Industry Hot News

Attention to America’s immigration policies has intensified recently, with politicians and citizens wrangling over whether and how to control the number of foreigners entering the country. Emergency managers, however, largely don’t believe immigration is their issue. Except, in a sense, it is.

“I don’t see why or how [immigration] really relates to emergency management, which is distinct from homeland security,” said hazmat and emergency management logistics lecturer Bob Jaffin. “Why would that even come up … in a situation that is an emergency?” 

That sentiment holds true when evaluating the black-and-white definition of emergency management, but shades of gray exist in a number of areas. Immigration affects emergency managers in roundabout manners; instead of focusing on direct involvement — such as enforcement or policymaking — they attend to indirect effects, such as language barriers and population shifts.

...

http://www.govtech.com/em/disaster/EM-Mag-Immigration-Implications.html

The Business Continuity Institute

Cyber espionage is now the most common type of attack seen in manufacturing, the public sector and education, warns Verizon's latest Data Breach Investigations Report. Much of this is due to the high proliferation of proprietary research, prototypes and confidential personal data, which are hot-ticket items for cyber criminals. Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related, many of which started life as phishing emails.

In addition, organized criminal groups have escalated their use of ransomware to extort money from victims with this year’s report showing a 50% increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyber attack.

“Insights provided in the DBIR are leveling the cyber security playing field,” said George Fischer, president of Verizon Enterprise Solutions. “Our data is giving governments and organizations the information they need to anticipate cyber attacks and more effectively mitigate cyber risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we’re able to offer valuable intelligence that can be used to transform an organization’s risk profile.”

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity Institute's latest Horizon Scan Report. It is for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017, with the intention of improving an organization's overall resilience by enhancing its cyber resilience, and recognising that people are key to achieving this.

“Cyber attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “Cyber criminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

With 81% of hacking-related breaches leveraging either stolen passwords and/or weak or guessable passwords, getting the basics right is as important as ever before. Some recommendations for organizations and individuals alike include:

  1. Stay vigilant - log files and change management systems can give you early warning of a breach.
  2. Make people your first line of defence - train staff to spot the warning signs.
  3. Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it.
  4. Patch promptly - this could guard against many attacks.
  5. Encrypt sensitive data - make your data next to useless if it is stolen.
  6. Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
  7. Don’t forget physical security - not all data theft happens online.
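Recommendation 1 only helps if somebody actually reads the logs, and the pattern worth reading for is the one behind the 81% figure above: a burst of failed password attempts from one source, sometimes followed by a successful password login. The script below is an added example written for this page, not code from the DBIR or the BCI; it sifts sshd-style authentication lines for that pattern. The log lines are constructed, and the threshold of five failures, the sshd message format and the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines for the example (not real data).
SAMPLE_LOG = """\
Apr 26 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 26 10:01:03 web1 sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Apr 26 10:01:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 26 10:01:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51237 ssh2
Apr 26 10:01:06 web1 sshd[2101]: Failed password for deploy from 203.0.113.7 port 51238 ssh2
Apr 26 10:01:09 web1 sshd[2102]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2
Apr 26 10:05:11 web1 sshd[2110]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Apr 26 10:05:20 web1 sshd[2111]: Accepted publickey for alice from 198.51.100.4 port 40013 ssh2
"""

# One regex for both outcomes; "invalid user" is swallowed so the user name is uniform.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)"
)

def parse_events(text):
    """Yield a dict per line we understand; everything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_password_guessing(log_text, threshold=5):
    """Group auth events by source IP and flag sources with >= threshold failures.
    A password login from that source after the failures is recorded as a
    likely compromise (a guessed or stolen password has just been used)."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": None})
    for ev in parse_events(log_text):
        s = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif ev["method"] == "password" and s["failures"] >= threshold:
            s["success_after"] = ev["user"]
    alerts = {}
    for ip, s in per_ip.items():
        if s["failures"] < threshold:
            continue
        alerts[ip] = {
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "success_after": s["success_after"],
            "verdict": "likely compromise" if s["success_after"] else "password guessing",
        }
    return alerts

if __name__ == "__main__":
    for ip, a in find_password_guessing(SAMPLE_LOG).items():
        tail = f", then login as {a['success_after']}" if a["success_after"] else ""
        print(f"{ip}: {a['verdict']} ({a['failures']} failures, users {', '.join(a['users'])}){tail}")
```

On the sample, 203.0.113.7 is reported as a likely compromise (five failures across four accounts, then a password login as deploy) while alice's single typo from 198.51.100.4 stays below the threshold. The "then login" case is the one to escalate first; it is also exactly the login that recommendation 6, two-factor authentication, would have stopped.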

“Our report demonstrates that there is no such thing as an impenetrable system, but doing the basics well makes a real difference. Often, even a basic defence will deter cyber criminals who will move on to look for an easier target," concludes Sartin.

Ever since marketing figured out that companies could do better by asking customers what they wanted, rather than just trying to tell them, businesses have moved massively to the notion of working backwards from the customer.

Indeed, Jeff Bezos, founder of Amazon.com, declared, ‘‘We start with the customer and we work backward. We learn whatever skills we need to service the customer.’’

It seems like business continuity planners could take a leaf out of the marketing playbook and ask customers what they would like to see in terms of their provider’s business continuity.

But is that enough?

...

http://www.opscentre.com/business-continuity-working-backwards/

Wednesday, 26 April 2017 16:25

Business Continuity by Working Backwards

A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is from a malicious hacker attack.

But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.

One way to sidestep both of these problems is to carry out your own network penetration tests.

In this article, we'll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.
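The simplest internal check the article is pointing at is a TCP connect scan with a banner grab: which ports on a host answer, and what do they admit to running. The following is an added example written for this page, not code from eSecurity Planet. It starts a throwaway listener on 127.0.0.1 so the scan has something to find offline; the banner text, the port range and the guard that refuses anything outside loopback or private address space are assumptions. Point it only at hosts you are authorised to test.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def _start_banner_listener(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Throwaway service on 127.0.0.1 that greets each client with a banner,
    so the scan below can be demonstrated without touching a real host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def probe(host, port, timeout=0.5):
    """Full TCP handshake, then read whatever the service volunteers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""             # open, but silent until we speak first
            return port, True, banner
    except OSError:                     # refused, timed out, unreachable
        return port, False, ""

def scan(host, ports, workers=32):
    """Connect-scan `ports` on `host`; returns {open_port: banner}."""
    addr = ipaddress.ip_address(host)
    if not (addr.is_loopback or addr.is_private):
        raise ValueError("refusing to scan a public address from this example")
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: probe(host, p), ports))
    return {p: banner for p, is_open, banner in results if is_open}

def demo():
    """Start the listener, scan a window of ports around it, return (port, findings)."""
    srv, port = _start_banner_listener()
    try:
        return port, scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()

if __name__ == "__main__":
    port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"127.0.0.1:{p} open  {banner or '(no banner)'}")
```

A connect scan is noisy and slow compared with what a dedicated scanner does, but it needs no privileges and the banner it returns is the same version string an attacker would match against a vulnerability list, which is why it goes stale as soon as you patch or redeploy.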

...

http://www.esecurityplanet.com/network-security/penetration-testing.html

A successful entrepreneur spends all the time necessary to plan, down to the smallest detail, the workings of his or her business. Staffing, marketing, inventory, equipment, investors, and location and more are all a part of the dynamic. One aspect missing from many business plans is a strategy and system for unexpected problems caused by a disaster that harms the company’s physical plant. Whether resulting from natural forces, mechanical breakdowns, or human error, damage to your place of business halts production and risks the ruin of your hard work and vision. What can ensure your business continues even in the face of tragedy?

Half of the commercial enterprises suffering the effects of water, fire, or other disaster close their doors to deal with the crisis and then never reopen. This shocking statistic is one no business owner dares ignore. Customers and clients need to know the services and products you offer are reliable and available without fail, with no room for excuses. Business continuity is crucial to your company’s growth and survival in a competitive economy. If they are forced to look elsewhere to replace the unique product you provided before a mishap, many of your leads never return. Even a short break in service can predict the downfall of your company.

...

http://nationaldisasterrecovery.org/survive-and-thrive-after-disaster/

Wednesday, 26 April 2017 16:22

Survive And Thrive After Disaster

The Business Continuity Institute

Over 80% of security professionals identify ‘people’ as the industry’s biggest challenge, as opposed to technology and processes, according to the results of the second annual survey from the Institute of Information Security Professionals (IISP).

The survey also indicates that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens. In real terms, spending does appear to be on the rise with 70% of companies seeing an increase in budget, up from 67%, and only 7% reporting a reduction, which is down from 12% last year.

While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.

Cyber security is a hot topic for business continuity and resilience professionals with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber security was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security.

“Many of the figures in this year’s survey show a step in the right direction,” says Piers Wilson, author of the report and Director at the IISP. “The continuing high frequency of cases hitting the headlines and the regulatory pressures, including from GDPR, are leading to a corresponding increase in investment and a drive for increased skill, experience, education and professionalism. However, there is still a lot of work to do and we need to redouble our efforts to meet the challenge of increasingly sophisticated threats.”

The U.S. Justice Department recently announced that 32-year-old Roman Valeryevich Seleznev, known as "Track2," was sentenced to 27 years in prison for a series of cyber attacks that caused over $169 million in damages.

It's the longest prison sentence ever given to a hacker in the United States.

Seleznev was convicted in August 2016 for hacking into point-of-sale (PoS) systems and installing malware designed to steal millions of credit card numbers from more than 500 U.S. businesses between October 2009 and October 2013. Approximately 3,700 financial institutions were impacted by the attacks.

The stolen data was then transferred to servers under Seleznev's control in Russia, Ukraine, and McLean, Virginia, after which Seleznev sold the stolen credit card numbers on carding websites.

Among the businesses Seleznev targeted was Seattle, Washington's Broadway Grill, which was forced into bankruptcy following the attack.
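The alias echoes Track 2, the magnetic-stripe field that PoS memory-scraping malware harvests, and its rigid layout (a Luhn-valid PAN, "=", expiry as YYMM, a service code, discretionary data, between ";" and "?" sentinels) is also what makes exfiltrated card data easy to recognise in a process dump or an outbound request. The script below is an added example written for this page, not code from the DOJ case or eSecurity Planet; it scans a constructed request body for Track 2 records and bare card numbers and reports masked PANs. The PANs are the public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444; the host, expiry and service code are invented.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: True for a plausibly valid card number, which filters out
    order IDs and other 16-digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep BIN and last four so a finding is actionable without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Track 2 record: ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>\d*)\?")
# Bare PAN: a run of 13 to 19 digits not adjoining other digits
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def find_card_data(blob):
    """Return masked findings for Track 2 records and bare PANs found in `blob`.
    Track 2 hits are reported first; a PAN already seen inside a track is not
    reported a second time as a bare number."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(blob):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            seen.add(pan)
            findings.append({"kind": "track2", "pan": mask(pan),
                             "expiry": m.group("exp").decode(), "offset": m.start()})
    for m in PAN_RE.finditer(blob):
        pan = m.group(1).decode()
        if pan in seen or not luhn_ok(pan):
            continue
        seen.add(pan)
        findings.append({"kind": "pan", "pan": mask(pan), "offset": m.start()})
    return findings

# Constructed outbound request from a compromised terminal (not real data).
SAMPLE_BLOB = (
    b"POST /gw HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"
    b"order=1234567890123456&track=;4111111111111111=2012101" + b"12345?&"
    b"note=card 5555555555554444 on file"
)

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_BLOB):
        print(f)
```

The order number 1234567890123456 has the right length but fails Luhn and is dropped; the two test PANs are reported once each, the first with the expiry pulled from its track. In practice this logic belongs on the egress path or in a periodic memory sweep of the PoS process, and the masking matters: a detection tool that logs full PANs has just created another place card data leaks from.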

...

http://www.esecurityplanet.com/hackers/russian-hacker-sentenced-to-27-years-in-u.s.-prison.html

Today’s threat environment is more complex than ever before, requiring that businesses be prepared to combat attacks from many different directions.

These days, outages or issues are often the result of non-traditional concerns or events. As you think about each of the items below, remember that your first step will be to determine the potential risk. Once you understand the risk, you can identify the impact of an occurrence, and determine and implement an appropriate mitigation strategy.

Ask yourself the following questions to determine your potential threats and risks.

...

https://www.mha-it.com/2017/04/todays-threat-environment-how-vulnerable-is-your-business/

Efficient storage management includes migrating aging data through progressively less-expensive storage tiers. When data ends its migration at the cold storage stage, you can keep it for long periods of time at very low cost.

Cloud-based data storage generally falls into these four storage classes or tiers:

  • Hot storage is primary storage for frequently accessed production data.
  • Warm storage stores slightly aging but still active data. It costs less because the underlying storage systems don’t have the high performance and availability requirements, but it keeps data quickly accessible.
  • Cool storage houses nearline data, which is less frequently accessed data that needs to stay accessible without a restore process.
  • Cold storage is a backup and archival tier that stores data very cheaply for long periods of time. Restore expectations are few and far between. Security, durability and low cost characterize this tier.
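Tiering only pays off when the migration is automated, and a lifecycle policy is worth checking before it is applied, because a rule that transitions too early is rejected and a rule that expires data before its last transition quietly deletes the archive. The Python below is an added example written for this page, not from the Enterprise Storage Forum article. It maps the four tiers above to a bucket lifecycle rule in the shape AWS S3's PutBucketLifecycleConfiguration accepts and validates it against two constraints: transitions must be ordered by age, and S3 will not move an object into an infrequent-access class before it has spent 30 days in STANDARD. The choice of AWS, the storage-class mapping, the day thresholds and the seven-year retention are assumptions.

```python
# (tier, S3 storage class, minimum object age in days). The class names are
# AWS's; the tier thresholds are assumed values for this example.
TIERS = [
    ("hot",  "STANDARD",     0),
    ("warm", "STANDARD_IA",  30),
    ("cool", "GLACIER_IR",   90),    # nearline: readable without a restore
    ("cold", "DEEP_ARCHIVE", 365),   # archival: hours to restore, cheapest
]
RETENTION_DAYS = 7 * 365             # assumed retention requirement
MIN_DAYS_BEFORE_IA = 30              # S3 rule: 30 days in STANDARD before *_IA

def tier_for_age(age_days):
    """Which tier an object of the given age has migrated to under TIERS."""
    current = TIERS[0][0]
    for name, _, min_age in TIERS:
        if age_days >= min_age:
            current = name
    return current

def build_lifecycle_rule(prefix, rule_id="tiered-backups"):
    """Lifecycle configuration for objects under `prefix`, ready for
    put_bucket_lifecycle_configuration(LifecycleConfiguration=...)."""
    transitions = [{"Days": d, "StorageClass": sc} for _, sc, d in TIERS if d > 0]
    return {"Rules": [{
        "ID": rule_id,
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": transitions,
        "Expiration": {"Days": RETENTION_DAYS},
    }]}

def validate(config):
    """Return a list of problems (empty list means the rule is sane)."""
    problems = []
    for rule in config["Rules"]:
        days = [t["Days"] for t in rule["Transitions"]]
        if days != sorted(days) or len(set(days)) != len(days):
            problems.append(f"{rule['ID']}: transitions are not in strictly increasing order")
        for t in rule["Transitions"]:
            if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < MIN_DAYS_BEFORE_IA:
                problems.append(f"{rule['ID']}: {t['StorageClass']} transition at day "
                                f"{t['Days']} is before the {MIN_DAYS_BEFORE_IA}-day minimum")
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and days and expiry <= days[-1]:
            problems.append(f"{rule['ID']}: expiration at day {expiry} is not after the "
                            f"last transition at day {days[-1]}")
    return problems

if __name__ == "__main__":
    import json
    cfg = build_lifecycle_rule("backups/")
    print(json.dumps(cfg, indent=2))
    print("problems:", validate(cfg) or "none")
```

Expiration is the point at which the archive is deleted, so the retention figure in the rule should come from the records-retention or legal-hold requirement, not from a storage-cost estimate; the validator only catches a retention that is shorter than the migration path, not one that is shorter than the law requires.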

...

http://www.enterprisestorageforum.com/storage-services/the-cold-cloud-long-term-backup-storage-in-the-public-cloud-1.html

I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets.  I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.  

The other day, working with him on his training points, I thought to myself, “Woah, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?

...

http://blogs.forrester.com/chase_cunningham/17-04-24-for_better_security_operations_speak_to_the_pack_in_its_native_tongue

The debate over the efficacy of the hybrid cloud is likely to continue for as long as there are hybrid clouds. Pure-cloud advocates say hybrids are merely a marketing ploy by vendors looking to preserve their legacy platforms, while hybrid supporters say they are simply meeting the demands of the enterprise community.

But it seems that lost in the debate is one salient fact: that infrastructure, and even architecture, is quickly becoming a secondary consideration in the deployment of advanced data environments. Rather, many organizations are starting with the needs of the process they wish to support, and then working their way back to systems and applications. Sometimes this leads to a cloud-native solution, sometimes to a hybrid, and sometimes to physical, on-premises infrastructure.

In Microsoft’s recent State of the Hybrid Cloud report, the company noted that virtually all enterprises have either deployed a hybrid cloud or are planning to do so within the year. But what’s more interesting, says Redmond Channel Partner’s Jeffrey Schwartz, is the finding that nearly half of those who say they have yet to implement a hybrid actually already have one. Part of this is due to the confusion as to what constitutes a hybrid, but it also reflects the fact that IT deployment decisions are increasingly made by line-of-business managers these days, not IT, and they have little interest regarding the mechanics of their underlying infrastructure – they just want their processes to run.

...

http://www.itbusinessedge.com/blogs/infrastructure/to-hybrid-or-not-to-hybrid-is-that-the-right-cloud-question.html

The Business Continuity Institute

 

A worrying number of UK businesses have no formal plan to protect them from cyber attack and there has been no improvement from a year ago, according to a study conducted jointly by the Institute of Directors and Barclays.

The Cyber security: Ensuring business is ready for the 21st century report found that almost all companies (94%) think security of their IT systems is important, but only a little over half (56%) have a formal strategy in place to protect their devices and data.

The report shows that, despite a number of high-profile cyber attacks over the last year, more than one third (37%) of IoD members work in organizations without a formal cyber security strategy.

Given that the Business Continuity Institute's latest Horizon Scan Report identified cyber attacks and data breaches as the greatest concern to business continuity and resilience professionals, it is essential that organizations do more to protect themselves from such an incident, or equip themselves to respond to the likelihood that one should occur.

The new General Data Protection Regulation, which comes into effect in May 2018, will make organizations much more accountable for their customers' data, so the IoD and Barclays are urging business leaders to step up their preparations now. The IoD is calling on companies to increase cyber training for directors and employees, and run attack simulations, to make sure security systems are robust.

Stephen Martin, director general of the IoD, said: "This report has revealed that business leaders are still putting cyber security on the back burner."

The amount of energy Apple used in data centers it leases from third-party providers more than quadrupled over the last four years, going from about 38,550 MWh total in fiscal year 2012 to more than 180,200 MWh in fiscal 2016, according to the latest annual environmental responsibility report the company released this month. Leased footprint now consumes close to one-quarter of Apple’s total data center energy consumption.

Fiscal 2016 was the first year Apple started tracking its exact energy use in colocation facilities using meters and reporting it as part of the company’s global footprint in its environmental report, offering for the first time a glimpse into the scale of its leased capacity and how quickly that scale has increased over the years.

This rate of growth illustrates just how much hyper-scale cloud platforms still rely on leased data centers, despite also spending enormous sums on building out their own server farms around the world every year. In addition, Apple’s focus on energy supply of these third-party facilities is an example of the growing demand for colocation services powered by renewable energy, which many providers and their customers have been observing recently.

...

http://www.datacenterknowledge.com/archives/2017/04/24/apples-leased-data-center-energy-use-quadrupled-since-2012/

Delivering exceptional customer experiences and products for your business takes speed and flexibility. More than ever before, speed and flexibility are required from every part of your organization, business and IT alike. DevOps gives your business leaders, enterprise architects, developers and I&O leaders a philosophy that achieves not only the velocity customers desire but also drives innovation and enforces quality. One example is ING. The company is undergoing a major digital transformation in which DevOps is a primary driver supporting their transformation. ING CIO Ron van Kemenade has initiated DevOps as the vehicle to aggressively support ING’s evolving customer needs. At ING, technology is the beating heart of the bank.

...

http://blogs.forrester.com/robert_stroud/17-04-22-devops_invest_for_velocity_and_quality

Monday, 24 April 2017 14:43

DevOps, Invest For Velocity And Quality!

More often than she would like, Carrie Simpson fields a call from a panicked managed services provider (MSP) desperate for new business after realizing their sales funnel is near empty.

The owner of Winnipeg, Canada-based Managed Sales Pros is an expert at finding small businesses that want to buy managed IT services, and scheduling them for appointments with salespeople at MSPs.

Making that happen is a product of smart, grinding work behind the scenes – after which Simpson and her team are powerless to guide sales tactics that ultimately determine whether a deal closes.

...

http://mspmentor.net/sales/finding-qualified-leads-msps-equal-parts-science-art

Analytics is becoming a crucial element in the enterprise data ecosystem. It is one of the key drivers of the Internet of Things (IoT), and will undoubtedly provide key competitive advantages as the digital economy unfolds.

But it doesn’t come cheap, and it is by no means an easy process to master. So as the enterprise finds itself between the rock of an increasingly data-driven business model and the hard place of having to create a highly sophisticated analytics environment, it is understandable that many organizations are willing to launch this particular endeavor on the cloud.

According to the Harvard Business Review, nearly 70 percent of organizations expect to have cloud-based analytics solutions up and running by the end of the year. The reasons vary from improved decision-making and forecasting to greater speed and efficiency, but underneath the operational benefits is a simple fact: The cloud offers the means to launch analytics infrastructure quickly and at the scale required of modern production environments. To be sure, issues like data migration and lack of customization exist in the cloud, but these are generally seen as secondary considerations to the need to put analytics to work quickly before business models are disrupted by a more nimble, data-savvy competitor.

...

http://www.itbusinessedge.com/blogs/infrastructure/is-the-cloud-the-best-place-for-analytics.html

Amid ongoing political upheaval in Venezuela and a volatile geopolitical landscape elsewhere, the need for political risk insurance is rising to prominence for multinational companies.

AP reports that General Motors just became the latest corporation to have a factory or asset seized by the government of Venezuela.

GM said assets such as vehicles were taken from the plant causing the company irreparable damage.

To protect themselves against loss or damage to physical assets caused by political action and instability, businesses should consider purchasing political risk insurance.

...

http://www.iii.org/insuranceindustryblog/?p=4948

An annual assessment of the nation’s day-to-day preparedness for managing community health emergencies improved slightly over the last year—though deep regional inequities remain.

The Robert Wood Johnson Foundation (RWJF) has released the results of the 2017 National Health Security Preparedness Index, which found the United States scored a 6.8 on a 10-point scale for preparedness—a 1.5 percent improvement over the last year, and a 6.3 percent improvement since the Index began four years ago.

The Preparedness Index analyzes more than 130 measures—such as hazard planning in public schools, monitoring food and water safety, wireless 9-1-1 capabilities, flu vaccination rates, and numbers of paramedics and hospitals—to calculate a composite score that provides the most comprehensive picture of health security and preparedness available.

...

https://ems-solutionsinc.com/blog/state-ready-health-emergency-many-still-lag-behind/

Sustainable purchasing can improve supplier relations – and your business. ISO 20400 for sustainable procurement has just been published to help organizations make sustainable purchasing a way of life.

Procurement plays a large role in any organization, large or small. Who an organization buys from has just as big an impact on its performance as what it buys. Ensuring suppliers have sound and ethical practices – across everything from working conditions and risk management to their environmental impact – has the potential to not only make businesses work better, but to improve the lives of everyone in the communities where they are situated.

Sustainable procurement entails making purchasing decisions that meet an organization’s needs in a way that benefits them, society and the environment. It involves ensuring that a company’s suppliers behave ethically, that the products and services purchased are sustainable and that such purchasing decisions help to address social, economic and environmental issues.

ISO 20400, Sustainable procurement – Guidance, is the world’s first International Standard for sustainable procurement and aims to help organizations develop and implement sustainable purchasing practices and policies.

...

https://www.iso.org/news/Ref2178.html

The Business Continuity Institute

It’s important to keep our business continuity plans up to date. That almost goes without saying. But what, exactly, do we mean by keeping our plans up to date?

Most organisations with a business continuity plan will assign someone to review it periodically - in particular, to check that the names and contact details of the various team members are kept up to date. Which is an important activity. But there’s a bit more to it than that.

There are essentially two reasons for reviewing and updating our plans.

Firstly, to ensure the plans’ content - the names, contact details, checklists, etc - remains current.

Secondly, and just as importantly, to ensure that the strategies and solutions that underpin the plans remain fit for purpose and continue to enable us to meet our continuity objectives. Which implies that now and again we need to review those objectives and the strategies and solutions that support them.

Many organisations focus entirely on the operational detail of the plans and neglect the strategic elements. If that sounds familiar, you might consider adding a periodic strategic review to your plan maintenance programme. Otherwise, whilst you might be able to contact people without too much difficulty, it may well be to tell them that the plan doesn’t work!

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Monday, 24 April 2017 14:16

BCI: An objective review ...

Sixty-four percent of security professionals doubt their organizations can prevent a breach to employees' mobile devices, a recent Dimensional Research survey [PDF] of 410 security leaders found.

The survey, sponsored by Check Point Software, also found that 20 percent of businesses have experienced a mobile breach, and another 24 percent don't know, or can't tell, whether they've experienced one.

Strikingly, 51 percent of respondents believe the risk of mobile data loss is equal to or greater than that for PCs.

"Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices," the report states.

...

http://www.esecurityplanet.com/mobile-security/64-percent-of-security-pros-cant-stop-a-mobile-data-breach.html

Enterprises are loading up their data centers with hybrid flash storage systems in increasing numbers, according to a new survey from ActualTech Media commissioned by storage array maker Tegile Systems.

More than half (55 percent) of the 700 IT professionals polled for the study said they were using hybrid flash storage systems, which typically use a combination of solid-state drives and traditional hard disk drives to speed up data services, in their environments. Last year, 47 percent reported the same.

Meanwhile, all-disk storage systems are steadily losing their appeal. Adoption rates dipped from 41 percent in 2016 to 37 percent in the first quarter of 2017. All-flash environments remain relatively rare with a mere two percent penetration rate.

...

http://www.enterprisestorageforum.com/storage-management/hybrid-storage-becomes-the-go-to-application-performance-booster.html

Customer service departments in all industries are increasing their use of chatbots, and we will see usage rise even higher in the next year as companies continue to pilot or launch their own versions of the rule-based digital assistant. What are chatbots? Forrester defines them as autonomous applications that help users complete tasks through conversation.

While Forrester’s Consumer Technographics® data reveals that 60% of US online adults already use online messaging, voice, or video chat services, there are challenges to widespread adoption. We reached out to our ConsumerVoices Market Research Online Community members to better understand consumer impressions of chatbots and found that our respondents had a difficult time identifying clear benefits to interacting with them. Many prefer to communicate with a representative who can show real empathy, address more complex needs, and offer them assurance.

...

(TNS) - Six months after dangerous Hurricane Matthew buzzed up Florida’s Atlantic coast, storm experts are still debating why some people didn’t evacuate in the face of what became the 10th most destructive storm in U.S. history.

A clutch of coastal condo dwellers and beachfront homeowners refused to budge despite mandatory orders and unusual public pleas from South Florida hurricane hero Bryan Norcross and National Hurricane Center Director Rick Knabb.

They got lucky when Matthew delivered only a glancing blow, but how to better convey potential storm risk was a theme at Wednesday’s National Hurricane Conference in New Orleans where forecasters lamented ineffective messaging.

...

http://www.govtech.com/em/disaster/Experts-Debate-Whether-Hurricane-Matthews-Risks-Were-Understood.html

I am pleased to announce that the new Forrester Wave evaluation of disaster-recovery-as-a-service (DRaaS) providers for infrastructure and operations professionals is now live! This Wave evaluation uncovered a market in which four providers — Sungard Availability Services, Bluelock, IBM, and iland — all emerged as Leaders, although their strengths differ. Another five providers — HPE Enterprise Services (now DXC Technology), Recovery Point, Plan B, Daisy, and TierPoint — are Strong Performers. NTT Communications is a Contender.

To evaluate these vendors, we developed a comprehensive set of criteria in three high-level buckets: current offering, strategy, and market presence. The criteria and their weightings are based on past research and user inquiries. In addition to typical user demands, this Forrester Wave™ evaluation also has a few thought-provoking criteria such as the provider’s capability to deliver security services, real-time views through a readiness score, automated change management, and orchestration-led enterprise application recovery.

...

http://blogs.forrester.com/naveen_chhabra/17-04-20-check_out_the_new_forrester_wave_of_leading_draas_providers

The Business Continuity Institute

Not only are many employees likely to share confidential information, but they are doing so without proper data security protocols in place or in mind, according to a new study by Dell. Today's workforce is caught between two imperatives: be productive and efficient on the job, and maintain the security of the organization's data. To address data security issues, organizations must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity.

The Dell End-User Security Survey indicates that among the people who work with confidential information on a regular basis, there is a lack of understanding in the workplace regarding how confidential data should be shared and what the data security policies are. This confusion is not without merit: there are many circumstances under which it makes sense to share confidential information in order to push business initiatives forward.

Three in four employees say they would share sensitive, confidential or regulated company information under certain circumstances for a wide range of reasons, with 43% saying they would do so when directed by management. Four-fifths of employees in financial services (81%) would share confidential information, and employees in education (75%), healthcare (68%) and federal government (68%) are also open to disclosing confidential or regulated data at alarmingly high rates.

"When security becomes a case-by-case judgement call being made by the individual employee, there is no consistency or efficacy," said Brett Hansen, vice president of Endpoint Data Security and Management at Dell. "These findings suggest employees need to be better educated about data security best practices, and companies must put procedures in place that focus first and foremost on securing data while maintaining productivity."

The survey finds that when employees handle confidential data, they often do so insecurely by accessing, sharing and storing the data in unsafe ways. A quarter of respondents (24%) indicated they do so to get their job done and one-fifth (18%) say they did not know they were doing something unsafe. Only 3% of respondents said they had malicious intentions when conducting unsafe behaviours.

Further findings of the report include:

  • 45% of employees admit to engaging in unsafe behaviours throughout the work day
  • These behaviours include connecting to public Wi-Fi to access confidential information (46%), using personal email accounts for work (49%), or losing an organization-issued device (17%)
  • One in three employees (35%) say it is common to take corporate information with them when leaving a company
  • Employees take on unnecessary risk when storing and sharing their work, with 56% using public cloud services such as Dropbox, Google Drive, iCloud and others to share or back up their work
  • 45% of employees will use email to share confidential files with third-party vendors or consultants

These findings help reinforce the theme of Business Continuity Awareness Week, which highlights that cyber security is everyone's responsibility, and that with a little more awareness of the right policies and procedures we can all play a part in building a resilient organization.

The survey findings indicate that employees struggle with cyber security in the workplace because they do not want to see their organization suffer a data breach, but they also struggle with the limitations security programmes can put on their day-to-day activities and productivity.

"While every company has different security needs, this survey shows how important it is that all companies make an effort to better understand daily tasks and scenarios in which employees may share data in an unsafe way," says Hansen. "Creating simple, clear policies that address these common scenarios in addition to deploying endpoint and data security solutions is vital in order to achieve that balance between protecting your data and empowering employees to be productive."

Much ink has been spilled over United Airlines' latest public incident and social media's role in rapidly spreading video of a passenger being dragged off an airplane. Today's consumers are more polarized than ever and increasingly expressing their opinions and showing their own values in the way they spend their money. Brands worry about making missteps on social media and falling out of favor, prompting them to ask: "How can my brand respond to a social crisis?" In reality, the question they should be asking is: "How can my brand plan for any social crisis so that when it hits, our response is clear and automatic?"
 
Navigating today's social environment requires returning to crisis management basics. Brands with established and rehearsed crisis management plans — no matter the channel — will rise above the fray. In our latest Forrester report, "Social Crisis Management: Get Back To Basics," we discuss social crisis management 101:  
...

(TNS) - National Hurricane Center forecasts have evolved beyond the staid Saffir-Simpson wind scale that shoehorns tropical cyclones into tidy categories while ignoring flooding waters from sea and sky.

This hurricane season, an array of products will alert to killer storm surge, predict arrival time of damaging winds and show storm size.

One forecast map will warn of systems that have the potential for cyclonic wind-up, but have not yet developed into a storm.

It’s all in an effort to inform the public beyond Saffir-Simpson, but is the public ready to digest more than categories 1, 2, 3, 4 and 5?

...

http://www.govtech.com/em/disaster/Hurricane-information-overload-New-products-cause-some-concern.html

According to a study by Indeed.com, conducted earlier this year, the severe shortage of skilled cybersecurity professionals continues. It’s estimated that a million security jobs are unfilled today, and that’s probably only going to get worse. This comes at a time when organizations are looking to increase their security spending and improve their security posture.

Yet, here is something that doesn’t make sense to me. Plenty of security talent is being developed in colleges and universities across the country. The National Collegiate Cyber Defense Championship held earlier this month highlighted that talent. From an original pool of 230 teams, a group from the University of Maryland, Baltimore County emerged as the winner after a final competition of the top 10 competitors. As CSO reported about the contestants of the cybersecurity event:

They have spent years honing their cyber skills, and some of the participants have some pretty interesting hacks ranging from an insulin pump and an electric car to a video surveillance camera in a school lab. Still others have hacked a connected avionics system that loads maps onto an airplane, an elevator, a McDonald's router, and even a beer kegerator.

...

http://www.itbusinessedge.com/blogs/data-security/despite-cyber-skills-gap-security-graduates-struggle-to-get-hired.html

The Business Continuity Institute
We have recently seen how quickly a crisis can impact a business if it is not managed correctly, that is, by placing people at the heart of the crisis response.

The appalling treatment of a United Airlines passenger, and the subsequent response from the company, showed a complete disregard for the very people who pay the wages: its customers.

As crisis managers we all advocate the importance of plans and procedures to ensure that, in the event of something going wrong, the crisis management teams responsible have a framework to guide them. However, at the heart of this has to be the right culture.

The power of the internet is immense and you only have one opportunity to set the tone of your response when something does go wrong. You should have clear processes, procedures and ways of working that staff fully understand, but most importantly you must have a culture that ensures that people are at the heart of what you do. 

If your customers are your number one priority, regardless of the nature of the incident, it is very likely your crisis managers will respond with that in mind.

I was reading an article during the past week written by Michael Balboni of Redland Strategies, one of the keynote speakers at last year's BCI World Conference, in which he highlighted the four key points to consider in your crisis communications. These points can be summarised as:

  1. Try to get out ahead of the story with statements like, "We are also concerned about the events as reported and are conducting an investigation."
  2. Whatever the message, be consistent. Changing statements leaves room for doubt on a whole bunch of aspects.
  3. Never attack the victim! Ever! The customer is the only reason that a business is in business, or a government official is in office.
  4. Respond to the internet firestorm with facts and apologies and a description of how you will try to prevent this situation from ever repeating. Never try to block people from commenting.

When you are next reviewing your ways of working and approach to crisis communications, make sure you keep this in mind. Most importantly, though, remember: "It is not the employer who pays the wages. Employers only handle the money. It is the customer who pays the wages" --- Henry Ford.

Are you satisfied that your company culture sets the right tone to respond effectively to a major incident or crisis event?

Chris Regan is the Director of Blue Rock Risk Limited, a specialist crisis and risk management consultancy. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email or by telephone on 0117 244 0154.

The Business Continuity Institute

Businesses large and small are being urged to protect themselves against cyber crime after new Government statistics found nearly half of all UK businesses suffered a cyber breach or attack during the previous year.

The Cyber Security Breaches Survey 2017 reveals nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions. The survey also shows businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not (51% compared to 37%).

The most common breaches or attacks were via fraudulent emails - for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments - followed by viruses and malware, including ransomware, and by people impersonating the organisation online.

These new statistics show businesses across the UK are being targeted by cyber criminals every day and the scale and size of the threat is growing, which risks damaging profits and customer confidence.

Cyber security is a hot topic for business continuity and resilience professionals at the moment with cyber attacks and data breaches yet again featuring as their top two concerns according to the Business Continuity Institute's latest Horizon Scan Report. It is with this in mind that cyber resilience was chosen as the theme for Business Continuity Awareness Week 2017 which has a particular focus on the actions that individuals can take to play their part in an organization's cyber security, and this includes effective password control.

The Government survey also revealed that, of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed.

Firms are increasingly concerned about data protection, with the need to protect customer data cited as the top reason for investing by half of all firms who spend money on cyber security measures.

Following a number of high profile cyber attacks, businesses are taking the threat seriously, with three quarters of all firms saying cyber security is a high priority for senior managers and directors; nine in ten businesses regularly update their software and malware protection; and two thirds of businesses invest money in cyber security measures.

Areas where industry could do more to protect itself include guidance on acceptably strong passwords (only seven in ten firms currently provide this), formal policies on managing cyber security risk (only one third of firms), cyber security training (only one in five firms), and planning for an attack with a cyber security incident management plan (only one in ten firms).

Ciaran Martin, CEO of the National Cyber Security Centre, said: "UK businesses must treat cyber security as a top priority if they want to take advantage of the opportunities offered by the UK's vibrant digital economy. The majority of successful cyber attacks are not that sophisticated but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities."

The firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.

Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest firewall security products incorporate a wide range of additional features.

“The latest firewalls can neutralize an attacker’s ability to use stolen credentials for lateral movement and network compromise,” said Navneet Singh, product marketing director at Palo Alto Networks. “This is done by enforcing multi-factor authentication at the network layer.”

...

http://www.esecurityplanet.com/network-security/network-firewalls.html

The ever-dependable Barb Darrow at Fortune reported late last week that the OpenStack Innovation Center (OSIC) is to shut down. Cue wailing, gnashing of teeth, and portents of doom. But this may not be quite so bad as it appears, because the OpenStack Innovation Center isn’t nearly so critical to the open source cloud computing project as its name might imply.

Before I joined Forrester I used to post a short thought (almost) every day, commenting on some piece of news that caught my interest. The last of these, on 24 July 2015, was concerned with the then-new OpenStack Innovation Center.

I was unimpressed.

You see, the OpenStack Innovation Center isn’t an initiative of the OpenStack Foundation. Despite the name, it was only a joint initiative of two contributors to the OpenStack project - Intel and (OpenStack co-founder) Rackspace. They set up some clusters, for developers to test code. And they did some work to make OpenStack more enterprise-ready. Both efforts were useful, for sure. But both of these things were already happening in plenty of other places.

...

http://blogs.forrester.com/paul_miller/17-04-18-demise_of_openstack_innovation_center_does_not_mean_demise_of_openstack

Most people can sort out what tangibles they need for a solid BCM program, but the following critical steps can make or break an enterprise in times of crisis. Without functional crisis management and effective preparations, your organizational resilience will be impacted, resulting in more than just higher costs or lost sales (see Strategic Issues Surrounding Your Organization’s Resiliency).

1.  Clarify Roles and Responsibilities

Numerous teams are organized and active during crisis events: Crisis Management, IT Emergency Management, Individual Recovery, Business Recovery, Communications, and more. Often individuals participate on several teams. Due to multiple tasks and efforts, individuals must clearly understand their roles and responsibilities – these are not necessarily based on job title. Individuals should be trained in roles and responsibilities at least annually.

...

https://www.mha-it.com/2017/04/4-key-steps-on-the-roadmap-to-resilience/

Wednesday, 19 April 2017 15:11

4 Key Steps on the Roadmap to Resilience

Focal Point Data Risk, LLC (Focal Point), one of the largest pure-play data risk consulting firms in North America, today announced the release of the inaugural Cyber Balance Sheet Report. This first-of-its-kind research study uses in-depth surveys and interviews with corporate board members and chief information security officers (CISOs) to conclusively identify specific cyber risk issues resonating in boardrooms. Equally important, the unprecedented research reveals how CISOs and boards can quickly improve communication and collaboration in this critical area.

The Cyber Balance Sheet Report was independently produced, after several months of intensive research, by the Cyentia Institute (Cyentia), a cybersecurity research firm, co-founded by Dr. Wade Baker, who is widely recognized as the creator of the Verizon Data Breach Investigations Report (DBIR). In the study, Focal Point and Cyentia conducted comprehensive interviews with more than 80 board members, CISOs and subject matter experts. The report’s findings offer a rare window into the cyber risk dialogue in the boardroom, contrasting with many years of assumptions and security vendor characterizations.

“For years pundits have been saying ‘Cyber needs to be a boardroom issue,’ but the Cyber Balance Sheet Report replaces this sound bite with the most illuminating look yet at where cyber issues are making headway with boards or falling off the table,” said Yong-Gon Chon, CEO of Focal Point. “The report reveals important indicators around cyber awareness at the top levels of governance. We have evolved from cybersecurity being a component of IT performance to becoming an issue that prompts broader questions about protecting valuable company data. Yet, as the report discloses, it’s the nature of these questions and how CISOs respond that determines how far oversight and accountability still have to evolve.”

...

http://www.corporatecomplianceinsights.com/focal-point-data-risk-publishes-inaugural-cyber-balance-sheet-report/

Ransomware hits a particularly raw nerve because of its brazenness. A criminal breaks into a computing device and simply takes over, demanding money – usually paid in bitcoins – for providing the owner the privilege of accessing his or her own data.

The reality is that the ransomware story is more nuanced than the pure fear that idea engenders. Ransomware, according to experts, is not monolithic: the malware and the ways it is delivered vary widely in quality. The targets are far from helpless.

IT Business Edge emailed a set of important questions about ransomware to Jon Clay, the director of Global Threat Communications for Trend Micro; Chester Wisniewski, the principal research scientist at Sophos; and Kevin Haley, the director of Security Response at Symantec. The answers painted a picture of a very serious problem, but one that can be avoided if an organization uses best security practices.

...

http://www.itbusinessedge.com/articles/how-to-fight-against-ransomware-its-hard-not-hopeless.html

(TNS) - Every spring, like azaleas at Pinehurst, questions begin blooming for Scot Brooks.

“It seems every year at about this time, people new to the area call and ask when they can expect us to test our tornado sirens,” said Brooks, the emergency management deputy director of Moore County, N.C.

“I explain to them that we don’t have sirens — at least not for tornadoes.”

Nor does any other county in the Cape Fear region. A check with emergency management directors in the region reveals that no countywide systems exist. In fact, none have ever existed, according to these directors.

...

http://www.govtech.com/em/disaster/No-Tornado-Sirens-in-Region-Despite-Top-10-Threat-of-Twisters.html

Topping $5.7 billion. That’s the record cost of insured losses from severe thunderstorms and convective weather in the United States in the first quarter of 2017.

The latest figures come via Steve Bowen, director and meteorologist at Impact Forecasting, the catastrophe risk modeling center at Aon Benfield.

Here’s the chart (via @SteveBowenWx):

...

http://www.iii.org/insuranceindustryblog/?p=4941

Wednesday, 19 April 2017 15:05

U.S. Thunderstorm Losses Add Up To Q1 Record

Over the last decade, huge growth in demand for Internet and mobile services has driven rapid transformation in digital businesses. This growth has been highly disruptive, and it has created new business opportunities and challenged the status quo. In the data center, two forces have created much of this change: the evolution of virtualization and the rise of cloud computing.

Latest-generation technologies in computing hardware and software platforms, including but not limited to unified computing, pervasive virtualization, containerization, new rack designs, disaggregation of compute resources, and improved telemetry and analytics, have all contributed to a lower total cost of ownership (TCO) and a greater return on investment (ROI). This has set the stage for agile infrastructure and a further explosion in the number and type of instrumentation metrics available to today's data center managers.

Optimization, as applied to data centers, means always having the right amount of resources to cost-effectively enable the business use of those data centers. Right resourcing means, in effect, having enough to get the data center "job" done, but not so much as to waste money: enough power, enough floor space, enough "computes," and enough of everything else. Easily said, but increasingly challenging to accomplish.

...

http://www.datacenterknowledge.com/archives/2017/04/18/optimizing-todays-data-centers-metrics-matter/

NEW YORK, NY –  Duff & Phelps, the premier global valuation and corporate finance advisor, today highlighted research affirming that financial services professionals are poised to significantly accelerate resources dedicated to preventing and combating cyber breaches. The survey of nearly 200 senior financial services professionals included the following highlights:

  • 86% of financial services firms intend to increase the time and resources they spend on cybersecurity in the next year.  This contrasts with 2016, when less than 60% said they planned to spend more resources and time on cybersecurity planning and initiatives.
  • 31% of respondents expect cybersecurity to be the top priority for regulators this year - a 63% increase over 2016 when just 19% of respondents held this view.
  • 21% of respondents believe that Anti-Money Laundering and “Know Your Customer” considerations – which are increasingly converging with cybersecurity and technology – will be a top regulatory focus.

...

http://www.darkreading.com/risk/financial-services-firms-report-spike-in-cyber-preparedness-anticipated-regulatory-scrutiny/d/d-id/1328627

Our latest case studies in business continuity management and planning focus on banking customers.

PlainsCapital Bank—a subsidiary of Hilltop Holdings—is the sixth-largest bank in Texas. They maintain a statewide presence with approximately 1,500 employees and nearly 70 commercial and retail locations. Their diverse range of services includes commercial banking, treasury management, private banking, wealth management, and consumer banking. The Business Continuity Planning team includes Operational Risk Manager Jay Geppert and Operational Risk Analyst Jessica Camacho. They are responsible for the bank's Business Continuity, Vendor Management, and Operational Risk programs. Together, they coordinate annual tests of critical departments and applications and work with business unit managers to update plans for their Business Continuity Committee, Information Systems Steering Committee, and other senior management officials.

The company invested in ResilienceONE from Strategic BCP to help elevate planning to a strategic level within the organization. Planning has shifted to a functional approach in line with overall corporate objectives. The system helps ensure consistency of the operational risk management framework, allows for effective implementation across business units, meets operational and regulatory requirements, and prepares the organization for future growth—all while adapting to the changing demands of a dynamic corporation. Read the full case study, including the expanded benefits to the team and the organization.

...

http://www.strategicbcp.com/blog/new-business-continuity-case-studies-banking-industry/
