
Industry Hot News


The Business Continuity Institute

Employees at 40% of businesses across the globe hide IT security incidents in order to avoid punishment, according to a study conducted by Kaspersky Lab, and the problem is most acute in larger businesses. 45% of enterprises (over 1,000 employees) experience employees hiding cyber security incidents, compared with 42% of SMBs (50 to 999 employees) and only 29% of VSBs (under 49 employees).

The report - Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within - revealed that not only are employees hiding incidents, but also that the uninformed or careless employees are one of the most likely causes of a cyber security incident - second only to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the evergreen human factor can pose an even greater danger. 46% of IT security incidents are caused by employees each year - that’s nearly half of the business security issues faced triggered by employee behaviour.

Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option - to avoid punishment whatever it takes. If your cyber security culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”

Borilin also recalls an industrial security model, where a reporting and ‘learn by mistake’ approach is at the heart of the business. For instance, in a recent statement, Tesla’s Elon Musk requested that every incident affecting worker safety be reported directly to him, so that he can play a central role in change.

The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cyber security fears all related to human factors and employee behaviour. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).

While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point - human nature. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source. Sophisticated targeted attacks do not happen to organizations every day - but conventional malware strikes en masse. Unfortunately, the research also shows that even where malware is concerned, unaware and careless employees are often involved, causing malware infections in more than half (53%) of incidents that occurred globally.

The human element of cyber security was the key focus of Business Continuity Awareness Week 2017, organized by the Business Continuity Institute, with the report published by the BCI identifying the simple steps that everyone can take in order to play a part in improving cyber security.

“Cyber criminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support - we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network - all you need is someone inside who doesn’t know about, or pay attention to, security, and that device could easily be connected to the network where it could wreak havoc.”

The watchword for business continuity (BC) now and in the coming years will be complexity.

Evolutions in technology, organizational structure, banking, leadership, the global economy, and practically every existing discipline have begun to outstrip traditional methods that hoped to address and contain such complexity. As our everyday work moves from simple and complicated contexts (as envisioned by Ralph D. Stacey and explicated by Snowden and Boone) into complex contexts, we must create new approaches to function within the complexity. The Agile framework for project management is one such example of a new approach that embraces and thrives within complex contexts.

BC has begun to struggle with the reality of increasing complexities. Detailed recovery scripts, time-consuming BIA data collection, binders of documentation, and a linear lifecycle relatively unchanged since Y2K seem inefficient and outdated in this “Agile Age” of rapid acquisitions, social media, blockchain, holacracies, and the internet of things. The stark unpredictability of disasters combined with the nearly unimaginable constitution of the near future should give pause to anyone who believes BC can be done properly by just anyone armed with an internet template.

There is a way for BC to evolve to meet these challenges. First, it must establish a robust, theoretical foundation for the discipline, moving beyond an ad hoc collection of “professional practices.” Second, it must identify and implement alternative approaches that are nonlinear, iterative, and adaptive. Third, practitioners must find new and better ways to share proven practices with each other, and to offer real critique of both new and old practices. Fourth, the best BC professionals will no longer frame their work in terms of plans, but now in terms of portfolios, an evolving collection of recovery capabilities that can be brought to bear in times of adversity and disaster.

In this lecture, I provide an approach to establish a Business Continuity Portfolio Management Office (BC PMO). While this very brief presentation covers a lot of material (perhaps too much), it contains almost all the necessary theoretical and practical elements to provide a proper foundation for those who will create the very first BC PMOs in the industry.

– David Lindstedt, PhD, PMP, CBCP

David Lindstedt is the founder of Readiness Analytics, an organization focused on metrics, measures, and KPIs for recovery capabilities. Dr. Lindstedt is the co-author (along with Mark Armour) of the "Adaptive BC Manifesto and the Adaptive Business Continuity." He is also the creator of several supporting web sites including AdaptiveBCP.org, ReadinessTest.com, and Jeomby.com. Dr. Lindstedt has published in international journals and presented at numerous international conferences. He taught for Norwich University's Master of Science in Business Continuity Management.

The Business Continuity Institute

In the context of the manufacturing industry, business continuity is about ensuring products continue to reach and be delivered to customers, regardless of any internal problems or issues that arise.

Like all businesses, manufacturers need to identify their critical value-adding business activities and processes and focus on keeping them operational, or getting them back to full operational capacity within a set time frame, regardless of the issue. This in turn maintains product delivery to the end consumers.

The basic principle of a manufacturer is to convert inputs (raw materials, ingredients, chemicals) into an output/product for sale. This is achieved by inputs undergoing transformational processes along the production line which add value at each stage. Labour, machinery and other tools combine to produce this production capability and thus, by the end of the whole production line, there is a product ready for sale.

What does a manufacturer need to consider to ensure business continuity?

To run a manufacturing production line effectively, you need to avoid disruptions in three key areas:

  • Staffing
  • Materials/Inputs
  • Machinery

Staff

In manufacturing, staff are needed to maintain and control the production line, ensure it stays operational and to spot early warning signs of any problems. Staff are integral in keeping the production line functional.

Ensuring staff have the proper training is vital to operational success. Lack of training amongst staff will lead to mistakes and disruptions anywhere along the production line. Investing time and money in preparing a training package for new and current staff will help minimize mistakes and disruption.

Cross-training should also be considered. Training staff across the full range of business activities will ensure business activity continues if at any time a vital member of staff were to leave, fall sick or take holidays at busy periods.

Efficient staff recruitment processes may also be of value. Losing a number of employees simultaneously will cause disruptions and increased pressure on remaining staff (again, highlighting the importance of cross-training). Having other options such as agency workers or temporary staff is much quicker and easier to implement in the short term, allowing business to continue until more permanent positions are filled.

Materials/Inputs

Inputs and raw materials are particularly important for manufacturers because without inputs, there can be no final output which in turn means no sales.

If a manufacturer limits themselves to one supplier of a material, and that supplier is unable to supply the material needed, then the manufacturer is also unable to produce their products. Therefore, manufacturers should have a diverse supply chain. Sourcing multiple suppliers of raw materials will minimize the risk and impact on the manufacturing process. If the primary supplier is unable to supply, the manufacturer has secondary options to ensure business continues.

No business wants faulty goods, as this may mean product recalls and tarnish the brand image. Faulty goods can be a direct result of poor quality materials or inputs. Therefore, manufacturers should implement a quality inspection procedure upon receiving the materials. This will help to ensure the inputs meet the standard the manufacturer requires and reduce disruptions further along the production process.

Other non-tangible aspects must also be considered. For example, electricity supply is paramount to a manufacturer as it powers the machinery and other processes. Without it, the whole business grinds to a halt. Having a back-up generator installed will ensure business and manufacturing activities continue despite power shortages or prolonged power cuts.

Machinery

It is essential that you have factory equipment and tools fully functioning to carry out the manufacturing process. As a result, maintaining and checking that equipment is safe to use is critical.

You need to spend enough to ensure your machinery and equipment meet regulatory standards, and preventive maintenance is a must for all manufacturing businesses. Preventive maintenance works on the same principle as servicing your car, except that servicing factory machinery tends to be a lot more costly! This is very important. Waiting until the machine breaks means you’ve waited too long!

The harsh reality is that customers have little interest in understanding manufacturing problems. They react in the same way you react to your suppliers: all you care about is the fact that they’re late. Customers are the same; they need their products, and if they can’t get them from their chosen source they might just go elsewhere!

Michael Conway has been a founding director of Renaissance Contingency Services since 1987. He established Renaissance as Ireland’s premier IT Security Distributor and leading Independent Business Continuity Consultancy provider.

The Business Continuity Institute

Quite often with cyber security, the public sees what might appear to be a game of cat and mouse: the perpetrators (bad guys) attack, then the cyber security establishment (government, private companies, and so on; the good guys) defend and try to plug, patch, and repair the problem after the fact. What we are missing in this picture - what may not be reported, or is underreported - is how many companies and organizations are unaffected, as well as those who may have been impacted but are hesitant to admit it and risk bad publicity.

The latest example of this is the WannaCry attack, which now looks like it came from the North Korean-affiliated Lazarus group. This attack would have been defeated if organizations simply allowed computers running Microsoft-based operating systems to install the update that would have fixed the vulnerability. With personal computers, most users allow this to operate automatically, but with corporate computers this task is generally taken care of by an IT department that often runs several versions of Windows behind.

It is interesting that, according to reports, this ransomware attack - which claims to encrypt all of users’ files and offers a payment-based decryption service to restore them - has only generated $50,000 in ransom. However, it is our guess that this number is severely underreported; we have found few people like to admit to having been a victim of this kind of attack, just as users affected by Nigerian scams often deny being victims. It’s also interesting to speculate whether people will continue to pay any ransom given that, according to reports, no one who’s paid the ransom thus far has had their files decrypted.

How can organizations break this vicious cat-and-mouse cycle? One way to effectively build and maintain organizational resilience on an enterprise level is creating a cyber security program that repels and recovers from cyber attacks, following the Four Rs of Resilience: Robustness, Redundancy, Resourcefulness, and Rapidity. For our purposes with regards to WannaCry, let’s focus on just two factors: Robustness and Redundancy.

Robustness is the ability of systems and elements to withstand disaster forces without significant degradation or loss of performance. The simple fix here is making sure all operating systems are updated, including any vendor systems, any home systems that may be used (or else preventing them from accessing corporate systems), and the tertiary systems an organization relies on. More sophisticated solutions such as a software-defined perimeter would also have prevented the attack, by establishing a dark layer and a credentialing process that restricts access.

Redundancy is the extent to which systems and elements or other units are substitutable or capable of satisfying functional requirements if significant degradation or loss of functionality occurs. Regular backups would remove the concern about having data encrypted or destroyed, as users could simply retrieve the same data from their backup.

So in short, what’s the best way to keep your personal and organizational data safe in the age of WannaCry? It may seem simple, but it’s the most basic cyber security advice for a reason: update your systems and back up your files. Frequently.

Andrew Boyarsky and Douglas Graham are the academic director of the master’s program in enterprise risk management at the Mordecai D. and Monique C. Katz School of Graduate and Professional Studies at Yeshiva University and an advisory council member at the Katz School, respectively. The opinions expressed above are solely those of the authors and should not be attributed to Yeshiva University.

The Business Continuity Institute

Lax approaches to popular threats such as email attachments, and inadequate threat-awareness, poor work-practices and out-of-date technology, are exposing organizations to hacking, ransomware and zero-day attacks, says a report published by Glasswall Solutions.

The report, 'Your employees won't protect you', noted that the vast majority (82%) of respondents to a survey usually or always opened email attachments if they appeared to be from a known contact, despite the prevalence of well-known sophisticated social engineering attacks. Of these respondents, 44% open such email attachments every time they receive one, leaving organizations highly vulnerable to data breaches sourced to malicious attachments.

"Employees need to trust their emails to get on with their work, but with 94% of targeted cyber-attacks now beginning with malicious code hidden in an email attachment, the security of major businesses should no longer be the responsibility of individual office-workers," said Greg Sim, CEO of Glasswall Solutions. "Conventional antivirus and sandboxing solutions are no longer effective and relying on the vigilance of employees clearly leaves a business open to devastating cyber-attacks that will siphon off precious data or hold the business to ransom."

A large majority of workers could at least identify characteristics of a phishing attack, with 76% acknowledging that they had received suspicious attachments. However, the survey also found that 58% of respondents usually opened email attachments from unknown senders, while 62% didn't check email attachments from unknown sources, leaving businesses open to breaches from documents carrying malicious exploits hidden inside common file-types such as Word, Excel, PDFs and more.

These findings help demonstrate why cyber attacks and data breaches are such a concern for business continuity and resilience professionals, as highlighted in the Business Continuity Institute's latest Horizon Scan Report. They also reinforce the theme of Business Continuity Awareness Week, which highlights that cyber security is everyone's responsibility, and that with a little more awareness of the right policies and procedures, we can all play a part in building a resilient organization.

"This research confirms anecdotal evidence that, although security awareness campaigns have their place, all too often they fail to equip workers with effective strategies for protecting data and systems," said professor Andrew Martin at the University of Oxford. "Technology that's fit for purpose reduces risks without placing added burdens on those simply trying to do their jobs."

This implicit trust in both familiar and unknown emails stands in direct contrast to the scale of threats delivered via email. Despite thousands of attacks launched every year against businesses, only 33% of respondents maintained that they had been victim of a cyber attack. And almost a quarter (24%) said they did not know if they had been attacked or not.

North American insurers lead the way in IT spending globally and will invest $73 billion in tech areas such as data analytics, cloud, and insurtech in 2017.

Digital Insurance reports that global IT spending by insurers is slated to reach $185 billion by the end of this year, according to the Celent “IT Spending in Insurance 2017” report.

After North America, insurer technology spending by region is as follows: Europe ($69 billion); Asia ($33 billion); Latin America ($5 billion); then a group of territories comprising Africa, the Middle East and Eastern Europe (around $5 billion collectively).

...

http://www.iii.org/insuranceindustryblog/?p=4962

There's a good chance you've considered the implications of machine learning for your security team. As data increases, the skill gap widens, and hackers' strategies get more complex, businesses struggle to detect and address cyberattacks.

Machine learning enables behavioral analytics and cognitive security to detonate attachments before they arrive in someone's inbox, or correlate types of activity across a network of thousands of users.

The ability to stop attacks before they occur is powerful, but how should security leaders start the process of making their systems smarter with machine learning?

...

http://www.darkreading.com/analytics/machine-learning-in-security-4-factors-to-consider/d/d-id/1328704

The Business Continuity Institute

Cyber espionage is now the most common type of attack seen in manufacturing, the public sector and education, warns Verizon's latest Data Breach Investigations Report. Much of this is due to the high proliferation of proprietary research, prototypes and confidential personal data, which are hot-ticket items for cyber criminals. Nearly 2,000 breaches were analyzed in this year’s report and more than 300 were espionage-related, many of which started life as phishing emails.

In addition, organized criminal groups have escalated their use of ransomware to extort money from victims with this year’s report showing a 50% increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyber attack.

“Insights provided in the DBIR are leveling the cyber security playing field,” said George Fischer, president of Verizon Enterprise Solutions. “Our data is giving governments and organizations the information they need to anticipate cyber attacks and more effectively mitigate cyber risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we’re able to offer valuable intelligence that can be used to transform an organization’s risk profile.”

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity Institute's latest Horizon Scan Report. It is for this reason that it was chosen as the theme for Business Continuity Awareness Week 2017, with the intention of improving an organization's overall resilience by enhancing its cyber resilience, and recognising that people are key to achieving this.

“Cyber attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions. “Cyber criminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

With 81% of hacking-related breaches leveraging either stolen passwords and/or weak or guessable passwords, getting the basics right is as important as ever before. Some recommendations for organizations and individuals alike include:

  1. Stay vigilant - log files and change management systems can give you early warning of a breach.
  2. Make people your first line of defence - train staff to spot the warning signs.
  3. Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it.
  4. Patch promptly - this could guard against many attacks.
  5. Encrypt sensitive data - make your data next to useless if it is stolen.
  6. Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
  7. Don’t forget physical security - not all data theft happens online.

“Our report demonstrates that there is no such thing as an impenetrable system, but doing the basics well makes a real difference. Often, even a basic defence will deter cyber criminals who will move on to look for an easier target," concludes Sartin.

Sixty-four percent of security professionals doubt their organizations can prevent a breach to employees' mobile devices, a recent Dimensional Research survey [PDF] of 410 security leaders found.

The survey, sponsored by Check Point Software, also found that 20 percent of businesses have experienced a mobile breach, and another 24 percent don't know, or can't tell, whether they've experienced one.

Strikingly, 51 percent of respondents believe the risk of mobile data loss is equal to or greater than that for PCs.

"Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices," the report states.

...

http://www.esecurityplanet.com/mobile-security/64-percent-of-security-pros-cant-stop-a-mobile-data-breach.html

The Business Continuity Institute


We have recently seen how quickly a crisis can impact a business if it is not managed correctly, with people placed at the heart of the crisis response.

The appalling treatment of a United Airlines passenger, and the subsequent response from the company, showed a complete disregard for the very people who pay the wages: its customers.

As crisis managers we all advocate the importance of plans and procedures, so that in the event of something going wrong the crisis management teams responsible have a framework to guide them. However, at the heart of this has to be the right culture.

The power of the internet is immense, and you only have one opportunity to set the tone of your response when something does go wrong. You should have clear processes, procedures and ways of working that staff fully understand, but most importantly you must have a culture that ensures people are at the heart of what you do.

If your customers are your number one priority, regardless of the nature of the incident, it is very likely your crisis managers will respond with that in mind.

I was reading an article during the past week written by Michael Balboni of Redland Strategies, and one of the keynote speakers at last year's BCI World Conference, where he highlighted the four key points to consider in your crisis communications. These points can be summarised as:

  1. Try to get out ahead of the story with statements like, "We are also concerned about the events as reported and are conducting an investigation."
  2. Whatever the message, be consistent. Changing statements leaves room for doubt on a whole bunch of aspects.
  3. Never attack the victim! Ever! The customer is the only reason that a business is in business, or a government official is in office.
  4. Respond to the internet firestorm with facts and apologies and a description of how you will try to prevent this situation from ever repeating. Never try to block people from commenting.

When you are next reviewing your ways of working and approach to crisis communications make sure you keep this in mind. Most importantly though remember: “It is not the employer who pays the wages. Employers only handle the money. It is the customer who pays the wages” --- Henry Ford.

Are you satisfied that your company culture sets the right tone to respond effectively to a major incident or crisis event?

Chris Regan is the Director of Blue Rock Risk Limited, a specialist crisis and risk management consultancy. Chris works with both private and public sector clients to help them plan, prepare and respond effectively to a wide range of crisis and risk issues. Chris can be contacted by email or by telephone on 0117 244 0154.

The Business Continuity Institute

Ever wondered what all the different terms or acronyms relating to business continuity mean? Now the Business Continuity Institute has made it easier for you to find out with the creation of its joint BCI DRJ Glossary of Business Continuity Terms.

This new glossary is a result of merging the definitions from the ‘Business Continuity Glossary by DRJ’, the BCI’s Dictionary of Business Continuity Management Terms and the glossary in the Good Practice Guidelines.

The combined glossary contains all terms approved by the DRJ Editorial Advisory Board’s Glossary of Terms Committee, which includes representation from the BCI. This joint effort is evidence of the continuing and deepening partnership between DRJ and the BCI. The glossary is one of many resources available as part of our knowledge bank, and it can be downloaded from the BCI website.

The Business Continuity Institute

It seems impossible to think about preparedness planning without thinking about time. Time is often at the very heart of any discussion of business continuity and IT disaster recovery. Nonetheless, there are deep flaws in the continued attempts to incorporate it into preparedness planning. These flaws lead to frustrated participants, disengaged managers, wasted effort and dubious outcomes. However, these flaws are avoidable and correctable.

In the latest edition of the Business Continuity Institute's Working Paper Series, David Lindstedt asserts that time is not a target; rather, it is a constraint. While it has its place in preparedness planning, time does not warrant its central focus in our methodology or practice.

Deborah Higgins FBCI, Head of Professional Development at the BCI, commented: "I welcome this paper as it challenges our thinking associated with preparedness planning. I see this work as a fantastic opportunity for fellow professionals to share their own experiences and explore how the theoretical arguments posed in this piece translate into practice."

"I would be happy to get your feedback on this as your engagement will ultimately drive our profession forward – considering the thorny problems we face together and applying our collective expertise to improve current practice."

The paper concludes that, when considering time, "it depends” is now a perfectly acceptable answer from the planning participant, and accepting this answer allows the planning practitioner to be more receptive, adaptive, and effective. The approach enables participants to self-assess restrictions rather than relying on the practitioner to facilitate the assessment of time requirements, thus allowing the practitioner to engage at a more strategic level.

In practical terms, the professional avoids any potential confrontation with regard to discussions about time. In theoretical terms, the professional does not fall into any traps, as time is discussed only as a constraint to recovery activities, not a target that has to be set without the proper ability to do so. And in financial terms, the organization will not waste money preparing to hit targets of time that are arbitrary at best and misleading at worst.

Download your free copy of 'Our deep misunderstanding of time in preparedness planning' to understand more about the concept of time as a constraint rather than a concept when managing your business continuity management programme.

Fully 86 percent of small to medium enterprises (SMEs) have less than 10 percent of their total IT budget allocated to cyber security and 75 percent have between zero and two IT security staff members, according to the results of a recent EiQ Networks survey of more than 150 SME IT security professionals.

"One of the most striking results is how little SMEs are spending on cyber security as compared to the overall IT budget -- despite the very high risks they face daily from ransomware, phishing, and zero-day attacks, to name just a few," EiQ Networks founder and CEO Vijay Basani said in a statement.

"Without the IT security resources and expertise necessary to continually monitor, detect, and respond to security incidents, SMEs are simply exposing themselves to loss of revenue, brand equity, IP, and customer data on a daily basis," Basani added.

...

http://www.esecurityplanet.com/network-security/86-percent-of-smes-are-underfunding-cyber-security.html

By Louis Imershein, VP Products and Wayne Salpietro, Director of Marketing

Permabit Technology Corp

The cloud continues to dominate IT as businesses make their infrastructure decisions based on cost and agility. Public cloud, where shared infrastructure is paid for and utilized only when needed, is the most popular model today. However, more and more organizations are addressing security concerns by creating their own private clouds. As businesses deploy private cloud infrastructure, they are adopting techniques used in the public cloud to control costs. Gone are the traditional arrays and network switches of the past, replaced with software-defined data centers running on industry standard servers.

Efficiency features make the cloud model more effective by reducing costs and increasing data transfer speeds. One such feature, which is particularly effective in cloud environments, is inline data reduction: a technology that lowers the cost of data both in flight and at rest. In fact, data reduction delivers distinct benefits to each of the cloud deployment models.

Public Clouds

The public cloud’s raison d’être is its ability to deliver IT business agility, deployment flexibility and elasticity. As a result, new workloads are increasingly deployed in public clouds. Worldwide public IT cloud service revenue in 2018 is predicted to be $127B.

Data reduction technology minimizes public cloud costs. For example, deduplication and compression typically cut the capacity requirements of block storage in enterprise public cloud deployments by up to 6:1. These savings are realized as reduced storage consumption and lower operating costs in public cloud deployments.

Consider AWS costs when employing data reduction:

If you provision 300 TB of EBS General Purpose SSD (gp2) storage for 12 hours per day over a 30 day month in a region that charges $0.10 per GB-month, you would be charged $15,000 for the storage.

With data reduction, that monthly cost of $15,000 would be reduced to $2,500. Over a 12 month period you will save $150,000. Capacity planning is a simpler problem when the capacity is 1/6th its former size. Bottom line, data reduction increases agility and reduces the cost of public clouds.

One data reduction application that can readily be applied in the public cloud is Permabit’s Virtual Disk Optimizer (VDO), a pre-packaged software solution that installs and deploys in minutes on Red Hat Enterprise Linux and Ubuntu LTS Linux distributions. To deploy VDO in Amazon AWS, the administrator provisions Elastic Block Storage (EBS) volumes, installs the VDO package into their VMs and applies VDO to the block devices that represent those EBS volumes. Since VDO is implemented in the Linux device mapper, it is transparent to the applications installed above it.

As data is written out to block storage volumes, VDO applies three reduction techniques:

  1. Zero-block elimination uses pattern matching techniques to eliminate 4 KB zero blocks

  2. Inline Deduplication eliminates 4 KB duplicate blocks

  3. HIOPS Compression™ compresses remaining blocks 


This approach results in remarkable 6:1 data reduction rates across a wide range of data sets. 
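The three stages listed above are easy to misjudge from a headline ratio alone, because each stage only helps for certain kinds of blocks. The simulation below is an added illustration written for this page, not Permabit or VDO code: it runs a constructed volume through zero-block elimination, fingerprint-based inline deduplication and compression, and reports how much of the logical data survives each stage. Assumptions, all mine rather than the article's: SHA-256 as the block fingerprint, zlib as a stand-in for HIOPS Compression, and compressed blocks charged at their compressed size capped at 4 KB (real packing of compressed fragments into physical blocks is more involved). The sample volume mixes a sparse region, unique log text, repeated copies of one block, and pseudo-random bytes standing in for encrypted or already-compressed data, which is exactly the kind of content that no reduction stage can shrink.

```python
"""Simulation of a three-stage block reduction pipeline:
zero-block elimination, inline deduplication, compression.

Illustrative code only (not Permabit/VDO). SHA-256 fingerprints and zlib
are assumed stand-ins; compressed blocks are charged min(size, 4 KB).
"""
import hashlib
import zlib
from dataclasses import dataclass

BLOCK_SIZE = 4096          # the 4 KB block granularity the article describes
ZERO_BLOCK = bytes(BLOCK_SIZE)


@dataclass
class ReductionStats:
    total_blocks: int = 0
    zero_blocks: int = 0
    duplicate_blocks: int = 0
    unique_blocks: int = 0
    stored_bytes: int = 0

    @property
    def raw_bytes(self) -> int:
        return self.total_blocks * BLOCK_SIZE

    @property
    def ratio(self) -> float:
        """Logical bytes written divided by physical bytes stored (N:1)."""
        if self.stored_bytes == 0:
            return float("inf")
        return self.raw_bytes / self.stored_bytes


def reduce_volume(data: bytes) -> ReductionStats:
    """Run every 4 KB block of `data` through the three reduction stages."""
    if len(data) % BLOCK_SIZE:
        raise ValueError("volume must be a whole number of 4 KB blocks")
    stats = ReductionStats()
    index = {}  # fingerprint -> content of the block already stored
    for off in range(0, len(data), BLOCK_SIZE):
        blk = data[off:off + BLOCK_SIZE]
        stats.total_blocks += 1
        # Stage 1: zero-block elimination. An all-zero block costs no space;
        # only the mapping "this logical block is zero" would be kept.
        if blk == ZERO_BLOCK:
            stats.zero_blocks += 1
            continue
        # Stage 2: inline deduplication. The fingerprint hit is treated as
        # advice only: the stored bytes are compared before the block is
        # shared, so a fingerprint collision cannot silently corrupt data.
        fp = hashlib.sha256(blk).digest()
        if fp in index and index[fp] == blk:
            stats.duplicate_blocks += 1
            continue
        index[fp] = blk
        stats.unique_blocks += 1
        # Stage 3: compress what is left. Incompressible content (random,
        # encrypted, already compressed) is stored as-is at the full 4 KB.
        compressed = zlib.compress(blk, 6)
        stats.stored_bytes += min(len(compressed), BLOCK_SIZE)
    return stats


def log_blocks(n: int) -> bytes:
    """Constructed web-server log text: every line unique, all compressible."""
    out = bytearray()
    req = 0
    while len(out) < n * BLOCK_SIZE:
        out += f"2017-02-28T12:00:00Z web01 nginx: req={req:06d} GET /index.html 200\n".encode()
        req += 1
    return bytes(out[: n * BLOCK_SIZE])


def random_blocks(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 counter stream), standing in
    for encrypted or already-compressed data that nothing can shrink."""
    out = bytearray()
    counter = 0
    while len(out) < n * BLOCK_SIZE:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[: n * BLOCK_SIZE])


def sample_volume() -> bytes:
    """Constructed 256 KB volume mixing the block types a real disk holds."""
    logs = log_blocks(16)
    return (
        bytes(16 * BLOCK_SIZE)        # sparse, never-written region
        + logs                        # 16 distinct, compressible blocks
        + logs[:BLOCK_SIZE] * 16      # 16 copies of one block (shared image data)
        + random_blocks(16)           # 16 incompressible blocks
    )


if __name__ == "__main__":
    s = reduce_volume(sample_volume())
    print(f"blocks={s.total_blocks} zero={s.zero_blocks} dup={s.duplicate_blocks} "
          f"unique={s.unique_blocks} stored={s.stored_bytes}B ratio={s.ratio:.1f}:1")
```

Running the script reports the per-stage counts for the constructed volume; swapping `sample_volume()` for a volume made only of `random_blocks()` shows a ratio of exactly 1:1, which is the practical reason reduction ratios quoted for logs, VM images and home directories do not carry over to data that was encrypted or compressed before it reached the block layer.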

Private Cloud

Organizations see similar benefits when they deploy data reduction in their private cloud environments. Private cloud deployments are chosen over public cloud because they offer the flexibility of the public cloud model while keeping privacy and security under the organization’s own control. IDC predicts $17.2B in infrastructure spending for private cloud in 2017, including on-premises and hosted private clouds.

One problem that data reduction addresses for the private cloud is the double whammy of hardware infrastructure costs plus annual software licensing costs. For example, Software Defined Storage (SDS) solutions are typically licensed by capacity, so their costs are directly proportional to hardware infrastructure storage expenses. Data reduction decreases storage costs because it reduces storage capacity consumption. For example, deduplication and compression typically cut the capacity requirements of block storage in enterprise deployments by up to 6:1, or approximately 85%.

Consider a private cloud configuration with a 1 PB deployment of storage infrastructure and SDS. Assuming a current hardware cost of $500 per TB for commodity server-based storage infrastructure with datacenter-class SSDs and a cost of $56,000 per 512 TB for the SDS component, users would pay $612,000 in the first year. Because the software subscription is annual, over three years you will spend $836,000 for 1 PB of storage, and over five years, $1,060,000.

The same configuration with 6:1 data reduction will cost $176,667 for hardware and software over five years, resulting in $883,333 in savings. And that’s not including the additional substantial savings in power, cooling and space. As businesses develop private cloud deployments, they should make sure those deployments include data reduction capabilities, because the cost savings are compelling.

When implementing private cloud on Linux, the easiest way to include data reduction is with Permabit Virtual Data Optimizer (VDO). VDO operates in the Linux kernel as one of many core data management services and is a device mapper target driver transparent to persistent and ephemeral storage services whether the storage layers above are providing object, block, compute, or file based access.

VDO - Seamless and Transparent Data Reduction


The same transparency applies to the applications running above the storage service level. Customers using VDO today realize savings up to 6:1 across a wide range of use cases.

Some workflows that benefit heavily from data reduction are:

  • Logging: messaging, events, system and application logs

  • Monitoring: alerting, and tracing systems

  • Database: databases with textual content, NoSQL approaches such as MongoDB and Hadoop

  • User Data: home directories, development build environments

  • Virtualization and containers: virtual server, VDI, and container system image storage

  • Live system backups: used for rapid disaster recovery

With data reduction, cumulative cost savings can be achieved across a wide range of use cases, which is what makes data reduction so attractive for private cloud deployments.

Reducing Hybrid Cloud's Highly Redundant Data

Storage is at the foundation of cloud services, and almost universally data in the cloud must be replicated for data safety. Hybrid cloud architectures that combine on-premises resources (private cloud) with colocation, private and multiple public clouds result in highly redundant data environments. IDC’s FutureScape report finds “Over 80% of enterprise IT organizations will commit to hybrid cloud architectures, encompassing multiple public cloud services, as well as private clouds by the end of 2017.” (IDC 259840)

Depending on a single cloud storage provider for storage services puts SLA targets at risk. Consider the widespread AWS S3 storage errors that occurred on February 28th 2017, where data was not available to clients for several hours. Because they lost access to their data, businesses may have lost millions of dollars of revenue. As a result, more enterprises today are pursuing a “Cloud of Clouds” approach where data is redundantly distributed across multiple clouds for data safety and accessibility. Unfortunately, because of the data redundancy, this approach increases storage capacity consumption and cost.

That’s where data reduction comes in. In hybrid cloud deployments where data is replicated to the participating clouds, data reduction multiplies capacity and cost savings. If 3 copies of the data are kept in 3 different clouds, 3 times as much is saved. Take the private cloud example above where data reduction drove down the costs of a 1 PB deployment to $176,667, resulting in $883,333 in savings over five years. If that PB is replicated in 3 different clouds, the savings would be multiplied by 3 for a total savings of $2,649,999.

Permabit’s Virtual Data Optimizer (VDO) provides the perfect solution to address the multi-site storage capacity and bandwidth challenges faced in hybrid cloud environments. Its advanced data reduction capabilities have the same impact on bandwidth consumption as they do on storage, which translates to a 6X reduction in network bandwidth consumption and associated cost. Because VDO operates at the device level, it can sit above block-level replication products to optimize data before that data is written out and replicated.

Summary

IT professionals are finding that the future of IT infrastructure lies in the cloud. Data reduction technologies enable clouds, whether public, private or hybrid, to deliver on their promise of safety, agility and elasticity at the lowest possible cost, making cloud the deployment model of choice for IT infrastructure going forward.

Global economic losses from disaster events almost doubled in 2016 to $175 billion from $94 billion in 2015, according to the most recent Sigma Study from the Swiss Re Institute.

Insured losses also rose steeply to $54 billion in 2016 from $38 billion in 2015, the study found. This led to a “protection gap,” as the company calls it, of some $121 billion, the difference between economic and insured losses, a figure highly indicative of the opportunity for greater insurance penetration, according to Swiss Re. “The shortfall in insurance relative to total economic losses from all disaster events…indicates the large opportunity for insurance to help strengthen worldwide resilience against disaster events,” said the report. The gap was $56 billion in 2015.

Total economic and insured losses in 2015 and 2016:

...

http://www.riskmanagementmonitor.com/disaster-losses-climb-as-protection-gap-widens-sigma-study/

1.4 Billion Data Records Exposed in 2016

Wednesday, 29 March 2017 13:56

Gemalto yesterday released the findings of its Breach Level Index for 2016, which states that 1,792 data breaches worldwide led to the compromise of almost 1.4 billion data records last year, an increase of 86 percent over the previous year.

Identity theft was the leading type of data breach in 2016, accounting for 59 percent of all data breaches.

The second most common type of breach was account-access-based breaches, accounting for 54 percent of all breached records, a surge of 336 percent over 2015.

...

http://www.esecurityplanet.com/network-security/1.4-billion-data-records-compromised-in-2016.html

Not all emergency communication software is created equal. Here are four tips to help you choose the best system for your organization

There are several emergency notification software vendors who offer a variety of features and functionalities that organizations can leverage to improve their communication strategy. While many of these capabilities may seem beneficial, it is important to focus on the specific needs of your organization when evaluating technologies. Too many complex features can make the software overwhelming and difficult to use, slowing adoption and adding extra steps to the process of sending important communications. Ultimately, you want to find a reliable platform that can send quick and effective notifications to keep your people safe, informed, and connected.

Here are four key factors to consider when choosing the best emergency notification system for your organization:

Evaluate your needs and assess your risk

When designing an emergency communication plan, start by understanding what is at risk: your people, facilities, parts and products, intellectual property, technology, and automobiles and/or fleet. All of your assets, and the operations that depend on these assets, are at risk when an emergency arises.

Ask yourself, what are the emergencies that are most likely to occur? IT outages, weather-related incidents, power failures, and security lockdowns are the most common. Each location where your company operates, including home offices, may have different variables and risks to evaluate. Consider the weather and geological events those areas are prone to, the security and IT support in those facilities, the nearest emergency response organizations and hospitals, and the number of employees who may be affected.

Each facility likely differs as far as how buildings and workspaces are designed, evacuation routes, surrounding streets and neighborhoods, and even the demographics of the staff located in each building. Some locations may have handicapped employees, elderly, or even children in an office daycare. Are there elevators or stairwells? An easy route for emergency vehicles? Are there any hazardous materials stored at any of the locations? All of these factors may come into play during an emergency and you need to be equipped with the right technology to effectively communicate with your people. Thinking through all of the possible scenarios, and thinking through what communication steps will be required, will help you decide which software solution makes the most sense.

Look for software vendors that provide the features and functionality you need

Emergency communication platforms differ greatly and the ideal product will be customized to your organization’s specific needs and requirements. Some of the key characteristics you will want to look for in an emergency communication system will include:

  • Intuitive user experience
  • Two-way communications
  • Multi-channel delivery
  • Compatibility with any device
  • Measurement tools, analytics, and reporting
  • Dedicated customer support

One of the most important features to look for in an emergency notification system is an intuitive user experience. When you are under time pressure or stress from an impending crisis, you need to know that you can quickly and accurately operate the system within seconds. Some solutions were built decades ago and have continued to add features to a legacy system. These often require time and effort to integrate with your existing systems. Instead, find modern software that was built during the smartphone era. Modern platforms will be much easier to adopt and maintain. In fact, the best solutions today are cloud-based so you never need to worry about maintenance. They can provide a more reliable and secure platform you know will be there when you need it most.

Two-way communication is relatively new and mirrors the expectations the audience has: to be a part of the conversation. Social media has changed our perceptions of how we should communicate and now more than ever, people insist on being a contributor and engaging in dialogue. Modern mass communication systems value employee feedback and input. In fact, it is the first-hand eyewitnesses that can often offer the most insight during a situation. The right system will allow your people to initiate communications, which makes sense since they may be the first ones to be witness to an incident.

Multi-channel communication options are critical, as employees are more mobile than ever, and as your people communicate in a greater variety of ways than ever before. A communication system needs to enable more than just phone and email communications. It must include any and all channels your employees are using, such as text messages, native apps, social media, Slack, and more.

Gone are the days of employees sitting at their desks from 8 a.m. to 5 p.m. Monday through Friday. We are constantly traveling, working remotely from home, an airport, a coffee shop, or a hotel. You need a system that can send notifications and alerts simultaneously across all devices, anywhere in the world. Not only will this ensure the highest receive rate, but it will also get the employees’ attention as all channels are activated at once.

Measuring the success of a notification is an important step in the process and the well-being of your people. A great communication system will give you the analytics you need to determine if your notification was effective, measuring how each delivery channel performed, open rates for notifications, response rates, and employee feedback. Using these metrics and additional detailed reports, you can help improve emergency plans, find gaps in message coverage, and identify areas for overall improvement.

And finally, the best emergency communication vendors provide you with dedicated customer support that you can access 24/7. From implementation to everyday operations, it is important to know that you have a live resource at your fingertips to assist you or answer your questions.

Make sure the software is easy to implement

Adding a new communication system does not end with your software selection. The right software will offer you features and functionalities you did not have before, but those can only be effective if people are empowered to use them.

If your system of choice is intuitive and easy-to-use, then it will not require extensive training, and you can easily add new users who can access the platform and send messages during critical events without pause or confusion. Knowing when and how to use the system, knowing what situations are considered worth acting on, and knowing who is to receive the communications – this all takes planning, but you can soften those challenges by selecting the right partner. And the key to selecting the right partner is ensuring that they have a customer support representative dedicated to your account to walk you through each step of the process.

The most important step in implementing a communication system is to customize the software for your organization’s structure and geography. Every location will have its own list of employees, potential threats, and other considerations. The right communication system will automate much of this for you, particularly if it is integrated with your HR application. Setting up the directories should not take long but can save you invaluable time when a critical situation arises.

In our fast-paced world, you want to ensure that you can send messages on the go. One of your first priorities will be to install your chosen vendor’s mobile app on all of your devices to ensure you can send and receive notifications at all times.

You can further customize the software to include the channels you know are most prevalent in your organization. Does your company use two-way radios? Flashing lights? Whatever channel you want to include should be easy to add and modify at will using an Application Programming Interface (API). Keep in mind that with the help of customer support, you can use an API to integrate all of your existing systems and any customized channels you will want to add to the communications software.

Look for a system that allows you to pre-build templates for every channel, as well as the ability to customize your messages. If you know of certain situations when an automated notification can be sent, such as weather alerts or schedule changes, go ahead and create it. Otherwise, learn how to build your own message on the fly quickly so you are familiar with the steps during an emergency event.

And finally, familiarize your organization with the system by sending a test message. Use the system to notify employees about the new system. Check to see if everyone received the notification, which channels delivered the notification, how long it took for the notification to be drafted and sent, and if the message sent was the right message.

Once a vendor is chosen do not be afraid to ask for help if you need it. The vendor should provide implementation and configuration support around the clock as part of the contract.

Consider other uses for the system

If you choose the right emergency communication system, you will quickly find that it is useful for a wide variety of other business needs. In fact, the system can be used in any situation where a large number of employees need critical or time-sensitive information.

Some of the more interesting ways a communication system can be used are in logistics and scheduling. Generally, organizations with scheduled shift workers and/or fleet drivers have to manage a lot of moving parts. Using the system to communicate back and forth with these employees can be much more efficient than most dispatch systems.

Event planning, guest communications, and volunteer coordination are all eased with a mass communication system. Again, because the system can engage people across channels and devices, messages, alerts, notifications, and tips can all be received more reliably. Some organizations are foregoing time-consuming email newsletters for instant notifications using a mass communication system.

Some common non-emergency uses of mass notification systems include:

  • Weather-related notifications that may impact classes, events, or games
  • Traffic alerts
  • Members-only notifications
  • Billing alerts
  • Venue changes
  • Event updates and reminders
  • Parking tips
  • Closings or delays
  • Shipping notifications
  • Appointment/reservation reminders
  • Guest, customer, or employee surveys

If you aren’t sure which system is best for your organization, see if the vendors you are considering offer demonstrations or trial periods. While you evaluate the technology, keep a close eye on the level of service. You want people who know not only communications, but your industry. They should provide around-the-clock support with real people answering the calls so you know in an emergency, you can talk to a live person.

No matter the size of your organization, you and your employees deserve to work in a safe environment. Once you have chosen a great solution, you will be able to take comfort in knowing you have something in place to keep everyone informed and connected. By doing your homework on the front end and choosing the right emergency notification vendor, you will greatly increase the odds of your organization getting through an emergency safely and with very little impact on operations.

About the author
Brett Andrew is VP of Sales and Marketing for AlertMedia, the fastest-growing mass communications provider in the world, offering an easy-to-use software platform that combines multi-channel messaging and monitoring to keep people safe, informed, and connected. Brett can be reached at 800 826-0777.

The Business Continuity Institute

With an increasing volume of conversation taking place around the concept of ‘organizational resilience’, business continuity management professionals are taking advantage of this to expand their own remit and improve their career opportunities. These are the findings of a new report published jointly by PwC and the Business Continuity Institute.

The report – What does the future hold for business continuity management professionals? – was the outcome of a survey carried out by the BCI, as well as a breakout session held at the BCI World Conference. The findings showed that nearly two-thirds of respondents (62%) reported that their remit is expanding beyond traditional business continuity management, with over half (53%) noting that they’re working more closely with information security, just less than half (45%) with risk management and four out of ten (42%) with IT.

Why is increased collaboration important? The vast majority (90%) agreed that resilience is greater when the management disciplines are more joined up.

The growing interest in resilience is increasing career opportunities for business continuity professionals with more than half (56%) saying it opens up more options. As a result, 6 in ten (60%) want additional qualifications, and over a quarter already have a Masters degree.

Of course there were other insights into the profession that were revealed by the survey. Nearly three-quarters of respondents (72%) were male, and while this may not be an accurate reflection of the industry, it is indicative of a significant gender imbalance.

The report concludes that business continuity management continues to present an interesting and varied career that gives post holders a "spectacular understanding of their organization" and a "brilliant network of contacts within it." These conclusions are consistent with the BCI’s position statement on organizational resilience published in 2016, and they are a positive reflection that the business continuity profession is still evolving, with the business continuity management discipline itself a key contributor to a more resilient society.

You can learn more about organizational resilience by taking the BCI's new course - Introduction to Organizational Resilience. This course will provide students with a practical approach to build on the foundation of their existing skills and knowledge in order to develop and enhance the resilience capability within their organizations.

Rumors had been flying for some time about SimpliVity needing additional funding, and that HPE had made an offer that was unacceptably low at $650 Million. Clearly, these were more than casually well-informed rumors, since HPE announced on January 17 that it would be acquiring SimpliVity for $650 Million in cash. Was this a fair price? That is hard to say. Since I’m not really an equity analyst, I will spend no more time on this other than to say that it is far short of the kinds of valuations that the industry was expecting. Competitor Nutanix’s current market capitalization is slightly over $4B, which is more than a bit rich for such a company. Despite its high growth rates, it has yet to turn a profit.

But pricing aside, was it a smart move for HPE? Absolutely. It’s , and certainly one that helps shatter the perception that HPE always overpays for its acquisitions, even when they are strategically sound. SimpliVity was essentially tied for first place in Forrester’s recent Wave™ report on Hyperconverged Infrastructure Solutions, coming in substantially stronger than HPE’s own HC380 product.

The fit with HPE for SimpliVity’s solution is impressive because:

...

http://blogs.forrester.com/richard_fichera/17-01-23-hpe_acquires_simplivity_strong_tactical_move_with_strategic_ramifications_for_the_hci_landscape
