Industry Hot News

If you thought virtual reality (VR) and augmented reality (AR) were just gimmicks for people with too much time on their hands, you could be in for a surprise.

Both technologies have now progressed to a point where it is feasible to integrate them into business continuity management.

As a reminder, VR creates a virtual world for users to interact with, and is suited to training and simulations (not to mention gaming).

AR, on the other hand, overlays views of the real world with virtual elements, helping users interact better with the real world, by offering help, advice, explanations, and more, specifically targeted to what the user sees. Both VR and AR can help better deal with threats that affect business continuity.



Think about all the time and energy we spend preparing for emergency events. We develop strategies and plans, generate documentation, identify risks, and work to mitigate those risks. We’re going to help you answer those internal and external questions about how BCP provided concrete value or prevented an outage. In this blog post, we’re offering you five real-life client examples where business continuity planning efforts have been put to use.



Netflix recently experienced a third-party breach. The data lost is Season 5 of Orange is the New Black, which is original Netflix content. Many are calling it the largest entertainment industry hack since Sony. I guess that is right, but how bad is it really?

First, here is what happened. Netflix transferred season five to their post-production third party in Los Angeles, Larson Studios, for sound mixing and editing. Larson does the post work for at least 25 episodics that run on Fox, ABC, IFC and Netflix. It was Larson Studios that was hacked and, according to thedarkoverlord (TDO), they made off with not just Netflix content but network content as well, putting at risk the release of Documentary Now, Portlandia, Fargo and many others. TDO contacted Netflix and asked for a bitcoin ransom, threatening to dump the content for download otherwise. Netflix refused to be extorted and TDO made good on its threat.

That got me thinking…was Netflix right to not pay the ransom? What was the real impact of that decision? Can networks and studios do the same thing? Are they inoculated from third party damage because of their industry or their product? Let’s find out.



Most companies have accepted the new market reality: customers are in charge, having digital chops is table stakes, and disruption is becoming normal. 

Although most companies have accepted this reality, they also admit that they are not prepared for it. In our Customer Obsessed Assessment, 62% of companies identified as being behind the power curve addressing current customer demands and an additional 25% are slightly behind where they want to be.

The results are not terribly shocking; there’s a lot of work to do. But it doesn’t make it any less scary once you realize we’re in the early stages of change.

The large-scale market response is still playing out - and the cycle of far-reaching (and sometimes painful) change will be playing out for many years to come. Arguably the large-scale market response is still to come. For example:



(TNS) - Missouri state Rep. Bill Lant wanted to join Gov. Eric Greitens when he unveiled his plan to address flooding in the state.

But the ditches carved into the road in front of his Pineville home almost prevented him from doing that. He had been stuck the whole weekend while more than 10 inches of rain fell around him.

Lant said he planned to ask the governor for state assistance when it came to the devastation in his county.

“I’m fine, but there are parts of Noel, Anderson that have just had terrible flooding,” Lant said.

Although the state has expended all available resources to provide relief, many of those affected are hoping that President Donald Trump will declare Missouri a disaster zone.



It happens often in conversations with clients that I realize they have disjointed initiatives going on to support their digital transformation. The most dangerous parallel initiatives are those where, on one side, they are changing their development teams to become more Agile, while a separate initiative in the same enterprise has their Operations folks running a development and operations (DevOps) transformation. The first thing I recommend to those clients is to unify or tightly connect those programs with an underlying common lean strategy. But I don’t want to dig in here about Agile+DevOps and how overused and abused the term “DevOps” is. I will just recommend to you some reports we’ve published explaining how “Agile” and “DevOps” are two sides of the same coin (see, for example, “Faster Software Delivery Will Accelerate Digital Transformation”). The Modern Application Delivery playbook I’ve co-authored for years is all about what it means to adopt Agile+DevOps. Check that out too.

But the second and equally important thing I realize with these clients happens when I start querying them about their testing capabilities and approach during those journeys towards more agility and DevOps. And that opens the next can of worms. Why? Because if Agile disrupts how we test applications, continuous delivery, which DevOps is a core enabler of, represents an unprecedented disruption of testing. I just published a report on the continuous testing (CT) services providers landscape, where I provide my definition of what continuous testing means and is. I think the figure here makes it very clear.



The cloud is still growing by leaps and bounds, but not as fast as it was at the beginning of the decade. But it is unclear if this represents a long-term trend as the market reaches the front end of a traditional bell curve, or just a minor pause in the technology’s ultimate takeover of the enterprise data environment.

According to IDC, vendor revenue from the sale of cloud-based infrastructure products grew by 9.2 percent in 2016. This represents a healthy market of $32.6 billion, but it still represents a shortfall of about $4.5 billion from what the company had predicted based on earlier growth data. The company suspects that part of this is due to a slowdown in the hyperscale market, but it can also be attributed to the fact that many companies have migrated some of their workload to the cloud and are seeing how it performs before moving forward. It is important to note that cloud revenues are increasing while spending on traditional data center infrastructure is declining on the order of about 9 percent per quarter.

But this isn’t to say that the enterprise is ready to give up on the local data center just yet. According to a recent survey from the Uptime Institute, the percentage of workloads residing in enterprise owned and operated facilities has been stable at about 65 percent since 2014. To the institute, this means that regardless of what happens with the public cloud, local data center infrastructure will remain as a critical asset for most enterprises as they pursue digital-centric strategies.



Tuesday, 02 May 2017 15:40

Cloud Growth Slows, Slightly

Despite the challenges of a slowed economy in an election year, a shifting risk landscape as a result of technological advances, and a slow to negative growth rate in some sectors, 2016 saw the total cost of risk (TCOR) decline for the third consecutive year, according to the 2017 RIMS Benchmark Survey.

Even in the face of such uncertainties, the TCOR per $1,000 of revenue continued to drop, ending at $10.07 in 2016. The main drivers were declines in all lines excluding fidelity, surety and crime costs, according to the report. TCOR is defined in the survey as the cost of insurance, plus the costs of the losses retained and the administrative costs of the risk management department.

The survey encompasses industry data from 759 organizations and contains policy-level information from 10 coverage groups, subdivided into 90 lines of business.



(TNS) - Powerful storms that generated flooding and tornadoes across the south-central United States killed at least 12 people over the weekend.

The National Weather Service said multiple tornadoes ripped through central Texas on Saturday.

The town of Canton, located about 50 miles east of Dallas, was hit especially hard. Mayor Lou Ann Everett said Sunday that at least four people died and almost 50 others were injured, according to local media.

The fire department said the death toll could rise as people continue to comb through the debris. Dozens of cars were reportedly tossed in the air on the interstate that runs through town.



If data center managers thought virtualization and cloud computing were challenging in terms of big shifts in architecture, they better get ready for the next big thing. The Internet of Things is likely to give you far more headaches in terms of volume of data to store, devices to connect with and systems to integrate.

Long-term data center managers have certainly borne witness to immense change in recent decades. From mainframes to minicomputers and client/server, then virtualization and cloud computing. The pattern seems to be as follows: at first, their entire mode of operation is challenged and altered. After a few hectic years, life calms down, only for yet another wave of innovation to sweep the world of the data center off its axis.

And here we go again with the Internet of Things (IoT). The general idea is that sensors and microchips are placed everywhere, and the data they produce is subjected to advanced analytics to give businesses a competitive edge and to provide the data center with greater capabilities in terms of infrastructure management and security.



Have you ever gotten to the end of your journey to find you’re not in the place you thought you’d be, or wanted to get to? It’s that way for many projects and programs, including BCM/DR initiatives. Sometimes what you intended to achieve isn’t what you end up accomplishing, if anything at all.

Developing and maintaining a Business Continuity Management (BCM) / Disaster Recovery (DR) program means managing, and sometimes juggling, multiple components. You could be juggling Business Impact Analysis (BIA) reviews while starting to plan the next major Simulation Exercise. This is common and, in project management terminology, it’s a bit of an Agile approach rather than the traditional ‘waterfall’ approach (i.e. end one task before starting another). When this occurs, you do run the risk of overlapping initiatives and, sometimes, of overlapping approvals being required. But don’t think that your approvals can be delayed or rebuffed; they are important.



Monday, 01 May 2017 14:30

BCM & DR: Managing Expectations

BATON ROUGE, La. — There is still time to apply for 100 FEMA reservist positions for Public Assistance (PA) Site Inspector Specialists. FEMA has extended the application deadline by a week to 5/6/2017 and is looking for construction managers, building inspectors and disaster recovery specialists to work in various locations.

This week the Baton Rouge Joint Field Office (JFO) also kicked off a national pilot program designed to convert FEMA’s local hires to reservist status. A robust team of FEMA reservists needs to be available and ready to respond to disasters at any time, anywhere in the nation.

FEMA provides help and support to people in the midst of an emergency situation and those dealing with the aftermath. Reservists are brought to the site to assist in federally declared disaster operations. PA specialists will conduct site inspections of claimed disaster-related damage. Essential knowledge for these positions includes: understanding and experience related to general engineering and construction practices for public infrastructure, experience inspecting and assessing damaged infrastructure, and general knowledge of building codes and standards.

Preferred professional certifications and experience: construction management, construction and building inspection, disaster recovery, sewage and waste water treatment, roads and bridge work, and customer service.

Those who sign up for the Reservist Program must be able to deploy with little or no notice to anywhere in the United States and its territories for an extended period of time. While activated and deployed, reservists will serve in a federal travel status and be entitled to lodging, transportation and per diem reimbursement for authorized expenses in accordance with travel regulations. The expected hourly rate will be up to $24/hour, depending on experience.

All applications must be sent via e-mail to the address given in the original announcement (not reproduced on this page) with the following subject line: 2401 – Public Assistance Site Inspector Specialist – PA. Again, applications will be accepted through 5/6/2017. For more information visit www.laworks.net.

We heard two very different perspectives on the future of on-premise enterprise data centers from top executives on this week’s earnings calls by two of the world’s largest cloud providers.

Microsoft, which has a huge – and growing – on-premise data center software business in addition to a quickly growing cloud one, is continuing to pursue a hybrid strategy, pushing the idea that companies will want to continue using their internal data centers while augmenting them with cloud services.

Alphabet subsidiary Google, which never had the need for an on-premise software business, is playing up wholesale shift of enterprise workloads from corporate data centers to its cloud. Here’s Alphabet CEO Sundar Pichai on the company’s earnings call Thursday:



Over the years, I have had the opportunity to travel often for my career. Of all the cities I’ve visited, London is one of my favorites. On a recent visit, one thing became overwhelmingly clear: the city aims to build awareness in its citizens and visitors and to change their behaviors. How so? You have probably seen a version of the famous London Underground sign: MIND THE GAP.

If you aren’t familiar with it, this insignia is displayed at the edge of train platforms to remind passengers of the gap between the walkway and the train car. The purpose of the message is to boost awareness and ultimately, alter passenger behavior. Similarly, this is also the purpose of training in corporations – to increase the awareness of employees, to change their behaviors and increase their safety.

Over the last few decades, companies have reacted to legal and financial threats, as well as safety threats, by building a collection of mandatory training for their personnel. Following the founding of OSHA in the 1970s, we saw a rise in training around safety-related behaviors, both in the field and in the office. In the 1980s, sexual harassment was a hot topic, and even lawyers joined the business of training clients on both the law itself and the behaviors that were and were not acceptable. Following major ethical lapses and the Enron failure in 2001, corporations set their sights on ethics training. Today, those training topics are the norm, and new topics continue to be added, such as cultural sensitivity and improving diversity in the workplace.



Business Intelligence (BI) pros continue to look for outside professional services. Forty-nine percent of decision makers say their firms are already engaging and/or expanding their engagements with outside data and analytic service providers, and another 22% plan to do so in the next 12 months. There are two main reasons for this sustained trend:

  • The breadth and depth of BI deployments cannot be internally replicated at scale. Delivering widely adopted and effective BI solutions is not easy. It requires rigor in methodology, discipline in execution, the right resources, and the application of numerous best practices. No internal enterprise tech organization can claim this wealth of expertise and experience; this only comes after delivering thousands of successful and unsuccessful BI projects — which we believe is solely the realm of management consultants and systems integrators. These partners have collectively accumulated such experience over many years and thousands of clients and projects.
  • Implementation partners help connect technology and business priorities. While business and technology pros ultimately work toward the same goal — improving their companies' top and bottom lines — they often use different approaches to get there. Business pros often have a preference for a particular BI tool and just want to get their jobs done quickly, efficiently, and effectively. It's not that they don't care about a single version of the truth, enterprise software standards, security, and procurement guidelines — it's just that getting their jobs done trumps everything else, while technology pros have different goals. Finding a middle ground between opposing priorities is tough. When all else fails, firms look for a reputable, well-respected professional services organization that can act as a referee and provide an objective road map to align business and technology management goals, objectives, and priorities.

Take a look at our recently published research report - The Forrester Wave™: Business Intelligence Platform Implementation Service Providers, Q2 2017 - where we:

  • recommend a BI implementation service provider shortlisting and selection methodology, and
  • evaluate 13 top providers in this market.


Today is World Day for Safety and Health at Work and the ideal time to consider a new International Standard due out early next year – ISO 45001 – ISO’s first standard for occupational health and safety management systems.

Latest estimates from the International Labour Organization (ILO) show that more than 6,300 people die each day (that’s over 2.3 million a year) as a result of work-related activities, and in total over 300 million accidents occur on the job annually. The burden to employers and employees alike is immense, resulting in losses to the wider economy from early retirements, staff absence and rising insurance premiums.

The ILO’s awareness-raising campaign, held annually on 28 April, is intended to focus international attention on the magnitude of the problem and on how promoting and creating a safety and health culture can help reduce the number of work-related deaths and injuries.



MSPs are tasked with keeping everything running. They manage an around-the-clock, constant flow of information, accessible at any time from anywhere. Each and every business depends in some way, shape or form on that network of information flowing. However, we often consider only a small subset of what users actually interact with to be the MSP’s responsibility: for example, desktops, servers, laptops and maybe some simple network monitoring.

We need to expand what we consider fundamental to our monitoring responsibilities. Today’s customers are more comfortable than ever with technology. With that comfort, their expectations for availability, performance and quality have grown. Moreover, large telecom providers have made information flow easier, unlimited and available everywhere with faster speeds than ever before, changing users’ expectations outside of their work lives.

When users arrive in the office, expectations have already been set. Your role as an MSP and manager of that network of information comes front and center. Clients begin to engage with phones over the network, wireless access points, data in the cloud, virtualized applications running in the data center and, of course, hosted email.



WASHINGTON – The application period for the 2017 Federal Emergency Management Agency (FEMA) Individual and Community Preparedness Awards is now open. The awards highlight innovative local practices and achievements by honoring individuals, organizations and jurisdictions that have made outstanding contributions toward strengthening their community to prepare for, respond to, recover from, and mitigate a disaster.

FEMA and partners from the emergency management industry will review all entries and select the winners in each of the following categories:

  • Outstanding Citizen Corps Council
  • Community Preparedness Champions
  • Awareness to Action
  • Technological Innovation
  • Outstanding Achievement in Youth Preparedness
  • John D. Solomon Whole Community Preparedness Award
  • Outstanding Private Sector Initiatives
  • Outstanding Community Emergency Response Team (CERT) Initiatives
  • Outstanding Citizen Corps Partner Program
  • Preparation in Action

Winners will be announced in the fall of 2017, and a series of webinars and local ceremonies will celebrate their achievements.

To be considered for this year’s awards, all submissions must be received by May 30, 2017, at 11:59 p.m. EDT, and must feature program activities taking place between Jan. 1, 2016, and May 30, 2017. Applications are accessed online and should be submitted to the e-mail address given in the original announcement (not reproduced on this page).

More information about the awards is available at www.ready.gov/preparedness-awards


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema and www.youtube.com/fema. Also, follow Acting Administrator Robert Fenton’s activities at www.twitter.com/bobatfema.

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

The world is changing fast, and bring-your-own-device (BYOD) and telecommuting are increasingly becoming the norm, not the exception. This increasingly mobile and flexible workforce creates new security challenges as more and different types of devices are being used in multiple locations. Security and risk professionals must ensure that only the right people get access to the right information at the right time and for the right reasons. Identity and access management (IAM) tools help evaluate who has authorized access to which resources and why.

In our recently published Forrester Data: World Identity And Access Management Software Forecast, 2016 To 2021 (Global), Forrester predicts that the IAM software market will grow to $13.3 billion by 2021, from $7.7 billion in 2016, implying an 11.5% CAGR.



North American insurers lead the way in IT spending globally and will invest $73 billion in tech areas such as data analytics, cloud, and insurtech in 2017.

Digital Insurance reports that global IT spending by insurers is slated to reach $185 billion by the end of this year, according to the Celent “IT Spending in Insurance 2017” report.

After North America, insurer technology spending by region is as follows: Europe ($69 billion); Asia ($33 billion); Latin America ($5 billion); then a group of territories comprising Africa, the Middle East and Eastern Europe (around $5 billion collectively).



There's a good chance you've considered the implications of machine learning for your security team. As data increases, the skill gap widens, and hackers' strategies get more complex, businesses struggle to detect and address cyberattacks.

Machine learning enables behavioral analytics and cognitive security to detonate attachments before they arrive in someone's inbox, or correlate types of activity across a network of thousands of users.

The ability to stop attacks before they occur is powerful, but how should security leaders start the process of making their systems smarter with machine learning?



The Business Continuity Institute

There is an alarming level of exposure for corporate and sensitive files across organizations, including an average of 20% of folders per organization open to every employee, according to a new study conducted by Varonis.

The Data Risk Report was the result of an analysis of 236.5 million folders containing 2.8 billion files, comprising 3.79 petabytes of data. Of that figure, 48,054,198 folders were open to 'global access groups', or groups that grant access to the entire organization. Nearly half (47%) of organizations had at least 1,000 sensitive files open to every employee, while one in five (22%) had 12,000 or more sensitive files exposed to every employee.

Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organization to data breaches, insider threats and crippling ransomware attacks. A recent Ponemon study found that 62% of end users say they have access to company data they probably should not see, and a Forrester Consulting study found that 59% don’t enforce a need-to-know permissions model for sensitive files.

Business continuity professionals are all too aware of the damage a cyber security incident could cause, as identified in the Business Continuity Institute's latest Horizon Scan Report. In this report cyber attack and data breach were ranked as the top two threats with the vast majority of respondents to a global survey (85% and 80% respectively) expressing concern about the prospect of them materialising.

“In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organizations focus on outer defenses and chasing threats, the data itself is left broadly accessible and unmonitored,” said Ken Spinner, VP of Field Engineering at Varonis.

Some IT security attacks start from the most innocent mobile apps and in ways that let cyber-criminals simply pick up confidential communications without having to hack into anything at all.

While it may sound surprising, many mobile apps leak user data to anybody ready to receive it. While some free apps rely on being able to harvest and resell such user data, other paid apps, some of them from highly reputable brands, are simply careless about the user IDs, passwords, user profile information, and other information they ask for via mobile permissions. And even consumer user IDs and passwords can move hackers a step closer to getting into business systems. Here’s why.

The danger of leaky mobile apps may be indirect, but it is still very real.



The bedrock of the insurance industry is quaking. For decades, large North American insurers got bigger by dominating distribution and methodically mastering information technology. But the confluence of changing customer demands, hundreds of insurtech startups and non-traditional competitors sniffing around the business of insurance is upsetting the long-standing insurance equilibrium. Insurance carriers, and their agents and brokers, must go digital or go bust.

During the second half of 2016, my fellow Forrester analyst Oliwia Berdak and I interviewed digital business strategy executives with traditional insurers and hot startups around the globe to get their take on the role that digital will play in the business of insurance over the coming decade. What were the big takeaways from our conversations? Consider that:



Attention to America’s immigration policies has intensified recently, with politicians and citizens wrangling over whether and how to control the number of foreigners entering the country. Emergency managers, however, largely don’t believe immigration is their issue. Except, in a sense, it is.

“I don’t see why or how [immigration] really relates to emergency management, which is distinct from homeland security,” said hazmat and emergency management logistics lecturer Bob Jaffin. “Why would that even come up … in a situation that is an emergency?” 

That sentiment holds true when evaluating the black-and-white definition of emergency management, but shades of gray exist in a number of areas. Immigration affects emergency managers in roundabout manners; instead of focusing on direct involvement — such as enforcement or policymaking — they attend to indirect effects, such as language barriers and population shifts.



The Business Continuity Institute

Cyber espionage is now the most common type of attack seen in manufacturing, the public sector and education, warns Verizon's latest Data Breach Investigations Report. Much of this is due to the high proliferation of proprietary research, prototypes and confidential personal data, which are hot-ticket items for cyber criminals. Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related, many of which started life as phishing emails.

In addition, organized criminal groups have escalated their use of ransomware to extort money from victims with this year’s report showing a 50% increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyber attack.

“Insights provided in the DBIR are leveling the cyber security playing field,” said George Fischer, president of Verizon Enterprise Solutions. “Our data is giving governments and organizations the information they need to anticipate cyber attacks and more effectively mitigate cyber risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we’re able to offer valuable intelligence that can be used to transform an organization’s risk profile.”

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity Institute's latest Horizon Scan Report. It is for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017, with the intention of improving an organization's overall resilience by enhancing its cyber resilience, and recognising that people are key to achieving this.

“Cyber attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “Cyber criminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

With 81% of hacking-related breaches leveraging stolen and/or weak or guessable passwords, getting the basics right is as important as ever. Some recommendations for organizations and individuals alike include:

  1. Stay vigilant - log files and change management systems can give you early warning of a breach.
  2. Make people your first line of defence - train staff to spot the warning signs.
  3. Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it.
  4. Patch promptly - this could guard against many attacks.
  5. Encrypt sensitive data - make your data next to useless if it is stolen.
  6. Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
  7. Don’t forget physical security - not all data theft happens online.

“Our report demonstrates that there is no such thing as an impenetrable system, but doing the basics well makes a real difference. Often, even a basic defence will deter cyber criminals, who will move on to look for an easier target,” concludes Sartin.

Ever since marketing figured out that companies could do better by asking customers what they wanted, rather than just trying to tell them, businesses have moved massively to the notion of working backwards from the customer.

Indeed, Jeff Bezos, founder of Amazon.com, declared, ‘‘We start with the customer and we work backward. We learn whatever skills we need to service the customer.’’

It seems like business continuity planners could take a leaf out of the marketing playbook and ask customers what they would like to see in terms of their provider’s business continuity.

But is that enough?



Wednesday, 26 April 2017 16:25

Business Continuity by Working Backwards

A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is to a malicious hacker attack.

But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.

One way to sidestep both of these problems is to carry out your own network penetration tests.

In this article, we'll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.



A successful entrepreneur spends all the time necessary to plan, down to the smallest detail, the workings of his or her business. Staffing, marketing, inventory, equipment, investors, location and more are all part of the dynamic. One aspect missing from many business plans is a strategy and system for unexpected problems caused by a disaster that harms the company’s physical plant. Whether resulting from natural forces, mechanical breakdowns, or human error, damage to your place of business halts production and risks the ruin of your hard work and vision. What can ensure your business continues even in the face of tragedy?

Half of the commercial enterprises suffering the effects of water, fire, or other disaster close their doors to deal with the crisis and then never reopen. This shocking statistic is one no business owner dares ignore. Customers and clients need to know the services and products you offer are reliable and available without fail, with no room for excuses. Business continuity is crucial to your company’s growth and survival in a competitive economy. If customers are forced to look elsewhere to replace the unique product you provided before a mishap, many of them never return. Even a short break in service can foreshadow the downfall of your company.



Wednesday, 26 April 2017 16:22

Survive And Thrive After Disaster

The Business Continuity Institute

Over 80% of security professionals identify ‘people’ as the industry’s biggest challenge, as opposed to technology and processes, according to the results of the second annual survey from the Institute of Information Security Professionals (IISP).

The survey also indicates that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens. In real terms, spending does appear to be on the rise with 70% of companies seeing an increase in budget, up from 67%, and only 7% reporting a reduction, which is down from 12% last year.

While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.

Cyber security is a hot topic for business continuity and resilience professionals with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber security was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security.

“Many of the figures in this year’s survey show a step in the right direction,” says Piers Wilson, author of the report and Director at the IISP. “The continuing high frequency of cases hitting the headlines and the regulatory pressures, including from GDPR, are leading to a corresponding increase in investment and a drive for increased skill, experience, education and professionalism. However, there is still a lot of work to do and we need to redouble our efforts to meet the challenge of increasingly sophisticated threats.”

The U.S. Justice Department recently announced that 32-year-old Roman Valeryevich Seleznev, known as "Track2," was sentenced to 27 years in prison for a series of cyber attacks that caused over $169 million in damages.

It's the longest prison sentence ever given to a hacker in the United States.

Seleznev was convicted in August 2016 for hacking into point-of-sale (PoS) systems and installing malware designed to steal millions of credit card numbers from more than 500 U.S. businesses between October 2009 and October 2013. Approximately 3,700 financial institutions were impacted by the attacks.

The stolen data was then transferred to servers under Seleznev's control in Russia, Ukraine, and McLean, Virginia, after which Seleznev sold the stolen credit card numbers on carding websites.

Among the businesses Seleznev targeted was Seattle, Washington's Broadway Grill, which was forced into bankruptcy following the attack.



Today’s threat environment is more complex than ever before, requiring that businesses be prepared to combat attacks from many different directions.

These days, outages or issues are often the result of non-traditional concerns or events. As you think about each of the items below, remember that your first step will be to determine the potential risk. Once you understand the risk, you can identify the impact of an occurrence, and determine and implement an appropriate mitigation strategy.

Ask yourself the following questions to determine your potential threats and risks.



Efficient storage management includes migrating aging data through progressively less-expensive storage tiers. When data ends its migration at the cold storage stage, you can keep it for long periods of time at very low cost.

Cloud-based data storage generally falls into these four storage classes or tiers:

  • Hot storage is primary storage for frequently accessed production data.
  • Warm storage stores slightly aging but still active data. It costs less because the underlying storage systems don’t have the high performance and availability requirements, but it keeps data quickly accessible.
  • Cool storage houses nearline data, which is less frequently accessed data that needs to stay accessible without a restore process.
  • Cold storage is a backup and archival tier that stores data very cheaply for long periods of time. Restore expectations are few and far between. Security, durability and low cost characterize this tier.



I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets.  I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.  

The other day, working with him on his training points, I thought to myself, “Woah, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?



The debate over the efficacy of the hybrid cloud is likely to continue for as long as there are hybrid clouds. Pure-cloud advocates say hybrids are merely a marketing ploy by vendors looking to preserve their legacy platforms, while hybrid supporters say they are simply meeting the demands of the enterprise community.

But it seems that lost in the debate is one salient fact: that infrastructure, and even architecture, is quickly becoming a secondary consideration in the deployment of advanced data environments. Rather, many organizations are starting with the needs of the process they wish to support, and then working their way back to systems and applications. Sometimes this leads to a cloud-native solution, sometimes to a hybrid, and sometimes to physical, on-premises infrastructure.

In Microsoft’s recent State of the Hybrid Cloud report, the company noted that virtually all enterprises have either deployed a hybrid cloud or are planning to do so within the year. But what’s more interesting, says Redmond Channel Partner’s Jeffrey Schwartz, is the finding that nearly half of those who say they have yet to implement a hybrid actually already have one. Part of this is due to the confusion as to what constitutes a hybrid, but it also reflects the fact that IT deployment decisions are increasingly made by line-of-business managers these days, not IT, and they have little interest regarding the mechanics of their underlying infrastructure – they just want their processes to run.



The Business Continuity Institute


A worrying number of UK businesses have no formal plan to protect them from cyber attack and there has been no improvement from a year ago, according to a study conducted jointly by the Institute of Directors and Barclays.

The Cyber security: Ensuring business is ready for the 21st century report found that almost all companies (94%) think security of their IT systems is important, but only a little over half (56%) have a formal strategy in place to protect their devices and data.

The report shows that, despite a number of high-profile cyber attacks over the last year, more than one third (37%) of IoD members work in organizations without a formal cyber security strategy.

Given that the Business Continuity Institute's latest Horizon Scan Report identified cyber attacks and data breaches as the greatest concern to business continuity and resilience professionals, it is essential that organizations do more to protect themselves from such an incident, or equip themselves to respond to the likelihood that one should occur.

The new General Data Protection Regulation, which comes into effect in May 2018, will make organizations much more accountable for their customers' data, so the IoD and Barclays are urging business leaders to step up their preparations now. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.

Stephen Martin, director general of the IoD, said: "This report has revealed that business leaders are still putting cyber security on the back burner."

The amount of energy Apple used in data centers it leases from third-party providers more than quadrupled over the last four years, going from about 38,550 MWh total in fiscal year 2012 to more than 180,200 MWh in fiscal 2016, according to the latest annual environmental responsibility report the company released this month. Leased footprint now consumes close to one-quarter of Apple’s total data center energy consumption.

Fiscal 2016 was the first year Apple started tracking its exact energy use in colocation facilities using meters and reporting it as part of the company’s global footprint in its environmental report, offering for the first time a glimpse into the scale of its leased capacity and how quickly that scale has increased over the years.

This rate of growth illustrates just how much hyper-scale cloud platforms still rely on leased data centers, despite also spending enormous sums on building out their own server farms around the world every year. In addition, Apple’s focus on energy supply of these third-party facilities is an example of the growing demand for colocation services powered by renewable energy, which many providers and their customers have been observing recently.



Delivering exceptional customer experiences and products for your business takes speed and flexibility. More than ever before, speed and flexibility are required from every part of your organization, business and IT alike. DevOps gives your business leaders, enterprise architects, developers and I&O leaders a philosophy for achieving not only the velocity that customers desire but also for driving innovation and enforcing quality. One example is ING. The company is undergoing a major digital transformation in which DevOps is a primary driver supporting that transformation. ING CIO Ron van Kemenade has initiated DevOps as the vehicle to aggressively support ING’s evolving customer needs. At ING, technology is the beating heart of the bank.



Monday, 24 April 2017 14:43

DevOps, Invest For Velocity And Quality!

More often than she would like, Carrie Simpson fields a call from a panicked managed services provider (MSP) desperate for new business after realizing their sales funnel is near empty.

The owner of Winnipeg, Canada-based Managed Sales Pros is an expert at finding small businesses that want to buy managed IT services, and scheduling them for appointments with salespeople at MSPs.

Making that happen is a product of smart, grinding work behind the scenes – after which Simpson and her team are powerless to guide sales tactics that ultimately determine whether a deal closes.



Analytics is becoming a crucial element in the enterprise data ecosystem. It is one of the key drivers of the Internet of Things (IoT), and will undoubtedly provide key competitive advantages as the digital economy unfolds.

But it doesn’t come cheap, and it is by no means an easy process to master. So as the enterprise finds itself between the rock of an increasingly data-driven business model and the hard place of having to create a highly sophisticated analytics environment, it is understandable that many organizations are willing to launch this particular endeavor on the cloud.

According to the Harvard Business Review, nearly 70 percent of organizations expect to have cloud-based analytics solutions up and running by the end of the year. The reasons vary from improved decision-making and forecasting to greater speed and efficiency, but underneath the operational benefits is a simple fact: The cloud offers the means to launch analytics infrastructure quickly and at the scale required of modern production environments. To be sure, issues like data migration and lack of customization exist in the cloud, but these are generally seen as secondary considerations to the need to put analytics to work quickly before business models are disrupted by a more nimble, data-savvy competitor.



Amid ongoing political upheaval in Venezuela and a volatile geopolitical landscape elsewhere, the need for political risk insurance is rising to prominence for multinational companies.

AP reports that General Motors just became the latest corporation to have a factory or asset seized by the government of Venezuela.

GM said assets such as vehicles were taken from the plant causing the company irreparable damage.

To protect themselves against loss or damage to physical assets caused by political action and instability, businesses should consider purchasing political risk insurance.



An annual assessment of the nation’s day-to-day preparedness for managing community health emergencies improved slightly over the last year—though deep regional inequities remain.

The Robert Wood Johnson Foundation (RWJF) has released the results of the 2017 National Health Security Preparedness Index, which found the United States scored a 6.8 on a 10-point scale for preparedness—a 1.5 percent improvement over the last year, and a 6.3 percent improvement since the Index began four years ago.

The Preparedness Index analyzes more than 130 measures—such as hazard planning in public schools, monitoring food and water safety, wireless 9-1-1 capabilities, flu vaccination rates, and numbers of paramedics and hospitals—to calculate a composite score that provides the most comprehensive picture of health security and preparedness available.



Sustainable purchasing can improve supplier relations – and your business. ISO 20400 for sustainable procurement has just been published to help organizations make sustainable purchasing a way of life.

Procurement plays a large role in any organization, large or small. Who an organization buys from has just as big an impact on its performance as what it buys. Ensuring suppliers have sound and ethical practices – across everything from working conditions and risk management to their environmental impact – has the potential to not only make businesses work better, but to improve the lives of everyone in the communities where they are situated.

Sustainable procurement entails making purchasing decisions that meet an organization’s needs in a way that benefits them, society and the environment. It involves ensuring that a company’s suppliers behave ethically, that the products and services purchased are sustainable and that such purchasing decisions help to address social, economic and environmental issues.

ISO 20400, Sustainable procurement – Guidance, is the world’s first International Standard for sustainable procurement and aims to help organizations develop and implement sustainable purchasing practices and policies.



The Business Continuity Institute

It’s important to keep our business continuity plans up to date. That almost goes without saying. But what, exactly, do we mean by keeping our plans up to date?

Most organisations with a business continuity plan will assign someone to review it periodically - in particular, to check that the names and contact details of the various team members are kept up to date. Which is an important activity. But there’s a bit more to it than that.

There are essentially two reasons for reviewing and updating our plans.

Firstly, to ensure the plans’ content - the names, contact details, checklists, etc - remains current.

Secondly, and just as importantly, to ensure that the strategies and solutions that underpin the plans remain fit for purpose and continue to enable us to meet our continuity objectives. Which implies that now and again we need to review those objectives and the strategies and solutions that support them.

Many organisations focus entirely on the operational detail of the plans and neglect the strategic elements. If that sounds familiar, you might consider adding a periodic strategic review to your plan maintenance programme. Otherwise, whilst you might be able to contact people without too much difficulty, it may well be to tell them that the plan doesn’t work!

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Monday, 24 April 2017 14:16

BCI: An objective review ...

Sixty-four percent of security professionals doubt their organizations can prevent a breach to employees' mobile devices, a recent Dimensional Research survey [PDF] of 410 security leaders found.

The survey, sponsored by Check Point Software, also found that 20 percent of businesses have experienced a mobile breach, and another 24 percent don't know, or can't tell, whether they've experienced one.

Strikingly, 51 percent of respondents believe the risk of mobile data loss is equal to or greater than that for PCs.

"Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices," the report states.



Enterprises are loading up their data centers with hybrid flash storage systems in increasing numbers, according to a new survey from ActualTech Media commissioned by storage array maker Tegile Systems.

More than half (55 percent) of the 700 IT professionals polled for the study said they were using hybrid flash storage systems, which typically use a combination of solid-state drives and traditional hard disk drives to speed up data services, in their environments. Last year, 47 percent reported the same.

Meanwhile, all-disk storage systems are steadily losing their appeal. Adoption rates dipped from 41 percent last year to 37 percent in the first quarter of this year. All-flash environments remain relatively rare with a mere two-percent penetration rate.



Customer service departments in all industries are increasing their use of chatbots, and we will see usage rise even higher in the next year as companies continue to pilot or launch their own versions of the rule-based digital assistant. What are chatbots? Forrester defines them as autonomous applications that help users complete tasks through conversation.
While Forrester’s Consumer Technographics® data reveals that 60% of US online adults already use online messaging, voice, or video chat services, there are challenges to widespread adoption. We reached out to our ConsumerVoices Market Research Online Community members to better understand consumer impressions of chatbots and found that our respondents had a difficult time identifying clear benefits to interacting with them. Many prefer to communicate with a representative who can show real empathy, address more complex needs, and offer them assurance.

(TNS) - Six months after dangerous Hurricane Matthew buzzed up Florida’s Atlantic coast, storm experts are still debating why some people didn’t evacuate in the face of what became the 10th most destructive storm in U.S. history.

A clutch of coastal condo dwellers and beachfront homeowners refused to budge despite mandatory orders and unusual public pleas from South Florida hurricane hero Bryan Norcross and National Hurricane Center Director Rick Knabb.

They got lucky when Matthew delivered only a glancing blow, but how to better convey potential storm risk was a theme at Wednesday’s National Hurricane Conference in New Orleans where forecasters lamented ineffective messaging.



I am pleased to announce that the new Forrester Wave evaluation for infrastructure and operations professionals is now live! This Wave evaluation uncovered a market in which four providers — Sungard Availability Services, Bluelock, IBM, and iland — all emerged as Leaders, although their strengths differ. Another five providers — HPE Enterprise Services (now DXC Technology), Recovery Point, Plan B, Daisy, and TierPoint — are Strong Performers. NTT Communications is a Contender.

To evaluate these vendors, we developed a comprehensive set of criteria in three high-level buckets: current offering, strategy, and market presence. The criteria and their weightings are based on past research and user inquiries. In addition to typical user demands, this Forrester Wave™ evaluation also has a few thought-provoking criteria such as the provider’s capability to deliver security services, real-time views through a readiness score, automated change management, and orchestration-led enterprise application recovery.



The Business Continuity Institute

Not only are many employees likely to share confidential information, but they are doing so without proper data security protocols in place or in mind, according to a new study by Dell. Today's workforce is caught between two imperatives: be productive and efficient on the job, and maintain the security of the organization's data. To address data security issues, organizations must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity.

The Dell End-User Security Survey indicates that among the people who work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and what the data security policies are. This confusion is not without merit: there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward.

Three in four employees say they would share sensitive, confidential or regulated company information under certain circumstances for a wide range of reasons, with 43% saying they would do so when directed by management. Four-fifths of employees in financial services (81%) would share confidential information, and employees in education (75%), healthcare (68%) and federal government (68%) are also open to disclosing confidential or regulated data at alarmingly high rates.

"When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy," said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. "These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity."

The survey finds that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways. A quarter of respondents (24%) indicated they do so to get their job done and one-fifth (18%) say they did not know they were doing something unsafe. Only 3% of respondents said they had malicious intentions when conducting unsafe behaviours.

Further findings of the report include:

  • 45% of employees admit to engaging in unsafe behaviours throughout the work day
  • These behaviours include connecting to public wifi to access confidential information (46%), using personal email accounts for work (49%), or losing an organization-issued device (17%)
  • One in three employees (35%) say it is common to take corporate information with them when leaving a company
  • Employees take on unnecessary risk when storing and sharing their work, with 56% using public cloud services such as Dropbox, Google Drive, iCloud and others to share or back-up their work
  • 45% of employees will use email to share confidential files with third-party vendors or consultants

These findings help reinforce the theme for Business Continuity Awareness Week which highlights that cyber security is everyone's responsibility, and with a little more awareness on the right policies and procedures, we can all play a part in building a resilient organization.

The survey findings indicate that employees struggle with cyber security in the workplace because they do not want to see their organization suffer a data breach, but they also struggle with the limitations security programmes can put on their day-to-day activities and productivity.

"While every company has different security needs, this survey shows how important it is that all companies make an effort to better understand daily tasks and scenarios in which employees may share data in an unsafe way," says Hansen. "Creating simple, clear policies that address these common scenarios in addition to deploying endpoint and data security solutions is vital in order to achieve that balance between protecting your data and empowering employees to be productive."

Much ink has been spilled over United Airlines' latest public incident and social media's role in rapidly spreading video of a passenger being dragged off an airplane. Today's consumers are more polarized than ever and increasingly expressing their opinions and showing their own values in the way they spend their money. Brands worry about making missteps on social media and falling out of favor, prompting them to ask: "How can my brand respond to a social crisis?" In reality, the question they should be asking is: "How can my brand plan for any social crisis so that when it hits, our response is clear and automatic?"
Navigating today's social environment requires returning to crisis management basics. Brands with established and rehearsed crisis management plans — no matter the channel — will rise above the fray. In our latest Forrester report, "Social Crisis Management: Get Back To Basics," we discuss social crisis management 101:  

(TNS) - National Hurricane Center forecasts have evolved beyond the staid Saffir-Simpson wind scale that shoehorns tropical cyclones into tidy categories while ignoring flooding waters from sea and sky.

This hurricane season, an array of products will alert to killer storm surge, predict arrival time of damaging winds and show storm size.

One forecast map will warn of systems that have the potential for cyclonic wind-up, but have not yet developed into a storm.

It’s all in an effort to inform the public beyond Saffir-Simpson, but is the public ready to digest more than categories 1, 2, 3, 4 and 5?



According to a study by Indeed.com, conducted earlier this year, the severe shortage of skilled cybersecurity professionals continues. It’s estimated that a million security jobs are unfilled today, and that’s probably only going to get worse. This comes at a time when organizations are looking to increase their security spending and improve their security posture.

Yet, here is something that doesn’t make sense to me. Plenty of security talent is being developed in colleges and universities across the country. The National Collegiate Cyber Defense Championship held earlier this month highlighted that talent. From an original pool of 230 teams, a group from the University of Maryland, Baltimore County emerged as the winner after a final competition of the top 10 competitors. As CSO reported about the contestants of the cybersecurity event:

They have spent years honing their cyber skills, and some of the participants have some pretty interesting hacks ranging from an insulin pump and an electric car to a video surveillance camera in a school lab. Still others have hacked a connected avionics system that loads maps onto an airplane, an elevator, a McDonald's router, and even a beer kegerator.



The Business Continuity Institute


We have recently seen how quickly a crisis can damage a business when it is not managed correctly, that is, with people placed at the heart of the crisis response.

The appalling treatment of a United Airlines passenger and the subsequent response from the company, showed a complete disregard for the very people who pay the wages, its customers. 

As crisis managers we all advocate the importance of plans and procedures to ensure that in the event of something going wrong, the crisis management teams responsible have a framework to guide them, however, at the heart of this has to be the right culture.

The power of the internet is immense and you only have one opportunity to set the tone of your response when something does go wrong. You should have clear processes, procedures and ways of working that staff fully understand, but most importantly you must have a culture that ensures that people are at the heart of what you do. 

If your customers are your number one priority, regardless of the nature of the incident, it is very likely your crisis managers will respond with that in mind.

I was reading an article during the past week written by Michael Balboni of Redland Strategies, and one of the keynote speakers at last year's BCI World Conference, where he highlighted the four key points to consider in your crisis communications. These points can be summarised as:

  1. Try to get out ahead of the story with statements like, "We are also concerned about the events as reported and are conducting an investigation."
  2. Whatever the message, be consistent. Changing statements leaves room for doubt on a whole bunch of aspects.
  3. Never attack the victim! Ever! The customer is the only reason that a business is in business, or a government official is in office.
  4. Respond to the internet firestorm with facts and apologies and a description of how you will try to prevent this situation from ever repeating. Never try to block people from commenting.

When you are next reviewing your ways of working and approach to crisis communications, make sure you keep this in mind. Most importantly though, remember: “It is not the employer who pays the wages. Employers only handle the money. It is the customer who pays the wages” --- Henry Ford.

Are you satisfied that your company culture sets the right tone to respond effectively to a major incident or crisis event?

Chris Regan is the Director of Blue Rock Risk Limited, a specialist crisis and risk management consultancy. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email or by telephone on 0117 244 0154.

The Business Continuity Institute

Businesses large and small are being urged to protect themselves against cyber crime after new Government statistics found nearly half of all UK businesses suffered a cyber breach or attack during the previous year.

The Cyber Security Breaches Survey 2017 reveals nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions. The survey also shows businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51% compared to 37%).

The most common breaches or attacks were via fraudulent emails - for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments - followed by viruses and malware such as ransomware, and by people impersonating the organisation online.

These new statistics show businesses across the UK are being targeted by cyber criminals every day and the scale and size of the threat is growing, which risks damaging profits and customer confidence.

Cyber security is a hot topic for business continuity and resilience professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

The Government survey also revealed that, of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed.

Firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.

Following a number of high profile cyber attacks, businesses are taking the threat seriously, with three quarters of all firms saying cyber security is a high priority for senior managers and directors; nine in ten businesses regularly update their software and malware protection; and two thirds of businesses invest money in cyber security measures.

Areas where industry could do more to protect itself include around guidance on acceptably strong passwords (only seven in ten firms currently do this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).

Ciaran Martin, CEO of the National Cyber Security Centre, said: "UK businesses must treat cyber security as a top priority if they want to take advantage of the opportunities offered by the UK’s vibrant digital economy. The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities."

The firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.

Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest firewall security products incorporate a wide range of additional features.

“The latest firewalls can neutralize an attacker’s ability to use stolen credentials for lateral movement and network compromise,” said Navneet Singh, product marketing director at Palo Alto Networks. “This is done by enforcing multi-factor authentication at the network layer.”



The ever-dependable Barb Darrow at Fortune reported late last week that the OpenStack Innovation Center (OSIC) is to shut down. Cue wailing, gnashing of teeth, and portents of doom. But this may not be quite so bad as it appears, because the OpenStack Innovation Center isn’t nearly so critical to the open source cloud computing project as its name might imply.

Before I joined Forrester I used to post a short thought (almost) every day, commenting on some piece of news that caught my interest. The last of these, on 24 July 2015, was concerned with the then-new OpenStack Innovation Center.

I was unimpressed.

You see, the OpenStack Innovation Center isn’t an initiative of the OpenStack Foundation. Despite the name, it was only a joint initiative of two contributors to the OpenStack project - Intel and (OpenStack co-founder) Rackspace. They set up some clusters, for developers to test code. And they did some work to make OpenStack more enterprise-ready. Both efforts were useful, for sure. But both of these things were already happening in plenty of other places.



Most people can sort out what tangibles they need for a solid BCM program, but the following critical steps can make or break an enterprise in times of crisis. Without functional crisis management and effective preparations, your organizational resilience will be impacted, resulting in more than just higher costs or lost sales (see Strategic Issues Surrounding Your Organization’s Resiliency).

1. Clarify Roles and Responsibilities

Numerous teams are organized and active during crisis events: Crisis Management, IT Emergency Management, Individual Recovery, Business Recovery, Communications, and more. Often individuals participate on several teams. Due to multiple tasks and efforts, individuals must clearly understand their roles and responsibilities – these are not necessarily based on job title. Individuals should be trained in roles and responsibilities at least annually.



Wednesday, 19 April 2017 15:11

4 Key Steps on the Roadmap to Resilience

Focal Point Data Risk, LLC (Focal Point), one of the largest pure-play data risk consulting firms in North America, today announced the release of the inaugural Cyber Balance Sheet Report. This first-of-its-kind research study uses in-depth surveys and interviews with corporate board members and chief information security officers (CISOs) to conclusively identify specific cyber risk issues resonating in boardrooms. Equally important, the unprecedented research reveals how CISOs and boards can quickly improve communication and collaboration in this critical area.

The Cyber Balance Sheet Report was independently produced, after several months of intensive research, by the Cyentia Institute (Cyentia), a cybersecurity research firm, co-founded by Dr. Wade Baker, who is widely recognized as the creator of the Verizon Data Breach Investigations Report (DBIR). In the study, Focal Point and Cyentia conducted comprehensive interviews with more than 80 board members, CISOs and subject matter experts. The report’s findings offer a rare window into the cyber risk dialogue in the boardroom, contrasting with many years of assumptions and security vendor characterizations.

“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”



Ransomware hits a particularly raw nerve because of its brazenness. A criminal breaks into a computing device and simply takes over, demanding money – usually paid in bitcoins – for providing the owner the privilege of accessing his or her own data.

The reality is that the ransomware story is more nuanced than the pure fear that idea engenders. Ransomware, according to experts, is not monolithic: There are levels of qualities to the malware and how it is delivered. The targets are far from helpless.

IT Business Edge emailed important questions about ransomware to Jon Clay, the director of Global Threat Communications for Trend Micro; Chester Wisniewski, the principal research scientist at Sophos; and Kevin Haley, the director of Security Response at Symantec. The answers painted a picture of a very serious problem, but one that can be avoided if an organization uses best security practices.



(TNS) - Every spring, like azaleas at Pinehurst, questions begin blooming for Scot Brooks.

“It seems every year at about this time, people new to the area call and ask when they can expect us to test our tornado sirens,” said Brooks, the emergency management deputy director of Moore County, N.C.

“I explain to them that we don’t have sirens — at least not for tornadoes.”

Nor does any other county in the Cape Fear region. A check with emergency management directors in the region reveals that no countywide systems exist. In fact, none have ever existed, according to these directors.



Topping $5.7 billion. That’s the record cost of insured losses from severe thunderstorms and convective weather in the United States in the first quarter of 2017.

The latest figures come via Steve Bowen, director and meteorologist at Impact Forecasting, the catastrophe risk modeling center at Aon Benfield.

Here’s the chart (via @SteveBowenWx):



Wednesday, 19 April 2017 15:05

U.S. Thunderstorm Losses Add Up To Q1 Record

Over the last decade, huge growth in demand for Internet and mobile services has driven rapid transformation in digital businesses. This growth has been highly disruptive, and it has created new business opportunities and challenged the status quo.  In the data center, two forces have created much of this change:  the evolution of virtualization and the rise of cloud computing.

Latest-generation technologies in computing hardware and software platforms, including but not limited to unified computing, pervasive virtualization, containerization, new rack designs, disaggregation of compute resources, and improved telemetry and analytics, have all contributed to a lower total cost of ownership (TCO) and a greater return on investment (ROI). This has set the stage for agile infrastructure and a further explosion in the number and type of instrumentation metrics available to today’s data center managers.

Optimization, as applied to data centers, means always having the right amount of resources, to cost-effectively enable the business use of those data centers. Right resourcing means, in effect, enough to get the data center “job” done, but not so much as to waste money. Everything from enough power and floor space to enough “computes,” and everything else. Easily said, but increasingly challenging to accomplish.



NEW YORK, NY –  Duff & Phelps, the premier global valuation and corporate finance advisor, today highlighted research affirming that financial services professionals are poised to significantly accelerate resources dedicated to preventing and combating cyber breaches. The survey of nearly 200 senior financial services professionals included the following highlights:

  • 86% of financial services firms intend to increase the time and resources they spend on cybersecurity in the next year.  This contrasts with 2016, when less than 60% said they planned to spend more resources and time on cybersecurity planning and initiatives.
  • 31% of respondents expect cybersecurity to be the top priority for regulators this year - a 63% increase over 2016 when just 19% of respondents held this view.
  • 21% of respondents believe that Anti-Money Laundering and “Know Your Customer” considerations – which are increasingly converging with cybersecurity and technology – will be a top regulatory focus.



Our latest case studies in business continuity management and planning focus on banking customers.

PlainsCapital Bank—a subsidiary of Hilltop Holdings—is the sixth-largest bank in Texas. They maintain a statewide presence with approximately 1,500 employees and nearly 70 commercial and retail locations. Their diverse range of service includes commercial banking, treasury management, private banking, wealth management, and consumer banking. The Business Continuity Planning team includes Operational Risk Manager Jay Geppert and Operational Risk Analyst Jessica Camacho. They are responsible for the bank’s Business Continuity, Vendor Management, and Operational Risk programs. Together, they coordinate annual tests of critical departments and applications and work with business unit managers to update plans for their Business Continuity Committee, Information Systems Steering Committee, and other senior management officials. The company invested in ResilienceONE from Strategic BCP to help elevate planning to a strategic level within the organization. Planning has shifted to a functional approach in-line with overall corporate objectives. The system helps ensure consistency of the operational risk management framework, allows for effective implementation across business units, meets operational and regulatory requirements, and prepares the organization for future growth—all while adapting to the changing demands of a dynamic corporation. Read the full case study including the expanded benefits to the team and the organization.



Forty-one percent of enterprises have an encryption strategy applied consistently throughout the organization (up from 37 percent last year), according to the results of Thales' 2017 Global Encryption Trends Study.

The report, based on a Ponemon Institute survey of more than 4,800 people across several industry sectors, also found that 46 percent of respondents perform encryption on-premise prior to sending data to the cloud, and 21 percent encrypt in the cloud using keys they generate and manage on premises.

Surprisingly, 37 percent of enterprises turn over complete control of keys and encryption processes to cloud providers.



Scenario planning, in which you seek to identify higher risk and higher probability causes of business interruption, attracts both supporters and cynics.

One of the criticisms levelled at scenario planning is that it often results in business continuity plans that are hard to manage and keep up to date.

Complexity rises exponentially with the number of scenarios being considered.

On the other hand, viewing BC purely in terms of impacts to be avoided (effects rather than causes) calls for faculties of imagination and vision that may surpass what some organisations can muster.

The best way forward may be to combine the strengths of both and in parallel eliminate their weaknesses.



Security remains one of the biggest roadblocks for enterprises to move to the cloud, numerous studies and research firms have stated.

We often talk about security as one thing, but in actuality, it is quite multifaceted. That’s why it’s important to distinguish between layers of security in a public cloud environment — and why concerns about data security and public clouds must be taken seriously.

As 451 Research concluded in a recent report, leading public cloud providers, such as Amazon Web Services and Azure, have very good security. They have to. They are “secure by default because they have a vested business interest in being as durable as possible,” 451 says. Again, I agree. Public cloud providers do a great job of traditional network and operational security.

In today’s world, and especially in the cloud, that’s not good enough anymore. While the cloud environment may be secure, the data inside that environment may not be. If the database you’re using lacks comprehensive, hardened security, you’re still at risk. You can’t read the news without seeing numerous data breaches that underscore this fact.



Tuesday, 18 April 2017 16:12

Move to the Cloud, but Mitigate Risk

Data-centric protection and security focuses on the organization’s sensitive data (as opposed to its overall computer networks and applications). This is accomplished by locating, identifying, and cataloging sensitive data as well as by applying encryption, data masking, and policy-based data access controls (and end-user monitoring) to protect data residing across multiple enterprise environments.

To what extent are organizations adopting, or planning to adopt, data-centric protection and security practices? In a recent Cutter Consortium survey, Senior Consultant Curt Hall asked 50 organizations about their data protection practices to shed some light on this important question.

As shown in the figure below, more than a third (37%) of surveyed organizations currently have data-centric protection and security practices in place.



No. The buy side market is nowhere near maturity and will continue to be a greenfield opportunity to many BI vendors. Our research still shows that homegrown shadow IT BI applications based on spreadsheets and desktop databases dominate the enterprises. And only somewhere between 20% and 50% of enterprise structured data is being curated and available to enterprise BI tools and applications.

The sell side of the market is a different story. Forrester’s three recent research reports are pointing to a highly mature, commoditized and crowded market. That crowded landscape has to change. Forrester is making three predictions which should guide BI vendor and BI buyer strategies in the next three to five years.



(TNS) - Several communities in the mid-Hudson (N.Y.) are spending more than $40 million to get ready for the next weather disaster.

Sixteen municipalities have crafted plans to make their communities less vulnerable to the kind of devastation left behind by Hurricane Irene, Tropical Storm Lee and superstorm Sandy in 2011 and 2012.

Communities slammed by the storms picked up the pieces, and when New York state and the federal government offered help, they took it.

The state pulled together federal funding streams and channeled them through the Governor's Office of Storm Recovery into a program called the NY Rising and Community Reconstruction plan.



2017 has so far been a wild ride of change. Companies are navigating through a new U.S. administration, Brexit and cyber risks that are more daunting each day. We are bombarded with uncertainty and uncharted waters. Nevertheless, it’s a great time to be a risk manager.

This kind of disruption is the reason many of us got into the risk and insurance industry. Addressing disruption is what we do best. According to a recent CNN report, in fact, Risk Management Director is the number-two Best Job in America for 2017. Recognizing the meaningful contributions and rewarding work of a risk manager, the report highlighted the role in “identifying, preventing, and planning for all the risks a company might face, from cybersecurity breaches to a stock market collapse.”

In the midst of a riskier environment, the insurance industry that serves risk managers faces highly competitive market conditions. The result is more choices and better services for the risk management community. Now is the time for the risk manager to take the lead.



Tuesday, 18 April 2017 16:08

It’s a Great Time to Be a Risk Manager

A consistent challenge that I have heard from Business Continuity Professionals over the past 20 years is mastering the art of getting buy-in, and engagement, from their colleagues. As business continuity practitioners, you have chosen a very rewarding career. We all know how important your job is to the organization. However, some of your colleagues don’t always recognize it, and they must be constantly reminded of how important business continuity is. You and I know that you’re the glue that keeps things together during an incident, however large or small.

You’re constantly engaging management teams in Human Resources, Safety & Security, Information Security, IT, Facilities, Property Management, Legal, and Executive Management, as well as Local Law Enforcement, Public Information Officers, and Social Media Administrators. Oh my goodness, if that is not enough to do, you must also ensure that your planners have updated their plans, prepared for audits, prepared for tests, and most importantly deal with real incidents that can happen at any time of day.



Tuesday, 18 April 2017 16:07

For Continuity Sake……

BATON ROUGE, La. — Louisiana schools will soon close for summer, and the elimination of a normal routine may increase the need for crisis counseling for both adult and child survivors of the August floods. Free disaster crisis counseling is available through Louisiana Spirit, a program administered by the state and funded by a FEMA grant. If you wish to speak with the counselors, call 866-310-7977.

Children should keep a routine and positive focus in the recovery process of disasters. Both are recommended by a number of children-focused organizations working on the Louisiana recovery.  Summer camps, sports and outdoor adventures are good options to keep your child active and engaged.

In Louisiana, FEMA has been working with federal partners, including the U.S. Department of Education, nongovernmental organizations, pediatric experts and external stakeholders to ensure the needs of children are considered and integrated into disaster related efforts initiated at the federal level. The work is underway and will continue for as long as it takes.

Louisiana Spirit crisis counselors also go door-to-door in disaster-affected areas to provide services for both adults and children. In Louisiana, the program is working side-by-side with the Metropolitan Human Services District in New Orleans, the American Red Cross and other organizations. For more information, visit dhh.louisiana.gov/index.cfm/page/201.

Eighty-six percent of financial services firms plan to spend more time and resources on cyber security in the coming year, a recent Duff & Phelps survey of 183 senior financial service professionals found.

That's a significant increase from 2016, when less than 60 percent of firms said they planned to do so.

Similarly, 31 percent of respondents said they expect cyber security to be the top priority for regulators this year -- a 63 percent increase over 2016, when just 19 percent expected it to be the focus.



Insurers are moving away from the rate cuts of 2016, according to online insurance exchange MarketScout’s take on the first quarter 2017 rate environment.

For the first time in 20 months, the composite rate index for commercial accounts in the United States measured a rate increase at plus 1 percent, MarketScout said.

Richard Kerr, CEO of MarketScout:

“The plus 1 percent composite rate index was driven by larger rate increases in commercial auto, transportation, professional and D&O rates. We also recorded small rate increases in the majority of coverage and industry classifications.”

Rates for business interruption, inland marine, workers’ compensation, crime, and surety coverages held steady in the first quarter. Rates for all other coverages either moderated or increased.



Monday, 17 April 2017 14:44

Commercial Insurance Prices Moving On Up

Cyberattacks have pretty much become a part of everyday life. Security firm ForeScout’s State of Cyber Defense Maturity Report found that more than 96 percent of organizations experienced a major IT security breach in the past year. One in six organizations had five or more significant security incidents in the past 12 months, and almost 40 percent had two or more incidents.

“The media reports of stolen information or compromised networks are almost a daily occurrence,” wrote Ray Boisvert, president of I-Sec Integrated Strategies. “The stories are increasingly alarming and the trend line is troublesome.”

How you respond, though, is the key factor. Here are several tips on how to disinfect your data center and beef it up against further attacks.



Monday, 17 April 2017 14:43

Tips for Disinfecting Your Data Center

The city of Dallas, Texas boasts 156 emergency weather sirens throughout the entire city, charged with warning residents when there is an imminent threat from a tornado or other severe weather. On Friday, April 7, 2017, Dallas residents were startled awake when every siren in the city was activated at the same time. The sirens blared for more than an hour and a half before city officials were able to manually turn them off. The reaction from the 1.3 million residents was predictable: over 4,000 calls to 911 flooded the city’s emergency response lines. Widespread panic eventually turned into irritation as residents were informed there was no danger, just a system malfunction. It wasn’t until later that an investigation revealed hackers had in fact manipulated the wireless radio system behind the alerting system, triggering these alarms.

In light of this discovery, a new concern has emerged surrounding the security of emergency communication protocols as evidenced by this hacker’s ability to override the security of the city’s critical infrastructure. This is not the only city where a breach like this has occurred, and the array of system infrastructure that can be impacted by such attacks raises serious concerns about the effectiveness of all emergency communication tools—with good reason.



Three very different brands with an unfortunate commonality: Each has recently incurred the wrath of a growing segment that Forrester calls the values-based consumer.

Last week at Forrester’s Consumer Marketing Forum, my colleague Jim Nail and I launched a new line of research. It helps marketers manage the trend of consumers looking beyond the direct, personal benefits they receive from a brand to also value the brand’s impact on society and the world. Paired with Anjali Lai’s powerful companion data report on how empowered consumers’ decision making is changing, this set of research represents a new dimension of Forrester’s overarching thesis on the age of the customer.

To be “customer obsessed,” brands need to do more than study their customers’ technology habits and the digital data they have about them, and even go beyond delivering extraordinary experiences. These are things all companies are trying to do today and will differentiate brands just until their competitors catch up. Increasingly, brands will be evaluated beyond the sum of their features, benefits, personality, and positioning. Tapping the increased transparency created by social technologies, consumers are able to choose brands that reflect their own beliefs on issues related to their personal interpretation of societal impact.



Increasing globalization and the growing world market present employees with opportunities to travel and experience new countries and cultures. With travel comes risk, however. In the event of an unforeseen incident, it is an organization’s top priority to ensure its employees are safe and out of harm’s way.

By following proactive travel risk management strategies, employers can help ensure not only the safety of their employees abroad, but also the success of their businesses while avoiding major financial, legal and reputation costs. When developing travel policies, companies must consider the health, safety and security risks that their employees could encounter.



The Business Continuity Institute

Ever wondered what all the different terms or acronyms relating to business continuity mean? Now the Business Continuity Institute has made it easier for you to find out with the creation of its joint BCI DRJ Glossary of Business Continuity Terms.

This new glossary is a result of merging the definitions from the ‘Business Continuity Glossary by DRJ’, the BCI’s Dictionary of Business Continuity Management Terms and the glossary in the Good Practice Guidelines.

The combined glossary contains all terms approved by the DRJ Editorial Advisory Board’s Glossary of Terms Committee, which includes representation from the BCI. This joint effort is evidence of the continuing and deepening partnership between DRJ and the BCI. The glossary is one of many resources available as part of our knowledge bank, and it can be downloaded from the BCI website.

Does it sound strange that many organisations believe they are exposed to major problems with Internet of Things device security, yet few of them have taken any measures to resolve those problems?

IoT devices are increasingly part of business life, as businesses use them for the remote monitoring and control of industrial machines and systems, or they fall into the BYOD zone, where personal and professional data may coexist (for example, Apple Watches and other wearables).

A recent survey by Ponemon Institute showed how much of a problem there could be.

According to the survey results of over 500 IT and IT security practitioners:



United Airlines stock tumbled nearly 4% in early trading Tuesday morning before recovering late in the day as the company continued to deal with fallout after video surfaced showing a passenger being forcibly dragged from a United flight at Chicago’s O’Hare International Airport. United shares were down by as much as 6% in premarket trading Tuesday morning, according to MarketWatch.

Shocked viewers responded with universal outrage Monday to a video appearing to show a 69-year-old man being brutally dragged off his flight by three uniformed officers from the Chicago Department of Aviation, one of whom has since been placed on leave. The man’s face was bloodied and he appeared disheveled as officers dragged him along the narrow aisle of the plane.

“The incident on United flight 3411 was not in accordance with our standard operating procedure and the actions of the aviation security officer are obviously not condoned by the Department,” the agency said in a statement. “That officer has been placed on leave effective today pending a thorough review of the situation.”



Last month HPE announced its plans to acquire Nimble and double down on its move into “the fast-growing flash market” for the enterprise. Days later Dell EMC announced it would drop its DSSD flash offering for big data and HPC because the market is too small.

Although Dell EMC “found little market” for DSSD, don’t be deceived about whether or not there’s a market for big data flash storage. There is and it’s growing. In the HPC space, where DDN Storage plays, we continue to see a clear and growing need for flash-based innovation. DDN’s Infinite Memory Engine (IME) flash offering is seeing strong demand.

Alongside traditional labs such as the Joint Center for Advanced High Performance Computing (JCAHPC) and Oak Ridge National Laboratory, and the more traditional high-end academic high performance computing (HPC) research, there’s also growing interest within enterprise organizations who want to speed up their HPC-like workflows.



Thursday, 13 April 2017 16:28

What’s Next for Big Data Flash Storage?

While the social media firestorm following the forcible removal of a passenger from a United Airlines flight highlights the importance of crisis and reputation risk management, it also underscores the potential liability airlines face from balancing duties to their customers, employees and to shareholders.

USA Today reports that three things govern a carrier’s relationship with its passengers: contracts of carriage, the U.S. Department of Transportation and laws approved by Congress:

United’s dispute with a passenger forcibly removed from a Sunday flight shines a spotlight on the contracts that set rules and expectations between carriers and travelers.



(TNS) - Annapolis has hired a company to carry out design of flood mitigation plans in an effort to reduce nuisance flooding downtown at City Dock.

The design phase begins a multi-year process for a two-phase project along City Dock to reduce and prevent nuisance flooding. This flooding, primarily due to rising sea levels, is what causes City Dock to sometimes feel partially underwater as water bubbles up through storm drains and overtakes parking along Dock Street and other downtown areas.

Annapolis has an average of about 39 nuisance flooding days a year, according to data between 2007 and 2013 collected by the National Oceanic and Atmospheric Administration.



This is a bit concerning. Officials in Dallas said the city’s warning system was hacked late on Friday night, disrupting the city when all 156 of its emergency sirens sounded into the early hours of Saturday morning. The Dallas Emergency Sirens started going off around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday. This created a sense of fear and confusion, jarring residents awake and flooding 911 with thousands of calls. The sirens are meant to alert the public to severe weather or other emergencies, but were interpreted by some as a warning sign of a “bomb or something, a missile.” The city said that every time they turned the system off, it would sound again as the hacker kept bombarding it.

The system was still down on Saturday afternoon, and officials said they hoped to have it functional again by the end of the weekend. They said they had pinpointed the origin of the security breach after ruling out that the alarms had come from their control system or from remote access.



Over the past few weeks, hackers have leveraged passwords exposed in high-profile breaches to compromise Amazon third-party sellers' accounts, the Wall Street Journal reports.

The attackers have stolen tens of thousands of dollars from sellers' accounts, and have also used the accounts to post nonexistent items for sale in order to steal more funds.

More than two million seller accounts on Amazon.com account for more than half of its sales, Fox Business reports, and over 100,000 of those sellers earn more than $100,000 a year.



NEW YORK — Employees and third-party services are most likely the weakest links in a company’s cyber security system, but regular risk assessments can help prevent information leaks, a financial services regulatory attorney said last week. 

“Employees are the sources of many compromises within companies, much more so than the Chinese hackings that we read about every day,” said Jeffrey Taft, a partner with Mayer Brown during a conference Wednesday at the firm’s New York office. “It’s probably 20 times more likely that somebody in this room will be penetrated by employee malfeasance or negligence than any Chinese hacker. There’s a heck of a lot more you can do to keep your employees from leaking information than the Chinese hackers.”

Mr. Taft gave the attendees an overview of the New York State Department of Finances Cyber Regulations, which became effective March 1.




By Ron LaPedis

I attended Spring World DRJ at Disney’s Coronado Springs Resort during the last week of March. Their 56th conference had over 60 sessions with 75 speakers, split between general sessions, breakout sessions, workshops, and a Senior Advanced Track which was sponsored by the Business Continuity Institute. Disaster Recovery Journal has morphed from an IT disaster recovery conference to an all-hazards business continuity training camp. Some of the most interesting sessions this year covered topics such as:

  • Linking cyber to business continuity
  • Lunch with your auditors
  • Effective risk management
  • Supply chain resiliency
  • Effective exercise design
  • Using the Incident Command System (ICS)
  • Active shooter incident response

My job at Micro Focus is to work with our sales teams so that they can have topical conversations about cyber security and risk management with their customers. At the end of the day, Micro Focus sells software and hardware. However, customers don’t buy software and hardware, they buy solutions to their problems – and unless I know what problems they are facing, I cannot help. This means open-ended questions and drilling down until I can understand the real problem – and not just the symptoms that the customer might think are his problems. Of course, as technology advances the problems evolve, which means I need to keep up with the latest trends.


Continuing Education Is Not Only a Good Idea, It’s the Law

I have a lot of letters after my name. Most of them require me to earn continuing education units or CEUs every year. But earning CEUs is not the point; earning CEUs which add to my understanding of the business continuity and cyber fields is the point. One of my favorite presenters and authors is Regina Phelps, who is the queen of realistic tabletop exercises. Her latest book details how to develop a realistic cyber exercise. And just like real life, you may not come out of an exercise with the perfect solution – but it will make you think (and perhaps realize how far you need to come in your planning!).

Step Right Up to the Micro Focus Chalk Talks!

Have you checked out the Micro Focus chalk talks? These are a fun way to learn about our solutions to many of your organization’s problems to build, operate, and secure your computing infrastructure. They cover a handful of different solution areas and each runs about five minutes. This means that they are easy to fit in when you need a kicker to help ping your brain when you are trying to address one of your work problems.

And when you are ready to chat with us, we’ll have someone waiting by the phone ready to solve your hardest problems. As an FTSE 100 company, we have offices all over the world.

Republished with permission of Micro Focus at https://blog.microfocus.com/drj-spring-world-2017/.

Thursday, 13 April 2017 15:42

Preventing Disaster, One Attendee at a Time

The Business Continuity Institute

The vast majority of small to medium sized enterprises (86%) have less than a tenth of their total IT budget allocated to cyber security, while 75% have between zero and two IT security staff members, according to the results of a survey by EiQ Networks.

The survey also noted a significant drop in confidence over the past two years. In 2015, more than a quarter of respondents (27%) expressed confidence in their security posture, but in 2017 less than 15% said they feel confident that their currently deployed technologies will be successful in detecting and responding to attacks.

Vijay Basani, founder and CEO of EiQ Networks, commented "One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget, despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few."

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis."

Cyber security is as much of an issue for SMEs as it is for larger organizations with the Business Continuity Institute's latest Horizon Scan Report revealing that businesses of all sizes share the same concerns. A global survey identified the top three concerns for both SMEs and large organizations as cyber attack, data breach and unplanned network outage.

Further findings of the study were that just under half of respondents (45%) were breached or believe they were breached at least once in the past year, while just over half (56%) feel they're unprepared to identify and respond to a security incident. Three-quarters of respondents (75%) said they're concerned about protecting customer data, and two-thirds (67%) are concerned about protecting personally identifiable information.

Thursday, 13 April 2017 14:48

BCI: SMEs underfunding cyber security

It’s no secret that strategy and finance need to work together to encourage growth – in fact, last year, both corporate functions cited integrating their planning as a top priority. Yet new research suggests that they need a third partner, risk, to move beyond incremental earnings increases and achieve long-term efficient growth.

Why risk? Because risk is the essence of growth.

CEB recently investigated companies that have consistently outgrown their industry peers while making simultaneous margin improvements. Just 60 companies we studied demonstrated this kind of “efficient growth,” and the single biggest differentiator of these profitable growers was their ability to allocate capital to bigger, riskier bets. Their R&D portfolios were disproportionately weighted toward transformational innovation projects, and their M&A deals were 40 percent larger on average.



Wednesday, 12 April 2017 15:24

Rethinking Risk to Achieve Efficient Growth

OMG!  If you were ever going to want your crisis team to be “on it”… it would be in a case like this.  And of course, you already know, United apologized on Tuesday and said it would review its policies. Really…after videos showed a passenger being forcibly removed from a full plane to make room for its own employees, setting off public outrage. I understand the need to reposition staff but really?!?!?!

Oscar Munoz, the company’s chief executive, said in a written statement that United would take “full responsibility” for the situation and that “no one should ever be mistreated this way.” He committed to making changes to ensure that the situation would not repeat itself, adding that United would conduct “a thorough review of crew movement, our policies for incentivizing volunteers in these situations, how we handle oversold situations and an examination of how we partner with airport authorities and local law enforcement.”

That’s it?  Really?



The long-time goal of first responders and the ecosystem supporting them to create a nationwide broadband network is close to fruition, though it likely will fall short of expectations.

On March 30, AT&T announced that it had been selected by the First Responder Network Authority (FirstNet) to build the network, which it said will cover “50 states, 5 U.S. territories and the District of Columbia, including rural communities and tribal lands in those states and territories.”

The rationale for a discrete network is simple: Today, first responders use commercial networks that tend to be overwhelmed when a crisis occurs. Work on the project is expected to begin later this year and create 10,000 jobs.



Data breaches don’t seem to attract our attention much these days; commonplace activities often lead to complacency. Remember that your organization will, if it has not already, have some type of data breach. Depending on the type and scope of the data breach, costs can quickly reach millions of dollars. This is an event you should have a specific plan for – at a minimum, you should include a detailed section in your Crisis Management Plan.

Here are the minimum items to consider:

1. Response Team

This is the team that will monitor and manage the event itself, not the individuals performing any investigative or forensic tasks. Often this team will be composed of senior leadership who have a corporate or organizational view of impacts. Others may be brought in to provide support or information. The roles to be filled for this team are:



Wednesday, 12 April 2017 15:19

Data Breach Response Planning: A Guide

Former Gen. Stanley McChrystal’s Team of Teams is an excellent book about leadership and the need to adapt to changing circumstances. In the book, he explains how the U.S. Special Operations Task Force in Iraq had to become a more nimble and networked organization to combat al-Qaida. Many of the lessons and strategies discussed are directly relatable to other disciplines, including emergency management.

The importance of networks within emergency management is not a new concept, as our thinking has evolved to embrace “whole community” partners, including the private sector and nonprofit organizations. Although a fair amount of effort has gone into the idea of networked emergency management, I would like to offer some additional perspectives on what it means to be a networked emergency manager. In doing so, it is helpful to consider the management consulting theory that organizational success stems from three factors: people, process and technology.    

In terms of people, the networked emergency manager must be willing and able to work with people and all types of personalities. Building and maintaining relationships takes time, but it is well worth the effort, particularly when you need to rely on other people for information or assistance during an emergency. Emergency managers also play an important role in helping to organize people and in bringing different groups and individuals together to tackle problems, often during a crisis. Investing in these people and relationships ahead of time will help build trust and increase the likelihood of success when it matters the most.



Wednesday, 12 April 2017 15:18

The Networked Emergency Manager

Dallas residents were wide awake and in a state of confusion late Friday night when the city’s outdoor emergency system was hacked, causing all of its 156 alarms to blast for an hour-and-a-half until almost 1:30 a.m.

With some interpreting the warning as a bomb or missile, a number of residents dialed 9-1-1, but the number of calls—4,400 in all—overwhelmed the system, causing some callers to wait for up to six minutes for a response, the New York Times reported.

The alarms blasted for 90-second durations about 15 times, Rocky Vaz, the director of the city’s Office of Emergency Management, told reporters at a news conference.

Mr. Vaz said emergency workers and technicians had to first figure out whether the sirens had been activated because of an actual emergency. And turning off the sirens also proved difficult, eventually prompting officials to shut down the entire system.



Millions of student, staff and faculty email addresses and passwords from 300 of the largest universities in the United States have been stolen and are being circulated by cyber criminals on the dark web, according to a recent report. 

Hacktivists, scam artists and even terrorists intend to sell, trade or just give away the addresses and passwords, said the Digital Citizens Alliance report. 

During eight years of scanning the dark web—the portion of the Internet not indexed for open searches, where criminals covertly operate—researchers from the security firm ID Agent discovered nearly 14 million addresses and passwords belonging to faculty, staff, students and alumni available to cyber criminals. Of those, 79 percent of the credentials were placed there within the last year.



Business no longer controls all its data, now that the data is spread out over systems that could be in-house, in the cloud, or in somebody’s pocket.

From the mainframe era when two people controlled everything (the person who knew about the mainframe and the person who had the key to get in), organizations are now faced with situations in which data could be here, there, or anywhere.

Part of this is deliberate: wider, more flexible access to data can help people do their jobs better, and different storage solutions can help cut costs. But as the following anecdote shows, business continuity needs to adapt too.

The story comes from IBM executive Michael Puldy who describes how he had a close brush with catastrophe in his article “The Importance of a Personal Business Continuity Plan”.



Between the need to protect corporate data and regulations requiring that consumer data be protected, organizations are under more pressure than ever to keep their data safe. Data loss prevention (DLP) technology can help.

And regulations like the EU General Data Protection Regulation (GDPR) are upping the stakes. GDPR assesses hefty fines – up to 4 percent of global revenues – for failing to adequately protect consumer information, especially medical and financial data.

With a deadline of May 25, 2018, it's a daunting task for companies to plug all the leaks in their information systems in time, and global companies are panicking, according to Angel Serrano, senior manager of advanced risk and compliance analytics at PwC UK in London, who's also active in ISACA, a professional organization focused on risk management and information security.



Early 2017 Atlantic hurricane forecasts are predicting fewer storms, but here’s why coastal residents shouldn’t let their guard down.

Colorado State University’s (CSU) Tropical Meteorology Project: “Coastal residents are reminded that it only takes one hurricane making landfall to make it an active season for them, and they need to prepare the same for every season, regardless of how much activity is predicted.”

London’s TSR (Tropical Storm Risk): The precision of hurricane outlooks issued in April is low and large uncertainties remain for the 2017 hurricane season.

Forecasters believe development of potential El Niño conditions in the coming months will suppress storm activity.



About this time every year, Swiss Re publishes the data on the previous year's total economic losses and global insured losses from natural catastrophes and man-made disasters. It turns out that 2016 was the highest since 2012, reversing the downtrend of the previous four years.

Globally there were 327 disaster events in 2016, of which 191 were natural catastrophes and 136 were man-made. In total, the disasters resulted in economic losses of USD 175 billion, almost double the level in 2015.

In terms of devastation wreaked, there were large-scale disaster events across all regions, including earthquakes in Japan, Ecuador, Tanzania, Italy and New Zealand. In Canada, a wildfire across the wide expanses of Alberta and Saskatchewan turned out to be the country’s biggest insurance loss event ever, and the second costliest wildfire on sigma records globally.



Hybrid computing models are starting to infiltrate enterprise data environments as organizations seek to leverage both public and private cloud infrastructure. But while this may seem to diminish traditional in-house data centers, it’s actually the outsourcing industry that has reason to worry.

According to Gartner, hybrid infrastructure will feature prominently at 90 percent of data-driven organizations by 2020, leading to a nearly three-fold increase in the cloud computing market to $68.4 billion. At the same time, spending on data center outsourcing (DCO) is expected to contract from today’s $55.1 billion to $45.2 billion. At the moment, DCO and infrastructure utility services (IUS) make up about half of the $154 billion data center services market, but this is expected to drop to a third by 2020 as hosting and cloud-based IaaS models gain in popularity.

What this means is that while organizations continue to reduce their direct management of physical-layer infrastructure, they will reassume control of their higher-level data and services architectures. But this transition is not without its challenges. A recent study by 451 Research noted that management aspects like cost containment, data migration and security are top concerns in the hybrid cloud, and are producing the most divergent responses. Some organizations, for example, pursue multi-vendor strategies to address these difficulties while others say they have greater success with single-vendor solutions. As well, hybrid cloud adoption is being driven by distinct challenges within vertical industries and national boundaries, with some organizations vexed by erratic user demand while others are faced with limited compute and storage capacity.



Monday, 10 April 2017 14:41

Keeping Control of the Hybrid Enterprise

It’s typical for hyper-scale data center operators like Amazon to build their own infrastructure technology when it isn’t available on the market or when they feel they can make it cheaper on their own.

One piece of technology Amazon built in-house is meant to circumvent what one of the company’s top infrastructure engineers described as misplaced priorities in the way electrical switchgear vendors design their products.

It is this problem that likely caused last summer’s Delta data center outage that ultimately cost the airline $150 million, as well as the infamous 2013 power outage during the Super Bowl. And John Hamilton, VP and distinguished engineer at Amazon Web Services, has seen this type of failure in data centers he has overseen during his career.



Identity and access management (IAM) is more important than ever in an age when passwords can be hacked in minutes, corporate data breaches are a daily occurrence and cybercriminals have successfully infiltrated many top government and large-scale enterprise systems. It requires only one hacked set of credentials to gain entry into an enterprise network, and that’s just too easy for the bad guys.

A study by security firm Preempt noted that 35% of the passwords linked to a recent LinkedIn breach were identical to those used for other accounts. The remaining 65% could be cracked with unsophisticated brute force cracking hardware. The challenge for organizations, then, is to go beyond mere passwords to encompass all aspects of identity and access control, and that's where IAM comes in.



Here’s a short post, ideal for illustrating the simple but not always easy principle of minimalism:

Whatever you have, chances are you don’t need it all. You don’t need all the data you may be asking for, or for that matter, giving out. Medical forms and even veterinary offices often ask for social security numbers, though there are few cases where a medical facility needs that information. Many forms ask for a driver’s license, though they have no need for that information.

Conversely, companies don’t always think through the data they collect on their websites, in their products or from their employees. Look at what you have, what you collect, and where you keep it and realize the following:



The Business Continuity Institute

Business Continuity Awareness Week is now only a little over a month away and we would really like you to get involved. To help incentivize you, this year we are launching two competitions, each one giving you the chance to win a £250 Amazon gift card.

What could I do to improve cyber security?

Our BCAW posters offer six simple tips on how individuals can improve cyber security within their organization. What we want from you are more suggestions on what each of us could do to help make our organizations more cyber secure.

Email your suggestions to [email address not reproduced on this page], and each submission will be in with a chance of winning a £250 Amazon gift card.

The winning tip will be chosen by our communication sponsor for BCAW - Everbridge.

My experience of a cyber security incident

For our second competition we are looking for something a bit more substantial - case studies.

Has your organization experienced a cyber security incident, how did you respond, what was the impact on your organization? It doesn't need to be a lengthy document and you can of course anonymise it if you wish.

Submit your case study to [email address not reproduced on this page] and again you will be in with a chance of winning a £250 Amazon gift card. The winner will be drawn at random.

(TNS) — Here's some welcome news for most Floridians: The upcoming hurricane season could be slightly below average.

In fact, we could see as few as four hurricanes.

An early forecast from scientists at Colorado State University's (CSU) Tropical Meteorology Project concluded that a weak or moderate El Niño is likely by the height of the Atlantic hurricane season, along with cooling temperatures in the tropical Atlantic and the North Atlantic Ocean. An El Niño weather pattern generally results in fewer hurricanes in the Atlantic basin, as it increases wind shear — strong winds that can break up hurricanes as they're forming.



Astute receivables leaders know how to identify issues and act on them before they become major problems – especially when it comes to compliance. The cost of noncompliance and damage to reputation can be debilitating, but preventive measures save resources by eliminating that cost and that damage, helping to create new business and maintain advantage over the competition. For this reason, ARM agencies should work diligently to prepare for potential compliance audits from the CFPB or other regulatory authorities who oversee their operations. If they don’t, and no mitigation actions are taken, the risk of fines, penalties and legal actions can mount to an untenable extent.

Despite the warnings, many choose less favorable options, either ignoring the need for checks on their compliance tactics, hiring outside contractors who don’t know their business or simply absorbing the inevitable cost of noncompliance. Leaders take the proverbial bull by the horns, act immediately to avoid expenses and put their operations in a stronger position.

Immersing yourself in your own business and fearlessly seeking out issues that need correction brings your operation to heights you wouldn’t think possible. Here are 10 key components you need to avoid botching your compliance audit:



Friday, 07 April 2017 16:38

How to Conquer the Compliance Audit

A sophisticated global hacking operation emanating from China has compromised managed service provider (MSP) networks and is targeting additional MSPs in an effort to steal sensitive data and intellectual property from enterprise customers.

That’s the conclusion of a new joint report from PwC UK and BAE Systems, which details an intricate cyber espionage campaign by a well-known threat actor known as APT10.

So-called “Operation Cloud Hopper” has been in effect since at least last year, and has intensified during 2017, the researchers said.



Depression and mental health conditions are on the rise globally. Affecting more than 300 million people of all ages across the world, depression causes immense suffering to people and their families, as well as placing a great economic cost on society. Its consequences and solutions are highlighted in this year’s World Health Day on 7 April.

Mental health problems and stress-related disorders are a major health concern and the biggest overall cause of early death, according to the World Health Organization, which organizes World Health Day each year. Resulting from a complex interaction of social, psychological and biological factors, depression is often triggered by adverse life events such as unemployment, bereavement or psychological trauma. It can be debilitating for the affected person, who functions poorly at work, at school and in the family.

Some of the root causes of depression are related to living and working conditions. For example, the working environment is a powerful determinant of health and has a significant impact on the employee’s mood. In today’s context of economic globalization, the occupational environment is delivering increasing mental stress, which can lead to job dissatisfaction, reduced work performance, ill health and depression.



Since its inception last summer, the No More Ransom project, an anti-ransomware initiative formed by the Dutch National Police, Europol, Intel Security and Kaspersky Lab, has been growing by leaps and bounds.

In addition to raising awareness and keeping tabs on the ransomware scene, the group banded together to help victims regain access to their files without having to pay their attackers. No More Ransom offers tools that can be used to decrypt files affected by popular strains of the malware.

"This collaboration goes beyond intelligence sharing, consumer education, and takedowns to actually help repair the damage inflicted upon victims," said Raj Samani, Intel Security's CTO for the EMEA region, in a July 2016 announcement. "By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment."



Friday, 07 April 2017 16:35

Anti-Ransomware Decryption Toolkit Grows

DURHAM, N.C. – Hurricane Matthew left a $1.5 billion impact on North Carolina, according to National Oceanic and Atmospheric Administration, and the state has made significant progress on recovery. As the aftermath of Matthew fades, the accomplishments of those who survived the storm verify a basic truth about disasters: Recovery takes the Whole Community.

North Carolina has taken significant steps toward recovery following the aftermath of Hurricane Matthew. Affected communities and disaster survivors are repairing and rebuilding better, stronger and safer with the help of neighbors, friends, family members, voluntary groups, faith- and community-based organizations and local, county, state and federal governments.

The following highlights recovery progress made in the six months since the Oct. 10 presidential disaster declaration, and how disaster survivors and affected communities are overcoming challenges:

The declaration made 45 counties eligible to apply for help under FEMA’s Individual Assistance (IA) program.

In addition, local, county and state government infrastructure and certain private nonprofit organizations in 50 counties became eligible to receive funding through FEMA’s Public Assistance (PA) program to repair and rebuild certain eligible disaster-damaged facilities. Local, county and state government expenses related to debris removal, saving lives, providing security, and managing the immediate response became eligible for reimbursement.

Hazard Mitigation Grant funds were made available statewide. Because North Carolina took proactive efforts in Emergency Management, the state mitigation funding amount is 5 percent more than those states that meet minimum requirements. This will bring millions of additional dollars to the state for recovery programs.

Big Disaster Takes Big Response

FEMA individual assistance to North Carolina has surpassed $96 million, with nearly 82,000 survivors applying for federal and state assistance for housing, personal property and other expenses.

  • 82,000 North Carolina residents registered with FEMA.
  • Nearly $67 million approved for housing assistance, including short-term rental assistance and home repair costs.
  • More than $29 million has been approved to cover other essential disaster-related needs, such as medical and dental expenses and lost personal possessions.
  • More than $97 million in low-interest disaster loans for homeowners, renters, businesses and private nonprofit organizations has been approved by the U.S. Small Business Administration.
  • 271 households are currently checked in to the Transitional Sheltering Assistance (TSA) Program. 100 households have been licensed in to Manufactured Housing Units. At the height of the TSA program, more than 1,900 survivors were approved for housing.
  • Nearly $188 million in National Flood Insurance Program claims paid. Nearly 6,000 flood insurance claims received.
  • At peak operations, more than 1,300 federal employees worked the disaster in North Carolina.
  • The state and FEMA staffed and operated 38 Disaster Recovery Centers and Mobile Disaster Recovery Centers. Before establishing DRCs, more than 200 Disaster Survivor Assistance team members went from door to door and store to store in damaged areas to provide information on FEMA assistance. They also staffed Mobile Disaster Recovery Centers that went to busy areas to provide information.
  • Public Assistance, which funds the rebuilding of infrastructure and public structures and reimburses local governments for emergency response during disasters, has received nearly 450 applications with nearly 2,100 projects identified, totaling more than $413 million; 377 projects have been obligated for over $32 million (federal share).
  • FEMA’s Hazard Mitigation 406 program proposals can augment Public Assistance funding, as is the case in North Carolina. To date, mitigation staff identified 28 projects for additional mitigation funding, totaling nearly $1.6 million.
  • Hazard Mitigation’s Community Education Outreach counseled 9,020 survivors at 38 Disaster Recovery Centers and Mobile Recovery Centers and 3,000 individuals at building supply stores, municipal buildings, libraries and fire departments on the importance of incorporating mitigation measures into recovery building projects.
  • In partnership with the state, FEMA’s 404 Hazard Mitigation Grant Program staff have supported North Carolina Emergency Management in collecting more than 2,300 homeowner applications for acquisition, elevation or reconstruction of homes to reduce the risk of loss of life and property from future disasters.

Volunteers: The Backbone of Long-Term Recovery

Recovery has significantly progressed because of voluntary, faith and community-based groups that are donating their time and skills to help survivors muck out, repair and rebuild their homes. These groups are always the first and last presence to help disaster survivors recover.

Voluntary organizations have served over 1.6 million meals and 284,292 snacks and provided over 200,000 goods and services to thousands of people, and pets, in need. Long Term Recovery Committees are established in some affected communities and are forming in others to assist those who still have unmet needs.

Interagency Recovery Coordination

The IRC multiagency group brings the full force of the federal family to federally declared disasters to identify the tools and resources necessary to support the state on its path to a sustained recovery.

The key outcome is the acceleration of the recovery process after a disaster through collaborative and inclusive planning processes with federal, state, tribal and local partners. Efforts include coordinating with whole community partners, mitigating risks, incorporating continuity planning, identifying resources, and developing capacity to effectively manage the recovery process.

All six of the Recovery Support Functions were activated for North Carolina. Five remain active:

  • Community Planning and Capacity Building - FEMA
  • Economic - U.S. Department of Commerce - Economic Development Administration
  • Housing - U.S. Department of Housing and Urban Development
  • Infrastructure Systems - U.S. Army Corps of Engineers
  • Natural and Cultural Resources - U.S. Department of Interior

The group has completed the Mission Scoping Assessment, a compilation of issues the recovery support functions found in North Carolina. The group is currently working on the Recovery Support Strategy, which will suggest actions to aid the state in recovery.

Whole community partners continue to collaborate to find solutions to enable North Carolina’s recovery and will be here as long as it takes.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.


Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards. Follow FEMA on Twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private nonprofit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955, by email, or by visiting SBA’s website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

ORLANDO, Fla. – Disaster Recovery Journal debuted a new conference format for Spring World 2017, adding 15 sessions to the business continuity industry’s premier event.

More than 800 attendees joined speakers, board members, and exhibitors from around the globe at Disney’s Coronado Springs Resort in Orlando, Florida, March 26-29, 2017. The three-day event featured 62 sessions, a concurrent exhibit hall with almost 100 booths, and numerous networking events.

“The new format allowed us to provide more sessions and more educational opportunities for our attendees,” said DRJ President Bob Arnold. “Everyone loved it. More options allowed our speakers to present the latest and greatest trends in the industry.”

Aside from the new sessions, DRJ’s 56th conference featured another one-day track for Senior Advanced Practitioners. This special track allows the industry’s most advanced planners to interact with C-level personnel and other advanced practitioners.

DRJ Spring World 2017 gold sponsor RSA hosted the Monday Night Hospitality event, featuring food, drinks, dancing, and giveaways. Silver sponsors included Deloitte, eBRP Solutions, Firestorm, Fusion Risk Management, IBM Resiliency Services, MIR3, Regus, and Strategic BCP. Co-sponsors included AlertMedia, Avalution Consulting, BC in the Cloud, ContinuityLogic, Kingsbridge Disaster Recovery, Quantivate, Recovery Planner, Rentsys Recovery Services, RES-Q Services, Ripcord Solutions, Veeam, and Virtual Corporation. Business partners included Business Continuity Institute (BCI), Forrester Research, International Consortium for Organizational Resilience (ICOR), and Public & Private Businesses Inc. (PPBI).

“I want to thank all of our sponsors and exhibitors for helping us provide so many networking opportunities with attendees and vendors,” said Arnold. “We were really happy with everyone who joined us for another great show in Orlando.”

In addition to several individual vendor drawings, attendees raked in 14 of the hottest technology items at the DRJ booth as part of the exhibit hall raffle. Grand attendance prize drawings also went to Michael Barrett, Marilyn Boatman, and Ramon Zulueta Wednesday morning before the final general session. All three attendees won a free pass to a future DRJ conference.


Check out the DRJ.com Live page for more photos, tweets, and other details from DRJ Spring World 2017.

DRJ is now preparing for its next conference, DRJ Fall World 2017, which will be held Sept. 17-20, 2017, in Phoenix. Potential speakers have until April 21, 2017, to submit a presentation through the Call for Papers.
To attend DRJ Fall World 2017, visit https://www.drj.com/fallworld2017/.



When a credit bureau hired Kevin Mitnick’s company to test its security defenses, he went straight for the crown jewels. He decided he would try to get inside the bureau’s data center, physically, on his own two feet.

After spending the second half of the nineties in prison for a number of computer crimes, he did not quit hacking. Instead, the legendary former cybercriminal put together an entire team of hackers who break into organizations’ systems using his signature combination of in-person deceit (Mitnick is a top authority on social engineering) and technological exploits as a service, to help them identify security holes.

This week, on stage at the Los Angeles Convention Center during the annual Data Center World conference, Mitnick demonstrated in real time an entire list of ways one could get proprietary and personal information, using both internet search skills and sophisticated technological exploits, from personal computers as well as corporate networks.



The Trump administration is already making good on its campaign promise to significantly roll back federal regulations. With change imminent, compliance and risk managers have found themselves in a fast-moving and unpredictable environment.

Regulatory reform poses a unique challenge for compliance and risk teams, who are responsible for keeping up with regulatory changes, ensuring personnel and third parties are aware of their responsibilities and understanding the complexity of risk management. Facing these mounting difficulties, many enterprises have realized they need to develop more mature governance, risk management and compliance (GRC) programs.

In late 2015, Gartner conducted a survey of its clients to understand how they are using GRC software to support enterprise risk management efforts. Nearly 40 percent of those surveyed were not using GRC software. In addition, 65 percent were not even familiar with the term “GRC.” However, in Gartner’s 2015 CEO survey, 65 percent of global CEOs and senior executives viewed the level of investment in risk management tools and practices as insufficient.



Thursday, 06 April 2017 14:31

A More Strategic Approach to GRC

If you’ve already moved all your systems and applications to the cloud, you may feel there is little left for you to manage other than your organisation’s data and your IT department’s skillsets.

But how about the behaviours and attitudes of the people in your IT team?

How about linking attributes like these to performance in achieving IT objectives and business goals?

Before you dismiss these ideas as “just HR stuff”, you might want to check out the following trends that could make this kind of people analysis directly relevant to IT, in more ways than one.



Thursday, 06 April 2017 14:30

IT Asset Management of Grey Matter

The modern enterprise is mobile, and employees are no longer tethered to their corporate-owned and -provisioned computing equipment. As in the wired world, mobile end-user devices need to be managed to improve employee productivity and to reduce enterprise security risks. That is the world that Enterprise Mobility Management (EMM) inhabits.

What is EMM?

The term Enterprise Mobility Management (EMM) describes an evolution of the technology used to control and manage mobile devices.

EMM grew out of the Bring Your Own Device (BYOD) phenomenon that has been going on for well over a decade in organizations around the world. The emergence of Apple's iPhone a decade ago was a real catalyst in the movement, as employees chose to use their own iPhones over corporate-provided devices. The first generation of BYOD management platforms was known as Mobile Device Management (MDM) and originally focused largely on the hardware enrollment and access part of the BYOD challenge.



PHILADELPHIA – The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) will evaluate a Biennial Emergency Preparedness Exercise at the Three Mile Island Nuclear Generating Station. The exercise will occur during the week of April 10th, 2017, to assess the ability of the Commonwealth of Pennsylvania to respond to an emergency at the nuclear facility.

“These drills are held every other year to evaluate government’s ability to protect public health and safety,” said MaryAnn Tierney, Regional Administrator for FEMA Region III. “We will assess state and local emergency response capabilities within the 10-mile Emergency Planning Zone as well as the adjacent support jurisdictions within the Commonwealth of Pennsylvania.”

Within 90 days, FEMA will send its evaluation to the Nuclear Regulatory Commission (NRC) for use in licensing decisions. The final report will be available to the public approximately 120 days after the exercise.

FEMA will present preliminary findings of the exercise in a public meeting at 10:00 a.m. on April 14th, 2017, at the Sheraton Harrisburg Hershey Hotel, 4650 Lindle Road, Harrisburg, PA 17111. Planned speakers include representatives from FEMA, NRC, and the Commonwealth of Pennsylvania.

At the public meeting, FEMA may request that questions or comments be submitted in writing for review and response. Written comments may also be submitted after the meeting by email or by mail to:

MaryAnn Tierney
Regional Administrator
615 Chestnut Street, 6th Floor
Philadelphia, PA 19106

FEMA created the Radiological Emergency Preparedness (REP) Program to (1) ensure the health and safety of citizens living around commercial nuclear power plants would be adequately protected in the event of a nuclear power plant accident and (2) inform and educate the public about radiological emergency preparedness.

REP Program responsibilities cover only “offsite” activities, that is, state and local government emergency planning and preparedness activities that take place beyond the nuclear power plant boundaries. Onsite activities continue to be the responsibility of the NRC.

Additional information on FEMA’s REP Program is available online at FEMA.gov/Radiological-Emergency-Preparedness-Program.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. FEMA Region III’s jurisdiction includes Delaware, the District of Columbia, Maryland, Pennsylvania, Virginia and West Virginia. Stay informed of FEMA’s activities online: videos and podcasts are available at fema.gov/medialibrary and youtube.com/fema. Follow us on Twitter at twitter.com/femaregion3.

(TNS) - Oklahomans know tornadoes can be deadly, but we may not always know how to protect ourselves.

In 2013, 24 people lost their lives when an EF-5 tornado hit Moore a day after another tornado destroyed multiple homes in east Norman. The risk of severe weather events such as large hail, tornadoes and flooding is higher in April and May, said National Weather Service meteorologist Wayne Ruff, meaning residents should be especially aware of the weather.

“Pay attention to the weather forecasts, not only for today, but for the next two or three days so you can prepare,” Ruff said. “On any given day where there is a forecast for severe weather, think about changing plans that would put you at risk.



Thursday, 06 April 2017 14:28

Experts to Residents: Be Weather Aware

Vendor management gets a lot of attention these days, but have you considered the risk associated with your vendors? When was the last time you conducted a vendor-related risk assessment? Is vendor risk management (VRM) even a part of your Business Continuity Program?

All organizations are interconnected. This is especially clear for large organizations with considerable numbers of vendors, particularly those with multiple locations or global operations, but even a small business with only local suppliers should consider the vendor-related risks to its organization.

Definition of a critical vendor:

  • Any vendor/supplier whose missed commitments might cause the organization to be unable to achieve a stakeholder’s mission.
  • Any vendor/supplier crucial to recovering from a crisis event.
    • Key vendors may not be critical for day-to-day operations, but their criticality may increase during crisis events.



Thursday, 06 April 2017 14:23

Vendor Risk Management – Where to Start

The Business Continuity Institute

The International Organization for Standardization has recently published a new standard that provides guidance to enhance organizational resilience for any size or type of organization. This international standard, ISO 22316:2017 (Security and resilience – Organizational resilience – Principles and attributes), defines organizational resilience as “the ability of an organization to absorb and adapt in a changing environment”. It is the result of a lengthy development process and represents the global consensus on the concept of organizational resilience.

The Business Continuity Institute is grateful to our many members around the world who contributed to the process, either by providing comments in the public consultation process or by taking part in national and international working groups. We recognise and understand that organizational resilience is not the same as business continuity, but requires a collaborative effort between business continuity professionals and other related management disciplines.

The BCI issued a position statement in February 2016 that outlined our perspective on the subject. We have also published two white papers on what we believe the challenges are to the business continuity profession and the professional - the resilience challenge for the business continuity profession and responding to the resilience challenge.

The BCI are pleased to announce the new one day ‘Introduction to Organizational Resilience’ training course aimed at those interested in the subject and wishing to gain a greater understanding of how to build resilience capabilities through a collaborative approach between established management disciplines.

ISO 22316 is a welcome addition to the guidance available to our global community on this subject. BS 65000, the British standard published in 2014, provides guidance for organizational resilience, addresses implementation and assessment issues, and is regarded as complementary to ISO 22316. These two standards differ in many respects but are underpinned by shared concepts, principles and a general approach to building greater levels of resilience in organizations of all types, sizes and sectors. There will likely be further alignment and revision in the future in this evolving field, and the BCI will continue to be involved and to contribute to a more resilient society.

Deborah Higgins FBCI is the Head of Professional Development at the Business Continuity Institute

The Business Continuity Institute

It seems impossible to think about preparedness planning without thinking about time. Time is often at the very heart of any discussion of business continuity and IT disaster recovery. Nonetheless, there are deep flaws in the continued attempts to incorporate it into preparedness planning. These flaws lead to frustrated participants, disengaged managers, wasted effort and dubious outcomes. However, these flaws are avoidable and correctable.

In the latest edition of the Business Continuity Institute's Working Paper Series, David Lindstedt asserts that time is not a target; rather, it is a constraint. While it has its place in preparedness planning, time does not warrant its central focus in our methodology or practice.

Deborah Higgins FBCI, Head of Professional Development at the BCI, commented: "I welcome this paper as it challenges our thinking associated with preparedness planning. I see this work as a fantastic opportunity for fellow professionals to share their own experiences and explore how the theoretical arguments posed in this piece translate into practice."

"I would be happy to get your feedback on this as your engagement will ultimately drive our profession forward – considering the thorny problems we face together and applying our collective expertise to improve current practice."

The paper concludes that, when considering time, “it depends” is now a perfectly acceptable answer from the planning participant, and accepting this answer allows the planning practitioner to be more receptive, adaptive, and effective. The approach enables participants to self-assess restrictions rather than relying on the practitioner to facilitate the assessment of time requirements, thus allowing the practitioner to engage at a more strategic level.

In practical terms, the professional avoids any potential confrontation with regard to discussions about time. In theoretical terms, the professional does not fall into any traps, as time is discussed only as a constraint to recovery activities, not a target that has to be set without the proper ability to do so. And in financial terms, the organization will not waste money preparing to hit targets of time that are arbitrary at best and misleading at worst.

Download your free copy of 'Our deep misunderstanding of time in preparedness planning' to understand more about the concept of time as a constraint rather than a target when managing your business continuity management programme.

Fully 86 percent of small to medium enterprises (SMEs) have less than 10 percent of their total IT budget allocated to cyber security and 75 percent have between zero and two IT security staff members, according to the results of a recent EiQ Networks survey of more than 150 SME IT security professionals.

"One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget -- despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few," EiQ Networks founder and CEO Vijay Basani said in a statement.

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis," Basani added.



There’s certainly no shortage of options for expanding data center capacity these days. You can renovate an existing facility or add a modular unit onsite or offsite, build one from scratch, lease data center space, or move non-critical data and applications off your servers and into a cloud … and just about any combination of the above.

Which scenario is right for your company? Whatever makes the most sense for the business, said HPE’s Laura Cunningham during her Data Center World session, “Finding the Sweet Spot for Your Data Center.”

So, it’s imperative to know the future direction and financial preferences of your company before meeting face-to-face with a CIO, CEO or CFO to ask approval for any IT project.



Wednesday, 05 April 2017 15:10

Finding the Sweet Spot for Your Data Center

The Internet of Things (IoT) is taking shape at a rapid clip, but like any other cooperative technology initiative, the need for standards is starting to draw interest as well.

While it seems obvious that millions of sensors distributed around the globe would need some sort of interoperable framework, what about the rest of the IoT infrastructure? When we delve into wireless networks, backhaul and even analytics, where will standards help overall IoT functionality and where will they hurt?

At the recent Enterprise IoT Summit in Austin, Texas, InterDigital Executive Vice President Jim Nolan pointed out that when it comes to municipal IoT endeavors like smart cities, the need for standardization will be quite broad. Without commonality in M2M communications and other facets, the development of smart cities could see a collective cost overrun of some $341 billion, or about 30 percent of the cost of implementation, according to a recent study by Machina Research. When we consider that the World Economic Forum estimates that the IoT could drive some two-thirds of global GDP over the next decade, this represents a huge, and utterly avoidable, expense for the world economy.



Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

One of the best parts of my job is the opportunity to learn from a wide range of experiences. We have an obligation not only to respond to emergencies today, but to prepare for tomorrow by learning from the past. Our work extends to households affected by disease, communities ravaged by disasters, and U.S. territories battling new and changing threats. In fact, all over the world, we try to get ahead of, and manage, complex responses that touch many lives through ever-changing circumstances. In an ideal world the health in every community would be at a level that would make recovery and resilience easier. The reality is that emergencies happen in all kinds of environments and populations.

The Public Health Preparedness and Response National Snapshot is our annual report that gives us an opportunity to showcase the work that we and our state partners do. The report reminds us that no matter how big the emergency, we need to work together to respond to the best of our ability—with the cards we are dealt.

Here are 10 ways CDC’s Office of Public Health Preparedness and Emergency Response worked to keep people safer in 2016 that can inform our work going forward.

1) Four Responses at Once: An Unprecedented Challenge

CDC experts continue to provide 24/7 monitoring, staffing, resources, and coordination in response to natural disasters, terrorist attacks, and infectious disease threats. In early 2016, CDC managed four public health emergencies at the same time through our Emergency Operations Center:

  • Ebola
  • Flint, Michigan, Water Quality
  • Zika Virus
  • Polio Eradication


2) A Complex Threat: Zika Hits the U.S.

CDC scientists and responders were activated in CDC’s Emergency Operations Center, where they combed through research, developed and distributed diagnostic tests, and provided on-the-ground mosquito control and education to protect people at higher risk for the virus, including pregnant women and infants.

3) Right Resources, Right Place, Right Time

CDC’s Strategic National Stockpile is ready to send critical medical supplies quickly to where they are needed most to save lives. The stockpile is the nation’s largest supply of life-saving pharmaceuticals and medical supplies that can be used in a public health emergency if local supplies run out.

Last year, we helped conduct 18 full-scale exercises and provided training for 2,232 federal, state, local, tribal, and territorial emergency responders to ensure that systems for delivering medicines are functioning well before they are needed in an actual emergency. We continue to work with our federal, state, local, and commercial partners to make sure every step of the medical supply chain, from manufacture to delivery, is coordinated.

4) State and Local Readiness

CDC connects with state and local partners to provide support and guidance, helping every community get ready to handle emergencies like floods, hurricanes, wildfires, or disease outbreaks.

This year, we created a new process to evaluate how well state and local jurisdictions can plan and execute a large-scale response requiring the rapid distribution of critical medicines and supplies. Through this program, we conducted assessments of 487 state and local public health departments. The information from these assessments will be used to help improve the ability to get emergency supplies quickly to those who need them most.

5) Cutting-Edge Science to Find and Stop Disease

To protect lifesaving research, CDC experts in biosafety and biosecurity conducted approximately 200 laboratory inspections and thousands of assessments of those who handle dangerous select agents and toxins like anthrax, plague, and ricin to keep these materials safe, secure, and out of the hands of those who might misuse them.

CDC’s Laboratory Response Network (LRN) also develops and deploys tests to combat our country’s most pressing infectious and non-infectious health issues, from Ebola to Zika virus to opioid overdose. The network connects over 150 labs to respond quickly to high-priority public health emergencies.

6) Protecting Our Most Vulnerable

CDC supports efforts all across the country to help those who may not be able to help themselves when a crisis strikes. Some populations, like children, older adults, and others with functional and access needs may need extra help during and after an emergency.

From planning for the 69 million children who may be in school when disaster strikes to the millions of Americans who need to make sure prescriptions are filled, medical equipment is working, and help arrives even if power is out and roads are blocked, it’s up to us to protect our most vulnerable in emergencies.

7) Emergency Leaders: The Future of Incident Response

When every minute counts, we need people who have the knowledge to step in and take immediate action. Learning and using a common framework like the CDC Incident Management System helps responders “speak the same language” during an event and work more seamlessly together.

CDC experts train leaders from around the world—25 countries in 2016—through an innovative, four-month fellowship based at our Atlanta headquarters. Lessons learned from this course were put to work immediately to head off an outbreak of H5N1 influenza in Cameroon.

8) The Power of Preparedness: National Preparedness Month

Throughout September, CDC and more than 3,000 organizations (national, regional, and local governments, as well as private and public organizations) supported emergency preparedness efforts and encouraged Americans to take action.

The theme for National Preparedness Month 2016 was “The Power of Preparedness.” During our 2016 campaign, we recognized the successes of countries and cities that have seen the direct benefits of being prepared, looked at innovative programs to help children and people with disabilities get ready for emergencies, and provided tips for home and family on making emergency kits.

9) Health Security: How is the U.S. Doing?

As part of the Global Health Security Agenda, teams of international experts travel to countries to report on how well public health systems are working to prevent, detect, and respond to outbreaks. In May, a team made a five-day visit to the U.S. to look at how well we’re doing.

In the final report, the assessment team concluded that, “the U.S. has extensive and effective systems to reduce the risks and impacts of major public health emergencies, and actively participates in the global health security system.” They recognized the high level of scientific expertise within CDC and other federal agencies, and the excellent reporting mechanisms managed by the federal government.

10) Helping YOU Make a Difference

Get a flu shot. Wash your hands. Make a kit. Be careful in winter weather. Prepare for your holidays. Be aware of natural disasters or circulating illnesses that may affect you or those you care about. There are many ways to prepare, and in 2016 we provided the latest science and information to empower every one of us to take action.

Every person needs knowledge to prepare their home, family, and community against disease or disaster before an emergency strikes. Whether it’s how to clean mold from a flooded home, how to wash your hands the right way, or how to use your brain in emergencies, our timely tips and advice put the power of preparedness in your hands. From the hidden dangers of hurricanes to the heartbreaking dangers of flu, there are steps we can all take to stay safe every day as we work toward a healthy and protected future.

For more ways we are helping protect America’s health, check out the new National Preparedness Snapshot.

To find out more about the issues and why this work matters, visit our website.

Wednesday, 05 April 2017 15:02

10 Ways CDC Gets Ready For Emergencies

If the employees in your organization are spending the time, energy, and resources to develop your business continuity plan, your organization must be ready for any disruption, right? Possibly, but making this assumption isn’t going to help anyone during an emergency if the plan is not spot on! If you document your plan, but don’t share it with your team or train on it, it’s like not having a plan at all.


Even more critical to your business continuity program’s success is to run your BC team and your plan through regularly scheduled drills and exercises. Organizations that perform well-planned exercises get better results when they are faced with a real event. Not only will these planned tabletop, functional, or full-scale exercises expose issues with your plan and its execution, but they will give your employees the opportunity to become comfortable with their roles and assigned tasks before an unexpected business disruption requires them to execute these mission-essential functions and be on top of their game during a real event.



Wednesday, 05 April 2017 14:54

Testing Your Business Continuity Plan


With the dizzying advances in technology (cloud computing, virtualization, communications, new replication and mirroring technologies for geographic high availability, etc.), new alternatives emerge for maintaining resilience in organizations, and new paradigms must be considered when it comes to ensuring the “uptime” or availability of technology services, especially those classified as critical because of their high impact on the survival of the organization.

Disaster Recovery (DR) for handling unplanned disruptive events, understood according to the DRII International Glossary for Resiliency as the “Capability of an organization to recover and restore the IT component after an interruption; it is the technological aspect of business continuity,” involves planning, designing, implementing and testing actions that are activated upon an unplanned interruption/disaster event. This requires an alternate site with the necessary resources, in which technology services are recovered temporarily while actions are taken to restore the capacity of the primary site and thus, on return, maintain continuity of operations. In other words, this model requires the typical phases known as Failover/Switchover and Failback for the information systems with their platforms, basic infrastructure, communications, databases, storage, security and the other necessary components across the 7 layers of the ISO OSI model.

On the other hand, with the new technologies, the so-called Disaster Avoidance (DA) is gaining more and more traction. It is an alternative for maintaining and ensuring the continuity of mission-critical business services that is centered more on “resilience” than on the recovery and restoration of services that characterize DR.

In the case of DA, services are kept running automatically in two or more active centers (the concept of primary and secondary data center disappears), maintaining synchronous replication practically in real time. In the event of a planned or unplanned interruption, services and functions are taken over entirely by the site(s) not affected by the disaster, while operations continue in a normal operating state in the data centers working cooperatively. This strategy ensures that data is permanently available and up to date, that is, with an RPO of approximately zero. In conclusion, under this alternative there is no data loss.

DA represents an alternative that can generate more confidence for organizations, particularly those with services whose availability is highly critical, almost immediate, such as those providing the so-called “critical infrastructures” for countries, critical financial services, high-impact medical services where human lives are at risk, most of the new services related to IoT (Internet of Things), etc., whose recovery time objectives (RTO) and recovery point objectives (RPO) must be very short.

Nothing is entirely perfect, however. The DA strategy requires greater investment and operating costs, since it normally requires multiple, or at least one additional, data center operating continuously, simultaneously and cooperatively. This also implies differences in design, implementation, operation and of course in costs for infrastructure, personnel, communications, databases, storage, licensing, monitoring, etc. Additionally, the installed equipment and infrastructure must be similar in capacity, availability and installed technologies.

Advantages and Disadvantages: DR vs DA
  • Investment and costs in data centers and the IT technology installed according to the strategy

In Disaster Recovery (DR), the alternate data center options, typically classified as Cold, Warm or Hot, remain passive unless a disaster situation occurs, and these valuable resources normally sit idle.

DA solutions require that the multiple data centers be Hot and coexist permanently in an active state to guarantee that critical technology services are available from any location, regardless of the situation and unforeseen events. In the case of DA, workloads are balanced between the data centers; with 2 sites, these must have similar capacities and each should carry a load as close as possible to 50%, which means they also have idle resources. Of course, these are active and available, but on standby for when they must immediately take on the full load due to the interruption of their replicated or mirror site. These situations make the DA alternative much more expensive.

In the case of the DR strategy, the type of data center required is determined according to the availability requirements. In most cases, in my experience, the recommendation is that the primary data center be Tier 3 (which means 99.99 availability), and ideally Tier 4 (99.995 availability). For the alternate data center, Tier 3 is normally appropriate.

In the case of the DA alternative, one can be more flexible about the tier of the data centers, insofar as availability is gained through the redundancy achieved by the data centers operating jointly. Looking at the centers individually, this appears to be an economic advantage, since it requires less investment in building each of one’s own centers with internally less redundant components, or a lower price when contracting these services. But given the number of centers, the IT technology installed in each of them and the communications to support them, this strategy is, in sum, much more expensive.

The distance between data centers in DA solutions, for better replication or mirroring performance and to avoid latency, must be relatively short. The disadvantage or special condition is that, for this type of solution, good practice dictates that the sites must not be exposed to the same types of risk; otherwise an “outage” or simultaneous failure of the data centers could occur and the advantages of geographic redundancy would not apply.

  • Handling Disaster Events

When an unforeseen interruption occurs in DA solutions, the impact is very limited, insofar as services are distributed between the data centers and those that remain active take over the affected services of the impacted site. That is, risk is distributed in the popular sense that “not all the eggs are in the same basket,” with the additional significant advantage that there is no real suspension of services (the RTO is close to zero).

In the case of DR, there is a period of downtime: damage assessment by the response teams, decision-making on DR activation, the actions needed to activate the alternate site and effectively make the data available (with possible data loss, depending on the strategy implemented for the approved RPO), and finally the actions to bring the alternate site into operation.

In DA, actions, procedures and human intervention are reduced, and the recovery steps operate practically automatically and, by definition, in a controlled manner.

In the case of DR, for major interruptions with disaster characteristics there is a commonly complex set of actions documented in plans, which must be carried out in a synchronized manner by personnel with the necessary competencies and capabilities, with established priorities and with the proper sequence and responsibilities. Even though a good number of these actions can be automated, there is greater human participation and more decision-making, which demands more education and training and even requires adequate preparation for the personnel involved in moments of emergency, crisis situations and disaster response.

  • Tests and Exercises

Tests in DA are relatively simpler to carry out: in theory, at any time services can be moved to one site and operated from there, and likewise returned to the initial conditions, that is, with the loads distributed as originally designed. In DR, all the experts in the technologies involved must work on activities before, during and after the test to ensure the successful transfer of operations, the work in continuity mode and then the return to the primary site.

  • Maintenance

For planned interruptions in DA solutions to perform maintenance on the data center’s basic infrastructure and/or IT platforms and equipment, service delivery is maintained without any interruption, because while the scheduled activities are carried out within the maintenance “window,” the workloads are taken on and supported by the surviving cooperating sites.

  • Service Management

With DA, thanks to the shared load, resource utilization is better. DA has relatively easier management, but it means permanently managing two or more data centers active simultaneously. The design and implementation process may be more complex, but operation is simplified, and in disaster events the management of technology continuity is much more automated, which leaves less margin for error.


Determining the most appropriate strategy depends on the specific needs of each company, its risk appetite and the availability of resources to decide on the most appropriate strategy and investment.

In technology business continuity, of course, the best practices related to the plan, do, check and act cycle continue to apply; it is in the definition of strategies and in the decision-making about the relevant solutions, based on the results of the BIA and the Risk Analysis, where determinations are made about what is most appropriate to implement: DA or DR or, why not, also viable, a set of mixed solutions.

It is possible to implement mixed solutions to cover a wider range of services, with DA solutions for the top tier of those classified as mission-critical business services and their related services, always involving the interdependent applications and information systems, and DR for critical services that do not have such extremely demanding RTOs.

It is also important to additionally strengthen local high-availability solutions and preventive actions that prevent and minimize “in situ” the possibility of disasters occurring at all the data centers involved, whichever alternative is selected.

DA is a more resilient solution and generates more confidence for critical technology services, insofar as redundant data centers, easily accessible from anywhere through redundant media and access paths, maintain continuity of operations, but the cost of the investment could be significantly higher.

For an appropriate decision, knowledge of the nature of the business is vitally important; based on it, the times and costs involved in handling the disaster and its impacts must be weighed against the times and costs of implementing, operating and maintaining the solution. A good analysis will determine the most relevant strategy for the organization.

North Carolina State University’s ERM Initiative and Protiviti recently completed the latest survey of C-level executives and directors worldwide regarding the macroeconomic, strategic and operational risks their organizations face. The top risks for 2017 provide insight as to what’s top-of-mind currently among leaders around the globe.

Overall, 735 C-level executives — 55 percent of whom are based in the United States, with the balance distributed between Europe and Asia-Pacific — participated in this year’s study, which was conducted in September 2016. These executives revealed that their respective organizations face significant issues and priorities that vary by industry, executive position and company size and type. They indicated that the overall global business context is noticeably more risky than in the two prior years, with respondents in the U.S. indicating it’s about the same as in prior years. The overall risk scores for all of the top 10 risks are higher than prior years, suggesting that executives perceive the level of risk is increasing across several dimensions.

Note that this survey was conducted during the fall of 2016 and was completed just before the 2016 election results were in. It is a fair question as to whether the survey results might have been different had President Trump’s election been known. We believe that, if anything, the results might reflect even greater uncertainty, because many observers were of the view prior to the election that a Clinton administration would have continued the policies of the prior administration. Such is not the case with the Trump administration, which has promised tax and regulatory reform as well as an overhaul of the nation’s trade deals with selected countries. Accordingly, the implications of change in policy on the global outlook must play themselves out over time.



Tuesday, 04 April 2017 15:43

The Top Risks for 2017

The title of this blog post could almost have read “Never send a human to do a machine’s job."

While computerisation and automation may seem dehumanising at times, they can reliably and rapidly perform procedures without error, avoiding the mistakes that people make through inexperience or inattention when trying to apply disaster recovery routines.

However, human error is still a major risk, both in terms of causing IT disasters in the first place, and in causing DR procedures to fail afterwards.



Tuesday, 04 April 2017 15:41

Disaster Recovery and Human Error

Iron Mountain announced a major investment in renewable energy for its data centers, one week after President Donald Trump signed an executive order in an attempt to roll back Obama-era climate regulations.

The data center provider signed a 15-year agreement with a new wind farm in Ringer Hill, Pennsylvania, to use 25 MW of its capacity—enough to power Iron Mountain’s data centers in three states. Part of a strategy that combines wind and solar, the company said its data center business is now powered 100 percent by renewable energy.

Despite the possibility of loosening restrictions on coal power handed down from Washington, Iron Mountain joins mega-data center providers Equinix and Digital Realty in making investments in wind and solar. Being able to provide data center services to big customers, such as Amazon, Microsoft, Apple, and Google — all staunch advocates of renewable energy — may take precedence for service providers, regardless of what shape federal policy on climate takes.



BATON ROUGE, La. – A Disaster Recovery Resource Fair will be held at New Orleans East Hospital for flooding and tornado survivors on Saturday, April 8 from 9 a.m. until 3 p.m.

Local, state and federal agencies will gather as a one-stop-shop to assist survivors in their recovery. Legal services, flood insurance, mitigation advice, disaster tax relief and other recovery resources will be available.

Kids have a hand in recovery also, so there will be a Kids Corner with activities such as coloring and face painting. Admission is free.

The resource fair will be held at the following address:

New Orleans East Hospital
5620 Read Blvd.
New Orleans, LA 70127

April 8 is also the last Saturday day the Disaster Recovery Center will operate. DRC visitors that day may also attend the one-day Disaster Recovery Resource Fair across the street.



A new whitepaper just released by Intel will offer you some good guidance on how to deal with the insider threat. Insiders are responsible for almost as many losses, breaches, and thefts of sensitive and confidential data as cybercriminals. According to a recent Intel® Security data exfiltration study, more than 40% of data loss is caused by insiders, roughly half intentional and half accidental.

The latest insider thefts have even prompted the US Department of Defense to require affiliated companies to have a program that can “Gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.” Whether you do business with the defense industry or not, tackling insider threats is not only a critical challenge to address, but it’s also a team effort, necessitating work in data classification, policy development, and incident response, backed by a strong set of data loss prevention tools.

The document breaks the issue down into bite-size, valuable pieces. Topics include:

  • Building a Defensive Formation
  • Focus on the Data
  • Coaching a Security Culture
  • Zone and Player Coverage
  • Profiling the Players
  • Building the Defensive Playbook

Finally, the human element is a fundamental part of insider theft that should be at the forefront of your planning. Social engineering and credential theft are much easier for internals than externals, so additional precautions and visible checks and balances are necessary to protect your most sensitive data. For example, multi-person controls make it much more difficult for a lone insider to access and exfiltrate restricted data. Or the simple mechanism of copying the manager as well as the user when a policy violation is detected.

You can’t totally eliminate the threat, but there is a lot you can do to improve your posture.




Britain’s airports and nuclear power stations have been told to tighten their defences against terrorist attacks in the face of increased threats to electronic security systems.

Security services have issued a series of alerts in the past 24 hours, warning that terrorists may have developed ways of bypassing safety checks.

Intelligence agencies believe that Islamic State of Iraq and the Levant (Isil) and other terrorist groups have developed ways to plant explosives in laptops and mobile phones that can evade airport security screening methods.



By Louis Imershein, VP Products and Wayne Salpietro, Director of Marketing

Permabit Technology Corp

The cloud continues to dominate IT as businesses make their infrastructure decisions based on cost and agility. Public cloud, where shared infrastructure is paid for and utilized only when needed, is the most popular model today. However, more and more organizations are addressing security concerns by creating their own private clouds. As businesses deploy private cloud infrastructure, they are adopting techniques used in the public cloud to control costs. Gone are the traditional arrays and network switches of the past, replaced with software-defined data centers running on industry standard servers.

Efficiency features make the cloud model more effective by reducing costs and increasing data transfer speeds. One such feature, which is particularly effective in cloud environments is inline data reduction. This is a technology that can be used to lower the costs of data in flight and at rest. In fact, data reduction delivers unique benefits to each of the cloud deployment models.

Public Clouds

The public cloud’s raison d’être is its ability to deliver IT business agility, deployment flexibility and elasticity. As a result, new workloads are increasingly deployed in public clouds. Worldwide public IT cloud service revenue in 2018 is predicted to be $127B.

Data reduction technology minimizes public cloud costs. For example, deduplication and compression typically cut capacity requirements of block storage in enterprise public cloud deployments by up to 6:1. These savings are realized in reduced storage consumption and operating costs in public cloud deployments.

Consider AWS costs with data reduction applied:

If you provision 300 TB of EBS General Purpose SSD (gp2) storage for 12 hours per day over a 30-day month in a region that charges $0.10 per GB-month, you would be charged $15,000 for the storage.

With 6:1 data reduction, that monthly cost of $15,000 would be reduced to $2,500. Over a 12-month period you would save $150,000. Capacity planning is a simpler problem when the data is 1/6th its former size. Bottom line, data reduction increases agility and reduces the cost of public clouds.

One data reduction application that can readily be applied in the public cloud is Permabit’s Virtual Data Optimizer (VDO), a pre-packaged software solution that installs and deploys in minutes on Red Hat Enterprise Linux and Ubuntu LTS Linux distributions. To deploy VDO in Amazon AWS, the administrator provisions Elastic Block Storage (EBS) volumes, installs the VDO package into their VMs and applies VDO to the block devices that represent their EBS volumes. Since VDO is implemented in the Linux device mapper, it is transparent to the applications installed above it.

As data is written out to block storage volumes, VDO applies three reduction techniques:

  1. Zero-block elimination uses pattern matching techniques to eliminate 4 KB zero blocks

  2. Inline Deduplication eliminates 4 KB duplicate blocks

  3. HIOPS Compression™ compresses remaining blocks 


This approach results in remarkable 6:1 data reduction rates across a wide range of data sets. 
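To make the three stages concrete, here is an added Python model of the pipeline (written for this page, not Permabit’s code: VDO itself runs in the kernel with its own dedup index and HIOPS compression, for which SHA-256 and zlib stand in here) run over constructed sample blocks, together with the article’s EBS cost arithmetic parameterised by the reduction ratio actually achieved.

```python
import hashlib
import zlib

BLOCK_SIZE = 4096  # VDO operates on 4 KB blocks, as the article states


def sample_volume() -> bytes:
    """Constructed sample, not a real volume: 4 zero blocks, 3 identical
    log-text blocks (compressible and duplicated) and 3 pseudo-random
    blocks of which one repeats (unique random content is incompressible)."""
    log_line = b"2017-04-04T15:41:00Z host1 sshd[1234]: Accepted publickey for deploy\n"
    log_block = (log_line * 100)[:BLOCK_SIZE]

    def noise(seed: int) -> bytes:
        # Chained SHA-256 digests: deterministic but incompressible bytes.
        return b"".join(hashlib.sha256(bytes([seed, i])).digest()
                        for i in range(BLOCK_SIZE // 32))

    rnd1, rnd2 = noise(1), noise(2)
    return bytes(BLOCK_SIZE) * 4 + log_block * 3 + rnd1 + rnd2 + rnd1


def reduce_blocks(data: bytes) -> dict:
    """Run the three inline stages over a byte stream and report what a
    4 KB-block store would actually have to persist."""
    zero_block = bytes(BLOCK_SIZE)
    seen = {}  # content digest -> original block bytes, for verified dedup
    stats = {"blocks": 0, "zero": 0, "dup": 0, "compressed": 0,
             "logical_bytes": 0, "stored_bytes": 0}

    for off in range(0, len(data), BLOCK_SIZE):
        block = data[off:off + BLOCK_SIZE]
        if len(block) < BLOCK_SIZE:
            block = block.ljust(BLOCK_SIZE, b"\0")  # pad a trailing partial block
        stats["blocks"] += 1
        stats["logical_bytes"] += BLOCK_SIZE

        # Stage 1: zero-block elimination. An all-zero block is recorded
        # as unmapped and costs no physical space.
        if block == zero_block:
            stats["zero"] += 1
            continue

        # Stage 2: inline deduplication. Hash the content; on an index hit,
        # compare the bytes too, so a hash collision can never alias two
        # different blocks onto one physical copy (a silent-corruption risk
        # for any dedup store that trusts the fingerprint alone).
        digest = hashlib.sha256(block).digest()
        if digest in seen and seen[digest] == block:
            stats["dup"] += 1
            continue
        seen[digest] = block

        # Stage 3: compress what survives; keep the raw block if zlib
        # cannot shrink it (random or already-compressed data).
        packed = zlib.compress(block, 6)
        if len(packed) < BLOCK_SIZE:
            stats["compressed"] += 1
            stats["stored_bytes"] += len(packed)
        else:
            stats["stored_bytes"] += BLOCK_SIZE

    stored = stats["stored_bytes"]
    stats["ratio"] = stats["logical_bytes"] / stored if stored else float("inf")
    return stats


def monthly_ebs_cost(tb: float, hours_per_day: float,
                     usd_per_gb_month: float, ratio: float = 1.0) -> float:
    """The article's AWS arithmetic: provisioned GB (1 TB = 1000 GB, as the
    article counts) x price x fraction of the day the volume exists,
    divided by the data reduction ratio achieved."""
    provisioned_gb = tb * 1000 / ratio
    return round(provisioned_gb * usd_per_gb_month * hours_per_day / 24, 2)


if __name__ == "__main__":
    s = reduce_blocks(sample_volume())
    print(f"{s['blocks']} logical blocks: {s['zero']} zero, {s['dup']} duplicate, "
          f"{s['compressed']} compressed -> {s['stored_bytes']} bytes stored, "
          f"{s['ratio']:.2f}:1")
    print("300 TB gp2, 12 h/day at $0.10/GB-month: "
          f"${monthly_ebs_cost(300, 12, 0.10):,.0f} raw, "
          f"${monthly_ebs_cost(300, 12, 0.10, ratio=6):,.0f} at 6:1")
```

On the constructed sample only the three unique non-zero blocks reach stage 3, and the ratio comes out near 5:1 because the two random blocks cannot be compressed at all; the 6:1 figure in the article is a typical mix, not a property of the algorithm.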

Private Cloud

Organizations see similar benefits when they deploy data reduction in their private cloud environments. Private cloud deployments are selected over public because they offer the increased flexibility of the public cloud model but keep privacy and security under their own control. IDC predicts in 2017 $17.2B in infrastructure spending for private cloud, including on-premises and hosted private clouds.

One problem that data reduction addresses for the private cloud is that, when implementing private cloud, organizations can get hit with the double whammy of hardware infrastructure costs plus annual software licensing costs. For example, Software Defined Storage (SDS) solutions are typically licensed by capacity and their costs are directly proportional to hardware infrastructure storage expenses. Data reduction decreases storage costs because it reduces storage capacity consumption. For example, deduplication and compression typically cut capacity requirements of block storage in enterprise deployments by up to 6:1 or approximately 85%.

Consider a private cloud configuration with a 1 PB deployment of storage infrastructure and SDS. Assuming a current hardware cost of $500 per TB for commodity server-based storage infrastructure with datacenter-class SSDs and a cost of $56,000 per 512 TB for the SDS component, users would pay $612,000 in the first year. In addition, since software subscriptions are annual, over three years you will spend $836,000 for 1 PB of storage, and over five years, $1,060,000.

The same configuration with 6:1 data reduction will cost $176,667 for hardware and software over five years, resulting in $883,333 in savings. And that’s not including the additional substantial savings in power, cooling and space. As businesses develop private cloud deployments, they must be sure they have data reduction capabilities, because the cost savings are compelling.

When implementing private cloud on Linux, the easiest way to include data reduction is with Permabit Virtual Data Optimizer (VDO). VDO operates in the Linux kernel as one of many core data management services and is a device mapper target driver transparent to persistent and ephemeral storage services whether the storage layers above are providing object, block, compute, or file based access.

VDO - Seamless and Transparent Data Reduction


The same transparency applies to the applications running above the storage service level. Customers using VDO today realize savings up to 6:1 across a wide range of use cases.

Some workflows that benefit heavily from data reduction are:

  • Logging: messaging, events, system and application logs

  • Monitoring: alerting, and tracing systems

  • Database: databases with textual content, NoSQL approaches such as MongoDB and Hadoop

  • User Data: home directories, development build environments

  • Virtualization and containers: virtual server, VDI, and container system image storage

  • Live system backups: used for rapid disaster recovery

With data reduction, cumulative cost savings can be achieved across a wide range of use cases which makes data reduction so attractive for private cloud deployments.

Reducing Hybrid Cloud's Highly Redundant Data

Storage is at the foundation of cloud services and almost universally data in the cloud must be replicated for data safety. Hybrid cloud architectures that combine on-premise resources (private cloud) with colocation, private and multiple public clouds result in highly redundant data environments. IDC’s FutureScape report finds “Over 80% of enterprise IT organizations will commit to hybrid cloud architectures, encompassing multiple public cloud services, as well as private clouds by the end of 2017.” (IDC 259840)

Depending on a single cloud storage provider for storage services can risk SLA targets. Consider the widespread AWS S3 storage errors that occurred on February 28th 2017, where data was not available to clients for several hours. Because of loss of data access businesses may have lost millions of dollars of revenue. As a result today more enterprises are pursuing a “Cloud of Clouds” approach where data is redundantly distributed across multiple clouds for data safety and accessibility. But unfortunately, because of the data redundancy, this approach increases storage capacity consumption and cost.

That’s where data reduction comes in. In hybrid cloud deployments where data is replicated to the participating clouds, data reduction multiplies capacity and cost savings. If 3 copies of the data are kept in 3 different clouds, 3 times as much is saved. Take the private cloud example above where data reduction drove down the costs of a 1 PB deployment to $176,667, resulting in $883,333 in savings over five years. If that PB is replicated in 3 different clouds, the savings would be multiplied by 3 for a total savings of $2,649,999.

Permabit’s Virtual Data Optimizer (VDO) provides the perfect solution to address the multi-site storage capacity and bandwidth challenges faced in hybrid cloud environments. Its advanced data reduction capabilities have the same impact on bandwidth consumption as they do on storage, and translate to a 6X reduction in network bandwidth consumption and associated cost. Because VDO operates at the device level, it can sit above block-level replication products to optimize data before it is written out and replicated.


IT professionals are finding that the future of IT infrastructure lies in the cloud. Data reduction technologies enable clouds, public, private and hybrid, to deliver on their promise of safety, agility and elasticity at the lowest possible cost, making cloud the deployment model of choice for IT infrastructure going forward.

The Business Continuity Institute

Cyber resilience has for a long time been a major issue for business continuity professionals, with the Business Continuity Institute's Horizon Scan Report routinely featuring digital threats such as cyber attacks and data breaches as the greatest concerns.

Our news channels are often filled with stories of organizations that have had their services severely disrupted by these kinds of events, and with the BCI's latest Cyber Resilience Report revealing that almost two thirds of organizations experienced a cyber security incident during the previous year, it is clear that the threat is very real. Such is the topical nature of cyber resilience that it was chosen as the theme for the annual Business Continuity Awareness Week campaign.

The question is, how does your organization perceive the threat? Have you suffered from some form of cyber security incident during the last year, and what impact did it have on your organization? Do you feel you have adequate measures in place to deal with such an event, and perhaps just as importantly, do you have the backing of senior management to put measures in place to deal with them?

These are some of the questions the BCI is asking in order to inform the Cyber Resilience Report 2017, to be published later this year in collaboration with Sungard Availability Services. Please do take the time to complete the survey. It will only take a few minutes and each respondent will be in with a chance of winning a £100 Amazon gift card.

Mobile banking not only makes our life easier, it gives access to banking services to those that have none. A new series of standards just published will provide the platform for this technology to expand and grow, bringing robust and secure banking services to more people than ever before.

According to the World Bank, around two billion people worldwide are “unbanked”, meaning they have no access to a bank account. Cash is king and that can bring with it its own problems. However, more and more people, particularly in developing countries, have a mobile device, whose functionality in the financial world is growing daily, offering more and more services and transactions.

The ability of mobile devices to execute transactions between the large number of platforms and financial institutions is due to a robust interface and effective operability. A new series comprising International Standards and technical specifications has just been published. ISO 12812, Core banking – Mobile financial services, defines common terms and requirements for greater interoperability. It specifies the technical components and their interfaces and the role of the various parties so that everyone is on the same page.

Patrice Hertzog, Chair of ISO/TC 68/SC 7, the ISO technical subcommittee that developed the series, said that with more people having mobile phones than bank accounts in the world, developing this technology will bring secure financial services to a wider audience.



Can your company afford to lose $4 million? According to Ponemon Institute's 2016 Cost of a Data Breach Study, that's the consolidated cost of the average data breach. Even the smallest companies have to pay up after a cyberattack, and every compromised record containing sensitive or personal information costs a company about $158. That adds up quickly, and unfortunately for many businesses, it's a financial hit they are unable to survive.

Cyberattacks are a part of doing business in a digital world, and as many security experts warn, it isn't a matter of "if" a company will be attacked, but a matter of "when." And the smaller you are, the harder you'll fall. According to Small Business Trends, 43 percent of all cyberattacks are targeted at small businesses, and 60 percent of those businesses can't recover. While defending the network and data from threats by using multiple layers of security tools is absolutely necessary, many companies are now turning to cyber insurance as a way to limit post-incident damage.

Not surprisingly, the cyber insurance industry is growing and is predicted to reach $14 billion by 2022. That growth will be driven by three things:



This World Backup Day, businesses have some work to do on the data protection front.

After evaluating the results of a survey of 710 internet users, CloudBerry Lab, a provider of file management and cloud backup services for small and midsized businesses, gave enterprises a "C" grade for their data backup practices. According to the company, businesses are falling short on some critical fronts.

In email remarks sent to InfoStor, Alexander Negrash, director of marketing at CloudBerry Lab, noted that "only 24 percent of companies have 3 or more copies" of their data. "Most of the companies don't follow the best practices '3-2-1 backup' rule. A 3-2-1 strategy means having at least three total copies of your data, two of which are local but on different mediums, and at least one copy offsite."



Monday, 03 April 2017 15:54

Enterprises Earn a 'C' Grade in Backup

CHICAGO – Snowmelt may not be a significant concern this year, but severe storms and heavy spring rainfall could still cause flooding in the months ahead. Now is the time to prepare.

  1. Ensure you’re flood insured. A flood insurance policy could protect you from the devastating out-of-pocket expenses caused by flooding. Don’t wait until it’s too late. A policy takes 30 days to go into effect from application and payment. A typical homeowner’s insurance policy does not cover floods.
  2. Conduct a household inventory. Be sure to keep a record of all major household items and valuables. These documents are important when filing insurance claims. For help in conducting a home inventory, visit www.knowyourstuff.org.
  3. Protect important financial documents. Store copies of irreplaceable documents (such as birth certificates, passports, etc.) in a safe, dry place. Keep originals in a safe deposit box.
  4. Build an emergency supply kit. Food, bottled water, first aid supplies, medicines, and a battery-operated radio should be ready to go when you are. Visit www.Ready.gov for a complete disaster supply checklist.
  5. Plan for evacuation. Plan and practice a flood evacuation route. Ask someone out of state to be your “family contact” in an emergency, and make sure everyone in your family knows the contact’s address and phone number.

“The spring season brings a heightened flood risk throughout our area in the coming months,” said FEMA Acting Regional Administrator Janet M. Odeshoo. “Preparing now will help to ensure that you’re protected against the costly damage floodwaters can cause.”

Visit FloodSmart.gov or call 1-800-427-2419 to learn how to prepare for floods, how to purchase a flood insurance policy and the benefits of protecting your home or property investment against flooding. You can also contact your insurance agent for more information.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at twitter.com/femaregion5, www.facebook.com/fema, and www.youtube.com/fema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

Monday, 03 April 2017 15:53

FEMA: Spring Flood Risk: Are You Ready?

The Federal Trade Commission has a simple and quick posting on how to manage and deal with phishing. The weakest link we have in cyber attacks and incidents is our staff. How do we educate them to be careful and think before clicking? Here are some great tips to share broadly from the FTC.

What is Phishing?

When internet fraudsters impersonate a business to trick you into giving out your personal information, it’s called phishing. Don’t reply to email, text, or pop-up messages that ask for your personal or financial information. Don’t click on links within them either – even if the message seems to be from an organization you trust. It isn’t. Legitimate businesses don’t ask you to send sensitive information through insecure channels.

The FTC post gives you solid information on:



No matter the condition of your DR environment, you can make it better. Today’s blog provides ideas on how to improve an environment we hope to never use.

We emphasize one overriding principle, possibly the most important consideration in improving your DR environment – ensure that whatever you have in place will actually work. Once you’ve done this, how can you make it more functional?

Here are five things you should consider:



Monday, 03 April 2017 15:51

Build a Better DR Environment

Global economic losses from disaster events almost doubled in 2016 to $175 billion from $94 billion in 2015, according to the most recent Sigma Study from the Swiss Re Institute.

Insured losses also rose steeply to $54 billion in 2016 from $38 billion in 2015, the study found. This led to a “protection gap,” as the company calls it, of some $121 billion, the difference between economic and insured losses, a figure highly indicative of the opportunity for greater insurance penetration, according to Swiss Re. “The shortfall in insurance relative to total economic losses from all disaster events…indicates the large opportunity for insurance to help strengthen worldwide resilience against disaster events,” said the report. The gap was $56 billion in 2015.

Total economic and insured losses in 2015 and 2016:



The U.S. and United Kingdom bans on personal electronics including laptops, iPads and tablets in the cabin of some flights from the Mideast and Africa have sparked concerns. Many are now worried about a midair firestorm from lithium-ion batteries stored in airplane cargo bins below.

Rechargeable batteries have raised concerns for years because poor packing or manufacturing flaws can occasionally cause catastrophic problems. Storing batteries in cargo raises worry because that’s where a fire could spread unnoticed.

An issue with checked luggage could cause a small fire, and trigger other flammable materials such as hair spray or nail polish packed in the luggage. A fire in the cargo space is nothing that anybody wants.



While data backup and replication have their similarities, they are not the same, and rather than competing with one another they can be used as complementary tools to maximise the efficiency of an IT environment.

Data backup is the process of taking a copy of data at a fixed point in time and storing it for a set time frame (retention) in an alternate location to its original source.

Backups are typically used to make sure regulations and compliance around data protection are being met, and to protect against data loss.

Data replication also requires a copy of data to be taken and transferred to an alternate storage platform. Replication, however, creates a synchronous or near-synchronous copy, usually designed to limit and reduce any potential downtime should primary systems fail.

Data Backup

Backup is an essential tool for organisations of all sizes and goes some way to meeting legislation around data protection and industry compliance around data, such as the School Financial Value Standards (SFVS) for schools in the UK, the Protection of Personal Information Act (POPI) in South Africa or the Patriot Act in America.

The ability to restore a file that has been lost, corrupted or deleted in an efficient way is a driver for organisations to invest in backup solutions whether these be onsite, offsite or hybrid.

If replication gives me an identical copy almost instantly why is it not an effective backup?

An instant, or close to instant, failover will be most effective in the case of a full system failure or loss. A disaster situation such as a fire or flood on a primary site has the potential to cause significant financial losses if a business cannot continue to operate. Being able to fail over and keep systems such as web or mail servers online can allow businesses to keep trading.

If a file is corrupted or deleted on a primary system then this will be copied to the replicated system, so a historical version may be needed to access a usable copy of the data; a backup is one way of making sure there is an intact copy of the file.

Ransomware remains a threat to all organisations and comes in many forms and strains. Should a system become infected with ransomware, this will be replicated to the secondary copy and would also render that system unusable. However, as long as there is a secure off-site backup then the data can be restored back to the primary storage systems.

When is it best to use replication?

Replication has the ability to drastically reduce the Recovery Time and Recovery Point Objectives (RTO, RPO) of an organisation due to its near-instant copy and the ability to fail over to secondary systems.

  • The Recovery Time Objective (RTO) is the time limit set by the business to have recovered data and have systems running at a normal level. Subsets of data may have different RTOs dependent on their importance or availability.
  • The Recovery Point Objective refers to the last available copy of data that can be recovered from and the maximum amount of time between these backup points. If the business can afford to lose a day’s work, this is likely to be set at 24 hours.

Replication as a tool for business continuity and disaster recovery is something that enterprise organisations have relied on for years. Traditionally this would involve a secondary data centre or storage platform, identical to the primary, being provisioned and maintained at a significant additional cost to the organisation.

With the ability to utilise public cloud storage platforms, such as Microsoft’s Azure platform or Amazon’s Glacier platform, and the ability to run virtual machines in these environments, replication is becoming more accessible to smaller organisations.

Replication is most effective as a tool for near-instant recovery but not for historical copies or to keep in line with legislation.

Which one should I use?

Whether replication should be used ultimately depends on the requirement of your organisation and the policies that are in place. Backup however, should always be used in one form or another.

If there is a requirement for high availability or an RTO of less than 12 hours, then replication is a good fit. However, unless utilising cloud based infrastructures this can still be a very costly investment.
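As an added example, not part of the article above, the following Python script evaluates a constructed backup inventory against the 3-2-1 rule as quoted earlier on this page (three copies in total, two local on different media, one offsite) and works out the Recovery Point Objective actually achieved when a ransomware event has already been mirrored to the replica. The Copy record, the site and medium labels, the timestamps, and the modelling assumption that a replica carries the corruption while a snapshot taken before the event stays clean are all assumptions of this example rather than anything the article specifies.

```python
"""Evaluate a backup inventory against the 3-2-1 rule and an RPO target.

Assumptions of this example (not from the article): a replica mirrors the
primary continuously, so it reflects any corruption that happened before
the recovery point; a snapshot is a point-in-time copy that stays intact
regardless of later corruption on the primary.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRIMARY_SITE = "primary-site"  # constructed label for the production site


@dataclass(frozen=True)
class Copy:
    name: str
    site: str           # where the copy physically lives
    medium: str         # "disk", "tape", "cloud", ...
    kind: str           # "primary", "replica" or "snapshot"
    taken_at: datetime  # point in time the copy represents


def check_321(copies):
    """Return (compliant, summary) for the 3-2-1 rule as the page states it:
    at least 3 copies in total, 2 of them local on different media, 1 offsite."""
    local = [c for c in copies if c.site == PRIMARY_SITE]
    offsite = [c for c in copies if c.site != PRIMARY_SITE]
    local_media = {c.medium for c in local}
    summary = {
        "total_copies": len(copies),
        "local_media": sorted(local_media),
        "offsite_copies": len(offsite),
    }
    compliant = len(copies) >= 3 and len(local_media) >= 2 and len(offsite) >= 1
    return compliant, summary


def usable_copies(copies, corrupted_at):
    """Copies that still hold clean data after a corruption event (e.g. ransomware).
    Snapshots taken before the event survive; the primary and any replica of it
    have already mirrored the corruption and are excluded."""
    return [c for c in copies if c.kind == "snapshot" and c.taken_at < corrupted_at]


def achieved_rpo(copies, corrupted_at, now) -> Optional[timedelta]:
    """Data loss if we restore the newest clean snapshot: now minus its timestamp.
    None means nothing clean is left to restore from."""
    clean = usable_copies(copies, corrupted_at)
    if not clean:
        return None
    newest = max(clean, key=lambda c: c.taken_at)
    return now - newest.taken_at


def meets_rpo(copies, corrupted_at, now, target):
    """True when a clean copy exists and restoring it loses no more than `target`."""
    rpo = achieved_rpo(copies, corrupted_at, now)
    return rpo is not None and rpo <= target


# Constructed sample data: the timestamps and names below are illustrative only.
NOW = datetime(2017, 4, 3, 16, 0)
RANSOMWARE_AT = NOW - timedelta(hours=2)

# Primary + near-synchronous DR replica + local nightly tape + weekly cloud copy.
INVENTORY_FULL = [
    Copy("prod-san", PRIMARY_SITE, "disk", "primary", NOW),
    Copy("dr-replica", "dr-site", "disk", "replica", NOW),
    Copy("nightly-tape", PRIMARY_SITE, "tape", "snapshot", NOW - timedelta(hours=10)),
    Copy("weekly-cloud", "cloud-region", "cloud", "snapshot", NOW - timedelta(days=3)),
]
# Replication only: fast failover, but no historical copy to fall back on.
INVENTORY_REPLICA_ONLY = INVENTORY_FULL[:2]

if __name__ == "__main__":
    for label, inv in (("full", INVENTORY_FULL), ("replica-only", INVENTORY_REPLICA_ONLY)):
        ok, summary = check_321(inv)
        rpo = achieved_rpo(inv, RANSOMWARE_AT, NOW)
        print(f"{label}: 3-2-1 compliant={ok} {summary}; "
              f"achieved RPO after ransomware={rpo}")
```

Running it shows the point the article makes: the replica-only inventory fails 3-2-1 and, once the ransomware has been mirrored, leaves nothing clean to restore, whereas the full inventory restores from the nightly tape with ten hours of data loss, which satisfies a 24-hour RPO but not a 4-hour one.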


Gemalto yesterday released the findings of its Breach Level Index for 2016, which states that 1,792 data breaches worldwide led to the compromise of almost 1.4 billion data records last year, an increase of 86 percent over the previous year.

Identity theft was the leading type of data breach in 2016, accounting for 59 percent of all data breaches.

The second most common type of breach was account access based breaches, accounting for 54 percent of all breached records, a surge of 336 percent over 2015.



Wednesday, 29 March 2017 13:56

1.4 Billion Data Records Exposed in 2016

Sure, malware's a persistent pain. But IT security pros today have other things on their minds.

Carbon Black, a Waltham, Mass. security vendor, recently polled 400 cybersecurity researchers. The majority of them, 93 percent in fact, said that non-malware attacks posed a bigger danger to businesses than the current crop of commodity malware that's making the rounds on the internet.

"Non-malware attacks will become so widespread and target even the smallest business that users will become familiar with them," according to an unnamed survey participant. "Most users seem to be familiar with the idea that their computer or network may have accidentally become infected with a virus, but rarely consider a person who is actually attacking them in a more proactive and targeted manner."



Tens of thousands of policyholders caught in a disaster in 2016 were better able to recover from the losses and hardships inflicted thanks to insurance.

Global insured losses from catastrophes totaled around $54 billion in 2016 – the highest level since 2012, according to the latest report from Swiss Re sigma.

North America accounted for more than half the global insured losses in 2016, with insured losses from disaster events reaching $30 billion, the highest of all regions.



Is there a case for blockchain in your organization? Cutter Business Technology Journal contributing authors Steven Kursh and Arthur Schnure recently argued that companies should begin considering which parts of their organization might benefit from blockchain. Among their advice to CIOs and CTOs is to look for areas of friction when it comes to exchange of value or information that would benefit from a blockchain implementation and profit from a shared ledger system.

Write Kursh and Schnure, “Take a page from IBM, which announced in July 2016 that it plans to implement a solution to help its finance division resolve client and partner disputes. IBM believes the new system — one of the largest commercial rollouts of blockchain technology yet — will free up US $100 million in capital locked up in manual dispute resolutions. The company is beginning its journey to blockchain in a sector of its business where the benefits are real, yet the implementation is localized.”

“In the long run,” they continue, “blockchain technologies have the ability to enable cost savings, greater efficiency, more rapid transaction clearing, and greater cybersecurity. However, the development and implementation costs at this stage are likely quite substantial. In addition, the greater energy requirements for a large-scale blockchain may be cost-prohibitive. Developing and implementing blockchain technologies in your organization will require resources and time. And as with most innovations, people and processes will need to change, potentially creating internal conflicts.



According to a recent Kaspersky Lab report, attackers who demand a ransom in return for not launching a DDoS attack (or to call off an attack in progress) can earn thousands of dollars in bitcoins, enabling the profitability of such attacks to exceed 95 percent.

"And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire," the report notes.

DDoS attacks, according to the report, can cost anywhere from $5 for a 300-second attack to $400 for a 24-hour attack.






“Give me your gut!” (as in “gut feeling”) has long been the cry of business continuity management in meetings, trying to make sense of complex situations or cut through to the essentials.

Gut feelings are nonetheless only as good as judgement and the experience used to make them. They may therefore be wrong, for any number of reasons, including incomplete information, personal prejudice, and faulty reasoning. In business continuity, as in other domains, organisations cannot afford to run on gut feelings when the risk of error is too high. But are data-driven decisions on business continuity a better option?

Business analytics are often suggested as the “cure” for gut feeling.

Instead of trying to deal with emotions or personal preferences, the idea is to use facts as the basis for decision.



As I’ve said many times, cybersecurity seems to be more about reacting than acting or being proactive. Now, a new study by 1E found that, in fact, IT professionals spend a third of their time reacting to emergencies.

Nearly 30 percent of IT tasks are unplanned, which works out to about 14 weeks of job time per year. More than half of the respondents admit that a problem that is found relatively quickly (within an hour) can take most of the day to resolve.

While this study looks at IT as a whole, it fits into the scope of security, as well. Think of the amount of downtime that is caused by a security incident and how long it takes you to get the company up and running properly again, or how long it takes to resolve that incident. Then ask yourself if you were prepared to address the security incident. Again, I think the formal statement that Sumir Karayi, founder and CEO of 1E, made is as applicable for security as well as overall IT functions:

We knew that IT teams spend a lot of time on unplanned incidents, but we didn’t think it was this high – one third of their time. That’s taking a huge toll on their ability to innovate.



More than 30,000 people in low-lying coastal areas have been urged to evacuate their homes ahead of powerful Cyclone Debbie, as it bears down on the Queensland coast in northeastern Australia.

With landfall expected early Tuesday, Cyclone Debbie is currently a Category 4 storm and could intensify to Category 5. A Category 4 storm on the Australian scale equates to wind gusts of more than 140 miles per hour, the New York Times said.

Storm surge poses the biggest threat as the cyclone strengthens, according to major weather forecasters and news outlets.



We have been a fan of the Incident Command System (ICS) since the 1990s. It was created in my fair state – California – to manage wildfires. Everyone realized early on that it had many more uses than just the fire service. It is now required for all city, county, state and federal departments and agencies. What about a company?

Many companies fail to have a great Crisis Management Team because they lack four simple things. Are you developing or retooling the team you have? Then you should consider using ICS.

On Wednesday, March 29, I will be doing a general session at DRJ in Orlando with one of our clients, Salt River Project (SRP), who have embraced ICS. We will both be speaking so you will learn from the “horse’s mouth” how SRP reorganized their team and the results.

The goal of this presentation is to help you create both a great team and a great process in order to manage incidents large and small. There are four key things that we often find missing in company teams and plans:

  1. A clearly defined structure
  2. Identified roles and responsibilities
  3. A formal assessment process and team
  4. The ability or knowledge to develop an Incident Action Plan (IAP)

You will learn how SRP has embraced the Incident Command System, refocusing their Crisis Management Team and their processes to be even more effective.

Topics Covered

  • Incident Command System – a powerful methodology.
  • Crisis Management Teams – Roles and responsibilities.
  • Initial Assessment Team – Who should be on the team.
  • Incident Action Plan (IAP) – How to write one.


  • Regina Phelps, EMS Solutions Inc.
  • Kenneth Lewis, Salt River Project, Principal Emergency Management Program Analyst


You lock your home—now lock your network. This means having a reliable and secure data center and following basic safety rules, like locking down ports, shutting off services, removing rights and privileges when no longer justified, and using firewalls. You’ll also need host and network intrusion detection and prevention (IDS/IPS) as well as physical access controls such as badge, PIN pad and biometrics etc., to ensure you let only the right traffic and the right people in.

The best way to keep a secret is to encrypt it. But what to encrypt? Encryption can occur at many layers—the network, the physical disk drive, the database, or individual fields. All encryption is not the same; algorithms have different key lengths, some are slower in performance than others and some have been compromised through the ages. Be aware, and keep current with encryption techniques.

At the application layer, strong authentication is key. Create a process for good passwords and keep it simple so people will use it, but make it strong to keep the bad guys out. Passphrases, account ID images and challenge questions are other techniques. A simple technique to use for challenge questions is to not respond with the answer to the question being asked. If the question is “What is your mother’s middle name” use a word like “chair” or “fish.” These red herring responses cannot be traced back to your Facebook or other social accounts.



A man drives a car into pedestrians on Westminster Bridge, keeps driving, crashes the car outside the Houses of Parliament, then tries to enter the complex armed with a knife. Four people are dead, including a policeman and the assailant, and at least 40 injured.

The investigation into yesterday’s terrorist attack in the heart of London is ongoing, as Westminster bridge reopens and Parliament gets back to work.

Small group and “lone wolf” terrorist attacks are seen as indicative of the shifting nature of terrorism, according to experts (here and here).



Back in 2015 the world was captivated by the Universal film “Jurassic World”. Viewers praised Chris Pratt’s performance in this science fiction thriller, but were more entertained by a different kind of hero. During a pterosaur attack causing resort guests to push, shove, and trample each other as they flee, a man is spotted grabbing two margaritas before seeking his own safety…or the safety of the second margarita’s owner. #priorities

Movies typically depict a crowd’s response to an emergency or disaster scenario as emotionally driven, almost irrationally selfish. It’s widely assumed that as mass hysteria and panic take hold of a crowd, people do whatever they can to better serve themselves. But does this actually occur off the screens? Are we really all the margarita man?

Social psychology says no. Research dating back as far as the 1950s shows that behavior in disaster response is generally pro-social and collaboratively altruistic. History backs this theory up.



Monday, 27 March 2017 20:38

Crowds in Crises

In theory, BYOD or bring your own device lightens the load in terms of IT sourcing, because it transfers the work (and cost) of acquiring a device to the user of that device.


Users are happy because they can use the devices they favour, while IT departments can free up time and budget to use elsewhere. Everyone is happy, end of story – or not quite.

Paranoid IT managers can over-compensate for the wide variety of different devices, going overboard on security and bandwidth investments.

On the other hand, unwary IT organisations can end up with more problems than they solve, if they fail to put IT management in place (which requires IT sourcing of its own) and users swamp out helpdesks with issues that mix personal and professional device usage.

Is CYOD rather than BYOD the answer?



Whether you’re looking to hire a business continuity expert, or you’re training to become one, this guide will help you determine the qualifications and experience that are required.

Before we get into certifications or BCM specific qualifications, let’s review the important non-BCM skills that make an effective BCM professional.

  • Business function experience or technical IT experience. This is a must. Business Continuity is about business, and without basic business function knowledge and experience, guiding departments and interfacing with IT areas will be challenging.
  • Project management experience. You do not necessarily need a certified project manager, but you do need someone who is familiar with project management concepts and project organization. In the end, BCM is a program and requires organizational skills.
  • Interpersonal skills. Effective BCM programs must work with multiple levels of an organization, so the ability to communicate across all levels, as well as to understand and address concerns and pushback are necessary for success.
  • Flexibility and adaptability. Organizational needs change over time, and a demonstrated ability to be flexible in both process and problem solving will help identify solutions to BCM issues surrounding implementation, documentation, and governance.



Got data? But more to the point, got the RIGHT data, and now? Low-friction and fast access to data are top priorities for data/analytics and marketing professionals in 2017. Here’s the picture of priorities: it’s a high or critical priority for 70% of marketing pros to increase their use of data and analytics for marketing measurement and customer insights – their fourth highest priority. Data and analytics pros’ highest priority – at 60% of data and analytics pros – is implementing or expanding their complete view of the customer across channels, and over 50% are providing self-service data preparation tools to business users. Firms are stepping up the pace.

What can help with these priorities?  Data preparation tools.  To accelerate time-to-insights and therefore time-to-actions, business end users and analysts who today wrangle data in spreadsheets or other traditional tools need direct access to data and a significant power assist. Data preparation tools can provide this power, but they must balance features and functions to support different roles and use cases and enable appropriate manageability, security, and governance in today's enterprises — while at the same time delivering speed-to-value.



The concept of cyber threat intelligence is really not much different from other areas of the intelligence field. In national security, intelligence gathering techniques seek to detect potential situations and draw conclusions that enable people to take action before anything serious occurs. Similarly, cyber threat intelligence is only one tool in the security arsenal. Used well, it can warn companies that the bad guys are active inside their network and what they are looking for. It points out unusual patterns to look for in systems and other valuable data. But it won’t stop an attack. That takes human intervention and the deployment of the right technology tools to block or at least mitigate an attack.  

But as time goes on, the potential threat vectors are multiplying: servers, desktops, laptops, mobile devices, and now the Internet of Things (IoT), which could open enterprises to attacks via innocuous objects such as thermostats and a myriad of other devices that contain sensors and processors.

“Every device large or small becomes a source for cyber threat intelligence,” said Peter Tran, senior director of Worldwide Advanced Cyber Defense at RSA Security. “With the Internet of Things (IoT) projected to grow to over 50 billion connected devices by 2020, there is a real challenge ahead in terms of structuring effective threat analysis across massive volumes of smart connected devices.”



(TNS) — Communities across Ohio on Wednesday will be testing tornado sirens as part of a drill for the Emergency Alert System.

The sounding of the sirens, which is set for 9:50 a.m., is part of Severe Weather Awareness Week, which runs through March 25, according to the Ohio Emergency Management Agency.

The testing comes on the eve of Ohio’s tornado season, which runs April 1 through July 30.



DURHAM N.C. — If local building officials notified you that your home is substantially damaged, you may be able to receive funds to make your structure safer and stronger.

If you are rebuilding or repairing a substantially damaged home or business, your community may require you to elevate or make other changes. Substantial damage applies when the cost of restoring a structure equals or exceeds 50 percent of its pre-damage market value. However, some communities have regulations that are more restrictive. Check with your local building officials or community flood-plain administrator for more information.

If the substantial damage is solely from flooding, your National Flood Insurance Program (NFIP) policy may provide up to $30,000 to update your structure so it meets local flood-plain management regulations. To apply, you must first submit a signed Increased Cost of Compliance (ICC) Proof of Loss form to your insurance company.

To be considered for an ICC claim, your insurance company needs a contractor’s estimate for the proposed ICC-eligible measures to your home or business and copies of construction permits.

Structures that comply with flood-plain management regulations have an enhanced ability to withstand storms and floods. Mitigation measures eligible for ICC include elevation, relocation, demolition and flood proofing.

You have six years from the date of loss to complete the chosen and approved ICC measures.

The U.S. Small Business Administration (SBA) may be another source of funds if your home or business was determined to be substantially damaged.

If you applied for an SBA Home Disaster Loan or Business Physical Disaster Loan and your application was approved, you may be eligible for additional funds to pay for improvements that will protect your property against future damage. The funds can be up to 20 percent of the amount of the approved loan.

For more information, call the SBA at 800-659-2955 or TTY 800-877-8339. You may also go online to sba.gov/disaster.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.


Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow FEMA on twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during, and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955 or visiting SBA’s Web site at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

Passwords remain one of the most critical security controls widely used to protect and secure company infrastructure and data. While the need for strong passwords has long been discussed, they continue to be the difference between a secure infrastructure and a potential cyber catastrophe.

Last year was extremely busy in cybercrime, with more than 3 billion credentials and passwords stolen and disclosed on the internet. That works out to a rate of 8.2 million credentials and passwords each day or 95 passwords every second.

Passwords have always been a good security control, but password strength and how passwords are processed make a major difference in how secure they really are. For example, it is critical to choose a password that is easy to remember, to keep it long, and to use some complexity and uniqueness. In addition, how the password is processed and stored in an encrypted format plays a major role in password security.



The Business Continuity Institute - Mar 22, 2017 12:11 GMT

Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, Upper characters, Lower characters, Special characters and Digits (ULSD) recommendations and password complexity mean less.

People reuse passwords. They rotate them. They add a digit to them. They even use identical passwords or share passwords with others. As data scientists, it is our job to go deeper and identify the common human behavior. For example, we’ve seen how local culture impacts passwords: local football team names are commonly used as passwords.

The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.

People need patterns to remember things, and to feel more secure they use a combination of ULSD. But ULSD itself has its own patterns. Most common? Take a word. Capitalize it and add digits to the end. Sound familiar? The majority of people do this.

At Preempt we have taken this a step further and analyzed passwords as they relate to recent large account breaches at companies like LinkedIn, Yahoo, etc. We have found there is a common denominator with regard to passwords between breaches -- and it is much greater than you think.

Stats and Findings:

Many people use (very) weak passwords

Preempt researches worldwide user account compromise and large-scale account breaches. Let’s take for example the relatively recent high-profile LinkedIn breach. One thing is certain, any person that used the same password for LinkedIn as they did for their work account (or other account), is currently vulnerable within these other accounts. Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with.

We set out to answer the question: How many LinkedIn accounts were weak prior to the LinkedIn breach?

To answer this, we compared how many passwords in LinkedIn’s password dump were already known from previously established password dictionaries. The results were staggering: 63,588,381 (~35%) of accounts used previously known passwords to begin with. No matter how complex these passwords were, they are considered weak because they can be quickly cracked offline by matching against a wordlist of known (or previously used) passwords.

Most Passwords Can Easily Be Cracked

After we looked at password weakness, we wanted to determine how easy passwords might be to crack. To do this, we estimated the relative strength of account passwords within a general organization. To be as conservative as possible, we made the following three assumptions:

  1. Users are not sharing passwords between themselves or other accounts.
  2. Some variation of Microsoft password policy recommendations is in place. Specifically:
    1. Users use passwords with 10 characters or less. (From our research, aside from some very security-focused organizations with very specific policies for admins, more than 90% of organizations don’t require more than 8-character passwords.)
    2. MS password complexity is turned on.
  3. Attackers are able to obtain and exfiltrate password challenges to crack passwords. Attackers have many ways to achieve this (e.g. NTLM Relay). An overview of these techniques is a topic for another blog post.

We then tried to compute how much time it would take to crack a password with brute force, using standard off-the-shelf cracking hardware. We then created three password models:

  1. Low Complexity - only password length is enforced.
  2. Medium Complexity - password length and complexity are enforced. Users have common ULSD patterns (e.g. initial letter is capitalized, last letter is a digit).
  3. High Complexity - same as medium complexity, but users are aware not to use common ULSD patterns.

[Figure (password complexity.png): Time required to crack passwords (10 characters) using standard hardware]

As can be seen, the results are astounding: low complexity passwords can be cracked in less than a day, medium complexity passwords are cracked in less than a week and high complexity passwords are cracked in less than a month.
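The checks the analysis above rests on (matching a password dump against a list of previously leaked passwords, spotting the capitalized-word-plus-digits ULSD pattern, and applying minimum length and three-of-four complexity) as an added Python example. This is not Preempt’s code; the leaked-password set and the sample dump are constructed stand-ins, and the 12-character minimum is an assumption taken from the post’s own recommendation.

```python
"""Password-audit helpers: constructed example, not Preempt's code.

KNOWN_LEAKED stands in for a dictionary built from earlier public leaks and
SAMPLE_DUMP for a newly leaked credential dump; both are made up here.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a dictionary of previously leaked passwords.
KNOWN_LEAKED: Set[str] = {
    "password", "123456", "qwerty", "Password1", "Summer2016", "linkedin",
    "Welcome1", "letmein", "Liverpool1", "abc123",
}

# Constructed stand-in for a fresh dump being compared against KNOWN_LEAKED.
SAMPLE_DUMP: List[str] = [
    "Summer2016", "Tr0ub4dor&3", "correct horse battery staple", "Password1",
    "Liverpool1", "xK9#mQ2v!pLw", "Welcome1", "dragon",
]

# "Take a word, capitalize it and add digits to the end": first letter upper
# case, at least two lower-case letters, one to four digits, optionally one
# trailing special character.
_COMMON_ULSD = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[!@#$%^&*.]?$")

# The four ULSD classes; Microsoft-style complexity wants at least three.
_CLASSES = [
    re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
    re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]"),
]


def meets_complexity(pw: str) -> bool:
    """True when the password uses at least three of the four ULSD classes."""
    return sum(1 for c in _CLASSES if c.search(pw)) >= 3


def follows_common_pattern(pw: str) -> bool:
    """True when the password is a capitalized word followed by digits."""
    return bool(_COMMON_ULSD.match(pw))


def audit_password(pw: str, known: Set[str] = KNOWN_LEAKED,
                   min_len: int = 12) -> Dict[str, bool]:
    """Flags one password against the weaknesses the analysis describes."""
    return {
        "previously_leaked": pw in known,
        "too_short": len(pw) < min_len,
        "common_ulsd_pattern": follows_common_pattern(pw),
        "fails_complexity": not meets_complexity(pw),
    }


def is_weak(pw: str, known: Set[str] = KNOWN_LEAKED, min_len: int = 12) -> bool:
    """A password is weak if any single flag is raised, complexity or not."""
    return any(audit_password(pw, known, min_len).values())


def audit_dump(dump: Iterable[str], known: Set[str] = KNOWN_LEAKED,
               min_len: int = 12) -> Dict[str, float]:
    """Counts each weakness across a dump; 'fraction_known' answers the
    LinkedIn question: how many accounts already used a known password?"""
    counts = {"total": 0, "previously_leaked": 0, "too_short": 0,
              "common_ulsd_pattern": 0, "fails_complexity": 0, "weak": 0}
    for pw in dump:
        flags = audit_password(pw, known, min_len)
        counts["total"] += 1
        for name, hit in flags.items():
            counts[name] += int(hit)
        counts["weak"] += int(any(flags.values()))
    total = counts["total"]
    counts["fraction_known"] = counts["previously_leaked"] / total if total else 0.0
    return counts


if __name__ == "__main__":
    for pw in SAMPLE_DUMP:
        print(f"{pw!r:32} weak={is_weak(pw)} {audit_password(pw)}")
    print(audit_dump(SAMPLE_DUMP))
```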

Now for security teams, do you know how many users in your organization have:

  1. Passwords with 10 characters or less?
  2. Passwords that follow conventional ULSD patterns?
  3. Passwords that are rarely changed? (Do you know how often your users change their passwords?)

In Summary

Here are some facts we’ve learned:

  • Password complexity isn't working - passwords can meet complexity and still be considered weak because of password dictionaries.
  • Passwords are not unique - people reuse passwords and newly leaked dictionaries contain previously leaked passwords.
  • Passwords follow patterns - in most cases, the top 100 patterns will crack the majority of passwords in an organization.
  • Password cracking is easy - depending on hardware resources, it can take only seconds to minutes to brute force most passwords.
  • Passwords are shared between users - people share passwords, use identical passwords and duplicate passwords between services.
  • Password expiration policy is not enforced - frequent password change policies are disabled, and many times specifically for executives (e.g. CEO) with highly sensitive profiles.

So, what does this mean? ULSD essentially doesn’t matter. It is important to educate employees, and individuals in general, about password strength and levels of risk following recent breaches. If you use the same username and/or login for multiple websites, you're putting yourself at significant risk. What else can you do?

  1. Use a password policy to enforce complexity and password expiration.
  2. Require longer passwords (8 bad, 10 ok, 12 good).
  3. Educate people to:
    1. Not share passwords with other employees.
    2. Not share passwords with other cloud services.
    3. Not use simple patterns, personal data or common words (make it unpredictable).
    4. Not repeat passwords when a password expires (enumeration included).
  4. Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device.
  5. Implement a context-based solution - train and enforce password policy based on user activity.

Eran Cohen is Director of Product Management at Preempt.

Recovering from a ransomware attack is costly and time-consuming, so it's vastly preferable to avoid an attack in the first place. And the easiest way to prevent a ransomware attack is to understand how the malware works. The goal of ransomware authors is to get their malicious code onto potential victims' computers and other devices, and there are several methods that they employ to achieve this.

Malicious email attachments and links

Spam has been an Internet problem for years, but ransomware authors have adopted it as the attack vector of choice for their malicious code.

It turns out that there have been no great innovations in the way ransomware authors tempt users to open malicious email attachments: Many common strains of ransomware use email subjects relating to account suspensions, unpaid invoices, or packages that can't be delivered, to attract potential victims' attention.



No matter how scaled-out, hyperconverged or abstracted data center infrastructure becomes, one element remains the same: Servers need high-speed access to vast amounts of storage.

This produces a paradox, however, because as more storage comes online, it takes longer to find and retrieve data locked somewhere within its volumes.

To counter this, platform developers are continuously tweaking their designs to make storage more responsive and more suitable to the cloud-facing data environments that are taking on more of the data load. And increasingly, this involves placing high-capacity solutions directly on the server itself.

Intel recently unveiled an addition to its Optane SSD line, the DC P4800X, which the company bills as an extended pooled memory solution suitable for scale-out, accelerated applications incorporating artificial intelligence and machine learning. Like many memory solutions, the Optane is designed to provide low latency and a means to alleviate data bottlenecks by improving CPU utilization. But the new device is also paired with Intel’s Memory Drive Technology that integrates the drive into the memory subsystem of the server to present it as DRAM to operating systems and applications. This allows for larger memory pools that enable the enterprise to consolidate workloads on fewer servers.



Tuesday, 21 March 2017 15:04

Making the Most of Available Storage

Cybersecurity isn’t just about securing the data on the network. It’s about securing the data anywhere on any endpoint, on any device, on any application. An incident from last week put the importance of endpoint security front and center. A Secret Service laptop with extremely sensitive information stored on it was stolen, as ZDNet explained:

A thief broke into a Secret Service's car in Brooklyn and stole the laptop in the middle of the night. Taken in a backpack that was later dumped, the laptop contains information about Trump Tower, including floor plans and evacuation protocol, along with important files on Pope Francis and [Hillary] Clinton.

Sources are reporting that there is no risk to the data stored on the laptop, as the device has high levels of security. The device requires a code to be accessed, the files are encrypted, and allegedly, there is a remote wipe option. Cybersecurity efforts within government agencies have not been at high standards, as we’ve seen with so many recent breaches and other security incidents, including stolen laptops.



BATON ROUGE, La. – An additional $6.6 million will help schools devastated by the August floods move forward with repairs and rebuilding efforts. This brings the total to nearly $67 million FEMA has obligated for schools.

FEMA’s Public Assistance (PA) program will pay for such projects as temporary facilities, basketball court enhancements, fencing and team and maintenance equipment in Tangipahoa, Ascension, East Feliciana and East Baton Rouge parishes. Funding will also pay for emergency protective measures, building construction, remediation and utility assistance in these areas.

As of March 17, FEMA’s PA has obligated over $317 million to reimburse local and state governments as well as certain private nonprofits for the repair or replacement of disaster-damaged facilities and infrastructure. The funds also cover debris removal and emergency response activities in designated parishes.

In general, FEMA’s PA program helps to repair or replace critical infrastructure, such as roads, bridges, public buildings and schools. The program encourages protection of damaged facilities from future events by providing assistance for certain hazard mitigation measures. PA offers supplemental financial assistance on a cost-sharing basis. FEMA typically reimburses 75 percent of eligible PA expenses. However, FEMA will reimburse applicants 90 percent of eligible PA expenses given the magnitude of the August floods.

While large enterprises and high-tech startups instigated the SaaS infrastructure revolution and primarily benefited from it, many mainstream small-and-medium-size businesses (SMBs), sole proprietors and “mom-and-pop” retailers may feel like they got left behind by cloud computing. However, the story remains more complicated. Strategic-thinking SMBs from Main Street have also harnessed Web 2.0 to leverage their narrower HR power to appear virtually as large as the big boys.

With the rise of Amazon Web Services (AWS), Microsoft Azure and other public customer cloud platforms as well as B2B SaaS applications and more, even the solopreneurs among us can tap on-demand, online software.

“Now that SMBs and mom-and-pop shops don’t have to have their websites hosted on GoDaddy and can go live in the AWS Cloud, they have taken a giant leap forward,” says Shawn Moore, CTO, Solodev, a web experience platform. “But someone still needs to build, manage and optimize their websites. Enter the DIY CMSes like SquareSpace, Weebly, Wix and WordPress. Now your local pizzeria can build its site in WordPress, host it free on AWS cloud computing and compete with Papa John’s and Pizza Hut.”



It’s the first day of Spring and here in New Jersey we’re expecting a balmy 50 degrees Fahrenheit. Rising temperatures + snowmelt = flooding.

NOAA’s Spring Outlook calls for moderate to major flooding in northern North Dakota and in the Snake River basin in Idaho and flags California, which saw extensive flooding in February, as susceptible to additional flooding in the coming weeks.

Spring also marks the start of severe weather season for many states. Resources on severe weather preparedness are available at the Insurance Information Institute ( I.I.I.) website and weather.gov.

Which brings us to this:



Tuesday, 21 March 2017 15:00

Spring-Ready With Flood Insurance

Vendors like to go to the movies, meaning they like to see their products and logos in Hollywood productions, and are usually prepared to pay for the privilege.

Cars, computers, canned beverages, you can surely think of examples you’ve seen, as heroes, heroines, and villains chase each other on highways, crack codes, and generally show how cool they are.

By comparison, business continuity per se doesn’t feature much, or even at all. The simple reason is that good business continuity is more about avoiding drama and nail-biting tension than fostering it, which is no recipe for box-office revenues.

On the other hand, business continuity plays a major part in getting films made and distributed in the first place.

With even “small” film budgets easily in the millions of dollars, it’s clear that making a film must be a well-oiled, continuous process, with no unplanned interruptions.



Privacy is a human right, and at the core of the privacy principles is Article 8 of the European Convention on Human Rights. In the new digital world, where information-sharing is prevalent, the need to protect individuals’ privacy is important, but we are seeing different views toward privacy with the advent of social media platforms. Protecting the rights of the individual is the most important aspect of privacy.

What are the legislative challenges in a global environment?

As a data protection officer across 27 countries, there are individual challenges to overcome when operating in a global environment. When looking globally, there are some practical summaries (e.g., the “practical law” guide in the Data Protection Global Guide). Canada, Russia and the European Union Privacy directive have evolving laws, requiring a professional to adapt to changing legislation. Russian law requires that all Russian citizens registering on a website should have their personal data stored securely within Russia, which may provide challenges for cloud-based HR systems (or any other cloud-based service).

The issue of consent is a focal point of Canada’s Anti-Spam Legislation (CASL) for commercial electronic messages (CEM). A CEM is only implicitly allowed if there is an existing business or non-business relationship, or if the recipients conspicuously publish their electronic contact information or voluntarily disclose it without indicating they don’t want to receive communications. Otherwise, explicit consent is required from the recipient. The business challenge here is maintaining a provable log of consent required to avoid the Canadian $10 million fine. Again, this provides a challenge to cloud-based services.

These are just two examples of recent changes in legislation that require adaptation by organizations.

The biggest change for any organization processing data of European citizens is the new GDPR, as European legislation is often used as a baseline for implementing privacy regimes globally.



Monday, 20 March 2017 14:40

Thriving Despite Cyber Risk

I don’t know about you, but this spring break is different in my family. My daughter, who has almost finished her first year at a liberal-arts college, came back for spring break with the big question “Mom, what major should I choose?” Of course, as an analyst in technology and — not to brag, but as a professional who has had many roles in IT (programmer, systems administrator, and computer and information systems analyst) — my first thought was to suggest that she look into computer information systems or computer science. She has the ability; she is an excellent STEM student. So I told her that I would do some research and get back to her.

Here is what I found: According to the United States Bureau Of Labor Statistics, the employment of computer and information technology occupations is projected to grow 12% from 2014 to 2024, which is faster than the average (8%) for all occupations. I quickly put together a table summarizing the majority of professions and found the following:



DENVER – Flooding is the most common natural disaster in the United States. Already there are reports of localized flooding in states across the Rocky Mountain region—and the upcoming snowmelt means there is potential for even more serious flooding.

The Federal Emergency Management Agency (FEMA) manages the National Flood Insurance Program (NFIP) that provides flood insurance policies that provide millions of Americans their first line of defense against flooding.  But those flood insurance policies are only one component of the program and just part of the protection NFIP provides to individuals and the American public at large.

For anyone to be able to purchase an NFIP policy, the only requirement is that they live in a participating community.  A participating community can be a town or city or a larger jurisdiction like a township or county that includes unincorporated areas.  It is up to the community to opt into the NFIP program for the benefit of its citizens.  When joining the program, the community agrees to assess flood risks and to establish floodplain management ordinances.  In return for taking these actions, residents are able to purchase federally backed flood insurance policies.

One of the cornerstones of the NFIP is the flood mapping program.  FEMA works with states and local communities to conduct studies on flood risks and develop maps that show the level of risk for that area, called a Flood Insurance Rate Map (FIRM).  The FIRM provides useful information that can assist communities in planning development.  The area that has the highest risk of flooding is the Special Flood Hazard Area (SFHA), commonly called the floodplain.  The SFHA has a one percent chance of being flooded in any given year.  Because of the greater risk, premiums for flood insurance policies for properties in the SFHA are greater than those for properties outside of it.

Equally important to knowing the risks of flooding is having a game plan to address those risks.  This is the role of floodplain management.  Local communities must comply with minimum national standards established by FEMA, but are free to develop stricter codes and ordinances should they choose to do so.  Key elements of floodplain management include building codes for construction in the floodplain and limitations on development in high-risk areas.  Floodplain management is an ongoing process, with communities continually reassessing their needs as new data becomes available and the flood risk for areas may change.

The NFIP brings all levels of government together with insurers and private citizens to protect against the threat of flooding.  Federally sponsored flood maps and locally developed floodplain regulations give property owners the picture of their risk and ensure building practices are in place to minimize that risk.  As a property owner, purchasing a flood insurance policy is a measure you can take to further protect yourself.  To find out more about your individual risk contact your local floodplain administrator. For more information on flood insurance policies or to find an agent, visit www.floodsmart.gov or call 1-800-427-2419.

In a past life I was a system administrator, or "sysadmin". I enjoyed it, but even in those halcyon days of remoting into servers and driving to the office at 2 AM (hoping the server room wasn't on fire), I knew I had a limited shelf life. It wasn't until years later that I fully understood why:
Administrators are babysitters. The era of tech babysitters is over.
In the age of the customer, admins need to be just as dynamic as their developer brethren. That means a hard shift to software-defined infrastructure. It also means using the same tools and processes that accelerate business technology.
In other words, you need to become a developer.
The good news? You can do it. How do you start?
Monday, 20 March 2017 14:37

Sysadmins: You're All Developers Now

Cyber attackers have already waged attacks on Internet of Things (IoT) devices to build massive botnets and launch crippling distributed denial-of-service (DDoS) attacks, knocking websites and online services offline. IT security professionals now fear that the rise of the Industrial Internet of Things (IIoT) could open a dangerous new front in the cybersecurity war.

In a Tripwire survey of 403 technology professionals, administered by Dimensional Research, nearly all respondents (96 percent) said they expected an increase in security attacks aimed at the IIoT this year. Fifty-one percent admitted that they weren't prepared to defend against IIoT threats.

"Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don't feel prepared to detect and stop cyber attacks against IIoT,” said David Meltzer, chief technology officer at Tripwire, in a statement.



The enterprise is anxious to automate as much of its data ecosystem as possible, starting with the cloud. But is automation the best solution for every challenge, and if not, how can enterprise executives determine what should be automated and what should remain under human control?

According to tech journalist Bill Kleyman, cloud automation is one of the key drivers of business innovation. Many organizations have found, in fact, that while the cloud alone is useful in overcoming the challenges of traditional infrastructure – things like lack of scale, poor resource utilization, and the prevalence of data silos – problems such as resource management, visibility and cost control persist. Automating management tasks and orchestrating the relationships between resources and workloads can alleviate these issues, plus it accelerates IT management to speeds required of the modern digital economy. So in the end, the enterprise becomes more agile and more responsive to the needs of its users.

A number of platforms have emerged in recent months promising to deliver these results for cloud-facing enterprises. CloudVelox recently updated its One Hybrid Cloud stack that aims to streamline workload mobility across internal and external resources. The system provides a new set of optimization tools, such as application-centric instance tagging, multiple security groups and role-based identity and access management (IAM), plus new system reporting and alert functions to verify successful migrations to the cloud. Additional features, due later this year, are expected to provide autoscaling and elastic load-balancing (ELB) across multiple instances.



Monday, 20 March 2017 14:25

IT Automation: Where, When and How?

If you haven’t noticed lately, risk management is going through a global transformation wherever you look!

The COSO ERM framework is being revised with a new tagline, Enterprise Risk Management – Aligning Risk with Strategy and Performance. Dennis Chelsey, PwC’s Global Risk Consulting leader and lead partner for the COSO ERM effort, recently stated, “Enterprise risk management has evolved significantly since 2004 and stands at the verge of providing significant value as organizations pursue value in a complex and uncertain environment.” Chelsey goes on to state, “This update establishes the relationship between risk and strategy, positions risk in the context of an organization’s performance and helps organizations anticipate so they can get ahead of risk and embrace a mindset of resilience.”

Additionally, the ISO 31000:2009 risk framework is being revised.  “The revision of ISO 31000:2009, Risk Management – Principles and Guidelines, has moved one step further to Draft International Standard (DIS) stage, where the draft is now available for public comment,” according to the International Organization for Standardization’s website.  As explained by Jason Brown, Chair of ISO’s technical committee ISO/TC 262, Risk Management, “The message our group would like to pass on to the reader of the Draft International Standard is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries.  It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic International Standard.”



This post is short and sweet, but very important. Most of us are drawn to new tech toys, but at the same time, we resist change. We want the latest and greatest, and yet a part of us resists the added security responsibility that comes with new technology. This is something we need to be very aware of in the cybersecurity sphere.

The shiny, new rules are basic: If you installed it, update it. Keep your software up-to-date to ensure vulnerabilities that have been patched by the vendor are patched in your environment.

If you did not specifically search a topic online and the topic is presented to you, ignore it. Cyber criminals create targeted topics to lure you down a path to malware.

If it’s too old for the owner/manufacturer to update it, it’s too old for you.

Use the principle of shiny and new to your advantage; update and change your passwords, security questions and other features of identity-proofing frequently.

Interested in learning more? Download our new brief The Common Sense Approach to Cybersecurity.



If you’ve been following my research, you know I like to divide the business world into three categories of company:

  • Digital Predators successfully use emerging digital technologies to gain market share and/or displace traditional incumbent companies (e.g., Amazon, Lyft, Priceline, Airbnb, Netflix).
  • Digital Transformers evolve a traditional business to take advantage of emerging technologies, creating new sources of value for customers and opening up new competitive strategies (e.g., Burberry, Nestlé, L’Oréal, Unilever, USAA, Ford, Delta).
  • Digital Dinosaurs struggle to leave behind their old business model. These companies are typically slow to change because they must defend large P&Ls, or they have a near monopoly position, or they simply don’t see the opportunity/threat (e.g., many retailers, taxi companies, manufacturing firms, legal firms, recruiters, construction firms).



Cloud services are becoming the main part of the infrastructure for many companies. Enterprises should pay maximum attention to security issues, moving away from typical approaches used in physical infrastructures, which are often insufficient in an atmosphere of constantly changing business requirements. Although cloud providers do all they can to guarantee infrastructure reliability, some of them limit their services to standard security measures, which can and should be significantly expanded.

Typical Cloud Information Security Threats

According to the Cloud Security Alliance the list of the main cloud security threats includes the following:



Ransomware has experienced a meteoric rise over the last two years, and I contend that it is due for a meteoric fall. Here’s why: As unlikely as it may seem, Ransomware relies solely upon trust.

Many of the criminals behind ransomware appear to have an “honor among thieves” mindset. There have been countless “successful” transactions where an organization or individual has paid the ransom and been given the private key to unlock their captured data. I have even read of situations where the group that created the ransomware ran an informal helpdesk that walked victims through the process of paying the ransom, primarily in Bitcoin. Bitcoin is the preferred method of payment because it is a digital-only currency that is not linked to a bank account; it is pseudonymous rather than truly untraceable, since every transaction is recorded on a public ledger, but attributing a wallet to a person is hard enough for the criminals’ purposes. After getting paid, this criminal helpdesk then assisted their victims with decrypting their data. Unheard of, right? This is where the idea of ransomware gets a little crazy: a victim must place their trust in a criminal, and in many cases, that trust pays off. Often, after paying the ransom, data is restored and each party goes their separate ways.

So here you have this perfect criminal balancing act. Someone’s data gets encrypted, they pay a fee, their data gets decrypted. As long as the victim upholds their end of the bargain (namely giving a criminal a Bitcoin), then the criminal gives the victim a private key to unlock their files. Easy money for a criminal, right? Because it appears to be that easy, many are jumping on the bandwagon. This misguided perception of easy money will prove to be the beginning of the end for ransomware.



Friday, 17 March 2017 15:17

The Flaw in Ransomware

Business Impact Analysis Relieves “Tempest in a Teapot” Syndrome

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:

  • ‘A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
  • ‘A storm in a glass of water’ – Netherlands
  • ‘Tempest in a potty’ – Hungary
  • ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

Of course my seven year old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive down the residual risk within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization that the risk could impact (e.g., business processes) are not that critical? And how would you know?

Let me give you a simple example. A cyberattack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical causing them to spend the same level of time, attention and resources to protect the less critical areas; this is the ‘tempest in a teapot’ syndrome.

It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.

A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts. It is a well-known methodology inside business continuity (BC) circles as these teams have performed them for decades to determine what business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not and this is a common problem many organizations’ risk management programs experience.

To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes. Check out my Issues Management blog: Facing a Tsunami of issues
  • Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
  • The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.

The RSA® Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.

The Duke of Ormond’s letters to the Earl of Arlington in 1678 put it best – “Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl.”

The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a ‘tempest in a potty’ (that was for you Elly). For comments, contact me by email.


From time to time, an anecdote comes across our desks that, as researchers, we find hard to leave alone. A few months ago, one of these opportunities appeared, and we thought it might be interesting to lift the hood, and show you how we dig into tough research hypotheses and decide if and when to write about them. Here's what happened.


Over a period of a few days this winter, we heard from one colleague, then another – 20 in all -- that conversations they'd had IRL ("in real life") seemingly resulted in ads and sponsored posts in Facebook. Given the state of "surveillance marketing," we weren't that surprised, until we read Facebook's T&Cs. There, the company explicitly stated that it wouldn't use data collected from a user's microphone for ad targeting. That's when we got curious.

First, we looked to the obvious: had our colleagues searched for the advertised item after having had the conversation? Had they checked into the same place as a friend, at the same time? Were they on the same network -- and thus sharing an IP address -- as someone who'd searched for the product or service? We rounded up the answers to these questions, and determined that "interest-by-proxy" was an unlikely cause.



Big Boss calls you into his office and gives you the quarterly revenue number he wants you to report.  He tells you “this is the number, now go make it happen.” What options do you have here and what consequences are you willing to accept in this situation?  -e-Factor!® scenario

Have you ever been told, “here’s the number, now go make it happen?” This is a real-life scenario that anyone in business could face. I’ve faced it myself. In the heat of the moment, do we know how to respond?

Let’s analyze this situation to see what choices – and potential consequences – we have available to us.  First, let’s identify the ethics issues here.  The scenario does not offer much detail, but the implication is clear: Big Boss has a number in mind.  Under what circumstances would this be an acceptable request? If we received direction for sales goals, production targets or the purchase price for a particular item, this would be fantastic communication, right?  If the number the boss wants to report is close to the actual financial result achieved, the request might even be reasonable.  Perhaps the boss has information we did not have access to and wants us to make corrections.  Still, no ethics issue here. However, if Big Boss’ number is nowhere close to the actual result, we have a conflict.



Thursday, 16 March 2017 15:19

Here’s the Number – Go Make it Happen!

Although most organizations have contemplated – to some degree – the what and how of business continuity plans, including discussions about the stability of the IT system and what to do if the company’s facilities or IT infrastructure are compromised, the who is often overlooked. Assigning business continuity roles and responsibilities to each of your team members and documenting that information in your plan will ensure that all the details are handled in a timely and consistent manner. If your organization has no business continuity plan in place, it’s fine to start out with a small team to lay the groundwork. Starting small is better than not starting at all!


No one person can, nor should, do it all when it comes to carrying out your business continuity plan, but it is recommended that every organization identify a Business Continuity Manager to lead the charge as it relates to the planning and preparedness process. In addition to organization-wide visibility, the Business Continuity Manager must have senior management support that would allow this individual to:

• Authorize budgets and financial support for BCM tools and team members;
• Dedicate time for team members to participate in planning, training, and drills;
• Emphasize the importance of business continuity planning and training across departments; and
• Mandate BCM plan adoption and nurture BCM culture throughout the organization.



(TNS) - Water pollution and mudslides could be the next major problems facing Gatlinburg three and a half months after a deadly firestorm swept through the city, according to two experts who spoke during the emotional public forum portion of a City Commission meeting Tuesday evening.

Gatlinburg residents who suffered losses in the Nov. 28 fire that killed 14 people and destroyed more than 2,000 structures filled the small City Hall meeting room and streamed out into the hallway.

Resident after resident stood before Gatlinburg Mayor Mike Werner, Vice Mayor Mark McCown, Commissioner Don Smith and City Manager Cindy Ogle and leveled questions about authorities’ failure to evacuate the tourist town and the city’s plan to avoid another tragedy in the future.



A recent KnowBe4 survey of more than 500 organizations found that 33 percent of respondents experienced a ransomware attack in the past year -- and 53 percent of organizations with multiple solutions in place to block ransomware still become victims.

Seventy-two percent of survey respondents downloaded a ransomware simulator that mimics 10 different infection scenarios in order to test their anti-virus' ability to detect and stop attacks. Only 52 percent of those organizations' current anti-virus solutions were able to detect the ransomware.

"Ransomware is primarily delivered via a phishing email, which means your users have to be trained to identify it in order to prevent it, making antivirus ineffective at stopping ransomware. ... An important layer in any company's security stack is the last line of defense -- the human firewall that can be trained to detect a phishing email," KnowBe4 CEO Stu Sjouwerman said in a statement.

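The survey above measures whether anti-virus products notice a simulated infection; what a simulator actually produces on disk, and what a detector can key on without any signature, is the effect every crypto-ransomware family shares: many files rewritten with near-random content or renamed out from under the user in a short window. The following Python script is an added example, not KnowBe4's simulator or any vendor's code. It snapshots per-file Shannon entropy, runs a harmless stand-in for ransomware behaviour against a throwaway directory of constructed sample documents, and alerts on the bulk change; the entropy threshold and the file-count and fraction cut-offs are assumptions chosen for the demo.

```python
"""Behavioural check for ransomware-style bulk encryption (added example, not vendor code).

Signature-based anti-virus misses unknown samples; what every crypto-ransomware family
shares is its effect on disk: many files rewritten with near-random (high-entropy)
content, or renamed with a ransom extension, within a short window. This detector
snapshots per-file Shannon entropy and alerts on that pattern. Thresholds are assumed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map relative path -> entropy for every regular file under root."""
    return {
        str(p.relative_to(root)): shannon_entropy(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file()
    }


def detect_bulk_encryption(before: dict, after: dict, entropy_threshold: float = 7.0,
                           min_files: int = 3, min_fraction: float = 0.5):
    """Return (alert, findings).

    A finding is a baseline file that either vanished (renamed or deleted) or whose
    content jumped from below to above the entropy threshold. Alert only when the
    findings cover at least min_files and min_fraction of the baseline, so one user
    saving a single zip archive does not page anyone.
    """
    findings = []
    for rel, ent_before in before.items():
        if rel not in after:
            findings.append((rel, "missing_or_renamed"))
        elif ent_before < entropy_threshold <= after[rel]:
            findings.append((rel, f"entropy {ent_before:.2f} -> {after[rel]:.2f}"))
    share = len(findings) / len(before) if before else 0.0
    alert = len(findings) >= min_files and share >= min_fraction
    return alert, findings


def simulate_encryption(root: Path, rename: bool) -> None:
    """Harmless stand-in for ransomware behaviour: overwrite each file with random bytes
    and optionally append a ransom-style extension. There is no key and nothing is
    recoverable, so only ever point it at the throwaway directory created below."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(max(p.stat().st_size, 1024)))
            if rename:
                p.rename(p.with_name(p.name + ".locked"))


def make_corpus(root: Path) -> None:
    """Constructed sample documents: ordinary low-entropy text (assumed content)."""
    for i in range(5):
        (root / f"doc{i}.txt").write_text("quarterly report, nothing to see here\n" * 20)


def run_demo() -> dict:
    """Three scenarios against one baseline: a normal edit, in-place encryption,
    and encryption followed by renaming. Returns the alert decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_corpus(root)
        baseline = snapshot(root)
        (root / "doc0.txt").write_text("edited by a user\n" * 30)   # benign change
        results["benign"] = detect_bulk_encryption(baseline, snapshot(root))[0]
        simulate_encryption(root, rename=False)
        alert, findings = detect_bulk_encryption(baseline, snapshot(root))
        results["inplace"] = alert
        results["inplace_findings"] = len(findings)
        simulate_encryption(root, rename=True)
        results["renamed"] = detect_bulk_encryption(baseline, snapshot(root))[0]
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the three decisions. In production the same check would be driven from file-system audit events or a handful of canary files rather than re-reading a whole tree, and the alert should trigger an isolation action, not just a log line.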


Strategic BCP’s software innovators, enterprise consultants, customers, and partners will soon be heading to sunny Orlando for DRJ Spring World 2017 at Disney’s Coronado Springs Resort. We are proud sponsors of the conference.

At DRJ Spring World, we will be showcasing several new software enhancements in ResilienceONE including the integration of Everbridge—the industry’s top Emergency Management Notification System (EMNS). The integration adds powerful capability to Business Continuity and Crisis Management and does not require customization or configuration.

Strategic BCP and Everbridge will demonstrate their integrated capabilities in the “Coronado F” suite at the following times:

  • Sunday, March 26 at 5:30-7:00 pm
  • Monday, March 27 at 11:45 am-1:30 pm
  • Tuesday, March 28 at 11:45 am-1:30 pm

Private demos will also be available. Visit Booth 510/512.

See firsthand ResilienceONE’s extensive automation of manual work, powerful risk analytics, and its real-time enterprise command center. It provides a comprehensive, cost-effective way to manage business continuity, operational risk, vendor risk, and IT risk within one cloud-based solution.

Members of Strategic BCP’s world-class Professional Services organization will also be on-hand.

Not attending DRJ Spring World? Learn more or schedule a demo.

We hope to see you there!


(TNS) - York and Cumberland counties are under a blizzard warning as a massive nor’easter arrives in Maine with blustery winds and snow.

Snow started falling before dawn Tuesday in York County, part of a potentially crippling storm stretching from Washington, D.C., to Maine that will affect tens of millions of people by the time it moves out of the Northeast on Wednesday.

The National Weather Service placed all of coastal New Hampshire, York County and Cumberland County under a blizzard warning for Tuesday, meaning severe winter weather could create whiteout conditions that make travel extremely dangerous.



Can you describe the differences and benefits of the BIA and Risk Assessment? Today’s short blog may help you provide answers when the questions arise.

You just spent time completing a Business Impact Analysis (BIA), taking 2 to 3 hours per department. Now you are asking for another hour or more to interview the same team for a risk assessment. “We just did this, why are we doing it again?” is the response from department leaders. Even BC program stakeholders ask why time and resources are being spent on the same activities. The Risk Assessment and BIA are both risk-based assessments, but have different purposes. BIAs are the “what” is impacted and Risk Assessments are the “how” impacts occur.





BATON ROUGE, La. — In the 12 months since the March severe storms pummeled and flooded much of Louisiana, the Federal Emergency Management Agency (FEMA) has helped thousands of people begin to recover.

Along with its federal and state partners, the agency has disbursed millions of dollars so people could start repairing their homes, cover disaster-related costs and stay in dry, safe lodgings as they did so.

FEMA’s Individual Assistance program has approved nearly $94 million in housing and other needs assistance. Its Public Assistance program has obligated more than $47 million to reimburse communities for emergency work and infrastructure repairs. The agency has approved nearly $20 million for disaster case management intended to help people who need extra assistance getting back on their feet.

The National Flood Insurance Program, administered by FEMA, processed 4,977 claims and paid out more than $239 million for flood claims stemming from that disaster. 

The U.S. Small Business Administration (SBA) has approved nearly $109 million in long-term, low-interest loans for homeowners and businesses. 

Some 198 volunteer groups helped flood survivors, providing services such as muck outs, hot meals, home repairs and rebuilds, and distributing water, cleaning supplies, diapers and other baby supplies.

Even as residents have done the difficult job of repairing and rebuilding their homes, communities throughout the state continue to outline how they want to rebuild.

FEMA set up offices in Baton Rouge and Monroe to identify emerging local and regional needs, coordinate with federal agencies in local recovery efforts and provide guidance on post-disaster recovery planning. The agency has facilitated a number of local, state and federal roundtable discussions and forums on housing, business, health and agriculture. These events led to identifying 88 high level needs for attention by subgroups under the National Disaster Recovery Framework, which provides the state with expertise from federal agencies involved in long-term recovery.

In affected communities in Ouachita Parish for example, the Recovery Support Function teams brought in disaster recovery specialists from more than 10 federal agencies such as the Environmental Protection Agency, Housing and Urban Development and the Commerce Department to develop technical assistance on disaster recovery projects. They looked to include proposals on green infrastructure, mitigation and ways to fight blight with in-fill construction.

This week marks the first Community Resilience Institute meeting for elected officials of parishes hit by the March floods. The institute is a result of FEMA’s partnership with NOAA Sea Grant and the LSU Coastal Sustainability Studio.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status.  If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY, call 800-462-7585.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Disaster Assistance Customer Service Center by calling 800-659-2955 or visiting SBA’s website at SBA.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

For mitigation information visit www.fema.gov/Louisiana-Disaster-Mitigation.

DENTON, Texas – New flood maps for Grant County will become effective July 18, 2017. County residents are encouraged to view the maps before the effective date to understand their flood risk.

Most property insurance policies do not cover the effects of flooding. Anyone without flood insurance risks uninsured losses to their homes, personal property and businesses. Flooding is the most frequent natural disaster in the U.S. and only flood insurance covers these events.

Grant County residents are encouraged to contact their local floodplain administrator to learn if their community participates in the National Flood Insurance Program (NFIP). They can also review the new flood maps at the county floodplain administrator’s office. In addition, Federal Emergency Management Agency (FEMA) map specialists and flood insurance experts are available to answer questions. They can be reached by phone and online chat.

FEMA resources include:

  • Viewing a Preliminary Interactive Flood Map:  http://maps.riskmap6.com/AR/Grant/

  • Using the live chat service at http://go.usa.gov/r6C.  Click on the “Live Chat” icon.

  • Contacting a FEMA map specialist by calling 1-877-FEMA MAP (1-877-336-2627) or by email

  • Calling the NFIP Helpline – 1-800-621-FEMA (3362). Press “2” for flood insurance questions.           

FEMA encourages non-participating communities to look at the benefits of joining the NFIP.

Businesses and homeowners who learn that their property has been newly mapped into a Special Flood Hazard Area may want to consider buying flood insurance before the maps become effective. Contacting a local insurance agent is the first step in getting information about insurance. Visit www.floodsmart.gov or call 1-888-379-9531 to locate an agent in your area.

The National Flood Insurance Program is a voluntary program administered by FEMA.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow us on Twitter at www.twitter.com/femaregion6 and the FEMA Blog at http://blog.fema.gov.

Passwords are the most common authentication tool used by enterprises, yet passwords are notoriously insecure: they are guessed, phished, and leaked in bulk when other sites are breached. End users tend to be careless with passwords, frequently reusing or sharing them.

This is true even among technologists, with a recent Centrify survey of IT professionals finding 26 percent shared passwords and 78 percent had fallen victim to a phishing email. A separate Forrester study, also sponsored by Centrify, of 203 enterprise IT security decision makers found two-thirds of organizations experienced an average of five or more security breaches in the past two years. The same study found hackers compromised over a billion identities in 2016 alone.

In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. In 2014, a survey of more than 350 senior IT decision makers worldwide found 37 percent of organizations surveyed used multi-factor authentication for a majority of employees, up from 30 percent in 2013.



New software for monitoring the probability of earthquakes in a targeted location could help energy companies determine where they can operate safely.

The free tool, developed by Stanford University’s School of Earth, Energy & Environmental Sciences, helps operators estimate how much pressure nearby faults can handle before rupturing, by combining three important pieces of information:

  • Location and geometry of the fault
  • Natural stresses in the ground
  • Pressure changes likely to be brought on by injections

“Faults are everywhere in the Earth’s crust, so you can’t avoid them. Fortunately, the majority of them are not active and pose no hazard to the public. The trick is to identify which faults are likely to be problematic, and that’s what our tool does,” said Mark Zoback, professor of geophysics at Stanford, who developed the approach with graduate student Rail Walsh.



Most likely snowfall for #Blizzard2017 in the NY/NJ metro area now looks like this, per the National Weather Service New York:

While major cities in the Northeast may have been spared blizzard conditions, a strong winter storm is still unfolding and inland areas are watching the snow pile up.

Wondering if you’re covered for winter storm damage? Here’s the lowdown from the Insurance Information Institute:



The Business Continuity Institute

Identity fraud has hit the highest levels ever with 172,919 identity frauds recorded in 2016, more than in any other previous year. The study by Cifas showed that identity fraud now represents over half of all fraud recorded in the United Kingdom (53.3%), of which 88% was perpetrated online.

The vast majority of identity fraud happens when a fraudster pretends to be an innocent individual to buy a product or take out a loan in their name. Often victims do not even realise that they have been targeted until a bill arrives for something they did not buy or they experience problems with their credit rating. To carry out this kind of fraud successfully, fraudsters need access to their victim’s personal information such as name, date of birth, address, their bank and who they hold accounts with. Fraudsters get hold of this in a variety of ways, from stealing mail through to hacking; obtaining data on the ‘dark web’; exploiting personal information on social media; or through ‘social engineering’, where innocent parties are persuaded to give up personal information to someone pretending to be from their bank, the police or a trusted retailer.

We have seen growing numbers of young people falling victim in recent years and this upward trend continued in 2016 with almost 25,000 victims under 30. In particular we saw a 34% increase in under 21s, and therefore Cifas is again calling for better education around fraud and financial crime and urging young people to be vigilant about protecting their personal data.

2016 also saw increases in victims aged over 40, with 1,869 more victims recorded by Cifas members.

Mike Haley, Deputy Chief Executive, Cifas said: “These new figures show that identity fraud continues to be the number one fraud threat. With nine out of ten identity frauds committed online and with all age groups at risk, we are urging everyone to make it more difficult for fraudsters to abuse their identity. There are three simple steps that anyone can take to protect themselves: use strong passwords, download software updates when prompted on your devices; and avoid using public wi-fi for banking and online shopping.

We all remember to protect our possessions through locking our house or flat or car but we don’t take the same care to protect our most important asset – our identities. We all need to take responsibility to secure our mail boxes, shred our important documents like bank statements and utility bills, and take sensible precautions online – otherwise we are making ourselves a target for the identity fraudster.”

Commander Chris Greany, National co-ordinator for economic crime said: “With close to half of all crime now either fraud or cyber crime we all need to make sure we protect our identity. Identity fraud is the key to unlocking your valuables. Things like weak passwords or not updating your software are the same as leaving a window or door unlocked."

It is these same measures to improve cyber security that the Business Continuity Institute is trying to highlight as part of its Business Continuity Awareness Week campaign. There are simple steps that individuals can take to improve cyber security within our organizations, as well as our personal lives. They may not make our networks completely secure, but at least they make a cyber security incident more of a challenge for the perpetrator, rather than leaving the door wide open for them.

Wednesday, 15 March 2017 14:30

BCI: Identity fraud reaches record levels

Omry Farajun first got into the online storage game before there really was much of an online storage game to speak of.

When he launched Toronto-based Storage Guardian in 1999, Farajun recalls how converting a sale meant convincing customers in the value of backing up data remotely and digitally.

“That was the big pushback to online backup: ‘Oh, I have a tape drive and that’s good enough for me,’” he said. “Fifteen years ago it was hard to convince companies to back up their data.

“We’re one of the original SSPs – storage service providers.”



HATTIESBURG, Miss. – If you’re a survivor of the severe storms and tornadoes in January, you have two weeks to register for possible disaster assistance and to return applications for low-interest disaster loans to the U.S. Small Business Administration.

The deadline for both is March 27.

FEMA urges everyone who sustained losses from the January tornadoes to register, including those who have insurance. Insurance may not cover all losses.

The four designated counties declared by the President for disaster assistance are Forrest, Lamar, Lauderdale and Perry.

FEMA disaster assistance for individuals and families can include money for rental assistance, essential home repairs, personal property and other serious disaster-related needs not covered by insurance.

FEMA can’t duplicate benefits from insurance, but you should still register as help may be available for under-insured or uninsured losses. Update FEMA once your insurance is settled.

After you register, you may be contacted by the SBA about a low-interest disaster loan. Complete the SBA application to keep the process moving.

SBA physical disaster loans are available to homeowners and renters for repair or replacement of disaster-damaged property, including contents and automobiles.  SBA loans are available to businesses of all sizes and nonprofit organizations, too.

SBA economic injury disaster loans are available for small businesses, small agricultural cooperatives, small businesses engaged in aquaculture and most private nonprofit organizations of all sizes having difficulties meeting ordinary and necessary financial obligations because of the disaster. The application deadline for economic injury disaster loans is October 25, 2017.

SBA disaster loan interest rates are as low as 3.125 percent for businesses, 2.5 percent for nonprofit organizations and 1.5 percent for homeowners and renters, with terms up to 30 years.  Loan amounts and terms are set by the SBA and are based on each applicant’s financial condition.

Survivors who receive a low-interest disaster loan application from SBA after registering with FEMA should complete and return the application even if they do not plan to accept a loan. By completing the application, applicants may become eligible for additional grants from FEMA. By not completing and returning the applications, survivors could potentially be leaving “money on the table”. And, if you don’t complete and submit the loan application, you stop the FEMA disaster assistance process.

Register with FEMA online at www.disasterassistance.gov or call the FEMA helpline: 800-621-3362 or TTY 800-462-7585.

SBA disaster loan applicants may apply online using the Electronic Loan Application (ELA) via SBA’s secure website at disasterloan.sba.gov/ela. For more information or assistance with SBA disaster loans, call 800-659-2955. Individuals who are deaf or hard of hearing may call 800-877-8339.

For more information on Mississippi’s tornado recovery, go to fema.gov/disaster/4295 or visit the MEMA site at msema.org. Follow MEMA on Facebook facebook.com/msemaorg and on Twitter @msema.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you believe your civil rights are being violated, call 800-621-3362 or 800-462-7585(TTY/TDD).

FEMA’s temporary housing assistance and grants for public transportation expenses, medical and dental expenses, and funeral and burial expenses do not require individuals to apply for an SBA loan. However, applicants who receive SBA loan applications must submit them to SBA loan officers to be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses.

A recent CyberEdge survey of 1,100 IT security decision makers and practitioners across 15 countries found that fully 61 percent of respondents' organizations were victimized by ransomware last year.

Among those hit by ransomware, 33 percent paid the ransom to recover their data, 54 percent refused to pay but recovered their data anyway, and 13 percent refused to pay and lost their data.

In general, the report found the percentage of organizations being hit by successful cyber attacks continues to rise, from 62 percent in 2014 to 70 percent in 2015, 76 percent in 2016, and 79 percent in 2017. Three in five respondents believe a successful cyber attack is likely in the coming year.


