing ploy by vendors looking to preserve their legacy platforms, while hybrid supporters say they are simply meeting the demands of the enterprise community.

But it seems that lost in the debate is one salient fact: that infrastructure, and even architecture, is quickly becoming a secondary consideration in the deployment of advanced data environments. Rather, many organizations are starting with the needs of the process they wish to support, and then working their way back to systems and applications. Sometimes this leads to a cloud-native solution, sometimes to a hybrid, and sometimes to physical, on-premises infrastructure.

In Microsoft’s recent State of the Hybrid Cloud report, the company noted that virtually all enterprises have either deployed a hybrid cloud or are planning to do so within the year. But what’s more interesting, says Redmond Channel Partner’s Jeffrey Schwartz, is the finding that nearly half of those who say they have yet to implement a hybrid actually already have one. Part of this is due to the confusion as to what constitutes a hybrid, but it also reflects the fact that IT deployment decisions are increasingly made by line-of-business managers these days, not IT, and they have little interest regarding the mechanics of their underlying infrastructure – they just want their processes to run.

...

http://www.itbusinessedge.com/blogs/infrastructure/to-hybrid-or-not-to-hybrid-is-that-the-right-cloud-question.html

The Business Continuity Institute


A worrying number of UK businesses have no formal plan to protect them from cyber attack and there has been no improvement from a year ago, according to a study conducted jointly by the Institute of Directors and Barclays.

The Cyber security: Ensuring business is ready for the 21st century report found that almost all companies (94%) think security of their IT systems is important, but only a little over half (56%) have a formal strategy in place to protect their devices and data.

The report shows that, despite a number of high-profile cyber attacks over the last year, more than one third (37%) of IoD members work in organizations without a formal cyber security strategy.

Given that the Business Continuity Institute's latest Horizon Scan Report identified cyber attacks and data breaches as the greatest concern to business continuity and resilience professionals, it is essential that organizations do more to protect themselves from such an incident, or equip themselves to respond to the likelihood that one should occur.

The new General Data Protection Regulation, which comes into effect in May 2018, will make organizations much more accountable for their customers' data, so the IoD and Barclays are urging business leaders to step up their preparations now. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.

Stephen Martin, director general of the IoD, said: "This report has revealed that business leaders are still putting cyber security on the back burner."

The amount of energy Apple used in data centers it leases from third-party providers more than quadrupled over the last four years, going from about 38,550 MWh total in fiscal year 2012 to more than 180,200 MWh in fiscal 2016, according to the latest annual environmental responsibility report the company released this month. Leased footprint now consumes close to one-quarter of Apple’s total data center energy consumption.

Fiscal 2016 was the first year Apple started tracking its exact energy use in colocation facilities using meters and reporting it as part of the company’s global footprint in its environmental report, offering for the first time a glimpse into the scale of its leased capacity and how quickly that scale has increased over the years.

This rate of growth illustrates just how much hyper-scale cloud platforms still rely on leased data centers, despite also spending enormous sums on building out their own server farms around the world every year. In addition, Apple’s focus on energy supply of these third-party facilities is an example of the growing demand for colocation services powered by renewable energy, which many providers and their customers have been observing recently.

...

http://www.datacenterknowledge.com/archives/2017/04/24/apples-leased-data-center-energy-use-quadrupled-since-2012/

Monday, 24 April 2017 14:43

DevOps, Invest For Velocity And Quality!

Delivering exceptional customer experiences and products for your business takes speed and flexibility. More than ever before, speed and flexibility are required from every part of your organization, business and IT alike. DevOps gives your business leaders, enterprise architects, developers and I&O leaders a philosophy for achieving not only the velocity that customers desire but also for driving innovation and enforcing quality. One example is ING. The company is undergoing a major digital transformation in which DevOps is a primary driver supporting their transformation. ING CIO Ron van Kemenade has initiated DevOps as the vehicle to aggressively support ING’s evolving customer needs. At ING, technology is the beating heart of the bank.

...

http://blogs.forrester.com/robert_stroud/17-04-22-devops_invest_for_velocity_and_quality

More often than she would like, Carrie Simpson fields a call from a panicked managed services provider (MSP) desperate for new business after realizing their sales funnel is near empty.

The owner of Winnipeg, Canada-based Managed Sales Pros is an expert at finding small businesses that want to buy managed IT services, and scheduling them for appointments with salespeople at MSPs.

Making that happen is a product of smart, grinding work behind the scenes – after which Simpson and her team are powerless to guide sales tactics that ultimately determine whether a deal closes.

...

http://mspmentor.net/sales/finding-qualified-leads-msps-equal-parts-science-art

Analytics is becoming a crucial element in the enterprise data ecosystem. It is one of the key drivers of the Internet of Things (IoT), and will undoubtedly provide key competitive advantages as the digital economy unfolds.

But it doesn’t come cheap, and it is by no means an easy process to master. So as the enterprise finds itself between the rock of an increasingly data-driven business model and the hard place of having to create a highly sophisticated analytics environment, it is understandable that many organizations are willing to launch this particular endeavor on the cloud.

According to the Harvard Business Review, nearly 70 percent of organizations expect to have cloud-based analytics solutions up and running by the end of the year. The reasons vary from improved decision-making and forecasting to greater speed and efficiency, but underneath the operational benefits is a simple fact: The cloud offers the means to launch analytics infrastructure quickly and at the scale required of modern production environments. To be sure, issues like data migration and lack of customization exist in the cloud, but these are generally seen as secondary considerations to the need to put analytics to work quickly before business models are disrupted by a more nimble, data-savvy competitor.

...

http://www.itbusinessedge.com/blogs/infrastructure/is-the-cloud-the-best-place-for-analytics.html

Amid ongoing political upheaval in Venezuela and a volatile geopolitical landscape elsewhere, the need for political risk insurance is rising to prominence for multinational companies.

AP reports that General Motors just became the latest corporation to have a factory or asset seized by the government of Venezuela.

GM said assets such as vehicles were taken from the plant causing the company irreparable damage.

To protect themselves against loss or damage to physical assets caused by political action and instability, businesses should consider purchasing political risk insurance.

...

http://www.iii.org/insuranceindustryblog/?p=4948

An annual assessment of the nation’s day-to-day preparedness for managing community health emergencies improved slightly over the last year—though deep regional inequities remain.

The Robert Wood Johnson Foundation (RWJF) has released the results of the 2017 National Health Security Preparedness Index, which found the United States scored a 6.8 on a 10-point scale for preparedness—a 1.5 percent improvement over the last year, and a 6.3 percent improvement since the Index began four years ago.

The Preparedness Index analyzes more than 130 measures—such as hazard planning in public schools, monitoring food and water safety, wireless 9-1-1 capabilities, flu vaccination rates, and numbers of paramedics and hospitals—to calculate a composite score that provides the most comprehensive picture of health security and preparedness available.

...

https://ems-solutionsinc.com/blog/state-ready-health-emergency-many-still-lag-behind/

Sustainable purchasing can improve supplier relations – and your business. ISO 20400 for sustainable procurement has just been published to help organizations make sustainable purchasing a way of life.

Procurement plays a large role in any organization, large or small. Who an organization buys from has just as big an impact on its performance as what it buys. Ensuring suppliers have sound and ethical practices – across everything from working conditions and risk management to their environmental impact – has the potential to not only make businesses work better, but to improve the lives of everyone in the communities where they are situated.

Sustainable procurement entails making purchasing decisions that meet an organization’s needs in a way that benefits them, society and the environment. It involves ensuring that a company’s suppliers behave ethically, that the products and services purchased are sustainable and that such purchasing decisions help to address social, economic and environmental issues.

ISO 20400, Sustainable procurement – Guidance, is the world’s first International Standard for sustainable procurement and aims to help organizations develop and implement sustainable purchasing practices and policies.

...

https://www.iso.org/news/Ref2178.html

Monday, 24 April 2017 14:16

BCI: An objective review ...

The Business Continuity Institute

It’s important to keep our business continuity plans up to date. That almost goes without saying. But what, exactly, do we mean by keeping our plans up to date?

Most organisations with a business continuity plan will assign someone to review it periodically - in particular, to check that the names and contact details of the various team members are kept up to date. Which is an important activity. But there’s a bit more to it than that.

There are essentially two reasons for reviewing and updating our plans.

Firstly, to ensure the plans’ content - the names, contact details, checklists, etc - remains current.

Secondly, and just as importantly, to ensure that the strategies and solutions that underpin the plans remain fit for purpose and continue to enable us to meet our continuity objectives. Which implies that now and again we need to review those objectives and the strategies and solutions that support them.

Many organisations focus entirely on the operational detail of the plans and neglect the strategic elements. If that sounds familiar, you might consider adding a periodic strategic review to your plan maintenance programme. Otherwise, whilst you might be able to contact people without too much difficulty, it may well be to tell them that the plan doesn’t work!

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Sixty-four percent of security professionals doubt their organizations can prevent a breach to employees' mobile devices, a recent Dimensional Research survey [PDF] of 410 security leaders found.

The survey, sponsored by Check Point Software, also found that 20 percent of businesses have experienced a mobile breach, and another 24 percent don't know, or can't tell, whether they've experienced one.

Strikingly, 51 percent of respondents believe the risk of mobile data loss is equal to or greater than that for PCs.

"Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices," the report states.

...

http://www.esecurityplanet.com/mobile-security/64-percent-of-security-pros-cant-stop-a-mobile-data-breach.html

Enterprises are loading up their data centers with hybrid flash storage systems in increasing numbers, according to a new survey from ActualTech Media commissioned by storage array maker Tegile Systems.

More than half (55 percent) of the 700 IT professionals polled for the study said they were using hybrid flash storage systems, which typically use a combination of solid-state drives and traditional hard disk drives to speed up data services, in their environments. Last year, 47 percent reported the same.

Meanwhile, all-disk storage systems are steadily losing their appeal. Adoption rates dipped from 41 percent in 2016 to 37 percent in the first quarter of 2016. All-flash environments remain relatively rare with a mere two-percent penetration rate.

...

http://www.enterprisestorageforum.com/storage-management/hybrid-storage-becomes-the-go-to-application-performance-booster.html

Customer service departments in all industries are increasing their use of chatbots, and we will see usage rise even higher in the next year as companies continue to pilot or launch their own versions of the rule-based digital assistant. What are chatbots? Forrester defines them as autonomous applications that help users complete tasks through conversation.
While Forrester’s Consumer Technographics® data reveals that 60% of US online adults already use online messaging, voice, or video chat services, there are challenges to widespread adoption. We reached out to our ConsumerVoices Market Research Online Community members to better understand consumer impressions of chatbots and found that our respondents had a difficult time identifying clear benefits to interacting with them. Many prefer to communicate with a representative who can show real empathy, address more complex needs, and offer them assurance.
...

(TNS) - Six months after dangerous Hurricane Matthew buzzed up Florida’s Atlantic coast, storm experts are still debating why some people didn’t evacuate in the face of what became the 10th most destructive storm in U.S. history.

A clutch of coastal condo dwellers and beachfront homeowners refused to budge despite mandatory orders and unusual public pleas from South Florida hurricane hero Bryan Norcross and National Hurricane Center Director Rick Knabb.

They got lucky when Matthew delivered only a glancing blow, but how to better convey potential storm risk was a theme at Wednesday’s National Hurricane Conference in New Orleans where forecasters lamented ineffective messaging.

...

http://www.govtech.com/em/disaster/Experts-Debate-Whether-Hurricane-Matthews-Risks-Were-Understood.html

I am pleased to announce that the new for infrastructure and operations professionals is now live! This Wave evaluation uncovered a market in which four providers — Sungard Availability Services, Bluelock, IBM, and iland — all emerged as Leaders, although their strengths differ. Another five providers — HPE Enterprise Services (now DXC Technology), Recovery Point, Plan B, Daisy, and TierPoint — are Strong Performers. NTT Communications is a Contender.

To evaluate these vendors, we developed a comprehensive set of criteria in three high-level buckets: current offering, strategy, and market presence. The criteria and their weightings are based on past research and user inquiries. In addition to typical user demands, this Forrester Wave™ evaluation also has a few thought-provoking criteria such as the provider’s capability to deliver security services, real-time views through a readiness score, automated change management, and orchestration-led enterprise application recovery.

...

http://blogs.forrester.com/naveen_chhabra/17-04-20-check_out_the_new_forrester_wave_of_leading_draas_providers

The Business Continuity Institute

Not only are many employees likely to share confidential information, but they are doing so without proper data security protocols in place or in mind, according to a new study by Dell. Today's workforce is caught between two imperatives: be productive and efficient on the job, and maintain the security of the organization's data. To address data security issues, organizations must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity.

The Dell End-User Security Survey indicates that among the people who work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and what the data security policies are. This lack of clarity and confusion is not without merit: there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward.

Three in four employees say they would share sensitive, confidential or regulated company information under certain circumstances for a wide range of reasons, with nearly half (43%) saying they would do so when directed by management. Four-fifths of employees in financial services (81%) would share confidential information, and employees in education (75%), healthcare (68%) and federal government (68%) are also open to disclosing confidential or regulated data at alarmingly high rates.

"When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy," said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. "These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity."

The survey finds that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways. A quarter of respondents (24%) indicated they do so to get their job done and one-fifth (18%) say they did not know they were doing something unsafe. Only 3% of respondents said they had malicious intentions when conducting unsafe behaviours.

Further findings of the report include:

  • 45% of employees admit to engaging in unsafe behaviours throughout the work day
  • These behaviours include connecting to public wifi to access confidential information (46%), using personal email accounts for work (49%), or losing an organization-issued device (17%)
  • One in three employees (35%) say it is common to take corporate information with them when leaving a company
  • Employees take on unnecessary risk when storing and sharing their work, with 56% using public cloud services such as Dropbox, Google Drive, iCloud and others to share or back-up their work
  • 45% of employees will use email to share confidential files with third-party vendors or consultants

These findings help reinforce the theme for Business Continuity Awareness Week which highlights that cyber security is everyone's responsibility, and with a little more awareness on the right policies and procedures, we can all play a part in building a resilient organization.

The survey findings indicate that employees struggle with cyber security in the workplace because they do not want to see their organization suffer a data breach, but they also struggle with the limitations security programmes can put on their day-to-day activities and productivity.

"While every company has different security needs, this survey shows how important it is that all companies make an effort to better understand daily tasks and scenarios in which employees may share data in an unsafe way," says Hansen. "Creating simple, clear policies that address these common scenarios in addition to deploying endpoint and data security solutions is vital in order to achieve that balance between protecting your data and empowering employees to be productive."

Much ink has been spilled over United Airlines' latest public incident and social media's role in rapidly spreading video of a passenger being dragged off an airplane. Today's consumers are more polarized than ever and increasingly expressing their opinions and showing their own values in the way they spend their money. Brands worry about making missteps on social media and falling out of favor, prompting them to ask: "How can my brand respond to a social crisis?" In reality, the question they should be asking is: "How can my brand plan for any social crisis so that when it hits, our response is clear and automatic?"
Navigating today's social environment requires returning to crisis management basics. Brands with established and rehearsed crisis management plans — no matter the channel — will rise above the fray. In our latest Forrester report, "Social Crisis Management: Get Back To Basics," we discuss social crisis management 101:  
...

(TNS) - National Hurricane Center forecasts have evolved beyond the staid Saffir-Simpson wind scale that shoehorns tropical cyclones into tidy categories while ignoring flooding waters from sea and sky.

This hurricane season, an array of products will alert to killer storm surge, predict arrival time of damaging winds and show storm size.

One forecast map will warn of systems that have the potential for cyclonic wind-up, but have not yet developed into a storm.

It’s all in an effort to inform the public beyond Saffir-Simpson, but is the public ready to digest more than categories 1, 2, 3, 4 and 5?

...

http://www.govtech.com/em/disaster/Hurricane-information-overload-New-products-cause-some-concern.html

According to a study by Indeed.com, conducted earlier this year, the severe shortage of skilled cybersecurity professionals continues. It’s estimated that a million security jobs are unfilled today, and that’s probably only going to get worse. This comes at a time when organizations are looking to increase their security spending and improve their security posture.

Yet, here is something that doesn’t make sense to me. Plenty of security talent is being developed in colleges and universities across the country. The National Collegiate Cyber Defense Championship held earlier this month highlighted that talent. From an original pool of 230 teams, a group from the University of Maryland, Baltimore County emerged as the winner after a final competition of the top 10 competitors. As CSO reported about the contestants of the cybersecurity event:

They have spent years honing their cyber skills, and some of the participants have some pretty interesting hacks ranging from an insulin pump and an electric car to a video surveillance camera in a school lab. Still others have hacked a connected avionics system that loads maps onto an airplane, an elevator, a McDonald's router, and even a beer kegerator.

...

http://www.itbusinessedge.com/blogs/data-security/despite-cyber-skills-gap-security-graduates-struggle-to-get-hired.html

The Business Continuity Institute

 

We have recently seen how quickly a crisis can impact a business if it is not managed correctly, that is, by placing people at the heart of the crisis response.

The appalling treatment of a United Airlines passenger, and the subsequent response from the company, showed a complete disregard for the very people who pay the wages: its customers.

As crisis managers we all advocate the importance of plans and procedures to ensure that, in the event of something going wrong, the crisis management teams responsible have a framework to guide them. However, at the heart of this has to be the right culture.

The power of the internet is immense and you only have one opportunity to set the tone of your response when something does go wrong. You should have clear processes, procedures and ways of working that staff fully understand, but most importantly you must have a culture that ensures that people are at the heart of what you do. 

If your customers are your number one priority, regardless of the nature of the incident, it is very likely your crisis managers will respond with that in mind.

I was reading an article during the past week written by Michael Balboni of Redland Strategies, and one of the keynote speakers at last year's BCI World Conference, where he highlighted the four key points to consider in your crisis communications. These points can be summarised as:

  1. Try to get out ahead of the story with statements like, "We are also concerned about the events as reported and are conducting an investigation."
  2. Whatever the message, be consistent. Changing statements leaves room for doubt on a whole bunch of aspects.
  3. Never attack the victim! Ever! The customer is the only reason that a business is in business, or a government official is in office.
  4. Respond to the internet firestorm with facts and apologies and a description of how you will try to prevent this situation from ever repeating. Never try to block people from commenting.

When you are next reviewing your ways of working and approach to crisis communications make sure you keep this in mind. Most importantly though remember: “It is not the employer who pays the wages. Employers only handle the money. It is the customer who pays the wages” --- Henry Ford.

Are you satisfied that your company culture sets the right tone to respond effectively to a major incident or crisis event?

Chris Regan is the Director of Blue Rock Risk Limited, a specialist crisis and risk management consultancy. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email or by telephone on 0117 244 0154.

The Business Continuity Institute

Businesses large and small are being urged to protect themselves against cyber crime after new Government statistics found nearly half of all UK businesses suffered a cyber breach or attack during the previous year.

The Cyber Security Breaches Survey 2017 reveals nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions. The survey also shows businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51% compared to 37%).

The most common breaches or attacks were via fraudulent emails - for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments - followed by viruses and malware, such as people impersonating the organisation online and ransomware.

These new statistics show businesses across the UK are being targeted by cyber criminals every day and the scale and size of the threat is growing, which risks damaging profits and customer confidence.

Cyber security is a hot topic for business continuity and resilience professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

The Government survey also revealed that, of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed.

Firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.

Following a number of high profile cyber attacks, businesses are taking the threat seriously, with three quarters of all firms saying cyber security is a high priority for senior managers and directors; nine in ten businesses regularly update their software and malware protection; and two thirds of businesses invest money in cyber security measures.

Areas where industry could do more to protect itself include around guidance on acceptably strong passwords (only seven in ten firms currently do this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).

Ciaran Martin, CEO of the National Cyber Security Centre, said: "UK businesses must treat cyber security as a top priority if they want to take advantage of the opportunities offered by the UK’s vibrant digital economy. The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities."

The firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.

Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest firewall security products incorporate a wide range of additional features.

“The latest firewalls can neutralize an attacker’s ability to use stolen credentials for lateral movement and network compromise,” said Navneet Singh, product marketing director at Palo Alto Networks. “This is done by enforcing multi-factor authentication at the network layer.”

...

http://www.esecurityplanet.com/network-security/network-firewalls.html

The ever-dependable Barb Darrow at Fortune reported late last week that the OpenStack Innovation Center (OSIC) is to shut down. Cue wailing, gnashing of teeth, and portents of doom. But this may not be quite so bad as it appears, because the OpenStack Innovation Center isn’t nearly so critical to the open source cloud computing project as its name might imply.

Before I joined Forrester I used to post a short thought (almost) every day, commenting on some piece of news that caught my interest. The last of these, on 24 July 2015, was concerned with the then-new OpenStack Innovation Center.

I was unimpressed.

You see, the OpenStack Innovation Center isn’t an initiative of the OpenStack Foundation. Despite the name, it was only a joint initiative of two contributors to the OpenStack project - Intel and (OpenStack co-founder) Rackspace. They set up some clusters, for developers to test code. And they did some work to make OpenStack more enterprise-ready. Both efforts were useful, for sure. But both of these things were already happening in plenty of other places.

...

http://blogs.forrester.com/paul_miller/17-04-18-demise_of_openstack_innovation_center_does_not_mean_demise_of_openstack

Wednesday, 19 April 2017 15:11

4 Key Steps on the Roadmap to Resilience

Most people can sort out what tangibles they need for a solid BCM program, but the following critical steps can make or break an enterprise in times of crisis. Without functional crisis management and effective preparations, your organizational resilience will be impacted, resulting in more than just higher costs or lost sales (see Strategic Issues Surrounding Your Organization’s Resiliency).

1.  Clarify Roles and Responsibilities

Numerous teams are organized and active during crisis events: Crisis Management, IT Emergency Management, Individual Recovery, Business Recovery, Communications, and more. Often individuals participate on several teams. Due to multiple tasks and efforts, individuals must clearly understand their roles and responsibilities – these are not necessarily based on job title. Individuals should be trained in roles and responsibilities at least annually.

...

https://www.mha-it.com/2017/04/4-key-steps-on-the-roadmap-to-resilience/

Focal Point Data Risk, LLC (Focal Point), one of the largest pure-play data risk consulting firms in North America, today announced the release of the inaugural Cyber Balance Sheet Report. This first-of-its-kind research study uses in-depth surveys and interviews with corporate board members and chief information security officers (CISOs) to conclusively identify specific cyber risk issues resonating in boardrooms. Equally important, the unprecedented research reveals how CISOs and boards can quickly improve communication and collaboration in this critical area.

The Cyber Balance Sheet Report was independently produced, after several months of intensive research, by the Cyentia Institute (Cyentia), a cybersecurity research firm, co-founded by Dr. Wade Baker, who is widely recognized as the creator of the Verizon Data Breach Investigations Report (DBIR). In the study, Focal Point and Cyentia conducted comprehensive interviews with more than 80 board members, CISOs and subject matter experts. The report’s findings offer a rare window into the cyber risk dialogue in the boardroom, contrasting with many years of assumptions and security vendor characterizations.

“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”

...

http://www.corporatecomplianceinsights.com/focal-point-data-risk-publishes-inaugural-cyber-balance-sheet-report/

Ransomware hits a particularly raw nerve because of its brazenness. A criminal breaks into a computing device and simply takes over, demanding money – usually paid in bitcoins – for providing the owner the privilege of accessing his or her own data.

The reality is that the ransomware story is more nuanced than the pure fear that idea engenders. Ransomware, according to experts, is not monolithic: There are levels of qualities to the malware and how it is delivered. The targets are far from helpless.

IT Business Edge emailed a set of key questions about ransomware to Jon Clay, the director of Global Threat Communications for Trend Micro; Chester Wisniewski, the principal research scientist at Sophos; and Kevin Haley, the director of Security Response at Symantec. The answers painted a picture of a very serious problem, but one that can be avoided if an organization uses best security practices.

...

http://www.itbusinessedge.com/articles/how-to-fight-against-ransomware-its-hard-not-hopeless.html

(TNS) - Every spring, like azaleas at Pinehurst, questions begin blooming for Scot Brooks.

“It seems every year at about this time, people new to the area call and ask when they can expect us to test our tornado sirens,” said Brooks, the emergency management deputy director of Moore County, N.C.

“I explain to them that we don’t have sirens — at least not for tornadoes.”

Nor does any other county in the Cape Fear region. A check with emergency management directors in the region reveals that no countywide systems exist. In fact, none have ever existed, according to these directors.

...

http://www.govtech.com/em/disaster/No-Tornado-Sirens-in-Region-Despite-Top-10-Threat-of-Twisters.html

Wednesday, 19 April 2017 15:05

U.S. Thunderstorm Losses Add Up To Q1 Record

Topping $5.7 billion. That’s the record cost of insured losses from severe thunderstorms and convective weather in the United States in the first quarter of 2017.

The latest figures come via Steve Bowen, director and meteorologist at Impact Forecasting, the catastrophe risk modeling center at Aon Benfield.

Here’s the chart (via @SteveBowenWx):

...

http://www.iii.org/insuranceindustryblog/?p=4941

Over the last decade, huge growth in demand for Internet and mobile services has driven rapid transformation in digital businesses. This growth has been highly disruptive, and it has created new business opportunities and challenged the status quo.  In the data center, two forces have created much of this change:  the evolution of virtualization and the rise of cloud computing.

Latest-generation technologies in computing hardware and software platforms, including but not limited to unified computing, pervasive virtualization, containerization, new rack designs, disaggregation of compute resources, and improved telemetry and analytics, have all contributed to a lower total cost of ownership (TCO) and a greater return on investment (ROI). This has set the stage for agile infrastructure and a further explosion in the number and type of instrumentation metrics available to today’s data center managers.

Optimization, as applied to data centers, means always having the right amount of resources, to cost-effectively enable the business use of those data centers. Right resourcing means, in effect, enough to get the data center “job” done, but not so much as to waste money. Everything from enough power and floor space to enough “computes,” and everything else. Easily said, but increasingly challenging to accomplish.

...

http://www.datacenterknowledge.com/archives/2017/04/18/optimizing-todays-data-centers-metrics-matter/

NEW YORK, NY –  Duff & Phelps, the premier global valuation and corporate finance advisor, today highlighted research affirming that financial services professionals are poised to significantly accelerate resources dedicated to preventing and combating cyber breaches. The survey of nearly 200 senior financial services professionals included the following highlights:

  • 86% of financial services firms intend to increase the time and resources they spend on cybersecurity in the next year.  This contrasts with 2016, when less than 60% said they planned to spend more resources and time on cybersecurity planning and initiatives.
  • 31% of respondents expect cybersecurity to be the top priority for regulators this year - a 63% increase over 2016 when just 19% of respondents held this view.
  • 21% of respondents believe that Anti-Money Laundering and “Know Your Customer” considerations – which are increasingly converging with cybersecurity and technology – will be a top regulatory focus.

...

http://www.darkreading.com/risk/financial-services-firms-report-spike-in-cyber-preparedness-anticipated-regulatory-scrutiny/d/d-id/1328627

Our latest case studies in business continuity management and planning focus on banking customers.

PlainsCapital Bank—a subsidiary of Hilltop Holdings—is the sixth-largest bank in Texas. They maintain a statewide presence with approximately 1,500 employees and nearly 70 commercial and retail locations. Their diverse range of services includes commercial banking, treasury management, private banking, wealth management, and consumer banking. The Business Continuity Planning team includes Operational Risk Manager Jay Geppert and Operational Risk Analyst Jessica Camacho. They are responsible for the bank’s Business Continuity, Vendor Management, and Operational Risk programs. Together, they coordinate annual tests of critical departments and applications and work with business unit managers to update plans for their Business Continuity Committee, Information Systems Steering Committee, and other senior management officials. The company invested in ResilienceONE from Strategic BCP to help elevate planning to a strategic level within the organization. Planning has shifted to a functional approach in line with overall corporate objectives. The system helps ensure consistency of the operational risk management framework, allows for effective implementation across business units, meets operational and regulatory requirements, and prepares the organization for future growth—all while adapting to the changing demands of a dynamic corporation. Read the full case study, including the expanded benefits to the team and the organization.

...

http://www.strategicbcp.com/blog/new-business-continuity-case-studies-banking-industry/

Forty-one percent of enterprises have an encryption strategy applied consistently throughout the organization (up from 37 percent last year), according to the results of Thales' 2017 Global Encryption Trends Study.

The report, based on a Ponemon Institute survey of more than 4,800 people across several industry sectors, also found that 46 percent of respondents perform encryption on premises prior to sending data to the cloud, and 21 percent encrypt in the cloud using keys they generate and manage on premises.

Surprisingly, 37 percent of enterprises turn over complete control of keys and encryption processes to cloud providers.

...

http://www.esecurityplanet.com/network-security/41-percent-of-enterprises-have-a-consistent-encryption-strategy.html

Scenario planning, in which you seek to identify higher risk and higher probability causes of business interruption, attracts both supporters and cynics.

One of the criticisms levelled at scenario planning is that it often results in business continuity plans that are hard to manage and keep up to date.

Complexity rises exponentially with the number of scenarios being considered.

On the other hand, viewing BC purely in terms of impacts to be avoided (effects rather than causes) calls for faculties of imagination and vision that may surpass what some organisations can muster.

The best way forward may be to combine the strengths of both and in parallel eliminate their weaknesses.

...

http://www.opscentre.com/combining-scenario-impact-planning-business-continuity/

Tuesday, 18 April 2017 16:12

Move to the Cloud, but Mitigate Risk

Security remains one of the biggest roadblocks for enterprises to move to the cloud, numerous studies and research firms have stated.

We often talk about security as one thing, but in actuality, it is quite multifaceted. That’s why it’s important to distinguish between layers of security in a public cloud environment — and why concerns about data security and public clouds must be taken seriously.

As 451 Research concluded in a recent report, leading public cloud providers, such as Amazon Web Services and Azure, have very good security. They have to. They are “secure by default because they have a vested business interest in being as durable as possible,” 451 says. Again, I agree. Public cloud providers do a great job of traditional network and operational security.

In today’s world, and especially in the cloud, that’s not good enough anymore. While the cloud environment may be secure, the data inside that environment may not be. If the database you’re using lacks comprehensive, hardened security, you’re still at risk. You can’t read the news without seeing numerous data breaches that underscore this fact.

...

http://www.datacenterknowledge.com/archives/2017/04/17/move-cloud-mitigate-risk/

Data-centric protection and security focuses on the organization’s sensitive data (as opposed to its overall computer networks and applications). This is accomplished by locating, identifying, and cataloging sensitive data as well as by applying encryption, data masking, and policy-based data access controls (and end-user monitoring) to protect data residing across multiple enterprise environments.

To what extent are organizations adopting, or planning to adopt, data-centric protection and security practices? In a recent Cutter Consortium survey, Senior Consultant Curt Hall asked 50 organizations about their data protection practices to shed some light on this important question.

As shown in the figure below, more than a third (37%) of surveyed organizations currently have data-centric protection and security practices in place.

...

http://blog.cutter.com/2017/04/17/data-centric-protection-and-security-what-are-the-trends/

No. The buy side market is nowhere near maturity and will continue to be a greenfield opportunity to many BI vendors. Our research still shows that homegrown shadow IT BI applications based on spreadsheets and desktop databases dominate the enterprises. And only somewhere between 20% and 50% of enterprise structured data is being curated and available to enterprise BI tools and applications.

The sell side of the market is a different story. Forrester’s three recent research reports are pointing to a highly mature, commoditized and crowded market. That crowded landscape has to change. Forrester is making three predictions which should guide BI vendor and BI buyer strategies in the next three to five years.

...

http://blogs.forrester.com/boris_evelson/17-04-17-is_business_intelligence_bi_market_finally_maturing_forrester_three_big_bi_market_predictions

(TNS) - Several communities in the mid-Hudson (N.Y.) are spending more than $40 million to get ready for the next weather disaster.

Sixteen municipalities have crafted plans to make their communities less vulnerable to the kind of devastation left behind by Hurricane Irene, Tropical Storm Lee and superstorm Sandy in 2011 and 2012.

Communities slammed by the storms picked up the pieces, and when New York state and the federal government offered help, they took it.

The state pulled together federal funding streams and channeled them through the Governor's Office of Storm Recovery into a program called the NY Rising and Community Reconstruction plan.

...

http://www.govtech.com/em/disaster/local-communities-prep-for-future-weather-disasters.html

Tuesday, 18 April 2017 16:08

It’s a Great Time to Be a Risk Manager

2017 has so far been a wild ride of change. Companies are navigating through a new U.S. administration, Brexit and cyber risks that are more daunting each day. We are bombarded with uncertainty and uncharted waters. Nevertheless, it’s a great time to be a risk manager.

This kind of disruption is the reason many of us got into the risk and insurance industry.  Addressing disruption is what we do best. According to a recent CNN report, in fact, Risk Management Director is the number-two Best Job in America for 2017. Recognizing the meaningful contributions and rewarding work of a risk manager, the report highlighted the role in “identifying, preventing, and planning for all the risks a company might face, from cybersecurity breaches to a stock market collapse.”

In the midst of a riskier environment, the insurance industry that serves risk managers faces highly competitive market conditions. The result is more choices and better services for the risk management community. Now is the time for the risk manager to take the lead.

...

http://www.riskmanagementmonitor.com/its-a-great-time-to-be-a-risk-manager/

Tuesday, 18 April 2017 16:07

For Continuity Sake……

A consistent challenge that I have heard from Business Continuity Professionals over the past 20 years is mastering the art of getting buy in, and engagement, from their colleagues.  As business continuity practitioners, you have chosen a very rewarding career.  We all know how important your job is to the organization.  However, some of your colleagues don’t always recognize it and they must be constantly reminded of how important business continuity is.  You and I know that you’re the glue that keeps things together during an incident, however large or small.

You’re constantly engaging management teams in Human Resources, Safety & Security, Information Security, IT, Facilities, Property Management, Legal and Executive Management, as well as Local Law Enforcement, Public Information Officers, and Social Media Administrators. Oh my goodness, if that is not enough to do, you must also ensure that your planners have updated their plans, prepared for audits, prepared for tests, and, most importantly, dealt with real incidents that can happen at any time of day.

...

http://www.bcinthecloud.com/2017/04/for-continuity-sake/

BATON ROUGE, La. — Louisiana schools will soon close for summer and the elimination of a normal routine may increase the need for crisis counseling for both adult and child survivors of the August floods.  Free disaster crisis counseling is available through Louisiana Spirit, a program administered by the state and funded by a FEMA grant.  If you wish to speak with the counselors call 866-310-7977.

Children should keep a routine and positive focus in the recovery process of disasters. Both are recommended by a number of children-focused organizations working on the Louisiana recovery.  Summer camps, sports and outdoor adventures are good options to keep your child active and engaged.

In Louisiana, FEMA has been working with federal partners, including the U.S. Department of Education, nongovernmental organizations, pediatric experts and external stakeholders to ensure the needs of children are considered and integrated into disaster related efforts initiated at the federal level. The work is underway and will continue for as long as it takes.

Louisiana Spirit crisis counselors also go door-to-door in disaster-affected areas to provide services for both adults and children. In Louisiana, the program is working side-by-side with the Metropolitan Human Services District in New Orleans, the American Red Cross and other organizations. For more information, visit dhh.louisiana.gov/index.cfm/page/201.

Eighty-six percent of financial services firms plan to spend more time and resources on cyber security in the coming year, a recent Duff & Phelps survey of 183 senior financial service professionals found.

That's a significant increase from 2016, when less than 60 percent of firms said they planned to do so.

Similarly, 31 percent of respondents said they expect cyber security to be the top priority for regulators this year -- a 63 percent increase over 2016, when just 19 percent expected it to be the focus.

...

http://www.esecurityplanet.com/network-security/86-percent-of-financial-services-firms-to-increase-cyber-security-spend-in-2017.html

Monday, 17 April 2017 14:44

Commercial Insurance Prices Moving On Up

Insurers are moving away from the rate cuts of 2016, according to online insurance exchange MarketScout’s take on the first quarter 2017 rate environment.

For the first time in 20 months, the composite rate index for commercial accounts in the United States measured a rate increase at plus 1 percent, MarketScout said.

Richard Kerr, CEO of MarketScout:

“The plus 1 percent composite rate index was driven by larger rate increases in commercial auto, transportation, professional and D&O rates. We also recorded small rate increases in the majority of coverage and industry classifications.”

Rates for business interruption, inland marine, workers’ compensation, crime, and surety coverages held steady in the first quarter. Rates for all other coverages either moderated or increased.

...

http://www.iii.org/insuranceindustryblog/?p=4935

Monday, 17 April 2017 14:43

Tips for Disinfecting Your Data Center

Cyberattacks have pretty much become a part of everyday life. Security firm ForeScout’s State of Cyber Defense Maturity Report found that more than 96 percent of organizations experienced a major IT security breach in the past year. One in six organizations had five or more significant security incidents in the past 12 months, and almost 40 percent had two or more incidents.

“The media reports of stolen information or compromised networks are almost a daily occurrence,” wrote Ray Boisvert, president of I-Sec Integrated Strategies. “The stories are increasingly alarming and the trend line is troublesome.”

How you respond, though, is the key factor. Here are several tips on how to disinfect your data center and beef it up against further attacks.

...

http://www.datacenterknowledge.com/archives/2017/04/14/tips-disinfecting-data-center/

The city of Dallas, Texas boasts 156 emergency weather sirens throughout the entire city, charged with warning residents when there is an imminent threat from a tornado or other severe weather. On Friday, April 7, 2017, Dallas residents were startled awake when every siren in the city was activated at the same time. The sirens blared for more than an hour and a half before city officials were able to manually turn them off. The reaction from the 1.3 million residents was predictable: over 4,000 calls to 911 flooded the city’s emergency response lines. Widespread panic eventually turned into irritation as residents were informed there was no danger, just a system malfunction. It wasn’t until later that an investigation revealed hackers had in fact manipulated the wireless radio system behind the alerting system, triggering these alarms.

In light of this discovery, a new concern has emerged surrounding the security of emergency communication protocols as evidenced by this hacker’s ability to override the security of the city’s critical infrastructure. This is not the only city where a breach like this has occurred, and the array of system infrastructure that can be impacted by such attacks raises serious concerns about the effectiveness of all emergency communication tools—with good reason.

...

http://www.mir3.com/importance-enhanced-system-security-look-recent-weather-alarm-hacking-scandal/

Three very different brands with an unfortunate commonality: Each has recently incurred the wrath of a growing segment that Forrester calls the values-based consumer.

Last week at Forrester’s Consumer Marketing Forum, my colleague Jim Nail and I launched a new line of research. It helps marketers manage the trend of consumers looking beyond the direct, personal benefits they receive from a brand to also value the brand’s impact on society and the world. Paired with Anjali Lai’s powerful companion data report on how empowered consumers’ decision making is changing, this set of research represents a new dimension of Forrester’s overarching thesis on the age of the customer.

To be “customer obsessed,” brands need to do more than study their customers’ technology habits and the digital data they have about them, and even go beyond delivering extraordinary experiences. These are things all companies are trying to do today and will differentiate brands just until their competitors catch up. Increasingly, brands will be evaluated beyond the sum of their features, benefits, personality, and positioning. Tapping the increased transparency created by social technologies, consumers are able to choose brands that reflect their own beliefs on issues related to their personal interpretation of societal impact.

...

http://blogs.forrester.com/henry_peyret/17-04-14-uberpepsithe_ringling_brothers_circus_our_values_based_analysis

Increasing globalization and the growing world market present employees with opportunities to travel and experience new countries and cultures. With travel comes risk, however. In the event of an unforeseen incident, it is an organization's top priority to ensure its employees are safe and out of harm's way.

By following proactive travel risk management strategies, employers can help ensure not only the safety of their employees abroad, but also the success of their businesses while avoiding major financial, legal and reputation costs. When developing travel policies, companies must consider the health, safety and security risks that their employees could encounter.

...

http://www.riskmanagementmonitor.com/protecting-employees-in-the-face-of-international-risks/

The Business Continuity Institute

Ever wondered what all the different terms or acronyms relating to business continuity mean? Now the Business Continuity Institute has made it easier for you to find out with the creation of its joint BCI DRJ Glossary of Business Continuity Terms.

This new glossary is a result of merging the definitions from the ‘Business Continuity Glossary by DRJ’, the BCI’s Dictionary of Business Continuity Management Terms and the glossary in the Good Practice Guidelines.

The combined glossary contains all terms approved by the DRJ Editorial Advisory Board’s Glossary of Terms Committee, which includes representation from the BCI. This joint effort is evidence of the continuing and deepening partnership between DRJ and the BCI. The glossary is one of many resources available as part of our knowledge bank, and it can be downloaded from the BCI website.

Does it sound strange that many organisations believe they are exposed to major problems with Internet of Things device security, yet few of them have taken any measures to resolve those problems?

IoT devices are increasingly part of business life, as businesses use them for the remote monitoring and control of industrial machines and systems, or they fall into the BYOD zone, where personal and professional data may coexist (for example, Apple Watches and other wearables).

A recent survey by Ponemon Institute showed how much of a problem there could be.

According to the survey results of over 500 IT and IT security practitioners:

...

http://www.opscentre.com/iot-device-security-doomsday-horizon/

United Airlines stock tumbled nearly 4% in early trading Tuesday morning before recovering late in the day as the company continued to deal with fallout after video surfaced showing a passenger being forcibly dragged from a United flight at Chicago’s O’Hare International Airport. United shares were down by as much as 6% in premarket trading Tuesday morning, according to MarketWatch.

Shocked viewers responded with universal outrage Monday to a video appearing to show a 69-year-old man being brutally dragged off his flight by three uniformed officers from the Chicago Department of Aviation, one of whom has since been placed on leave. The man's face was bloodied and he appeared disheveled as officers dragged him along the narrow aisle of the plane.

“The incident on United flight 3411 was not in accordance with our standard operating procedure and the actions of the aviation security officer are obviously not condoned by the Department,” the agency said in a statement. “That officer has been placed on leave effective today pending a thorough review of the situation.”

...

http://www.riskmanagementmonitor.com/firestorm-over-forced-removal-proves-costly-for-united/

Thursday, 13 April 2017 16:28

What’s Next for Big Data Flash Storage?

Last month HPE announced its plans to acquire Nimble and double down on its move into “the fast-growing flash market” for the enterprise. Days later Dell EMC announced it would drop its DSSD flash offering for big data and HPC because the market is too small.

Although Dell EMC "found little market" for DSSD, don't be deceived about whether or not there's a market for big data flash storage. There is, and it's growing. In the HPC space, where DDN Storage plays, we continue to see a clear and growing need for flash-based innovation. DDN's Infinite Memory Engine (IME) flash offering is seeing strong demand.

Alongside traditional labs such as the Joint Center for Advanced High Performance Computing (JCAHPC) and Oak Ridge National Laboratory, and the more traditional high-end academic high performance computing (HPC) research, there's also growing interest within enterprise organizations that want to speed up their HPC-like workflows.

...

http://www.datacenterknowledge.com/archives/2017/04/12/whats-next-big-data-flash-storage/

While the social media firestorm following the forcible removal of a passenger from a United Airlines flight highlights the importance of crisis and reputation risk management, it also underscores the potential liability airlines face from balancing duties to their customers, employees and to shareholders.

USA Today reports that three things govern a carrier’s relationship with its passengers: contracts of carriage, the U.S. Department of Transportation and laws approved by Congress:

United's dispute with a passenger forcibly removed from a Sunday flight shines a spotlight on the contracts that set rules and expectations between carriers and travelers.

...

http://www.iii.org/insuranceindustryblog/?p=4931

(TNS) - Annapolis has hired a company to carry out design of flood mitigation plans in an effort to reduce nuisance flooding downtown at City Dock.

The design phase begins a multi-year process for a two-phase project along City Dock to reduce and prevent nuisance flooding. This flooding, primarily due to rising sea levels, is what causes City Dock to sometimes feel partially underwater as water bubbles up through storm drains and overtakes parking along Dock Street and other downtown areas.

Annapolis has an average of about 39 nuisance flooding days a year, according to data between 2007 and 2013 collected by the National Oceanic and Atmospheric Administration.

...

http://www.govtech.com/em/disaster/Annapolis-flood-mitigation-design-planning-underway.html

This is a bit concerning. Officials in Dallas said the city's warning system was hacked late on Friday night, disrupting the city when all 156 of its emergency sirens sounded into the early hours of Saturday morning. The Dallas emergency sirens started going off around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday. This created a sense of fear and confusion, jarring residents awake and flooding 911 with thousands of calls. The sirens are meant to alert the public to severe weather or other emergencies, but were interpreted by some as a warning of a "bomb or something, a missile." The city said that every time they turned the system off, it would sound again as the hacker kept bombarding it.

The system was still down on Saturday afternoon, and officials said they hoped to have it functional again by the end of the weekend. They said they had pinpointed the origin of the security breach after ruling out that the alarms had come from their control system or from remote access.

...

https://ems-solutionsinc.com/blog/hacking-activates-dallas-emergency-sirens/

Over the past few weeks, hackers have leveraged passwords exposed in high-profile breaches to compromise Amazon third-party sellers' accounts, the Wall Street Journal reports.

The attackers have stolen tens of thousands of dollars from sellers' accounts, and have also used the accounts to post nonexistent items for sale in order to steal more funds.

More than two million seller accounts on Amazon.com account for more than half of its sales, Fox Business reports, and over 100,000 of those sellers earn more than $100,000 a year.

...

http://www.esecurityplanet.com/network-security/amazon-sellers-hacked-targeting-the-weak-link-in-the-supply-chain.html

NEW YORK — Employees and third-party services are most likely the weakest links in a company’s cyber security system, but regular risk assessments can help prevent information leaks, a financial services regulatory attorney said last week. 

“Employees are the sources of many compromises within companies, much more so than the Chinese hackings that we read about every day,” said Jeffrey Taft, a partner with Mayer Brown during a conference Wednesday at the firm’s New York office. “It’s probably 20 times more likely that somebody in this room will be penetrated by employee malfeasance or negligence than any Chinese hacker. There’s a heck of a lot more you can do to keep your employees from leaking information than the Chinese hackers.”

Mr. Taft gave the attendees an overview of the New York State Department of Financial Services cybersecurity regulation, which became effective March 1.

...

http://www.businessinsurance.com/article/20170411/NEWS06/912312855/Regular-risk-assessments-can-help-mitigate-cyber-exposures

Thursday, 13 April 2017 15:42

Preventing Disaster, One Attendee at a Time


By Ron LaPedis

I attended Spring World DRJ at Disney’s Coronado Springs Resort during the last week of March. Their 56th conference had over 60 sessions with 75 speakers, split between general sessions, breakout sessions, workshops, and a Senior Advanced Track which was sponsored by the Business Continuity Institute. Disaster Recovery Journal has morphed from an IT disaster recovery conference to an all-hazards business continuity training camp. Some of the most interesting sessions this year covered topics such as:

  • Linking cyber to business continuity
  • Lunch with your auditors
  • Effective risk management
  • Supply chain resiliency
  • Effective exercise design
  • Using the Incident Command System (ICS)
  • Active shooter incident response

My job at Micro Focus is to work with our sales teams so that they can have topical conversations about cyber security and risk management with their customers. At the end of the day, Micro Focus sells software and hardware. However, customers don’t buy software and hardware, they buy solutions to their problems – and unless I know what problems they are facing, I cannot help. This means open-ended questions and drilling down until I can understand the real problem – and not just the symptoms that the customer might think are his problems. Of course, as technology advances the problems evolve, which means I need to keep up with the latest trends.


Continuing Education Is Not Only a Good Idea, It’s the Law

I have a lot of letters after my name. Most of them require me to earn continuing education units or CEUs every year. But earning CEUs is not the point; earning CEUs which add to my understanding of the business continuity and cyber fields is the point. One of my favorite presenters and authors is Regina Phelps, who is the queen of realistic tabletop exercises. Her latest book details how to develop a realistic cyber exercise. And just like real life, you may not come out of an exercise with the perfect solution, but it will make you think (and perhaps realize how far you need to come in your planning!)

Step Right Up to the Micro Focus Chalk Talks!

Have you checked out the Micro Focus chalk talks? These are a fun way to learn about our solutions to many of your organization’s problems to build, operate, and secure your computing infrastructure. They cover a handful of different solution areas and each runs about five minutes. This means that they are easy to fit in when you need a kicker to help ping your brain when you are trying to address one of your work problems.

And when you are ready to chat with us, we’ll have someone waiting by the phone ready to solve your hardest problems. As a FTSE 100 company, we have offices all over the world.

Republished with permission of Micro Focus at https://blog.microfocus.com/drj-spring-world-2017/.

Thursday, 13 April 2017 14:48

BCI: SMEs underfunding cyber security

The Business Continuity Institute

The vast majority of small to medium sized enterprises (86%) have less than a tenth of their total IT budget allocated to cyber security, while 75% have between zero and two IT security staff members, according to the results of a survey by EiQ Networks.

The survey also noted a significant drop in confidence over the past two years. In 2015, more than a quarter of respondents (27%) expressed confidence in their security posture, but in 2017 less than 15% said they feel confident that their currently deployed technologies will be successful in detecting and responding to attacks.

Vijay Basani, founder and CEO of EiQ Networks, commented "One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget, despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few."

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis."

Cyber security is as much of an issue for SMEs as it is for larger organizations with the Business Continuity Institute's latest Horizon Scan Report revealing that businesses of all sizes share the same concerns. A global survey identified the top three concerns for both SMEs and large organizations as cyber attack, data breach and unplanned network outage.

Further findings of the study were that just under half of respondents (45%) were breached or believe they were breached at least once in the past year, while just over half (56%) feel they're unprepared to identify and respond to a security incident. Three-quarters of respondents (75%) said they're concerned about protecting customer data, and two-thirds (67%) are concerned about protecting personally identifiable information.

Wednesday, 12 April 2017 15:24

Rethinking Risk to Achieve Efficient Growth

It’s no secret that strategy and finance need to work together to encourage growth – in fact, last year, both corporate functions cited integrating their planning as a top priority. Yet new research suggests that they need a third partner, risk, to move beyond incremental earnings increases and achieve long-term efficient growth.

Why risk? Because risk is the essence of growth.

CEB recently investigated companies that have consistently outgrown their industry peers while making simultaneous margin improvements. Just 60 companies we studied demonstrated this kind of “efficient growth,” and the single biggest differentiator of these profitable growers was their ability to allocate capital to bigger, riskier bets. Their R&D portfolios were disproportionately weighted toward transformational innovation projects, and their M&A deals were 40 percent larger on average.

...

http://www.corporatecomplianceinsights.com/rethinking-risk-to-achieve-efficient-growth/

OMG!  If you were ever going to want your crisis team to be “on it”… it would be in a case like this.  And of course, you already know, United apologized on Tuesday and said it would review its policies. Really…after videos showed a passenger being forcibly removed from a full plane to make room for its own employees, setting off public outrage. I understand the need to reposition staff but really?!?!?!

Oscar Munoz, the company's chief executive, said in a written statement that United would take "full responsibility" for the situation and that "no one should ever be mistreated this way." He committed to making changes to ensure that the situation would not repeat itself, adding that United would conduct "a thorough review of crew movement, our policies for incentivizing volunteers in these situations, how we handle oversold situations and an examination of how we partner with airport authorities and local law enforcement."

That’s it?  Really?

...

https://ems-solutionsinc.com/blog/everyone-is-talking-about-united-today-and-not-in-a-good-way/

The long-time goal of first responders and the ecosystem supporting them to create a nationwide broadband network is close to fruition, though it likely will fall short of expectations.

On March 30, AT&T announced that it had been selected by the First Responder Network Authority (FirstNet) to build the network, which it said will cover “50 states, 5 U.S. territories and the District of Columbia, including rural communities and tribal lands in those states and territories.”

The rationale for a discrete network is simple: Today, first responders use commercial networks that tend to be overwhelmed when a crisis occurs. Work on the project is expected to begin later this year and create 10,000 jobs.

...

http://www.itbusinessedge.com/blogs/data-and-telecom/states-opting-out-of-nationwide-first-responder-network.html

Wednesday, 12 April 2017 15:19

Data Breach Response Planning: A Guide

Data breaches don’t seem to attract our attention much these days; commonplace activities often lead to complacency. Remember that your organization will, if it has not already, have some type of data breach. Depending on the type and scope of the data breach, costs can quickly reach millions of dollars. This is an event you should have a specific plan for – at a minimum, you should include a detailed section in your Crisis Management Plan.

Here are the minimum items to consider:

1. Response Team

This is the team that will monitor and manage the event itself, not the individuals performing any investigative or forensic tasks. Often this team will be composed of senior leadership who have a corporate or organizational view of impacts. Others may be brought in to provide support or information. The roles to be filled for this team are:

...

https://www.mha-it.com/2017/04/data-breach-response-planning-a-guide/

Wednesday, 12 April 2017 15:18

The Networked Emergency Manager

Former Gen. Stanley McChrystal’s Team of Teams is an excellent book about leadership and the need to adapt to changing circumstances. In the book, he explains how the U.S. Special Operations Task Force in Iraq had to become a more nimble and networked organization to combat al-Qaida. Many of the lessons and strategies discussed are directly relatable to other disciplines, including emergency management.

The importance of networks within emergency management is not a new concept, as our thinking has evolved to embrace “whole community” partners, including the private sector and nonprofit organizations. Although a fair amount of effort has gone into the idea of networked emergency management, I would like to offer some additional perspectives on what it means to be a networked emergency manager. In doing so, it is helpful to consider the management consulting theory that organizational success stems from three factors: people, process and technology.    

In terms of people, the networked emergency manager must be willing and able to work with people and all types of personalities. Building and maintaining relationships takes time, but it is well worth the effort, particularly when you need to rely on other people for information or assistance during an emergency. Emergency managers also play an important role in helping to organize people and in bringing different groups and individuals together to tackle problems, often during a crisis. Investing in these people and relationships ahead of time will help build trust and increase the likelihood of success when it matters the most.

...

http://www.govtech.com/em/disaster/EM-Mag-The-Networked-Emergency-Manager.html

Dallas residents were wide awake and in a state of confusion late Friday night when the city’s outdoor emergency system was hacked, causing all of its 156 alarms to blast for an hour-and-a-half until almost 1:30 a.m.

With some interpreting the warning as a bomb or missile, a number of residents dialed 9-1-1, but the number of calls—4,400 in all—overwhelmed the system, causing some callers to wait for up to six minutes for a response, the New York Times reported.

The alarms blasted for 90-second durations about 15 times, Rocky Vaz, the director of the city’s Office of Emergency Management, told reporters at a news conference.

Mr. Vaz said emergency workers and technicians had to first figure out whether the sirens had been activated because of an actual emergency. And turning off the sirens also proved difficult, eventually prompting officials to shut down the entire system.

...

http://www.riskmanagementmonitor.com/dallas-alarms-hack-a-warning-of-infrastructure-vulnerability/

Millions of student, staff and faculty email addresses and passwords from 300 of the largest universities in the United States have been stolen and are being circulated by cyber criminals on the dark web, according to a recent report. 

Hacktivists, scam artists and even terrorists intend to sell, trade or just give away the addresses and passwords, said the Digital Citizens Alliance report. 

During eight years of scanning the dark web—the portion of the Internet not indexed for open searches, where criminals covertly operate—researchers from the security firm ID Agent discovered nearly 14 million addresses and passwords belonging to faculty, staff, students and alumni available to cyber criminals. Of those, 79 percent of the credentials were placed there within the last year.

...

http://www.afcea.org/content/?q=cyber-attack-101-criminals-go-after-us-universities

Business no longer controls all its data, now that the data is spread out over systems that could be in-house, in the cloud, or in somebody’s pocket.

From the mainframe era when two people controlled everything (the person who knew about the mainframe and the person who had the key to get in), organizations are now faced with situations in which data could be here, there, or anywhere.

Part of this is deliberate: wider, more flexible access to data can help people do their jobs better, and different storage solutions can help cut costs. But as the following anecdote shows, business continuity needs to adapt too.

The story comes from IBM executive Michael Puldy who describes how he had a close brush with catastrophe in his article “The Importance of a Personal Business Continuity Plan”.

...

http://www.opscentre.com/business-now-needs-personal-business-continuity/

Between the need to protect corporate data and regulations requiring that consumer data be protected, organizations are under more pressure than ever to keep their data safe. Data loss prevention (DLP) technology can help.

And regulations like the EU General Data Protection Regulation (GDPR) are upping the stakes. GDPR assesses hefty fines – up to 4 percent of global revenues – for failing to adequately protect consumer information, especially medical and financial data.

With a deadline of May 25, 2018, it's a daunting task for companies to plug all the leaks in their information systems in time, and global companies are panicking, according to Angel Serrano, senior manager of advanced risk and compliance analytics at PwC UK in London, who is also active in ISACA, a professional organization focused on risk management and information security.

...

http://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html

Early 2017 Atlantic hurricane forecasts are predicting fewer storms, but here’s why coastal residents shouldn’t let their guard down.

Colorado State University’s (CSU) Tropical Meteorology Project: “Coastal residents are reminded that it only takes one hurricane making landfall to make it an active season for them, and they need to prepare the same for every season, regardless of how much activity is predicted.”

London’s TSR (Tropical Storm Risk): The precision of hurricane outlooks issued in April is low and large uncertainties remain for the 2017 hurricane season.

Forecasters believe development of potential El Niño conditions in the coming months will suppress storm activity.

...

http://www.iii.org/insuranceindustryblog/?p=4928

About this time every year, Swiss Re publishes the data on the previous year's total economic losses and global insured losses from natural catastrophes and man-made disasters. It turns out that 2016 was the highest since 2012, reversing the downtrend of the previous four years.

Globally there were 327 disaster events in 2016, of which 191 were natural catastrophes and 136 were man-made. In total, the disasters resulted in economic losses of USD 175 billion, almost double the level in 2015.

In terms of devastation wreaked, there were large-scale disaster events across all regions, including earthquakes in Japan, Ecuador, Tanzania, Italy and New Zealand. In Canada, a wildfire across the wide expanses of Alberta and Saskatchewan turned out to be the country’s biggest insurance loss event ever, and the second costliest wildfire on sigma records globally.

...

https://ems-solutionsinc.com/blog/2016-year-widespread-damages-disasters/

Monday, 10 April 2017 14:41

Keeping Control of the Hybrid Enterprise

Hybrid computing models are starting to infiltrate enterprise data environments as organizations seek to leverage both public and private cloud infrastructure. But while this may seem to diminish traditional in-house data centers, it’s actually the outsourcing industry that has reason to worry.

According to Gartner, hybrid infrastructure will feature prominently at 90 percent of data-driven organizations by 2020, leading to a nearly three-fold increase in the cloud computing market to $68.4 billion. At the same time, spending on data center outsourcing (DCO) is expected to contract from today’s $55.1 billion to $45.2 billion. At the moment, DCO and infrastructure utility services (IUS) make up about half of the $154 billion data center services market, but this is expected to drop to a third by 2020 as hosting and cloud-based IaaS models gain in popularity.

What this means is that while organizations continue to reduce their direct management of physical-layer infrastructure, they will reassume control of their higher-level data and services architectures. But this transition is not without its challenges. A recent study by 451 Research noted that management aspects like cost containment, data migration and security are top concerns in the hybrid cloud, and are producing the most divergent responses. Some organizations, for example, pursue multi-vendor strategies to address these difficulties while others say they have greater success with single-vendor solutions. As well, hybrid cloud adoption is being driven by distinct challenges within vertical industries and national boundaries, with some organizations vexed by erratic user demand while others are faced with limited compute and storage capacity.

...

http://www.itbusinessedge.com/blogs/infrastructure/keeping-control-of-the-hybrid-enterprise.html

It’s typical for hyper-scale data center operators like Amazon to build their own infrastructure technology when it isn’t available on the market or when they feel they can make it cheaper on their own.

One piece of technology Amazon built in-house is meant to circumvent what one of the company’s top infrastructure engineers described as misplaced priorities in the way electrical switchgear vendors design their products.

It is this problem that likely caused last summer's Delta data center outage that ultimately cost the airline $150 million, as well as the infamous 2013 power outage during the Super Bowl. And James Hamilton, VP and distinguished engineer at Amazon Web Services, has seen this type of failure in data centers he has overseen during his career.

...

http://www.datacenterknowledge.com/archives/2017/04/07/how-amazon-prevents-data-center-outages-like-deltas-150m-meltdown/

Identity and access management (IAM) are more important than ever in an age when passwords can be hacked in minutes, corporate data breaches are a daily occurrence and cybercriminals have successfully infiltrated many top government and large-scale enterprise systems. It requires only one hacked set of credentials to gain entry into an enterprise network, and that’s just too easy for the bad guys.

A study by security firm Preempt noted that 35% of the passwords linked to a recent LinkedIn breach were identical to those used for other accounts. The remaining 65% could be cracked with unsophisticated brute-force cracking hardware. The challenge for organizations, then, is to go beyond mere passwords to encompass all aspects of identity and access control, and that's where IAM comes in.

...

http://www.esecurityplanet.com/network-security/identity-access-management.html

Here’s a short post, ideal for illustrating the simple but not always easy principle of minimalism:

Whatever you have, chances are you don’t need it all. You don’t need all the data you may be asking for, or for that matter, giving out. Medical forms and even veterinary offices often ask for social security numbers, though there are few cases where a medical facility needs that information. Many forms ask for a driver’s license, though they have no need for that information.

Conversely, companies don’t always think through the data they collect on their websites, in their products or from their employees. Look at what you have, what you collect, and where you keep it and realize the following:

...

http://www.mir3.com/cybersecurity-principle-minimalism/

The Business Continuity Institute

Business Continuity Awareness Week is now only a little over a month away and we would really like you to get involved. To help incentivize you, this year we are launching two competitions, each one giving you the chance to win a £250 Amazon gift card.

What could I do to improve cyber security?

Our BCAW posters offer six simple tips on how individuals can improve cyber security within their organization. What we want from you are more suggestions on what each of us could do to help make our organizations more cyber secure.

Email your suggestions to the BCI, and each submission will be in with a chance of winning a £250 Amazon gift card.

The winning tip will be chosen by our communication sponsor for BCAW - Everbridge.

My experience of a cyber security incident

For our second competition we are looking for something a bit more substantial - case studies.

Has your organization experienced a cyber security incident, how did you respond, what was the impact on your organization? It doesn't need to be a lengthy document and you can of course anonymise it if you wish.

Submit your case study to the BCI and again you will be in with a chance of winning a £250 Amazon gift card. The winner will be drawn at random.

(TNS) — Here's some welcome news for most Floridians: The upcoming hurricane season could be slightly below average.

In fact, we could see as few as four hurricanes.

An early forecast from scientists at Colorado State University's (CSU) Tropical Meteorology Project concluded that a weak or moderate El Niño is likely by the height of the Atlantic hurricane season, along with cooling temperatures in the tropical Atlantic and the North Atlantic Ocean. An El Niño weather pattern generally results in fewer hurricanes in the Atlantic basin, as it increases wind shear — strong winds that can break up hurricanes as they're forming.

...

http://www.govtech.com/em/disaster/2017-hurricane-season-forecast-to-be-slightly-less-active.html

Friday, 07 April 2017 16:38

How to Conquer the Compliance Audit

Astute receivables leaders know how to identify issues and act on them before they become major problems – especially when it comes to compliance. The cost of noncompliance and the damage to reputation can be debilitating, but preventive measures save resources by avoiding both, helping to create new business and maintain an advantage over the competition. For this reason, ARM agencies should work diligently to prepare for potential compliance audits from the CFPB or other regulatory authorities who oversee their operations. If they don’t take such mitigation actions, the risk of fines, penalties and legal actions may mount to an untenable extent.

Despite the warnings, many choose less favorable options, either ignoring the need for checks on their compliance tactics, hiring outside contractors who don’t know their business or simply absorbing the inevitable cost of noncompliance. Leaders take the proverbial bull by the horns, act immediately to avoid expenses and put their operations in a stronger position.

Immersing yourself in your own business and fearlessly seeking out issues that need correction brings your operation to heights you wouldn’t think possible. Here are 10 key components you need to avoid botching your compliance audit:

...

http://www.corporatecomplianceinsights.com/how-to-conquer-the-compliance-audit/

A sophisticated global hacking operation emanating from China has compromised managed service provider (MSP) networks and is targeting additional MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.

That’s the conclusion of a new joint report from PwC UK and BAE Systems, which details an intricate cyber espionage campaign by a well-known threat actor known as APT10.

So-called “Operation Cloud Hopper” has been in effect since at least last year, and has intensified during 2017, the researchers said.

...

http://mspmentor.net/managed-services/global-hacking-operation-targeting-msps-stealing-customer-data

Depression and mental health conditions are on the rise globally. Affecting more than 300 million people of all ages across the world, depression causes immense suffering to people and their families, as well as placing a great economic cost on society. Its consequences and solutions are highlighted in this year’s World Health Day on 7 April.

Mental health problems and stress-related disorders are a major health concern and the biggest overall cause of early death, according to the World Health Organization, which organizes World Health Day each year. Resulting from a complex interaction of social, psychological and biological factors, depression is often triggered by adverse life events such as unemployment, bereavement or psychological trauma. It can be debilitating for the affected person, who functions poorly at work, at school and in the family.

Some of the root causes of depression are related to living and working conditions. For example, the working environment is a powerful determinant of health and has a significant impact on the employee’s mood. In today’s context of economic globalization, the occupational environment is delivering increasing mental stress, which can lead to job dissatisfaction, reduced work performance, ill health and depression.

...

https://www.iso.org/news/Ref2177.html

Friday, 07 April 2017 16:35

Anti-Ransomware Decryption Toolkit Grows

Since its inception last summer, the No More Ransom project, an anti-ransomware initiative formed by the Dutch National Police, Europol, Intel Security and Kaspersky Lab, has been growing by leaps and bounds.

In addition to raising awareness and keeping tabs on the ransomware scene, the group banded together to help victims regain access to their files without having to pay their attackers. No More Ransom offers tools that can be used to decrypt files affected by popular strains of the malware.

"This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims," said Raj Samani, Intel Security's CTO for the EMEA region, in a July 2016 announcement. "By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment."

...

http://www.esecurityplanet.com/malware/anti-ransomware-decryption-toolkit-grows.html

DURHAM, N.C. – Hurricane Matthew left a $1.5 billion impact on North Carolina, according to National Oceanic and Atmospheric Administration, and the state has made significant progress on recovery. As the aftermath of Matthew fades, the accomplishments of those who survived the storm verify a basic truth about disasters: Recovery takes the Whole Community.

North Carolina has taken significant steps toward recovery following the aftermath of Hurricane Matthew. Affected communities and disaster survivors are repairing and rebuilding better, stronger and safer with the help of neighbors, friends, family members, voluntary groups, faith- and community-based organizations and local, county, state and federal governments.

The following highlights recovery progress made in the six months since the Oct. 10 presidential disaster declaration, and how disaster survivors and affected communities are overcoming challenges:

The declaration made 45 counties eligible to apply for help under FEMA’s Individual Assistance (IA) program.

In addition, local, county and state government infrastructure and certain private nonprofit organizations in 50 counties became eligible to receive funding through FEMA’s Public Assistance (PA) program to repair and rebuild certain eligible disaster-damaged facilities. Local, county and state government expenses related to debris removal, saving lives, providing security, and managing the immediate response became eligible for reimbursement.

Hazard Mitigation Grant funds were made available statewide. Because North Carolina took proactive efforts in Emergency Management, the state mitigation funding amount is 5 percent more than those states that meet minimum requirements. This will bring millions of additional dollars to the state for recovery programs.

Big Disaster Takes Big Response

FEMA individual assistance to North Carolina has surpassed $96 million, with nearly 82,000 survivors applying for federal and state assistance for housing, personal property and other expenses.

  • 82,000 North Carolina residents registered with FEMA.
  • Nearly $67 million approved for housing assistance, including short-term rental assistance and home repair costs.
  • More than $29 million has been approved to cover other essential disaster-related needs, such as medical and dental expenses and lost personal possessions.
  • More than $97 million in low-interest disaster loans for homeowners, renters, businesses and private nonprofit organizations has been approved by the U.S. Small Business Administration.
  • 271 households are currently checked in to the Transitional Sheltering Assistance (TSA) Program, and 100 households have been licensed in to Manufactured Housing Units. At the height of the TSA program, more than 1,900 survivors were approved for housing.
  • Nearly $188 million in National Flood Insurance Program claims has been paid, with nearly 6,000 flood insurance claims received.
  • At peak operations, more than 1,300 federal employees worked the disaster in North Carolina.
  • The state and FEMA staffed and operated 38 Disaster Recovery Centers and Mobile Disaster Recovery Centers. Before establishing DRCs, more than 200 Disaster Survivor Assistance team members went from door to door and store to store in damaged areas to provide information on FEMA assistance. They also staffed Mobile Disaster Recovery Centers that went to busy areas to provide information.
  • Public Assistance, which funds the rebuilding of infrastructure and public structures and reimburses local government for emergency response during disasters, has received nearly 450 applications with nearly 2,100 projects identified, totaling more than $413 million; 377 projects have been obligated for over $32 million (federal share).
  • FEMA’s Hazard Mitigation 406 program proposals can augment Public Assistance funding, as is the case in North Carolina. To date, mitigation staff identified 28 projects for additional mitigation funding, totaling nearly $1.6 million.
  • Hazard Mitigation’s Community Education Outreach counseled 9,020 survivors at 38 Disaster Recovery Centers and Mobile Recovery Centers and 3,000 individuals at building supply stores, municipal buildings, libraries and fire departments on the importance of incorporating mitigation measures into recovery building projects.
  • In partnership with the state, FEMA’s 404 Hazard Mitigation Grant Program staff have supported North Carolina Emergency Management in collecting more than 2,300 homeowner applications for acquisition, elevation or reconstruction of homes to reduce the risk of loss of life and property from future disasters.

Volunteers: The Backbone of Long-Term Recovery

Recovery has significantly progressed because of voluntary, faith and community-based groups that are donating their time and skills to help survivors muck out, repair and rebuild their homes. These groups are always the first and last presence to help disaster survivors recover.

Voluntary organizations have served over 1.6 million meals and 284,292 snacks and provided over 200,000 goods and services to thousands of people – and pets – in need. Long Term Recovery Committees are established in some affected communities and forming in others to assist those who still have unmet needs.

Interagency Recovery Coordination

The IRC multiagency group brings the full force of the federal family to federally declared disasters to identify the tools and resources necessary to support the state on its path to a sustained recovery.

The key outcome is the acceleration of the recovery process after a disaster through collaborative and inclusive planning processes with federal, state, tribal and local partners. Efforts include coordinating with whole community partners, mitigating risks, incorporating continuity planning, identifying resources, and developing capacity to effectively manage the recovery process.

All six of the Recovery Support Functions were activated for North Carolina. Five remain active including:

  • Community Planning and Capacity Building - FEMA
  • Economic - U.S. Department of Commerce - Economic Development Administration
  • Housing - U.S. Department of Housing and Urban Development
  • Infrastructure Systems - U.S. Army Corps of Engineers
  • Natural and Cultural Resources - U.S. Department of Interior

The group has completed the Mission Scoping Assessment, a compilation of issues the recovery support functions found in North Carolina. The group is currently working on the Recovery Support Strategy, which will suggest actions to aid the state in recovery.

Whole community partners continue to collaborate to find solutions to enable North Carolina’s recovery and will be here as long as it takes.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.

###

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards. Follow FEMA on Twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private nonprofit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955, by email [email address obscured on the original page], or by visiting SBA’s website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

ORLANDO, Fla. – Disaster Recovery Journal debuted a new conference format for Spring World 2017, adding 15 sessions to the business continuity industry’s premier event.

More than 800 attendees joined speakers, board members, and exhibitors from around the globe at Disney’s Coronado Springs Resort in Orlando, Florida, March 26-29, 2017. The three-day event featured 62 sessions, a concurrent exhibit hall with almost 100 booths, and numerous networking events.

“The new format allowed us to provide more sessions and more educational opportunities for our attendees,” said DRJ President Bob Arnold. “Everyone loved it. More options allowed our speakers to present the latest and greatest trends in the industry.”

Aside from the new sessions, DRJ’s 56th conference featured another one-day track for Senior Advanced Practitioners. This special track allows the industry’s most advanced planners to interact with C-level personnel and other advanced practitioners.

DRJ Spring World 2017 gold sponsor RSA hosted the Monday Night Hospitality event, featuring food, drinks, dancing, and giveaways. Silver sponsors included Deloitte, eBRP Solutions, Firestorm, Fusion Risk Management, IBM Resiliency Services, MIR3, Regus, and Strategic BCP. Co-sponsors included AlertMedia, Avalution Consulting, BC in the Cloud, ContinuityLogic, Kingsbridge Disaster Recovery, Quantivate, Recovery Planner, Rentsys Recovery Services, RES-Q Services, Ripcord Solutions, Veeam, and Virtual Corporation. Business partners included Business Continuity Institute (BCI), Forrester Research, International Consortium for Organizational Resilience (ICOR), and Public & Private Businesses Inc. (PPBI).

“I want to thank all of our sponsors and exhibitors for helping us provide so many networking opportunities with attendees and vendors,” said Arnold. “We were really happy with everyone who joined us for another great show in Orlando.”

In addition to several individual vendor drawings, attendees raked in 14 of the hottest technology items at the DRJ booth as part of the exhibit hall raffle. Grand attendance prize drawings also went to Michael Barrett, Marilyn Boatman, and Ramon Zulueta Wednesday morning before the final general session. All three attendees win a free pass to a future DRJ conference.

Check out the DRJ.com Live page for more photos, tweets, and other details from DRJ Spring World 2017.

DRJ is now preparing for its next conference, DRJ Fall World 2017, which will be held Sept. 17-20, 2017, in Phoenix. Potential speakers have until April 21, 2017, to submit a Call For Papers presentation.
To attend DRJ Fall World 2017, visit https://www.drj.com/fallworld2017/.


When a credit bureau hired Kevin Mitnick’s company to test its security defenses, he went straight for the crown jewels. He decided he would try to get inside the bureau’s data center, physically, on his own two feet.

After spending the second half of the nineties in prison for a number of computer crimes, he did not quit hacking. Instead, the legendary former cybercriminal put together an entire team of hackers who break into organizations’ systems using his signature combination of in-person deceit (Mitnick is a top authority on social engineering) and technological exploits as a service, to help them identify security holes.

This week, on stage at the Los Angeles Convention Center during the annual Data Center World conference, Mitnick demonstrated in real time an entire list of ways one could obtain proprietary and personal information, using both internet search skills and sophisticated technological exploits, from personal computers as well as corporate networks.

...

http://www.datacenterknowledge.com/archives/2017/04/06/this-hacker-can-talk-his-way-inside-a-data-center/

Thursday, 06 April 2017 14:31

A More Strategic Approach to GRC

The Trump administration is already making good on its campaign promise to significantly roll back federal regulations. With change imminent, compliance and risk managers have found themselves in a fast-moving and unpredictable environment.

Regulatory reform poses a unique challenge for compliance and risk teams, who are responsible for keeping up with regulatory changes, ensuring personnel and third parties are aware of their responsibilities and understanding the complexity of risk management. Facing these mounting difficulties, many enterprises have realized they need to develop more mature governance, risk management and compliance (GRC) programs.

In late 2015, Gartner conducted a survey of its clients to understand how they are using GRC software to support enterprise risk management efforts. Nearly 40 percent of those surveyed were not using GRC software. In addition, 65 percent were not even familiar with the term “GRC.” However, in Gartner’s 2015 CEO survey, 65 percent of global CEOs and senior executives viewed the level of investment in risk management tools and practices as insufficient.

...

http://www.corporatecomplianceinsights.com/a-more-strategic-approach-to-grc/

Thursday, 06 April 2017 14:30

IT Asset Management of Grey Matter

If you’ve already moved all your systems and applications to the cloud, you may feel there is little left for you to manage other than your organisation’s data and your IT department’s skillsets.

But how about the behaviours and attitudes of the people in your IT team?

How about linking attributes like these to performance in achieving IT objectives and business goals?

Before you dismiss these ideas as “just HR stuff”, you might want to check out the following trends that could make this kind of people analysis directly relevant to IT, in more ways than one.

...

http://www.opscentre.com/asset-management-grey-matter/

The modern enterprise is mobile and employees are no longer tethered to their corporate owned and provisioned computing equipment. As is the case in the wired world, mobile end-user devices need to be managed to improve employee productivity and to reduce enterprise security risks. That's the world that Enterprise Mobility Management (EMM) inhabits.

What is EMM?

The term Enterprise Mobility Management (EMM) is an evolution of the technology used to help control and manage mobile devices.

EMM is an evolution of the Bring Your Own Device (BYOD) phenomenon that has been going on for well over a decade in organizations around the world. The emergence of Apple's iPhone a decade ago was a real catalyst in the movement, as employees chose to use their own iPhones over corporate-provided devices. The first generation of BYOD management platforms was known as Mobile Device Management (MDM) and originally focused largely on the hardware enrollment and access part of the BYOD challenge.

...

http://www.esecurityplanet.com/mobile-security/enterprise-mobility-management-emm.html

PHILADELPHIA – The Department of Homeland Security, Federal Emergency Management Agency (FEMA) will evaluate a Biennial Emergency Preparedness Exercise at the Three Mile Island Nuclear Generating Station. The exercise will occur during the week of April 10th, 2017 to assess the ability of the Commonwealth of Pennsylvania to respond to an emergency at the nuclear facility.

“These drills are held every other year to evaluate government’s ability to protect public health and safety,” said MaryAnn Tierney, Regional Administrator for FEMA Region III. “We will assess state and local emergency response capabilities within the 10-mile Emergency Planning Zone as well as the adjacent support jurisdictions within the Commonwealth of Pennsylvania.”

Within 90 days, FEMA will send its evaluation to the Nuclear Regulatory Commission (NRC) for use in licensing decisions. The final report will be available to the public approximately 120 days after the exercise.

FEMA will present preliminary findings of the exercise in a public meeting at 10:00 a.m. on April 14th, 2017, at the Sheraton Harrisburg Hershey Hotel, 4650 Lindle Road, Harrisburg, PA 17111. Planned speakers include representatives from FEMA, NRC, and the Commonwealth of Pennsylvania.

At the public meeting, FEMA may request that questions or comments be submitted in writing for review and response. Written comments may also be submitted after the meeting by email [email address obscured on the original page] or by mail to:

MaryAnn Tierney

Regional Administrator

FEMA Region III

615 Chestnut Street, 6th Floor

Philadelphia, PA 19106

FEMA created the Radiological Emergency Preparedness (REP) Program to (1) ensure the health and safety of citizens living around commercial nuclear power plants would be adequately protected in the event of a nuclear power plant accident and (2) inform and educate the public about radiological emergency preparedness.

REP Program responsibilities cover only “offsite” activities, that is, state and local government emergency planning and preparedness activities that take place beyond the nuclear power plant boundaries. Onsite activities continue to be the responsibility of the NRC.

Additional information on FEMA’s REP Program is available online at FEMA.gov/Radiological-Emergency-Preparedness-Program.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. FEMA Region III’s jurisdiction includes Delaware, the District of Columbia, Maryland, Pennsylvania, Virginia and West Virginia. Stay informed of FEMA’s activities online: videos and podcasts are available at fema.gov/medialibrary and youtube.com/fema. Follow us on Twitter at twitter.com/femaregion3.

Thursday, 06 April 2017 14:28

Experts to Residents: Be Weather Aware

(TNS) - Oklahomans know tornadoes can be deadly, but we may not always know how to protect ourselves.

In 2013, 24 people lost their lives when an EF-5 tornado hit Moore a day after another tornado destroyed multiple homes in east Norman. The risk of severe weather events such as large hail, tornadoes and flooding are higher in April and May, said National Weather Service meteorologist Wayne Ruff, meaning residents should be especially aware of weather.

“Pay attention to the weather forecasts, not only for today, but for the next two or three days so you can prepare,” Ruff said. “On any given day where there is a forecast for severe weather, think about changing plans that would put you at risk.

...

http://www.govtech.com/em/disaster/Experts-to-residents-Be-weather-aware.html

Thursday, 06 April 2017 14:23

Vendor Risk Management – Where to Start

Vendor management gets a lot of attention these days, but have you considered the risk associated with your vendors? When was the last time you conducted a vendor-related risk assessment? Is vendor risk management (VRM) even a part of your Business Continuity Program?

All organizations are interconnected. This is especially clear for large organizations with considerable numbers of vendors, particularly those with multiple locations or global operations, but even a small business with only local suppliers should consider the vendor-related risks to its organization.

Definition of a critical vendor:

  • Any vendor/supplier whose missed commitments might cause the organization to be unable to achieve a stakeholder’s mission.
  • Any vendor/supplier crucial to recovering from a crisis event.
    • Key vendors may not be critical for day-to-day operations, but their criticality may increase during crisis events.

...

https://www.mha-it.com/2017/04/vendor-risk-management/

The Business Continuity Institute

The International Organization for Standardization has recently published a new standard that provides guidance to enhance organizational resilience for any size or type of organization. This international standard – ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes – defines organizational resilience as “the ability of an organization to absorb and adapt in a changing environment”. It is the result of a lengthy development process and represents the global consensus on the concept of organizational resilience.

The Business Continuity Institute is grateful to our many members around the world who contributed to the process, either by providing comments in the public consultation process or by taking part in national and international working groups. We recognise and understand that organizational resilience is not the same as business continuity, but requires a collaborative effort between business continuity professionals and with other related management disciplines.

The BCI issued a position statement in February 2016 that outlined our perspective on the subject. We have also published two white papers on what we believe the challenges are to the business continuity profession and the professional - the resilience challenge for the business continuity profession and responding to the resilience challenge.

The BCI are pleased to announce the new one day ‘Introduction to Organizational Resilience’ training course aimed at those interested in the subject and wishing to gain a greater understanding of how to build resilience capabilities through a collaborative approach between established management disciplines.

ISO 22316 is a welcome addition to the guidance available for our global community on this subject. BS 65000, the British standard that was published in 2014, provides guidance for organizational resilience and addresses implementation and assessment issues, and is regarded as complementary to ISO 22316. These two standards are different in many respects but are underpinned by shared concepts, principles, and a general approach to building greater levels of resilience in organizations of all types, sizes, and sectors. There will likely be further alignment and revision in the future in this evolving field, and the BCI will continue to be involved and contribute to a more resilient society.

Deborah Higgins FBCI is the Head of Professional Development at the Business Continuity Institute

The Business Continuity Institute

It seems impossible to think about preparedness planning without thinking about time. Time is often at the very heart of any discussion of business continuity and IT disaster recovery. Nonetheless, there are deep flaws in the continued attempts to incorporate it into preparedness planning. These flaws lead to frustrated participants, disengaged managers, wasted effort and dubious outcomes. However, these flaws are avoidable and correctable.

In the latest edition of the Business Continuity Institute's Working Paper Series, David Lindstedt asserts that time is not a target; rather, it is a constraint. While it has its place in preparedness planning, time does not warrant its central focus in our methodology or practice.

Deborah Higgins FBCI, Head of Professional Development at the BCI, commented: "I welcome this paper as it challenges our thinking associated with preparedness planning. I see this work as a fantastic opportunity for fellow professionals to share their own experiences and explore how the theoretical arguments posed in this piece translate into practice."

"I would be happy to get your feedback on this as your engagement will ultimately drive our profession forward – considering the thorny problems we face together and applying our collective expertise to improve current practice."

The paper concludes that, when considering time, "it depends” is now a perfectly acceptable answer from the planning participant, and accepting this answer allows the planning practitioner to be more receptive, adaptive, and effective. The approach enables participants to self-assess restrictions rather than relying on the practitioner to facilitate the assessment of time requirements, thus allowing the practitioner to engage at a more strategic level.

In practical terms, the professional avoids any potential confrontation with regard to discussions about time. In theoretical terms, the professional does not fall into any traps, as time is discussed only as a constraint to recovery activities, not a target that has to be set without the proper ability to do so. And in financial terms, the organization will not waste money preparing to hit targets of time that are arbitrary at best and misleading at worst.

Download your free copy of 'Our deep misunderstanding of time in preparedness planning' to understand more about the concept of time as a constraint rather than a target when managing your business continuity management programme.

Fully 86 percent of small to medium enterprises (SMEs) have less than 10 percent of their total IT budget allocated to cyber security and 75 percent have between zero and two IT security staff members, according to the results of a recent EiQ Networks survey of more than 150 SME IT security professionals.

"One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget -- despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few," EiQ Networks founder and CEO Vijay Basani said in a statement.

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis," Basani added.

...

http://www.esecurityplanet.com/network-security/86-percent-of-smes-are-underfunding-cyber-security.html

Wednesday, 05 April 2017 15:10

Finding the Sweet Spot for Your Data Center

There’s certainly no shortage of options for expanding data center capacity these days. You can renovate an existing facility or add a modular unit onsite or offsite, build one from scratch, lease data center space, or move non-critical data and applications off your servers and into a cloud … and just about any combination of the above.

Which scenario is right for your company? Whatever makes the most sense for the business, said HPE’s Laura Cunningham during her Data Center World session, “Finding the Sweet Spot for Your Data Center.”

So, it’s imperative to know the future direction and financial preferences of your company before meeting face-to-face with a CIO, CEO or CFO to ask approval for any IT project.

...

http://www.datacenterknowledge.com/archives/2017/04/05/finding-sweet-spot-data-center/

The Internet of Things (IoT) is taking shape at a rapid clip, but like any other cooperative technology initiative, the need for standards is starting to draw interest as well.

While it seems obvious that millions of sensors distributed around the globe would need some sort of interoperable framework, what about the rest of the IoT infrastructure? When we delve into wireless networks, backhaul and even analytics, where will standards help overall IoT functionality and where will they hurt?

At the recent Enterprise IoT Summit in Austin, Texas, InterDigital Executive Vice President Jim Nolan pointed out that when it comes to municipal IoT endeavors like smart cities, the need for standardization will be quite broad. Without commonality in M2M communications and other facets, the development of smart cities could see a collective cost overrun of some $341 billion, or about 30 percent of the cost of implementation, according to a recent study by Machina Research. When we consider that the World Economic Forum estimates that the IoT could drive some two-thirds of global GDP over the next decade, this represents a huge, and utterly avoidable, expense for the world economy.

...

http://www.itbusinessedge.com/blogs/infrastructure/what-is-the-proper-level-of-standardization-for-the-iot.html

Wednesday, 05 April 2017 15:02

10 Ways CDC Gets Ready For Emergencies

Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

One of the best parts of my job is the opportunity to learn from a wide range of experiences. We have an obligation to not only respond to emergencies today, but to prepare for tomorrow by learning from the past. Our work extends to households affected by disease, communities ravaged by disasters, and U.S. territories battling new and changing threats. In fact, all over the world – we try to get ahead of, and manage, complex responses that touch many lives through ever changing circumstances. In an ideal world the health in every community would be at a level that would make recovery and reliance easier. The reality is that emergencies happen in all kinds of environments and populations.

The Public Health Preparedness and Response National Snapshot is our annual report that gives us an opportunity to showcase the work that we and our state partners do. The report reminds us that no matter how big the emergency, we need to work together to respond to the best of our ability—with the cards we are dealt.

Here are 10 ways CDC’s Office of Public Health Preparedness and Emergency Response worked to keep people safer in 2016 that can inform our work going forward.

1) Four Responses at Once: An Unprecedented Challenge

CDC experts continue to provide 24/7 monitoring, staffing, resources, and coordination in response to natural disasters, terrorist attacks, and infectious disease threats. In early 2016, CDC managed four public health emergencies at the same time through our Emergency Operations Center:

  • Ebola
  • Flint, Michigan, Water Quality
  • Zika Virus
  • Polio Eradication

2) A Complex Threat: Zika Hits the U.S.

CDC scientists and responders were activated in CDC’s Emergency Operations Center, where they combed through research, developed and distributed diagnostic tests, and provided on-the-ground mosquito control and education to protect people at higher risk for the virus, including pregnant women and infants.

3) Right Resources, Right Place, Right Time

CDC’s Strategic National Stockpile is ready to send critical medical supplies quickly to where they are needed most to save lives. The stockpile is the nation’s largest supply of life-saving pharmaceuticals and medical supplies that can be used in a public health emergency if local supplies run out.

Last year, we helped conduct 18 full-scale exercises and provided training for 2,232 federal and state, local, tribal, and territorial emergency responders to ensure that systems for delivering medicines are functioning well before they are needed in an actual emergency. We continue to work with our federal, state, local, and commercial partners to make sure every step of the medical supply chain – from manufacture to delivery – is coordinated.

4) State and Local Readiness

CDC connects with state and local partners to provide support and guidance, helping every community get ready to handle emergencies like floods, hurricanes, wildfires, or disease outbreaks.

This year, we created a new process to evaluate how well state and local jurisdictions can plan and execute a large-scale response requiring the rapid distribution of critical medicines and supplies. Through this program, we conducted assessments of 487 state and local public health departments. The information from these assessments will be used to help improve the ability to get emergency supplies quickly to those who need them most.

5) Cutting-Edge Science to Find and Stop Disease

To protect lifesaving research, CDC experts in biosafety and biosecurity conducted approximately 200 laboratory inspections and thousands of assessments of those who handle dangerous select agents and toxins like anthrax, plague, and ricin to keep these materials safe, secure, and out of the hands of those who might misuse them.

CDC’s Laboratory Response Network (LRN) also develops and deploys tests to combat our country’s most pressing infectious and non-infectious health issues, from Ebola to Zika virus to opioid overdose. The network connects over 150 labs to respond quickly to high priority public health emergencies.

6) Protecting Our Most Vulnerable

CDC supports efforts all across the country to help those who may not be able to help themselves when a crisis strikes. Some populations, like children, older adults, and others with functional and access needs may need extra help during and after an emergency.

From planning for the 69 million children who may be in school when disaster strikes to the millions of Americans who need to make sure prescriptions are filled, medical equipment is working, and help arrives even if power is out and roads are blocked, it’s up to us to protect our most vulnerable in emergencies.

7) Emergency Leaders: The Future of Incident Response

When every minute counts, we need people who have the knowledge to step in and take immediate action. Learning and using a common framework like the CDC Incident Management System helps responders “speak the same language” during an event and work more seamlessly together.

CDC experts train leaders from around the world—25 countries in 2016—through an innovative, four-month fellowship based at our Atlanta headquarters. Lessons learned from this course were put to work immediately to head off an outbreak of H5N1 influenza in Cameroon.

8) The Power of Preparedness: National Preparedness Month

Throughout September, CDC and more than 3,000 organizations—national, regional, and local governments, as well as private and public organizations—supported emergency preparedness efforts and encouraged Americans to take action.

The theme for National Preparedness Month 2016 was “The Power of Preparedness.” During our 2016 campaign, we recognized the successes of countries and cities who have seen the direct benefits of being prepared, looked at innovative programs to help children and people with disabilities get ready for emergencies, and provided tips for home and family on making emergency kits.

9) Health Security: How is the U.S. Doing?

As part of the Global Health Security Agenda, teams of international experts travel to countries to report on how well public health systems are working to prevent, detect, and respond to outbreaks. In May, a team made a five-day visit to the U.S. to look at how well we’re doing.

In the final report, the assessment team concluded that, “the U.S. has extensive and effective systems to reduce the risks and impacts of major public health emergencies, and actively participates in the global health security system.” They recognized the high level of scientific expertise within CDC and other federal agencies, and the excellent reporting mechanisms managed by the federal government.

10) Helping YOU Make a Difference

Get a flu shot. Wash your hands. Make a kit. Be careful in winter weather. Prepare for your holidays. Be aware of natural disasters or circulating illnesses that may affect you or those you care about. There are many ways to prepare, and in 2016 we provided the latest science and information to empower every one of us to take action.

Every person needs knowledge to prepare their home, family, and community against disease or disaster before an emergency strikes. Whether it’s how to clean mold from a flooded home, how to wash your hands the right way, or how to use your brain in emergencies, our timely tips and advice put the power of preparedness in your hands. From the hidden dangers of hurricanes to the heartbreaking dangers of flu, there are steps we can all take to stay safe every day as we work toward a healthy and protected future.

For more ways we are helping protect America’s health, check out the new National Preparedness Snapshot.

To find out more about the issues and why this work matters, visit our website.

Wednesday, 05 April 2017 14:54

Testing Your Business Continuity Plan

If the employees in your organization are spending the time, energy, and resources to develop your business continuity plan, your organization must be ready for any disruption, right? Possibly, but making this assumption isn’t going to help anyone during an emergency if the plan is not spot on! If you document your plan, but don’t share it with your team or train on it, it’s like not having a plan at all.

RUNNING DRILLS & EXERCISES

Even more critical to your business continuity program’s success is to run your BC team and your plan through regularly scheduled drills and exercises. Organizations that perform well-planned exercises get better results when they are faced with a real event. Not only will these planned tabletop, functional, or full-scale exercises expose issues with your plan and its execution, but they will also give your employees the opportunity to become comfortable with their roles and assigned tasks before an unexpected business disruption requires them to execute these mission-essential functions and be on top of their game during a real event.

...

http://www.missionmode.com/testing-business-continuity-plan/

http://www.drjenespanol.com/Articulo/2017/2017-04-04/tabid/841/language/es-ES/Default.aspx

With the dizzying advances in technology (cloud computing, virtualization, communications, new replication and mirroring technologies for geographic high availability, etc.), new alternatives are emerging for maintaining resilience in organizations, and new paradigms must be considered when it comes to ensuring the “uptime”, or availability, of technology services, especially those classified as critical because of their high impact on the survival of the organization.

Disaster Recovery (DR), for handling unplanned disruptive events, is defined in the DRII International Glossary for Resiliency as the “ability of an organization to recover and restore the IT component after an interruption; it is the technological aspect of business continuity”. It involves planning, designing, implementing and testing the actions that are activated when an unplanned interruption or disaster occurs. For that, an alternate site with the necessary resources must be available, where technology services are recovered temporarily while actions are taken to restore the capacity of the primary site and thus, on return, maintain continuity of operations. In other words, this model requires the well-known phases of failover/switchover and failback for the information systems together with their platforms, basic infrastructure, communications, databases, storage, security and the other necessary components across the seven layers of the ISO OSI model.

On the other hand, with the new technologies, what is called Disaster Avoidance (DA) is gaining ground. It is an alternative for maintaining and ensuring the continuity of mission-critical business services that is centered more on “resilience” than on the recovery and restoration of services that characterize DR.

With DA, services are kept running automatically in two or more active centers (the concept of primary and secondary data center disappears), with synchronous replication practically in real time. In the event of a planned or unplanned interruption, the services and functions are taken over entirely by the site(s) not affected by the disaster, while operations continue in a normal state in the data centers that work cooperatively. This strategy ensures that data is permanently available and up to date, that is, with an RPO close to zero. In conclusion, under this alternative there is no data loss.

DA is an alternative that can give organizations more confidence, particularly those whose services require highly critical, almost immediate availability: those that provide what are called “critical infrastructures” for countries, critical financial services, medical services with high impact because of the risk to human life, most of the new services related to the IoT (Internet of Things), and so on, whose recovery time objectives (RTO) and recovery point objectives (RPO) must be very short.

Nothing is entirely perfect, though. The DA strategy requires greater investment and operating costs, since it normally requires multiple data centers, or at least one additional data center, operating continuously, simultaneously and cooperatively. This also implies differences in design, implementation, operation and, of course, costs in terms of infrastructure, staff, communications, databases, storage, licensing, monitoring, etc. Additionally, the equipment and infrastructure installed must be similar in capacity, availability and installed technologies.

Advantages and Disadvantages: DR vs DA
  • Investment and costs of the data centers and the IT technology installed under each strategy

In Disaster Recovery (DR), the options for alternate data centers, typically classified as Cold, Warm or Hot, take a passive role when no disaster situation occurs, and these valuable resources normally remain idle.

DA solutions require the multiple data centers to be of the Hot type and to coexist permanently in active mode, to guarantee that critical technology services are available from any location, regardless of the situation or of unforeseen events. With DA, workloads are balanced across the data centers; if there are two sites, they must have similar capacities and each should run at a load as close to 50% as possible, which means they also have idle resources. Of course, those resources are active and available, but waiting for the moment when they must immediately take on the full load because of an interruption at the replicated or mirror site. These conditions make the DA alternative much more expensive.

With the DR strategy, the type of data center required is determined by the availability requirements. In most cases, in my experience, the recommendation is that the primary data center be Tier 3 (meaning 99.99 availability), and ideally Tier 4 (99.995 availability). For the alternate data center, Tier 3 is normally appropriate.

With the DA alternative, there can be more flexibility in the tier of the data centers, to the extent that availability is gained from the redundancy achieved by data centers operating jointly. Looking at the centers individually, this appears to be an economic advantage, since it requires less investment in building each center (with less internal redundancy of components), or a lower price when these services are contracted. But given the number of centers, the IT technology installed in each of them, and the communications needed to support them, in total this strategy is much more expensive.

The distance between data centers in DA solutions must be relatively short, for better replication or mirroring performance and to avoid latency. The drawback, or special condition, is that good practice says the sites for this type of solution should not be exposed to the same types of risk; otherwise, a simultaneous “outage” of the data centers could occur and the advantages of geographic redundancy would not apply.

  • Handling Disaster Events

When an unforeseen interruption occurs in DA solutions, the impact is very partial, since services are distributed among the data centers and those that remain active take over the affected services of the impacted site. That is, the risk is distributed in the popular sense that “not all the eggs are in the same basket”, with the added significant advantage that there is no real suspension of services (the RTO is close to zero).

With DR, there is a period of downtime: damage assessment processes by the response teams, decision-making to activate the DR plan, the actions needed to bring up the alternate site and actually make the data available (with possible data loss, depending on the strategy implemented for the approved RPO), and the actions to finally have the alternate site in operation.

In DA, the actions, procedures and human intervention are reduced, and the recovery steps operate practically automatically and, by definition, in a controlled way.

With DR, for major interruptions with disaster characteristics, there is a commonly complex set of actions documented in plans, which must be carried out in a synchronized way by staff with the necessary skills and capabilities, with established priorities and with the proper sequence and responsibilities. Even though many of these actions can be automated, there is more human participation and more decision-making, which demands more training and education, and even requires adequate preparation for the staff who intervene at moments of emergency, crisis situations and disaster handling.

  • Tests and Exercises

Tests in DA are relatively easier to carry out: in theory, at any moment services can be moved to one site and operated from there, and likewise returned to the initial conditions, that is, with the loads distributed as originally designed. In DR, all the experts in the technologies involved must work on activities before, during and after, to ensure that the transfer of operations, the work in continuity mode, and then the return to the primary site are carried out successfully.

  • Maintenance

For planned interruptions in DA solutions, to carry out maintenance on the basic infrastructure of the data center and/or IT platforms and equipment, service delivery continues without any interruption, because while the scheduled activities are carried out within the maintenance “window”, the workloads are taken over and supported by the surviving cooperating sites.

  • Service Management

With DA, thanks to the shared load, resources are better utilized and management is relatively easier, but it means permanently managing two or more data centers that are active simultaneously. The design and implementation process may be more complex, but operation is simplified, and in disaster events the management of technology continuity is much more automated, which leaves less margin for error.

Conclusions:

Determining the most appropriate strategy depends on the specific needs of each company, its risk appetite and the availability of resources to determine the most appropriate strategy and investment.

In technology business continuity, of course, best practices related to the plan-do-check-act cycle still apply; it is in the definition of strategies and in decision-making about the relevant solutions, based on the results of the BIA and the risk analysis, that the determinations are made about what is most appropriate to implement: DA or DR or, why not, a set of mixed solutions, which is also viable.

It is possible to implement mixed solutions to cover a broader range of services, with DA solutions for the top tier of services classified as mission-critical business services and their related services, always including the interdependent applications and information systems, and DR for critical services whose RTOs are not so extremely demanding.

It is also important to further strengthen local high-availability solutions and preventive actions that prevent and minimize, on site, the possibility of disasters occurring at any of the data centers involved, whatever the alternative selected.

DA is a more resilient solution and generates more confidence for critical technology services, insofar as redundant data centers, easily accessible from anywhere through redundant media and access paths, maintain continuity of operations, but the cost of the investment could be significantly higher.

For an appropriate decision, knowledge of the nature of the business is vitally important, and based on it, the times and costs involved in handling a disaster and its impacts must be weighed against the times and costs of implementing, operating and maintaining the solution. A good analysis will make it possible to determine the most relevant strategy for the organization.

Tuesday, 04 April 2017 15:43

The Top Risks for 2017

North Carolina State University’s ERM Initiative and Protiviti recently completed the latest survey of C-level executives and directors worldwide regarding the macroeconomic, strategic and operational risks their organizations face. The top risks for 2017 provide insight as to what’s top-of-mind currently among leaders around the globe.

Overall, 735 C-level executives — 55 percent of whom are based in the United States, with the balance distributed between Europe and Asia-Pacific — participated in this year’s study, which was conducted in September 2016. These executives revealed that their respective organizations face significant issues and priorities that vary by industry, executive position and company size and type. They indicated that the overall global business context is noticeably more risky than in the two prior years, with respondents in the U.S. indicating it’s about the same as in prior years. The overall risk scores for all of the top 10 risks are higher than prior years, suggesting that executives perceive the level of risk is increasing across several dimensions.

Note that this survey was conducted during the fall of 2016 and was completed just before the 2016 election results were in. It is a fair question as to whether the survey results might have been different had President Trump’s election been known. We believe that, if anything, the results might reflect even greater uncertainty, because many observers were of the view prior to the election that a Clinton administration would have continued the policies of the prior administration. Such is not the case with the Trump administration, which has promised tax and regulatory reform as well as an overhaul of the nation’s trade deals with selected countries. Accordingly, the implications of change in policy on the global outlook must play themselves out over time.

...

http://www.corporatecomplianceinsights.com/the-top-risks-for-2017/

Tuesday, 04 April 2017 15:41

Disaster Recovery and Human Error

The title of this blog post could almost have read “Never send a human to do a machine’s job.”

While computerisation and automation may seem dehumanising at times, they can reliably and rapidly perform procedures without error, avoiding the mistakes that people make through inexperience or inattention when trying to apply disaster recovery routines.

However, human error is still a major risk, both in terms of causing IT disasters in the first place, and in causing DR procedures to fail afterwards.

...

http://www.opscentre.com/disaster-recovery-human-error/

Iron Mountain announced a major investment in renewable energy for its data centers, one week after President Donald Trump signed an executive order in an attempt to roll back Obama-era climate regulations.

The data center provider signed a 15-year agreement with a new wind farm in Ringer Hill, Pennsylvania, to use 25 MW of its capacity—enough to power Iron Mountain’s data centers in three states. Part of a strategy that combines wind and solar, the company said its data center business is now powered 100 percent by renewable energy.

Despite the possibility of loosening restrictions on coal power handed down from Washington, Iron Mountain joins mega-data center providers Equinix and Digital Realty in making investments in wind and solar. Being able to provide data center services to big customers, such as Amazon, Microsoft, Apple, and Google — all staunch advocates of renewable energy — may take precedence for service providers, regardless of what shape federal policy on climate takes.

...

http://www.datacenterknowledge.com/archives/2017/04/03/iron-mountain-secures-wind-power-trio-data-centers/

BATON ROUGE, La. – A Disaster Recovery Resource Fair will be held at New Orleans East Hospital for flooding and tornado survivors on Saturday, April 8 from 9 a.m. until 3 p.m.

Local, state and federal agencies will gather as a one-stop-shop to assist survivors in their recovery. Legal services, flood insurance, mitigation advice, disaster tax relief and other recovery resources will be available.

Kids have a hand in recovery also, so there will be a Kids Corner with activities such as coloring and face painting. Admission is free.

The resource fair will be held at the following address:

New Orleans East Hospital
5620 Read Blvd.
New Orleans, LA 70127

April 8 is also the last Saturday the Disaster Recovery Center will operate. DRC visitors that day may also attend the one-day Disaster Recovery Resource Fair across the street.

https://ems-solutionsinc.com/blog/how-do-you-do-with-an-insider-threat/

A new whitepaper just released by Intel will offer you some good guidance on how to deal with the insider threat. Insiders are responsible for almost as many losses, breaches, and thefts of sensitive and confidential data as cybercriminals. According to a recent Intel® Security data exfiltration study, more than 40% of data loss is caused by insiders, roughly half intentional and half accidental.

The latest insider thefts have even prompted the US Department of Defense to require affiliated companies to have a program that can “Gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.”1 Whether you do business with the defense industry or not, tackling insider threats is not only a critical challenge to address, but it’s also a team effort, necessitating work in data classification, policy development, and incident response, backed by a strong set of data loss prevention tools.

The document peels back the issue into bite-size, valuable pieces. Topics include:

  • Building a Defensive Formation
  • Focus on the Data
  • Coaching a Security Culture
  • Zone and Player Coverage
  • Profiling the Players
  • Building the Defensive Playbook

Finally, the human element is a fundamental part of insider theft that should be at the forefront of your planning. Social engineering and credential theft are much easier for insiders than for outsiders, so additional precautions and visible checks and balances are necessary to protect your most sensitive data. For example, multi-person controls make it much more difficult for a lone insider to access and exfiltrate restricted data. Another is the simple mechanism of copying the manager as well as the user when a policy violation is detected.

You can’t totally eliminate the threat, but there is a lot you can do to improve your posture.

http://resources.idgenterprise.com/original/AST-0178225_Tackling_Insider_Threats_WP.pdf

Britain’s airports and nuclear power stations have been told to tighten their defences against terrorist attacks in the face of increased threats to electronic security systems.

Security services have issued a series of alerts in the past 24 hours, warning that terrorists may have developed ways of bypassing safety checks.

Intelligence agencies believe that Islamic State of Iraq and the Levant (Isil) and other terrorist groups have developed ways to plant explosives in laptops and mobile phones that can evade airport security screening methods.

...

http://www.telegraph.co.uk/news/2017/04/01/airports-nuclear-power-stations-terror-alert-government-officials/

By Louis Imershein, VP Products and Wayne Salpietro, Director of Marketing

Permabit Technology Corp

The cloud continues to dominate IT as businesses make their infrastructure decisions based on cost and agility. Public cloud, where shared infrastructure is paid for and utilized only when needed, is the most popular model today. However, more and more organizations are addressing security concerns by creating their own private clouds. As businesses deploy private cloud infrastructure, they are adopting techniques used in the public cloud to control costs. Gone are the traditional arrays and network switches of the past, replaced with software-defined data centers running on industry standard servers.

Efficiency features make the cloud model more effective by reducing costs and increasing data transfer speeds. One such feature, which is particularly effective in cloud environments is inline data reduction. This is a technology that can be used to lower the costs of data in flight and at rest. In fact, data reduction delivers unique benefits to each of the cloud deployment models.

Public Clouds

The public cloud’s raison d’etre is its ability to deliver IT business agility, deployment flexibility and elasticity. As a result, new workloads are increasingly deployed in public clouds.  Worldwide public IT cloud service revenue in 2018 is predicted to be $127B.  

Data reduction technology minimizes public cloud costs. For example, deduplication and compression typically cut capacity requirements of block storage in enterprise public cloud deployments by up to 6:1.  These savings are realized in reduced storage consumption and operating costs in public cloud deployments.   

Consider AWS costs employing data reduction:

If you provision 300 TB of EBS General Purpose SSD (gp2) storage for 12 hours per day over a 30-day month in a region that charges $0.10 per GB-month, you would be charged $15,000 for the storage.

With data reduction, that monthly cost of $15,000 would be reduced to $2,500. Over a 12-month period you would save $150,000. Capacity planning is a simpler problem when the data is 1/6th its former size. Bottom line: data reduction increases agility and reduces the costs of public clouds.

One data reduction application that can readily be applied in public cloud is Permabit’s Virtual Data Optimizer (VDO), a pre-packaged software solution that installs and deploys in minutes on Red Hat Enterprise Linux and Ubuntu LTS Linux distributions. To deploy VDO in Amazon AWS, the administrator provisions Elastic Block Storage (EBS) volumes, installs the VDO package into their VMs and applies VDO to the block devices that represent their EBS volumes. Since VDO is implemented in the Linux device mapper, it is transparent to the applications installed above it.

As data is written out to block storage volumes, VDO applies three reduction techniques:

  1. Zero-block elimination uses pattern matching techniques to eliminate 4 KB zero blocks

  2. Inline Deduplication eliminates 4 KB duplicate blocks

  3. HIOPS Compression™ compresses remaining blocks 

This approach results in remarkable 6:1 data reduction rates across a wide range of data sets. 
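To make the three stages concrete, the following simulation is an added example (not Permabit's code) that runs zero-block elimination, 4 KB deduplication and compression over a constructed block image and accounts for what reaches the backing device. SHA-256 stands in for VDO's block fingerprinting, zlib for HIOPS Compression, and compressed blocks are counted by size rather than packed into 4 KB slots; all three are assumptions of this example.

```python
"""Simulation of the three inline reduction stages the article attributes to VDO.

Added example, not Permabit's code. Assumptions: SHA-256 as the block
fingerprint, zlib as the compressor, compressed output counted by byte size.
"""
import hashlib
import zlib
from dataclasses import dataclass

BLOCK_SIZE = 4096          # VDO reduces data in 4 KB blocks
ZERO_BLOCK = bytes(BLOCK_SIZE)


@dataclass
class ReductionStats:
    logical_blocks: int      # blocks the application wrote
    zero_blocks: int         # stage 1: all-zero blocks, stored as nothing
    duplicate_blocks: int    # stage 2: blocks identical to an earlier block
    unique_blocks: int       # stage 3: blocks actually compressed and stored
    physical_bytes: int      # bytes that reach the backing device

    @property
    def logical_bytes(self) -> int:
        return self.logical_blocks * BLOCK_SIZE

    @property
    def ratio(self) -> float:
        """Logical:physical reduction ratio (the article's '6:1' figure)."""
        if self.physical_bytes == 0:
            return float("inf")
        return self.logical_bytes / self.physical_bytes


def reduce_image(image: bytes) -> ReductionStats:
    """Run the three stages over a block image and account for each one."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image length must be a multiple of the 4 KB block size")
    seen = set()                          # fingerprints of blocks already stored
    zero = dup = unique = physical = 0
    for off in range(0, len(image), BLOCK_SIZE):
        block = image[off:off + BLOCK_SIZE]
        if block == ZERO_BLOCK:           # stage 1: zero-block elimination
            zero += 1
            continue
        fp = hashlib.sha256(block).digest()
        if fp in seen:                    # stage 2: inline deduplication
            dup += 1
            continue
        seen.add(fp)
        unique += 1
        packed = zlib.compress(block)     # stage 3: compress what remains
        # a block that does not shrink is stored as-is, never larger than 4 KB
        physical += min(len(packed), BLOCK_SIZE)
    return ReductionStats(len(image) // BLOCK_SIZE, zero, dup, unique, physical)


def _text_block(i: int) -> bytes:
    """Constructed log data: one distinct line repeated to fill a block."""
    line = (f"Apr 03 15:51:{i:02d} host sshd[{1000 + i}]: "
            f"Accepted publickey for ops from 10.0.0.{i}\n").encode()
    return (line * (BLOCK_SIZE // len(line) + 1))[:BLOCK_SIZE]


def _filler_block(i: int) -> bytes:
    """Deterministic incompressible filler (a hash chain), standing in for
    encrypted or already-compressed data that no stage can reduce."""
    return b"".join(hashlib.sha256(f"filler-{i}-{j}".encode()).digest()
                    for j in range(BLOCK_SIZE // 32))


def make_sample_image() -> bytes:
    """Constructed 64-block (256 KB) image: 20 zero blocks, 10 distinct log
    blocks each written 3 times, and 14 incompressible blocks."""
    blocks = [ZERO_BLOCK] * 20
    blocks += [_text_block(i) for i in range(10)] * 3
    blocks += [_filler_block(i) for i in range(14)]
    return b"".join(blocks)


if __name__ == "__main__":
    s = reduce_image(make_sample_image())
    print(f"logical {s.logical_bytes} B -> physical {s.physical_bytes} B: "
          f"zero={s.zero_blocks} dup={s.duplicate_blocks} "
          f"unique={s.unique_blocks} ratio={s.ratio:.1f}:1")
```

The constructed image shows where the ratio comes from: the zero and duplicate blocks cost nothing, the log blocks shrink to a few percent, and the 14 incompressible blocks set the floor that no stage can move below.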

Private Cloud

Organizations see similar benefits when they deploy data reduction in their private cloud environments. Private cloud deployments are selected over public because they offer the flexibility of the public cloud model while keeping privacy and security under the organization’s own control. IDC predicts $17.2B in infrastructure spending for private cloud in 2017, including on-premises and hosted private clouds.

One problem that data reduction addresses for the private cloud is that, when implementing private cloud, organizations can get hit with the double whammy of hardware infrastructure costs plus annual software licensing costs. For example, Software Defined Storage (SDS) solutions are typically licensed by capacity and their costs are directly proportional to hardware infrastructure storage expenses. Data reduction decreases storage costs because it reduces storage capacity consumption. For example, deduplication and compression typically cut capacity requirements of block storage in enterprise deployments by up to 6:1 or approximately 85%.

Consider a private cloud configuration with a 1 PB deployment of storage infrastructure and SDS. Assuming a current hardware cost of $500 per TB for commodity server-based storage infrastructure with datacenter-class SSDs and a cost of $56,000 per 512 TB for the SDS component, users would pay $612,000 in the first year. Because software subscriptions are annual, over three years you would spend $836,000 for 1 PB of storage, and over five years $1,060,000.

The same configuration with 6:1 data reduction will cost $176,667 for hardware and software over five years, resulting in $883,333 in savings. And that’s not including the additional substantial savings in power, cooling and space. As businesses develop private cloud deployments, they must be sure those deployments have data reduction capabilities, because the cost savings are compelling.

When implementing private cloud on Linux, the easiest way to include data reduction is with Permabit Virtual Data Optimizer (VDO). VDO operates in the Linux kernel as one of many core data management services and is a device mapper target driver transparent to persistent and ephemeral storage services whether the storage layers above are providing object, block, compute, or file based access.

VDO - Seamless and Transparent Data Reduction

The same transparency applies to the applications running above the storage service level. Customers using VDO today realize savings up to 6:1 across a wide range of use cases.

Some workflows that benefit heavily from data reduction are:

  • Logging: messaging, events, system and application logs

  • Monitoring: alerting, and tracing systems

  • Database: databases with textual content, NoSQL approaches such as MongoDB and Hadoop

  • User Data: home directories, development build environments

  • Virtualization and containers: virtual server, VDI, and container system image storage

  • Live system backups: used for rapid disaster recovery

With data reduction, cumulative cost savings can be achieved across a wide range of use cases, which is what makes data reduction so attractive for private cloud deployments.

Reducing Hybrid Cloud's Highly Redundant Data

Storage is at the foundation of cloud services, and almost universally data in the cloud must be replicated for data safety. Hybrid cloud architectures that combine on-premises resources (private cloud) with colocation, private and multiple public clouds result in highly redundant data environments. IDC’s FutureScape report finds “Over 80% of enterprise IT organizations will commit to hybrid cloud architectures, encompassing multiple public cloud services, as well as private clouds by the end of 2017.” (IDC 259840)

Depending on a single cloud storage provider for storage services can put SLA targets at risk. Consider the widespread AWS S3 storage errors that occurred on February 28th 2017, when data was not available to clients for several hours. Because of the loss of data access, businesses may have lost millions of dollars of revenue. As a result, today more enterprises are pursuing a “Cloud of Clouds” approach where data is redundantly distributed across multiple clouds for data safety and accessibility. Unfortunately, because of the data redundancy, this approach increases storage capacity consumption and cost.

That’s where data reduction comes in. In hybrid cloud deployments where data is replicated to the participating clouds, data reduction multiplies capacity and cost savings. If 3 copies of the data are kept in 3 different clouds, 3 times as much is saved. Take the private cloud example above where data reduction drove down the costs of a 1 PB deployment to $176,667, resulting in $883,333 in savings over five years. If that PB is replicated in 3 different clouds, the savings would be multiplied by 3 for a total savings of $2,649,999.

Permabit’s Virtual Data Optimizer (VDO) provides the perfect solution to address the multi-site storage capacity and bandwidth challenges faced in hybrid cloud environments. Its advanced data reduction capabilities have the same impact on bandwidth consumption as they do on storage, and translate to a 6X reduction in network bandwidth consumption and associated cost. Because VDO operates at the device level, it can sit above block-level replication products to optimize data before it is written out and replicated.

Summary

IT professionals are finding that the future of IT infrastructure lies in the cloud. Data reduction technologies enable clouds, public, private and hybrid, to deliver on their promise of safety, agility and elasticity at the lowest possible cost, making cloud the deployment model of choice for IT infrastructure going forward.

The Business Continuity Institute

Cyber resilience has for a long time been a major issue for business continuity professionals, with the Business Continuity Institute's Horizon Scan Report routinely featuring digital threats such as cyber attacks and data breaches as the greatest concerns.

Our news channels are often filled with stories of organizations that have had their services severely disrupted by these kind of events, and with the BCI's latest Cyber Resilience Report revealing that almost two thirds of organizations experienced a cyber security incident during the previous year, it is clear that the threat is very real. Such is the topical nature of cyber resilience that it was chosen as the theme for the annual Business Continuity Awareness Week campaign.

The question is, how does your organization perceive the threat? Have you suffered from some form of cyber security incident during the last year, and what impact did it have on your organization? Do you feel you have adequate measures in place to deal with such an event, and perhaps just as importantly, do you have the backing of senior management to put measures in place to deal with them?

These are some of the questions the BCI is asking in order to inform the Cyber Resilience Report 2017, to be published later this year in collaboration with Sungard Availability Services. Please do take the time to complete the survey. It will only take a few minutes and each respondent will be in with a chance of winning a £100 Amazon gift card.

Mobile banking not only makes our life easier, it gives access to banking services to those that have none. A new series of standards just published will provide the platform for this technology to expand and grow, bringing robust and secure banking services to more people than ever before.

According to the World Bank, around two billion people worldwide are “unbanked”, meaning they have no access to a bank account. Cash is king and that can bring with it its own problems. However, more and more people, particularly in developing countries, have a mobile device, whose functionality in the financial world is growing daily, offering more and more services and transactions.

The ability of mobile devices to execute transactions between the large number of platforms and financial institutions is due to a robust interface and effective operability. A new series comprising International Standards and technical specifications has just been published. ISO 12812, Core banking – Mobile financial services, defines common terms and requirements for greater interoperability. It specifies the technical components and their interfaces and the role of the various parties so that everyone is on the same page.

Patrice Hertzog, Chair of ISO/TC 68/SC 7, the ISO technical subcommittee that developed the series, said that with more people having mobile phones than bank accounts in the world, developing this technology will bring secure financial services to a wider audience.

...

https://www.iso.org/news/Ref2175.html

Can your company afford to lose $4 million? According to Ponemon Institute's 2016 Cost of a Data Breach Study, that's the consolidated cost of the average data breach. Even the smallest companies have to pay up after a cyberattack, and every compromised record containing sensitive or personal information costs a company about $158. That adds up quickly, and unfortunately for many businesses, it's a financial hit they are unable to survive.

Cyberattacks are a part of doing business in a digital world, and as many security experts warn, it isn't a matter of "if" a company will be attacked, but a matter of "when." And the smaller you are, the harder you'll fall. According to Small Business Trends, 43 percent of all cyberattacks are targeted at small businesses, and 60 percent of those businesses can't recover. While defending the network and data from threats by using multiple layers of security tools is absolutely necessary, many companies are now turning to cyber insurance as a way to limit post-incident damage.

Not surprisingly, the cyber insurance industry is growing and is predicted to reach $14 billion by 2022. That growth will be driven by three things:

...

http://www.esecurityplanet.com/hackers/cyber-insurance.html

Monday, 03 April 2017 15:54

Enterprises Earn a 'C' Grade in Backup

This World Backup Day, businesses have some work to do on the data protection front.

After evaluating the results of a survey of 710 internet users, CloudBerry Lab, a provider of file management and cloud backup services for small and midsized businesses, gave enterprises a "C" grade for their data backup practices. According to the company, businesses are falling short on some critical fronts.

In email remarks sent to InfoStor, Alexander Negrash, director of marketing at CloudBerry Lab, noted that "only 24 percent of companies have 3 or more copies" of their data. "Most of the companies don't follow the best practices '3-2-1 backup' rule. A 3-2-1 strategy means having at least three total copies of your data, two of which are local but on different mediums, and at least one copy offsite."

...

http://www.enterprisestorageforum.com/storage-management/enterprises-earn-a-c-grade-in-backup.html

Monday, 03 April 2017 15:53

FEMA: Spring Flood Risk: Are You Ready?

CHICAGO – Snowmelt may not be a significant concern this year, but severe storms and heavy spring rainfall could still cause flooding in the months ahead. Now is the time to prepare.

  1. Ensure you’re flood insured. A flood insurance policy could protect you from the devastating out-of-pocket expenses caused by flooding. Don’t wait until it’s too late. A policy takes 30 days to go into effect from application and payment. A typical homeowner’s insurance policy does not cover floods.
  2. Conduct a household inventory. Be sure to keep a record of all major household items and valuables. These documents are important when filing insurance claims. For help in conducting a home inventory, visit www.knowyourstuff.org.
  3. Protect important financial documents. Store copies of irreplaceable documents (such as birth certificates, passports, etc.) in a safe, dry place. Keep originals in a safe deposit box.
  4. Build an emergency supply kit. Food, bottled water, first aid supplies, medicines, and a battery-operated radio should be ready to go when you are. Visit www.Ready.gov for a complete disaster supply checklist.
  5. Plan for evacuation. Plan and practice a flood evacuation route. Ask someone out of state to be your “family contact” in an emergency, and make sure everyone in your family knows the contact’s address and phone number.

“The spring season brings a heightened flood risk throughout our area in the coming months,” said FEMA Acting Regional Administrator Janet M. Odeshoo. “Preparing now will help to ensure that you’re protected against the costly damage floodwaters can cause.”

Visit FloodSmart.gov or call 1-800-427-2419 to learn how to prepare for floods, how to purchase a flood insurance policy and the benefits of protecting your home or property investment against flooding. You can also contact your insurance agent for more information.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at twitter.com/femaregion5, www.facebook.com/fema, and www.youtube.com/fema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

The Federal Trade Commission has a simple and quick posting on how to manage and deal with phishing. The weakest link we have in cyber attacks and incidents is our staff.  How do we educate them to be careful and think before clicking?  Here are some great tips to share broadly from the FTC.

What is Phishing?

When internet fraudsters impersonate a business to trick you into giving out your personal information, it’s called phishing. Don’t reply to email, text, or pop-up messages that ask for your personal or financial information. Don’t click on links within them either – even if the message seems to be from an organization you trust. It isn’t. Legitimate businesses don’t ask you to send sensitive information through insecure channels.

The FTC post gives you solid information on:

...

https://ems-solutionsinc.com/blog/phishing-trick-you-about-personal-information/

Monday, 03 April 2017 15:51

Build a Better DR Environment

No matter the condition of your DR environment, you can make it better. Today’s blog provides ideas on how to improve an environment we hope to never use.

We emphasize one overriding principle, possibly the most important consideration in improving your DR environment – ensure that whatever you have in place will actually work. Once you’ve done this, how can you make it more functional?

Here are five things you should consider:

...

https://www.mha-it.com/2017/03/build-a-better-dr-environment/

Global Economic losses from disaster events almost doubled in 2016 to $175 billion from $94 billion in 2015, according to the most recent Sigma Study from the Swiss Re Institute.

Insured losses also rose steeply to $54 billion in 2016 from $38 billion in 2015, the study found. This led to a “protection gap,” as the company calls it, of some $121 billion, the difference between economic and insured losses, a figure highly indicative of the opportunity for greater insurance penetration, according to Swiss Re. “The shortfall in insurance relative to total economic losses from all disaster events…indicates the large opportunity for insurance to help strengthen worldwide resilience against disaster events,” said the report. The gap was $56 billion in 2015.

Total economic and insured losses in 2015 and 2016:

...

http://www.riskmanagementmonitor.com/disaster-losses-climb-as-protection-gap-widens-sigma-study/

The U.S. and United Kingdom bans on personal electronics including laptops, iPads and tablets in the cabin of some flights from the Mideast and Africa have sparked concerns. Many are now worried about a midair fire storm from lithium-ion batteries stored in airplane cargo bins below.

Rechargeable batteries have raised concerns for years because poor packing or manufacturing flaws can occasionally cause catastrophic problems. Storing batteries in cargo raises worry because that’s where a fire could spread unnoticed.

An issue with checked luggage could cause a small fire, and trigger other flammable materials such as hair spray or nail polish packed in the luggage. A fire in the cargo space is nothing that anybody wants.

...

https://ems-solutionsinc.com/blog/lithium-ion-batteries-airplane-cargo-laptops-fires/

While data backup and replication have their similarities, they are not the same, and rather than competing with one another they can be used as complementary tools to maximise the efficiency of an IT environment.

Data backup is the process of taking a copy of data at a fixed point in time and storing it for a set time frame (retention) in an alternate location to its original source.

Backups are typically used to make sure regulations and compliance around data protection are being met, and to protect against data loss.

Data replication also requires a copy of data to be taken and transferred to an alternate storage platform. Replication, however, creates a synchronous or near-synchronous copy, usually designed to limit and reduce any potential downtime should primary systems fail.

Data Backup

Backup is an essential tool for organisations of all sizes and goes some way to meeting legislation around data protection and industry compliance around data, such as the School Financial Value Standards (SFVS) for schools in the UK, the Protection of Personal Information Act (POPI) in South Africa or the Patriot Act in America.

The ability to restore a file that has been lost, corrupted or deleted in an efficient way is a driver for organisations to invest in backup solutions whether these be onsite, offsite or hybrid.

If replication gives me an identical copy almost instantly why is it not an effective backup?

An instant, or close to instant, failover will be most effective in the case of a full system failure or loss. A disaster situation such as a fire or flood on a primary site has the potential to cause significant financial losses if a business cannot continue to operate. Being able to fail over and keep systems such as web or mail servers online can allow businesses to keep trading.

If a file is corrupted or deleted on a primary system then this will be copied to the replicated system, so a historical version may be needed to access a usable copy of the data; a backup is one way of making sure there is an intact copy of the file.

Ransomware remains a threat to all organisations and comes in many forms and strains. Should a system become infected with ransomware, this will be replicated to the secondary copy and would also render that system unusable. However, as long as there is a secure off-site backup then the data can be restored back to the primary storage systems.

When is it best to use replication?

Replication has the ability to drastically reduce the Recovery Time and Recovery Point Objectives (RTO, RPO) of an organisation due to its near-instant copy and the ability to fail over to secondary systems.

  • The Recovery Time Objective (RTO) is the time limit set by the business to have recovered data and have systems running at a normal level. Sub-sets of data may have different RTOs dependent on their importance or availability.
  • The Recovery Point Objective (RPO) refers to the last available copy of data that can be recovered from and the maximum amount of time between these backup points. If the business can afford to lose a day’s work, this is likely to be set at 24 hours.

Replication as a tool for business continuity and disaster recovery is something that enterprise organisations have relied on for years. Traditionally this would involve a secondary data centre or storage platform, identical to the primary, being provisioned and maintained at a significant additional cost to the organisation.

With the ability to utilise public cloud storage platforms, such as Microsoft’s Azure platform or Amazon’s Glacier platform, and the ability to run virtual machines in these environments, replication is becoming more accessible to smaller organisations.

Replication is most effective as a tool for near-instant recovery but not for historical copies or to keep in line with legislation.

Which one should I use?

Whether replication should be used ultimately depends on the requirements of your organisation and the policies that are in place. Backup, however, should always be used in one form or another.

If there is a requirement for high availability or an RTO of less than 12 hours, then replication is a good fit. However, unless utilising cloud-based infrastructure, this can still be a very costly investment.

https://www.redstor.com/en-gb/news/back-basics-differences-between-backup-and-replication/

Wednesday, 29 March 2017 13:56

1.4 Billion Data Records Exposed in 2016

Gemalto yesterday released the findings of its Breach Level Index for 2016, which states that 1,792 data breaches worldwide led to the compromise of almost 1.4 billion data records last year, an increase of 86 percent over the previous year.

Identity theft was the leading type of data breach in 2016, accounting for 59 percent of all data breaches.

The second most common type of breach was account access based breaches, accounting for 54 percent of all breached records, a surge of 336 percent over 2015.

...

http://www.esecurityplanet.com/network-security/1.4-billion-data-records-compromised-in-2016.html

Sure, malware's a persistent pain. But IT security pros today have other things on their minds.

Carbon Black, a Waltham, Mass. security vendor, recently polled 400 cybersecurity researchers. The majority of them, 93 percent in fact, said that non-malware attacks posed a bigger danger to businesses than the current crop of commodity malware that's making the rounds on the internet.

"Non-malware attacks will become so widespread and target even the smallest business that users will become familiar with them," according to an unnamed survey participant. "Most users seem to be familiar with the idea that their computer or network may have accidentally become infected with a virus, but rarely consider a person who is actually attacking them in a more proactive and targeted manner."

...

http://www.esecurityplanet.com/network-security/cybersecurity-pros-brace-for-non-malware-attacks.html

Tens of thousands of policyholders caught in a disaster in 2016 were better able to recover from the losses and hardships inflicted thanks to insurance.

Global insured losses from catastrophes totaled around $54 billion in 2016 – the highest level since 2012, according to the latest report from Swiss Re sigma.

North America accounted for more than half the global insured losses in 2016, with insured losses from disaster events reaching $30 billion, the highest of all regions.

...

http://www.iii.org/insuranceindustryblog/?p=4896

Is there a case for blockchain in your organization? Cutter Business Technology Journal contributing authors Steven Kursh and Arthur Schnure recently argued that companies should begin considering which parts of their organization might benefit from blockchain. Among their advice to CIOs and CTOs is to look for areas of friction in the exchange of value or information that would benefit from a blockchain implementation and profit from a shared ledger system.

Write Kursh and Schnure, “Take a page from IBM, which announced in July 2016 that it plans to implement a solution to help its finance division resolve client and partner disputes. IBM believes the new system — one of the largest commercial rollouts of blockchain technology yet — will free up US $100 million in capital locked up in manual dispute resolutions. The company is beginning its journey to blockchain in a sector of its business where the benefits are real, yet the implementation is localized.”

“In the long run,” they continue, “blockchain technologies have the ability to enable cost savings, greater efficiency, more rapid transaction clearing, and greater cybersecurity. However, the development and implementation costs at this stage are likely quite substantial. In addition, the greater energy requirements for a large-scale blockchain may be cost-prohibitive. Developing and implementing blockchain technologies in your organization will require resources and time. And as with most innovations, people and processes will need to change, potentially creating internal conflicts.

...

http://blog.cutter.com/2017/03/28/building-the-case-for-blockchain-in-your-organization/

According to a recent Kaspersky Lab report, attackers who demand a ransom in return for not launching a DDoS attack (or to call off an attack in progress) can earn thousands of dollars in bitcoins, enabling the profitability of such attacks to exceed 95 percent.

"And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire," the report notes.

DDoS attacks, according to the report, can cost anywhere from $5 for a 300-second attack to $400 for a 24-hour attack.

...

http://www.esecurityplanet.com/network-security/cybercriminals-see-95-percent-profit-from-ddos-attacks.html

“Give me your gut!” (as in “gut feeling”) has long been the cry of business continuity management in meetings, trying to make sense of complex situations or cut through to the essentials.

Gut feelings are nonetheless only as good as judgement and the experience used to make them. They may therefore be wrong, for any number of reasons, including incomplete information, personal prejudice, and faulty reasoning. In business continuity, as in other domains, organisations cannot afford to run on gut feelings when the risk of error is too high. But are data-driven decisions on business continuity a better option?

Business analytics are often suggested as the “cure” for gut feeling.

Instead of trying to deal with emotions or personal preferences, the idea is to use facts as the basis for decision.

...

http://www.opscentre.com/business-continuity-gut-feeling-data-driven-decisions/

As I’ve said many times, cybersecurity seems to be more about reacting than acting or being proactive. Now, a new study by 1E found that, in fact, IT professionals spend a third of their time reacting to emergencies.

Nearly 30 percent of IT tasks are unplanned, which works out to be about 14 weeks of job time per year. More than half of the respondents admit that a problem that is found relatively quickly (within an hour) can take most of the day to resolve.

While this study looks at IT as a whole, it fits into the scope of security, as well. Think of the amount of downtime that is caused by a security incident and how long it takes you to get the company up and running properly again, or how long it takes to resolve that incident. Then ask yourself if you were prepared to address the security incident. Again, I think the formal statement that Sumir Karayi, founder and CEO of 1E, made is as applicable for security as well as overall IT functions:

We knew that IT teams spend a lot of time on unplanned incidents, but we didn’t think it was this high – one third of their time. That’s taking a huge toll on their ability to innovate.

...

http://www.itbusinessedge.com/blogs/data-security/why-your-business-must-be-prepared-for-security-incidents.html

More than 30,000 people in low-lying coastal areas have been urged to evacuate their homes ahead of powerful Cyclone Debbie, as it bears down on the Queensland coast in northeastern Australia.

With landfall expected early Tuesday, Cyclone Debbie is currently a Category 4 storm and could intensify to Category 5. A Category 4 storm on the Australian scale equates to wind gusts of more than 140 miles per hour, the New York Times said.

Storm surge poses the biggest threat as the cyclone strengthens, according to major weather forecasters and news outlets.

...

http://www.iii.org/insuranceindustryblog/?p=4885

We have been a fan of the Incident Command System (ICS) since the 1990s. It was created in my fair state – California – to manage wildfires. Everyone realized early on that it had many more uses than just the fire service. It is now required for all city, county, state and federal departments and agencies. What about a company?

Many companies fail to have a great Crisis Management Team because they lack four simple things. Are you developing or retooling the team you have? Then you should consider using ICS.

On Wednesday, March 29, I will be doing a general session at DRJ in Orlando with one of our clients, Salt River Project (SRP), who have embraced ICS. We will both be speaking, so you will learn from the “horse’s mouth” how SRP reorganized their team and the results.

The goal of this presentation is to help you create both a great team and a great process in order to manage incidents large and small. There are four key things that we often find missing in company teams and plans:

  1. A clearly defined structure
  2. Identified roles and responsibilities
  3. A formal assessment process and team
  4. The ability or knowledge to develop an Incident Action Plan (IAP)

You will learn how SRP has embraced the Incident Command System, refocusing their Crisis Management Team and their processes to be even more effective.

Topics Covered

  • Incident Command System – a powerful methodology.
  • Crisis Management Teams – Roles and responsibilities.
  • Initial Assessment Team – Who should be on the team.
  • Incident Action Plan (IAP) – How to write one.

Speakers

  • Regina Phelps, EMS Solutions Inc.
  • Kenneth Lewis, Salt River Project, Principal Emergency Management Program Analyst

http://www.drj.com/springworld/index.php/event-program/general-sessions

You lock your home—now lock your network. This means having a reliable and secure data center and following basic safety rules, like locking down ports, shutting off services, removing rights and privileges when no longer justified, and using firewalls. You’ll also need host and network intrusion detection and prevention (IDS/IPS) as well as physical access controls such as badge, PIN pad and biometrics etc., to ensure you let only the right traffic and the right people in.

The best way to keep a secret is to encrypt it. But what to encrypt? Encryption can occur at many layers—the network, the physical disk drive, the database, or individual fields. All encryption is not the same; algorithms have different key lengths, some are slower in performance than others and some have been compromised through the ages. Be aware, and keep current with encryption techniques.

At the application layer, strong authentication is key. Create a process for good passwords and keep it simple so people will use it, but make it strong to keep the bad guys out. Passphrases, account ID images and challenge questions are other techniques. A simple technique to use for challenge questions is to not respond with the actual answer to the question being asked. If the question is “What is your mother’s middle name,” use a word like “chair” or “fish.” These red herring responses cannot be traced back to your Facebook or other social accounts.

...

http://www.mir3.com/cybersecurity-principle-locked-door/

A man drives a car into pedestrians on Westminster Bridge, keeps driving, crashes the car outside the Houses of Parliament, then tries to enter the complex armed with a knife. Four people are dead, including a policeman and the assailant, and at least 40 injured.

The investigation into yesterday’s terrorist attack in the heart of London is ongoing, as Westminster bridge reopens and Parliament gets back to work.

Small group and “lone wolf” terrorist attacks are seen as indicative of the shifting nature of terrorism, according to experts (here and here).

...

http://www.iii.org/insuranceindustryblog/?p=4875

Monday, 27 March 2017 20:38

Crowds in Crises

Back in 2015 the world was captivated by the Universal film “Jurassic World”. Viewers praised Chris Pratt’s performance in this science fiction thriller, but were more entertained by a different kind of hero. During a pterosaur attack causing resort guests to push, shove, and trample each other as they flee, a man is spotted grabbing two margaritas before seeking his own safety…or the safety of the second margarita’s owner. #priorities

Movies typically depict a crowd’s response to an emergency or disaster scenario as emotionally driven, almost irrationally selfish. It’s widely assumed that as mass hysteria and panic take hold of a crowd, people do whatever they can to better serve themselves. But does this actually occur off the screens? Are we really all the margarita man?

Social psychology says no. Research dating back as far as the 1950s shows that behavior in disaster response is generally pro-social and collaboratively altruistic. History backs this theory up.

...

http://www.bcinthecloud.com/2017/03/crowds-in-crisis/

In theory, BYOD or bring your own device lightens the load in terms of IT sourcing, because it transfers the work (and cost) of acquiring a device to the user of that device.

Users are happy because they can use the devices they favour, while IT departments can free up time and budget to use elsewhere. Everyone is happy, end of story – or not quite.

Paranoid IT managers can over-compensate for the wide variety of different devices, going overboard on security and bandwidth investments.

On the other hand, unwary IT organisations can end up with more problems than they solve, if they fail to put IT management in place (which requires IT sourcing of its own) and users swamp out helpdesks with issues that mix personal and professional device usage.

Is CYOD rather than BYOD the answer?

...

http://www.opscentre.com/adapting-sourcing-byod-cyod/

Whether you’re looking to hire a business continuity expert, or you’re training to become one, this guide will help you determine the qualifications and experience that are required.

Before we get into certifications or BCM specific qualifications, let’s review the important non-BCM skills that make an effective BCM professional.

  • Business function experience or technical IT experience. This is a must. Business Continuity is about business, and without basic business function knowledge and experience, guiding departments and interfacing with IT areas will be challenging.
  • Project management experience. You do not necessarily need a certified project manager, but you do need someone who is familiar with project management concepts and project organization. In the end, BCM is a program and requires organizational skills.
  • Interpersonal skills. Effective BCM programs must work with multiple levels of an organization, so the ability to communicate across all levels, as well as to understand and address concerns and pushback are necessary for success.
  • Flexibility and adaptability. Organizational needs change over time, and a demonstrated ability to be flexible in both process and problem solving will help identify solutions to BCM issues surrounding implementation, documentation, and governance.

...

https://www.mha-it.com/2017/03/business-continuity-expert-skills/

Got data?  But more to the point, got the RIGHT data, and now?  Low-friction and fast access to data are top priorities for data/analytics and marketing professionals in 2017.  Here’s the picture of priorities:  It’s a high or critical priority for 70% of marketing pros to increase their use of data and analytics for marketing measurement and customer insights – their fourth highest priority.  Data and analytics pros’ highest priority – at 60% of data and analytics pros – is implementing or expanding their complete view of the customer across channels, and over 50% are providing self-service data preparation tools to business users.   Firms are stepping up the pace.

What can help with these priorities?  Data preparation tools.  To accelerate time-to-insights and therefore time-to-actions, business end users and analysts who today wrangle data in spreadsheets or other traditional tools need direct access to data and a significant power assist. Data preparation tools can provide this power, but they must balance features and functions to support different roles and use cases and enable appropriate manageability, security, and governance in today's enterprises — while at the same time delivering speed-to-value.

...

http://blogs.forrester.com/cinny_little/17-03-21-seven_data_preparation_tools_for_business_insights_users_which_one_is_best_for_you_0

The concept of cyber threat intelligence is really not much different from other areas of the intelligence field. In national security, intelligence gathering techniques seek to detect potential situations and draw conclusions that enable people to take action before anything serious occurs. Similarly, cyber threat intelligence is only one tool in the security arsenal. Used well, it can warn companies that the bad guys are active inside their network and what they are looking for. It points out unusual patterns to look for in systems and other valuable data. But it won’t stop an attack. That takes human intervention and the deployment of the right technology tools to block or at least mitigate an attack.  

But as time goes on, the potential threat vectors are multiplying: servers, desktops, laptops, mobile devices, and now the Internet of Things (IoT), which could open enterprises to attacks via innocuous objects such as thermostats and a myriad of other devices that contain sensors and processors.

“Every device large or small becomes a source for cyber threat intelligence,” said Peter Tran, senior director of Worldwide Advanced Cyber Defense at RSA Security. “With the Internet of Things (IoT) projected to grow to over 50 billion connected devices by 2020, there is a real challenge ahead in terms of structuring effective threat analysis across massive volumes of smart connected devices.”

...

http://www.esecurityplanet.com/network-security/threat-intelligence.html

(TNS) — Communities across Ohio on Wednesday will be testing tornado sirens as part of a drill for the Emergency Alert System.

The sounding of the sirens, which is set for 9:50 a.m., is part of Severe Weather Awareness Week, which runs through March 25, according to the Ohio Emergency Management Agency.

The testing comes on the eve of Ohio’s tornado season, which runs April 1 through July 30.

...

http://www.govtech.com/em/disaster/As-Tornado-Season-Approaches-A-Look-Back-at-3-Deadly-Tornadoes-in-Ohio.html

DURHAM N.C. — If local building officials notified you that your home is substantially damaged, you may be able to receive funds to make your structure safer and stronger.

If you are rebuilding or repairing a substantially damaged home or business, your community may require you to elevate or make other changes. Substantial damage applies when the cost of restoring a structure equals or exceeds 50 percent of its pre-damage market value. However, some communities have regulations that are more restrictive. Check with your local building officials or community flood-plain administrator for more information.

If the substantial damage is solely from flooding, your National Flood Insurance Program (NFIP) policy may provide up to $30,000 to update your structure so it meets local flood-plain management regulations. To apply, you must first submit a signed Increased Cost of Compliance (ICC) Proof of Loss form to your insurance company.

To be considered for an ICC claim, your insurance company needs a contractor’s estimate for the proposed ICC-eligible measures to your home or business and copies of construction permits.

Structures that comply with flood-plain management regulations have an enhanced ability to withstand storms and floods. Mitigation measures eligible for ICC include elevation, relocation, demolition and flood proofing.

You have six years from the date of loss to complete the chosen and approved ICC measures.

The U.S. Small Business Administration (SBA) may be another source of funds if your home or business was determined to be substantially damaged.

If you applied for an SBA Home Disaster Loan or Business Physical Disaster Loan and your application was approved, you may be eligible for additional funds to pay for improvements that will protect your property against future damage. The funds can be up to 20 percent of the amount of the approved loan.

For more information, call the SBA at 800-659-2955 or TTY 800-877-8339. You may also go online to sba.gov/disaster.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.

###

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow FEMA on twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during, and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955 or visiting SBA’s Web site at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

Passwords remain one of the most critical security controls widely used to protect and secure company infrastructure and data. While the need for strong passwords has long been discussed, they continue to be the difference between a secure infrastructure and a potential cyber catastrophe.

Last year was extremely busy in cybercrime, with more than 3 billion credentials and passwords stolen and disclosed on the internet. That works out to a rate of 8.2 million credentials and passwords each day or 95 passwords every second.

Passwords have always been a good security control, but password strength and how they are processed make a major difference in how secure they really are. For example, it is critical to choose a password that is easy to remember, keep it long, and use some complexity and uniqueness. In addition, how the password is processed and stored in an encrypted format plays a major role in password security.

...

http://www.riskmanagementmonitor.com/8-steps-to-stronger-passwords-enterprise-wide/

The Business Continuity Institute - Mar 22, 2017 12:11 GMT

Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, Upper characters, Lower characters, Special characters and Digits (ULSD) recommendations and password complexity mean less.

People reuse passwords. They rotate them. They add a digit to them. They even use identical passwords across accounts or share passwords with others. As data scientists, it is our job to go deeper and identify the common human behavior. For example, we’ve seen how local culture impacts passwords, where local football team names are commonly used as passwords.

The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.

People need patterns to remember things, and to feel more secure they use a combination of ULSD. But ULSD itself has its own patterns. Most common? Take a word. Capitalize it and add digits to the end. Sound familiar? The majority of people do this.

At Preempt we have taken this a step further and analyzed passwords as they relate to recent large account breaches at companies like LinkedIn, Yahoo, etc. We have found there is a common denominator with regard to passwords between breaches -- and it is much greater than you think.

Stats and Findings:

Many people use (very) weak passwords

Preempt researches worldwide user account compromise and large-scale account breaches. Let’s take for example the relatively recent high-profile LinkedIn breach. One thing is certain: any person that used the same password for LinkedIn as they did for their work account (or other account) is currently vulnerable within these other accounts. Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with.

We set out to answer the question: How many LinkedIn accounts were weak PRIOR to LinkedIn breach?

To answer this, we compared how many passwords in LinkedIn’s password dump were already known from previously established password dictionaries. The results were staggering: 63,588,381 (~35%) of accounts used previously known passwords to begin with. No matter how complex these passwords were, they are considered weak because they can be quickly cracked offline by matching against a wordlist of known (or previously used) passwords.

Most Passwords Can Easily Be Cracked

After we looked at password weakness, we wanted to determine how easy passwords might be to crack. To do this, we estimated the relative strength of account passwords within a general organization. To be as conservative as possible, we made the following three assumptions:

  1. Users are not sharing passwords between themselves or other accounts.
  2. Some variation of Microsoft password policy recommendations is in place. Specifically:
    1. Users use passwords with 10 characters or less. (From our research, aside from some very security-focused organizations with a very specific policy for admins, more than 90% of organizations don’t require more than 8-character passwords.)
    2. MS password complexity is turned on.
  3. Attackers are able to obtain and exfiltrate password challenges to crack passwords. Attackers have many ways to achieve this (e.g. NTLM Relay). An overview of these techniques is a topic for another blog post.

We then tried to compute how much time it would take to crack a password with brute force, using standard off-the-shelf cracking hardware. We then created three password models:

  1. Low Complexity - only password length is enforced.
  2. Medium Complexity - password length and complexity is enforced. Users have common ULSD patterns (e.g. initial letter is capitalized, last letter is a digit).
  3. High Complexity - same as medium complexity, but users are aware not to use common ULSD patterns.

[Figure: Time required to crack passwords (10 characters) using standard hardware]

As can be seen, the results are astounding: low complexity passwords can be cracked in less than a day, medium complexity passwords are cracked in less than a week and high complexity passwords are cracked in less than a month.

Now for security teams, do you know how many users in your organization have:

  1. Passwords with 10 characters or less?
  2. Passwords that follow conventional ULSD patterns?
  3. How often your users change their passwords?

In Summary

Here are some facts we’ve learned:

  • Password complexity isn't working - passwords can meet complexity and still be considered weak because of password dictionaries.
  • Passwords are not unique - people reuse passwords and newly leaked dictionaries contain previously leaked passwords.
  • Passwords follow patterns - in most cases, the top 100 patterns will crack the majority of passwords in an organization.
  • Password cracking is easy - depending on hardware resources, it can take only seconds to minutes to brute force most passwords.
  • Passwords are shared between users - people share passwords, use identical passwords and duplicate passwords between services.
  • Password expiration policy is not enforced - frequent password change policies are disabled, and many times specifically for executives (e.g. CEO) with highly sensitive profiles.

So, what does this mean? ULSD essentially doesn’t matter. It is important to educate employees, and individuals in general, about password strength and levels of risk following recent breaches. If you use the same username and/or login for multiple websites, you're putting yourself at significant risk. What else can you do?

  1. Use a password policy to enforce complexity and password expiration.
  2. Require longer passwords (8 bad, 10 ok, 12 good).
  3. Educate people to:
    1. Not share passwords with other employees.
    2. Not share passwords with other cloud services.
    3. Not use simple patterns, personal data or common words (make it unpredictable).
    4. Not repeat passwords when a password expires (enumeration included).
  4. Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device.
  5. Implement a context-based solution - train and enforce password policy based on users’ activity.

Eran Cohen is Director of Product Management at Preempt.
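The questions to security teams above (how many passwords are short, pattern-based or already known from a leak) and the recommendations that follow are most cheaply enforced at the moment a user picks a new password, since that is the only time the plaintext is legitimately in hand. The following is an added example of such a password-change filter; it is not Preempt's code. The leaked-password corpus, the base-word list, the expiry threshold and the sample change requests are all constructed for illustration, and a real deployment would load a large breach corpus (as digests) and a full dictionary instead.

```python
"""Password-change filter modelled on the findings and recommendations above.

Added example, not Preempt's code. Everything below that looks like data
(the leaked corpus, the base words, the expiry threshold, the sample
requests) is constructed for illustration.
"""
import hashlib
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-in for a corpus of previously leaked passwords. It is held
# as SHA-1 digests so the plaintext list never has to live on the host.
_LEAKED_SAMPLE = ["123456", "password", "Password1", "linkedin", "qwerty", "Summer2016!"]
LEAKED_DIGESTS = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _LEAKED_SAMPLE}

# Constructed stand-in for a base-word dictionary.
BASE_WORDS = {"password", "summer", "welcome", "football", "dragon", "monkey", "phoenix"}

MIN_LENGTH = 12             # "8 bad, 10 ok, 12 good"
MAX_PASSWORD_AGE_DAYS = 90  # constructed expiry threshold

# Capitalised word, digits, then at most two symbols: the ULSD pattern the
# article describes as most common ("take a word, capitalize it, add digits").
ULSD_PATTERN = re.compile(r"^[A-Z][a-z]+[0-9]+[^A-Za-z0-9]{0,2}$")


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest, used only to match against the leaked corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_leaked(password: str) -> bool:
    """True if the password appears in the leaked corpus (compared by digest)."""
    return sha1_hex(password) in LEAKED_DIGESTS


def follows_ulsd_pattern(password: str) -> bool:
    """True for 'Word2017!'-style passwords."""
    return bool(ULSD_PATTERN.match(password))


def base_word(password: str) -> str:
    """Lower-cased password with leading and trailing digits/symbols removed.

    'Phoenix2017!' and 'Phoenix2018!' both collapse to 'phoenix', which is
    how an 'enumerated' reuse of an expired password is caught.
    """
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def is_enumerated_reuse(new_password: str, previous_password: str) -> bool:
    """True when only the digit/symbol tail or the letter case changed."""
    base = base_word(new_password)
    return base != "" and base == base_word(previous_password)


def check_password(new_password: str, previous_password: Optional[str] = None) -> List[str]:
    """Return policy findings for a proposed password; an empty list means accepted."""
    findings = []
    if len(new_password) < MIN_LENGTH:
        findings.append("too short (%d < %d)" % (len(new_password), MIN_LENGTH))
    if is_leaked(new_password):
        findings.append("appears in leaked-password corpus")
    if follows_ulsd_pattern(new_password):
        findings.append("follows the common ULSD pattern (Word + digits)")
    if base_word(new_password) in BASE_WORDS:
        findings.append("built on a dictionary word")
    if previous_password is not None and is_enumerated_reuse(new_password, previous_password):
        findings.append("enumerated variant of the previous password")
    return findings


def stale_accounts(last_changed: Dict[str, str], today: str) -> List[str]:
    """Accounts whose password (ISO-dated last change) is older than the expiry threshold."""
    now = date.fromisoformat(today)
    return sorted(user for user, changed in last_changed.items()
                  if (now - date.fromisoformat(changed)).days > MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed change requests: (proposed password, previous password or None).
    requests = [
        ("Password1", None),
        ("Phoenix2018!", "Phoenix2017!"),
        ("correct horse battery staple rain", None),
    ]
    for proposed, previous in requests:
        verdict = check_password(proposed, previous)
        print("%-36s %s" % (proposed, "accepted" if not verdict else "; ".join(verdict)))
    # Constructed last-change dates for the expiry report (question 3 above).
    print("stale:", stale_accounts({"alice": "2016-11-01", "bob": "2017-03-15"}, "2017-03-22"))
```

The leaked-corpus check works on digests precisely so that the filter can run against a list published as hashes, and the pattern and enumeration checks are the cheap, deterministic part of what an offline cracker would otherwise exploit with its first few mask rules.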

Recovering from a ransomware attack is costly and time-consuming, so it's vastly preferable to avoid an attack in the first place. And the easiest way to prevent a ransomware attack is to understand how the malware works. The goal of ransomware authors is to get their malicious code onto potential victims' computers and other devices, and there are several methods that they employ to achieve this.

Malicious email attachments and links

Spam has been an Internet problem for years, but ransomware authors have adopted it as the attack vector of choice for their malicious code.

It turns out that there have been no great innovations in the way ransomware authors tempt users to open malicious email attachments: Many common strains of ransomware use email subjects relating to account suspensions, unpaid invoices, or packages that can't be delivered, to attract potential victims' attention.

...

http://www.esecurityplanet.com/malware/prevent-ransomware-attack.html

Tuesday, 21 March 2017 15:04

Making the Most of Available Storage

No matter how scaled-out, hyperconverged or abstracted data center infrastructure becomes, one element remains the same: Servers need high-speed access to vast amounts of storage.

This produces a paradox, however, because as more storage comes online, it takes longer to find and retrieve data locked somewhere within its volumes.

To counter this, platform developers are continuously tweaking their designs to make storage more responsive and more suitable to the cloud-facing data environments that are taking on more of the data load. And increasingly, this involves placing high-capacity solutions directly on the server itself.

Intel recently unveiled an addition to its Optane SSD line, the DC P4800X, which the company bills as an extended pooled memory solution suitable for scale-out, accelerated applications incorporating artificial intelligence and machine learning. Like many memory solutions, the Optane is designed to provide low latency and a means to alleviate data bottlenecks by improving CPU utilization. But the new device is also paired with Intel’s Memory Drive Technology that integrates the drive into the memory subsystem of the server to present it as DRAM to operating systems and applications. This allows for larger memory pools that enable the enterprise to consolidate workloads on fewer servers.

...

http://www.itbusinessedge.com/blogs/infrastructure/making-the-most-of-available-storage.html

Cybersecurity isn’t just about securing the data on the network. It’s about securing the data anywhere on any endpoint, on any device, on any application. An incident from last week put the importance of endpoint security front and center. A Secret Service laptop with extremely sensitive information stored on it was stolen, as ZDNet explained:

A thief broke into a Secret Service car in Brooklyn and stole the laptop in the middle of the night. Taken in a backpack that was later dumped, the laptop contains information about Trump Tower, including floor plans and evacuation protocol, along with important files on Pope Francis and [Hillary] Clinton.

Sources are reporting that there is no risk to the data stored on the laptop, as the device has high levels of security. The device requires a code to be accessed, the files are encrypted, and allegedly, there is a remote wipe option. Cybersecurity efforts within government agencies have not been at high standards, as we’ve seen with so many recent breaches and other security incidents, including stolen laptops.

...

http://www.itbusinessedge.com/blogs/data-security/secret-service-laptop-theft-should-serve-as-security-wake-up-call.html

BATON ROUGE, La. – An additional $6.6 million will help schools devastated by the August floods move forward with repairs and rebuilding efforts. This brings the total to nearly $67 million FEMA has obligated for schools.

FEMA’s Public Assistance (PA) program will pay for such projects as temporary facilities, basketball court enhancements, fencing and team and maintenance equipment in Tangipahoa, Ascension, East Feliciana and East Baton Rouge parishes. Funding will also pay for emergency protective measures, building construction, remediation and utility assistance in these areas.

As of March 17, FEMA’s PA has obligated over $317 million to reimburse local and state governments as well as certain private nonprofits for the repair or replacement of disaster-damaged facilities and infrastructure. The funds also cover debris removal and emergency response activities in designated parishes.

In general, FEMA’s PA program helps to repair or replace critical infrastructure, such as roads, bridges, public buildings and schools. The program encourages protection of damaged facilities from future events by providing assistance for certain hazard mitigation measures. PA offers supplemental financial assistance on a cost-sharing basis. FEMA typically reimburses 75 percent of eligible PA expenses. However, FEMA will reimburse applicants 90 percent of eligible PA expenses given the magnitude of the August floods.

While large enterprises and high-tech startups instigated the SaaS infrastructure revolution and primarily benefited from it, many mainstream small-and-medium-size businesses (SMBs), sole proprietors and “mom-and-pop” retailers may feel like they got left behind by cloud computing. However, the story remains more complicated. Strategic-thinking SMBs from Main Street have also harnessed Web 2.0 to leverage their narrower HR power to appear virtually as large as the big boys.

With the rise of Amazon Web Services (AWS), Microsoft Azure and other public customer cloud platforms as well as B2B SaaS applications and more, even the solopreneurs among us can tap on-demand, online software.

“Now that SMBs and mom-and-pop shops don’t have to have their websites hosted on GoDaddy and can go live in the AWS Cloud, they have taken a giant leap forward,” says Shawn Moore, CTO, Solodev, a web experience platform. “But someone still needs to build, manage and optimize their websites. Enter the DIY CMSes like SquareSpace, Weebly, Wix and WordPress. Now your local pizzeria can build its site in WordPress, host it free on AWS cloud computing and compete with Papa John’s and Pizza Hut.”

...

http://www.datacenterknowledge.com/archives/2017/03/20/saas-keeps-smbs-solopreneurs-falling-behind-cloud/

Tuesday, 21 March 2017 15:00

Spring-Ready With Flood Insurance

It’s the first day of Spring and here in New Jersey we’re expecting a balmy 50 degrees Fahrenheit. Rising temperatures + snowmelt = flooding.

NOAA’s Spring Outlook calls for moderate to major flooding in northern North Dakota and in the Snake River basin in Idaho and flags California, which saw extensive flooding in February, as susceptible to additional flooding in the coming weeks.

Spring also marks the start of severe weather season for many states. Resources on severe weather preparedness are available at the Insurance Information Institute (I.I.I.) website and weather.gov.

Which brings us to this:

...

http://www.iii.org/insuranceindustryblog/?p=4866

Vendors like to go to the movies, meaning they like to see their products and logos in Hollywood productions, and are usually prepared to pay for the privilege.

Cars, computers, canned beverages, you can surely think of examples you’ve seen, as heroes, heroines, and villains chase each other on highways, crack codes, and generally show how cool they are.

By comparison, business continuity per se doesn’t feature much, or even at all. The simple reason is that good business continuity is more about avoiding drama and nail-biting tension than fostering it, which is no recipe for box-office revenues.

On the other hand, business continuity plays a major part in getting films made and distributed in the first place.

With even “small” film budgets easily in the millions of dollars, it’s clear that making a film must be a well-oiled, continuous process, with no unplanned interruptions.

...

http://www.opscentre.com/how-business-continuity-goes-to-the-movies/

Monday, 20 March 2017 14:40

Thriving Despite Cyber Risk

Privacy is a human right, and at the core of the privacy principles is Article 8 of the European Convention on Human Rights. In the new digital world, where information-sharing is prevalent, the need to protect individuals’ privacy is important, but we are seeing different views toward privacy with the advent of social media platforms. Protecting the rights of the individual is the most important aspect of privacy.

What are the legislative challenges in a global environment?

A data protection officer working across 27 countries faces individual challenges when operating in a global environment. When looking globally, there are some practical summaries (e.g., the “practical law” guide in the Data Protection Global Guide). Canada, Russia and the European Union Privacy directive have evolving laws, requiring a professional to adapt to changing legislation. Russian law requires that all Russian citizens registering on a website should have their personal data stored securely within Russia, which may provide challenges for cloud-based HR systems (or any other cloud-based service).

The issue of consent is a focal point of Canada’s Anti-Spam Legislation (CASL) for commercial electronic messages (CEM). A CEM is only implicitly allowed if there is an existing business or non-business relationship, or if the recipients conspicuously publish their electronic contact information or voluntarily disclose it without indicating they don’t want to receive communications. Otherwise, explicit consent is required from the recipient. The business challenge here is maintaining a provable log of consent required to avoid the Canadian $10 million fine. Again, this provides a challenge to cloud-based services.

These are just two examples of recent changes in legislation that require adaptation by organizations.

The biggest change for any organization processing data of European citizens is the new GDPR, as European legislation is often used as a baseline for implementing privacy regimes globally.

...

http://www.corporatecomplianceinsights.com/thriving-despite-cyber-risk/

I don’t know about you, but this spring break is different in my family. My daughter, who has almost finished her first year at a liberal-arts college, came back for spring break with the big question “Mom, what major should I choose?” Of course, as an analyst in technology and — not to brag, but as a professional who has had many roles in IT (programmer, systems administrator, and computer and information systems analyst) — my first thought was to suggest that she look into computer information systems or computer science. She has the ability; she is an excellent STEM student. So I told her that I would do some research and get back to her.

Here is what I found: According to the United States Bureau of Labor Statistics, the employment of computer and information technology occupations is projected to grow 12% from 2014 to 2024, which is faster than the average (8%) for all occupations. I quickly put together a table summarizing the majority of professions and found the following:

...

http://blogs.forrester.com/eveline_oehrlich/17-03-18-a_spring_break_conversation_topic_with_your_college_kid

DENVER – Flooding is the most common natural disaster in the United States. Already there are reports of localized flooding in states across the Rocky Mountain region—and the upcoming snowmelt means there is potential for even more serious flooding.

The Federal Emergency Management Agency (FEMA) manages the National Flood Insurance Program (NFIP), which provides flood insurance policies that give millions of Americans their first line of defense against flooding. But those flood insurance policies are only one component of the program and just part of the protection NFIP provides to individuals and the American public at large.

For anyone to be able to purchase an NFIP policy, the only requirement is that they live in a participating community. A participating community can be a town or city or a larger jurisdiction like a township or county that includes unincorporated areas. It is up to the community to opt into the NFIP program for the benefit of its citizens. When joining the program, the community agrees to assess flood risks and to establish floodplain management ordinances. In return for taking these actions, residents are able to purchase federally backed flood insurance policies.

One of the cornerstones of the NFIP is the flood mapping program. FEMA works with states and local communities to conduct studies on flood risks and develop maps that show the level of risk for that area, called a Flood Insurance Rate Map (FIRM). The FIRM provides useful information that can assist communities in planning development. The area that has the highest risk of flooding is the Special Flood Hazard Area (SFHA), commonly called the floodplain. The SFHA has a one percent chance of being flooded in any given year. Because of the greater risk, premiums for flood insurance policies for properties in the SFHA are greater than those for properties outside of it.

Equally important to knowing the risks of flooding is having a game plan to address those risks. This is the role of floodplain management. Local communities must comply with minimum national standards established by FEMA, but are free to develop stricter codes and ordinances should they choose to do so. Key elements of floodplain management include building codes for construction in the floodplain and limitations on development in high-risk areas. Floodplain management is an ongoing process, with communities continually reassessing their needs as new data becomes available and the flood risk for areas may change.

The NFIP brings all levels of government together with insurers and private citizens to protect against the threat of flooding. Federally sponsored flood maps and locally developed floodplain regulations give property owners the picture of their risk and ensure building practices are in place to minimize that risk. As a property owner, purchasing a flood insurance policy is a measure you can take to further protect yourself. To find out more about your individual risk, contact your local floodplain administrator. For more information on flood insurance policies or to find an agent, visit www.floodsmart.gov or call 1-800-427-2419.

Monday, 20 March 2017 14:37

Sysadmins: You're All Developers Now

In a past life I was a system administrator, or "sysadmin". I enjoyed it, but even in those halcyon days of remoting into servers and driving to the office at 2 AM (hoping the server room wasn't on fire), I knew I had a limited shelf life. It wasn't until years later that I fully understood why:
 
Administrators are babysitters. The era of tech babysitters is over.
 
In the age of the customer, admins need to be just as dynamic as their developer brethren. That means a hard shift to software-defined infrastructure. It also means using the same tools and processes that accelerate business technology.
 
In other words, you need to become a developer.
 
The good news? You can do it. How do you start?
...

Cyber attackers have already waged attacks on Internet of Things (IoT) devices to build massive botnets and launch crippling distributed denial-of-service (DDoS) attacks, knocking websites and online services offline. IT security professionals now fear that the rise of the Industrial Internet of Things (IIoT) could open a dangerous new front in the cybersecurity war.

In a Tripwire survey of 403 technology professionals, administered by Dimensional Research, nearly all respondents (96 percent) said they expected an increase in security attacks aimed at the IIoT this year. Fifty-one percent admitted that they weren't prepared to defend against IIoT threats.

“Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don't feel prepared to detect and stop cyber attacks against IIoT,” said David Meltzer, chief technology officer at Tripwire, in a statement.

...

http://www.esecurityplanet.com/network-security/security-pros-brace-for-industrial-iot-cyber-attacks.html

Monday, 20 March 2017 14:25

IT Automation: Where, When and How?

The enterprise is anxious to automate as much of its data ecosystem as possible, starting with the cloud. But is automation the best solution for every challenge, and if not, how can enterprise executives determine what should be automated and what should remain under human control?

According to tech journalist Bill Kleyman, cloud automation is one of the key drivers of business innovation. Many organizations have found, in fact, that while the cloud alone is useful in overcoming the challenges of traditional infrastructure – things like lack of scale, poor resource utilization, and the prevalence of data silos – problems such as resource management, visibility and cost control persist. Automating management tasks and orchestrating the relationships between resources and workloads can alleviate these issues, plus it accelerates IT management to the speeds required of the modern digital economy. So in the end, the enterprise becomes more agile and more responsive to the needs of its users.

A number of platforms have emerged in recent months promising to deliver these results for cloud-facing enterprises. CloudVelox recently updated its One Hybrid Cloud stack, which aims to streamline workload mobility across internal and external resources. The system provides a new set of optimization tools, such as application-centric instance tagging, multiple security groups and role-based identity and access management (IAM), plus new system reporting and alert functions to verify successful migrations to the cloud. Additional features, due later this year, are expected to provide autoscaling and elastic load balancing (ELB) across multiple instances.

...

http://www.itbusinessedge.com/blogs/infrastructure/it-automation-where-when-and-how.html

If you haven’t noticed lately, risk management is going through a global transformation wherever you look!

The COSO ERM framework is being revised with a new tagline, Enterprise Risk Management – Aligning Risk with Strategy and Performance. Dennis Chelsey, PwC’s Global Risk Consulting leader and lead partner for the COSO ERM effort, recently stated, “Enterprise risk management has evolved significantly since 2004 and stands at the verge of providing significant value as organizations pursue value in a complex and uncertain environment.” Chelsey goes on to state, “This update establishes the relationship between risk and strategy, positions risk in the context of an organization’s performance and helps organizations anticipate so they can get ahead of risk and embrace a mindset of resilience.”

Additionally, the ISO 31000:2009 risk framework is being revised. “The revision of ISO 31000:2009, Risk Management – Principles and Guidelines, has moved one step further to Draft International Standard (DIS) stage, where the draft is now available for public comment,” according to the International Organization for Standardization’s website. As explained by Jason Brown, Chair of ISO’s technical committee ISO/TC 262, Risk Management, “The message our group would like to pass on to the reader of the Draft International Standard is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries. It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic International Standard.”

...

http://www.corporatecomplianceinsights.com/risk-management-and-the-value-proposition/

This post is short and sweet, but very important. Most of us are drawn to new tech toys, but at the same time, we resist change. We want the latest and greatest, and yet a part of us resists the added security responsibility that comes with new technology. This is something we need to be very aware of in the cybersecurity sphere.

The shiny, new rules are basic: If you installed it, update it. Keep your software up-to-date to ensure vulnerabilities that have been patched by the vendor are patched in your environment.

If you did not specifically search a topic online and the topic is presented to you, ignore it. Cyber criminals create targeted topics to lure you down a path to malware.

If it’s too old for the owner/manufacturer to update it, it’s too old for you.

Use the principle of shiny and new to your advantage: update and change your passwords, security questions and other features of identity-proofing frequently.

Interested in learning more? Download our new brief The Common Sense Approach to Cybersecurity.

 

http://www.mir3.com/cybersecurity-principle-3-watch-lure-shiny-new/

If you’ve been following my research, you know I like to divide the business world into three categories of company:

  • Digital Predators successfully use emerging digital technologies to gain market share and/or displace traditional incumbent companies (e.g., Amazon, Lyft, Priceline, Airbnb, Netflix).
  • Digital Transformers evolve a traditional business to take advantage of emerging technologies, creating new sources of value for customers and opening up new competitive strategies (e.g., Burberry, Nestlé, L’Oréal, Unilever, USAA, Ford, Delta).
  • Digital Dinosaurs struggle to leave behind their old business model. These companies are typically slow to change because they must defend large P&Ls, or they have a near monopoly position, or they simply don’t see the opportunity/threat (e.g., many retailers, taxi companies, manufacturing firms, legal firms, recruiters, construction firms).

...

http://blogs.forrester.com/nigel_fenwick/17-03-16-the_top_emerging_technologies_for_digital_predators

Cloud services are becoming the main part of the infrastructure for many companies. Enterprises should pay maximum attention to security issues, moving away from typical approaches used in physical infrastructures, which are often insufficient in an atmosphere of constantly changing business requirements. Although cloud providers do all they can to guarantee infrastructure reliability, some of them limit their services to standard security measures, which can and should be significantly expanded.

Typical Cloud Information Security Threats

According to the Cloud Security Alliance, the list of the main cloud security threats includes the following:

...

http://www.esecurityplanet.com/network-security/iaas-security-threats-and-protection-methodologies.html

Friday, 17 March 2017 15:17

The Flaw in Ransomware

Ransomware has experienced a meteoric rise over the last two years, and I contend that it is due for a meteoric fall. Here’s why: As unlikely as it may seem, Ransomware relies solely upon trust.

Many of the criminals behind ransomware appear to have an “honor among thieves” mindset. There have been countless “successful” transactions where an organization or individual has paid the ransom and been given the private key to unlock their captured data. I have even read of situations where the group that created the ransomware had an informal helpdesk that walked victims through the process of paying the ransom, primarily through Bitcoin. Bitcoin is the preferred method of payment because it is a digital-only currency and is nearly untraceable, since it does not link to a bank account. After getting paid, this criminal helpdesk then assisted their victims with decrypting their data. Unheard of, right? This is where the idea of ransomware gets a little crazy: A victim must place their trust in a criminal, and in many cases, that trust pays off. Often, after paying the ransom, data is restored and each party goes their separate ways.

So here you have this perfect criminal balancing act. Someone’s data gets encrypted, they pay a fee, their data gets decrypted. As long as the victim upholds their end of the bargain (namely giving a criminal a Bitcoin), the criminal gives the victim a private key to unlock their files. Easy money for a criminal, right? Because it appears to be that easy, many are jumping on the bandwagon. This misguided perception of easy money will prove to be the beginning of the end for ransomware.

...

http://www.enaxisconsulting.com/beginning-of-the-end-the-flaw-in-ransomware/

Business Impact Analysis Relieves “Tempest in a Teapot” Syndrome

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:

  • ‘A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
  • ‘A storm in a glass of water’ – Netherlands
  • ‘Tempest in a potty’ – Hungary
  • ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

Of course my seven-year-old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive down the residual risk within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical? And how do you know?

Let me give you a simple example. A cyberattack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical, causing them to spend the same level of time, attention and resources to protect the less critical areas; this is the ‘tempest in a teapot’ syndrome.

It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.

A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts. It is a well-known methodology inside business continuity (BC) circles as these teams have performed them for decades to determine what business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not and this is a common problem many organizations’ risk management programs experience.

To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes. Check out my Issues Management blog: Facing a Tsunami of issues
  • Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
  • The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.

The RSA® Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.

The Duke of Ormond’s letters to the Earl of Arlington in 1678 put it best – “Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl.”

The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a ‘tempest in a potty’ (that was for you Elly). For comments, contact me at [email address removed].

https://blogs.rsa.com/bia-relieves-tempest-in-a-teapot-syndrome/

From time to time, an anecdote comes across our desks that, as researchers, we find hard to leave alone. A few months ago, one of these opportunities appeared, and we thought it might be interesting to lift the hood, and show you how we dig into tough research hypotheses and decide if and when to write about them. Here's what happened.

******************

Over a period of a few days this winter, we heard from one colleague, then another (20 in all) that conversations they'd had IRL ("in real life") seemingly resulted in ads and sponsored posts in Facebook. Given the state of "surveillance marketing," we weren't that surprised, until we read Facebook's T&Cs. There, the company explicitly stated that it wouldn't use data collected from a user's microphone for ad targeting. That's when we got curious.

First, we looked to the obvious: had our colleagues searched for the advertised item after having had the conversation? Had they checked into the same place as a friend, at the same time? Were they on the same network, and thus sharing an IP address, as someone who'd searched for the product or service? We rounded up the answers to these questions, and determined that "interest-by-proxy" was an unlikely cause.

...

http://blogs.forrester.com/fatemeh_khatibloo/17-03-16-is_facebook_listening_and_so_what_if_they_are

Thursday, 16 March 2017 15:19

Here’s the Number – Go Make it Happen!

Big Boss calls you into his office and gives you the quarterly revenue number he wants you to report.  He tells you “this is the number, now go make it happen.” What options do you have here and what consequences are you willing to accept in this situation?  -e-Factor!® scenario

Have you ever been told, “here’s the number, now go make it happen?” This is a real-life scenario that anyone in business could face. I’ve faced it myself. In the heat of the moment, do we know how to respond?

Let’s analyze this situation to see what choices – and potential consequences – we have available to us.  First, let’s identify the ethics issues here.  The scenario does not offer much detail, but the implication is clear: Big Boss has a number in mind.  Under what circumstances would this be an acceptable request? If we received direction for sales goals, production targets or the purchase price for a particular item, this would be fantastic communication, right?  If the number the boss wants to report is close to the actual financial result achieved, the request might even be reasonable.  Perhaps the boss has information we did not have access to and wants us to make corrections.  Still, no ethics issue here. However, if Big Boss’ number is nowhere close to the actual result, we have a conflict.

...

http://www.corporatecomplianceinsights.com/heres-the-number-go-make-it-happen/

Although most organizations have contemplated – to some degree – the what and how of business continuity plans, including discussions about the stability of the IT system and what to do if the company’s facilities or IT infrastructure are compromised, the who is often overlooked. Assigning business continuity roles and responsibilities to each of your team members and documenting that information in your plan will ensure that all the details are handled in a timely and consistent manner. If your organization has no business continuity plan in place, it’s fine to start out with a small team to lay the groundwork. Starting small is better than not starting at all!

GAINING EXECUTIVE SUPPORT

No one person can, nor should, do it all when it comes to carrying out your business continuity plan, but it is recommended that every organization identify a Business Continuity Manager to lead the charge as it relates to the planning and preparedness process. In addition to organization-wide visibility, the Business Continuity Manager must have senior management support that would allow this individual to:

• Authorize budgets and financial support for BCM tools and team members;
• Dedicate time for team members to participate in planning, training, and drills;
• Emphasize the importance of business continuity planning and training across departments; and
• Mandate BCM plan adoption and nurture BCM culture throughout the organization.

...

http://www.missionmode.com/build-business-continuity-team-decision-authority/

(TNS) - Water pollution and mudslides could be the next major problems facing Gatlinburg three and a half months after a deadly firestorm swept through the city, according to two experts who spoke during the emotional public forum portion of a City Commission meeting Tuesday evening.

Gatlinburg residents who suffered losses in the Nov. 28 fire that killed 14 people and destroyed more than 2,000 structures filled the small City Hall meeting room and streamed out into the hallway.

Resident after resident stood before Gatlinburg Mayor Mike Werner, Vice Mayor Mark McCown, Commissioner Don Smith and City Manager Cindy Ogle and leveled questions about authorities’ failure to evacuate the tourist town and the city’s plan to avoid another tragedy in the future.

...

http://www.govtech.com/em/disaster/Gatlinburg-victims-raw-as-pollution-erosion-threaten-city.html

A recent KnowBe4 survey of more than 500 organizations found that 33 percent of respondents experienced a ransomware attack in the past year -- and 53 percent of organizations with multiple solutions in place to block ransomware still become victims.

Seventy-two percent of survey respondents downloaded a ransomware simulator that mimics 10 different infection scenarios in order to test their anti-virus' ability to detect and stop attacks. Only 52 percent of those organizations' current anti-virus solutions were able to detect the ransomware.

"Ransomware is primarily delivered via a phishing email, which means your users have to be trained to identify it in order to prevent it, making antivirus ineffective at stopping ransomware. ... An important layer in any company's security stack is the last line of defense -- the human firewall that can be trained to detect a phishing email," KnowBe4 CEO Stu Sjouwerman said in a statement.

...

http://www.esecurityplanet.com/malware/anti-virus-solutions-fail-to-protect-against-ransomware.html

Strategic BCP’s software innovators, enterprise consultants, customers, and partners will soon be heading to sunny Orlando for DRJ Spring World 2017 at Disney’s Coronado Springs Resort. We are proud sponsors of the conference.

At DRJ Spring World, we will be showcasing several new software enhancements in ResilienceONE including the integration of Everbridge—the industry’s top Emergency Management Notification System (EMNS). The integration adds powerful capability to Business Continuity and Crisis Management and does not require customization or configuration.

Strategic BCP and Everbridge will demonstrate their integrated capabilities in the “Coronado F” suite at the following times:

  • Sunday, March 26 at 5:30-7:00 pm
  • Monday, March 27 at 11:45 am-1:30 pm
  • Tuesday, March 28 at 11:45 am-1:30 pm

Private demos will also be available. Visit Booth 510/512.

See firsthand ResilienceONE’s extensive automation of manual work, powerful risk analytics, and its real-time enterprise command center. It provides a comprehensive, cost-effective way to manage business continuity, operational risk, vendor risk, and IT risk within one cloud-based solution.

Members of Strategic BCP’s world-class Professional Services organization will also be on-hand.

Not attending DRJ Spring World? Learn more or schedule a demo.

We hope to see you there!

http://www.strategicbcp.com/blog/resilienceone-demos-at-drj-spring-world-with-everbridge-integration/

(TNS) - York and Cumberland counties are under a blizzard warning as a massive nor’easter arrives in Maine with blustery winds and snow.

Snow started falling before dawn Tuesday in York County, part of a potentially crippling storm stretching from Washington, D.C., to Maine that will affect tens of millions of people by the time it moves out of the Northeast on Wednesday.

The National Weather Service placed all of coastal New Hampshire, York County and Cumberland County under a blizzard warning for Tuesday, meaning severe winter weather could create whiteout conditions that make travel extremely dangerous.

...

http://www.govtech.com/em/disaster/Noreaster-brings-blizzard-conditions-to-York-Cumberland-counties.html

Can you describe the differences and benefits of the BIA and Risk Assessment? Today’s short blog may help you provide answers when the questions arise.

You just spent time completing a Business Impact Analysis (BIA), taking 2 to 3 hours per department. Now you are asking for another hour or more to interview the same team for a risk assessment. “We just did this, why are we doing it again?” is the response from department leaders. Even BC program stakeholders ask why time and resources are being spent on the same activities. The Risk Assessment and BIA are both risk-based assessments, but have different purposes. BIAs are the “what” is impacted and Risk Assessments are the “how” impacts occur.

...

https://www.mha-it.com/2017/03/bia-and-risk-assesment/

 

BATON ROUGE, La. — In the 12 months since the March severe storms pummeled and flooded much of Louisiana, the Federal Emergency Management Agency (FEMA) has helped thousands of people begin to recover.

Along with its federal and state partners, the agency has disbursed millions of dollars so people could start repairing their homes, cover disaster-related costs and stay in dry, safe lodgings as they did so.

FEMA’s Individual Assistance program has approved nearly $94 million in housing and other needs assistance. Its Public Assistance program has obligated more than $47 million to reimburse communities for emergency work and infrastructure repairs. The agency has approved nearly $20 million for disaster case management intended to help people who need extra assistance getting back on their feet.

The National Flood Insurance Program, administered by FEMA, processed 4,977 claims and paid out more than $239 million for flood claims stemming from that disaster. 

The U.S. Small Business Administration (SBA) has approved nearly $109 million in long-term, low-interest loans for homeowners and businesses. 

Some 198 volunteer groups helped flood survivors, providing services such as muck outs, hot meals, home repairs and rebuilds, and distributing water, cleaning supplies, diapers and other baby supplies.

Even as residents have done the difficult job of repairing and rebuilding their homes, communities throughout the state continue to outline how they want to rebuild.

FEMA set up offices in Baton Rouge and Monroe to identify emerging local and regional needs, coordinate with federal agencies in local recovery efforts and provide guidance on post-disaster recovery planning. The agency has facilitated a number of local, state and federal roundtable discussions and forums on housing, business, health and agriculture. These events led to identifying 88 high-level needs for attention by subgroups under the National Disaster Recovery Framework, which provides the state with expertise from federal agencies involved in long-term recovery.

In affected communities in Ouachita Parish for example, the Recovery Support Function teams brought in disaster recovery specialists from more than 10 federal agencies such as the Environmental Protection Agency, Housing and Urban Development and the Commerce Department to develop technical assistance on disaster recovery projects. They looked to include proposals on green infrastructure, mitigation and ways to fight blight with in-fill construction.

This week marks the first Community Resilience Institute meeting for elected officials of parishes hit by the March floods. The institute is a result of FEMA’s partnership with NOAA Sea Grant and the LSU Coastal Sustainability Studio.
###

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status.  If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY, call 800-462-7585.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Disaster Assistance Customer Service Center by calling 800-659-2955, emailing [email address removed], or visiting SBA’s website at SBA.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

For mitigation information visit www.fema.gov/Louisiana-Disaster-Mitigation.

DENTON, Texas – New flood maps for Grant County will become effective July 18, 2017. County residents are encouraged to view the maps before the effective date to understand their flood risk.

Most property insurance policies do not cover the effects of flooding. Anyone without flood insurance risks uninsured losses to their homes, personal property and businesses. Flooding is the most frequent natural disaster in the U.S. and only flood insurance covers these events.

Grant County residents are encouraged to contact their local floodplain administrator to learn if their community participates in the National Flood Insurance Program (NFIP). They can also review the new flood maps at the county floodplain administrator’s office. In addition, Federal Emergency Management Agency (FEMA) map specialists and flood insurance experts are available to answer questions. They can be reached by phone and online chat.

FEMA resources include:

  • Viewing a Preliminary Interactive Flood Map:  http://maps.riskmap6.com/AR/Grant/

  • Using the live chat service at http://go.usa.gov/r6C.  Click on the “Live Chat” icon.

  • Contacting a FEMA map specialist by calling 1-877-FEMA MAP (1-877-336-2627) or by email

  • Calling the NFIP Helpline – 1-800-621-FEMA (3362). Press “2” for flood insurance questions.

FEMA encourages non-participating communities to look at the benefits of joining the NFIP.

Businesses and homeowners who learn that their property has been newly mapped into a Special Flood Hazard Area may want to consider buying flood insurance before the maps become effective. Contacting a local insurance agent is the first step in getting information about insurance. Visit www.floodsmart.gov or call 1-888-379-9531 to locate an agent in your area.

The National Flood Insurance Program is a voluntary program administered by FEMA.

###

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow us on Twitter at www.twitter.com/femaregion6 and the FEMA Blog at http://blog.fema.gov.

Passwords are the most common authentication tool used by enterprises, yet passwords are notoriously insecure and easily hackable. End users tend to be careless with passwords, frequently reusing or sharing their passwords.

This is true even among technologists, with a recent Centrify survey of IT professionals finding 26 percent shared passwords and 78 percent had fallen victim to a phishing email. A separate Forrester study, also sponsored by Centrify, of 203 enterprise IT security decision makers found two-thirds of organizations experienced an average of five or more security breaches in the past two years. The same study found hackers compromised over a billion identities in 2016 alone.

In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. In 2014, a survey of more than 350 senior IT decision makers worldwide found 37 percent of organizations surveyed used multi-factor authentication for a majority of employees, up from 30 percent in 2013.

...

http://www.esecurityplanet.com/mobile-security/multi-factor-authentication.html

New software for monitoring the probability of earthquakes in a targeted location could help energy companies determine where they can operate safely.

The free tool, developed by Stanford University’s School of Earth, Energy & Environmental Sciences, helps operators estimate how much pressure nearby faults can handle before rupturing, by combining three important pieces of information:

  • Location and geometry of the fault
  • Natural stresses in the ground
  • Pressure changes likely to be brought on by injections

“Faults are everywhere in the Earth’s crust, so you can’t avoid them. Fortunately, the majority of them are not active and pose no hazard to the public. The trick is to identify which faults are likely to be problematic, and that’s what our tool does,” said Mark Zoback, professor of geophysics at Stanford, who developed the approach with graduate student Rail Walsh.

...

http://www.riskmanagementmonitor.com/software-may-help-oil-companies-determine-a-locations-earthquake-probability/

Most likely snowfall for #Blizzard2017 in the NY/NJ metro area now looks like this, per the National Weather Service New York:

While major cities in the Northeast may have been spared blizzard conditions, a strong winter storm is still unfolding and inland areas are watching the snow pile up.

Wondering if you’re covered for winter storm damage? Here’s the lowdown from the Insurance Information Institute:

...

http://www.iii.org/insuranceindustryblog/?p=4849

Wednesday, 15 March 2017 14:30

BCI: Identity fraud reaches record levels

The Business Continuity Institute

Identity fraud has hit the highest levels ever, with 172,919 identity frauds recorded in 2016, more than in any previous year. The study by Cifas showed that identity fraud now represents over half of all fraud recorded in the United Kingdom (53.3%), of which 88% was perpetrated online.

The vast majority of identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or they experience problems with their credit rating. To carry out this kind of fraud successfully, fraudsters need access to their victim’s personal information such as name, date of birth, address, their bank and who they hold accounts with. Fraudsters get hold of this in a variety of ways, from stealing mail through to hacking; obtaining data on the ‘dark web’; exploiting personal information on social media; or through ‘social engineering’, where innocent parties are persuaded to give up personal information to someone pretending to be from their bank, the police or a trusted retailer.

We have seen growing numbers of young people falling victim in recent years and this upward trend continued in 2016 with almost 25,000 victims under 30. In particular we saw a 34% increase in under 21s, and therefore Cifas is again calling for better education around fraud and financial crime and urging young people to be vigilant about protecting their personal data.

2016 also saw increases in victims aged over 40, with 1,869 more victims recorded by Cifas members.

Mike Haley, Deputy Chief Executive, Cifas said: “These new figures show that identity fraud continues to be the number one fraud threat. With nine out of ten identity frauds committed online and with all age groups at risk, we are urging everyone to make it more difficult for fraudsters to abuse their identity. There are three simple steps that anyone can take to protect themselves: use strong passwords, download software updates when prompted on your devices; and avoid using public wi-fi for banking and online shopping.

We all remember to protect our possessions through locking our house or flat or car but we don’t take the same care to protect our most important asset – our identities. We all need to take responsibility to secure our mail boxes, shred our important documents like bank statements and utility bills, and take sensible precautions online – otherwise we are making ourselves a target for the identity fraudster.”

Commander Chris Greany, National co-ordinator for economic crime, said: “With close to half of all crime now either fraud or cyber crime we all need to make sure we protect our identity. Identity fraud is the key to unlocking your valuables. Things like weak passwords or not updating your software are the same as leaving a window or door unlocked.”

It is these same measures to improve cyber security that the Business Continuity Institute is trying to highlight as part of its Business Continuity Awareness Week campaign. There are simple steps that individuals can take to improve cyber security within our organizations, as well as our personal lives. They may not make our networks completely secure, but at least they make a cyber security incident more of a challenge for the perpetrator, rather than leaving the door wide open for them.

Omry Farajun first got into the online storage game before there really was much of an online storage game to speak of.

When he launched Toronto-based Storage Guardian in 1999, Farajun recalls how converting a sale meant convincing customers in the value of backing up data remotely and digitally.

“That was the big pushback to online backup: ‘Oh, I have a tape drive and that’s good enough for me,’” he said. “Fifteen years ago it was hard to convince companies to back up their data.

“We’re one of the original SSPs – storage service providers.”

...

http://mspmentor.net/managed-storage-services/storage-guardian-touts-msp-opportunity-business-continuity

HATTIESBURG, Miss. – If you’re a survivor of the severe storms and tornadoes in January, you have two weeks to register for possible disaster assistance and to return applications for low-interest disaster loans to the U.S. Small Business Administration.

The deadline for both is March 27.

FEMA urges everyone who sustained losses from the January tornadoes to register, including those who have insurance. Insurance may not cover all losses.

The four designated counties declared by the President for disaster assistance are Forrest, Lamar, Lauderdale and Perry.

FEMA disaster assistance for individuals and families can include money for rental assistance, essential home repairs, personal property and other serious disaster-related needs not covered by insurance.

FEMA can’t duplicate benefits from insurance, but you should still register as help may be available for under-insured or uninsured losses. Update FEMA once your insurance is settled.

After you register, you may be contacted by the SBA about a low-interest disaster loan. Complete the SBA application to keep the process moving.

SBA physical disaster loans are available to homeowners and renters for repair or replacement of disaster-damaged property, including contents and automobiles.  SBA loans are available to businesses of all sizes and nonprofit organizations, too.

SBA economic injury disaster loans are available for small businesses, small agricultural cooperatives, small businesses engaged in aquaculture and most private nonprofit organizations of all sizes having difficulties meeting ordinary and necessary financial obligations because of the disaster. The application deadline for economic injury disaster loans is October 25, 2017.

SBA disaster loan interest rates are as low as 3.125 percent for businesses, 2.5 percent for nonprofit organizations and 1.5 percent for homeowners and renters, with terms up to 30 years.  Loan amounts and terms are set by the SBA and are based on each applicant’s financial condition.

Survivors who receive a low-interest disaster loan application from SBA after registering with FEMA should complete and return the application even if they do not plan to accept a loan. By completing the application, applicants may become eligible for additional grants from FEMA. By not completing and returning the applications, survivors could potentially be leaving “money on the table”. And, if you don’t complete and submit the loan application, you stop the FEMA disaster assistance process.

Register with FEMA online at www.disasterassistance.gov or call the FEMA helpline: 800-621-3362 or TTY 800-462-7585.

SBA disaster loan applicants may apply online using the Electronic Loan Application (ELA) via SBA’s secure website at disasterloan.sba.gov/ela. For more information or assistance with SBA disaster loans, call 800-659-2955. Individuals who are deaf or hard of hearing may call 800-877-8339.

For more information on Mississippi’s tornado recovery, go to fema.gov/disaster/4295 or visit the MEMA site at msema.org. Follow MEMA on Facebook facebook.com/msemaorg and on Twitter @msema.

###

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you believe your civil rights are being violated, call 800-621-3362 or 800-462-7585(TTY/TDD).

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

A recent CyberEdge survey of 1,100 IT security decision makers and practitioners across 15 countries found that fully 61 percent of respondents' organizations were victimized by ransomware last year.

Among those hit by ransomware, 33 percent paid the ransom to recover their data, 54 percent refused to pay but recovered their data anyway, and 13 percent refused to pay and lost their data.

In general, the report found the percentage of organizations being hit by successful cyber attacks continues to rise, from 62 percent in 2014 to 70 percent in 2015, 76 percent in 2016, and 79 percent in 2017. Three in five respondents believe a successful cyber attack is likely in the coming year.

...

http://www.esecurityplanet.com/malware/one-third-of-ransomware-victims-end-up-paying-the-ransom.html

Warning: this article may upset some conservative risk managers.

Risk management in modern nonfinancial companies is very different compared to, say, five years ago. The level of risk management maturity, for lack of a better word, has grown significantly.

As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long-term value for their clients. Here are three reasons why:

...

http://www.corporatecomplianceinsights.com/3-fatal-mistakes-most-risk-consultants-make/

With big data, analytics, social, mobility, cloud and IoT driving the move to Digital Transformation--also known as DT, digitalization, DX, DE (Digital Everything) and Industry 4.0--IT is moving from the back office to business enabler. However, all the things that make DT possible also make it more vulnerable. And with small and midsize businesses already facing a growing range of internal and external cybersecurity threats, combined with a shortage of skills and resources, partnering with an MSP becomes increasingly attractive.

That’s good news for MSPs, but how do you ensure you are profiting from this trend? How do you position your business to address the new realities that more than half of SMBs (55%) were victims of a cyber attack within the last 12 months and that 60% go out of business within six months of an attack?

The pundits talk about becoming an SMB’s business partner, strategic partner or trusted advisor, and all three terms make sense, as far as they go. However, I would argue that when you consider the vital importance that secure IT represents, much more is at stake than a partnership, strategy or trust. We’re talking about the success or failure of your client’s business, and that demands a more inclusive approach. This also happens to be good for you: The managed security service market, worth $17.02 billion in 2016, is expected to almost double by 2021 to $33.68 billion, at a Compound Annual Growth Rate of 14.6%.

...

http://mspmentor.net/blog/cybersecurity-essential-part-msp-toolkit

Enterprises looking to scale out their own data infrastructure quickly run into a problem: While more computing and networking capacity can be squeezed out of existing hardware, storage cannot.

Sure, you can make improvements to I/O, IOPS, management capabilities and the like, and even defrag drives and deduplicate data, but when it comes to storing a bit of data on a piece of magnetized metal or a solid state cell, the only way to increase capacity is to deploy more hardware.

So regardless of whether the goal is to build an internal cloud or a hyperscale analytics engine, the only solution to a lack of storage is to, well, add more storage. Fortunately, there are ways to do this without pushing the infrastructure footprint over the edge or breaking the capital or operating budgets.

One of the newest innovations comes from Facebook’s Open Compute Project, which recently introduced the “Bryce Canyon” storage solution that ups the density of hard disks in standard rack systems. It does this by placing the drives upright in the chassis, rather than laying them flat in the normal fashion. In this way, the enterprise can cram 72 drives into the same space that the previous architecture, “Honey Badger,” used for 60. While on the surface this would appear to increase the power and heat load in the rack as well, Facebook engineer Eran Tal explained to Datacenter Frontier that it also provides for better airflow from underneath the chassis using larger fans.

...

http://www.itbusinessedge.com/blogs/infrastructure/confronting-the-hyperscale-storage-challenge.html

When most people think of product contamination and recalls, the first thing that comes to mind is food poisoning cases from bacteria such as e-coli and listeria. Food and drug companies, however, are experiencing malicious and intentional product tampering that can be equally deadly and dangerous. Many of us can’t forget the 1982 cyanide Tylenol crisis, Johnson & Johnson’s worst nightmare as reported cases of death from their products came pouring in, causing recalls nationwide.

The Tylenol case was long ago, but unfortunately, decades later and despite modern day advancements in packaging and processes, there is still a steady flow of cases globally, where bad actors contaminate products. This can lead to possible danger for customers, recalls, lasting reputational damage and potentially huge financial losses.

For example, in 2013, unsafe levels of the insecticide malathion were found in a Japanese frozen food company’s products after customers reported a chemical smell coming from the products and almost 3,000 cases of sickness from consuming them. As a result, the products were recalled and the company shut down, causing its stock to plummet.

...

http://www.riskmanagementmonitor.com/food-defense-initiatives-can-safeguard-your-company/

The Business Continuity Institute

Implementing a Business Continuity Management System which meets and exceeds ISO 22301 is a challenging but important undertaking for an organization committed to business continuity. I have recently been leading a project for PlanB, where we helped a marketing/logistics firm achieve ISO 22301 (with one minor non-conformity!). This was achieved in a period of five months, and some lessons learned are shared below.

I would consider a good BCMS to operate like an octopus. It sits at the heart of the organization, but reaches into each and every function of the business. This of course requires collaboration from different parts of the organization.

Ultimately, embedding is key and this doesn’t just come from conducting awareness training, or ensuring that the policy and plan(s) are visible to employees and interested parties. Embedding comes from the octopus, connecting each function or department, back to the BCMS. Information should flow along the connectors (tentacles - if we follow the octopus theme!).

I will explain how this should operate below:

1. Key to embedding is how your staff interacts with the BCMS. Are they passively involved, or do they understand as much as possible? Staff may be instructed to attend a training session. However, you should consider involving as many staff as possible. This includes involving non-management staff at the Analysis (BIA) phase up to validation, where deputies should be included in exercising and tests.

2. The BCMS must interact with departmental functions. Critically, it should embrace and involve IT, not only with regards to disaster recovery, but also day-to-day operations. Related disciplines of cyber security and information security dovetail closely with the BCMS. Risk management is also crucial, with consideration given to how BC risks are considered in line with corporate risk registers. Lastly, the BCP should be written with the approval of health and safety, particularly with regard to site evacuation and incident notifications.

3. Externally, the octopus should reach to supply chain and critical suppliers. This can often be an afterthought for BC professionals, and seen as a more ‘mature’ element of business continuity. However, there will likely be huge dependency on suppliers if a BC incident occurs, therefore you must understand what suppliers can provide by way of continuity of operations. Raising awareness to interested parties of your BC arrangements can also help build resilience.

4. Post-incident acquisition is still possible as a strategy; it is not always hot data centres and Work Area Recovery. However, exercising of post-incident acquisition is essential, and this strategy should complement other recovery strategies which have been exercised and tested. Unless exercising occurs, we are working with untested assumptions, which is the last thing you want in an incident!

The above is a brief overview of the observations I noted whilst proceeding through the ISO 22301 certification process. I have tried to keep the observations high-level, to ensure these are a starting point for others implementing a BCMS. So, when implementing a BCMS for the first time, remember the business continuity octopus!

Gordon Brown (AMBCI, MSc) is a consultant at PlanB Consulting, and leads on projects delivering business continuity, ISO 22301 and training and exercises.

(TNS) - Yellow fever has broken out in the jungles outside Brazil’s most densely-populated cities, raising a frightening but still remote possibility: an epidemic that could decimate that country’s population and spread throughout the Americas, including the United States.

In an essay rushed into print by the New England Journal of Medicine on Wednesday, two doctors from the National Institutes of Health warn that cases of yellow fever, which can kill as many as 10 percent of those infected, have seen an unusual spike in the last few weeks in several rural areas of Brazil.

Those outbreaks have been limited to places where there aren’t enough people or virus-spreading mosquitoes to fuel a rapid run-up in transmission. But they are on the edge of major urban areas where residents are largely unvaccinated, and where humans and insects are packed densely enough to accelerate the disease’s spread.

...

http://www.govtech.com/em/health/An-outbreak-in-Brazil-has-US-health-experts-wondering-if-yellow-fever-could-be-the-next-Zika.html

If you already belong to a high-performing DevOps organization and you are working on leveraging opensource for monitoring to drive feedback loops, or delivering better security with DevSecOps, or making sure you are understanding continuous testing then you don’t need to read the following – you can stop now.

However, if you are facing the challenge that your app dev team is developing faster than you can deliver, or you realize that ITIL does not help you increase your speed and quality of deployment, or your manual deployment capability does not scale, or human error has caused an outage, don’t delay shifting your operating model towards DevOps. Our DevOps vision report gives I&O leaders guidance on how to modify the operating model to focus on velocity and quality to deliver “great” customer experiences.

...

http://blogs.forrester.com/eveline_oehrlich/17-03-09-traditional_io_is_dead_the_devops_phoenix_rises

Everyone from the CEO to the mail room wants the same thing from IT—quality services, delivered reliably. More and more that means that IT operations must rely on automated tools to support ITSM processes within the organization.

Let’s take a look at making the case for a robust, flexible and full-featured automated notification tool to increase efficiency.

Why automated notification? Some of the most prevalent tools help with incident tickets, helpdesk issues, and so on, but in many cases, multiple ITSM tools are used to address some of the same issues. Translation: there’s often overlap, but usually not in the right places.

...

http://www.mir3.com/making-case-automated-notification/

The new data economy isn’t about data; it is about insights. How can I increase the availability of my locomotive fleet? How can I extend the longevity of my new tires? How can I improve my on-time-in-full rate? Which subscribers are most likely to churn in the near future? Where is the best location to build a new restaurant franchise or open a new retail outlet? Business decision-makers want answers to these kinds of questions, and new insights services providers are eager to help them.

A growing number of companies recognize the opportunity their data provides, and they take that data to market: one-third of firms report commercializing data or sharing it for revenue with partners or customers. The recently published Forrester Report Top Performers Commercialize Data Through Insights Services discusses the new trends in data commercialization: who is buying, who is selling, and what offerings are available, from direct data sales to the delivery of data-derived insight services.

...

http://blogs.forrester.com/jennifer_belissent_phd/17-03-08-insights_services_drive_data_commercialization

Salt has been around since the beginning of time. A preservative, a food enhancer, and in early times as valuable as precious metals; it even drove humans to war! And now, new research suggests that salt may be heading towards a new life…a star in the world of infection control and disease prevention. Salted Doorknobs…Really!

Bugs such as Methicillin-resistant Staphylococcus aureus, or MRSA or drug resistant TB are increasing world-wide. These drug-resistant infections are responsible for more than 700,000 deaths globally each year, and come with an approximate annual cost of $20 billion in the United States alone.

How do you stop them? The usual things have been employed: frequent hand washing is the most common, followed by protective barriers such as gloves, masks and gowns. Another option is to coat those frequently handled objects most likely to carry the bugs—doorknobs, bed rails, toilet handles—with a special anti-microbial surface. The use of copper is now increasingly popular to prevent the spread of disease; however, MRSA has been shown to survive even on copper for several hours.

...

https://ems-solutionsinc.com/blog/can-salted-doorknobs-prevent-infections/

The Business Continuity Institute

The impact of extreme natural disasters is equivalent to a global $520 billion loss in annual consumption, and forces some 26 million people into poverty each year, a new report from the World Bank and the Global Facility for Disaster Reduction and Recovery (GFDRR) reveals.

The report, Unbreakable: Building the Resilience of the Poor in the Face of Natural Disasters, warns that the combined human and economic impacts of extreme weather on poverty are far more devastating than previously understood.

In all of the 117 countries studied, the effect on well-being, measured in terms of lost consumption, is found to be larger than asset losses. Because disaster losses disproportionately affect poor people, who have a limited ability to cope with them, the report estimates that impact on well-being in these countries is equivalent to consumption losses of about $520 billion a year. This outstrips all other estimates by as much as 60%.

“Severe climate shocks threaten to roll back decades of progress against poverty,” said World Bank Group President Jim Yong Kim. “Storms, floods, and droughts have dire human and economic consequences, with poor people often paying the heaviest price. Building resilience to disasters not only makes economic sense, it is a moral imperative.”

The report assesses, for the first time, the benefits of resilience-building interventions in the countries studied. These include early warning systems, improved access to personal banking, insurance policies, and social protection systems (like cash transfers and public works programs) that could help people better respond to and recover from shocks. It finds that these measures combined would help countries and communities save $100 billion a year and reduce the overall impact of disasters on well-being by 20%.

“Countries are enduring a growing number of unexpected shocks as a result of climate change,” said Stephane Hallegatte, a GFDRR lead economist, who led preparation of the report. “Poor people need social and financial protection from disasters that cannot be avoided. With risk policies in place that we know to be effective, we have the opportunity to prevent millions of people from falling into poverty.”

Wednesday, 08 March 2017 19:59

Convincing Management To Do a BIA

Those of us with feet on the ground understand the value BIA (Business Impact Analysis) data brings when it comes to strategy development and prioritization, but how can we convince resource/financial decision makers and project stakeholders to approve a BIA?

Almost every BCM engagement will include performing a Business Impact Analysis . However, in many cases, this is an item that gets cut. It is often not seen as necessary or the cost/benefit does not meet management expectations. We know that a BIA is essential to the health of any solid BCM program, as is management support. We’re going to review some of the core benefits of a BIA so that you can convince the right people that conducting a BIA is beneficial to your entire enterprise.

Let’s go over some of the common questions asked or arguments made when proposing a Business Impact Analysis:

...

https://www.mha-it.com/2017/03/convincing-management-bia/

What used to be IT sourcing at the physical system level is turning into an exercise at the virtual cloud level, but with a new actor, the cloud broker.

In theory, the cloud solves many IT sourcing problems, of which one of the most obvious is the requirement for capital to buy physical systems that are never run to full capacity.

Pay-as-you-go turns CAPEX into OPEX, while previous luxuries like hot standby systems become an affordable reality.

Yet the cloud also opens new sourcing challenges of unknowns and inconsistencies.

Cloud brokers can help, at least while they themselves survive as a species.

...

http://www.opscentre.com/cloud-it-sourcing/

DURHAM, N.C. – Severe weather can happen any time of the year.  In North Carolina, the first full week of March is designated as Severe Weather Preparedness Week, a time when residents are urged to develop or review and update their family emergency plan.

An emergency plan should include how everyone will contact each other, where to go, how you will get back together and what to do in different situations. A good place to begin is Ready.Gov, the disaster preparedness website managed by the Department of Homeland Security and the Federal Emergency Management Agency. North Carolina Emergency Management operates another site, ReadyNC.org, which is available as an app for your phone.

These sites offer an array of resources such as forms to print out and fill in with contact information on each family member, phone numbers of out-of-town contacts, work locations and other important phone numbers.

Your plan also should include emergency plans for places where your family spends time, such as work, school and daycare.

Identify an out-of-town friend or relative as a contact person for your family members. During an emergency each member of the family will call the contact and let them know they are safe. An out-of-town contact may be in a better position to communicate among separated family members.

Decide where to go in an emergency. Plan and practice for different scenarios, such as where to go if there is a fire. What do you do if an emergency happens at night? Where in the home is the safest place if a tornado hits? If you live in an area susceptible to hurricanes, decide whether to evacuate or stay. Plan several evacuation routes, if possible, in case some roads become impassable. Identify where you will stay until it is safe to return home. If you have pets, find, in advance, places to board them or hotels and shelters that are pet friendly.

During a wide-scale disaster, such as tornado or hurricane, prepare for power outages. Keep fresh batteries for flashlights, keep cell phones fully charged. Consider purchasing a cell phone charger for your vehicle or a battery operated charger. Also, keep your gas tank full.

During hurricane season, keep a basic disaster supply kit of nonperishable food, water, first aid supplies, medicines, disposable diapers, formula and baby food (if necessary), plus extra food and water for pets. Don’t forget a manual can opener. Keep these items in a waterproof container and include enough food and water for up to three days.

A battery-operated weather radio or television will be invaluable in an emergency. The radios can be programmed to your local weather service office and will provide information on approaching severe weather. Heed their advice if you are directed to evacuate.

Keep enough cash on hand to get through several days. Banks will likely be closed and ATMs won’t function during a power outage.

Several government agencies work together to help you and your family stay safe. If you would like additional information, try these links:

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.

Wednesday, 08 March 2017 19:56

Most Organizations Deny Prevalence of Fraud

At a loss of more than $6 billion annually, experts have found fraud occurs in most organizations, but 80% of respondents to a recent survey by ACL believe their organization has “medium to no” exposure.

The 2017 Fraud Survey of more than 500 professionals in the United States and Canada found that “alternative facts” extend to the mentality among many businesses.

“As the phenomena of ‘fake news’ and ‘alternative facts’ permeate the U.S. landscape, it is interesting to see how disconnected many executives are from the true prevalence of fraud and corruption in their organizations,” said Dan Zitting, chief product officer at ACL, a risk management software provider. He added that companies increasingly discover they have had “numerous instances of potential fraud” that need to be investigated.

...

http://www.riskmanagementmonitor.com/most-organizations-deny-prevalence-of-fraud/

DENVER – There’s a hidden threat that strikes countless unprepared Americans each year – flooding.  Unlike fire, wind, hail or most other perils, flood damage is not covered by a homeowners’ policy.  An uninsured flood loss can undo a lifetime’s worth of effort and create a mountain of bills.  Fortunately, a National Flood Insurance Program (NFIP) policy provides the defense against such losses and can ensure that a flood doesn’t bring financial ruin.

Flooding is an ever-present threat; it can happen at any time and in virtually any location. While certain areas may be more prone to flooding – especially coastal areas or riverine environments – history has shown that almost no place is immune to flooding. Flooding can have many causes: a quick heavy rainfall or rapid snowmelt can cause flash flooding, a blocked culvert or storm sewer drain can create flooding in a city neighborhood, or prolonged wet weather can swell streams and rivers. Even dry conditions can pose a threat, as minimal rainfall in wildfire burn areas or drought-stricken regions can create flash flooding when soils are unable to absorb even slight precipitation.

Flood insurance is easy to get; the only requirement is that you live in a participating community (which might be a county or other jurisdiction for those living in unincorporated areas). That’s right; you don’t need to live in a floodplain to purchase a policy. In fact, if you live outside a floodplain you may be eligible for a preferred risk policy that has a much lower premium than a policy in a higher flood risk area. And in most cases you can purchase an NFIP policy through the insurance agent you already deal with for other insurance needs. When that isn’t possible, NFIP can put you in touch with another agent who can get you a flood insurance policy.

One key difference between an NFIP policy and other insurance policies is the 30-day waiting period before the policy goes into effect. But that doesn’t mean anyone should view a policy like a lottery ticket, something purchased only if flooding appears imminent. A policy should be viewed as protection against a continuing threat rather than a hedge against a singular event such as anticipated spring flooding or following a wildfire.

The average flood insurance premium nationwide is about $700 a year – less than $2 a day for financial protection from what could be devastating effects of a flood to one’s home or business. By purchasing a policy now, or keeping your existing policy, you have peace of mind.  As with any insurance, be sure to talk with your agent about the specifics of your policy – how much coverage you need, coverage of contents as well as structure and any other questions you might have.

Find out more about your risk and flood insurance at www.floodsmart.gov. To purchase flood insurance or find an agent, call 1-800-427-2419.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

For more information regarding flood preparedness and flood insurance, visit the FEMA Region VIII Flood Insurance Media Kit at www.fema.gov/r8flood.

BATON ROUGE, La. — If your home or business was substantially damaged in the August flooding, you may qualify for additional assistance, Increased Cost of Compliance (ICC), to elevate a structure to meet local floodplain-management regulations. Your National Flood Insurance Program (NFIP) policy may provide up to $30,000.

Substantial damage applies when the cost of restoring a structure equals or exceeds 50 percent of its pre-damage market value. Some communities have more restrictive regulations.

For mitigation purposes, homes and businesses may require changes. Structures that comply with floodplain management regulations have an enhanced ability to withstand storms and floods. Examples of ICC measures include elevation, relocation and floodproofing.

Increased Cost of Compliance Process

You will receive a substantial damage letter if your community determines the home or business was substantially damaged. From there:

  • A signed Increased Cost of Compliance (ICC) Proof of Loss form can then be submitted to your insurance company.
  • Provide a contractor’s estimate for the proposed ICC-eligible measures to your home or business and copies of construction permits. Your insurance company needs these to consider an ICC claim.
  • Request funds within 60 days after your home or business is declared substantially damaged. You have six years from the date of loss to complete the chosen and approved ICC measures.

Visit the Louisiana Department of Transportation and Development’s website at www.dotd.la.gov/lafloods/community_contacts.aspx to find your community’s floodplain administrator or permitting official to learn more about the substantial damage determination process.

U.S. Small Business Administration (SBA)

The U.S. Small Business Administration (SBA) may be another source of funds to make your home or business safer and stronger.

If your loan application is approved, you may be eligible for additional funds to pay for improvements that will protect your property against future damage. The funds would be in addition to the amount of the approved loan.

For more information, call the SBA at 800-659-2955 or TTY 800-877-8339. You may also go online to sba.gov/disaster.

Not all emergency communication software is created equal. Here are four tips to help you choose the best system for your organization.

There are several emergency notification software vendors who offer a variety of features and functionalities that organizations can leverage to improve their communication strategy. While many of these capabilities may seem beneficial, it is important to focus on the specific needs of your organization when evaluating technologies. Too many complex features can make the software overwhelming and difficult to use, slowing adoption and adding extra steps to the process of sending important communications. Ultimately, you want to find a reliable platform that can send quick and effective notifications to keep your people safe, informed, and connected.

Here are four key factors to consider when choosing the best emergency notification system for your organization:

Evaluate your needs and assess your risk

When designing an emergency communication plan, start by understanding what is at risk: your people, facilities, parts and products, intellectual property, technology, and automobiles and/or fleet. All of your assets, and the operations that depend on these assets, are at risk when an emergency arises.

Ask yourself, what are the emergencies that are most likely to occur? IT outages, weather-related incidents, power failures, and security lockdowns are the most common. Each location where your company operates, including home offices, may have different variables and risks to evaluate. Consider the weather and geological events those areas are prone to, security and IT support in those facilities, the nearest emergency response organizations and hospitals, and the number of employees who may be affected.

Each facility likely differs as far as how buildings and workspaces are designed, evacuation routes, surrounding streets and neighborhoods, and even the demographics of the staff located in each building. Some locations may have handicapped employees, elderly, or even children in an office daycare. Are there elevators or stairwells? An easy route for emergency vehicles? Are there any hazardous materials stored at any of the locations? All of these factors may come into play during an emergency and you need to be equipped with the right technology to effectively communicate with your people. Thinking through all of the possible scenarios, and thinking through what communication steps will be required, will help you decide which software solution makes the most sense.

Look for software vendors that provide the features and functionality you need

Emergency communication platforms differ greatly and the ideal product will be customized to your organization’s specific needs and requirements. Some of the key characteristics you will want to look for in an emergency communication system will include:

  • Intuitive user experience
  • Two-way communications
  • Multi-channel delivery
  • Compatibility with any device
  • Measurement tools, analytics, and reporting
  • Dedicated customer support

One of the most important features to look for in an emergency notification system is an intuitive user experience. When you are under time pressure or stress from an impending crisis, you need to know that you can quickly and accurately operate the system within seconds. Some solutions were built decades ago and have continued to add features to a legacy system. These often require time and effort to integrate with your existing systems. Instead, find modern software that was built during the smartphone era. Modern platforms will be much easier to adopt and maintain. In fact, the best solutions today are cloud-based so you never need to worry about maintenance. They can provide a more reliable and secure platform you know will be there when you need it most.

Two-way communication is relatively new and mirrors the expectations the audience has: to be a part of the conversation. Social media has changed our perceptions of how we should communicate and now more than ever, people insist on being a contributor and engaging in dialogue. Modern mass communication systems value employee feedback and input. In fact, it is the first-hand eyewitnesses that can often offer the most insight during a situation. The right system will allow your people to initiate communications, which makes sense since they may be the first ones to be witness to an incident.

Multi-channel communication options are critical, as employees are more mobile than ever, and as your people communicate in a greater variety of ways than ever before. A communication system needs to enable more than just phone and email communications. It must include any and all channels your employees are using, such as text messages, native apps, social media, Slack, and more.

Gone are the days of employees sitting at their desks from 8 a.m. to 5 p.m. Monday through Friday. We are constantly traveling, working remotely from home, an airport, a coffee shop, or a hotel. You need a system that can send notifications and alerts simultaneously across all devices, anywhere in the world. Not only will this ensure the highest receive rate, but it will also get the employees’ attention as all channels are activated at once.

Measuring the success of a notification is an important step in the process and the well-being of your people. A great communication system will give you the analytics you need to determine if your notification was effective, measuring how each delivery channel performed, open rates for notifications, response rates, and employee feedback. Using these metrics and additional detailed reports, you can help improve emergency plans, find gaps in message coverage, and identify areas for overall improvement.

And finally, the best emergency communication vendors provide you with dedicated customer support that you can access 24/7. From implementation to every day operations, it is important to know that you have a live resource at your fingertips to assist you or answer your questions.

Make sure the software is easy to implement

Adding a new communication system does not end with your software selection. The right software will offer you features and functionalities you did not have before, but those can only be effective if people are empowered to use them.

If your system of choice is intuitive and easy to use, then it will not require extensive training, and you can easily add new users who can access the platform and send messages during critical events without pause or confusion. Knowing when and how to use the system, knowing what situations are considered worth acting on, and knowing who is to receive the communications – all this takes planning, but you can soften those challenges by selecting the right partner. And the key to selecting the right partner is ensuring that they have a customer support representative dedicated to your account to walk you through each step of the process.

The most important step in implementing a communication system is to customize the software for your organization’s structure and geography. Every location will have its own list of employees, potential threats, and other considerations. The right communication system will automate much of this for you, particularly if it is integrated with your HR application. Setting up the directories should not take long but can save you invaluable time when a critical situation arises.

In our fast-paced world, you want to ensure that you can send messages on the go. One of your first priorities will be to download your chosen vendor’s mobile app on all of your devices to ensure you can send and receive notifications at all times.

You can further customize the software to include the channels you know are most prevalent in your organization. Does your company use two-way radios? Flashing lights? Whatever channel you want to include should be easy to add and modify at will using an Application Programming Interface (API). Keep in mind that with the help of customer support, you can use an API to integrate all of your existing systems and any customized channels you will want to add to the communications software.

Look for a system that allows you to pre-build templates for every channel, as well as the ability to customize your messages. If you know of certain situations when an automated notification can be sent, such as weather alerts or schedule changes, go ahead and create it. Otherwise, learn how to build your own message on the fly quickly so you are familiar with the steps during an emergency event.

And finally, familiarize your organization with the system by sending a test message. Use the system to notify employees about the new system. Check to see if everyone received the notification, which channels delivered the notification, how long it took for the notification to be drafted and sent, and if the message sent was the right message.

Once a vendor is chosen do not be afraid to ask for help if you need it. The vendor should provide implementation and configuration support around the clock as part of the contract.

Consider other uses for the system

If you choose the right emergency communication system, you will quickly find that it is useful for a wide variety of other business needs. In fact, the system can be used in any situation where a large number of employees need critical or time-sensitive information.

Some of the more interesting ways a communication system can be used are in logistics and scheduling. Generally, organizations with scheduled shift workers and/or fleet drivers have to manage a lot of moving parts. Using the system to communicate back and forth with these employees can be much more efficient than most dispatch systems.

Event planning, guest communications, and volunteer coordination are all eased with a mass communication system. Again, because the system can engage people across channels and devices, messages, alerts, notifications, and tips can all be received more reliably. Some organizations are foregoing time-consuming email newsletters for instant notifications using a mass communication system.

Some common non-emergency uses of mass notification systems include:

  • Weather-related notifications that may impact classes, events, or games
  • Traffic alerts
  • Members-only notifications
  • Billing alerts
  • Venue changes
  • Event updates and reminders
  • Parking tips
  • Closings or delays
  • Shipping notifications
  • Appointment/reservation reminders
  • Guest, customer, or employee surveys

If you aren’t sure which system is best for your organization, see if the vendors you are considering offer demonstrations or trial periods. While you evaluate the technology, keep a close eye on the level of service. You want people who know not only communications, but your industry. They should provide around-the-clock support with real people answering the calls so you know in an emergency, you can talk to a live person.

No matter the size of your organization, you and your employees deserve to work in a safe environment. Once you have chosen a great solution, you will be able to take comfort in knowing you have something in place to keep everyone informed and connected. By doing your homework on the front end and choosing the right emergency notification vendor, you will greatly increase the odds of your organization getting through an emergency safely and with very little impact on operations.

About the author
Brett Andrew is VP of Sales and Marketing for AlertMedia, the fastest-growing mass communications provider in the world, offering an easy-to-use software platform that combines multi-channel messaging and monitoring to keep people safe, informed, and connected. Brett can be reached by email or at 800 826-0777.

The Business Continuity Institute

The effects of ransomware attacks on organizations can cause unquantifiable financial cost and immeasurable data loss. Yet, despite this, there is a lack of awareness when it comes to being prepared. A study conducted by Timico and Datto found that two-thirds of UK businesses have no official ransomware policy to guide employees on what to do in the event of an attack.

The study found that two-thirds (68%) of respondents said the effects of an attack were almost instant, with data systems going from fully functional to essentially useless within seconds or minutes. Nearly a quarter (23%) reported lockdown within just a few seconds, and 18% said that systems were down within a minute of the attack. A further 26% reported systems being blocked within a few minutes. For the majority (85%) of companies that have been victims of ransomware, systems were down for a week or more, causing £1,000s in financial damage a day to most businesses. A third (33%) had to endure their data being down for more than a month, with 15% reporting their data as ‘unrecoverable.’

But retrieving data is becoming increasingly difficult for organizations. The ransom fees, demanded by cyber criminals before they will unlock the victim’s computer system, are rapidly rising. Nearly a quarter (23%) of respondents paid over £5,000 to retrieve their data and 26% paid a fee of £3,000 to £5,000. Higher ransom fees were reported in large businesses, with a third of corporate businesses paying over £5,000 to recover data compared with just half that proportion of SMEs (15%).

The full cost of an attack on the business is often unknown. Nearly a third (29%) of those polled could not even estimate the overall financial cost to the business of the ransomware attack, deeming it ‘unquantifiable’. Over half (53%) of respondents estimated that the attack had cost the business between £1,000 and £2,000 per day in lost revenue, due to its data systems being down.

With the infected computers or networks becoming unusable until a ransom has been paid or the data has been recovered, it is clear to see why these types of attack can be a concern for business continuity professionals. The latest Horizon Scan Report published by the Business Continuity Institute revealed cyber attacks as the number one concern – a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week.

Nabeil Samara, Chief Digital Officer at Timico, says: “These research findings clearly show that the speed of a ransomware attack is almost instant, while the effects on the organization can be far reaching. It’s not just a case of the data loss and financial cost to the business. A ransomware attack can have a debilitating effect, with long-term consequences across the business, with the company even breaching terms of any regulatory bodies that the business holds themselves accountable to.”

Timico's top tips to preparing for, and preventing, a ransomware attack:

  1. Get senior stakeholder buy in, so all company ransomware prevention and response policies are communicated and enforced from the top.
  2. Be proactive with your backup policy, and above all test on a regular basis.
  3. Educate your users not to open or click on suspicious looking emails or attachments.
  4. Up to date antivirus software should be considered essential.
  5. Don’t get complacent – audit your historic backups; this is imperative if you have a multi-vendor solution in place.
  6. Understand your Recovery Time Objective (RTO) i.e. how long can you afford to be down for?
  7. Understand your Recovery Point Objective (RPO) i.e. how much data can you afford to lose?
  8. Encourage your users to keep their work and personal data and apps separate.
  9. Don’t pay the ransom! It’s still highly unlikely you will get your data back, or if you do it will be in an unreadable format.
  10. Do report the crime to the police. Many don’t, and as a result such attacks go under the radar. Don’t let cyber criminals get away with it!

BATON ROUGE, La. — The August floods that upended the lives of tens of thousands of families across 26 declared parishes also washed away the landmarks of their communities. Critical infrastructure like roads, bridges, public buildings and schools proved as vulnerable to flood waters as had the smallest bungalow.

As of March 1, FEMA’s Public Assistance (PA) program has obligated $304,315,474 to reimburse local and state governments as well as certain private nonprofits for the repair or replacement of disaster-damaged facilities and infrastructure. The funds also cover debris removal and emergency response activities.

Among the eligible applicants is the Louisiana Department of Health and Hospitals, which applied for more than $900,000 in FEMA grants. The Gonzales Environmental Enhancement Facility in Ascension Parish was deemed eligible to receive nearly $996,000, while the Louisiana Department of Wildlife and Fisheries will receive close to $596,000. Nearly $63,000 will go to parks and recreation facilities in East Baton Rouge, while additional funds have been earmarked for road repairs and public safety facilities in the declared parishes. And a total of $60 million in grants has been obligated for repairing schools in eight parishes: Ascension, East Baton Rouge, Iberville, Lafayette, Livingston, St. Landry, Tangipahoa and Vermilion.

The Public Assistance program offers supplemental financial assistance on a cost-sharing basis for emergency work and the repair or replacement of disaster-damaged facilities in designated parishes. The PA program encourages protection of these damaged facilities from future events by providing assistance for certain hazard mitigation measures.

FEMA typically reimburses 75 percent of eligible PA expenses. But, because of the magnitude of the disaster, the agency will reimburse 90 percent of eligible expenses. FEMA pays the federal portion to the state which then disburses the funds to the applicants.

Hattiesburg, Miss. – While Mississippi survivors could not stop the January 20-21 severe storms and tornadoes from hammering Forrest, Lamar, Perry and Lauderdale counties, there is plenty those with losses can do – with the help of state and federal disaster assistance – to speed their personal recovery:

Register and File:

The first step is to contact FEMA and register for disaster assistance. Survivors can contact FEMA online at DisasterAssistance.gov, or by phone at 800-621-3362; TTY 800-462-7585.  Multilingual operators are available.

State and federal disaster assistance is meant to help people pay for necessities and start to get back on their feet. Disaster assistance may include grants to help pay for emergency repairs to damaged homes, temporary housing, or other serious disaster-related expenses not covered by insurance or other sources.

Register even if you are insured. Your insurance coverage may not be adequate to cover all of your losses. If you have insurance, it’s important to contact your insurance agent to begin filing an insurance claim. Also: remember to update FEMA once you receive the settlement from your insurance company.

While the deadline to register is March 27, the longer you wait to register to see if you qualify for disaster assistance, the more you delay your personal recovery.

After You Register:

Read all FEMA letters and documents. After registering with FEMA, you will get a letter telling you the outcome of your application. Make sure you read the letter completely and carefully.  At times, all that’s needed is for you to submit additional information.

Remember, you also have the right to appeal FEMA’s decision. 

Federal assistance may have to be repaid if it is duplicated by insurance or other assistance received.

Call the FEMA Helpline to keep your information up to date. Call 800-621-3362 to:

  • Ask questions about FEMA determination letters.
  • Learn how to appeal FEMA’s determination. All applicants have the right to appeal.
  • Inquire about the status of a registration.
  • Provide change of address, telephone and bank account numbers and insurance information to avoid disaster assistance processing delays.
  • Receive information about FEMA home inspections.
  • Get other questions answered about federal disaster assistance.

If it’s offered, complete and return the SBA loan application (SBA loans are not just for businesses). If you are contacted by the U.S. Small Business Administration and given the opportunity to apply for a low-interest SBA disaster loan, you should fill out the application and return it as soon as possible. As of March 5, SBA had approved 88 loans for nearly $4.8 million.

Not everyone who applies qualifies for FEMA disaster assistance grants, so submitting the SBA loan application is important. Even if you don’t think you need or want a loan, an SBA loan may be the key to your recovery by helping you pay for repairs and replacement of lost possessions.

If you qualify, SBA will work with you to develop a loan that you can manage, possibly by combining your existing home loan with the SBA loan into a new home loan.

Homeowners and renters who don’t qualify for an SBA loan will be referred back to FEMA for possible consideration of other grant opportunities. However, if you don’t submit the loan application, you halt the FEMA assistance process.

Be Smart In Your Recovery:

Choose a licensed contractor. Take time to carefully choose a contractor for repairs by demanding written estimates, following up with references and checking with local licensing authorities to see if the contractor is licensed in your community. Tips for persons seeking a licensed contractor and how to hire one are found at Mississippi State Board of Contractors under the Consumers tab or call 601-354-6161 or (800) 880-6161.

Ask for a written estimate. Make sure it includes everything you expect the contractor to do. Also, find out up-front if the contractor will charge a fee for that estimate.

Get a written contract. The contract should clearly state all work, costs and the payment schedule. Never sign a blank contract or one with blank spaces. It may also be worthwhile to have an attorney look at the contract before signing it.

For more information on Mississippi’s tornado recovery, go to fema.gov/disaster/4295 or visit the MEMA site at msema.org. Follow MEMA on Facebook facebook.com/msemaorg and on Twitter @msema.


All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you believe your civil rights are being violated, call 800-621-3362 or 800-462-7585(TTY/TDD).

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

In this age of big data, business analytics are likely to form an increasingly large part of business continuity planning and management.

By querying different data sources, internal and external to an enterprise, BC managers can hope to identify current risk, opportunity, and business trends, predict what might happen tomorrow, and even generate recommendations about what to do about it today.

The potential of business analytics to help enterprises survive and thrive is clear.

What is less clear is whether it is possible to perform them without having to hire an army of IT specialists and data scientists. But advances in chatbot technology might offer a better solution.

...

http://www.opscentre.com/business-continuity-analytics-chatbots/

Recently, I have been attending quite a few meetings regarding contingencies required for the implementation of a large project initiative. Because it’s a new initiative and many users aren’t even assigned an ID yet to use these new systems and applications, it’s a bit hard for them to know what contingency strategies are required for insertion into their Business Continuity Plan (BCP). But that’s OK because there are still options at their fingertips.

In some instances, like the one noted above, you may have to wait for direction from the Crisis Management Team (CMT) or triage team or support team – whoever is managing the situation. Until you receive that direction, your immediate response – or contingency response – is to hold off on activities and wait. It may seem odd, but that is your short-term contingency until you are provided other guidance. Even though doing nothing isn’t usually an acceptable response, sometimes it’s the only response available when you’re waiting for direction from the Crisis Management Team (CMT) or some other group that provides your area with direction and guidance.

Doing nothing is actually doing something. You may not be able to process a payment or send a file on to its next destination, but by not doing either of those, you are actually performing a task; you’re holding and waiting until you can continue. But even if that is your option, it’ll only be for a short duration, because if it turns out it’s going to be a longer outage, you may need to consider additional activities to implement if you receive word your application and/or system will be down longer than the acceptable outage period. So your BCP should contain short- and long-term contingency strategies.

...

https://stoneroad.wordpress.com/2017/03/05/bcmdr-bcp-strategies-from-nothing-to-business-as-usual/

Tuesday, 07 March 2017 16:22

BCI: Broadening exposure and horizons

The Business Continuity Institute

It has been just over two years since I was featured in the Business Continuity Institute’s ‘20 in their 20s: The future of business continuity’ publication, so I thought it might be useful to look through what I wrote at the time, determine what is still relevant and understand what has changed.

At the time I wrote about what I considered to be some of the key challenges for business continuity professionals, and considered the following four areas:

  • Macro-economic environment instability
  • Increasingly unpredictable climate change
  • Lack of top management commitment
  • Failure to create a business continuity culture

Has the world changed?

While the world has changed in many ways over the last two years, the top two points above appear to still be as relevant now as they were when I first wrote my contribution.

While the UK economy has undergone somewhat of a recovery since 2015, and continues to do so, the challenges have now evolved due to the period of uncertainty brought about by ‘Brexit’. The extent of the impact which will be felt by the UK economy and UK businesses over the next two to three years is currently not fully understood and cannot be predicted.

This uncertainty may put a squeeze on finances and potential investment, which will place emphasis on SMEs including those in business continuity roles to continue to find low-cost or cost-neutral solutions to mitigate identified risks. This challenge should drive us to be innovative with our solutions, as well as really pushing the value-add of business continuity to our leaders and managers.

The last couple of years have provided yet more weather extremes. Storm Desmond brought flooding to Cumbria in December 2015, with September 2016 providing an unusual heatwave followed by flash-flooding in some areas of the UK. As recently as February 2017, Storm Doris brought large disruption to airports and train lines as 100mph winds battered the country.

We as BC professionals will continue to plan to mitigate the impacts that adverse weather brings to our businesses, from denial of access due to snow, power cuts due to strong winds, or unavailability of staff due to public transport and road disruptions.

Broadening exposure and horizons

In the last two to three years, I have been fortunate enough to move roles a couple of times within Serco. From working in the Private Sector arm of the business, I moved to being a BC Consultant in our Local & Regional Government Division, giving me my first exposure to contracts outside of a contact centre environment.

I then moved on to become Business Continuity Manager for Central Government Division, with responsibility to the Risk Director for Business Continuity, Disaster Recovery and Crisis Management on all contracts in the Division, including on behalf of the Home Office, Ministry of Justice & Immigration, Transport Scotland and Transport for London.

This exposure to working practices in different environments, from prisons to councils, rail contracts to military bases, has benefitted me immensely. As a BC professional, early on in your career, it can be very easy to naively assume that providing you are following the best practice guidelines and are aligned to ISO22301, you are doing it right and therefore don’t need to widen your knowledge. While the basic principles remain the same for BC across any sector and any environment, lessons can be learned continuously by studying the good practice which inherently takes place, for example contingency planning in prisons and military bases. I now keep my eyes wide open to ensure my processes and plans are constantly re-developed.

Collaborative working

In my contribution to the ‘20 in their 20s’ publication I stressed the importance of building a business continuity culture. I have learned over the last few years that this is not something that can be done alone as a BC professional, as cultural change is the hardest to bring about.

I have built a strong working relationship with the Emergency Planning College (EPC) in developing business continuity training and awareness products for the management teams across our Division. Investing in our managers and giving them the correct level of understanding and the right tools for the job plays a large part in fostering a more engaged culture. Recognising my limitations, and seeing the benefit of an independent body providing training, is already reaping benefits.

Equally, in order to foster a BC culture within a business, organizational resilience as a whole must be considered. Focusing purely on business continuity limits cultural change, and the resilience of a business requires contributions from various subject matters to be improved. As a result I now work much more heavily with colleagues from risk, security, information security, human resources, legal and facilities to ensure that we foster a more resilient culture in all activities, which will in turn encourage business continuity to be a day to day consideration and not a tick box exercise.

My thoughts on where business continuity sits, and its interactions with many other subject areas, have evolved over the last few years and I am sure they will continue to do so. As a subject matter, BC touches so many areas of our business, and if those interactions are effective, BC can be used as the glue that holds together all the moving parts within organizational resilience.

Nathan Doran AMBCI has filled a number of business continuity roles within Serco across Private and Local & Regional Government sectors over the last six years. He is currently the Business Continuity Manager for Serco’s Central Government Division, with responsibility for business continuity, crisis management and disaster recovery across Serco contracts throughout the UK, including those operated on behalf of the Ministry of Justice, the Home Office, the Ministry of Defence, and Transport for London. As well as the ‘20 in their 20s’ article, Nathan has also contributed to Continuity Magazine.

Fully 47.48 percent of all phishing attacks last year were aimed at stealing victims' money, a 13.14 percent increase over 2015, according to Kaspersky Labs' Financial Cyberthreats in 2016 report.

Of almost 155 million attempts to visit phishing pages that Kaspersky detected in 2016, just under half were attempts to visit pages designed to steal financial data, such as account numbers for banking, credit accounts, Social Security numbers, and online banking login and password information.

"For the first time in 2016, the detection of phishing pages which mimicked legitimate banking services took first place in the overall chart -- as criminals sought to trick their victims into believing they were looking at genuine banking content or entering their details into real banking systems," the report states.

...

http://www.esecurityplanet.com/network-security/half-of-all-phishing-attacks-in-2016-targeted-financial-data.html

(TNS) - Nearly two years after a rash of earthquakes rattled the sensibilities of North Texas residents and state lawmakers, a meticulously designed network of seismographs is being rolled out to determine if the tremors are occurring naturally or can be linked to oil and gas industry production.

Researchers at the Texas Bureau of Economic Geology have installed 14 of 22 permanent seismographs and another 15 portable stations as part of the $4.5 million TexNet system approved by state lawmakers two years ago. The number of permanent seismograph stations has doubled in the last two months, officials said.

“It has taken some time, but to our thinking it is better to do this slower and more methodically and the state will greatly benefit, rather than us rushing in and picking sites that are not very good,” said Michael Young, associate director of the bureau. “We want to get the sensors in the ground, but in the right way.”

...

http://www.govtech.com/em/disaster/Earthquake-monitoring-system-being-rolled-out-in-North-Texas.html
