Industry Hot News


BLOOMINGTON, Minn. – As the FEMA registration deadline of Jan. 30 nears, Minnesotans affected by the September 2016 severe storms and flooding who have not registered for FEMA assistance need to call 800-621-3362 or register online at disasterassistance.gov.

Residents of Blue Earth, Freeborn, Hennepin, Le Sueur, Rice, Steele and Waseca counties who suffered damage during the September storms may be eligible for assistance but must register by the deadline.

Recovering from a disaster can be overwhelming. FEMA assistance is only one part of recovery efforts. Voluntary agencies, state and local officials, federal agencies and non-profit organizations all are instrumental in ensuring a community fully recovers.

Long-term recovery committees play an important role working with residents to solve their issues, concerns and needs. Lutheran Social Service of Minnesota is currently working in Waseca and Freeborn Counties to help residents impacted by the flood get connected to long-term recovery committees. If you live in Waseca County, please call 507-308-4336. If you live in Freeborn County, please call 507-473-2718. If you need assistance with long-term recovery outside of those two counties, please call Lutheran Social Service of Minnesota at 651-969-2313.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

It seems like we are constantly talking about data breaches, but as a couple of recent studies show, we may be under-reporting their frequency and severity. The 2016 Data Breach Trends report released by Risk Based Security said 4,149 breaches were reported, compromising more than 4 billion records. That’s 3 billion more than exposed in 2013, the highest total before last year (and higher even than the so-called Year of the Data Breach in 2014).

Also, a study conducted by the Identity Theft Resource Center (ITRC) and CyberScout found that there were 1,093 reported breaches in the United States last year, another all-time high. However, according to eSecurity Planet, there may be a reason for these high breach numbers:

ITRC president and CEO Eva Velasquez said it's not clear whether the increase is due to an actual surge in breaches or simply due to more states making the information available.



Each year at the end of summer, several members of Forrester’s Security & Risk research team look back at publicly reported breach events and data privacy violations of the previous 12 months to spot trends and identify cases to feature where we feel there are lessons learned for S&R pros. In 2016, this was a joint effort alongside my colleague Fatemeh Khatibloo from Forrester’s Customer Insights research team. Leading up to Data Privacy Day, I’d like to share some lessons learned from one of the five key trends we saw in our 2016 analysis.

The intersection of privacy and customer experience reminds us of the importance of collecting and managing consent, whether that involves collecting data to personalize an experience or marketing or another initiative we aim to pursue. We saw notable examples (Verizon Wireless! InMobi!) of how FCC and FTC actions in 2015 and 2016 converged on issues of consumer privacy and consent. In both cases, firms used tracking information to deliver targeted ads.



Imagine, if you will, a 48-hour DDoS attack at your organization. How would you cope? How would you continue your business and service your customers? Ask Lloyds bank!

Lloyds Banking Group suffered a 48-hour online attack this month as cybercriminals attempted to block access to 20m UK accounts. The denial of service attack ran for two days from Wednesday 11 January to Friday 13 January, as Lloyds, Halifax and Bank of Scotland were bombarded with millions of fake requests, designed to grind the group’s systems to a halt. Usually in a denial of service (DOS) attack the criminals demand a large ransom, to be paid in bitcoins, to end the onslaught.

However, no accounts were hacked or compromised during the attack, and Lloyds did not pay a ransom.



Thursday, 26 January 2017 17:30

Secrets revealed: implementing an EMNS

Turn on CNN, pick up a newspaper, or spend anything more than two minutes on the Internet and you’ll see—there’s not a day that goes by without some kind of threat to business as usual.

Severe weather events. Terrorist activity. Wildfires, earthquakes, and other natural disasters. Cybercrime. Power outages and widespread blackouts. School or workplace violence.

Most of these events arrive without warning. Even those you can plan for can be devastating, and their effects can be widespread.



Thursday, 26 January 2017 17:29

The Making of a Profession

Looking back 20 years, there were fewer people with emergency management titles and less clearly defined emergency management organizational structures. There were also fewer certification and training programs for emergency managers.

The profession has evolved along with people’s understanding that crisis management and the need to prepare for disasters is critical, said California Office of Emergency Services Director Mark Ghilarducci. The public, elected officials and private-sector CEOs started to grasp that it was a necessity to understand what risks exist and the challenges a region could face and develop a plan to move forward, he added.

Events such as the 9/11 attacks and Hurricane Katrina served as exclamation points. “Here in California, we recognized it long before the rest of the nation,” Ghilarducci stressed. “We had the Loma Prieta earthquake, the L.A. riots and the Oakland Hills fire — all catastrophic events that forced us to build a standardized emergency management infrastructure that talked about standards and resource coordination.” To get legislation passed and get the capability put in place, legislators and others had to have a good understanding of how important emergency management was, he said.



We spend time preparing for major data center or facility outages. We perform a risk analysis and write plans; we put in technologies to keep the business running and perform various tests. We report that we are ready. We feel confident our business can continue to run. But much of that could be considered what I call “Resiliency Theater” – because those activities do not prevent or address the most common or most probable events that may impact the organization.

Two very recent events demonstrate the concept of Resiliency Theater quite effectively.



(TNS) - Threats to the United States are sometimes made in people’s bathtubs or basements, according to members of the FBI who were in town Tuesday to educate the region’s emergency responders about how to identify potential dangers.

“The training assists first responders to identify hazards they may find during their usual duties,” Capt. Alexander Wild, medical operations officer for the 11th Weapons of Mass Destruction Civil Support Team in Waterville, said during a break in the two-day training at Eastern Maine Community College.

Areas of focus include “biological threats, explosive and toxic chemicals, drug lab identification, the emerging threat of agri-terrorism and lessons learned from the Boston bombing,” said Susan Faloon, spokeswoman for the Maine Emergency Management Agency, which hosted the event with the Maine Guard.



We included 11 vendors in the CRM Forrester Wave™ for midsize organizations. These 11 vendors reported a total of about 200,000 midsize customers. Compared to CRM vendors tackling the enterprise space, these vendors typically offer more streamlined - and sometimes simpler - capabilities. We saw some similar - and some strikingly different trends in this market segment. Midmarket customer demand:

  • Great user experiences that are affordable. These two factors are paramount for midsize organizations who don’t have large budgets, yet require the power of CRM. CRM must also be simple: simple to learn, simple to use, simple to configure.
  • Single platform. Midsize organizations do not have the breadth and depth of IT and administrator resources that enterprise organizations have. They expect unified business and administrator tooling for their CRM. 
  • Cloud CRM. Midmarket organizations demand cloud as their primary deployment model. We expect that newer cloud solutions will replace most on-premises installations in the next five years.
  • Prescriptive advice over raw analytics. Midsize organizations manage large volumes of data. CRM users - whether in sales, marketing or customer service - all struggle to take the right next best step for the customer - for example to pinpoint optimal offers, discount levels, product bundles, and next conversation for better customer outcomes. Midsize organizations are increasingly using prepackaged analytics within CRM to prescribe advice in the flow of their work. 
  • Vertical editions. Midsize organizations demand vertical CRM editions with industry-best practices baked into them. They want industry specific templates, common process flows, data model extensions, and UI labels. Vendors are responding. In our Wave, we found that all vendors either offer a broad range of vertical solutions or have invested in deep domain expertise and a vertical go-to-market approach.
  • Packaged front- and back-office integration. Midsize organizations demand pre-integrated front- and back-office solutions from a single vendor to help with time-to-value and help manage the 360 degree view of the customer.

Have a look at the full CRM Suites For Midmarket Organizations, Q4, 2016 for more information about our research and analysis of midmarket CRM vendors. 


Thursday, 26 January 2017 17:25

Devastation Lies in the Wake of Sunday Tornado

(TNS) - Search and rescue workers continued the grisly task Monday of searching for victims of a deadly tornado that struck east Albany, Ga., Sunday, leaving at least four dead and several neighborhoods in shambles.

Dougherty County Coroner Michael Fowler released the names of two of the victims late Monday afternoon.

“We have a positive identification of two victims so far that we have released to the funeral home,” Fowler said at a news conference in his office. “Oscar Reyna, 39, was killed in Paradise Village trailer park, and Paul Freeman, 82, lived on Newcomb Road in a brick home. The cause of death for both victims was multiple blunt force traumas because of multiple impact injuries caused by debris and structural collapse.”



Thursday, 26 January 2017 17:22

Understanding FEMA Verified Loss

BATON ROUGE, La. — Applicants without an insurance policy may be eligible for FEMA help to restore a home to a safe, sanitary and secure condition following a disaster.

FEMA assistance is not the same as insurance. Assistance only provides the basic needs for a home to be habitable, including toilets, a roof, critical utilities and doors. Examples of ineligible items may include cabinets and garage doors.

Home damage must be disaster-related. A home inspection is required to calculate the FEMA verified loss. Calculations are based on the general depreciation amount for items of average quality, size and capacity.

Safe, sanitary and secure homes meet the following conditions:

  • The exterior is structurally sound, including the doors, roof and windows.
  • The interior’s habitable areas are structurally sound, including the ceiling and floors.
  • The electricity, gas, heat, plumbing, and sewer and septic systems function properly.
  • The home is capable of operating for its intended purpose.

Safe, Sanitary and Secure Examples

Appliances: FEMA may assist in the replacement or repairs to disaster-damaged furnaces and hot water heaters. Non-essential items like dishwashers and home entertainment equipment will not be covered.

Ceiling and Roof damage: FEMA may assist to repair disaster-related leaks in a roof that damage ceilings and threaten electrical components, like overhead lights, but not stains from roof leaks.

Floors: FEMA may assist to repair a disaster-damaged subfloor in occupied parts of the home but not floor covering like tile or carpet.

Windows: FEMA may assist with disaster-related broken windows but not blinds and drapes.

FEMA verified loss calculations vary because every applicant’s situation is different. Expenses for repairs that exceed the conditions to make a home safe, sanitary and secure are ineligible.

Flood insurance coverage is more extensive. Policyholders may receive up to $250,000 for home damage and $100,000 for contents depending on the type and amount of coverage they bought. National Flood Insurance Program (NFIP) payments are not dependent on state or federal disaster declarations. The average annual cost of flood insurance is about $700.

Visit www.floodsmart.gov to learn more about any property’s flood risk, estimate an NFIP premium or locate an insurance agent who sells flood insurance.

For questions regarding FEMA verified loss please call 800-621-FEMA (3362).

We think of tornadoes as a spring and summer phenomenon, but all it takes is instability… weather instability, that is, and that is what winter tornadoes are all about.

Tornadoes form in unusually violent thunderstorms when there is sufficient (1) instability and (2) wind shear present in the lower atmosphere. Instability refers to unusually warm and humid conditions in the lower atmosphere, and possibly cooler than usual conditions in the upper atmosphere.

This past week, a massive storm system spawned dozens of tornadoes and caused extensive damage across a swath of the southern United States, from Texas to Florida. At least 19 deaths have been blamed on the storms so far, as emergency crews and first responders are still searching through wreckage for survivors.



According to a new report from the Identity Theft Resource Center (ITRC) and CyberScout, 2016 saw an all-time high of 1,093 reported data breaches, a 40 percent increase over the previous year's total of 780.

ITRC president and CEO Eva Velasquez said it's not clear whether the increase is due to an actual surge in breaches or simply due to more states making the information available.

"For the 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available," Velasquez said in a statement. "This year we have seen a number of states take this step by making data breach notifications public on their websites."



It’s increasingly challenging for marketers to earn loyalty as empowered consumers become entitled customers with more options than ever before. My latest report, Case Study: Max Factor China Rejuvenates Customers’ Loyalty With Social CRM, tells marketers how to leverage social CRM to define an effective loyalty strategy that spans the entire customer life cycle, across channels.

The US cosmetics brand Max Factor has been growing its business steadily since it entered the Chinese market in 2009. However, Max Factor has faced growing challenges in recent years:



Investors and financial institutions like to correlate business continuity risk with business continuity reward. If risk is greater in an investment, then the potential reward should be greater too.

Stock market investments are perceived to be riskier than bond investments, but are expected to give higher returns. However, some riskier investments are capped in their potential for reward, offering no more than less risky investments.

Similarly, spending more money to protect the business continuity of an organisation does not automatically guarantee a reduction in the level of risk. So why would organisations persist in thinking otherwise?



ATLANTA – The Federal Emergency Management Agency’s regional office in Atlanta, Georgia has activated its Regional Response Coordination Center to monitor the ongoing threat of severe weather, and gather damage reports from earlier storms in Mississippi, Alabama and Georgia. This center is open around the clock to maintain close coordination with state and tribal officials across the southeast. FEMA also has Liaison Officers at State Emergency Operations Centers in Alabama, Mississippi, Georgia, and Florida to provide support if requested. Additional teams are on alert for possible deployment if needed.

The National Weather Service Storm Prediction Center is reporting a high risk for severe thunderstorm and tornado outbreaks today across northern Florida and southern Georgia, with the significant severe threat expected to extend southward into central Florida and northeastward into South Carolina this evening.

According to the SPC, this is only the third High Risk threat, and the first in January, issued since 2000 that includes the state of Florida, and the first High Risk threat issued anywhere in the United States since April 28, 2014.

There is a threat for strong, long-tracked tornadoes across portions of south Georgia and north Florida. Large hail and damaging winds up to 75 mph are possible as these storms move through.

FEMA urges residents to monitor weather conditions and follow the directions of their state, tribal, and local officials, and to download the FEMA mobile app. The app provides weather alerts, and safety tips, in English and in Spanish. Individuals can also use the app to customize a checklist of emergency supplies and weather alerts from the National Weather Service.

Now is the time to prepare for a tornado and plan where you will go if a tornado watch is issued in your community:

  • Storm cellars or basements provide the best protection.

  • If underground shelter is not available, go to an interior room or hallway on the lowest floor of a sturdy building.

  • Put as many walls as possible between you and the outside. Most injuries associated with high winds are from flying debris, so remember to protect your head.

  • Vehicles, trailers and mobile homes are not good locations to ride out a tornado. Plan to go quickly to a building with a strong foundation, if possible.

  • Plan to stay in the shelter location until the danger has passed.

Additional information on tornado preparedness is available at: Ready.gov/tornadoes



Download the FEMA mobile app for disaster resources, weather alerts, and safety tips.

Rumors had been flying for some time about SimpliVity needing additional funding, and that HPE had made an offer that was unacceptably low at $650 Million. Clearly, these were more than casually well-informed rumors, since HPE announced on January 17 that it would be acquiring SimpliVity for $650 Million in cash. Was this a fair price? That is hard to say. Since I’m not really an equity analyst, I will spend no more time on this other than to say that it is far short of the kinds of valuations that the industry was expecting. Competitor Nutanix’s current market capitalization is slightly over $4B, which is more than a bit rich for such a company. Despite its high growth rates, it has yet to turn a profit.

But pricing aside, was it a smart move for HPE? Absolutely. It’s , and certainly one that helps shatter the perception that HPE always overpays for its acquisitions, even when they are strategically sound. SimpliVity was essentially tied for first place in our recent Forrester Wave™ report on Hyperconverged Infrastructure Solutions, coming in substantially stronger than HPE’s own HC380 product.

The fit with HPE for SimpliVity’s solution is impressive because:



There has been ongoing talk since 2002 that high power density data centers would replace low power density data centers. The theory is that a higher density will increase efficiency while reducing energy bills; however, with these benefits also comes the risk of cooling failures. Today, a data center where each cabinet consumes more than 10 kW is considered high power density. The density can also be measured by the amount of energy consumed per square foot, which is why many high power density data centers are built up rather than out. As rack densities continue to grow, data center manufacturers and designers are having to come up with more efficient cooling solutions to offset energy consumption.

The traditional data center design is unable to cool these higher density data centers, which has led to the development of cooling solutions such as CRAC units; racks featuring water-chilled, rear-door cooling units; and aisle containment structures. Unfortunately, more often than not, simply expanding an infrastructure and adding CRAC units (large computer room air conditioners) is not enough. Rear-door cooling units and hot and cold aisle containment structures are the most popular and efficient cooling solutions.

Effective airflow management is a successful solution that prevents a data center from overheating, while also being cost-efficient. A rear-door cooling unit utilizes liquid cooling technology to exchange hot air for cold air. The rear door holds cold water in a closed loop system, which offsets the heat generated by higher density racks. Basically, it is an air exchanger that requires no fans or moving parts.



(TNS) - A feared second round of severe weather did not appear in Middle Georgia early Sunday, but a watch remains for the afternoon.

Much of the area is under a severe weather watch from 1-6 p.m. Sunday, said Jimmy Williams, emergency management director for Houston County. He said most of the midstate is listed as having a moderate risk of severe weather during that period, including possible tornadoes, while the most southern part of the area has a high risk.

He said there was no weather damage in Houston early Sunday morning and emergency dispatchers in other area counties reported the same.



Data breaches and other information security threats are on the rise, and the cyber security skills gap is widening.

Many organizations, faced with limited in-house resources, are choosing to partner with managed security service providers (MSSPs) to handle all or specific areas of their information security needs.

Hiring an MSSP allows organizations to focus on their core competencies while benefitting from the expertise of skilled security experts who monitor the system around the clock, usually at a lower cost than hiring security analysts in-house.



Monday, 23 January 2017 15:26

Looking for Employment? FEMA is Hiring

SEVIERVILLE, Tenn. — Tennessee residents looking for temporary work following the wildfires in Sevier County have an opportunity to learn firsthand about the recovery process.

Workforce Tennessee, in conjunction with FEMA, is advertising open temporary positions in Sevier County.

Interested applicants can visit the Workforce Tennessee website at jobs4TN.gov. To find the available jobs, fill in the boxes under the section marked “Search for a Job,” being sure to enter your job title for “Keyword,” FEMA for “Employer Name” and Sevierville for “Location.” Leave the ZIP code box blank.

Positions being advertised are:

  • Human Resources Office Clerk
  • Travel Specialist
  • Logistics Specialist
  • Mitigation Office Clerk
  • Public Assistance Project Specialist
  • Photographer

More positions may be posted on the website as disaster recovery continues.

Candidates must be U.S. citizens 18 years of age or older. They must have a valid government identification card such as a driver’s license or military ID. Before hiring, selected candidates will be subject to a complete background investigation.

FEMA is committed to employing a highly qualified workforce that reflects the diversity of our nation. The federal government is an Equal Opportunity Employer. All applicants will receive consideration without regard to race, color, national origin, sex, age, political affiliation, sexual orientation, non-disqualifying physical handicap and any other non-merit factor.

Federal disaster assistance is available to eligible individuals and households who were affected by the Nov. 28 to Dec. 9 wildfires in Sevier County.

For updates on Tennessee’s wildfire response and recovery, follow @FEMARegion4 on Twitter and visit TNEMA.org/, MountainTough.org/ and fema.gov/disaster/4293.


The Business Continuity Institute

Far too many of the United Kingdom’s small and medium-sized enterprises (SMEs) are ill-prepared for the effects of bad weather and the disruption it could bring. Two-thirds (66%) of SMEs reported lost revenue, and almost a third (31%) have suffered weather-related property damage as a result of bad weather during the last five years, yet nearly half (44%) have no business continuity plan in place to ensure they can continue operating, while over two-thirds (69%) do not have any insurance cover to protect them.

The research conducted by Towergate found that SMEs were hit hardest by employees being delayed or prevented from reaching work (24%). Reduced demand for goods and services (16%) and disruption to their supply chain (15%) were also common problems caused by bad weather. Furthermore, on average, SMEs estimated that £523,934 of property and related assets could be at risk of damage caused by bad weather.

Overall, SMEs reported an average of 14.7 hours lost a year due to the weather; however, some sectors lost much more. Engineering and building (20.8 hours), manufacturing and utilities (19.6 hours), and unsurprisingly transport (19.7 hours) lose around half a week each year due to bad weather.

Adverse weather has consistently appeared in the top ten list of threats featured in the Business Continuity Institute's Horizon Scan Report. The latest version put it in eighth place with more than half (55%) of respondents to a global survey expressing concern about the possibility of a disruption caused by adverse weather.

Commenting on the findings, Joe Thelwell from Towergate, said: “The UK’s economy depends on small and medium sized businesses. But far too many firms have left themselves exposed to the unpredictable and at times damaging British weather. The majority of SMEs do not have appropriate contingency plans or insurance to protect them against lost business and unexpected bills resulting from the havoc our weather can wreak.

“With millions of people’s livelihoods depending on SMEs, it is crucial that these businesses take steps to better prepare for bad weather so they can get up and running as soon as possible. Practically, that could include backing-up computer systems and records, identifying contingency premises or taking out specific policies.”

Rather than working to cure the IT security disease, too many companies are focused simply on treating the symptoms by adding layer after layer of security complexity. To get to the root of the malady, what they need to be focused on instead are data analytics, machine learning, and an understanding of individuals’ roles.

That was my key takeaway from a recent interview with Stan Black, chief security officer at Citrix Systems, who said that conclusion had been reinforced by the findings of a newly released IT security survey, commissioned by Citrix and conducted by the Ponemon Institute. Black addressed the layering phenomenon in the context of what he sees as the role of public cloud:



Months ahead of the 2017 presidential inauguration, security officials have been in high gear and pulling out all the stops to make the event a safe one. No other presidential inauguration has garnered so much debate, spurring officials to take this year’s inauguration to another level when it comes to security.

Among the precautions taken are what the Washington Post calls, “A virtual fortress of roadblocks, fences and armed police.” What does this entail?



Crowd safety is important to understand before heading out to a large public event. This weekend there will be many events and marches. Before you head out to any of them, know a bit about crowd safety before you go. First some basic concepts about crowds:

  • Reaching critical crowd density is a main characteristic of crowd disaster and is approached when the floor space per (standing) person is reduced to about 1.5 square feet or less.
  • At 5 sq. ft. per person, the maximum capacity of a corridor or walkway is attained, (i.e. exiting a stadium or theatre); at approximately 3 sq. ft. per person, involuntary contact and brushing against others occurs.
    • This is a behavioral threshold generally avoided by the public, except in crowded elevators and buses.
    • Below 2 sq. ft. per person, potentially dangerous crowd forces and psychological pressures may develop.



The Business Continuity Institute

Two-thirds (66%) of financial executives in the US say their organization has been harmed by equipment failure during the last five years, 6 out of ten (60%) have been impaired by data breaches or cyber attacks, while more than half (52%) have had their operations affected by natural disasters. Yet the majority (54%) say their organizations have not developed or tested any formal loss recovery plans. This is according to a new study commissioned by FM Global.

Finance’s role in operational risk management: CFO research on building a resilient company also revealed a low level of preparedness for operational risk events as only a third (34%) of financial executives believe their organization was very well prepared to recover from an equipment failure. Just a third (33%) felt they were very well prepared to recover from a natural disaster, while merely a quarter (24%) were very well prepared to recover from a data breach/cyber attack.

“It’s surprising the number of companies that have been harmed by operational risk events, coupled with the relatively low number of companies that feel they are very well prepared for a disruption event,” said Eric Jones, operations vice president and global manager of business risk consulting, FM Global. “The findings reveal the opportunity for financial executives to implement stronger plans with increased data, to help move resilience forward within their organizations.”

There is also an increasing perception of risk as over two-thirds (70%) of financial executives are concerned that their revenues or earnings will become more vulnerable to operational risk over the next two years, and nearly 6 out of ten (60%) say the need to manage operational risks will make it more difficult to meet revenue and earnings targets over the next two years.

Some of these findings echo the results of the latest Horizon Scan Report published by the Business Continuity Institute which features cyber attacks, data breaches and IT/telecommunications failures as the top three concerns for business continuity professionals. Adverse weather features high on the list in eighth place, although other natural disasters such as earthquakes and tsunamis are not quite as concerning.

Overall, the study found a need for improved resiliency, with 86% of respondents saying their companies will need to be more resilient in the future.

Thursday, 19 January 2017 17:27

Too Many Amber Alerts?

The emergency community in Michigan may have fewer Amber Alerts to respond to this year, as the state implements new measures intended to pare back use of the emergency child-abduction notification system.

Michigan recently redefined its criteria for Amber Alerts to fix definitions that law enforcement officials say were drawn too broadly. The new guidelines fall more closely in line with U.S. Department of Justice guidelines and more closely fit the system’s original intent.

“If we adhered strictly to the old criteria, we could have put out an Amber Alert every single day in Michigan,” said Detective Sgt. Sarah C. Krebs, who heads Amber Alerts for the Michigan Department of State Police Missing Persons Coordination Unit.



Hyperscale cloud providers are sucking more and more customer workloads away from data center providers, while gobbling up more and more data center capacity to host those workloads, changing in a big way the dynamics in the global colocation data center market.

One big result is that growth in retail colocation is slowing, while growth in the wholesale data center market is accelerating, according to the latest report by Structure Research. The analysts project a growth rate of 14.3 percent for retail colocation from 2016 to 2017 and 17.9 percent for wholesale; retail colocation services currently have 75 percent market share, with wholesale responsible for the rest.

The global colocation market size reached $33.59 billion in 2016, including both retail and wholesale services, Structure estimates. The firm expects it to grow 15.2 percent this year.

Here’s how total colocation data center market revenue is split among regions (chart courtesy of Structure Research):



Not long ago, European customers of the global public cloud vendors relied upon a single data centre ‘region’ for all their cloud computing needs. From Lisbon to Lviv, Kiruna to Kalamata, customers of Amazon Web Services (AWS) and Microsoft Azure sent everything to Ireland, and customers of the Google Cloud Platform (GCP) sent everything to Belgium. And, mostly, public cloud’s early adopters in Europe just got on with it.

For the majority of public cloud workloads, storing and processing data somewhere in the European Economic Area (EEA) really was — and is — good enough. Network latency was mostly low enough not to be a problem, and European regulations covered the main use cases well enough to appease all but the most cautious lawyers.

But connections can always be faster, and there are still use cases in regulated industries and government where keeping personal data inside specific geographic borders is either essential or encouraged. And, more and more often these days, customers just seem to feel happier when their data doesn’t leave the country. Mostly, no law requires it, and no regulation recommends it. But it’s still happening. We should all be pushing back against this odd trend towards data balkanisation, much harder than we are.



DURHAM, N.C. – Edgecombe County area homeowners, renters and business owners whose properties were damaged by Hurricane Matthew flooding can find information and guidance on their next steps toward recovery at the Disaster Recovery Resource Fair in Tarboro.

The resource fair will be held from 10 a.m. to 3 p.m. Saturday, Jan. 21 at the Edgecombe County Administrative Building, 201 St. Andrews Street, Tarboro, NC 27886.

Bilingual interpreters and American Sign Language interpreters will be on hand.

Do you have a particular recovery issue that puzzles you? Specialists in disaster recovery will be available for one-on-one discussions and to answer your questions. Topics include:

  • Housing resources
  • Sheltering at home
  • Flood insurance
  • Foreclosure prevention
  • Housing counseling
  • Title issues/successions
  • Legal services
  • Disaster tax relief
  • Various types of loans and more.

Disaster Recovery Resource Fair Provides Advice on Hurricane Recovery

Participants include: North Carolina Emergency Management, North Carolina Legal Aid, U.S. Department of Agriculture, U.S. Department of Housing and Urban Development, U.S. Department of the Interior, U.S. Small Business Administration, American Red Cross, FEMA, National Flood Insurance Program and others.

For more information or directions, call 336-851-8058.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.


Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow FEMA on Twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during, and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955 or visiting SBA’s Web site at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

Thursday, 19 January 2017 17:21

Fraud Incidents Rise in 2016, Kroll Finds

Reports of fraud have risen in the past year. In fact, incidences of every type of fraud have reached double-digit levels, according to the Kroll Global Fraud & Risk Report 2016/2017. Overall, 82% of executives reported falling victim to at least one instance of fraud in the past year, up from 75% in 2015.

Theft of physical assets remained the most prevalent type of fraud in the last year, reported by 29% of respondents, up 7 percentage points from 22% of respondents in the last survey. Kroll reported that vendor, supplier, or procurement fraud (26%) and information theft, loss, or attack (24%) were the next two most common types of fraud cited, each up 9 percentage points year-over-year.

Kroll found that most threats come from within an organization, with current and ex-employees being the most frequently cited perpetrators of fraud, cyber, and security incidents over the past 12 months. External parties were also identified as active perpetrators.



SEVIERVILLE, Tenn. — Survivors who registered for disaster assistance after the Sevier County wildfires are encouraged to stay in touch with FEMA to resolve issues, get updates on their applications or provide new information.

Survivors can call the FEMA helpline at 800-621-3362 for status updates on their applications or to check whether they submitted the correct documents. Applicants changing addresses, phone numbers or banking information should notify FEMA. Missing or erroneous information could result in delays in receiving assistance.

Callers to the helpline should refer to the nine-digit number they were issued at registration. This number is on all correspondence applicants receive from FEMA and is a key identifier in tracking assistance requests.

Survivors can also call the helpline to:

  • update insurance information
  • receive information on the home inspection process
  • add or remove the name of a person designated to speak for the applicant
  • find out if FEMA needs more information about their claim
  • update FEMA on the applicant’s housing situation
  • learn how to appeal an eligibility determination
  • get answers to other questions about their applications

Applicants may update their information the following ways:

  • Online at DisasterAssistance.gov (also in Spanish).
  • Download the FEMA mobile app (also in Spanish).
  • Call the FEMA Helpline at 800-621-3362 (FEMA). Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call 800-462-7585. Toll-free numbers are open daily from 7 a.m. to 10 p.m. Help is available in many languages.

Monday, Feb. 13 is the deadline to register with FEMA for disaster assistance for the Nov. 28 to Dec. 9 wildfires in Sevier County.

For updates on Tennessee’s wildfire response and recovery, follow @FEMARegion4 on Twitter and visit TNEMA.org/, MountainTough.org/ and fema.gov/disaster/4293.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Costly Weather Disasters and Near Record Heat in 2016. It was the second hottest year in the U.S. as Alaska warmed dramatically and nighttime temperatures set a record.

The National Oceanic and Atmospheric Administration annual report noted that the U.S. also notched its second highest number of weather disasters that cost at least $1 billion in damage: 15 separate ones together caused $46 billion in damage and 138 deaths.

The regular tally of the nation’s weather year shows that even on a smaller scale — the U.S. is only 2 percent of the Earth’s area — climate change is becoming more noticeable even amid the natural variations that play such a large role in day to day weather.



The Business Continuity Institute

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These were the findings of a Freedom of Information request submitted by SentinelOne.

The Ransomware Research Data Summary explained that SentinelOne made FOI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex, and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware and, despite installing a McAfee solution, Leeds Teaching Hospital had suffered five attacks in the past year. No Trusts reported paying a ransom or informed law enforcement of the attacks; all preferred to deal with the attacks internally.

Ransomware, which encrypts data and demands a ransom to decrypt it, has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.

With the infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it is clear to see why these types of attack can be a concern for business continuity professionals, with the latest Horizon Scan Report published by the Business Continuity Institute highlighting cyber attacks as the number one concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week.

“These results are far from surprising,” said Tony Rowan, Chief Security Consultant at SentinelOne. “Public sector organizations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed. In the past NHS Trusts have been singled out by the ICO for their poor record on data breaches and with the growth of connected devices like kidney dialysis machines and heart monitors there is even a chance that poor security practices could put lives at risk.”

*Note that the data isn't always recovered, even after a ransom has been paid.

Wednesday, 18 January 2017 16:24

Getting Hired as an Emergency Manager

What does it take to become an emergency manager? First, emergency management is a white-collar, professional job. The days of the retired firefighter turned emergency manager are fading quickly, replaced by a new breed of highly credentialed, educated professionals whose main career field is emergency management or something very close to it. This is happening because of a combination of governments requiring certain education and experience levels for positions of responsibility, and an industry push toward a greater focus on standards and education.

What that means to the prospective emergency management job seeker is that the core competencies of an emergency manager are only slightly different from those of an engineer, an accountant or an attorney (so much so that many emergency managers started out as engineers, accountants and attorneys). Skills such as clear writing, oral communication, critical thinking, problem solving and project management are highly transferable and form the basis of a professional career. Conversely, if a candidate’s writing skills are poor or they can’t demonstrate the ability to brief a project plan during an interview, the odds of them being hired are marginal at best.

Writing, thinking and communication skills are inseparably linked to presentation, presence and attitude. These are skills and characteristics that should be perfected well in advance of submitting a resume or attending an interview. What do quality presentation, presence and attitude look like? Any decent job-seeking site will just call them the basics of a good interview. This includes showing up on time dressed in a suit and tie, shaking the hand of the person with whom you are interviewing, acting respectfully yet presenting your own ideas, and having a positive attitude about starting the job. Candidates need to look and act the part if they wish their future employer to take them seriously, especially if this is their first job.



Wednesday, 18 January 2017 16:23

Who Leased the Most Data Center Space in 2016?

The short answer is Microsoft. The second-largest cloud service provider signed six of last year’s largest wholesale data center leases with five landlords in five markets, according to the latest market report by the commercial real estate firm North American Data Centers.

Microsoft and to a lesser extent Oracle together were responsible for a 25-percent increase in leasing activity from 2015. According to NADC, that increase represents a “historical high.”

Cloud providers and other tech companies with hyperscale internet platforms have completely changed the dynamics of the data center services market in recent years in the US and beyond. As they race to expand capacity, the likes of Microsoft, Amazon Web Services, Uber, and Oracle have created supply shortages in top US markets, driving unprecedented growth in the wholesale data center business. Wholesale market growth now outpaces growth in retail colocation, according to a recent report by Structure Research.



  • 82 percent of executives surveyed worldwide experienced a fraud incident in the past year, compared to 75 percent in 2015, according to the Kroll Annual Global Fraud and Risk Report
  • 85 percent of executives reported at least one cyber incident and over two-thirds reported security incidents
  • Current and former employees were the most common perpetrators

Fraud, cyber and security incidents are now the “new normal” for companies across the world, according to the executives surveyed for the 2016/17 Kroll Annual Global Fraud and Risk Report. The proportion of executives that reported their companies fell victim to fraud in the past year rose significantly to 82 percent, from 75 percent in 2015 and 70 percent in 2013, highlighting the escalating threat to corporate reputation and regulatory compliance.

Cyber incidents were even more commonplace, with 85 percent of executives surveyed saying their company has suffered a cyber incident over the past 12 months. Over two-thirds (68 percent) reported the occurrence of at least one security incident over the course of the year.



Wednesday, 18 January 2017 16:12

Determine your cybersecurity scope and assets

Once you have your executives on board (see the previous post) the next step is to define the scope of your program and define your inventory of assets.

Your scope will encompass the entire company at some level, but you may have one scope for internal resources, a scope for customer resources, another scope for third-party resources, and other scope projects as well. Scope may be defined in terms of technology or business, application or process, people or buildings. Your executive sponsor can help define the scope of each program; the cybersecurity professional must help the executive sponsor understand the depth and breadth of the scope requirements.

Inventories may be tracked in simple Excel spreadsheets, maintained by accounting, or tracked in sophisticated asset-management software applications that include automated discovery and tracking mechanisms. Regardless of whether the starting inventory is simply hard assets (desk or desktop) or soft assets (operating systems or data), this inventory is a fundamental requirement for your cybersecurity program. Without it you don’t know what needs to be protected.



The Business Continuity Institute

There have been several studies recently that have shown, or at least suggested, that cyber security incidents are often the result of human error, and we have been told again and again that one of the best ways to improve our cyber security is to use strong passwords. However, a study of 2016’s most common passwords found that nearly 17% of users were safeguarding their accounts with ‘123456’.

Keeper Security’s study of 10 million passwords which had become public through data breaches that occurred during 2016 found that the list of most frequently used passwords had changed little over the last few years. This perhaps suggests that user education has its limits. While it is important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.

Four of the top 10 passwords, and seven of the top 15, were six characters or shorter. This is stunning given that today’s brute-force cracking software and hardware can unscramble those passwords in seconds. The presence of passwords like ‘1q2w3e4r’ and ‘123qwe’ indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Password crackers know to look for sequential key variations and, at best, this will only set them back a few seconds.

Cyber security is a hot topic for business continuity professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

Tuesday, 17 January 2017 21:33

Making Shadow IT Work for the Enterprise

When it comes to shadow IT, the enterprise has three choices: It can accept it, fight it or ignore it. All too often, however, organizations choose the third option, which in most cases not only fails to satisfy individual or organizational needs but can place systems and data at risk.

Fortunately, new practices and new technologies are making it easier to accommodate shadow IT, and even use it to gain an advantage in today’s digital economy.

According to a recent report by cloud security expert Netskope, shadow IT can creep into the enterprise even when service deployment and usage policies are in place to prevent it. In its latest quarterly assessment, the company reports that half of all Box and Dropbox users maintain personal instances on these platforms along with the sanctioned presences established by their employer. This makes it extremely difficult to detect and mitigate practices like data exfiltration and file sharing between the enterprise and private instances. At the same time, the company says that upwards of 95 percent of services employed in the cloud are not enterprise-ready, with particular deficiencies when it comes to compliance with government mandates like the EU’s General Data Protection Regulation.



Wordfence researchers are warning of a new and unusually effective phishing scam designed to steal login credentials from Gmail users, though it's also been seen targeting users of other services (h/t The Register).

An email is sent to a target's Gmail account, often from someone they know whose account has been hacked using the same technique, including an image of an attachment the recipient will likely recognize from the sender.

"You click on the image, expecting Gmail to give you a preview of the attachment," Wordfence CEO Mark Maunder explains in a blog post describing the attack. "You glance at the location bar and you see accounts.google.com in there."



Do you know how to actually execute a recovery using your defined disaster recovery strategy, or will your team have to figure it out? We’ve discussed developing a disaster recovery strategy at length, but what happens when it’s time to execute your strategy?

In his poem, To a Mouse, Robert Burns provides a well-known and insightful thought, “the best-laid plans of mice and men sometimes go awry.” We’ve seen how true this can be when we must perform an actual recovery that doesn’t go as smoothly as we might have hoped, even with all of our planning and document development.

Here are some ideas on providing training and validation of the execution of your DR strategy and plans.



Buying a system that provides built-in intelligence reduces both deployment time and total cost of ownership. This results in a program that aligns with proven best practices, industry standards, and governing regulations to exceed your program’s resiliency goals.

Why try to reinvent the wheel? Why spend your time building an untested, unproven solution? The smart answer is to embrace the built-in intelligence of a tested software product. Spend your valuable time elevating your Business Continuity/Disaster Recovery (BCDR) program instead. Unlike software that you build from scratch with your vendor over the course of months or years, ResilienceONE® from Strategic BCP® provides a Business Continuity Management (BCM) solution that is ready right out of the box and instantly provides users with the following:



Fully 95 percent of cloud services in use in the average enterprise aren't enterprise-ready, according to the January 2017 Netskope Cloud Report.

Specifically, 82 percent of cloud services don't encrypt data at rest, 66 percent don't specify in their terms of service that the customer owns the data, and 42 percent don't allow admins to enforce password controls.

An average of 1,031 cloud services are now in use per enterprise, up from 977 in the previous quarter.



Monday, 16 January 2017 16:29

Gamification in Risk Management

In 2014, I collaborated with EY to develop Russia’s first risk management business game. It was great fun, and as a result, we created a pretty sophisticated business simulation.

Participants were split into teams of 10, each person receiving a game card that describes their role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, and in each round, teams must make risk-based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision, the higher the probability of an adverse outcome. At the end of each round, a computer simulation model chooses a scenario and the outcome is announced to each team. Each decision has consequences, and the outcome may either make money for the business or lose money.

The aim of the game is to increase the company valuation by properly weighing risks and making balanced business decisions. The winning team is the one that increases its company’s value the most after four rounds.



Monday, 16 January 2017 16:26

Weighing the Options for Disaster Recovery

Despite the redundancy and resilience the enterprise has gained from virtualization and cloud computing, disaster recovery remains one of the most overlooked functions on the IT to-do list.

In many cases, organizations have established backup and recovery services for their primary applications, but without constant care and attention to the processes behind B&R, and the way they are affected by constantly evolving data loads and architectures, the reliability of these services is questionable at best. In the digital economy, it’s not enough to recover – you must recover quickly and thoroughly.

According to recent research from cloud recovery specialist Asigra, the typical enterprise recovers less than 5 percent of its data during the restore process, most of it from file systems. Most data recovery requests are the result of ransomware attacks and losses from cloud-based platforms like Office 365 and Salesforce, and more than half of all requests across multiple industry verticals are for previous generations of data. Only about 13 percent of recovered data was lost due to user error or accidental deletion. What this shows is that while only a small portion of data is typically needed to get applications and services up and running, many organizations still pay a premium for 100 percent backup of their online data.



Monday, 16 January 2017 16:25

Cloud-based Security Emerges

Cloud-based security continues to emerge as a key growth area. The main reasons for this growth are the overall ease of deployment, the strong expertise of cloud security teams, and the reduction in investment in hardware/infrastructure required to support the business. Businesses are no longer required to maintain equipment onsite that needs a specialist to operate and maintain.

Cloud-based security solutions lower the operating cost because there is less need for upgrading software, monitoring and documenting software security activities. The cost of hardware and software is increasing dramatically which makes cloud-based security an attractive option for companies of all sizes.

According to PWC’s Key findings from The Global State of Information Security® Survey 2016, 79% said they use cloud-based cybersecurity services like real-time monitoring and analytics, advanced authentication, identity and access management. This survey included input from more than 10,000 IT professionals from around the globe.



With 2017 already underway, it’s a good time to look at what we think will be major drivers in the mass notification system market. One recent report estimates this market will grow from $4.16 billion in 2016 to more than $9 billion by 2021. It appears the focus will be on business continuity strategies and IP-based notification devices. Let’s break those down a bit.

Business Continuity

When an emergency happens, its ripple effect can extend beyond the initial incident to produce plenty of collateral damage. Any interruption in service and/or operations will directly impact the bottom line as well as customer satisfaction, brand reputation, and other less concrete but equally important metrics. Companies can spend millions of dollars to recover and continue operating as quickly as possible, from repairs and rebuilding to marketing and PR strategies.

As more companies fear the worst, which would be prolonged or complete organizational shutdowns, they are getting smarter about their emergency response plans. In today’s 24×7 news and social media, one misstep can lead to irreparable damage. Consumers expect a rapid response, one that balances the potential personal loss of its key stakeholders (employees/customer/supplier/partner base) and community with recovery strategies to get the business up and running. Consumers’ patience is fragile.



Monday, 16 January 2017 16:22

6 Shocking Statistics on Disaster Recovery

According to most experts, 2.5 quintillion bytes of data are being created each day, and 90% of the data that exists in the world today has been created in the last two years alone. By the year 2020, it is estimated that 1.7 megabytes of new information will be created every second for every human being on the planet.

More data brings more opportunities to businesses, but it brings new challenges with it, too. A specific challenge that many organizations are facing is safely storing and backing up the unprecedented amounts of data that they are finding themselves in charge of. Research shows that 60% of companies that improperly manage their data and lose it to a disaster will shut down within six months of the event. The importance of a proper disaster recovery plan is more critical than it ever has been before.

Here are six shocking statistics you may not know about Disaster Recovery. They might make you rethink the necessity of having a proven, tested plan in place should something go wrong.



2016 Cyber breach: likely the greatest threat of our lifetime. Kaspersky Lab has released a summary of the major incidents of 2016 and has looked forward into 2017 as to what may happen.

In 2016, the world’s biggest cyber threats were related to three things:

  • Money
  • Information
  • Desire to disrupt.

The notable threats included the underground trade of tens of thousands of compromised server credentials, hijacked ATM systems, ransomware and mobile banking malware – as well as targeted cyber-espionage attacks and the hacking and dumping of sensitive data. These trends, their impact and the supporting data are covered in the annual Kaspersky Security Bulletin Review and Statistics reports.



A survey of more than 1,200 risk managers and corporate insurance experts in over 50 countries identified business interruption as the top concern for 2017. According to the sixth annual Allianz Risk Barometer of top business risks, this is the fifth successive year that business interruption has been seen as the biggest risk.



To build any cybersecurity program, you need buy-in at the highest levels. Your C-suite and the board of directors all need to be on board for a successful cyber-program initiative. But how do you get their attention?

The key to getting and keeping the attention of those at the highest levels is to provide just the right amount of information in a clear, concise, educational format that ties directly to the business objectives.

Before asking for funding for your program, it’s important you show your executives the risk to the organization of not providing the funding. What damage to reputation or brand will occur if the company’s name is in the headlines due to a data breach? The old adage, “all publicity is good publicity,” is no longer true in the era of hacking, malware, ransomware and other cybersecurity threats.



The Business Continuity Institute

As companies embrace digitalization and increasingly interlink their equipment, processes and supply chain – the so-called ‘Internet of Things’ – the risk of financial losses rises exponentially, with cyber security and related issues fast emerging as the biggest risk for organizations, according to Allianz Global Corporate & Specialty SE.

The 6th annual Allianz Risk Barometer notes that the cyber threat now goes far beyond hacking and privacy, and data breaches and new data protection regulations will exacerbate the fallout from these for businesses. Time is running out for businesses to prepare for the implementation of the new General Data Protection Regulation across Europe in 2018. The cost of compliance will be high, and so could be related penalties.

In addition, inter-connectivity and increasing sophistication of cyber attacks pose risk for companies not only directly, but also indirectly through exposed critical infrastructure such as IT, water or power supply. Then there is the threat posed by technical failure or human error, which could lead to prolonged and wider business interruption. In today’s ‘Industry 4.0’ environment, failure to submit or interpret data correctly could stop production.

Worldwide, cyber concerns ranked third in the list of top risks, but second in Europe and the United States. Especially worried were respondents in the trade and information and communication technology industries. The report shows that smaller organizations may be underestimating their cyber risk, as those with revenue of less than €250 million rank cyber incidents as the sixth biggest risk. However, the impact of a serious incident could be much more damaging for such firms.

Business interruption remained the top fear globally for the fifth straight year, with multiple new triggers emerging, including non-physical damage disruptions caused by political violence, strikes and terror attacks.

Organizations are also facing potential financial losses as the changing political landscape - Brexit, US elections outcome and the upcoming polls in the EU, among others - raises fears of increasing protectionism and anti-globalization trends. Since 2014, there have been around 600 to 700 new trade barriers introduced globally every year.

“Companies worldwide are bracing for a year of uncertainty,” says Chris Fischer Hirs, the CEO of AGCS. “Unpredictable changes in the legal, geopolitical and market environment around the world are constant items on the agenda of risk managers and the top management. A range of new risks are emerging beyond the perennial perils of fire and natural catastrophes which require re-thinking of current monitoring and risk management tools.”

Sometimes it is a good exercise to step back and review some basics. I was at a high school basketball game recently and the teams were running a pro-style offense. The difference, however, was one team was fundamentally sound – on target passing, effective ball movement and basic concepts – while the other team was not. You can guess the outcome of the game.

Similarly, we should be looking at the basics in our business continuity programs to ensure we are fundamentally sound. Today’s blog is related to the very basic and fundamental concept and requirements of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Before you close this window or go somewhere else, take two minutes to finish this short blog, then take another two minutes to consider the state of the RTOs and RPOs in your business continuity program. These provide the basic, and arguably most important, requirements in developing technical and business recovery strategies.



Emergency Notifications in the Healthcare Industry

Our blogs typically highlight the use of emergency mass notifications for companies, such as service organizations, manufacturing, and typical private-sector businesses with a medium to large and/or dispersed workforce. While this has been our focus, we believe it is critical for any organization across every industry to have an emergency plan in place, practiced, and periodically updated to include the latest technology. The plan must include, at its core, a sound emergency communications strategy and solution.

I stumbled upon a recent article talking about mass notifications in an industry we haven’t written much about, namely healthcare. We’ve mentioned how a mass communication system can be used in the healthcare industry for scheduling the many shifts involved in most healthcare organizations, but we haven’t touched upon the need for mass communications in the event of an emergency in a hospital or other patient care facility. Until now.



VIRGINIA BEACH, Va. – It has been over two months since disaster assistance personnel from the Federal Emergency Management Agency (FEMA) deployed to Virginia in response to President Obama’s major disaster declaration of Nov. 2, 2016. The president’s signature on the decree made federal assistance available to eligible survivors affected by Hurricane Matthew in seven independent cities for individual assistance.

Although the deadline for registering for individual financial assistance from FEMA has passed, the recovery continues. Survivors affected by Hurricane Matthew, who have registered for FEMA assistance, still have access to the agency for information about temporary housing, help with insurance claims, questions about filing an appeal, and other disaster services and resources.

Registered individuals have access to FEMA’s toll-free Helpline, seven days a week, 7 a.m. to 10 p.m. EDT. Call 800-621-3362 (TTY users should call 800-462-7585). Multilingual operators are available.

Applicants receiving temporary rental assistance and who have a need for continuing housing assistance must apply to FEMA for approval. FEMA will evaluate the information to determine if the applicant qualifies for ongoing federal rental assistance, based on financial need. Contact the FEMA Helpline for information on how to apply.

FEMA urges registered individuals to “keep in touch” and notify FEMA of address or phone number changes, initiate appeals or reschedule inspection appointments. It is important to keep all contact information current to avoid delays in getting assistance.

As of the Jan. 3 deadline, 5576 Virginia homeowners and renters have applied to FEMA for disaster assistance. To date more than $7.4 million in individual housing assistance grants and nearly $1.6 million in other needs assistance have been approved for residents of the 7 designated cities: Chesapeake, Hampton, Newport News, Norfolk, Portsmouth, Suffolk and Virginia Beach.

Since the Nov. 2 disaster declaration, the U.S. Small Business Administration (SBA), one of FEMA’s partners in disaster recovery, has approved 399 low-interest disaster loans totaling nearly $13.4 million. SBA offers low-interest disaster loans to homeowners and renters who have applied for FEMA assistance, as well as to businesses of all sizes and private nonprofit organizations. SBA disaster loans may cover the cost of repairing, rebuilding or replacing lost or disaster-damaged real estate and personal property.

For more information about SBA loans, call SBA’s Disaster Assistance Customer Service Center at 800-659-2955. (TTY users should call 800-877-8339). Individuals and businesses may also visit http://www.sba.gov/disaster.

In addition to the FEMA grants, and SBA loans, the National Flood Insurance Program (NFIP) has paid out $46.8 million to 2263 claimants to settle Flood Insurance Claims. Several of the claims were outside of the Special Flood Hazard Area (SFHA) proving to be a good investment for homeowners who suffered flooding damages. Homeowners and renters who purchased insurance through NFIP were able to find affordable Preferred Risk Policies that cover homes not located in a SFHA. Flood insurance continues to be the best tool for recovering financially from a flooding disaster for both homeowners and renters.

The Commonwealth’s and FEMA’s 6 Disaster Recovery Centers (DRCs) served 3,051 visitors between Nov. 7 and Jan. 3, while FEMA-contracted housing inspectors have completed more than 4,052 inspections of disaster-damaged properties to verify damage.

The Public Assistance Program, which aids local governments and certain nonprofits, was also approved for this disaster. Eligible projects are reimbursed not less than 75 percent of their costs for uninsured damages to infrastructure and certain emergency response costs. The eligible cities are Chesapeake, Franklin, Norfolk, Portsmouth, Suffolk, Virginia Beach, Hampton, and the counties of Isle of Wight and Southampton. The Virginia Department of Emergency Management is working closely with FEMA to develop costs for the eligible reimbursements. Applicants have six months from the date of the declaration to identify all projects for reimbursement consideration.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 (voice, 711 or video relay service). TTY users can call 800-462-7585.

The SBA is the federal government’s primary source of money for the long-term rebuilding and recovery. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and can cover the cost of replacing losses of disaster-damaged real estate and personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations.

Forrester's clients frequently ask us how to build the business case for customer journey mapping, particularly for digital experiences and digital products. We have proven that better customer experiences drive revenue in industries with low switching costs. But what about investments in customer journey mapping?

Now that I've taken on Forrester's digital business and transformation playbook, I've been thinking a lot about the benefits of journey mapping, which I believe is the front end to any transformation initiative. I don't have a wealth of evidence yet to justify your investments in journey mapping (though my CX colleagues have a lot more to share for Forrester clients). But I have been developing a framework to measure the impact of better customer experiences. These metrics range from hard to squishy:



The Business Continuity Institute

Economic inequality, societal polarization and intensifying environmental dangers are the top three trends that will shape global developments over the next 10 years, the World Economic Forum’s Global Risks Report 2017 found. Collaborative action by world leaders will be urgently needed to avert further hardship and volatility in the coming decade.

While the world can point to significant progress in the area of climate change in 2016, with a number of countries, including the US and China, ratifying the Paris Agreement, political change in Europe and North America puts this progress at risk. It also highlights the difficulty that leaders will face to agree on a course of action at the international level to tackle the most pressing economic and societal risks.

“Urgent action is needed among leaders to identify ways to overcome political or ideological differences and work together to solve critical challenges. The momentum of 2016 towards addressing climate change shows this is possible, and offers hope that collective action at the international level aimed at resetting other risks could also be achieved,” said Margareta Drzeniek-Hanouz, Head of Global Competitiveness and Risks, World Economic Forum.

The complex transitions that the world is currently going through, from preparing for a low-carbon future and unprecedented technological change to adjusting to new global economic and geopolitical realities, places even greater emphasis on leaders to practice long-term thinking, investment and international cooperation.

“We live in disruptive times where technological progress also creates challenges. Without proper governance and re-skilling of workers, technology will eliminate jobs faster than it creates them. Governments can no longer provide historical levels of social protection and an anti-establishment narrative has gained traction, with new political leaders blaming globalisation for society’s challenges, creating a vicious cycle in which lower economic growth will only amplify inequality. Cooperation is essential to avoid the further deterioration of government finances and the exacerbation of social unrest,” said Cecilia Reyes, Chief Risk Officer of Zurich Insurance Group.

The propensity of the Fourth Industrial Revolution to exacerbate global risks also came under scrutiny in the Report’s Global Risks Perception Survey. Basing their analysis on 12 distinct emerging technologies, experts clearly identified artificial intelligence and robotics as having both the highest potential for negative consequences and also the greatest need for better governance. Notwithstanding its potential to drive economic growth and solve complex challenges, experts also named it as the top driver of economic, geopolitical and technological risks among the 12 technologies.

John Drzik, President of Global Risk & Specialties, Marsh said: “Artificial intelligence will enable us to address some of the great issues of our age, such as climate change and population growth, much more effectively. With investment into AI now ten times higher than it was five years ago, rapid advances are already being made. However, increased reliance on AI will dramatically exacerbate existing risks, such as cyber, making the development of mitigation measures just as crucial.”

The Business Continuity Institute

Global organizations are more confident than ever that they can predict and resist a sophisticated cyber attack, but are falling short of investments and plans to recover from a breach in today's expanding threat landscape. This is according to a new study conducted by EY.

The annual Global Information Security Survey (GISS) - Path to cyber resilience: Sense, resist, react - showed that half (50%) of those surveyed said they could detect a sophisticated cyber attack – the highest level of confidence since 2013 – due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centres (SOCs) and active defence mechanisms. However, despite these investments, 86% of those surveyed say their cyber security function does not fully meet their organization's needs.

Business continuity professionals are well aware of the threat the cyber world poses to their organizations, as identified in the Business Continuity Institute's latest Horizon Scan Report. In this report cyber attack and data breach were ranked as the top two threats with the vast majority of respondents to a global survey (85% and 80% respectively) expressing concern about the prospect of them materialising.

Despite the report noting that business continuity and disaster recovery – which is at the heart of an organization's ability to react to an attack – was rated by respondents as their top priority (57%), along with data leakage and data loss prevention (57%), only 39% plan to spend more on business continuity and disaster recovery.

Paul van Kessel, EY Global Advisory Cyber Security Leader says: "Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks. Organizations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to 'cyber resilience' – an organization-wide response that helps them prepare for and fully address these inevitable cyber security incidents. In the event of an attack they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and ultimately their own future, at risk."

This year's survey also shows that respondents continue to cite the same key areas of concern for their cyber security, such as the increased risks from the actions of careless or unaware employees (55% compared with 44% in 2015) and unauthorized access to data (54% compared with 32% in 2015). Meanwhile obstacles to their information security function are virtually unchanged from last year, including:

  • Budget constraints (61% compared with 62% in 2015)
  • Lack of skilled resources (56% compared with 57% in 2015)
  • Lack of executive awareness or support (32%, the same as in 2015)

Despite the connected nature of today's digital ecosystem, the survey found that 62% of global organizations said it was unlikely they would increase their cyber security spending after a breach that did not appear to do any harm to their operations. Also, 58% said it was unlikely they would increase their information security spending if a competitor was attacked, while 68% said it was unlikely they would increase their information security spending if a supplier was attacked. In the event of an attack that definitely compromised data almost half of the respondents (48%) would not notify customers who had been impacted within the first week. Overall, 42% of respondents do not have an agreed communications strategy or plan in place in the event of a significant attack.

When it comes to devices, organizations are struggling with the number of devices that are continuously being added to their digital ecosystem. Almost three-quarters (73%) of organizations surveyed are concerned about poor user awareness and behavior around mobile devices, such as laptops, tablets and smartphones. Half (50%) cited the loss of a smart device as a top risk associated with the growing use of mobile devices because they encompass both information and identity loss.

Forrester’s business insights research team has had a busy 2016! We have been busy helping our business and technology clients lead their organization to become insights-driven - one of the key operating principles of customer-obsessed firms.

Our research in 2016 helped clients:

  • Organize And Operate As An Insights-Driven Business. Insights-driven businesses harness and apply data and analytics at every opportunity to differentiate their products and customer experiences and they operate differently. For customer insights teams in particular, this means understanding the right organizational models to effectively turn insights into action.
  • Scale And Innovate With Data. Business users want real-time trusted data to make accurate business decisions, while technology management wants to simplify administration and lower costs. Our big data fabric research helps organizations accelerate their big data initiatives, monetize big data sources, and ultimately create a data vision to make data relevant, timely, and impactful.



Tuesday, 10 January 2017 00:00

Ransomware Will Get Worse This Year

Ransomware made a lot of (bad) news in 2016, and the year ahead is expected to bring more of the same.

The security sector is reeling as the year begins. Rick Orloff, the vice president, chief security officer and chief privacy officer at Code42, began a column by reciting the numbers and pointing out that it “has caused absolute terror in nearly every industry.”

That has been written in different ways many times during the past year. Orloff adds to the total picture on ransomware by pointing out that one of the reasons that ransomware is popular among the darker forces is that the industry has done an admirable job of protecting itself against other kinds of attacks. Security forces in essence are victims of their own success:



Public cloud is a good thing only when an appropriate strategy is applied to leverage it to the benefit of the business. While it can be less expensive for some workloads, it can be more expensive for others — without a thoughtful, strategic approach, it can destroy value rather than create it. In other words, “Public cloud doesn’t fix stupid.”

That’s the conclusion drawn by Jason Anderson, chief architect at Datalink, a cloud services provider in Eden Prairie, Minnesota, based on the findings of a recent IT optimization survey of U.S. IT executives that was commissioned by Datalink. In a recent interview, Anderson discussed the survey, and what Datalink gleaned from it, at some length. I asked him if the survey results prompted Datalink to change anything it had been doing in order to better serve its customers. He said the company has, in fact, changed its focus:

What we had been talking to customers about for quite a while was that they need to get a handle on their cloud strategy, and make sure that if you’re an IT executive, you want to be at the center of the cloud conversation, and be a broker of IT services. That had been our message. It’s not that we think that that is wrong, or was wrong. But what we learned from the survey was that a lot of IT executives get that message already, so we really don’t have to pound on that. Instead, we need to get them better armed with the how to do that. So we shifted our focus to really saying, “OK, the how is to focus on your workloads, and embrace the fact that you’re going to have multiple platforms.” What was clarified for us in the survey was that we really need to take a very workload-focused view of the world. Know going into it that, except for some very small organizations, or ones that are so specialized they only have a handful of applications, they’re going to have multiple platforms, and that both on-prem[ises] and public cloud are going to be a part of the mix.



The Business Continuity Institute

A number of devastating earthquakes and powerful storms made 2016 the costliest twelve months for natural catastrophe losses in the last four years. This is according to a study by Munich RE which showed losses totalling US$175bn, a good two-thirds more than in the previous year, and very nearly as high as the figure for 2012 (US$180bn). The share of uninsured losses – the so-called protection or insurance gap – remained substantial at around 70%.

The high number of flood events, including river flooding and flash floods, was exceptional and accounted for 34% of overall losses, compared with an average of 21% over the past ten years. Taking very small events out of the equation, 750 relevant loss events such as earthquakes, storms, floods, droughts and heatwaves were recorded in the Munich Re NatCatSERVICE database, and this is significantly above the ten-year average of 590.

“After three years of relatively low nat cat losses, the figures for 2016 are back in the mid-range, where they are expected to be. Losses in a single year are obviously random and cannot be seen as a trend”, said member of the Board of Management Torsten Jeworrek. “The high percentage of uninsured losses, especially in emerging markets and developing countries, remains a concern.”

While the digital threats may be seen as the greatest concern to business continuity professionals, according to the Business Continuity Institute’s latest Horizon Scan Report, that's not to say that threats of a more physical nature don't exist. Adverse weather featured as a top ten threat with more than half of respondents (55%) to a global survey expressing concern about the prospect of this threat materialising, while a quarter expressed concern about the possibility of an earthquake/tsunami.

Earthquake in Japan most expensive natural catastrophe of 2016

The costliest natural catastrophes of the year occurred in Asia where there were two earthquakes on the southern Japanese island of Kyushu close to the city of Kumamoto in April (overall losses US$31bn; proportion of insured losses just under 20%), and devastating floods in China in June and July (overall losses US$20bn; only some 2% of which were insured).

North America was hit by more loss occurrences in 2016 than in any other year since 1980, with 160 events recorded. The year’s most serious event here was Hurricane Matthew which had its greatest impact on the Caribbean island nation of Haiti, which was still struggling to recover from the 2010 earthquake. Matthew killed around 550 people in Haiti, and also caused serious damage on the east coast of the USA. Overall losses totalled US$10.2bn, with over a third of this figure insured.

Series of storms in Europe, wildfires in Canada

North America was also impacted by other extreme weather hazards, including wildfires in the Canadian town of Fort McMurray in May, and major floods in the southern US states in the summer. In Canada, the mild winter with less snow than usual, and the spring heatwaves and droughts which followed, were the principal causes of the devastating wildfires that hit the province of Alberta, generating overall losses of US$4bn. More than two-thirds of this figure was insured. In August, floods in Louisiana and other US states following persistent rain triggered losses totalling US$10bn, only around a quarter of which was insured.

There was a series of storms in Europe in late May and early June and torrential rain triggered numerous flash floods, particularly in Germany, and there was major flooding on the River Seine in and around Paris. Overall losses totalled some US$6bn, around half of which was insured.

“A look at the weather-related catastrophes of 2016 shows the potential effects of unchecked climate change. Of course, individual events themselves can never be attributed directly to climate change. But there are now many indications that certain events – such as persistent weather systems or storms bringing torrential rain and hail – are more likely to occur in certain regions as a result of climate change”, explained Peter Höppe, Head of Munich Re’s Geo Risks Research Unit.

The findings of this study, and the costly impact of natural catastrophes that it highlights, show just how important it is for organizations to practice effective business continuity management. This won't negate the likelihood or consequence of such an event, but it will ensure that, should one occur, plans and processes are in place to enable the organization to manage through it, limit the impact and make sure that at least the priority activities can be carried out.

According to the results of a recent Osterman Research survey of 187 IT and/or HR decision makers, fully 69 percent of respondents have suffered significant data loss resulting from employees who left.

While 96 percent of respondents disable access to employees' mailboxes when they depart, 49 percent don't monitor access to every application and source of data the departing employee used, 47 percent don't delete data used by the departing employee, and 28 percent don't wipe corporate data from employee-owned devices when they leave the company.

"Whether it's premeditated or simply in error, many employees leave their employers with a wide variety of data types that can include confidential or sensitive financial data, customer information and/or product, sales and marketing roadmaps, as well as other business critical intellectual property," Osterman Research CEO and founder Michael Osterman said in a statement.



Monday, 09 January 2017 00:00

How Real Is the Multi-Cloud Environment?

Enterprises that have migrated workloads to the cloud are quickly coming to realize that even virtualized, third-party infrastructure does not in itself provide the flexibility needed to meet emerging data requirements. This is particularly true in single-cloud environments in which resources and configuration options are limited to what the cloud provider has developed for generalized consumption.

This is why multi-cloud architectures are expected to make a big play in the coming year. By distributing data and applications across varied infrastructure, the enterprise can better tailor resources to the appropriate workload and reduce the risk of stranding workloads in cloud-based silos.

The challenge, of course, comes in managing the multi-cloud environment. Hybrid clouds, by nature, are designed to provide portability and federation across dispersed resource sets, but how advanced is this technology really? And does it provide the kind of seamless level of operation to truly propel data productivity to a new level?



Monday, 09 January 2017 00:00

BCI: Salary benchmarking survey

The Business Continuity Institute

Are you being paid what you deserve? Do you think others may be getting paid more than you despite having the same level of qualifications or experience?

It may be that for some people the job itself is reward enough. Most of us, however, work for the salary we receive, as without it we would struggle to survive. You may or may not agree that money makes the world go round, but you can't deny it is important.

We all like to feel we are being rewarded fairly for our endeavours, and this means being able to compare what we are paid with what somebody else in a similar position is paid, not to mention all the other benefits that you (or they) receive. It's also helpful to know what skills, experience or certifications could lead to a higher salary.

To help you with this, the Business Continuity Institute has just launched its annual Salary Benchmarking Survey, in order to develop a better understanding from those people working in the business continuity and resilience industry what the typical rewards are.

Please do complete the short survey (it will only take five minutes) and all respondents will be in with a chance of winning a £100 Amazon gift card (or the equivalent value in another currency).

Serverless computing can make your cloud-based apps much more efficient. Wondering what serverless computing means, what the advantages and drawbacks are and how you can go serverless? Keep reading for a primer on serverless computing solutions.

Before diving into the details, let’s get one thing straight: Serverless computing does not mean computing without servers. In a serverless computing environment, you still host your apps on servers.



A recent survey of 4,000 representatives of businesses in 25 countries found that 16 percent of respondents are not protected from DDoS attacks at all, and 39 percent admit that they're unclear on how best to combat DDoS attacks.

The 2016 Kaspersky Lab Corporate IT Security Risks survey also found that 49 percent of respondents rely on built-in hardware for protection from DDoS attacks, and 40 percent assume that their ISP will provide protection from DDoS attacks.

Twelve percent of respondents believe a small amount of downtime due to a DDoS attack would not cause a major issue for their company.



Yesterday, I noted that AT&T’s 2017 roadmap includes fixed wireless 5G trials. Such trials and early rollouts of 5G likely will lean heavily on fixed wireless, since it’s easier to hit a stationary target. The hard stuff, such as delivering 5G to a device speeding along the highway, can be saved for later.

That doesn’t mean that fixed wireless is not already out in the field and, in some cases, making money and serving real subscribers. The great attractions of the technique are those of wireless in general: No streets need to be dug up. The economics of fixed wireless improve as the coverage area’s footprint becomes less dense.

Today, WirelessWeek reported that U.S. Cellular is moving on non-5G fixed wireless; CEO Kenneth Meyers said at an investor conference that it will continue fixed wireless testing that it began last year with Nokia. A comment from Meyers indicates that the sweet spot for the service may be in rural areas where “the cable footprint stops.”

Despite the fact that both AT&T and U.S. Cellular are in test mode regarding fixed wireless, it’s already a very much proven technology. Starry and Rise Broadband are two good examples.



COLUMBIA, S.C. — In nearly every major disaster, as recovery efforts move into their final stages, rumors and misinformation find their way onto social networks and elsewhere. Hurricane Matthew is no different. Survivors with questions about the recovery in South Carolina should be wary of what they may read or hear. Always ask for clarification from official sources.

Straight answers and plain facts are available from Federal Emergency Management Agency experts on FEMA's Help Line. Call 800 621-3362 (voice, 711, video services) or 800-462-7585 (TTY). Or visit DisasterAssistance.gov.

Here are some common rumors you may have already heard:

RUMOR: If survivors receive FEMA assistance, it could reduce their Social Security benefits.

FACT: Disaster assistance does not count as income. FEMA assistance will not affect Social Security, Medicare or other federal and state benefits.

RUMOR: If you receive money from FEMA you have to pay it back.
FACT: FEMA grants do not have to be repaid.

RUMOR: Receiving a letter from FEMA stating the applicant is not eligible means the person will not get any assistance.
FACT: Receiving such a letter does not necessarily mean an applicant is not eligible for disaster aid, even when the letter states "ineligible" or "incomplete." It can be an indication that further information is needed, or that the applicant's insurance claim needs to be settled before disaster aid can be granted.

RUMOR: If you take FEMA assistance, they take your property.
FACT: FEMA has no authority to take property of any kind from anyone.

Appealing FEMA's Decision

RUMOR: Once FEMA determines that you are not eligible for assistance there is nothing you can do.

FACT: Every homeowner and renter has the right to appeal FEMA's determination decision. The first step in appealing the decision is reading your determination letter carefully. Sometimes FEMA just needs additional information. There may be issues with your application that can be resolved quickly and easily, enabling you to receive assistance.

RUMOR: You cannot get help from FEMA if your determination letter says that you are not eligible because you have insurance.
FACT: If your insurance coverage is insufficient to make essential home repairs, provide a place to stay or replace certain contents, FEMA can reconsider you. But you must provide documents from your insurance company that detail your settlement. Contact your insurance company if you need settlement documents and then provide that information to FEMA.

RUMOR: If you inherited your home and have lived there for years, but do not have the deed, you cannot receive assistance.
FACT: There are other documents besides a deed you can submit to prove home ownership, including mortgage, insurance documents or tax receipts. If you do not have a deed handy, speak to your local officials about obtaining a copy.

How to file an appeal

If you decide to appeal FEMA's decision, your appeal must be in writing and must be received within 60 days of the date on your FEMA determination letter. You may file your appeal documents by fax at 800-827-8112, or by mail to: FEMA National Processing Service Center, P.O. Box 10055, Hyattsville, MD 20782-7055.


RUMOR: People can donate money or items to FEMA to help flood victims.
FACT: Not true. FEMA does not accept donations of any kind. However, many legitimate organizations need donations. In South Carolina, the "One SC Fund" supports and directs funds to nonprofit organizations providing disaster relief and recovery assistance. For more information, visit yourfoundation.org/community-impact/one-sc-fund-sc-flood-relief/.

Survivors who continue to need help recovering from Hurricane Matthew, or who are in need of food or clothing, should call 2-1-1 for assistance.

U.S. Small Business Administration (SBA)

RUMOR: Only businesses can get low-interest disaster loans from SBA.

FACT: SBA low-interest disaster loans are available to homeowners and renters, as well as businesses of all sizes (including landlords) and private nonprofit organizations, for disaster damages not fully covered by insurance or other compensation.

RUMOR: If you complete an SBA loan application, you have to take out a loan.
FACT: You are not obligated to accept a loan if you do not want one. However, if you are referred to SBA for a disaster loan application you should complete and return it. If the SBA is unable to approve a home loan, you may be referred back to FEMA for other needs assistance. You may be eligible for assistance that covers personal property, vehicle repair or replacement, and moving and storage expenses. SBA low-interest disaster loans are available to homeowners and renters, as well as businesses of all sizes (including landlords) and private nonprofit organizations, for disaster damages not fully covered by insurance or other compensation.

Hurricane Matthew survivors should visit fema.gov/disaster/4286 or the South Carolina Emergency Management Division at scemd.org/recovery-section/ia to learn about FEMA assistance and other useful recovery information. You may get information about the recovery from friends, neighbors, family members, or others that is wrong. Help yourself and others by checking it out on the website.


All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). If you have a speech disability or hearing loss and use a TTY, call 800-462-7585 directly; if you use 711 or Video Relay Service (VRS), call 800-621-3362.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow us on Twitter at https://twitter.com/femaregion4 and the FEMA Blog at http://blog.fema.gov.

The SBA is the federal government's primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA's Disaster Assistance Customer Service Center by calling 800-659-2955 or by visiting SBA's website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

Thursday, 05 January 2017 00:00

Standardize your notifications and alerts

Why standardize messages?

By thinking beforehand about how you want messages to appear—each and every time you send one out—you can build a comprehensive set of notification templates that can be used by everyone who needs to create message content.

Building this kind of template is important. Without one in place, the haphazardness of your messages may dull their impact. But with one in use, you’ll give your initiators one less thing to think about in a crisis.

Here are factors to consider when standardizing your messages:



More than one-third of AT&T’s customer-facing network is now virtualized, which means the company can provision services for that portion of the network as simply as downloading them from an app store instead of buying and installing hardware appliances.

That’s according to John Donovan, AT&T’s chief strategy officer and group president, who reported on progress of the telco’s multi-year network virtualization project while speaking at an industry conference in Las Vegas in December, FierceTelecom reports.


“To hit 34 percent of our network functions in software really bodes well for us for 2017 to get the things done that we want to do,” he said.



Thursday, 05 January 2017 00:00

Making the Most of Bare Metal in the Cloud

Virtualization and the cloud were the dominant trends in IT infrastructure over the past decade, and there is no reason to think they won’t support a significant chunk of the enterprise workload going forward. But alternate solutions are starting to take hold as well, including that old stand-by: bare-metal servers.

In many cases, enterprises are pursuing mixed infrastructure solutions in order to maintain the diversity required of increasingly complex application and data loads. Bare metal in the data center, for instance, will likely hold out as long as the enterprise employs traditional productivity apps – which experts agree should be for quite some time. Alternatively, organizations are starting to see the benefits of bare-metal cloud solutions for critical workloads, even as the popularity of shared, virtual resources gains for nearly everything else.



Thursday, 05 January 2017 00:00

FEMA: Resolve to be Ready in 2017

By Nancy Dragani

As 2016 winds down, it is natural to reflect on what we’ve accomplished in the past and where we are headed in the future.  This year reinforced the threat of wildfires in the Great Plains and Rocky Mountains, brought severe storms and flooding to some of our communities and reminded us once again that winter can be a formidable foe.  Yet despite these threats to our communities, one of our strengths as Americans is our ability to face misfortune and challenges, pick ourselves up, dust ourselves off and get back to the business of living our lives.

While natural hazards are by their very nature unpredictable, that doesn’t mean we can’t learn from past experience.  It is how we know to be ready for subzero temperatures and snow storms in January and February, storms and flooding in the spring and summer, and wildfires potentially all year long.

For those living in this part of the country, the values of self-reliance and looking out for your neighbors have been instilled for generations. Today, they also serve as a cornerstone to building a culture of preparedness and readiness that serves all of our communities.  That culture starts in the home and community. At home, simple things such as family fire drills or assembling a home preparedness kit can make your family better prepared for any disaster.  Community events during National Preparedness Month in September brought communities big and small together to highlight actions that make us more resilient.  Next April will bring another National Day of Action to culminate America’s PrepareAthon.  You can learn more about these events and see how you can participate at community.fema.gov.

You can also become more prepared by ensuring that you and your family are aware of the hazards that can impact your home.  Start by checking that smoke, radon and carbon monoxide detectors in your home are functioning properly. Consider purchasing a NOAA weather radio or adding the FEMA app to your smartphone to keep you notified of severe weather in your area. Put together a personal disaster plan, assemble a supply kit and create a family communication plan.  If you are so inclined, join a Community Emergency Response Team or volunteer with an agency of your choosing. For more information on volunteer and training opportunities, contact your local or state emergency management agency.

We can’t prevent every disaster.  But we can be better prepared when disaster strikes.  Now is the time to make sure you and your community are ready.

Nancy Dragani serves as the Acting Administrator for FEMA Region 8, serving the states of Colorado, Montana, North Dakota, South Dakota, Utah and Wyoming.

The Business Continuity Institute



2016 was another busy year for the Business Continuity Institute, beginning with the announcement of our exciting new  partnership with Regus, a partnership that increases the value we offer our members by providing even greater benefits such as improved access to their worldwide facilities.

The first of many research reports to be published throughout the year was our annual Horizon Scan Report, a report that highlighted just how significant the digital threat can be as cyber attacks and data breaches filled the top two spots yet again. It also revealed that physical threats like terrorism are a growing concern, a concern that is unlikely to go away any time soon.

Demonstrating the truly global nature of the Institute, the BCI launched a new Chapter in February when the India Chapter was formed after much hard work by the Forums we already had in India. This brings the total number of Chapters to ten, not to mention over 60 Regional Forums that exist across the world.

With so much discussion being on organizational resilience in recent years, debate has focused on how it relates to the established business continuity management discipline. The BCI therefore decided to release a position statement noting that business continuity provides principles and practices that are an essential contributor for any organization seeking to develop and enhance its resilience capabilities.

During the first half of the year, much of the media was filled with stories about Brexit and the inconceivable possibility that the United Kingdom could vote to leave the European Union. Before the referendum took place, the BCI hosted a discussion forum where experts in the field of economics, human resources, supply chain and crisis management offered their views on the potential implications. An edition of the Working Papers Series was also published on horizon scanning post-Brexit. In the end the vote was in favour of leaving the EU so it will be very interesting to see what the challenges of Brexit will be from a business continuity perspective over the next few years.

In May we hosted our annual awareness week which was themed on return on investment and was designed to demonstrate the value of business continuity, and not just the obvious benefits that business continuity has in the event of a disruption. The report we produced highlighted that effective business continuity can result in savings and efficiencies within an organization, can lead to reduced insurance premiums and can support contract negotiations. In 2017 (15th to 19th May) the theme for Business Continuity Awareness Week is cyber resilience so make sure you get involved and play your part in raising awareness of your industry.

While BCAW demonstrated the return on investment of business continuity, we also used the opportunity to demonstrate the return on investment of business continuity certification when we launched our first ever Salary Benchmarking Report, a report which revealed that those who had achieved one of the world’s leading credentials in business continuity earned more than their non-certified colleagues by up to 30%. As good a reason as any to study for your CBCI!

Partnering with Regus in order to improve the benefits we offer our members wasn’t the only partnership we announced during the year. In July we formed a new partnership with the Disaster Recovery Information Exchange that will improve access to networking opportunities to members across Canada.

Among a number of new research reports we published during the year was our Cyber Resilience Report, a topic that is clearly of great importance to business continuity professionals given the findings of our Horizon Scan Report. This report revealed that two thirds of organizations had experienced at least one cyber security incident during the previous year, and that 15% had experienced at least ten.

Our BCI World Conference in November was another great success with many visitors exploring the exhibition hall while delegates were captivated by Michele Wucker’s grey rhinos, Lewis Dartnell’s experiments and former New York Senator Michael Balboni’s insight into the US Presidential Election, an event that could also pose challenges to organizations over the coming years from a business continuity perspective.

BCI World wasn’t the only conference hosted by the Institute during the year. Following on from the inaugural BCI Middle East Conference in 2015, the BCI hosted a Netherlands and Belgium Conference in May and an Africa Conference in September, not to mention the Australasian Chapter’s hugely successful Australasia Summit.

At BCI World we published our annual Supply Chain Resilience Report, which showed that one in three organizations had experienced cumulative losses of over €1 million during the previous year as a result of supply chain disruptions. We also published our first ever Workplace Recovery Report which revealed a disconnect between business continuity professionals and end users when it comes to workplace recovery. It is a busy time of year for our research department as this was followed soon after by our Emergency Communications Report which demonstrated why it is important to have arrangements in place to communicate with staff, particularly when those staff are geographically dispersed and often in high-risk countries.

In addition to all the research reports published during the year, our research department had been busy with other projects such as the Working Paper Series, which has seen four new editions on digital business continuity, Brexit, pandemic transmission speeds and desktop exercises. The research department has also been supporting the 20/20 Think Tank in its publications with papers on responding to the resilience challenge and the changing resilience landscape.

Throughout the year there has been lots to celebrate with eight award ceremonies taking place in North America, Middle East, Europe, Asia, Africa, Australasia and India before culminating in the final ceremony for the Global Awards held at a Gala Dinner following day one of the BCI World Conference. Congratulations once again to all those who won an award during the year; it was truly a tremendous achievement.

At the end of the year we said farewell to our outgoing Executive Director – Lorraine Darke – who had been at the Institute for 12 years, and in recognition of her achievements at the BCI she was awarded an Honorary Masters degree by Bucks New University. As a result of Lorraine’s departure, we welcomed in our new Executive Director – David Thorp – who joins the BCI from the Security Institute.

We also said farewell to David James-Brown FBCI whose two years as Chairman of the Institute came to an end. Of course it wasn’t a complete farewell as David will still have a very active role within the Institute. James McAlister FBCI became the new Chairman of the Institute, and Tim Janes Hon. FBCI was elected by his fellow members of the Global Membership Council to be the new Vice Chair.

As the above has shown, it was a very busy year for the BCI with plenty going on, but 2017 is destined to be busier still. With a new Executive Director and a new Chairman in place, both keen to make their mark, we can expect even more output from the BCI in order to better serve our members and the entire business continuity and resilience community.

This perspective provides an overview of the Business Continuity Institute’s Professional Practice 6 (PP6) – Validation, which is the professional practice that “confirms that the Business Continuity Management (BCM) program meets the objectives set in the Business Continuity Policy and that the organization’s BCM program is fit for purpose”. Business continuity practitioners should perform validation activities after documenting response and recovery plans for their organizations (for more on planning, read our perspective on PP5 – Implementation).


PP6 addresses three activities specific to the validation of BCM program assumptions. First, PP6 provides guidance regarding the development and execution of an exercise program, which validates the business continuity requirements gathered during the business impact analysis (BIA) and the strategies documented in the organization’s business continuity plans. Second and third, PP6 covers the principles and techniques necessary for performing both program maintenance activities and program reviews to identify improvement opportunities and increase organizational resilience. Let’s take a closer look at each activity.



Wednesday, 04 January 2017 00:00

Digital Insurance Success Demands New Metrics

Digital technologies are transforming the entire value chain of insurance, not only opening up new distribution opportunities, but also altering how insurers can assess, price, and manage risks, and creating new distribution and business models. At Forrester, we have done extensive research over the past year that involved speaking to incumbent insurers and insurance technology providers, as well as leveraging our consumer technographics data for our digital insurance strategy playbook. The playbook provides guidance that digital business strategy professionals need to formulate and hone their digital insurance strategy in the age of the customer.

We have recently published the executive overview, landscape, processes, assessment, and benchmark chapters.

For the performance management chapter specifically, we found that although digital insurance strategy executives depend on measurement to justify digital initiatives, many insurers fail to effectively and meaningfully measure the impact of digital insurance on wider business objectives. For example, while it's important to measure sales driven by individual digital touchpoints such as web and mobile, mobile-only and web-only sales metrics alone fail to demonstrate the value of customers who research insurance online but then buy through an agent, or vice versa. Furthermore, a focus on simple sales metrics ignores the importance of digital touchpoints in providing services that savvy customers value, such as being able to track the status of a claim.



Strategic BCP’s innovative ResilienceONE business continuity management (BCM) software now offers new, pinpointed screens and clean navigation to complement its powerful and flexible functionality. It’s called Version 8.0 and it’s becoming the most simplified user experience in the Business Continuity and Disaster Recovery industry.

Version 8.0 includes:

IMPROVED PLAN DEVELOPMENT: With just one click, users can easily access their tasks, generate consistent plans, and route them through approval workflows—with no setup required. ResilienceONE’s new user interface makes things easy.

NEW DYNAMIC TASK WIZARDS: As tasks are assigned to users, customized planning workflow navigation is automatically created that takes users step-by-step through completing tasks. Administrators can easily customize the workflows with specific instructions that accompany each task.



Wednesday, 04 January 2017 00:00

Data Visualization 101: What, Why, How?

“A picture is worth a thousand words.” This old, English idiom could not ring more true than in today’s fast-paced, digital age – the big data age. At a time when we are creating 2.5 quintillion bytes (or 2.5 million terabytes) of data each day, executives and decision-makers across the globe are looking for ways to turn complex and voluminous data into comprehendible and comprehensive, actionable insights. Enter, data visualization.

What is Data Visualization?

The visualization of data for purposes of analysis is not a new concept. Finding their roots in Descartes’ Cartesian coordinate system, several graphical diagrams such as the line, area and bar chart were invented in the late 18th century by Scottish engineer and political economist, William Playfair. He was also the inventor of the once widely-popular, yet more recently denounced, pie chart.

Data Visualization sits atop the Big Data Analytics pyramid (Figure 1) and is often the only layer that is visible to executives and other decision-makers. Thus, the success or failure of a Big Data analytics program often depends on the success of the visualization layer. A company may have the most advanced data capture, storage, and transformation technology (and use the most complex algorithms and statistical models to analyze that data), but if the information isn’t displayed clearly, accurately and efficiently, the whole point of leveraging Big Data is lost.



Happy New Year to all! We at MHA wish you all a successful and happy year. We have been reviewing what we accomplished last year both personally and professionally and have identified goals for this year.

We’re continuing our efforts to reduce risk and prepare our organizations for potential issues in the new year. To that end, we’re providing a list of business continuity planning resources you may not have used before. You’re probably already familiar with some of these, but you might find it beneficial to review them again as you update strategies, perform risk assessments, or identify where to focus your business continuity program.



The CRM market serving the large enterprise is mature. The market has consolidated in the past five years. For example, Oracle has built its customer experience portfolio primarily by acquisition. SAP, like Oracle, aims to support end-to-end customer experiences and has made acquisitions — notably, Hybris in 2013 — to bolster its capabilities. Salesforce made a series of moves to strengthen the Service Cloud. It used this same tactic to broaden its CRM footprint with the acquisition of Demandware for eCommerce in 2016.

These acquisitions broaden and deepen the footprints of large vendors, but these vendors must spend time integrating acquired products, offering common user experiences as well as common business analyst and administrator tooling — priorities that can conflict with core feature development.

What this means is that these CRM vendors increasingly offer broader and deeper capabilities which bloat their footprint and increase their complexity with features that many users can't leverage. At the same time, new point solution vendors are popping up at an unprecedented rate and are delivering modern interfaces and mobile-first strategies that address specific business problems such as sales performance management, lead to revenue management, and digital customer experience.



Infrastructure throughout the United States is in real trouble.  It is a regular occurrence to read about road collapses, bridge failures and sinkhole openings.  This massive sinkhole outside of Detroit is quite a hole indeed.

Last week residents were awakened about 6 a.m. by the sounds of crackling and cracking that kept getting louder and louder. People woke up and literally saw the ceiling splitting. Think about that for a moment.

The noise turned out to be the beginnings of a massive sinkhole opening up. It is 60 feet deep and has since spread to nearly the length of a football field prompting the evacuation of residents from 22 homes.

This could have just as easily been your business.



As the transition to a new Presidential administration unfolds, uncertainty abounds. Predictions about the regulatory landscape made before November may not ring as true, as Republicans look to make good on promises about smaller government and regulatory reform, particularly in banking and finance. Likewise, the potential repeal of the Affordable Care Act and significant changes to Medicare will make waves in health care regulation. In times characterized by dramatic change and unpredictability, it’s important to refocus on what you know, what you can control and how you can create a more resilient business.

It’s important not to lose perspective: while many federal agencies (and their mandates) will be reshaped by new leadership or directed to change their priorities, state and industry regulations may not shift – or may react in opposition. Enterprise risk profiles and existing threat conditions may not be markedly affected by changes at the federal level. Organized cybercrime syndicates, for example, probably don’t care much about who’s in the White House.

Organizations that have been working to strengthen their cybersecurity stance, manage risk and protect customer data and privacy have no reason to pull back on those efforts; in fact, they should work to optimize their governance, risk and compliance programs as organized defense against threats to their goals and trusted status.



If you believed everything you read, nothing would be correct.  The cloud, we’ve been told, will absorb resources and investment from enterprises, leading to smaller and fewer enterprise data centers.  Indeed, entire businesses will cease to exist as a result of a tremendous force of enterprise absorption, as predicted by former Cisco CEO John Chambers in 2015.

The cloud, we’re told, will rejuvenate enterprises and restore their faith in their ability to own and maintain their own infrastructure.  Indeed, entirely new businesses will bloom and prosper, as predicted by the contributors to the OpenStack Foundation, one of which is Cisco.

So what does the evidence tell us?  Last June, we reported the findings of the latest Uptime Institute survey for 2016.  Fewer respondents said their firms were building new data centers within the previous 12 months — which was fewer than the year before.  This would appear to have disproven a 451 Research report the previous year, which predicted that nine of 10 data center operators planned to build a new facility.



After we ran the list of the most popular stories that appeared on Data Center Knowledge this year, we couldn’t help pondering the reasons those stories resonated with so many people. The most obvious reason that applies to all of them is that they illustrate some of the biggest changes the data center industry is undergoing.

Here are our thoughts on what those changes are and how some of our stories illustrate those macro-level trends.

The Days of Cloud Doubt are Gone

In February, a short blog post by Yuri Izrailevsky, who oversees cloud and platform engineering at Netflix, notified whoever cared that the online movie streaming pioneer had completed its migration from its own (or leased) data centers onto AWS. As it turned out, a lot of people cared. This was hands-down the most widely read story we ran this year.



Wednesday, 04 January 2017 00:00

Cyber Threats and Mass Communications Systems

Disaster Recovery and Business Continuity

A recent Ernst & Young survey of 1,735 C-level executives and IT professionals found 57 percent of them said they consider disaster recovery and business continuity as their top priority but only 39 percent plan to invest in improvement efforts. This is surprising since 42 percent said they do not have an agreed communications strategy or plan in place in the event of a significant cyber attack.

When we think of mass communications and emergency notification systems, we often think of weather-related events, power outages, fires, and other workplace emergencies. We don’t always jump to cyber security. Yet, cyber security is a big deal. It is estimated that cyber attacks cost businesses as much as $400 billion a year, and that cost is expected to reach $2 trillion by 2019.

Most of us have been victims of cyber security through the places we shop and banking systems we use. We all remember Home Depot, Target and more recently, Yahoo all being hacked. I personally received emails from all three of these companies warning me that my personal data may have been compromised.



A new way to get insider information…hack it! The WSJ reported this week that three Chinese hackers (traders) earned more than $4 million in illegal profits after they hacked into the computer systems of prominent U.S. law firms and stole nonpublic information on mergers and acquisitions. These hacks should be a loud wake up call for law firms, which have long been considered vulnerable to cyberattacks.

The traders bought shares of at least five publicly traded companies, including drug and chip makers, before the firms announced the deals, according to an indictment from the Manhattan U.S. attorney’s office. The traders learned about the deals by gaining access to email accounts of law-firm partners working on the transactions. The hackers reportedly took millions of documents from two law firms’ servers between April 2014 and late 2015.

Federal investigators were probing hacks of Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in matters including lawsuits and multibillion-dollar merger negotiations. The traders were arrested in Hong Kong on Sunday, and law-enforcement officials are seeking to have them extradited to the U.S. Manhattan U.S. Attorney Preet Bharara noted that this incident “should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”



Wednesday, 04 January 2017 00:00

Avoid Common Disaster Recovery Plan Pitfalls

Disaster Recovery planning can be painstaking.  There are so many nuanced areas of focus that it is easy to miss key information that could hinder or block restoring systems and data within the time frames required by the organization.  Exercising plans is essential to help illuminate these hidden risks.  Here are some items we frequently find missing even in very mature disaster recovery plans.



Wednesday, 04 January 2017 00:00

Disaster Recovery Trends for 2017

As we begin a new year, many will review where they would like to improve or change. Fitness clubs will be full and we will try to eat better in January. And then the clubs will be back to normal, and I will be eating ice cream and cookies for dessert in February. As we look at our business continuity and disaster recovery programs, what areas need improvement or change? As you consider those areas, there are some trends and items we see for 2017. We hope this list will assist in your program and recovery planning.



The Business Continuity Institute

At the Disaster Recovery Journal Fall World Conference in September 2016, the Business Continuity Institute’s US Chapter and the US 20/20 Group had the opportunity and responsibility to organize and participate in the DRJ Advanced Track, specifically designed for the most seasoned attendees. The 20/20 Group's role in defining the agenda, securing the speakers and overseeing the DRJ Advanced Track underscores their role in providing leadership at the conference.

The session was largely focussed on the changing face of the professional in the business continuity industry. In the context of an ever-increasing focus on resilience and the engagement of multiple disciplines, what is the business continuity professional’s role? Do they take overall ownership for the response, recovery and resumption, coordinating the activities of others? Are they a facilitator, ensuring that the right people take the lead? Or are they simply a participant, bringing their business continuity skills with them, but taking their lead from someone else?

The discussion also looked at the top ten threats that featured in the BCI’s latest Horizon Scan Report and considered what role the business continuity professional may play in the response to each of those threats materialising.

From all this discussion, a new paper was published which suggested three major points that underscore the need to reposition the business continuity professional in the future:

  • Threats are real and expanding, leading to increased business risk.
  • These changes are leading to changes in our profession.
  • Our success will be based on our knowledge of the organization and its business environment, including customers and their expectations.

Patrick Alcantara DBCI, Senior Research Associate at the BCI, commented: “The movement towards resilience offers opportunities to business continuity professionals to upgrade their skills, engage with related management disciplines, and create more impact within the organization. This paper from the BCI US 20/20 Group affirms the contributions made by business continuity professionals and proposes a way forward with building resilient organizations as a goal. I would like to thank the BCI US 20/20 Group, Chaired by John Jackson FBCI, for distilling the latest thinking into a timely piece which contributes to our collective understanding of resilience.”

Download your free copy of The changing face of the business continuity professional today in order to develop your understanding of the future of the profession.

The Business Continuity Institute

Despite the perception that hackers are an organization’s biggest cyber security threat, insiders, including careless or naive employees, are now viewed as an equally important problem, according to new research conducted by Dimensional Research on behalf of Preempt.

The growing security threat from insiders report found that 49% of IT security professionals surveyed were more concerned about internal threats than external threats, with the majority (87%) most concerned about naive individuals or employees who bend the rules to get their job done. Only 13% were more concerned about malicious insiders who intend to do harm.

Malware unintentionally installed by employees ranked as the top internal security concern with 73% of respondents claiming they were worried about it, ahead of stolen or compromised credentials (66%), snatched data (65%) and abuse of admin privileges (63%).

“Internal threats are emerging as equally as important as external threats, according to respondents. This means that an employee cutting corners to get their job done more efficiently is viewed as potentially just as dangerous as a malicious external hacker,” said Diane Hagglund, founder and principal of Dimensional Research. “Yet these views aren’t reflected in the allocation of security budgets, which is traditionally focused on perimeter security.”

In addition to concerns about insider threats, the report also analysed cyber security training and end user engagement programmes. While nearly all of the organizations surveyed (95%) provide end user security training, very few (10%) believe the training is very effective.

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity Institute's latest Horizon Scan Report. It is perhaps for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organization's overall resilience by improving cyber resilience, and recognising that people are key to achieving this.

“Intentional or not, insider threats are real,” says Ajit Sancheti, co-founder and CEO of Preempt. “From Snowden to the FDIC, headlines continue to emerge and we need to take a new approach to get ahead of insider threats. Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices rely on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.”

The Business Continuity Institute

We have recently been informed that Yahoo! has been hacked and has possibly lost up to 1 billion customer records. They have admitted that the information was lost in August 2013, but they are only informing their customers now. The impact and fallout of this incident is just starting. What can the business continuity manager do to stop this happening within their organization and secondly, how can we prepare for a similar event?

Yahoo! is on the slide; once synonymous with the internet and email, it is a shadow of its former self. For me they are a bit like a virus, using underhand tactics to infect your computer with their search engine. Only in certain circumstances do I get a Yahoo! to search for me and I can’t work out how to stop this happening. When you have to use these tactics to get in front of your potential customers, it does not show a company that is at ease with its brand and marketing.

The company is shrinking as they are losing customers through information security breaches. This cycle repeats itself with every breach and draws increasing attention to their non-vigilance in this highly sensitive area. There has been some talk in the papers about whether parts of the organization knew about the data loss but were reluctant to pass the information up to senior managers. When you have this type of culture going on within your organization, it is a struggle to manage an incident successfully. We all know that it’s not the initial incident that gets you, but the cover up.

So, what can the business continuity manager do? I think the first piece of advice I would give them, is if your organization is dysfunctional, on the slide, and does not take crisis management, resilience or business continuity seriously, your best option is to find yourself a new job! If you are knowledgeable and ambitious there are plenty of companies out there who would like to make use of your skills.

I have said time after time in my bulletins that one of the roles of the business continuity manager is to horizon scan and be aware of new threats which are not being sufficiently addressed. Senior managers may decide not to do anything to address the threat which is their prerogative, but yours is just to make them aware, qualify the impact and suggest appropriate mitigation measures.

With cyber events being in the news every week it is hard for any CEO to have missed the threat. What they may not know is their organization’s level of preparation and possible impacts. As the business continuity manager, you could suggest an independent audit against ISO 27001 perhaps, to determine your level of vulnerability.

Where I think you can add value is making sure your organization is prepared to respond to a cyber incident. Do you have a plan in place and has that plan been exercised? The techie guys, perhaps with outside help, will sort out the technical side of the response but the senior managers need to respond to the potential reputational damage an incident can cause. Possible scenarios can be played out in advance of difficult questions so those in the crisis team understand the implications of their actions. These could include whether to cut off connection to the outside world or pay a ransom.

The last area the business continuity manager can help in is ensuring appropriate responses are in place. Does the company have a contractor on standby or cyber insurance to ensure that experts can assist your own IT staff in responding to a hack? Do you have pre-formatted communications which you can send out to customers or staff, informing them of what they can do to protect themselves if their data is lost by your company?

Most business continuity managers are not experts in the technical aspects of a cyber response but we should be able to ensure that our organization is ready to manage a cyber-attack if it was to happen.

Charlie Maclean-Bristol is a Fellow of the Business Continuity Institute, Director at PlanB Consulting and Director of Training at Business Continuity Training.

Communication is key to managing any kind of crisis, and a cyber event is no exception. As in so many business cases, an automated emergency notification system (EMNS) can ensure that the right message is delivered to the right people at the right time. A notification system should not be seen as an afterthought, but an integral piece of any comprehensive cybersecurity program.

As you work through a cyber event, communication is happening rapidly, both internally and externally. As we’ve mentioned in the past, notification of every person touched by a cyber event is often legally mandated and can be very specific. When choosing an automated system, look for one that allows you to fulfill your legal communication obligations and to track and report all messages and responses.

As well as all your internal communications, your communication to outside counsel, forensics, other security experts and law enforcement should be fully integrated. After the event some industry agencies or regulatory bodies (and likely your cyber-security insurance provider) may require copies of the post-incident report—a good system will have those reports at your fingertips for you.



A new report demonstrates that the United States is still struggling with public health emergency preparedness. The report found that the nation is often caught off guard when a new threat arises, such as Zika or the Ebola outbreak or bioterrorist threat, which then requires diverting attention and resources away from other priorities. In Ready or Not? Protecting the Public from Diseases, Disasters and Bioterrorism, the report identifies ten key indicators of public health preparedness.

  • 26 states and Washington, D.C. scored a six or lower on 10 key indicators of public health preparedness.
  • In the report, Alaska and Idaho scored lowest at 3 out of 10, and Massachusetts scored the highest at 10 out of 10, with North Carolina and Washington State scoring 9’s.



Thursday, 22 December 2016 00:00

Emergency Alert Systems Both Then and Now

The Government’s Take on Alerts

I was surprised to learn that the federal Emergency Alert System (EAS) was only used at the local level until November 9, 2011 at 2 pm eastern. This date marked the first time FEMA ever tested the EAS nationwide. All of the television and radio test sirens you have ever heard were initiated by your local authorities.

The EAS was actually put in place in 1997 to replace the Emergency Broadcast System (EBS). Both were designed to give the President clear, uninterrupted access to thousands of television stations and broadcast radio stations across the U.S. and U.S. territories in the event of a national emergency. In essence, it ensures the President can address the nation quickly with real-time information. According to FEMA, “The EAS test plays a key role in ensuring our nation is prepared for all hazards and people within its borders are able to receive critical and vital information, should it ever be needed.”



Wednesday, 21 December 2016 00:00

Is Our Risk Management Mature?

Whenever there is a discussion about improving risk management, the subject of risk management maturity is often raised. The presumption is that the more mature a process is, the more effective it is. This article explores what that really means in the risk management realm.

Effective enterprise risk management (ERM) enables timely responses to the risks that matter. There are six elements of risk management infrastructure: (1) policies, (2) processes, (3) people and organization, (4) reports, (5) methodologies and assumptions and (6) systems and data. An effective risk response considers all of these elements. Once the six elements are in place for a given risk (or for a group of related risks), they pave the way for advancing the maturity of risk management.



Wednesday, 21 December 2016 00:00

How Cloudy is the Data Center’s Future?

Those of us who have been active in the IT industry for a while will recall when, in the early 1990s, a respected pundit opined that the last mainframe would be unplugged by the end of the first quarter of 1996.

The last time I looked – 20 years after that supposed termination – the great unplugging hasn’t yet come to pass.

Despite similar predictions of its impending supersession by cloud computing, the on-premise data center continues to show similar durability.

At first blush, the persistence of the data center seems something of a conundrum, given the enticements of lower capital expenses and fast, flexible, on-demand access to IT capacity that the cloud delivers.



During a crisis is the worst time to find out that there are flaws in the communications portion of your disaster recovery/business continuity plan.

You’ve done everything right. You have an emergency notification provider that you will use to send out a message and ensure delivery to your recipients. And, of course, your employee contact information is all uploaded into the system. That’s great. But, have you really done everything?

We’ve seen the scenarios before.



We are happy to share with you the results of our 2016 survey on the state of incident management we conducted among 152 IT professionals. It measures how often significant outages occur, how quickly their organizations can respond, and how much IT downtime costs their organizations.

It’s an eye opener to see that while companies have implemented service management for the most part (more than 90% of companies reporting that they have an IT Service Management system (ITSM)), only 11% of companies stated that they have automated the process for organizing their response to IT outages and incidents.

This finding is significant because 47% of the companies reported having a major IT incident at least 6 times a year, the average cost of downtime is $8,662 per minute, and companies take 27 minutes on average to assemble an IT response team.



The Business Continuity Institute

Information security practitioners almost universally agree that human behaviour is their largest security threat, with 97% of security executives surveyed agreeing it was their organization's greatest vulnerability. This is according to a study by global technology company Nuix.

To counter the threat posed by human behaviour however, businesses are becoming less likely to use fear to convey important security ideas. Only 24% of this year’s respondents tried to scare people into improving security, compared to 39% last year. Instead, security leaders are using policies, awareness, and training to help people become part of the solution.

The Defending Data Report 2016 noted that while businesses were investing to develop broad and mature cyber security capabilities, many survey respondents were uncertain about the most effective technologies and capabilities to focus on. Nearly four in five respondents (79%) said they had increased spending on data breach detection in the past year, while 72% said they planned to do so next year. However, a majority of respondents (52%) said preventing data breaches was their top spending priority, while 42% said detection was their primary focus.

Cyber security is also a significant concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity Institute's latest Horizon Scan Report. It is perhaps for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017 with the intention of improving an organization's overall resilience by improving cyber resilience, and recognising that people are key to achieving this.

“Where this breaks down is that a large proportion of people, even after they’ve had security awareness training, will still put their organizations at risk by opening malicious attachments and visiting suspect websites,” said Dr Jim Kent, Global Head of Security and Intelligence at Nuix. “While the policies and training are crucial, we need to get better at ‘idiot-proofing’ our technology so that even if people do the wrong thing, the malware doesn’t run or doesn’t achieve its goals.”

The Asia-Pacific data center market is extremely diverse, and regional and country-level differentiation is one of its defining characteristics. Today, as more and more American and European data center and cloud providers and their customers are looking east, it is important to be aware of several nuances that define the competitive landscape and put the various outlooks for specific markets into context.

First, let’s identify the region’s sub-markets. Singapore, Australia, Hong Kong and Japan are properly considered mature markets, and this distinguishes them from other Asia-Pacific markets that are still emerging. It is also interesting that Singapore and Hong Kong are really just single-city markets, while Australia and Japan are each home to multiple markets of meaningful sizes. The area can also be thought of in terms of sub-regions. There is Southeast Asia, ANZ (Australia and New Zealand), South Asia, and East Asia, while China, Japan, and Korea all exhibit characteristics that make them perhaps best understood as standalone markets.



Tuesday, 20 December 2016 00:00

CDC: Looking Back: 5 Big Lessons from 2016

Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

CDC is always there – before, during, and after emergencies – and 2016 was no exception. Through it all, we’ve brought you the best and latest science-based information on being prepared and staying safe. Here’s a look back at 5 big lessons from a very eventful year. Follow the links to discover the full stories!

1. Expect the unexpected

Emergencies can devastate a single area, as we saw with Hurricane Matthew, or span the globe, like Zika virus. This year has shown us, once again, that we can’t predict the next disaster.

Zika virus was one of the top public health stories of 2016, and will continue to make headlines in 2017. CDC has worked hard since the start of the outbreak to make sure that people know how Zika is spread and how to protect themselves and their neighbors from the virus, including how to control mosquitos inside and outside the home.

This year, our Strategic National Stockpile was called on to locate and purchase the products to assemble ~25,000 Zika Prevention Kits for pregnant women in the U.S. territories. CDC also issued 180 Zika virus import permits so scientists could conduct research to develop better diagnostic tests, vaccine, and medicines. In any developing crisis, our mission is always to “conduct critical science to inform and communicate health information that protects our nation” against public health threats.

2. A health threat anywhere is a threat everywhere

Diseases like SARS and Ebola – and now Zika – compel us to focus on stopping outbreaks early and close to the source. As part of the Global Health Security Agenda, teams of international experts travel to countries, including the U.S., to report on how well their public health systems are working to prevent, detect, and respond to outbreaks. This assessment process is called the Joint External Evaluation.

In 2016, we worked at home and around the world to use the law to prepare for global health emergencies, train leaders from 25 countries in public health emergency management, and protect the health of those affected by humanitarian crises.

3. Kids and communities matter

There’s a saying in emergency management that goes something like, “emergencies begin and end locally.” Truer words were never spoken. The minutes, hours, and days immediately following a disaster are the most critical for saving lives, and local communities are our first responders. Every community needs to be resilient and prepared to handle the unexpected.

Prepared communities look like the Georgia Department of Public Health, which conducted a statewide exercise to practice their response to a bioterrorist attack of plague, and New York City, which used lessons learned from West Nile virus to prepare for Zika.

Children are a particularly vulnerable part of our communities, and they have different needs than adults. Children need to be included and involved in planning and preparing for emergencies.

Fred the Preparedness Dog sets a great example by visiting schools across Kansas to teach kids to get a kit, make a plan, and be informed. Parents should also take steps to prepare themselves and their child in case they get separated during or after an emergency.

4. Words save lives

In an emergency, the right message at the right time from the right person can save lives. When a crisis hits, communicators need to quickly and clearly inform people about health and safety threats. Communication is especially critical when disaster strikes suddenly and people need to take action right away, as in a flood or hurricane, or when we may not yet have all the answers, as happened with Zika virus.

To make sure people know what to do to protect their health, our trained communicators learn how to put themselves in others’ shoes: Who are the people receiving the message, what do they need to know, and how do they get information? We apply the principles of Crisis and Emergency Risk Communication in every emergency response.

5. Preparedness starts with you


Get a flu shot. Wash your hands. Make a kit. Be careful in winter weather. Prepare for your holidays. Be aware of natural disasters or circulating illnesses that may affect you or those you care about.

There are many ways to prepare, and in 2016 we provided the latest science and information to empower every one of us to take action. Whether we talked about how to clean mold from a flooded home, how to wash your hands the right way, or how to use your brain in emergencies, our timely tips and advice put the power of preparedness in your hands. What you do with it is up to you. Our hope is that you’ll resolve to be better prepared in 2017.

Posted on December 19, 2016 by Dr. Stephen Redd, Director, Office of Public Health Preparedness and Response

Tuesday, 20 December 2016 00:00

Take Three Actions to Fight Flu

Influenza (flu) is a contagious disease that can be serious. Every year, millions of people get sick, hundreds of thousands are hospitalized, and thousands to tens of thousands of people die from flu. CDC urges you to take the following actions to protect yourself and others and fight flu!



Tuesday, 20 December 2016 00:00

How Smartphones Can Save Lives

A Lifeline for Remote Workers

When we think of a company’s workforce, we often envision an office building full of cubicles or a factory of workers. Today’s workforce, however, is often dispersed across multiple locations, driving a fleet of trucks, or traveling much of their workday. This mobility can create challenges with communication, particularly when there is an accident, an emergency, or an urgent event.

The United States isn’t the only country struggling to keep up with the rapidly changing workforce ecosystem. The United Kingdom is facing similar issues. Lone worker safety is a serious consideration. In 2015/2016, the country reported 43 fatal injuries to construction workers. A recent UK article highlights the concern of construction organizations with ensuring the health and safety of lone workers. “While prevention is the ultimate goal, there must also be tools in place to provide rapid help when accidents occur. This means providing a means of consistent, reliable communication with management, team members, and emergency services.”



The Business Continuity Institute


For those who celebrate Christmas it can be a season of joy, happiness and goodwill to all, a season of festivities and living slightly to excess, but as the popular Band Aid song reminds us:

There’s a world outside our window
And it’s a world of dread and fear

For many people across the world, the devastation that 2016 has brought means that there will be no Christmas celebration this year. There won't be any celebrations. Their world has been turned upside down through no fault of their own, and their only thoughts now are on survival.

Haiti is one such place, a place that over the years has had more than its fair share of natural disasters, and earlier this year suffered the ravages of Hurricane Matthew. Back in October the Category 4 storm made landfall with wind speeds of up to 145 miles per hour, bringing with it torrential rain of up to 40 inches in some places.

It doesn't matter where in the world you are, or whether you're in a developed or developing country, the threat of natural disasters is everywhere. Italy and Tanzania are two other countries that experienced the sheer power of nature when earthquakes caused mass devastation and severe disruption.

It has been a long time since the Business Continuity Institute last sent out Christmas Cards; instead we prefer to use the money to support organizations that are in need. This year we have split the fund three-ways with a third each going to projects supporting the relief efforts in Haiti, Italy, and Tanzania.

The donations to these projects will be made through Global Giving, the first and largest global crowdfunding community that connects non-profits, donors, and companies in nearly every country around the world. Through Global Giving, it is possible for non-profits from Afghanistan to Zimbabwe to access the tools, training, and support they need to be more effective and make our world a better place.

So as you enjoy all the festivities that this time of year brings, remember to be thankful for everything you have, and spare a thought for those less fortunate.

The BCI wishes all our Chapter Leaders, Forum Leaders, the BCI Board, Global Membership Council and fellow business continuity and resilience professionals around the world, Seasons' Greetings and a healthy 2017.

Note that the BCI Central Office will be closed on the 26th and 27th December and the 2nd January 2017, re-opening on Tuesday 3rd January 2017. On the 28th, 29th and 30th December, the office will be staffed between 10am and 3pm only (GMT).

Monday, 19 December 2016 00:00

Enhancing Board Oversight of Cyber Risk

Following a presidential campaign dominated by talk of hacked email and unsecured servers, businesses are emphatically reminded of the potential cybersecurity danger no matter the business or industry.  Threats come from all directions.  Criminals and foreign hackers have grabbed headlines with personal financial data thefts from Target and Home Depot.  Yet a 2016 IBM-sponsored study concluded that 60 percent of all attacks come from internal sources, with the majority carried out with malicious intent and a quarter of the breaches resulting from error.  Compounding the problem, the damages caused by cyber breaches are skyrocketing: the average cost of a data breach is more than $4 million and growing annually, according to the IBM study.

As the risk grows, the board of directors role in identifying and managing the risk becomes more imperative.  The obligation to protect the business is the same as with other business risks, but in this case is overlaid with the obligation to ensure the business’s legal compliance.  The intersection highlights the opportunity – cybersecurity risk cuts across a business and requires oversight from a similarly multifaceted perspective.  The National Association of Corporate Directors’ Cyber Risk Oversight Handbook, published in 2014, identifies “enterprise-wide risk management” as an indispensable component of cybersecurity.  Boards must echo this viewpoint with a specific focus on the cyber risk management program.



I have a hunch that your to-do list is growing by the hour as we head into 2017, and I have an even stronger hunch that reviewing and updating the employee handbook hasn’t made it to the list. As much as I hate to say it, you’d be well-advised to add it.

I drew that conclusion after a recent interview with Rob Wilson, president of Employco USA, a human resources outsourcing firm in Westmont, Illinois. Wilson makes a compelling argument around the importance of the executive team — including the CIO — taking the time to ensure that the employee handbook is everything it needs to be. Wilson highlighted the areas that IT execs need to focus on as they carry out this exercise:

For the CIOs, one of the bigger areas for them would be electronic use — what your policy is on social media usage, as well as computer technology usage in the workplace. All of that has to be spelled out: Is it okay for people to be streaming movies at their desks? What’s your cell phone usage policy? Are they company phones or are they individual phones, and what’s the protocol for usage of each? In some companies, people use their own cell phones, and in other cases, you’re supplying them. There is a big difference between the two, and how you use them, and what the rules should be.



The Business Continuity Institute

The Business Continuity Institute's Good Practice Guidelines emphasize the importance of validating business continuity plans through exercising, maintenance and review. In fact, such is its importance that the entire theme of Business Continuity Awareness Week 2014 was based on testing and exercising. Exercising confirms whether a plan is fit for purpose, and it's far better to find out that it isn’t fit for purpose during an exercise rather than a live incident.

In the latest edition of the BCI's Working Paper Series, Luke Bird MBCI focuses on improving desktop exercises, and poses numerous challenges to business continuity practitioners, suggesting concrete, actionable recommendations to enable organizations to obtain more value out of these exercises. His paper contributes to practice as it focuses on the delivery of desktop exercises, enabling fellow practitioners to consider their own arrangements and introduce improvements.

In the paper, Luke notes that for many organizations, it could be argued that there is an unhealthy focus on the event itself and less so on the required planning, metrics and outputs. This begs the question: are we actually clear on how to get the most value out of these events? The paper explores some of the associated challenges with delivering the desktop exercise, including the absence of sector-specific methodology, data capture techniques, participation issues and exploring the culture of fear.

The paper concludes that there is certainly some scope for improvement in how to deliver a desktop exercise. Unfortunately, professionals in the industry are very limited with the available guidance because it is either cross-sector (too generic), niche (too specific) or not widely shared. There is also little in the way of available literature which helps to describe what ‘good’ is. As such, how can the exercise be truly benchmarked to assess improvement over time?

Download your free copy of 'The desktop exercise - a wasted opportunity?' to understand more about desktop exercises and the role they play in the validation phase of your business continuity programme.

It’s always an editorial dilemma – Do we start with the event with the biggest business continuity impact? The event that was the most unbelievable? For 2016, we have some difficult choices, including the massive cyberattack of the toasters, the most powerful man in the world (soon) trying to carve up the Internet, and a smartphone threatening the health of a national economy.

As you’ve probably already noticed, the common factor is technology. 2016 was rather quieter on the natural disaster front, but let’s go through the things that caught our attention over the last 11 or 12 months.



Friday, 16 December 2016 00:00

Yahoo Breach Redux

You’ve probably heard this already, but the Yahoo breach is back in the news, and not in a good way. The original breach involved 500 million users. Now comes news of a separate breach that involved more than a billion accounts. This breach happened in August 2013. Let that sink in a moment. If you have an account with Yahoo servers, your information has likely been floating out there for more than three years without you knowing.

And there’s more, eSecurity Planet reported:

"Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password," the company stated. "Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies."



You’ve followed all the necessary steps to complete your cyber-response plan, and the call comes in that a breach has occurred … what do you do? It’s showtime!


Your security operation team will move into action as soon as an event is detected.


When an event is detected, it must always be recorded. Events do not always lead to incidents, and incidents do not always lead to breaches, but all breaches start with an event. Use your human intelligence; report who saw what, and when. The type of event will determine who is needed to take action and what action to take; this could range from a quick review to a much longer investigation.



This series is dedicated to providing direction for applying Project Management principles to starting a Business Continuity or Disaster Recovery (BC/DR) Program. This is the first installment of a multi-part series. In this installment we will focus on the Project Initiation phase. Subsequent segments will be aimed at additional phases of starting a BC/DR Program, on improving an existing BC/DR Program, and on elevating a mature program to a new level of efficiency and effectiveness.

Starting a Business Continuity Program

Launching a BC/DR Program requires its own plan. This is not a plan as in a recovery or response plan, but a plan in the sense of a project plan. Starting a BC/DR Program is no different than starting any project, and success essentially hinges on your project management skills. You may want to reach out to the Project Management Office (PMO) if you are fortunate enough to be part of an organization that has one. The PMO may be able to provide an experienced project manager who can assist by applying current project management theory and techniques to the initiative. If your organization does not have a PMO, or a resource is not available, then gaining a basic understanding of project management is the starting point.

There are many available information sources for project management principles.  The Project Management Institute (PMI) http://www.pmi.org/ is the leading authority in the field.  The PMI offers training and certification and most community colleges and universities offer courses in project management.



Thursday, 15 December 2016 00:00

Natural Catastrophe Losses Increase in 2016

Total global insured losses from natural catastrophes and man-made disasters rose to at least $49 billion in 2016, 32 percent higher than the $37 billion recorded in 2015.

Preliminary estimates from Swiss Re sigma put insured losses from natural catastrophe events at $42 billion in 2016, up from $28 billion in 2015, but slightly below the annual average of the previous 10 years ($46 billion).

Man-made disasters triggered an additional $7 billion in insurance claims in 2016, down from $9 billion the previous year.



Thursday, 15 December 2016 00:00

Travelling at the Speed of IT Security

Einstein, move over. There is a new universal constant now, one that governs all IT-driven activity, which by now is almost everything that goes on in the known world.

Forget about light and photons. We’re talking about the concept that no data travels faster than the speed of IT security.

Or perhaps that IT security can be made to keep up with the ever-increasing speed of information, which would certainly give it the drop on light. So, what is this new metaphysical marvel and how does it work?

The big change in IT security currently is the move from a boundary-oriented model to a boundary-less model.

Data no longer resides obediently within the corporate perimeter. Today, it’s out there in the cloud, on employees’ mobile devices, and travelling the worldwide web.



BATON ROUGE, La. – Natural beauty, history and culture don’t immediately come to mind when people think of FEMA, but the agency’s disaster recovery efforts may affect natural and cultural resources.

Following August’s unprecedented flooding in Louisiana, FEMA’s Office of Environmental Planning and Historic Preservation has been working to ensure the state’s rich natural and cultural resources are taken into consideration as it recovers. EHP routinely evaluates impacts to historic structures, archaeological resources, wetlands, floodplains, threatened or endangered species, and air/water quality.

FEMA EHP provides the technical expertise to ensure legal compliance and informed decision making for the agency and the local community undergoing recovery. Compliance with laws and regulations ensures recovery efforts that affect resources are understood and avoided, minimized, or mitigated where possible. Several laws that EHP routinely complies with include the National Environmental Policy Act, the National Historic Preservation Act, the Endangered Species Act, and the Clean Water Act. In carrying out their duties, EHP collaborates with resource agencies such as the Louisiana Division of Historic Preservation, the U.S. Fish and Wildlife Service, and the U.S. Army Corps of Engineers Regulatory Division.

For more information about FEMA’s work, visit FEMA online at www.fema.gov, www.facebook.com/fema, www.twitter.com/fema and www.youtube.com/fema.

Put yourself in your employee’s shoes for a moment. You wake up in the morning to snow that has been steadily falling for the past few hours. You check Facebook and see that your friends are complaining about icy roads and walkways. The Weather Channel says several more inches are anticipated throughout the day. You are supposed to report to work at eight, but have no idea whether or not the office is open. You have no messages on your phone, and your calls to the office go to voicemail. What do you do?

This is a very real situation experienced by many employees, often with less-than-desirable outcomes for employees and businesses alike. In best case scenarios, employees safely report to work; the office is open; and the day proceeds as normal—albeit with icy return trips looming ahead.

Other scenarios, however, are not so simple. In some cases, employees may stay home because they assume the office is closed and end up missing a scheduled shift or important meeting. In others, employees may report to work only to encounter the frustration of a closed office upon arrival. And in worst cases, employees attempt to report to work, but end up getting into accidents on the way in.



Wednesday, 14 December 2016 00:00

Risk Limitation – Real World Examples

In recent blogs we have discussed various aspects of risk mitigation, including risk acceptance, risk avoidance, risk limitation, and risk transference. This week’s blog will focus primarily on the area of risk limitation, the most common risk management strategy used by businesses.

You will recall that risk mitigation is defined as taking steps to reduce adverse effects. We have previously discussed the concepts of risk acceptance, risk avoidance, and risk transference.

Risk acceptance (a conscious decision to take no action to limit the risk) is the opposite of risk avoidance (the decision to take action that is intended to avoid any exposure to the risk). Risk avoidance is usually the most expensive of all risk mitigation options, while risk acceptance is typically chosen because the cost of other risk management options may outweigh the cost of the risk itself. Risk transference acknowledges the risk, but involves handing off that risk to a willing third party.



TALLAHASSEE – Although the registration deadline for Hurricane Matthew ends on December 16, 2016, survivors are reminded that FEMA and the U.S. Small Business Administration (SBA) will still be available to answer questions and provide assistance to applicants with unmet needs or needs not met by insurance settlements.

While not everyone who applies for federal disaster assistance will qualify for aid, the appeals process will make sure you receive every bit of the federal disaster aid for which you are legally eligible.

An applicant has 60 days from the date on FEMA’s determination letter to file an appeal. The determination letter describes the amount and type of assistance being offered.

A determination letter may state the application is missing information such as verification of occupancy of the damaged property, documentation of disaster damage, proof of identity or what is covered under an insurance policy.

If addresses or phone numbers change they should be updated with FEMA as soon as possible. Missing or erroneous information could result in delays in getting a home inspection or receiving assistance.

If you disagree with FEMA’s decision or have questions about the appeals process call the FEMA helpline at 800-621-3362 (voice/711/VRS-Video Relay Service) (TTY: 800-462-7585). Multilingual operators are available (press 2 for Spanish). The toll-free lines are open 7 a.m. to 11 p.m. seven days a week until further notice.

More information on the FEMA appeals process can be found in the FEMA booklet, “Help after a Disaster: Applicant’s Guide to the Individuals & Households Program.” This free booklet is available in numerous languages for download at fema.gov/help-after-disaster.

The SBA is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property, offering low-interest disaster assistance loans to businesses of all sizes, private nonprofit organizations, homeowners and renters.

FEMA Other Needs Assistance (ONA) grants may cover uninsured losses for furniture, appliances and other personal property, even vehicles. Survivors may not be considered for this type of assistance unless they have completed and returned an SBA loan application. Some types of ONA — medical, dental and funeral expenses — are not SBA dependent, and completing the loan application is not required.

Volunteer, faith- and community-based organizations may also be available to fill gaps in recovery. FEMA encourages you to contact these groups as they may provide essential long-term recovery resources through disaster recovery.

For more information on Florida’s disaster recovery, visit fema.gov/disaster/4283, twitter.com/femaregion4, facebook.com/FEMA, and fema.gov/blog, floridadisaster.org or #FLRecovers. For imagery, video, graphics and releases, see www.fema.gov/Hurricane-Matthew.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 (voice, 711/VRS - Video Relay Service) (TTY: 800-462-7585). Multilingual operators are available (press 2 for Spanish).

The SBA is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Disaster Assistance Customer Service Center by calling 800-659-2955 or visiting SBA’s website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

Over the years, business continuity and disaster recovery have become much-needed strategies for businesses of all kinds. More and more businesses are realizing the positive contributions these strategies make to their business and revenue. Statistics prove that business continuity and disaster recovery are necessary in today’s ever-growing world of technology.



Wednesday, 14 December 2016 00:00

BCI: Communicating in a crisis

The Business Continuity Institute

In our globally connected world, most organizations have staff that travel overseas, making it more important than ever for those organizations to have an effective emergency communications plan in place in order to contact geographically dispersed staff during a crisis. This is especially important given that the latest Emergency Communication Report, published by the Business Continuity Institute, revealed that one out of three organizations (32 percent) report their employees travel to ‘high risk’ countries.

The Emergency Communications Report, supported by Everbridge, a global software company that provides critical communications and enterprise safety applications, did however deliver the encouraging news that most organizations (84 percent) do have some form of plan in place, although it did highlight that for those that don’t, two thirds (64 percent) felt that only a business-affecting event would incentivise them to develop one – most people would consider this too late.

With increasing physical security challenges experienced by organizations due to rising levels of concern surrounding workplace violence and acts of terrorism, as identified in the BCI’s latest Horizon Scan Report, being able to communicate effectively with staff may have the added advantage of increasing safety.

Further findings from the report include:

  • One third of organizations (32 percent) report that at least 100 employees travel internationally
  • The top reasons for triggering emergency communications are: unplanned IT and telecommunications outages (42 percent), power outages (40 percent), adverse weather (39 percent), facilities management incidents (23 percent), cyber security incidents (22 percent), and natural disasters (22 percent)
  • The top processes used for emergency communications are: internal emails (79 percent), text messaging (70 percent), manual call trees (56 percent), emergency communication software (50 percent), and website announcements (46 percent)
  • More than half of organizations (55 percent) use 3 or more emergency communications processes
  • Around 3 out of 10 organizations (29 percent) do not have training and education programmes
  • Around 7 out of 10 organizations (69 percent) stated that their emergency communications plan had been activated during the last year, other than during an exercise
  • A tenth of organizations (10 percent) take more than 60 minutes to activate their emergency communications plan
  • More than 6 out of 10 organizations (62 percent) are not confident about their preparedness for a location-specific security incident (e.g. workplace violence, act of terrorism)
  • More than a tenth of organizations (11 percent) do not feel they have top management support when it comes to developing emergency communications plans

Patrick Alcantara DBCI, Senior Research Associate at the BCI and author of the report, commented: “A robust emergency communications capability is a crucial, often life-saving, component of incident response. This becomes more important considering ever changing threats which often impact on the physical safety and well-being of employees and customers. This timely study affirms how organizations strive to improve their emergency communications capability, as well as look at opportunities to ensure reliable messaging and response.”

Imad Mouline, Chief Technology Officer at Everbridge, commented: “This year’s findings indicate that global businesses are increasingly aware that true resiliency is a company-wide initiative that involves taking accountability for the safety of all staff—whether they are located in the office, at home or on the road. While it’s not surprising to see shared interest in emergency communications across business continuity, IT, security, facilities and other disciplines, it’s clear that organizations are still seeking solutions to optimize their response plans for a mobile workforce, and for the growing frequency and complexity of critical events and security incidents.”

Training, education and exercising are good ways to improve emergency communications plans, yet many organizations still have gaps in their training and education programmes related to emergency communications plans which serve as a barrier to embedding this capability. There are also gaps in exercising these plans.

The human element of emergency communications has a significant role in its success. Lack of understanding from recipients is the top reason in failing to deliver effective emergency communications. There is a need for organizations to plan their messages and deliver these in a concise and sustained way in order to raise response levels and direct recipients to perform required actions that may save lives during an incident.

If you would like to find out more about the 2016 Emergency Communications Report, or if you have any questions, then register for our webinar on the 17th January at 1430 GMT, when Patrick Alcantara (The BCI) and Owen Miles (Everbridge) will be discussing it in more detail. Click here to register.

The Business Continuity Institute

Organizations recognising the need for an emergency communications plan in order to initiate secure and reliable communications to geographically dispersed staff during a crisis

CAVERSHAM, UK –  In our globally connected world, most organizations have staff that travel overseas, making it more important than ever for those organizations to have an effective emergency communications plan in place in order to contact geographically dispersed staff during a crisis. This is especially important given that the latest Emergency Communication Report, published by the Business Continuity Institute, revealed that one out of three organizations (32 percent) report their employees travel to ‘high risk’ countries.



  • Download a full copy of the report by clicking here.
  • Note to the online survey: This report features 661 responses from 71 countries.

About the Business Continuity Institute

Founded in 1994 with the aim of promoting a more resilient world, the Business Continuity Institute (BCI) has established itself as the world’s leading Institute for business continuity and resilience. The BCI has become the membership and certifying organization of choice for business continuity and resilience professionals globally with over 8,000 members in more than 100 countries, working in an estimated 3,000 organizations in the private, public and third sectors.

The vast experience of the Institute’s broad membership and partner network is built into its world class education, continuing professional development and networking activities. Every year, more than 1,500 people choose BCI training, with options ranging from short awareness raising tools to a full academic qualification, available online and in a classroom. The Institute stands for excellence in the resilience profession and its globally recognised Certified grades provide assurance of technical and professional competency. The BCI offers a wide range of resources for professionals seeking to raise their organization’s level of resilience, and its extensive thought leadership and research programme helps drive the industry forward. With approximately 120 Partners worldwide, the BCI Partnership offers organizations the opportunity to work with the BCI in promoting best practice in business continuity and resilience.

The BCI welcomes everyone with an interest in building resilient organizations from newcomers, experienced professionals and organizations. Further information about the BCI is available at www.thebci.org.

About Everbridge

Everbridge, Inc. (NASDAQ: EVBG), is a global software company that provides critical communications and enterprise safety applications that enable customers to automate and accelerate the process of keeping people safe and businesses running during critical events. During public safety threats such as active shooter situations, terrorist attacks or severe weather conditions, as well as critical business events such as IT outages or cyber incidents, over 3,000 global customers rely on the company’s SaaS-based platform to quickly and reliably construct and deliver contextual notifications to millions of people at one time. The company’s platform sent over 1 billion messages in 2015, and offers the ability to reach more than 200 countries and territories with secure delivery to over 100 different communication devices. The company’s critical communications and enterprise safety applications include Mass Notification, Incident Management, IT Alerting™, Safety Connection™, Community Engagement™, Secure Messaging and Internet of Things, and are easy-to-use and deploy, secure, highly scalable and reliable. Everbridge serves 8 of the 10 largest U.S. cities, 8 of the 10 largest U.S.-based investment banks, all four of the largest global accounting firms, 24 of the 25 busiest North American airports and 6 of the 10 largest global automakers. Everbridge is based in Boston and Los Angeles with additional offices in San Francisco, Beijing and London. For more information, visit www.everbridge.com, read the company blog, http://www.everbridge.com/blog, and follow on Twitter and Facebook.

Tuesday, 13 December 2016 00:00

The Future Of B2B Mobile Enterprise Services

Business-to-business (B2B) ecosystems facilitate the continuous exchange of information and collaboration. B2B ecosystems will play a central role for all businesses because they form the basis for redefining approaches toward innovation, knowledge management, supply-chain optimization, product development, sales, and marketing.

While the ultimate focus of these ecosystems is to create customer value, their more immediate effect is to drive operational agility in service of customers. Mobility will be a central enabler for these B2B digital ecosystems. Why?



SAVANNAH, Ga. — Hurricane Matthew storm survivors applying for FEMA assistance may easily overlook a small detail that can result in a letter of ineligibility.

Common reasons for a determination of ineligibility include:

  • Lack of verification of occupancy of the damaged property;

  • Proof of identity;

  • No documentation of disaster damage;

  • Coverage by an insurance policy.

    In the case of an insurance denial, notify FEMA of the insurance settlement, and the case will be reviewed again. In other situations, provide the requested information.

If the letter says “Ineligible,” the letter will contain a code with an explanation for the denial. If the explanation is unclear, call the FEMA Helpline at 800-621-3362 (voice, 711 or Video Relay Service) or TTY 800-462-7585 for the deaf or hard of hearing.

An application’s status may also be checked at DisasterAssistance.gov. Click on the big “Check Status” link at the far right of the home page.

Letters indicate the amount of any approved grant and how the money should be used. Using the grant for purposes other than as indicated may prevent additional assistance.

Applicants from the 10 eligible Georgia counties have 60 days from the date on FEMA’s decision letter to file an appeal on ineligibility or amount of the grant. The letter must explain the reason for the appeal and include:

  • Applicant’s full name

  • Applicant’s FEMA registration number

  • Disaster number (4284)

  • Address of the applicant’s pre-disaster primary residence

  • Applicant’s current phone number and address

  • Documentation supporting the appeal, such as contractor repair estimates, insurance settlement letters, proof of residence and proof of ownership.

  • Applicants are strongly encouraged to include the following signed statement: “I hereby declare under penalty of perjury that the foregoing is true and correct.” Other options are to submit a copy of a state-issued ID card or to notarize the letter. However, be aware that if the notary stamp is embossed and not colored, it may not scan to be readable.

Mail or fax the letter as follows:

  • By mail:


National Process Service Center

P.O. Box 10055

Hyattsville, MD 20782-7055

  • By fax:


Attention FEMA

For updates on Georgia’s Hurricane Matthew response and recovery, follow @GeorgiaEMA and @FEMARegion4 on Twitter and visit gemhsa.ga.gov and fema.gov/disaster/4284.

Your digital intelligence strategy and implementation is struggling to keep up with your device-hopping customers. You’re trying. And it’s difficult – so many obstacles. But you face the Digital Dilemma, introduced by colleague Nigel Fenwick: your customers’ expectations of digital experience keep rising. When any digital experience they have with you doesn’t meet their expectations, their perception of the value your firm provides falls … which leads to risk of customers taking their business elsewhere. Ouch. So, tackle the Digital Dilemma head on. Focus your digital intelligence strategy like a laser on the customer experiences that matter most to your business outcomes. How? With an actionable digital intelligence strategic plan. Here are 3 of the key components your strategic plan must include.



The retail industry is constantly evolving. So why wouldn’t a retailer’s risk function keep pace? Jackie Hourigan Rice, Chief Risk and Compliance Officer at Target, discusses the importance of flexibility, alignment and empathy in developing a risk program that helps the retailer be more resilient — no matter what the future may hold in store.

“You need to be flexible. It’s not about the process; it’s the impact.”



For security to work most efficiently in any organization, everybody has to be on board. I don’t mean they have to simply support the idea of good security practices, rather, they must actually have awareness of the greatest threats and risks to the organization, recognize what security procedures are necessary to address those threats and risks, and understand how to prevent falling into security traps. I’d also say that the higher up the organizational ladder one goes, the more essential it is to know specific regulations and the direct impact of security violations. Turning a blind eye to security or willingly ignoring the consequences of a potential attack is inexcusable as we go into 2017.

Yet, a recent survey conducted by Liaison Technologies found that senior executives are uninformed about the security and privacy regulations that their organizations are required to follow; 47 percent admit they don’t even know what compliance standards are applicable to their specific organization or industry. Another 25 percent say they don’t know who within the organization is responsible for security matters. And this specific statistic really surprised me, as reported by CSO:

Just three percent of respondents said that PCI DSS applied to their organization, a number that Liaison says is "surprisingly small" because it is a security standard that "applies to all entities that store, process or transmit cardholder data."



One of the major challenges for Business Continuity Management (BCM) professionals and organizations is ensuring that their Business Impact Analysis (BIA) is kept current and up to date. The problem with keeping BIAs up to date is that there is no process that integrates the BIA into the existing organizational functions. It’s something that is done once a year – a single point in time – and due to competing initiatives, is usually performed quickly by department representatives so they can focus on the activities they are responsible for and that have a direct impact upon their unit’s functions and direct reports. Ultimately, they focus on the things that impact their year-end performance, and BCM isn’t usually one of them.

BCM must meet with an organization’s IT Change Management, Organizational Change Management and Project/Program Management Office (PMO) representatives to develop a process that ensures that a Business Impact Analysis (BIA) is incorporated into their processes. This means that each project in flight completes a BIA that details what the change is, what the impact is upon existing processes and what the end result will be once the change has been implemented. This allows BCM to review the proposed (and often confirmed) changes and analyze their effect on existing BCP contingencies and strategies, assumptions, resource requirements (people, facility, IT etc.) and any other item that may have an impact upon BCM plans and processes.



Monday, 12 December 2016 00:00

Control in the Chaos

Emergency Management Market Skyrockets

When we heard the report based on new market research that the incident and emergency management market is projected to reach $114 billion by 2021, we weren’t surprised. But what people may not realize is why the market is exploding. The report notes the growth is due to “changing climatic conditions, increasing government regulations and norms, extensive usage of social media to spread information, and increased threats of terrorist attacks.”

Pretty sobering. Every one of those key drivers is out of our immediate control. We don’t like to feel out of control. In fact, the feeling of being out of control is a leading cause of anxiety and depression. It can lead us to act irrationally or at the very least, make us irritable. The truth is, we feel safe when we are in control.



Monday, 12 December 2016 00:00

Becoming a Crisis Communications Champion

If you’re an American football fan, it’s an exciting time of the year. The college playoff field is shaping up, ultimately leading to the championship game in January. Professional football teams in the National Football League are beginning to eye the ultimate prize—a Super Bowl win. It’s the time of year where excellence is on clear display.

Whatever your sport or passion, there are likely teams you admire because of their outstanding achievements or their ability to overcome adverse situations. Perhaps, during this season, we can take some inspiration from these “heroes” and apply them to our work in business resiliency and crisis communication. Consider these thoughts on what it takes to be a champion crisis communicator.



The Business Continuity Institute

In a survey about the experience of handling major losses undertaken by Vericlaim and Alarm, more than half of respondents “rated the practical assistance offered by a BCP (Business Continuity Plan) following a major incident as one or two out of a possible score of five”. In other words, the BC Plans of the organisations responding to the survey were found to be not particularly helpful when responding to a major loss!

This finding seems to have been rather under reported by the business continuity community who are usually so forward in explaining the importance of having a BC Plan and extolling the virtues of BC in improving resilience. Personally, I find it a damning indictment of the BC profession.

One of the things that constantly both amuses and horrifies me is how far most BC Plans are from the description given in the Business Continuity Institute’s (BCI’s) Good Practice Guidelines. This states that a BC Plan should be “…focused, specific and easy to use…”, and that the important characteristics for an effective BC Plan are that it is direct, adaptable, concise, and relevant.

Over the years I have had the pleasure of seeing hundreds, if not thousands, of BC Plans from a wide variety of organisations, and I can safely say that more than 90% of these plans do not fit in with this description. They tend to contain lots of information that is irrelevant to the purpose of responding to a major incident, and seem to be written more for the benefit of the organisation’s auditors than for use by people who need to take action to reduce the impact of the incident on the organisation.

As a BC consultant, I keep trying my best to improve BC Plans, but I’m constantly being knocked back by people who tell me that all sorts of things need to be put into their BC Plans, more often than not because of an audit or review undertaken by a third party.

For far too long this situation has been allowed to continue unchallenged. It cannot do so for too much longer without the BC profession losing credibility.

Mel Gosling FBCI is the Principal Business Continuity Consultant at Merrycon Ltd.

The Business Continuity Institute

Confidence among security practitioners in their organization's ability to assess cyber risk is in decline as global cyber security confidence fell six points over 2016 to earn an overall score of 70%, a 'C-' on the report card. This is according to a new study by Tenable Network Security.

The 2017 Global Cyber Security Assurance Report Card indicates that the overall decline in confidence is the result of a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 key components of the enterprise information technology (IT) landscape.

For the second straight year, practitioners cited the 'overwhelming cyber threat environment' as the single biggest challenge facing IT security professionals today, followed closely by 'low security awareness among employees' and 'lack of network visibility (BYOD, shadow IT)'.

“Today’s network is constantly changing - mobile devices, cloud, IoT, web apps, containers, virtual machines - and the data indicates that a lot of organizations lack the visibility they need to feel confident in their security posture,” said Cris Thomas, strategist, Tenable Network Security. “It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement.”

It is clear from this why cyber attacks and data breaches rank as the top two concerns for business continuity professionals, as identified in the Business Continuity Institute's latest Horizon Scan Report, which revealed that 85% and 80% of respondents to a global survey expressed concern about these two threats materialising. It is perhaps for that reason cyber security was chosen as the theme for Business Continuity Awareness Week 2017.

2017 Overall Cyber Security Assurance Report Cards by Country

  • India: B (84%)
  • United States: C+ (78%)
  • Canada: C (75%)
  • France: C (74%)
  • Australia: C- (71%)
  • United Kingdom: D (66%)
  • Singapore: D (64%)
  • Germany: D- (62%)
  • Japan: F (48%)

2017 Overall Cyber Security Assurance Report Cards by Industry

  • Retail: C (76%)
  • Financial Services: C- (72%)
  • Manufacturing: C- (72%)
  • Telecom: C- (70%)
  • Health Care: D (65%)
  • Education: D (64%)
  • Government: D (63%)

CHICAGO – Dangerously low temperatures and snow are in the forecast and the U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) wants individuals and families to be safe when faced with the hazards of winter weather.

“Subfreezing temperatures and snowstorms can be dangerous and even life-threatening for people who don't take the proper precautions,” said Janet M. Odeshoo, acting regional administrator, FEMA Region V.  “It is important for everyone to monitor their local weather reports and have a plan now for how to stay safe in severe winter weather conditions.”

During snowstorms and extreme cold weather, you should take the following precautions:

  • Stay indoors as much as possible and limit your exposure to the cold.
  • Dress in layers and keep dry.
  • Check on family, friends, and neighbors who are at risk and may need additional assistance.
  • Know the symptoms of cold-related health issues such as frostbite and hypothermia and seek medical attention if health conditions are severe.
  • Bring your pets indoors or ensure they have a warm shelter area with unfrozen water.
  • Make sure your vehicle has an emergency kit that includes an ice scraper, shovel, blanket and flashlight – and keep the fuel tank above half full.

You can find more information and tips on being ready for winter weather and extreme cold temperatures at http://www.ready.gov/winter-weather.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. 


Follow FEMA online at twitter.com/femaregion5, www.facebook.com/fema, and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at twitter.com/craigatfema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

WASHINGTON, DC — The Federal Emergency Management Agency (FEMA) has issued a Notice of Funding Opportunity (NOFO) for the fiscal 2016 Program to Prepare Communities for Complex Coordinated Terrorist Attacks (CCTA Program). The CCTA Program provides $35.94 million to state, local, tribal, and territorial jurisdictions to improve their ability to prepare for, prevent, and respond to complex coordinated terrorist attacks in collaboration with the whole community.

Selected state, local, tribal, and territorial jurisdictions will receive fiscal 2016 CCTA Program funding specifically to build and sustain capabilities to enhance their preparedness for complex coordinated terrorist attacks, by achieving the following: identifying capability gaps, developing and/or updating plans, training to implement plans and procedures, and conducting exercises to validate capabilities.

Awards will be made on a competitive basis to applicants who present an ability to successfully meet the requirements described in the NOFO.  FEMA encourages interested jurisdictions of various types, sizes, and capabilities to apply.

The application period will remain open until 11:59:59 p.m. EST February 10, 2017.  The fiscal 2016 CCTA Program Notice of Funding Opportunity (NOFO) is located online at: http://www.fema.gov/grants as well as on http://www.grants.gov Catalog of Federal Domestic Assistance (CFDA) number 97.133.


FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain and improve our capability to prepare for, protect against, respond to, recover from and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

Like the heavyweight classics Ali vs. Frazier and Tyson vs. Holyfield, a battle is raging between cloud storage and on-premise storage. Who will be left standing at the end? Which hand will the referee hold aloft in victory? Or will it forever be a disputed decision with fans demanding a rematch?

In this article, we'll look at eleven areas where public cloud storage offers an advantage.



In a new report based on research from UK national weather service the Met Office, Lloyd’s has found that extreme weather events may be modeled independently. While extreme weather can be related to events within a region, these perils are not significantly correlated with perils in other regions of the world.

The study’s key findings include:



Thursday, 08 December 2016 00:00

Business Intelligence Skills

So you have gone through the Discover and Plan of your Business Intelligence (BI) strategy and are ready to staff your BI support organization. What skills, experience, expertise and qualifications should you be looking for?



COLUMBIA, S.C.--Two months after the presidential disaster declaration for storm and flood damage relief from Hurricane Matthew in South Carolina, federal assistance has climbed to $116.9 million.

That total includes:

  • More than $33.8 million in Individual Assistance disaster recovery grants from the Federal Emergency Management Agency (FEMA) for homeowners and renters. More than 44,700 individuals and households have applied for disaster assistance from FEMA.
  • More than $31.6 million in low-interest disaster loans from the U.S. Small Business Administration (SBA) for businesses of all sizes (including landlords), private nonprofit organizations, homeowners and renters.
  • More than $38.4 million in flood insurance payments from the National Flood Insurance Program (NFIP).
  • More than $13.1 million in Public Assistance obligations to reimburse local governments for eligible costs of responding to the floods and repairing or rebuilding public facilities.

Recovery highlights include:

  • The $33.8 million in disaster recovery grants from FEMA including more than $28 million in Housing Assistance to help homeowners and renters with temporary housing and essential home repairs and more than $5.8 million in Other Needs Assistance, including grants for the replacement of damaged vehicles and personal property, as well as reimbursements for serious disaster-related needs not covered by insurance.
  • The SBA has approved 922 low-interest disaster loans, including 865 home loans, 39 business loans and 18 Economic Injury Disaster Loans for small businesses. SBA disaster loans may cover repairs or rebuilding, as well as the cost of replacing lost or disaster-damaged real estate and personal property.
  • A total of 24 Disaster Recovery Centers (DRCs) and Mobile Disaster Recovery Centers (MDRCs) have been opened by the State and FEMA. They have assisted more than 7,600 survivors. As of today, five DRCs remain open in Beaufort, Georgetown, Hilton Head, Mullins, and Sumter. To find a DRC location near you, and its hours, download the free FEMA app on your mobile device or visit asd.fema.gov/inter/locator.
  • In addition, the SBA opened three Business Recovery Centers to enable storm-impacted businesses to meet individually with SBA representatives and find out how a low-interest disaster loan can help them recover.
  • FEMA-contracted housing inspectors have completed more than 31,500 inspections of disaster-damaged homes to verify damage and eligibility for FEMA assistance.
  • A total of 202 Disaster Survivor Assistance (DSA) personnel visited nearly 55,000 homes in storm-damaged neighborhoods. They are equipped with laptop computers to register survivors with FEMA and to answer their questions about disaster assistance.
  • The NFIP, which is administered by FEMA, has paid out partial and advanced payments totaling $38 million to 6,610 policyholders.
  • Hazard Mitigation Community Education Outreach experts have advised more than 4,400 survivors how to rebuild their homes stronger and safer after the floods. They have been present at DRCs and MDRCs and at hardware and lumber stores.
  • To date, $13.1 million has been obligated in Public Assistance grants to reimburse local, state and tribal governments and certain private non-profits for 75 percent of their disaster-related expenses and repairs, providing financial relief for hard-hit communities. The state and the applicant split the remaining 25 percent.

Although Public Assistance funds go to local governments and certain nonprofits, they benefit everyone—communities, cities and the state. Those federal dollars help pay for efforts to keep people and property safe. Public Assistance funds also clean up disaster-related debris, put roads, utilities and public works back in order and repair or replace public structures. In many cases, local taxpayers would otherwise have to pay the costs that FEMA Public Assistance grants are covering.

More than 44,700 individuals and households have applied for disaster assistance from FEMA. Residents of 24 counties are eligible for Individual Assistance: Allendale, Bamberg, Barnwell, Beaufort, Berkeley, Calhoun, Charleston, Chesterfield, Clarendon, Colleton, Darlington, Dillon, Dorchester, Florence, Georgetown, Hampton, Horry, Jasper, Lee, Marion, Marlboro, Orangeburg, Sumter and Williamsburg.

Those 24 counties also are eligible for Public Assistance, along with Kershaw and Richland.

Survivors can apply online at DisasterAssistance.gov or by phone at 800-621-3362 (voice, 711 or relay service) or 800-462-7585 (TTY). The toll-free lines are open 7 a.m. to 10 p.m. seven days a week until further notice. Multilingual operators are available.

Survivors who have questions about their flood insurance policies and coverage should contact the NFIP call center at 800-621-3362 between 9 a.m. and 7 p.m. Monday through Friday. Specialists can help with service claims, provide general information regarding policies and offer technical assistance to aid in recovery.

For more information about SBA loans, call SBA’s Disaster Assistance Customer Service Center at 800-659-2955 or visit http://www.sba.gov/disaster. TTY users may call 800-877-8339. Applicants may also apply online using the Electronic Loan Application (ELA) via SBA’s secure website at https://disasterloan.sba.gov/ela.

For more information about the disaster recovery operation, please visit fema.gov/disaster/4286 or the South Carolina Emergency Management Division at scemd.org/recovery-section/ia.

All FEMA disaster assistance will be provided without discrimination on the grounds of race, color, sex (including sexual harassment), religion, national origin, age, disability, limited English proficiency, economic status, or retaliation. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). If you have a speech disability or hearing loss and use a TTY, call 800-462-7585 directly; if you use 711 or Video Relay Service (VRS), call 800-621-3362.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow us on Twitter at https://twitter.com/femaregion4 and the FEMA Blog at http://blog.fema.gov.

The SBA is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps businesses of all sizes, private non-profit organizations, homeowners and renters fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Disaster Assistance Customer Service Center by calling 800-659-2955 or visiting SBA’s website at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call 800-877-8339.

Thursday, 08 December 2016 00:00

Why IT Strategy Fails and What to Do About It

IT strategy – hmm, that sounds good! It suggests you know what you’re doing, and that those invoices from your IT suppliers correspond to something of value to the business.

However, IT strategy and the plans that go with them sometimes don’t achieve the results you wanted. Here are 10 reasons why failure happens and 10 suggestions for avoiding it.



DURHAM, N.C. – FEMA has approved almost $82 million in federal assistance to help North Carolina survivors recover from the recent floods that followed Hurricane Matthew. While assistance is tax-free and you don’t have to repay grants, FEMA urges you to use the funds wisely and only for disaster-related expenses.

FEMA also encourages you to keep your receipts for three years to show how the funds were spent. After every major disaster FEMA conducts audits of disaster assistance payments to ensure taxpayer dollars were properly provided by the agency and appropriately used by recipients. It’s important to remember that federal law prohibits duplicating disaster assistance from other sources.

When you are awarded a grant FEMA will send you a letter listing the approved uses, including:

  • Home repairs (e.g., structure, water, septic and sewage systems).

  • Rental assistance for a different place to live temporarily.

  • Repair or replacement of a flooded essential vehicle.

  • Medical care for an injury caused by the disaster.

  • Repair, cleaning or replacement of clothing or specialized tools.

  • Necessary educational materials (e.g., computers, school books, supplies).

  • Moving and storage expenses related to the disaster.

  • Child care and funeral expenses.

You may spend your FEMA grant in any approved way that helps you achieve the goal of permanent, safe, sanitary and functional housing.

  • Rental assistance grants are provided for temporary housing when a disaster leaves your home uninhabitable or inaccessible.
  • As a homeowner or renter, you can choose to rent an apartment, house, mobile home or some other temporary rental unit.
  • If you intend to seek continued rental assistance, you will need receipts to show you used the grant for rent.

You should not use disaster grants for regular living expenses – such as utilities, food, medical or dental bills not related to the disaster, nor for travel, entertainment or any discretionary expense not related to the disaster.

When you get any letter from FEMA, read it carefully. If you have any questions, call the FEMA Helpline at 800-621-3362 for voice, 711 and Video Relay Service. If you are deaf, hard of hearing or have a speech disability and use a TTY call 800-462-7585. You can also visit a Disaster Recovery Center. Find the nearest DRC by going online to www.fema.gov/drc.

For more information on North Carolina’s recovery, visit fema.gov/disaster/4285  and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.

By now firms are deep into their big data investments — and frustrated. Too many new and rapidly evolving technologies are built on open source and named after a bunch of zoo animals. The term insight platform has struck a chord with technology buyers exactly because it offers a path out of this mess. In fact, insight platform was the number-one emerging technology in terms of investment and interest in Forrester’s Q3 2016 Global State Of Enterprise Architecture And Portfolio Management Online Survey.



DevOps velocity mandates change velocity

Enterprises today are focusing on delivering applications faster to drive customer experiences and drive business transformation to meet rising expectations. For some, faster delivery is simply faster time to disappointment where the delivery process is shoddy and speed is the only metric. Speed without quality is an oxymoron – and extremely dangerous. The automation of the process known as Application Release Automation (ARA) is one of the critical impediments in the DevOps journey for I&O organizations today. ARA tools are designed to remove errors from manual processes by standardizing and automating the movement of applications with middleware and infrastructure – the critical final step in the delivery pipeline of applications to deliver customer value.



Thursday, 08 December 2016 00:00

FEMA: Private Nonprofits Encouraged to Apply

VIRGINIA BEACH, Va. – Private nonprofit (PNP) organizations in Virginia may be eligible to receive federal assistance in recovering from losses connected with Hurricane Matthew, officials of the Virginia Department of Emergency Management (VDEM) and the Federal Emergency Management Agency (FEMA) said. The deadline for applying is December 15, 2016.

Private nonprofits can request an application packet for disaster assistance by calling (804) 839-8992 between the hours of 7 a.m. to 6 p.m. Monday through Friday, or file online at VirginaPA.org and submit a request for public assistance.

The Public Assistance program provides grant funds to eligible municipalities, government agencies and qualified private non-profit organizations for costs of debris removal, emergency protective measures, road repairs, repair of water control facilities, and restoration of buildings, utilities and recreational facilities. While public assistance is oriented to public entities and can fund the repair, restoration, reconstruction, or replacement of a public facility or infrastructure damaged or destroyed by a disaster, certain PNPs may qualify for help as well.

Eligible PNPs include educational, utility, irrigation, emergency, medical, rehabilitation, and temporary or permanent custodial care facilities (including those for the elderly and disabled), and other PNP facilities that provide essential services of a governmental nature to the general public.

PNPs that provide "critical services," which include power, water (including water provided by an irrigation organization or facility), sewer, wastewater treatment, communications and emergency medical care, may apply directly to FEMA for a disaster grant. All other PNPs must first apply to the Small Business Administration (SBA) for a disaster loan. If the PNP is declined for an SBA loan, or the loan does not cover all eligible damages, the applicant may re-apply for FEMA assistance.

The eligible cities are Chesapeake, Franklin, Norfolk, Portsmouth, Suffolk, Virginia Beach, and the counties of Isle of Wight and Southampton.

Thursday, 08 December 2016 00:00

Cyber Crime is Professional

In 2016, we have seen the largest cyber bank theft in history, hacking of emails in the U.S. presidential election and a massive denial-of-service attack linked to the Internet of Things.

Attackers – ranging from nation-states to organized criminal gangs – have moved well beyond crude, scattergun approaches to defeat weak security. Today they are skilled, determined and focused – and quite possibly already inside an organization’s network, either because they’ve breached it or because they are an employee or partner with access. They are varied in motivation, capability and tactics.

BAE Systems recently conducted a survey that reveals the majority of information technology professionals (97 percent) believe business security and defense is a priority for their organizations. Yet more than half (54 percent) admit they assess cyber threats just once a week or less. The recent survey of 200 IT professionals at U.S. organizations also revealed:



It’s a fact of life in modern business and industry: You’ll amass more data by the end of the month than you likely did over an entire 12 months just a few years ago. The bottom line is that data isn’t going away any time soon, and it grows in quantity and importance with each passing day. Managing that data has evolved as a crucial aspect of conducting business, akin to HR or R&D. How effectively you manage your organization’s data will dictate a lot about your business, impacting virtually every aspect of your enterprise, not least your level of productivity and your bottom line.

Traditional data storage systems have been useful — to a point. The operative term here being ‘traditional.’ Limitations on performance, scaling and efficiencies have made outmoded data filing cumbersome, ineffective, and costly. Enter the panacea: migrating existing servers and storage to a cloud-based storage environment. Managing data at the cloud level is analogous to exchanging a single-engine turboprop for a wide-bodied supersonic jet aircraft. The benefits are numerous, tangible, and once you’ve migrated, you’ll wonder how you ever managed your data up until now.

The first thing you’ll notice with cloud data storage is a dramatic increase in productivity and performance. Faster, state-of-the-art storage translates to better response times over outmoded systems. It also means faster batch processing, allowing you to process more orders in less time more efficiently. In addition, you’ll experience faster search times and enhanced storage structures, giving customers faster access to information.



Millions were affected by the Dyn DDoS attack a few weeks ago, including service providers hosting on Dyn and their sites' potential visitors. It was a lesson that showed many online services that they can't rely on a single provider for their authoritative DNS (domain name system), since outages can and do occur.

Maintaining uptime is critical since being unavailable online essentially equates to closing your doors in brick and mortar terms. No sales, no new customers, no "showroom." Not only does an outage hurt your revenue, it damages your brand in ways that aren't easily quantified. Customers can't get to your site to buy or view products/services and so forth.

As critical as DNS is, it's an underlying Internet technology that not many people pay too much attention to until it's not working. This graphic really sums up the importance of DNS and how it acts as the foundation of your online presence.

Think about your Internet presence as a house or building that contains your web server, email servers, FTP server, API, VoIP phone system, etc. This house relies on two things, your domain name and DNS, before any other service can be set up.

Your domain name is just like the plot of land you build on - without your parcel of land, you have nowhere to build. The domain name must be registered and in good standing before anything will work. Once the domain name is secured, you need to build the foundation before you can build your house.

If your foundation is weak and unreliable, your house can crumble to the ground. This foundation is your DNS - a reliable way of answering queries to your domain name and pointing visitors to your online resources, including your web server. Without a strong DNS service in place, there's a risk of losing the entire house and all its contents. The true moral of the story is that companies should never skimp on their foundation when building their Internet house.

Here are a few additional steps to make sure your company's business has a solid DNS foundation.

1 - Don't Put All Your DNS Eggs in One Basket

Amazon, LinkedIn, Yelp, Paypal and many other smart online marketers realize that using a single DNS provider is simply too risky. They have added secondary and sometimes even tertiary DNS providers to increase reliability and decrease the chances of a DNS outage.

Secondary DNS isn't a cure-all, but it spreads out your bandwidth across multiple managed providers to reduce the chances of prolonged downtime. In the event of an attack against a single DNS provider, your secondary and/or tertiary provider will still be serving up your DNS with virtually zero impact. This also can help if you experience a DDoS attack against your domain name, since the larger DNS footprint will require a larger attack to take it all down.
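The single-provider dependency described in step 1 can be checked directly from a zone's NS records. The following is an added example, not part of the original article: it groups each zone's nameservers by provider and flags zones that depend on one provider or one nameserver. All zone names, nameserver names and the alias map are constructed, and treating the last two labels of a nameserver name as the provider key is a simplifying assumption.

```python
"""Audit authoritative-DNS provider diversity from NS records."""
from collections import defaultdict

# Constructed sample in the shape of `dig +noall +answer NS <zone>` output.
# Every zone and nameserver name here is made up for illustration.
SAMPLE_DIG_OUTPUT = """\
; constructed answer sections, one zone after another
shop.example.   86400 IN NS ns1.dns-provider-a.example.
shop.example.   86400 IN NS ns2.dns-provider-a.example.
shop.example.   86400 IN NS ns3.dns-provider-a.example.
shop.example.   300   IN A  192.0.2.10
api.example.    86400 IN NS ns1.dns-provider-a.example.
api.example.    86400 IN NS ns2.dns-provider-a.example.
api.example.    86400 IN NS pdns1.dns-provider-b.example.
api.example.    86400 IN NS pdns2.dns-provider-b.example.
mail.example.   3600  IN NS a.ns.dns-provider-c.example.
blog.example.   86400 IN NS ns-101.cloud-dns-x.example.
blog.example.   86400 IN NS ns-202.cloud-dns-x.test.
"""

# Assumption: the operator maintains this map for providers whose nameservers
# live under several domains, so they are not counted as separate providers.
PROVIDER_ALIASES = {
    "cloud-dns-x.example": "cloud-dns-x",
    "cloud-dns-x.test": "cloud-dns-x",
}


def parse_ns_records(text):
    """Return {zone: {nameserver, ...}} from dig-style answer lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        # Expected shape: name, TTL, class, type, rdata
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue
        if fields[3].upper() != "NS":
            continue  # ignore A, SOA and other record types
        zone = fields[0].rstrip(".").lower()
        nameserver = fields[4].rstrip(".").lower()
        records[zone].add(nameserver)
    return dict(records)


def provider_of(nameserver, aliases=None):
    """Map a nameserver to a provider key (last two labels, then aliases)."""
    base = ".".join(nameserver.split(".")[-2:])
    return (aliases or {}).get(base, base)


def audit_zone(nameservers, aliases=None):
    """Group one zone's nameservers by provider and list the findings."""
    by_provider = defaultdict(list)
    for ns in sorted(nameservers):
        by_provider[provider_of(ns, aliases)].append(ns)
    findings = []
    if len(nameservers) < 2:
        findings.append("SINGLE_NAMESERVER")
    if len(by_provider) < 2:
        findings.append("SINGLE_PROVIDER")
    return {"providers": dict(by_provider), "findings": findings or ["OK"]}


def audit(text, aliases=None):
    """Audit every zone found in the dig-style text."""
    zones = parse_ns_records(text)
    return {zone: audit_zone(ns, aliases) for zone, ns in sorted(zones.items())}


if __name__ == "__main__":
    for zone, result in audit(SAMPLE_DIG_OUTPUT, PROVIDER_ALIASES).items():
        providers = ", ".join(
            f"{name} ({len(hosts)} NS)"
            for name, hosts in sorted(result["providers"].items())
        )
        print(f"{zone:<14} {'+'.join(result['findings']):<34} {providers}")
```

Without the alias map, the constructed `blog.example` zone looks like it has two providers; with it, the zone is correctly reported as depending on one.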

2 – Essential DNS Features

If you are serious about your business, use a managed DNS provider. DNS hosting by your domain name registrar or Web hosting company is typically sub-standard and in many cases doesn't even allow you to enable DNS backup options such as Secondary DNS. Zone file exports and other ways to back up your DNS zones are also typically missing. Speed, uptime and expertise about DNS, as well as advanced features such as Load Balancing, GEO DNS and others, are also typically missing from these built-in DNS providers. When evaluating a potential DNS partner, you'll also want to inquire about their customer service. A great DNS company will have a group of experienced professionals available via multiple channels – i.e., phone, chat, etc. – 24 hours a day.

3 - Monitor from multiple sources and use Smart IT Alerting

Some monitoring and alerting companies stopped sending out alerts when Dyn was attacked. So many businesses and services were relying on Dyn that when it went down, the flood of monitoring alerts overwhelmed the system. The resulting logjam meant that none of Dyn's customers learned about the outage until its customers began complaining publicly. Monitoring platforms help diagnose issues immediately, and not receiving these messages extends the outage and makes troubleshooting more difficult. Using multiple monitoring services adds a level of redundancy in case one major DNS provider is taken down.

The efficacy of monitoring IT operations is measured by the speed with which notifications are sent and received. From there, the real work begins when employees start to diagnose and eventually take steps to remediate the issue. Alerting, reacting and fixing the problem is a logistical symphony and can often bottleneck the process. The success – or failure – of a company to address a critical issue often lies in those first few hours. Gaining immediate notice of a catastrophic downtime event can be the difference between a company being unavailable for an hour or days. IT leaders must install comprehensive policies and communications plans to rally critical employees quickly no matter what time of day or night. Simple items such as updated contact information for both mobile and landlines, secure conference call bridges and recorded voice alerts can reduce the mean time to fix and save the company millions in lost sales and decreased brand reputation.

The average cost of an outage can be $100,000 or more per hour depending on the size of the organization and online revenue stream. Attacks like the one we saw at Dyn are only the beginning of what we will likely see on a more regular basis now that hackers are starting to take their new IoT toys out for a spin. Businesses can help mitigate the risks of this new cyberattack type by distributing their DNS across multiple platforms and investing in smart monitoring and alerting platforms.


If your organization has never fired anyone, has never laid anyone off, has only single employees that have never been married or divorced, and have no significant others in their lives, then you don’t have to worry about Work Place Violence (WPV) or an Active Shooter. If your organization does NOT fit this profile, then you need to prepare for an Active Shooter. Management needs to understand that they are personally liable for not providing for the safety and security of their staff (OSHA 1910-34139). Several executives have been convicted under that statute and are serving time in jail.

Management needs to educate their staff regarding how to act during an active shooter incident. An employee needs to know:



The length of time victims wounded in school shootings and terror attacks must wait for help from an EMT could be minutes or hours—during which time they could bleed to death. This has happened in a number of cases, including a shooting at an Orlando nightclub in June, when a woman bled to death while waiting for help to arrive.

These incidents have prompted the Department of Homeland Security’s Stop the Bleed campaign, a nationwide initiative to empower individuals to act quickly and save lives in emergency situations. Bystanders are asked to take simple steps to keep an injured person alive until medical care is available. Security guards, custodians, teachers and administrators are being trained at schools and other places to administer first aid until help arrives.



Your organization's actual ability to respond to and recover from an event is directly related to employee readiness across the organization.

It is important to note that too many times we train only those directly involved in key recovery positions and do not train the lower levels of the organization. To determine employee readiness, or how well employees are prepared, ask people across the organization if they know what BCP is or what they are supposed to do in an emergency. If possible, ask not only individual contributors, but senior management as well.

Employee readiness must be heightened both at work and at home. If people are not available because of their personal situation, they cannot assist with any business recovery. Remember, individuals will be most concerned about themselves and their family (and rightfully so). If their personal situation is not safe or stable, they will be distracted at best, or unavailable at worst.



Wednesday, 07 December 2016 00:00

The Key Elements of the Hybrid Cloud

The hybrid cloud is evolving along a strange sort of dichotomy as the year comes to a close: It is getting easier to deploy but more challenging to optimize.

This is partly due to the fact that the enterprise itself is tasked with managing multiple types of workload – everything from traditional business applications to mobile computing and device-driven analytics. But it also points to the fact that the hybrid cloud is not a single entity but a collection of components that must work together near-flawlessly in order to provide the seamless data experience that users expect.

Tech writer Alan Joch noted on BizTech recently that the emergence of turnkey solutions and hybrid management tools is making it easier to deploy distributed cloud environments. Leading IT vendors have taken to leveraging both their home-grown systems portfolios and third-party contributions to craft hybrid architectures that can be easily launched and then quickly scaled to production-level environments. VMware’s Cross-Cloud Architecture, for example, provides for consistent deployment models, security policies and governance across multiple clouds and can be delivered under the company’s Cloud Foundation architecture that incorporates legacy platforms like vRealize, vSphere and NSX software-defined networking.



Having an adjuster with the National Flood Insurance Program (NFIP) come to your home isn’t the same as having your homeowner’s insurance agent or a FEMA inspector assess your damages.

FEMA Individual Assistance (IA), homeowners insurance and flood insurance are three different programs.

Homeowner and business insurance policies generally do not cover flood damage. Disaster officials recommend:

  • If you have flood insurance, call your agent right away.
  • If you have homeowners insurance, call your agent right away.
  • If you had damages and haven’t registered with FEMA, do so right away.

Receiving a flood claim inspection, registering with your city’s emergency management agency, registering with the Virginia Department of Emergency Management (VDEM), the Red Cross, or with any other charitable organization is NOT the same as registering with FEMA or having a homeowner’s or flood insurance policy.

If you have dual insurance, you need to contact both your homeowners insurance and your NFIP flood insurance agent as well as register with FEMA to initiate individual recovery assistance. The deadline to register with FEMA is January 3, 2017. The deadline to file a flood-loss claim is February 7, 2017.

The deadline date for filing an NFIP flood insurance claim has been extended from 60 to 120 days from the date the flood damage occurred. After contacting your flood insurance agent, the claims process begins with your sending in ‘proof of loss’ paperwork. The flood claim process commonly follows this timeline: 

  • An adjuster will usually call you within 24 to 48 hours after you notify your agent about the flood damage.

  • Once contacted, a claims adjuster will visit to open the claim. In disasters such as the one in Virginia, some adjusters may have hundreds of policyholders to service.

  • Policyholders have 120 days after the date of the loss to file proof of loss paperwork. This sworn statement may have to be notarized.

    • For instance, if you send in your proof of loss at 28 days, it can take at least 14 to 20 days more after that to review and process for payment.

    • It can take another 20 days to process the claim for payment—and at times only a partial payment can be made.

  • If you have a mortgage, regulations require that homeowner payment checks be issued in both the lender and homeowner’s name. Usually a bank or lender will require a construction contract or proof of pending repairs before releasing the money to you.

To date, NFIP in Virginia has received 2,231 claims with an estimated payout of nearly $25 million due to Hurricane Matthew.

Some damages not covered by your NFIP insurance may be eligible for coverage under your homeowners insurance, FEMA individual assistance program, or the U.S. Small Business Administration (SBA). You must be registered with FEMA to find out if you are eligible for additional assistance not covered by your insurance policies.

If you receive an SBA loan application, complete and submit it to the SBA, even if you don’t want a loan. Sometimes unanticipated expenses come up as your recovery process nears conclusion.

Information about claims, what to do, how to file, and what proof of loss is needed can be found in the NFIP online booklet “The NFIP Flood Insurance Claims Handbook” at http://go.usa.gov/x89kz. In most cases, there is a 30-day waiting period for a new flood insurance policy to take effect. To learn more about this program, contact your insurance agent or the NFIP at 888-379-9531, or visit www.floodsmart.gov.

Call the FEMA helpline to register, register online at www.DisasterAssistance.gov, or get additional information: 800-621-3362, or TTY at 800-462-7585. You can also visit your nearest Disaster Recovery Center (DRC). Location addresses can be found at www.FEMA.gov/DRC.

An unplanned outage is one of the worst things that can happen to a data center – and to your business. According to a 2016 Ponemon Institute study, a data center outage costs businesses an average of $8,851 per minute. The report also found that since 2010, the average total cost of a data center outage is up 38 percent – to $740,357. Although it’s impossible to completely eliminate outages, you can take steps to mitigate the consequences of downtime and ensure business continuity.

Here are nine ways to mitigate the risk of an extended data center outage and help ensure business continuity:



We know you know, but to save you the mental effort of fleshing these acronyms out into full-length descriptions, here’s what they stand for. BCM is business continuity management. ITSCM is IT service continuity management. And BIA is business impact analysis.

These three items are linked together by the need to keep organizations operational in adverse circumstances. You probably got that immediately.

But they are also linked by the need to trim expenses down to only what is necessary, a connection that is sometimes rather less obvious. Here’s how it works.

Let’s start with BCM. This is the overall management of continuity for the business, meaning the organization as a whole. As much of business is driven by IT, IT service continuity management is typically a major component of BCM.



Would it surprise you to know that up to 90 percent of the U.S. workforce says they would like to telecommute at least part time? Some aren’t waiting for permission, but gradually changing the perception of what’s acceptable office protocol.

Plenty of companies are offering remote working options to their employees, but there are some stalwarts who believe the most productive employees “come” to work every day. Still, other companies draw the line at sales execs or field techs. IDC forecasts the U.S. mobile worker population will grow at a steady rate to nearly 106 million by 2020. Unless sales and field technician positions explode, this means many jobs will move from the traditional office locale to an alternative site or sites.

Some of the hesitation to open this can of worms is that employees will slack off if not under constant supervision. Data security and communication are other concerns, although these are becoming less of an issue thanks to modern technology, such as cloud computing and employee communication software. The key, however, is to leverage existing and emerging technologies, set expectations, communicate frequently, and devise a measurement benchmark to evaluate performance.



A survey of more than 1,400 risk professionals at large organizations in the U.S. or Canada that have purchased a commercial insurance policy from one of the profiled insurers or brokers throws up some interesting results.

It finds that as rates across the U.S. commercial property/casualty insurance market continue to decline, the key variables in driving overall commercial insurance customer satisfaction are insurer profitability and broker expertise.

The J.D. Power study, conducted in conjunction with RIMS (the risk management society), found a distinct correlation between customer satisfaction and insurer profitability, as measured by total commercial combined financial ratios.



The Business Continuity Institute - Dec 05, 2016 16:26 GMT

At the most recent meeting of the Business Continuity Institute's Board of Directors, James McAlister FBCI formally became the new Chairman of the BCI, taking over from David James-Brown FBCI, whose two years in office have come to an end.

James is a former police officer with over 30 years of experience in business continuity, civil protection, emergency planning, security, firearms, public order and training. He has advised and contributed to many operations and exercises throughout the UK and internationally including political party conferences, major sporting events, VIP visits, counter terrorism operations, public order events and environmental / man-made emergencies. James has won a number of prestigious awards including the Public Sector Business Continuity Manager of the Year Award at the BCI European awards in 2014.

On taking up the post, James commented: "David James-Brown has left the Institute in a much better position than it has ever been in before. We are financially stable, have a wider global presence, offer more member services, and provide more research papers. Possibly his greatest legacy is yet to be realised in the Institute's new customer relationship management system which doesn't go live until next year. I would like to thank David on behalf of all the membership for his dedication, loyalty, hard work and leadership over the last two years and wish him well as he returns to his successful consultancy business."

As announced previously, Tim Janes Hon. FBCI now becomes the new Vice Chair of the BCI after being voted in by his fellow members of the Global Membership Council, and Roberto Grosso Ciponte MBCI becomes the new Membership Director, also voted in by those on the Global Membership Council.

RALEIGH, N.C. – Survivors of the flooding that followed Hurricane Matthew should make or solidify a plan to move from temporary accommodations to more permanent housing as part of their recovery.

If you are living in a hotel paid by FEMA under the Transitional Sheltering Assistance program, remember this assistance is short-term. The program is scheduled to end Saturday, Jan. 7, 2017.

Two ways to search for housing online:

  • NCHousingHelps.org helps people displaced by Hurricane Matthew locate available, affordable rental housing. This free service can be accessed online 24 hours a day and through a toll-free, bilingual call center, Monday through Friday, 9 a.m. to 8 p.m., at 877-428-8844.
  • The FEMA Housing Portal (https://asd.fema.gov/inter/hportal/home.htm) is intended to help individuals and families who have been displaced by a disaster find a place to live. The portal consolidates rental resources identified and provided by federal agencies, such as the U.S. Department of Housing and Urban Development, U.S. Department of Agriculture, U.S. Veterans Administration, private organizations, and the public to help individuals and families find available rental units in their area.

If you lived in public housing, or a multi-family Section 8 apartment, or had a Housing Choice Voucher before Hurricane Matthew:

  • You may be eligible for disaster assistance from U.S. Housing and Urban Development (HUD). Contact the housing provider that assisted you before the disaster and contact HUD at 336-851-8058 or by email.

If you need homeowner information and assistance from HUD regarding foreclosure or questions about the next steps with your home:

  • Contact a HUD-approved housing counseling agency by calling 800-569-4287. You do not have to have a FHA loan to meet with a HUD-approved housing counseling agency, and there is never a fee for foreclosure prevention counseling.

The deadline for registering for FEMA’s Individual Assistance is Monday, Jan. 9, 2017. If you have not yet registered, you are urged to do so as soon as possible.

There are three ways to register with FEMA:

  • Online at DisasterAssistance.gov.
  • Call the FEMA Helpline at 800-621-3362 for voice, 711 and Video Relay Service. If you are deaf, hard of hearing or have a speech disability and use a TTY, call 800-462-7585.
  • Download the FEMA Mobile App and apply.

After you register with FEMA, the U.S. Small Business Administration may contact you. SBA is the primary source of funds for property repairs and replacing lost contents following a disaster. The deadline to apply for a low-interest disaster loan from SBA is also Monday, Jan. 9, 2017.

  • There is no requirement to take out a loan if one is offered from SBA. If you are approved for a disaster loan, you have 60 days to decide whether to accept the loan. If you are not approved for a loan you may be considered for certain other FEMA grants and programs that could include assistance for disaster-related car repairs, clothing, household items and other expenses.

Voluntary organizations in your community may be able to help you find a more permanent place to live. You may seek referrals for unmet needs by calling United Way at 211. You can find a list of organizations currently assisting survivors at North Carolina Voluntary Organizations Active in Disaster.

For more information on the North Carolina recovery, visit fema.gov/disaster/4285 and readync.org. Follow FEMA on Twitter at @femaregion4 and North Carolina Emergency Management @NCEmergency.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 or TTY at 800-462-7585.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Follow FEMA on Twitter at @femaregion4. Download the FEMA app with tools and tips to keep you safe before, during, and after disasters.

Dial 2-1-1 or 888-892-1162 to speak with a trained call specialist about questions you have regarding Hurricane Matthew; the service is free, confidential and available in any language. They can help direct you to resources. Call 5-1-1 or 877-511-4662 for the latest road conditions or check the ReadyNC mobile app, which also has real-time shelter and evacuation information. For updates on Hurricane Matthew impacts and relief efforts, go to ReadyNC.org or follow N.C. Emergency Management on Twitter and Facebook. People or organizations that want to help ensure North Carolina recovers can visit NCdisasterrelief.org or text NCRecovers to 30306.

The U.S. Small Business Administration (SBA) is the federal government’s primary source of money for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover losses not fully compensated by insurance or other recoveries and do not duplicate benefits of other agencies or organizations. For more information, applicants may contact SBA’s Customer Service Center by calling (800) 659-2955, by email, or by visiting SBA’s Web site at www.sba.gov/disaster. Deaf and hard-of-hearing individuals may call (800) 877-8339.

RALEIGH, N.C. – North Carolina survivors who registered with FEMA for disaster assistance after Hurricane Matthew are encouraged to stay in touch with the agency to resolve issues, get updates on your application or provide additional information.

It is especially important for you to update FEMA with any insurance documentation information or settlements. FEMA disaster assistance covers only basic needs and cannot duplicate insurance payments.

You can also call the helpline to:

  • Receive information on the home inspection process

  • Add or remove a name of a person designated to speak for you

  • Find out if FEMA needs more information about your claim

  • Update FEMA on your housing situation

  • Get answers to other questions about your application

To update your status call the FEMA Helpline at 800-621-3362 for voice, 711 and Video Relay Service. If you are deaf, hard of hearing or have a speech disability and use a TTY, call 800-462-7585.

If you are changing addresses, phone numbers or banking information you should notify FEMA. Incomplete or incorrect information could result in delays in receiving assistance.

When calling the helpline you should refer to the nine-digit number you were issued at registration.  This number is on all correspondence you receive from FEMA and is a key identifier in tracking assistance requests.

How could all those precisely formulated Information Technology Infrastructure Library recommendations lead to anything but success? Well, we can give you six possibilities right now.

They fall neatly into two categories with half of them being problems that could affect any organizational change, and half of them being issues more specific to ITIL.

First, let’s tackle the specific issues. Number one on our list is trying to implement ITIL as though it was a standard like ISO 27002 for security.



Thursday, 01 December 2016 00:00

An Orchestrated Cloud Is an Effective Cloud

In the old days, IT was tasked with managing infrastructure, primarily by controlling the physical devices that moved, processed and stored data. In the abstract cloud era, the name of the game is orchestration of the disparate systems and platforms that data invariably encounters as it makes the journey from raw information to valuable knowledge.

But while many of the actual orchestration processes will be automated using increasingly intelligent algorithms, IT still has a job to do in not only crafting the policies that will govern data and application movement but in selecting and provisioning a robust orchestration platform from an increasingly diverse set of vendor solutions.

According to Markets and Markets, the cloud orchestration sector is on pace to nearly triple by 2021, growing from $4.95 billion today to $14.17 billion, with a compound annual growth rate of 23.4 percent. The key driver, of course, is to craft the most efficient, effective use of cloud resources, although demand for self-service provisioning and high-speed application support is also part of the mix. As the digital economy unfolds, service fulfillment will come to dominate the IT landscape and companies that can provide rapid, reliable infrastructure at a moment’s notice will derive greater profitability with tighter margins and foster stronger brand loyalty among users.



Thursday, 01 December 2016 00:00

Atlantic Hurricane Season: The Long View

As the 2016 Atlantic hurricane season officially draws to a close just days after Hurricane Otto became the latest calendar year Atlantic hurricane on record to make landfall, the question on everyone’s lips is: are the seasons growing longer?

For if Otto, which struck southern Nicaragua as a Category 2 over Thanksgiving, is the last hurricane of the 2016 season, it will mark the end of the longest Atlantic hurricane season on record, according to NOAA.

The 2016 season had an early beginning—well ahead of its June 1 official start—when Hurricane Alex became the first Atlantic hurricane in January since Hurricane Alice in 1955.



The Business Continuity Institute - Dec 01, 2016 16:24 GMT

We have recently seen two significant cyber attacks on big businesses hitting the news, and these are just the ones we know about. The ability for hackers to gain access to systems through technical means is not to be underestimated, and specialists work tirelessly to build and maintain secure systems that are now integral to our business and personal lives.

What is often forgotten is the vulnerability of the very people who use and operate these systems, who by definition are often the easiest way for a hacker to secure the information they need to profit from their activity. People are the biggest weakness when it comes to cyber security, yet how many of us are regularly trained and updated on methods and the importance of protecting information?

Data security is vital to the success of your business, yet working practices in many organisations still demonstrate a lack of awareness and understanding:

How many of us have seen the ‘Post-it note’ approach to ensuring we don’t forget that important password stuck to the very computer terminal holding all the company data?

How many of us really understand the capability of hackers to contact our call centres and encourage our staff to release that extra bit of customer information?

There is no complete solution to this and we must all work on the basis that we will at one point or another be subject to a cyber attack. This is just a reality of the world we now live in and the risk versus reward for those who engage in this activity. To protect ourselves both personally and professionally, we must ensure that our organisations remain up to date and strong in terms of technical resilience, but just as important is ensuring our people are aware of the types of methods used by hackers to elicit information and build the resources for an attack.

We must have strong control measures in place for passwords and other access information and ensure our staff fully appreciate the potential impact if we get this wrong, but equally we must ensure our people understand the many other methods used, some of which are incredibly clever. The damage caused can be fatal for a business with complete loss of confidence from your hard earned customer base.

Chris Regan AMBCI is the Director of Blue Rock Risk Limited, a specialist crisis and risk management consultancy which runs a programme called Cyber Aware that focuses completely on the people side of cyber security. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email or by telephone 0117 2440154.

Wednesday, 30 November 2016 00:00

BCI: The maturing world of business continuity

The Business Continuity Institute - Nov 30, 2016 16:31 GMT

It’s been two years since winning the BCI Global Newcomer of the Year Award, and just as long since I featured in the Business Continuity Institute’s '20 in their 20s' publication, so I’ve decided to re-read my contribution to see what’s changed.

In 2014 it was clear to me that the academic world of business continuity was rapidly maturing. My undergraduate degree had a BC-specific module much like many other courses at the time. The BCI was also developing its very own diploma, and you only had to do a quick search online to realise the growing number of universities offering BC-dedicated postgraduate courses, and see just how popular the subject was becoming.

Add to this the emergence of the Business Continuity Management Academic Journal and it’s easy to see how some individuals were embarking on an exclusively theoretical BC journey for several years before ever even working a single day in the field. As a junior professional at the time I was becoming concerned about not having the right skills to take the next step in my career.

Professional immaturity and hindsight

So what has changed? On a personal level, my views on the development of junior professionals in our field have matured and I certainly see things differently now. At the time I remember being particularly frustrated by what felt like a lack of structured development and clear direction available to me. The BCI mentoring scheme was in its infancy at the time and I was probably one of the first to sign up along with the available mentors. My BC mentor wasn’t really sure what to do with me as the process was meant to be 'self-driven' by the mentee, and I wasn’t sure where to take it so I didn’t get very far with that. I’m pleased to say the mentoring framework by the BCI has made steady progress over the last couple of years and I have now signed up to the Mentor-Match scheme as a mentor should anyone wish to have me!

In 2014 I was also desperate for a competency self-assessment to help me understand exactly where to improve. I had already passed the CBCI with merit, but I still wasn’t any clearer on personal strengths and weaknesses other than that I could remember the contents of the Good Practice Guidelines. It’s because of this perceived lack of support, validation and long term development goals that I started to wonder if becoming a BC professional was even a real career.

I realise now of course that I rather naively expected the industry to mark out every inch of my career path and to explain to me at checkpoints how I was doing. I’ve since spoken to many undergraduates during my guest lectures over the last two years and I’ve come to realise that I’m not alone in this assumption. In fact, I get the impression that a number of people out there still have this level of expectation which I think needs to be levelled. This is a very self-driven process!

However, before even embarking on a career in BC/resilience, many students and graduates are looking to the industry for a solid step by step development structure, providing them with a warm cosy feeling that they have a long-term career journey ahead of them. I think this expectancy is partially driven by the current wealth of graduate recruitment schemes available which clearly offer this kind of structure (just take a look at the PwC, KPMG schemes etc). Although I’m yet to see any major firms offering a scheme specifically involving BC.

I also think the universities are partly responsible. They all look to reassure their students of life beyond the books by suggesting that there is a structure in place for them to develop which isn’t always the case. I’ve had some conversations with students who genuinely believe they will be guided by the hand through their career, which we all know simply doesn’t happen in the way they think.

I also expected too much from the BCI, senior colleagues and mentors. Their time and resources are extremely limited and so their efforts are essentially wasted if not used in the right way. Again, I fell into the trap of assuming the seasoned veterans would tell me exactly what I needed to do. I still believe we need to think smart and redesign the development journey for our members but that also requires us to spell out what a BC professional actually looks like and how to get there. I think this alone is a major challenge given the emergence of popular concepts such as organizational resilience and cyber. We are still very much in the process of finding our place in that particular evolution so it might be a touch too difficult to fully define what is essentially a moving target.

More recently, there were some worthwhile discussions at BCI World 2016 during the #hire2retire session which looked at the business continuity career path. I would urge everyone to take a look. A very good insight from these discussions was captured by PwC’s Rebecca Robinson who recognises the need to remain flexible, but also to get out there and broaden your experience. Again this goes back to being a self-driven professional.

Self-driven career positioning

If anything, the last two years have taught me the importance of self-driven career development. I needed to undertake some self-evaluation and decide on what direction I needed to take. My main aim for the future is to become a highly effective resilience manager with a good understanding of the threat landscape for the business in which I work. It’s because of this approach that I started to identify some seriously worrying knowledge gaps (namely IT security or cyber). I started to notice that more and more of my business disruptions/major incidents at work specifically related to IT/data breaches or threats thereof. I found myself constantly at the whim of the Chief Technology Officer and other technical staff to assure me that controls were in place, which of course were found to be lacking when incidents really did occur.

I’ve spent the last year being immersed into cyber security so I can get ahead of the game. I’ve retrained in CompTIA Security+, CSX – Cyber Security Fundamentals and CRISC and I now work closely on new and emerging technology in banking networks. I’m already stronger for the experience and I can comfortably challenge the views expressed by those in the business who are deemed technical who often try to bamboozle other management with 'tech-speak'. Ultimately this will make me a more effective resilience manager in the future when the right role comes my way.

Luke Bird MBCI received the 2014 BCI Global Award for Best Newcomer and is a self-published author in business continuity and has several articles published on the BCI and Continuity Central websites. He has successfully delivered and maintained a full programme of ISO 22301 certification and fully completed a series of major Work Area Recovery rehearsals around the UK. Luke is also widely known for his 'BlueyedBC' brand where he uses his online presence to share learning and experience among professionals in the industry and often attends universities to provide guest lectures to undergraduates studying the discipline.

Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization’s assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely.

When determining your risk mitigation strategies, don’t confuse the strategies of risk avoidance or risk acceptance with risk ignorance. Risk ignorance is a situation where the knowledge about the risk (and any underlying phenomena and processes) is poor. Just because there are no remediation strategies currently in place does not mean that a conscious decision has been made to accept the risk.

We perform assessments regarding risk and risk impact on a daily basis. We then use those assessments to determine our choice of action. A good example is wearing a seat belt. We might observe that experienced drivers are more likely to understand the risks inherent in car travel, and thus choose to wear seat belts, whereas the less experienced driver (think teenagers) may have to be reminded constantly of those risks, at least in my house. These are contrasting examples of risk avoidance (seat belt use) and risk ignorance (no seat belt use). Neither should be confused with risk acceptance (car travel is dangerous, but I don’t want to wrinkle my clothes, so I’m not going to wear my seat belt).



Today, many organizations are taking a look at cloud through a new lens. Specifically, organizations are looking to cloud to enable a service-driven architecture capable of keeping up with enterprise demands. With that in mind, we’re seeing businesses leverage more cloud services to help them stay agile and very competitive. However, the challenge revolves around uptime and resiliency. This is compounded by often complex enterprise environments.

When working with cloud and data center providers, it’s critical to see just how costly an outage could be. Consider this – only 27% of companies received a passing grade for disaster readiness, according to a 2014 survey by the Disaster Recovery Preparedness Council. At the same time, increased dependency on the data center and cloud providers means that overall outages and downtime are growing costlier over time. Ponemon Institute and Emerson Network Power have just released the results of the latest Cost of Data Center Outages study. Previously published in 2010 and 2013, the purpose of this third study is to continue to analyze the cost behavior of unplanned data center outages. According to the new study, the average cost of a data center outage has steadily increased from $505,502 in 2010 to $740,357 today (or a 38 percent net change).

Throughout their research of 63 data center environments, the study found that:



As the Atlantic, eastern Pacific and central Pacific 2016 hurricane seasons end today, NOAA scientists said that all three regions saw above-normal seasons.

For the Atlantic, this was the first above-normal season since 2012. The Atlantic saw 15 named storms during 2016, including 7 hurricanes (Alex, Earl, Gaston, Hermine, Matthew, Nicole, and Otto), 3 of which were major hurricanes (Gaston, Matthew and Nicole). NOAA’s updated hurricane season outlook in August called for 12 to 17 named storms, including 5 to 8 hurricanes, with 2 to 4 of those predicted to become major hurricanes.

Five named storms made landfall in the United States during 2016, the most since 2008 when six storms struck. Tropical Storm Bonnie and Hurricane Matthew struck South Carolina. Tropical Storms Colin and Julia, as well as Hurricane Hermine, made landfall in Florida. Hermine was the first hurricane to make landfall in Florida since Wilma in 2005. 

Several Atlantic storms made landfall outside of the United States during 2016: Tropical Storm Danielle in Mexico, Hurricane Earl in Belize, Hurricane Matthew in Haiti, Cuba, and the Bahamas, and Hurricane Otto in Nicaragua.

The strongest and longest-lived storm of the season was Matthew, which reached maximum sustained surface winds of 160 miles per hour and lasted as a major hurricane for eight days from Sept. 30 to Oct. 7. Matthew was the first category 5 hurricane in the Atlantic basin since Felix in 2007.

Matthew intensified into a major hurricane on Sept. 30 over the Caribbean Sea, making it the first major hurricane in that region since Paloma in 2008. It made landfall as a category 4 major hurricane in Haiti, Cuba and the Bahamas, causing extensive damage and loss of life. It then made landfall on Oct. 8 as a category 1 hurricane in the U.S. near McClellanville, South Carolina.

Matthew caused storm surge and beach erosion from Florida through North Carolina, and produced more than 10 inches of rain resulting in extensive freshwater flooding over much of the eastern Carolinas. The storm was responsible for the greatest U.S. loss of life due to inland flooding from a tropical system since torrential rains from Hurricane Floyd caused widespread and historic flooding in eastern North Carolina in 1999.

“The strength of Hurricane Matthew, as well as the increased number of U.S. landfalling storms this season, were linked to large areas of exceptionally weak vertical wind shear that resulted from a persistent ridge of high pressure in the middle and upper atmosphere over the Caribbean Sea and the western Atlantic Ocean,” said Gerry Bell, Ph.D., lead seasonal hurricane forecaster at NOAA’s Climate Prediction Center. “These conditions, along with very warm Caribbean waters, helped fuel Matthew’s rapid strengthening.”

Eastern and central Pacific Hurricane Seasons

The eastern Pacific hurricane basin, which covers the eastern Pacific Ocean east of 140 degrees West, produced 20 named storms during 2016, including 10 hurricanes of which 4 became major hurricanes. July through September was the most active three-month period on record for this basin. NOAA’s eastern Pacific hurricane season outlook called for 13 to 20 named storms, including 6 to 11 hurricanes, 3 to 6 of which were expected to become major hurricanes.

The central Pacific hurricane basin covers the Pacific Ocean west of 140 degrees West to the International Date Line. This basin saw seven tropical cyclones (includes tropical depressions and named storms) during 2016. All seven became named storms, and included three hurricanes of which two were major hurricanes. Tropical Storm Darby made landfall on the Big Island of Hawaii, marking the first time in recorded history that two storms in three years struck the Big Island (Darby in 2016 and Iselle in 2014). NOAA’s central Pacific hurricane season outlook called for 4 to 7 tropical cyclones. That outlook did not predict specific ranges of named storms, hurricanes and major hurricanes.

NOAA's mission is to understand and predict changes in the Earth's environment, from the depths of the ocean to the surface of the sun, and to conserve and manage our coastal and marine resources. Join us on Twitter, Facebook, Instagram and our other social media channels.

In Henry IV Part 1, Owen Glendower, the leader of the Welsh rebels, joins the insurrection against King Henry. Glendower, a man steeped in the traditional lore of Wales, claims to command great magic. Therefore, mysterious and superstitious, he sometimes acts in response to prophecies and omens. In the play, Glendower boasts to Hotspur, “I can call the spirits from the vastly deep.” Hotspur deflates Glendower with, “Why, so can I or so can any man; But will they come when you call them?”

Any business owner or senior leader can call the same spirits of strategy from the vastly deep, but business outcomes tattle. They tell us that too often the spirits don’t come. Or, they come, but no one knows what to do with them once they’re there. Successful leaders realize they can’t command magic, but they can create a magical alchemy to turn the raw materials of a strategy into gold and then tie the succession plan to it. Here’s how:



Can these two items coexist? Business continuity is about keeping things going, whereas business transformation is often about breaking things (figuratively, if not literally) to get out of a rut and into a new, more competitive mode of business.

The quick answer is to go beyond the superficial meaning of the word “continuity” and apply business continuity in a context of change, not stagnation. In practice, this means watching out for a number of challenges.

Because business transformation is seldom an option (every enterprise must go through it at some point), let’s consider four steps to making it happen and see how business continuity gets involved at each step.



(TNS) - As Ohio State University students and faculty dealt with a campus attack today, the Ohio Senate this week could pass a bill that would reduce the penalty from a felony to a misdemeanor for carrying a gun on a college campus.

House Bill 48, which passed the Republican-controlled House a year ago, 68-29, also would allow universities to adopt policies permitting people to carry concealed handguns on campus.

According to authorities, the man who unleashed an attack at Ohio State today used his vehicle to run people over, and then wielded a butcher knife. He was killed by a campus police officer.

The bill was already scheduled for a possible Senate committee vote on Wednesday morning, prior to the attack at Ohio State. It is set for two hearings this week, and the full Senate could take up the bill as early as Wednesday afternoon, if leaders so choose.



The Florida Keys Mosquito Control District voted to approve the use of genetically modified mosquitoes in a trial that will examine whether releasing the mosquitoes in Monroe County will reduce the area’s Aedes aegypti population.

I must confess, this makes me think of all of the “great” ideas that have gone bad over the years… invasive plants introduced in order to curb some other plant (remember Kudzu??) or Eucalyptus trees in the west planted for railroad ties and now are major fire risks in many locations. Not good… so what about a genetically modified mosquito… what could possibly go wrong?!?!?

The genetically engineered mosquitoes, referred to as self-limiting Friendly mosquitoes (Oxitec), are male mosquitoes modified to produce offspring that do not survive past the late larval or early pupal stage. A small survey conducted in 2015 showed that most respondents in Monroe County did not support the insect control method; however, residents voted on Nov. 8 to approve its use in the area.



A recent CTERA survey of 400 IT decision makers and IT specialists found that 36 percent of respondents said the loss of data in the cloud would be more catastrophic than their data center crashing, and 14 percent said it would cost them their jobs.

At the same time, 67 percent of respondents deploy more than 25 percent of their applications in the cloud, and 37 percent plan to grow their cloud use by 25 percent or more.

Fifty-four percent of respondents are using a hybrid cloud strategy that leverages both on-premises and cloud services.

Still, 66 percent of respondents say there's less focus on backing up cloud data due to an assumption that the cloud is inherently more resilient than on-premises applications.



(TNS) - Though there have been no reported cases of disaster relief money being used fraudulently in Brunswick, the Georgia Emergency Management and Homeland Security Agency (GEMHSA) issued a statement this week cautioning Hurricane Matthew survivors to use recovery assistance only for its intended purpose.

“FEMA and GEMHSA work together all year round in preparedness, response, recovery and mitigation,” said Robert Porreca, a FEMA spokesperson.

According to Porreca, officials are reminding Georgia Hurricane Matthew survivors that improperly using the money could be a violation of the declaration survivors sign to receive the grants and could result in denial of future assistance.

Those who apply and are approved for disaster assistance receive FEMA aid by way of a check or direct deposit to their checking account. The money is accompanied by a letter from FEMA about the grant and how it can be spent.



SAVANNAH, Ga. – Georgia disaster survivors living in the 10 counties affected by Hurricane Matthew do not have to wait for an insurance settlement to apply for federal assistance.

Survivors have until Dec. 16, only three weeks away, to register with FEMA.

Registration is encouraged even if survivors are uninsured or have policies that don’t cover temporary housing while they’re repairing or rebuilding their homes. Waiting for an insurance settlement could mean missing out on federal grants or other resources.

Even if a survivor is insured, the policy may not cover everything. Providing FEMA with insurance information could mean consideration for additional assistance.

Federal assistance is available to eligible individuals and households in Bryan, Bulloch, Chatham, Effingham, Evans, Glynn, Liberty, Long, McIntosh and Wayne counties. Damage or losses from Hurricane Matthew must have occurred Oct. 4-15.

Many of those with Hurricane Matthew damage have already filed claims through their insurance carriers. Recovery officials suggest they register with FEMA even while waiting for an insurance settlement.

Once registered, applicants with insurance policies covering storm-related loss and damage are mailed a "Request for Information" as part of FEMA’s verification process to avoid duplicating insurance payments. By law, federal assistance cannot duplicate assistance provided by other sources.

Applying for disaster assistance is a two-step process that ensures consideration for all FEMA programs and the U.S. Small Business Administration disaster loans. First, register with FEMA. Second, complete and return the SBA loan application, if one is offered. There is no charge to apply for the loan and if approved, no obligation to accept it.

Disaster survivors may register the following ways:

For updates on Georgia’s Hurricane Matthew response and recovery, follow @GeorgiaEMA and @FEMARegion4 on Twitter and visit gemhsa.ga.gov and fema.gov/disaster/4284

Wednesday, 23 November 2016 00:00

FEMA: Coping with Holiday Stress after a disaster

TALLAHASSEE, Fla. – The holiday season can be a stressful time. For individuals and families looking to rebuild from recent disasters, the approaching holiday may be especially difficult. 

Taking care of yourself and staying in touch with your family and friends during the holidays is an important part of maintaining your physical and mental health as you continue to recover from the Florida hurricanes. 

Some signs of disaster-related stress may include: 

• Feeling sad during a holiday season when you are seeking a new home or dealing with memories of a lost loved one. 
• Feeling lonely, especially when holiday activities are reminders of happier times with those who will be missing from this year’s festivities. 
• Feeling physically and mentally drained. 
• Having difficulty making decisions or concentrating on tasks at hand. 
• Experiencing changes in appetite or sleep patterns. 
• Increasing alcohol or substance abuse.

Establishing a comfortable routine is helpful, but takes time. Here are some actions to undertake:

• Ensure that you have a safe place to stay.
• Maintain a balanced diet and drink plenty of water. Too much holiday "cheer" can increase your stress. 
• Get adequate sleep and rest. 
• Stay positive. Remind yourself of how you have dealt successfully with difficulties in the past. 
• If you have children, be patient and give them extra time and affection. 
• Take each day one day at a time. Live in the present without burdening yourself with the things that you need to do in a week or a month. 

Ways to ease stress include: 

• Talk with someone about your feelings of anger, sorrow or other emotions, even though it may be difficult. 
• Seek help from professional counselors who deal with post-disaster stress.
• Do not hold yourself responsible for the disastrous event. 
• Use existing support groups of family, friends and religious institutions. 
• Honor your holiday traditions, but be flexible and prepare for new activities. 

Help can be found by visiting the Substance Abuse and Mental Health Services Administration (SAMHSA) Disaster Distress Helpline website at http://www.samhsa.gov/find-help/disaster-distress-helpline/contact-us, or by calling 1-800-985-5990 (press for Spanish). The national hotline is dedicated to providing year-round immediate crisis counseling for individuals experiencing emotional distress related to any natural or human-caused disaster. You can also Text "TalkWithUs" to 66746 (Spanish speakers, text Hablanos to 66746) to connect with a trained crisis counselor. 

For more information on Florida’s disaster recovery, visit fema.gov/disaster/4280, fema.gov/disaster/4283, twitter.com/femaregion4, facebook.com/FEMA, and fema.gov/blog, floridadisaster.org or #FLRecovers. For imagery, video, graphics and releases, see fema.gov/Hurricane-Matthew. 

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-3362 (voice, 711/VRS - Video Relay Service) (TTY: 800-462-7585). Multilingual operators are available (press 2 for Spanish

There’s saving money, and there’s really saving a lot of money.


The distinctions aren’t always clear to budget enthusiasts who may sometimes enjoy drilling a little too deep to achieve arbitrary percentages of cost reductions by only trying to make the tiniest of trims here and there.

For instance, it’s not hard to thinly slice away at a few employee perks, maybe not send as many people to conferences/networking events, or switch from occasional catered employee lunches to less frequent potlucks. Some companies have considered minor cuts to hours, based on the hope that productivity won’t change drastically at 32 hours a week instead of 40, and they won’t have to pay as much in benefits.



If your data recovery plans are lengthy, detailed, and/or “bare metal” based, requiring comprehensive operating system, database and application recovery steps, then they are almost certainly out of date and not functional. If that is the case, then you should probably revisit your recovery strategy and ensure that it meets your business needs (that is a topic for a different blog). Even if your plans are not “bare metal” based recovery, they are probably not functional.

With the current technologies (e.g., virtual servers, virtual storage, storage-based replication, application-based replication, disk to disk backup), data recovery plans should be very different from what they were even 10 years ago when these technologies were first becoming more common.

To make your data recovery plans functional, you should ensure that the following items are included:



Tuesday, 22 November 2016 00:00

FEMA: How to Get Prepared for the Holidays

I don’t know about you, but right now all of my social media feeds are full of photos of early holiday decorations, descriptions of many communities’ first snows, and chatter over what stores are going to have the best sales on Black Friday. It’s the week before Thanksgiving and so these things have essentially become tradition.

That first snow? That just happened in places like my hometown in New York and in the southeast. Schools were closed or had delayed openings. It’s served as a rude awakening that it’s not summer anymore. (I know that I was definitely one of the people that were in denial about winter coming.)

With that inevitably happening and the holiday season about to start in just a matter of days, there are a few simple things that you can do right now to get yourself ready.

  1. If you’re heading out to visit family or friends, pack a few extra things like a first aid kit, a flashlight, and a spare charger for your phones or tablets. Those could come in quite handy in case of any kind of weather or delay in travel.
  2. If you’re the one preparing a delectable feast for Turkey Day (or any of the other upcoming holidays), make sure you’re being safe by keeping kiddos away from sharp objects and hot surfaces and cooking your bird all the way through. (Pro Tip: Our friends over at foodsafety.gov have some really helpful advice for making sure your meal is not only safe, but delicious as well.)
  3. Check out the Holiday Social Media Toolkit to help your friends and family be in the know about how they can have a safe and great holiday too.

This time of year is a wonderful one (even though many of us aren’t quite fans of the drop in temperatures) to spend with your friends, family, and loved ones. We would love to encourage you to do three more things: Be safe, eat well, and have a lovely holiday season.

--Jessica Stapf, Digital Storyteller at FEMA

The Business Continuity Institute - Nov 22, 2016 17:03 GMT

The Business Continuity Institute is delighted to announce that Tim Janes Hon. FBCI will be the new Vice Chair of the Board of Directors at the Institute, as voted for by his fellow members of the Global Membership Council. Tim takes over from James McAlister FBCI who becomes Chair following the end of David James-Brown FBCI’s two years in charge.

Tim, a Director at Risk Management Design in Australia, has previously served as one of the Membership Directors on the BCI Board, and as the representative for Australasia on the BCI's Global Membership Council.

On taking up the new role, Tim commented: "This is an exciting time to be elected as the new Vice Chair of the BCI. We have a new Executive Director and great plans for enhanced member services and international growth. Recent world events have shown how political, social and economic ‘certainties’ can be overturned. I think these conditions together, will present many opportunities for our profession to show how we help organisations to manage through unfamiliar, disruptive challenges. My goal is to help the BCI to provide practical and effective support for all members in this dynamic global environment."

Sixty-six percent of the general population has been traumatized at some point. Eighty percent of workers feel stressed on the job. When you combine a traumatic experience and stress, the risk for adverse workplace behaviors can be high. To combat this, emergency managers can collaborate with leadership and human resources to improve resiliency components and decrease stress among their teams.

There are different definitions of trauma. For example, the University of Maryland defines trauma as “an experience that causes physical, emotional, psychological distress or harm. It is an event that is perceived and experienced as a threat to one’s safety or to the stability of one’s world.” The Substance Abuse and Mental Health Services Administration (SAMHSA) defines trauma as “experiences that cause intense physical and psychological stress reactions, which could be a single event, multiple events, or a set of circumstances experienced by an individual as physically and emotionally harmful or threatening, and have long lasting effects to the individual.”



Tuesday, 22 November 2016 00:00

Ethics and Your IT Sourcing Strategy

IT servers, enterprise applications, data centres and cloud services might seem a world away from other sectors traditionally attracting attention in terms of an ethical sourcing strategy.

Yet many of the same issues like bribery, coercion, extortion, favouritism, and illegal sourcing are also potential risks in IT sourcing, both directly and indirectly.

Apple’s problems with Foxconn, its manufacturer of iPhones, illustrate the problem. Riots and suicides in the Taiwanese company’s workforce also tarnished Apple’s reputation. An IT sourcing strategy has to take ethical procurement into account if it wants to avoid similar problems.



An Example of What Not to Do

More organizations are realizing the benefits of mass communications and have implemented at least some type of solution to enable instant notifications with their employees. With so many people using mobile phones, it’s obvious that these notifications must involve mobile communication. Text alerts are gaining in popularity but not all text notifications are helpful. In fact, some can be detrimental to public safety.

Take, for instance, the New York City and New Jersey bombings that occurred earlier this year. Kudos to the states for having an emergency alert system in place to notify its residents of such threats, but instead of celebrating its success, it has become a case study in how NOT to send out mass notifications.

The FCC’s Wireless Emergency Alert (WEA) system was used to send short text messages to cell phone users in the NYC area alerting them to watch out for a bombing suspect named Ahmad Khan Rahami. Can you spot why this text was completely ineffective and even dangerous?



Successful IT project teams require a good balance of resources with different skills and perspectives. The best technical SMEs are creative problem solvers with experience operating in complex and nuanced environments. Great business PMs foster trusted relationships with stakeholders and ensure that their technical counterparts are supported. A powerful business tool is created when a unified team dynamic is fostered between the two skillsets.

A poorly aligned team can not only be stressful to manage; it also exposes the business to higher levels of risk. In these situations, organizations are susceptible to the following negative outcomes, among others.

  • Rushed changes that don’t fully factor in people or technology impacts
  • Delayed delivery because risks are too high and ownership is unclear
  • Products that don’t focus on quality or usability



It's hard to believe Cyber Monday is only a week away. For many traditional and ecommerce retailers, Cyber Monday is the most significant online shopping day of the year. And it won’t stop there. Online shopping over the next few weeks will provide a significant boost to many companies’ bottom lines.

Monitoring and communicating information about IT outages and failures associated with online retail shopping can be a daunting task. At any time of the year, IT professionals are under intense pressure to safeguard the security of their organization’s data and physical facilities, and to ensure information continues flowing in the event of a disruption.



According to PhishMe Inc.'s 2016 Q3 Malware Review, the proportion of phishing emails that deliver some form of ransomware reached 97.25 percent in the third quarter of 2016.

Locky ransomware executables were the most commonly-identified file type in the third quarter, PhishMe found. "Locky will be remembered alongside 2013's CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape," PhishMe CTO and co-founder Aaron Higbee said in a statement. "Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties."

And while just 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of malware samples in those emails far exceeded that of the ransomware campaigns.



Monday, 21 November 2016 00:00

BCM & DR: Know Your Requirements!

Have you ever been in the situation where you ask your significant other what they want for dinner but receive a response that sounds non-committal and open-ended? They don’t care what it is; they’ll eat whatever you make, only to say they weren’t in the mood for what it was you made for them. It happens a lot I’m sure, just as it happens in the BCM / DR world.

Some IT groups (those responsible for IT Technology Recovery) just start throwing around ideas and thoughts of what they believe they need or want and start making determinations and decisions without fully investigating what it is they really need. They start speaking for the clients and customers – their business – and moving forward based on what they believe is required, only to get further down the path and find out that what they set up or have started in progress doesn’t and won’t meet the need of their business. They didn’t investigate the requirements; the very things that will determine what path they need to take in setting up a Technology Recovery Plan (TRP).



The Business Continuity Institute - Nov 21, 2016 16:35 GMT

Two thirds of organizations aren’t prepared to recover from a cyber attack, according to a new study by the Ponemon Institute on behalf of Resilient (an IBM Company), and only a third of organizations feel they have a high level of cyber resilience.

The Cyber Resilient Organization Study found that 75% of respondents admit they do not have a formal cyber security incident response plan (CSIRP) that is applied consistently across the organization. Of those with a CSIRP in place, 52% have either not reviewed or updated the plan since it was put in place, or have no set plan for doing so. Additionally, 41% say the time to resolve a cyber incident has increased in the past 12 months, compared to only 31% who say it has decreased.

“This year’s cyber resilience study shows that organizations globally are still not prepared to manage and mitigate a cyber attack,” said John Bruce, CEO and co-founder of Resilient. “Security leaders can drive significant improvement by making incident response a top priority – focusing on planning, preparation, and intelligence.”

The study also uncovered common barriers to cyber resilience. The majority – 66% – say “insufficient planning and preparedness” is the top barrier to cyber resilience. Respondents also indicate that the complexity of IT and business processes is increasing faster than their ability to prevent, detect, and respond to cyber attacks – leaving businesses vulnerable. This year, 46% of respondents say the “complexity of IT processes” is a significant barrier to achieving a high level of cyber resilience, up from 36% in 2015. 52% say “complexity of business processes” is a significant barrier, up from 47% in 2015.

It is perhaps this lack of preparedness that contributes to cyber attacks and data breaches featuring as the top two concerns for organizations according to the Business Continuity Institute's latest Horizon Scan Report. This report revealed that 85% and 80%, respectively, of respondents to a global survey expressed concern about the prospect of these two threats materialising.

The Cyber Resilience Report, also published by the BCI, revealed that two thirds of organizations experienced a cyber security incident during the previous year and 15% experienced at least 10. This shows that the cyber threat is very real and organizations must take it seriously and prepare themselves to combat against it more effectively.

“While companies are seeing the value of deploying an incident response plan, there is still a lag in having the appropriate people, processes, and technologies in place,” said Dr. Larry Ponemon. “We are encouraged that this is becoming a more important part of an overall IT security strategy.”

The Business Continuity Institute - Nov 21, 2016 09:49 GMT

That unmistakable feeling that the world just got unstable is becoming a way of life in NZ, but you never get used to the nightmare that is an earthquake. It seems almost comical to chuck a Senior Business Continuity Consultant into an earthquake, then be evacuated due to a tsunami risk - exactly what we preach daily!

The one that hit our two-story house at Waikuku Beach just after midnight on Monday 14th November, felt like it was never going to stop. As a Crisis Management Consultant, I frequently talk about my experiences in the Christchurch 2010/11 earthquake and the stress that each aftershock brings, because you never really know how long it's going to last. This was no aftershock, this was the real deal and it just wouldn’t stop, 40 seconds of the ground turning to jelly then, 2-3 minutes of it trying to settle into its new bed beneath our feet. Remember in the 80's when those water beds came out and destroyed everyone's backs? Well, it felt like my home had been placed on one of those and we were told to brace.

Survival mode kicks in, following the standard drill; drop, cover, hold. A quick inspection for damage, a couple of broken ornaments but no rushing water, no cracks in the walls. Initial impact assessment complete. Time to get the incident team together, me and the wife! Sorry old habits die hard, processes just kick in and stuff gets done, yes I'm an incident nerd!

Things are not good, but are we in a crisis yet? If we are then this definitely has the characteristics of a sudden crisis:

  • Unpredictable, unexpected: Fast asleep in dreamland this was certainly unexpected.
  • High degree of instability: we were certainly all over the place for the first five minutes, is this really happening again after the five years of torment already?
  • The immediate potential for extreme negative results: Things seem OK in our world but we had no idea that most of NZ were feeling this one. My flight to Wellington later in the day was looking doubtful.
  • Immediate management attention, time and energy: With the realisation of a real threat of tsunami, my attention was now focusing on our escape plan.
  • Often brings about organisation change: Living at the beach is losing its charm, my wife is looking for higher ground!

Being in the business and being an earthquake veteran the 'grab bag' is always ready to go. The basics in tow - torch, gas cooker, first aid kit, water, tins of beans, battery charger, sleeping bag etc, and of course, dog food! So when the tsunami alert was given we were ready to go. We had a plan and we were just about to put it into effect.

But planning and doing are two different things, again something I've spent many years trying to teach. The realisation when we drove out of our drive joining the rest of the fleeing villagers, that we might not see our house again, can't be simulated in an exercise. Not that I have made my wife practice our evacuation procedures, I'm not that much of a nerd! But I was working hard to recall my training on the human impact of a crisis. Magnified by the fact that our animal family was one short, the cat was nowhere to be seen! Despite trying to follow what you've been taught and what we know as professionals, emotions start to sink in. Driving away in the pitch black with our lovely, peaceful house fading into the background in my rear view mirror, not knowing whether it would handle the night ahead.

Impact assessment complete, the team assembled, communications complete to my son in Wellington and our recovery strategy initiated, we relocate to an alternate location. Classic 5 initial steps to managing your crisis.

Of course, these actions relate to recovering your business, but why not relate them to your own preservation too? Having a plan, any plan is always a good idea. In a night of unknowns and real stress, it certainly helped to focus my mind. After seven hours of sitting in our truck on a hill with the dogs, not knowing if the five-meter wave predicted was coming, it was a relief when we got the all clear to head home.

Time now to put my business continuity for my business into action. My clients in New Zealand (Wellington, Christchurch, Nelson and Tauranga) were dealing with their own issues, so our meetings were put on hold. But my Australian clients would still need attention. My Maximum Allowable Outage (MAO) 24 hours, for my critical process Respond to client enquiries and issues, was not under threat.

Lessons learned:

Every incident is different, this was real - not a test, but we can still learn from it. We can always do things better. My fuel tank on the truck had dropped below half full. Always keep it above half.

Don’t panic, it really doesn’t help. Your employees or your wife won't appreciate it, people need to be led by a strong confident leader.

Make a decision. The tsunami alarm didn’t work, some people stayed. The radio said leave because that was the advice from Civil Defense. Better to get ahead of the game, you can always come back if it’s a false alarm.

Have a good plan for the pets, they have to come and they don’t always want to. The cat needs a cat box, he will run off the first chance he gets.

Have your grab bag ready to go. Check it frequently, stuff can go out of date.

Have a plan, any plan. Remember the 7 Ps. Prior preparation and planning, prevents piss poor performance!

The gas cooker was on full noise on the tailgate of the Hilux 4x4 for the first brew of the day and I have internet connectivity, we are literally 'cooking on gas'. Normal business has resumed, even if I am standing in a paddock of cows overlooking the Canterbury Plains!

Until next time, Plan, do, check, act… (I should know!)

Brad Law MBCI is a Senior Business Continuity Consultant working for Risk Logic.

Friday, 18 November 2016 00:00

BCI: Political risks are on the rise

The Business Continuity Institute - Nov 18, 2016 16:36 GMT

There has been a dramatic increase in political risks according to a new study carried out by Sword Active Risk, and this has largely been attributed to the outcome of the UK Brexit vote and the US Presidential election.

In the UK, 44% of organizations cited the political situation, and subsequent implications, as the biggest potential challenge or unknown to their business, in stark contrast to last year when supply chain and cyber security were the most significant risks being faced by companies. In the US, this year a third of companies saw the domestic political situation and supply chain as the biggest risk, when last year it was geopolitical, and physical/construction risks that were seen as more important.

Keith Ricketts, Vice President of Marketing at Sword Active Risk, commented: “While both of these events were on the horizon last year, no one predicted that they would turn out quite as they have done, with the UK voting to leave the EU, and Donald Trump becoming US President. After the financial challenges of 2008 and the global recession, there was a feeling that many markets were getting back to a more even keel. This is a stark reminder that unexpected events beyond the control of companies can come out of the blue and have a dramatic impact.”

Political change featured as an emerging trend in the latest edition of the Business Continuity Institute's Horizon Scan Report, with 42% of respondents to a global survey identifying it as something for business continuity professionals to watch out for. However, this report was published prior to either of these events occurring so it will be interesting to see where it features in the 2017 report, the survey for which is currently live.

(TNS) - More than a month after Hurricane Matthew’s winds and waves sunk boats and destroyed docks and marinas, questions remain as to who is responsible for cleaning up debris in local waterways and marshland areas.

While Beaufort County, S.C., is partnering with local municipalities and state agencies on efforts to remove storm debris from roadways, that’s not yet the case for debris in the water.

“For marine debris, we are not as far along in the removal process as we are with debris along the roads,” county stormwater manager Eric Larson said earlier this week. “We are working with state agencies trying to determine who is going to take the lead on this.”



Friday, 18 November 2016 00:00

Is Data the New Oil?

Intel CEO Brian Krzanich recently made the controversial statement that data is the new oil. The implication is that data is trending and gaining in power. However, I’d argue that data has always had the potential to be more powerful than oil and that what is changing isn’t its value but our ability to make use of it. Regardless of how you approach this argument, Intel is in a good position to benefit from this change, but likely needs to play an even bigger role to assure its survival, and ours.

Let’s chat about that this week because I don’t think we talk about the downside of data enough to prevent it.



If you really want to be prepared for a cyber incident, you need to establish a response team (CIRT) ahead of time. Your team should be made up of everyone you can think of that can help detect, diagnose and isolate an incident. Your team members should be identified beforehand, but as each event is unique, your team may change depending on the type of incident. Your cyber-response team is different than your broader incident management team, though they do work together.

Members of your team should include:



Friday, 18 November 2016 00:00

BC & DR Pros, We Need Your Help!

Posted by Stephanie Balaouras on November 17, 2016


Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business resiliency. Each year, we focus on a particular resiliency domain: IT disaster recovery, business continuity, or overall enterprise risk management. The studies provide BC pros, DR pros, and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to understand if you’re in line with industry best practices and/or you need to convince skeptical executives change is necessary.

This year’s study will focus on IT disaster recovery or resiliency (my preferred term). We’ll examine the overall state of DR maturity including organizational trends, reporting lines, staffing levels, progress towards active-active data center configurations, adoption of advanced technologies for application failover and data replication, current recovery time and recovery point capabilities, and the most common causes of downtime. In our last three surveys, the number one cause of downtime has been power outages; let’s see if the trend holds or if we will see a new emperor of downtime like DDoS attacks.

For DRJ readers, the results and a summary analysis will be available on their website in January, and if you attend the upcoming DRJ Spring World 2017, I'll be there to deliver the results in person. For Forrester clients, myself and Naveen Chhabra will write a series of in-depth reports that will examine each of the survey topics in depth during the next several quarters. If you feel this data is valuable to the industry and you’re a DR, BC, or ERM decision-maker or influencer, please take 15 to 20 minutes to complete the survey. All the results are anonymous. We don’t even need your email address unless you’d like a complimentary Forrester report (and I promise we won’t use your email address for any other purpose).

Click here to take our survey.

The Business Continuity Institute - Nov 18, 2016 09:11 GMT

Incredible as it may seem to your average, dyed-in-the wool business continuity professional, the fact is that the majority of 'normal' business people don't find the subject of business continuity management particularly enthralling.

Why is this? There are, after all, some elements of the business continuity process that are, at the very least, vaguely interesting and, in some cases, actually quite challenging or thought-provoking.

One reason may be the way that it's usually packaged. How often do we see the person leading the process begin by a) spouting doom and gloom about all the terrible things that might befall our organisation and b) spending hours describing the business continuity lifecycle? You know the one. It usually comes with a diagram comprising a circle surrounded by words like analysis, strategy, plans, testing, maintenance and so forth. And many a seasoned business continuity professional has been known to rattle on about this process for hours on end.

Then there's the business impact analysis, usually the first activity, other than sitting through the aforementioned presentation, that the business people are asked to participate in. Unfortunately, most business impact analyses are about as exciting as watching paint dry. And when you consider that most people have an awful lot of other things vying for their time and attention, is it really any wonder that they don't fully engage with a programme that starts like this?

But it doesn't have to be like that. Whilst the various elements of the business continuity lifecycle have to be addressed in some form if the resulting capability is going to be worth anything, they don't have to be approached in a way that makes people switch off from the outset.

There are a number of things that can be done to make the business continuity programme more interesting and engaging. Examples include:

  • Starting with an exercise rather than a business impact analysis. And maybe using a format for the exercise that's entertaining or light-hearted, rather than doom-laden and pressurised. It might, for instance, include an element of competition, or the event might be structured like a game or a quiz show, rather than yet another meeting or navel-gazing session.
  • Using such games and competitions throughout the programme to stimulate discussions about important issues. You might, for instance, pit teams against each other and award points or prizes for the winners or those who correctly identify whatever it is that you want them to.
  • Engaging with the creative people in your marketing team to come up with some interesting, thought-provoking awareness materials or to create a 'brand' for the programme.

There's no law that says business continuity management has to be dull - it just happens that way in many organizations. Whilst the above suggestions won't necessarily result in a laugh-a-minute romp that people shun their other day-to-day activities to participate in (and, let's face it, what other business activities are like that?), it might make them more inclined to get involved.

So why not give it a go in your organization? All it requires is a bit of creativity. And, yes, there may be a bit more effort involved in the planning and preparation, but if you can engage people that effort will be repaid many times over in results compared with the more typical, same-old-same-old, dull-as-dishwater business continuity approach.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Listen carefully. Do you hear it? That eerie hissing noise? It’s not a plumbing issue. It’s the sound of your data — growing exponentially by the nanosecond. With every breath and every blink of an eye, your data continues to grow, subtly yet inexorably. Think snow: The flakes fly, first one, and then another, and another, then grow to a torrent seemingly before your eyes. What was a clear, clean sidewalk has swiftly become a mountain of white stuff. It’s a lot like data: You know it’s collecting, yet when you turn your concentration to other things, suddenly you find you’re buried in information.

Whatever business you run, product or service you provide, data growth is a fact of your life. How it affects your life and your bottom line has everything to do with how you assess your data storage needs, and how effectively you respond to data expansion within your organization. Like snow, even the most accurate forecast won’t solve your shoveling problem unless you’re proactive about handling it.

How did it ever get this way with data? It’s simple, and it isn’t. First, almost every organization has an insatiable appetite for data. We crave it, create it, store it, scrutinize it, and continue to make more of it. In fact, the prestigious research company Gartner, Inc., points out that the average IT department’s data grows at the incredible rate of 40% per year. By this accounting, your storage capacity will need to double over the next year to 18 months!



Are you weighing the benefits of cloud storage versus on-premises storage? If so, the right answer might be to use both–and not just in parallel, but in an integrated way. Hybrid cloud is a storage environment that uses a mix of on-premises and public cloud services with data mobility between the two platforms.

IT professionals are now seeing the benefit of hybrid solutions. According to a recent survey of 400 organizations in the U.S. and UK conducted by Actual Tech, 28 percent of firms have already deployed hybrid cloud storage, with a further 40 percent planning to implement within the next year. The analyst firm IDC agrees: In its 2016 Futurescape research report, the company predicted that by 2018, 85 percent of enterprises will operate in a multi-cloud environment.

Hybrid has piqued interest as more organizations look to the public cloud to augment their on-premises data management. There are many drivers for this, but here are five:



Thursday, 17 November 2016 00:00

12 Reasons Risk Management Fails

Risk management has gained increased attention and interest in recent years, both from industry professionals and academics. The main focus of thorough risk management is the continuous identification and treatment of the potential risks. Its objective is to add maximum continual value to all the activities within the organization. In addition, in developed and emergent countries, capital markets have become more significant and as a result, nonfinancial corporations and banks have recognized that the number, type and extent of their threat landscape and inherent risks have increased significantly. Finally, a wave of unpredictable payment-related enhancements can be considered both a source of risk and a method to mitigate.

Risk management has also gained attention considering the ongoing and widely publicized failures having roots in its erroneous implementation. Risk management failures prohibit organizations from meeting their goals, thus determining repetitive – and sometimes of exponential magnitude – business and project failures. Although the risk management approach varies among firms, enterprise risk management is an organizational pivot point in achieving corporate goals. Risk and performance are inevitably connected. By establishing a reliable and controlled process for managing risks, organizations can determine the predictability of their outcome. Enterprise risk management enables enhanced decision-making, consequently enabling significant cost savings. Additionally, if properly implemented, risk management connects risks across various levels in the organization and, in leveraging other processes such as program management, enables threat-to-opportunity conversion.



Thursday, 17 November 2016 00:00

Your Incoming Text Messages Are Going to Change

Think you get a lot of emails? Your text messages are about to explode as well, at least that’s what I’m predicting. Why? Because more and more organizations are beginning to understand what you and I have known all along: texting is the quickest and easiest way to communicate.

Texting personal messages between friends, groups, and colleagues has become an American mainstay. I say “American” because countries like Japan and Korea rarely text. Instead, they prefer instant messaging apps. But that’s another blog for another time. The purpose of this blog is to help you understand that these interpersonal texts are most definitely going to become a little less personal.



Thursday, 17 November 2016 00:00

The Functional Business Impact Analysis (BIA)

Creating a functional Business Impact Analysis (BIA) can be a daunting task for any organization.  As a foundational requirement of any continuity program, it must be completed in order for you to understand risk and drive the development of plans, identification of recovery strategies, and implementation of solutions. 

As a company, MHA has conducted well over 2,000 BIA interviews. Our goal is to make sure that the information gathered and the process used are built around ensuring the functionality of the BCM Program. Over the years, we have developed a highly refined process to plan, conduct and report the results of a formal BIA. That process allows for 3.5 to 4.0 hours of a business unit’s time to complete the BIA. This includes 45 minutes to complete the pre-work, 2.5 hours or less for the interview, and 0.5 hours to validate the results. Organizations are now often asking us to finish interviews in as little time as possible – often in the 1 – 1.5 hour time frame!

We have learned that while it is possible to perform a BIA efficiently, it is still a time-consuming process, especially when the data is significantly out of date (> 2 years). Your questionnaire should be in compliance with best practices, but be tightly focused, have limited questions, and be objective. The goal is always a functional outcome, not just “checking the box.”



Stakeholders demand that companies grow, but at the same time, they expect growth to be managed to make sure the brand is not tarnished. That means enabling value as well as protecting value, which comes down to striking the appropriate balance between risk agility and risk resiliency.

For many years, risk management has focused on protecting the brand and keeping the company out of trouble. But if it’s done right, risk management is about playing not only defense but offense as well—it’s about value protection and value enablement.



The human and economic costs of extreme natural disasters on poverty are much greater than previously thought and insurance is one of the resilience-building tools that could help, according to new analysis from the World Bank.

In all of the 117 countries studied, the report finds that the effect of floods, windstorms, earthquakes and tsunamis on well-being, measured in terms of lost consumption, is larger than asset losses.

It estimates the impact of disasters on well-being in these countries is equivalent to global annual consumption losses of $520 billion, and forces 26 million people into poverty each year. This outstrips other estimates by 60 percent.



The Business Continuity Institute - Nov 17, 2016 11:33 GMT

How time flies, I cannot believe it’s been two years since I contributed to the Business Continuity Institute’s ‘20 in their 20s’ publication. I’ve been in my current role for just over a year, working as a Payments Risk Manager. Whilst I no longer work with the business continuity team in Operational Resilience, BC still features as part of my remit and I am accountable for BC to the Payments Division. This includes ensuring our testing capabilities are mapped, mission critical activities are documented but also, starting to consider the resiliency of our payment services we offer as an organization.

I’d say my outlook on BC remains unchanged in the sense that I entirely value the importance of a good BCM framework and the responsibilities that support it. Equally, culture is something I massively champion in my current role and needless to say, ‘always on’ is the expectation which helps culture to evolve and mature. In my opinion, the financial services industry has responded brilliantly to the challenges faced by customer expectation, and resiliency is a key factor to ensuring we always meet those needs. Whether it be bolstering third party relationships with robust governance, to installing huge change programmes to improve IT and value chain resiliency, every financial services organization is switched on to protecting their corporate objectives as we move swiftly into the arena of innovation and digital payments.

I’ll always have a fond place in my heart for business continuity and maybe one day, I’ll find myself in a BC exclusive role again… but for now, I’m having too much fun in Payments!

Within an organization of size, you’re always going to struggle to get culture right for different initiatives. The general top down approach works well, but there’s a lot to be said for cross collaboration over different divisions and peer level interdependencies. The market also has a great stake in the corporate objectives, be it throwing the light on conduct and good customer outcomes or a competitor experiencing a widespread incident. Those ‘big ticket items’ will always prompt activity and focus and, in a way, the culture of the organization has no choice but to move with the times.

For BC in particular, it can be tough to get traction if the business has experienced calm waters for a while. The problem with that is, it doesn’t necessarily bring a call to action to the forefront of people’s minds and culture can suffer as a result. However, we’re in a different world now to where we were as an industry five years ago – IT estates are not only crucial but expectant to be fully resilient to ensure the customer expectation is met, and businesses have been purposefully carving out strategies to evolve business and IT resilience; within which, BC is a core component. In doing so, embedding the culture of business continuity becomes less cumbersome, more like a business-as-usual activity and a key part of everyone’s role.

Scarlett Morgan has worked for Nationwide Building Society for many years and in that time has worked in operations, transformation, business continuity, payments risk and technical services. In her new and current role, Scarlett works as a Development Specialist in Payments, driving process improvements and embedding corporate governance into the functions of the team.

Wednesday, 16 November 2016 00:00

Three Trends Driving Digital Business Innovation

The conventional paradigm for value creation is being abandoned, and IT organizations are struggling in the face of three major challenges. We need to look at how to extract value from an ever-growing mass of data spread across disparate sources. We must find strategies to cope with the impact and opportunity that the Internet of Things (IoT) brings. And, we need to adapt to evolving work habits and a mobile workforce.

The Promise of Big Data Analytics

This is the third generation of transformative change in IT in recent years. There’s been a shift from bespoke applications serving specific business purposes to enterprise resource planning (ERP) ushering in an era of more integrated software that helped us to better manage the execution of our businesses.

Now, with big data analytics, we’re looking for insights in all the wonderful transactional data we’ve been gathering for years. Failures in data governance and data model definition are making it difficult for analytics. In many cases, the data is simply too diverse and disparate. The full potential benefits will only be realized when we connect it together.



This week I read an article about Canada’s struggle to unify its emergency alert system. Major Canadian cities frequently use differing systems and often those systems are unintegrated, causing the mass alert system to be inefficient and even dangerous with its omissions. As the author put it, “…the audiences for those warning are often scattered across a vast region, and the organizations that broadcast them can differ as much as the methods they use to communicate.”

While this is speaking about Canadian cities, it struck me how similar their challenges are to just about any organization worldwide. Organizations, too, struggle to find an emergency alert system that works not just for some, but for all. With so many companies comprised of a dispersed workforce that use differing devices and channels, the issue becomes less about the emergency message and more about how to get it to every employee, near and far. Leaving even one employee in the dark could mean the difference between life and death.