Industry Hot News

In our Data Center Destinations series, From the Racks takes a look at locations that are thriving hubs for data center innovation and construction. These places are grabbing the attention of data center providers and enterprises.

Previously, we’ve discussed the data center draw to Toronto and Ashburn, Virginia. For this spotlight, we’re looking at Chicago – one of the liveliest and most active data center markets in the U.S.

What’s Driving Demand?

Because it is the third largest city in the U.S. and serves as headquarters for several Fortune 500 companies, it’s not a surprise that Chicago is a featured data center destination. And with so many large industries thriving in the area (e.g. financial services, telecom, healthcare, insurance, tech, etc.), minimal latency is a necessity. This, in turn, is driving both downtown and suburban expansion for data centers.



The Business Continuity Institute

The risk of a data breach is increasing in the retail industry as retailers accumulate more and more personal information on their customers as part of their ‘Big Data’ initiatives. As such, the number of retail businesses reporting data breaches to the Information Commissioner's Office has doubled in just one year, jumping from 19 in 2015/16 to 38 in 2016/17, says law firm, RPC.

The rise of online shopping, loyalty programmes, digital marketing and offering electronic receipts in store mean that even a small multiple retailer will be gathering exactly the kind of data that hackers will be looking for, and the retail industry is beginning to feel the pressure to invest more heavily in cyber security.

The regulatory burden and financial risks involved in a data breach will increase substantially when the General Data Protection Regulation (GDPR) comes into force in May 2018. These rules will make reporting breaches mandatory. As companies are not currently required to report every attack they suffer, the actual number of data breaches in the retail sector is likely to be even higher.

Jeremy Drew, Partner at RPC, comments: “Retailers are a goldmine of personal data but their high profile nature and sometimes ageing complex systems make them a popular target for hackers. There are so many competing pressures on a retailer’s costs at the moment – a rise in the national minimum wage, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”

Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.

Jeremy Drew added: “As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained. No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”

(TNS) - In anticipation of a large influx of visitors through the solar eclipse Monday, area emergency response organizations and health-care providers are finalizing areawide plans to respond to potential emergency situations.

“This is fairly unprecedented, uncharted territory,” said Brady Dubois, Mosaic Life Care medical center president. “We are absolutely hopeful that it’s a Y2K-type event and nothing ends up happening, but we know that if we don’t prepare for it, then we are not going to be able to handle it if it happens.”

Mosaic Life Care, Buchanan County, Mo., Emergency Management and other area health-care providers have spent almost the last year coordinating large-scale plans to respond to emergency medical situations through the end of the solar eclipse Aug. 21. Much of the additional response will start over the weekend.



The Business Continuity Institute

By 2100, two in three people living in Europe may be affected by weather-related disasters, according to a study published in The Lancet Planetary Health which sheds light on the expected burden of climate change on societies across Europe.

The study analyses the effects of the seven most harmful types of weather-related disaster - heatwaves, cold snaps, wildfires, droughts, river and coastal floods, and windstorms - in 28 European Union countries, as well as Switzerland, Norway and Iceland. The projected increases were calculated on the assumption of there being no reduction in greenhouse gas emissions and no improvements to policies helping to reduce the impact of extreme weather events (such as medical technology, air conditioning, and thermal insulation in houses).

"Climate change is one of the biggest global threats to human health of the 21st century, and its peril to society will be increasingly connected to weather-driven hazards," says lead author Dr Giovanni Forzieri of European Commission Joint Research Centre in Italy. "Unless global warming is curbed as a matter of urgency and appropriate measures are taken, about 350 million Europeans could be exposed to harmful climate extremes on an annual basis by the end of the century."

The study estimates that heatwaves would be the most lethal weather-related disaster, and could cause 99% of all future weather-related deaths, increasing from 2,700 deaths a year in 1981-2010 to 151,500 deaths a year in 2071-2100.

It also projects substantial increases in deaths from coastal flooding, which could increase from six deaths a year at the start of the century to 233 a year by the end of the century.

Comparatively, wildfires, river floods, windstorms and droughts showed smaller projected increases overall, but these types of weather-related disaster could affect some countries more than others. Cold snaps could decline as a result of global warming; however, the effect of this decline will not be sufficient to compensate for the other increases.

Due to projected increases in heatwaves and droughts, the effect is likely to be greatest in southern Europe, where almost all people could be affected by a weather-related disaster each year by 2100, projected to cause around 700 deaths per million people each year.

Comparatively, in northern Europe, one in three people could be affected by a weather-related disaster each year, resulting in three deaths per million people each year.

Climate change is likely to be the main driver behind the potential increases, accounting for 90% of the risk while population changes such as growth, migration and urbanisation account for the remaining 10%.

"This study contributes to the ongoing debate about the need to urgently curb climate change and minimise its consequences. The substantial projected rise in risk of weather-related hazards to human beings due to global warming, population growth, and urbanisation highlights the need for stringent climate mitigation policies and adaptation and risk reduction measures to minimise the future effect of weather-related extremes on human lives," adds Dr Forzieri.

Adverse weather, which includes events such as heatwaves, featured fifth in the list of concerns that business continuity professionals have, as identified in the Business Continuity Institute's latest Horizon Scan Report. Climate change, however, is not yet widely considered an issue: only 23% of respondents to a global survey considered it necessary to evaluate climate change for its business continuity implications.

Politics in career progression, in investments, in enterprise projects – but in business continuity as well?

You might think that business continuity was immune to such ideas: either a business is functioning properly (BC works) or malfunctioning, possibly to the extent of breakdown (BC needs to be fixed). Yet the planning and processes of business continuity itself are subject to internal political pressure. Here are a couple of things you might reflect on, so that you can at least manage BC around them, even if you can’t prevent them.

Long-standing business continuity vulnerabilities can be difficult to handle, when their longevity is due to senior managers deliberately turning a blind eye.

Putting such risks into the spotlight can be seen as a threat to the credibility and reputation of those who chose to ignore them. The only way to address such risks correctly may be to gather suitable data and present it to those who need to know or who should know better, being ready to take it to higher levels if necessary.



(TNS) — An earthquake early warning system that could give residents up and down the West Coast precious extra seconds to prepare for impending shock waves has taken a step forward.

The U.S. Geological Survey has awarded $4.9 million to six universities and nonprofits governed by universities to support the ShakeAlert earthquake early warning system, according to a news release.

Also, the USGS purchased nearly $1 million in new equipment to expand and improve the system.

ShakeAlert is a product of the USGS Advanced National Seismic System, a federation of national and regional earthquake monitoring networks throughout the country, including networks along the West Coast and Nevada.



In the third piece of our Business Continuity 101 Series, we delve into why organizations invest in business continuity, dispelling common BC misconceptions, and explaining value-based BC investment.

A common point of confusion for new BCM practitioners is the why and how of implementing a business continuity (BC) program. What are, or should be, the drivers for implementation and ongoing, continual improvement? Most organizations consider business continuity as a form of insurance or a cost to be minimized. We agree that BC is related to insurance; it is there to ensure that an organization remains whole during an emergency event. We would say that costs associated with BC should be appropriate. There is no reason to overspend on recovery solutions, but it is risky to underspend as well. BC should be implemented as any other function that is not profit generating.



BATON ROUGE, La. — A public-private partnership continues to help Louisiana communities recover from the August 2016 floods and become better prepared for future disasters.

The partnership includes members of the private sector, local and state governments and various federal agencies. Recovery accomplishments include:

  • The Louisiana Disaster Recovery Alliance created a guide of available resources to help families and communities recover from the August 2016 floods. The alliance is a group of philanthropic organizations and state and federal recovery partners.
  • The state created the Louisiana Supply Chain and Transportation Council to make the state’s transportation systems more resilient. The council consists of officials from state and federal agencies, academic institutions and private sector leaders.
  • The state also launched the Louisiana Housing Heroes initiative. This governor-championed initiative identifies landlords, property owners and managers in disaster-designated parishes who agree to make affordable homes, apartments and other housing units available to displaced flood survivors.
  • Recovery partners continue to meet with communities to help them implement resiliency and recovery strategies.

The partnership’s various federal agencies work with communities to address recovery challenges. Specialists have coordinated with community leaders and recovery partners to find solutions to housing needs, rebuilding the economy and infrastructure, preserving heritage and maximizing resiliency.

Below are the federal agencies consulting with affected communities and what they’re helping with:

  • Community planning and capacity building, FEMA;
  • Economic recovery, U.S. Department of Commerce;
  • Health and social services issues, U.S. Department of Health and Human Services;
  • Housing, U.S. Department of Housing and Urban Development;
  • Infrastructure systems, U.S. Army Corps of Engineers; and
  • Natural and cultural resources, U.S. Department of Interior.


With just a few months remaining to become compliant with the Centers for Medicare and Medicaid Services (CMS) emergency preparedness regulations, healthcare providers and suppliers are ramping up their efforts to ensure their organizations will meet the CMS emergency preparedness deadline of November 15, 2017. Is your facility ready?

To be compliant with the new emergency preparedness guidelines, CMS requires that your plan consist of four integral parts:

  1. Emergency Preparedness
  2. Communications
  3. Policies and Procedures
  4. Training and Testing

This blog will focus on the communications section of these guidelines and how your organization can work towards compliance in a way that is most beneficial for your facility.



Security incidents within law firms have been growing as a threat because cybercriminals are recognizing the pivotal role firms play in housing sensitive client information for legal proceedings. Because of this, attackers have begun to target the legal industry with unprecedented force. Even the largest and most prestigious firms with best-of-breed cybersecurity solutions are no longer immune to intrusions.

Clients and auditors have recognized this increased attention on the legal industry, and have begun to pressure their law firms for more evidence of protection and recoverability. For example, a recent survey* of the legal industry found that 42% of respondents stated an increase in client concerns about IT operations and data retention, and 51% agreed that audits and regulations are an increasing pressure. Law firms must now provide proof to these constituents of a robust cybersecurity stance.

For this reason, Bluelock now offers a Cyber Threat Health Review, a professional service engagement for law firms seeking to mitigate risk from ransomware and other cyber threats. This review is a low-commitment, high-impact analysis of current data protection technology and policies designed to minimize data loss and operational downtime. It covers the core components of the firm’s threat protection, detection and recovery response strategies.

With over a decade of experience helping clients maintain and protect critical workloads, Bluelock’s expert team reviews existing security practices with a specific focus on how to respond to threats. Organizations that engage in the service receive face-to-face education and practical guidance to increase resilience and protect customer confidence.

The Cyber Threat Health Review process includes the following steps:

  1. Survey and Interviews: Relevant information is collected via surveys and phone interviews
  2. Onsite Education: Our team provides education to staff and executives for best practices
  3. Detailed Analysis: Our team reviews policies and technology for gaps and opportunities
  4. Onsite Delivery of Action Plan: Details risk profiles and action plan from our analysis

For more information, visit https://www.bluelock.com/cyber-health/.

* “2016 IT Disaster Recovery Planning and Preparedness Survey.” ALM and Bluelock, October 2016.



The Business Continuity Institute

When the United Kingdom exits the European Union, the four freedoms that currently exist will be no more. The free movement of goods, services, capital and people will probably be gone, and more restrictions will be placed on their movements across borders. The free movement of people is the primary reason that many people voted to leave the European Union in the first place.

With mainland Britain, it is relatively easy to be restrictive about what comes in and out of the country: there are no land borders with another country, so anything or anyone coming in or out is funnelled through a specific location – an airport, port or station. In Northern Ireland, however, which will also exit the EU, the situation is slightly more problematic, as the country shares a land border with the Republic of Ireland stretching over 300 miles (or 500 kilometres, depending on which side of the border you are on).

There are now many different possibilities for what could happen to this border in a post-Brexit world, ranging from the status quo, with people free to cross without any restriction, to a hard border with checkpoints at all the crossings, although building a wall might be a little bit extreme. The former undermines the whole point of Brexit, which was to end the free movement of people between the EU and the UK and so prevent too many people from entering the UK. The latter would undermine the peace process brought about by the Good Friday Agreement, which sought to remove the border infrastructure and checkpoints that were symbolic of the threat of violence that existed during The Troubles.

A middle option that has been suggested is a soft border between the north and the south, but a hard sea border. This would effectively keep Northern Ireland within the EU, but out of the UK, so is not likely to be a preferred option for any Unionists who will see this as a stepping stone toward reunification with the south.

A hard border between the north and the south may not be an issue for big businesses, who I'm sure will find an adequate solution regardless of the outcome. The issue will mostly be with the small businesses situated near the border that rely on trade with the other side – a local market in which the border, for now, is an irrelevance. Figures suggest that 80% of trade across the Irish border is carried out between SMEs.

Organizations on both sides of the border need to consider how the different options would affect them and then consider what measures they could put in place to lessen the impact. Organizations need to monitor the negotiations closely to see how the potential for disruption is developing to ensure that they are ready to face any challenges that come their way.

Of course, it is also worth noting that this is not just an issue for the Irish border; it will also become an issue at the border between Spain and Gibraltar, where people routinely cross on a daily basis to trade or work on the other side. Arguably it will be more problematic in this situation, as tensions are slightly greater between the two countries on either side of the border.

So what steps has your organization taken to prepare itself for Brexit?

Your thoughts, as always, are welcome.

David Thorp
Executive Director of the Business Continuity Institute

Wednesday, 16 August 2017 15:39

BCI: Controlling the Irish border after Brexit

The Business Continuity Institute

Such is the high calibre of the Business Continuity Institute’s research output that its latest publication – the 2017 Cyber Resilience Report – is to be used as part of the teaching programme by Cranfield University, the UK’s only exclusively postgraduate university and a global leader for education and transformational research in technology and management.

The BCI’s Cyber Resilience Report, a study of the cause and consequence of cyber disruptions affecting organizations across the globe, will be used as part of the teaching programme for the MSc in Cyber Defence and Information Assurance. The report will form the basis of in-class and online discussions as part of the degree’s focus on real-life issues.

Dr Ruth Massie MBCI, Programme Director for the Cyber Masters Programme and long-standing member of the BCI, said: “It’s important that students get the opportunity to understand not just the causes of cyber related interruptions but the size and scale of the consequences. This report gives students the opportunity to understand and discuss these issues in a leadership context.”

“This is an encouraging demonstration of the high regard with which our research is held,” said Deborah Higgins FBCI, Head of Professional Development at the BCI. “We know that people working in the industry value our research, but to have it featured within the teaching programme of such a prestigious university as Cranfield helps reaffirm our status as a thought leader in the field.”

Cranfield’s MSc in Cyber Defence and Information Assurance is designed to develop professionals who can effectively manage and exploit the threats and opportunities of cyberspace at the organizational level. The course specifically focuses on responses to serious present and emerging threats in the information domain, and is aimed at mid-career professionals who need a broad understanding of cyber leadership.

The Business Continuity Institute

The importance of managing internal threats to win at cyber security has been emphasised in a study by Haystax Technology and SANS which found that 40% of respondents to their survey rated malicious insiders (insiders who intentionally do harm) as the most damaging threat vector their companies faced.

Furthermore, Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey revealed that nearly half (49%) said they were in the process of developing a formal incident response plan with provisions to address insider threat. This further illustrates the urgency with which companies are moving to address this threat vector.

"We are encouraged to see organizations recognizing malicious insiders as the top threat vector, but we are not seeing the necessary steps taken to address it," said Haystax CEO, Bryan Ware. "Existing tools aren't smart enough, or don't have the context needed to identify malicious insiders. What's needed is contextually-smart, user behavior analytics that produce actionable intelligence for decision makers."

Despite the increased awareness of the threat from malicious insiders, many organizations continue defending against the wrong enemy by failing to implement effective detection tools and processes to identify these malicious insiders. A third of survey respondents (34%) have these tools and technology but have not used them operationally, and more than a third (38%) are in the process of re-evaluating internally how to better identify malicious insiders.

"It is misleading to see that 60% of respondents said they had not experienced an insider attack," said SANS instructor and survey report author, Eric Cole, PhD. "The rest of our data indicates that organizations still are not effective at detecting insider threats, so it's clear that most either didn't notice threats or attacks, or didn't realize those incidents involved malicious insiders, or outsiders using compromised insider credentials."

(TNS) — “I don't know where my husband is! Where is he?" screamed Kay Kay McDermott, blood streaming down her face from a large laceration as emergency responders helped her from the wreckage of a train at the Lamy train station one morning last week. Meanwhile, her husband, Stacy McDermott, gritted his teeth against the pain of a fractured leg; some of the bone had forced its way through the skin.

Fortunately, the injuries of the Edgewood couple were nothing more than special-effects makeup and the "wreckage" was actually a fully functional and intact Rail Runner Express car.

The pair were among around 100 actors who assisted with an emergency preparedness exercise involving the New Mexico, Ohio, Oklahoma and Louisiana National Guards and local, state and federal agencies in Lamy on Tuesday.



For Denali Advanced Integration, the stakes couldn’t be higher.

A massive former client – Columbia Sportswear Company – is accusing the Redmond, Wash.-based reseller and IT services provider of hacking into its systems to access emails and other data that Denali could use to win more business from the apparel maker.

Denali says that Columbia has yet to hand over enough information for the services provider to determine the scope of any intrusion.

If it did occur, Denali said, it was the work of a rogue former chief technology officer and that the company had no knowledge of what was going on.



Cutter Consortium Senior Consultant Pete Kaminski has been looking at the business risks posed by software, and how to mitigate them. He gives context to the issue this way:

“Driving business risk down is just smart business. Software-related business risk is an increasing portion of business risk, so knowing how to assiduously reduce software risk has become part and parcel of today’s business reality. Fortunately, there is an array of tools and methods that you can apply across your portfolio of software assets and development projects to manage software risk, which we’ll explore in this Executive Update. Industrializing software risk management is critical for organizations in the digital age. It unleashes the “smarts” in developers so that they can work on the difficult parts of building and delivering applications for the future, while ensuring current, past, and future risk is baked out of applications, putting both human intelligence and software intelligence to their best use.

“Risk can be measured and mitigated at two complementary levels: the component level and the overall system level. There are powerful static code analysis tools available for both levels. Choice of analysis type depends on where the system is within its development and operation lifecycle of the software portfolio.



People, products, processes, and partners are the four “P”s of IT service design in a lifecycle model for IT services, but is there something missing?

The IT service design stage is part of a lifecycle, such as the five-phase lifecycle of service strategy, service design, service transition, service operation, and continual service improvement.

At the design stage, needs and requirements (gathered during the previous strategy phase) are translated into corresponding IT services. But is there a mechanism to ensure that those services will then in turn satisfy the users for which they are destined? Designing in an additional “P” feature could help.

The idea for the additional “P” feature comes from the world of supply chain. When enterprises make and ship goods and services to end-customers, they may use the “perfect order rate” as a measure of success.



The Agile methodology has been touted for years as a software development approach. Since its inception, various industries have adopted Agile principles beyond that original scope. For these not-so-traditional undertakings, each organization must apply Agile principles in the context of its own organization and selectively jettison those characteristics of the method that aren’t fit for purpose.

Just as Agile practice has diverged from its origins, there has also been a shift in analytics, specifically in predictive and prescriptive analytics, across industries from technology to energy. Where many industries have utilized Big Data platforms and data science algorithms for years, oil & gas is only beginning to realize their power.



Tuesday, 15 August 2017 14:49

The Path to VICTORY: Agile for Analytics

Oracle is now offering its Exadata database technology on bare-metal servers available as a cloud service.

The Exadata Database Machine is an appliance that usually lives in the customer’s own data center. It integrates Oracle’s database software, servers, storage, and network connectivity, all meant to make it easier for enterprises to deploy and manage on-premises.

The company initially launched Oracle Exadata Cloud two years ago, allowing its customers to take advantage of Exadata as a cloud service. But over the course of the past year or so, it has upgraded, modernized, and expanded its cloud infrastructure, building a new cloud platform to improve performance and allow it to better compete against Amazon Web Services, Microsoft Azure, and other top cloud providers.

And today Oracle announced that Exadata Cloud is now available on this next-generation cloud infrastructure.



“I don’t know who you are. I don’t know what you want. If you are looking for ransom, I can tell you I don’t have money. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you.” – Liam Neeson, Taken, 2008


The last few months have seen two serious and destructive “ransomware” attacks that significantly affected the operations of several major organizations worldwide. May’s “WannaCry” and June’s “NotPetya” attacks affected millions of staff and caused significant damage – as was their intention.

Ransomware costs for 2017 are estimated in the billions, with a “B”. Not to mention the danger posed by critical systems being down at organizations such as health systems and nuclear power plants.

The attacks are becoming more frequent and more sophisticated with each incident. We will never be able to stop the criminals from striking, so it is imperative that we use all the skills at our disposal to thwart them. What can we do?



The Business Continuity Institute

Organizations are now less confident in their ability to recover from an incident, according to a new study conducted by Databarracks, which suggests that contributing factors include a lack of testing, budgetary constraints and the growing cyber threat landscape.

The Data Health Check report found that almost one in five organizations surveyed (18%) "had concerns" or were "not confident at all" in their disaster recovery plan; an increase from 11% in 2015 and 15% in 2016. Organizations are increasingly making changes to their cyber security policies in response to recent cyber threats (36% this year, up from 33% last year), yet only a quarter (25%) have seen their IT security budgets increased. Small businesses are particularly affected, with just 7% seeing IT security budgets increase.

Financial constraints (34%), technology (24%) and lack of time (22%) are the top restrictions when trying to improve recovery speed. Fewer organizations have tested their disaster recovery plans over the past 12 months – 46% of respondents had not tested in 2017, up from 42% in 2016.

Peter Groucutt, managing director of Databarracks, commented on the results: "It isn't surprising that confidence in disaster recovery (DR) plans is falling. We have seen major IT incidents in the news regularly over the last 12 months, which has raised awareness of IT downtime and we have seen what can go wrong if recovery plans aren't effective.

"What is surprising is that fewer businesses are testing their DR plans. The number of businesses testing their DR plans increased from 2015 to 2016 but has fallen this year. We know that testing and exercising of plans is the best way to improve confidence in your ability to recover. The test itself may not be perfect, few if any are, and there are always lessons to be learned. Working through those recovery steps, however, is the best way to improve your preparedness and organizational confidence."

Validation is one of the six main stages of the BCM Lifecycle according to the Business Continuity Institute's Good Practice Guidelines, and is essential for ensuring an effective business continuity (and, by extension, disaster recovery) programme. By regularly exercising your programme, you can find out where any vulnerabilities are and make improvements, and you can help ensure that people know what is expected of them.

The Business Continuity Institute

6 in 10 organizations view their employees as the biggest threat to successful GDPR adherence and 4 in 10 believe that their current IT systems could also pose compliance risks, according to a GDPR awareness survey conducted by bluesource. The study also highlighted that, even though half (50%) are taking steps to prepare for GDPR compliance, nearly a third (30%) still believe that the regulations won’t affect them, and a fifth (20%) are not sure what to do next.

Over 80% of respondents stated that, with the deadline for GDPR compliance rapidly approaching, they are facing a major challenge, including increased security and governance around cloud environments such as Office 365 and shadow IT. 80% of those surveyed felt that big tech vendors have a responsibility to ensure that their own systems will meet GDPR regulations, as well as those of their customers, but are unsure how this will be achieved.

The increased financial impact of fines, and the expected frequency of their enforcement, is a major concern for most of those surveyed. An overwhelming 90% indicated that a non-compliance fine would result in huge reputational damage for their organization and a loss of trust from customers, suppliers and staff.

Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.

On a more positive note, 45% of those surveyed have already nominated a member of a specific departmental function, including legal, compliance and IT security, to be solely dedicated to privacy and GDPR initiatives. However, 20% haven’t considered selecting a nominated person yet and 35% believe that finding a suitably qualified and experienced individual will be a challenge.

Sean Hanford, information governance consultant at bluesource, commented: "Our research across UK organizations indicates that there still remains a gap between GDPR awareness and action. There must be a swift attitude change towards data protection and staff clearly require better skills, so they become more data savvy."

With urban populations worldwide swelling, there’s an urgent need to calculate the sustainable performance of the buildings that we live and work in. But the variety and complexity of methods available can seem overwhelming. This is where ISO 21930:2017 comes into play. 

The latest edition of ISO 21930:2017, Sustainability in buildings and civil engineering works – Core rules for environmental product declarations of construction products and services, will help assess the environmental performance of a building or infrastructure project using a common method for expressing environmental product declarations (EPD).

An EPD for a construction product is a transparent declaration of its life-cycle impact (incorporating raw material production, construction, operation, maintenance and decommissioning). This in turn provides the information needed to assess the environmental impacts of an entire building or civil engineering works. What’s key about EPDs is that they provide a transparent, independent and reproducible analysis of the environmental impacts of construction products and give detailed information with sound data and figures. As a “sustainability passport”, EPDs form the basis for designing green buildings and other civil engineering works.



Plenty of CEOs “check the box” on compliance. The drill goes something like this: Once a year, the CCO presents the written compliance plan at a board meeting or C-suite retreat. After scanning the checklist of do’s and don’ts, the CEO basically feels satisfied the bar has been met. Time to move on to the next agenda item.

But does checking the box truly protect the company from risk? Does it enhance its business or propel its growth strategy? The likes of Amazon, Apple and Dollar Shave Club have earned kudos for building cultures permeated by a sharp focus on customer service, right down to the smallest interaction. In the same way, regulated companies need to make sure that compliance permeates the organization. The benefits go beyond risk management: A true culture of compliance feels open and honest to everyone it touches; it leads to higher morale, easier recruiting and retention, happier customers and, ultimately, higher productivity. (If this sounds like an overstatement, imagine how it would feel to be at an outfit scandalized by endless sexual harassment claims or embroiled in accusations of “Enron accounting.”) Developing a culture of compliance requires effort, but the concepts are straightforward:



Friday, 11 August 2017 14:34

How the CEO Can Support Compliance

State and local governments are struggling to deal with a number of cybersecurity threats. Tight budgets, lack of talent in the workforce and the constantly evolving nature of threats are a few reasons why the challenge is mounting. But cybersecurity cannot go neglected. State and local agencies store massive amounts of sensitive constituent data such as Social Security numbers, health care records and driver license numbers. And without a secure infrastructure, the public transportation systems, electric grids and water plants powering our nation’s cities remain vulnerable.

Malware-based attacks pose a particularly large risk for state and local governments. Such attacks may cast a wide net to affect as many people as possible, or they may be targeted at a specific individual or organization. Both the reputational and the financial impact of a cyberattack on a state or local entity can be irreparable.



The Business Continuity Institute

When a major flood event occurs it is often attributed to climate change. A single event is not proof, however, and until now it has been unclear whether climate change has a direct influence on large-scale river flooding across Europe. A study conducted by TU Wien along with 30 European partners has now shown that the timing of floods has shifted across much of Europe.

The study, led by Prof. Guenter Bloeschl from the Institute of Hydraulic Engineering and Water Resources Management at TU Wien, showed that climate change has had a real impact on flood events in some regions, and this has been seen by a shift in the timing of floods over the years, dramatically in some areas. Depending on the cause of the flood events, they occur earlier in some regions, and later in others.

"In flood research, we are often concerned with the annual probability of the occurrence of floods," says Prof Guenter Bloeschl from TU Wien. "By observing their magnitudes one can estimate a one hundred-year flood as a high-water event that occurs with a probability of 1% in any one year. If one only examines the magnitude of flood events, the role of the climate can be masked by other effects. Land use change by urbanisation, intensifying agriculture and deforestation are other factors affecting flood events."

In order to understand the connection between climate and floods, Bloeschl and his team looked closely at the timing of the flood events in different regions of Europe. "The timing of a flood provides information about its likely cause," says Bloeschl. For example, in much of north-west Europe and the Mediterranean, floods occur more frequently in the winter, when evaporation is low and precipitation is intense. In Austria, on the other hand, the highest magnitude floods are associated with summer downpours. In north-eastern Europe, the risk of flooding is at its highest in spring because of snow melt. The timing at which floods occur is thus much more directly related to the climate, in contrast with the absolute magnitude of the flood event.
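As an added worked example, not part of the TU Wien study or this article, the following Python shows what Bloeschl's definition means in practice: how an annual exceedance probability and return period are estimated from a record of annual peak flows (the Weibull plotting position used in empirical flood-frequency analysis), what the chance of at least one such flood is over a planning horizon such as a 30-year mortgage, and why a short record cannot directly yield a 100-year value. The discharge series and all function names are constructed for illustration and are not measured data.

```python
"""Return-period estimation from an annual-maximum flood series.

Added example, not from the TU Wien study or the article. The discharge
series below is constructed for illustration, not observed data.
"""
from typing import List, Tuple

# Constructed annual peak discharges (m^3/s), one per year, for a
# hypothetical gauging station. Twenty years of record.
ANNUAL_PEAKS = [
    410, 520, 380, 690, 455, 830, 300, 610, 475, 1150,
    540, 395, 720, 480, 660, 350, 905, 430, 585, 770,
]


def empirical_return_periods(peaks: List[float]) -> List[Tuple[float, float, float]]:
    """Rank annual maxima and assign each an exceedance probability.

    Weibull plotting position: the m-th largest of n values has an
    estimated annual exceedance probability P = m / (n + 1) and a return
    period T = (n + 1) / m years. Returns (discharge, P, T), largest first.
    """
    n = len(peaks)
    ranked = sorted(peaks, reverse=True)
    curve = []
    for m, q in enumerate(ranked, start=1):
        p = m / (n + 1)
        t = (n + 1) / m
        curve.append((q, p, t))
    return curve


def discharge_for_return_period(peaks: List[float], t_years: float) -> float:
    """Linear interpolation of discharge at return period T on the empirical curve.

    Extrapolation beyond the record is refused: with 20 years of data the
    largest observation has T = 21, so a 100-year flood cannot be read off
    empirically. That needs a fitted distribution, which this example
    deliberately does not pretend to supply.
    """
    curve = empirical_return_periods(peaks)
    ts = [t for _, _, t in curve]   # strictly decreasing, largest flood first
    qs = [q for q, _, _ in curve]
    if t_years > ts[0] or t_years < ts[-1]:
        raise ValueError("return period outside the observed record")
    for i in range(len(ts) - 1):
        t_hi, t_lo = ts[i], ts[i + 1]
        if t_lo <= t_years <= t_hi:
            frac = (t_years - t_lo) / (t_hi - t_lo)
            return qs[i + 1] + frac * (qs[i] - qs[i + 1])
    return qs[0]


def risk_over_horizon(return_period: float, years: int) -> float:
    """Probability of at least one exceedance in `years` independent years.

    A 1%-per-year event is far from rare over a long horizon: for a
    100-year flood and a 30-year horizon this is about 0.26.
    """
    p_annual = 1.0 / return_period
    return 1.0 - (1.0 - p_annual) ** years


if __name__ == "__main__":
    for q, p, t in empirical_return_periods(ANNUAL_PEAKS)[:5]:
        print(f"{q:6.0f} m^3/s  P={p:.3f}  T={t:5.1f} years")
    print("30-year risk of a 100-year flood:", round(risk_over_horizon(100, 30), 3))
```

The refusal to extrapolate is the practical point: the largest flood in a 20-year record is only a 21-year event by this method, so a "100-year" figure quoted for a site always rests on a fitted distribution and its assumptions, which is exactly where, as Bloeschl notes, land-use change and climate effects can be masked.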

Flood data from all over Europe have been meticulously compiled, screened and statistically analysed. These show that the floods in Europe have indeed shifted considerably over the last 50 years: "In the north-east of Europe, Sweden, Finland and the Baltic States, floods now tend to occur one month earlier than in the 1960s and 1970s. At that time, they typically occurred in April, today in March," says Guenter Bloeschl. "This is because the snow melts earlier in the year than before, as a result of a warming climate."

In parts of northern Britain, western Ireland, coastal Scandinavia and northern Germany, on the other hand, floods now tend to occur about two weeks later than they did a couple of decades ago. Later winter storms are likely to be associated with a modified air pressure gradient between the equator and the pole, which may also reflect climate warming. The study sheds light on the complexity of flood processes in north-western Europe; on the Atlantic coasts of western Europe, 'winter' floods in fact typically occur earlier, in the autumn, as maximum soil moisture levels are now reached earlier in the year. In parts of the Mediterranean coast, flood events occurring later in the season are aligned with the warming of the Mediterranean.

"The timing of the floods throughout Europe over many years gives us a very sensitive tool for deciphering the causes of floods," says Guenter Bloeschl. "We are thus able to identify connections that previously were purely speculative."

Adverse weather, which can create the conditions that cause flooding, was fifth in the list of concerns identified by business continuity professionals in the Business Continuity Institute's latest Horizon Scan Report. Climate change itself is not yet widely treated as an issue, however: only 23% of respondents to a global survey considered it necessary to evaluate climate change for its business continuity implications.

The growing average age of populations is not always a burden on society, it can be a rewarding opportunity to enrich communities and our world as a whole. Increasingly, governments and local authorities are seizing the gift of longevity to imagine social infrastructure differently – and new areas of standardization are in the pipeline ready to help.

We are not getting any younger and neither is the worldʼs population. The number of older people has exploded in recent years and we are approaching an era where words like “aged societies” are becoming a reality. In fact, by 2050 it is expected that many countries will be classed as “super-aged societies”, meaning that more than 21% of the population is over 65; and by 2030, the number of people in the world aged 60 years and above will have grown by 56%.

Adapting to this trend poses economic, social and political challenges and may increase the dependency of older citizens on those of working age. This regularly conjures up doomsday scenarios of workforce shortages, the financial collapse of pension and health systems, mass loneliness and insecurity.



Thursday, 10 August 2017 15:15

How to adapt to ageing societies

LITTLE ROCK, Ark. – Would you invest $400 for a chance to get back up to $250,000? How about $1,000 or $2,000? Still sound like a good deal?

Putting it another way, would you risk losing your $250,000 home in a flood because you didn’t buy a preferred or standard risk National Flood Insurance Program policy usually costing from $400-$2,000 a year? Just a few inches of water can cause thousands of dollars in damage to walls, floors, furniture, carpets and appliances.

Everyone lives in a potential flood zone. You do not have to live near water. Floods can also be caused by melting snow, hurricanes, water backups from overloaded sewage systems, or broken water mains.

For example, in January of 2008, an irrigation canal built in 1906 breached and flooded 400 homes in the middle of the Nevada desert not far from Reno. Many of the residents of the small town of Fernley learned of the canal’s existence the hard way.

Flood insurance can help you avoid the financial consequences of these events.

Some people are under the impression that FEMA will come in after a flood and fix everything. That isn’t what Congress designed FEMA to do. FEMA gives grants to provide essential repairs and replace essential items such as a water heater to make your house safe for occupancy.

The average grant from FEMA is less than $5,000. FEMA doesn’t replace your big screen TV, buy dishwashers and home entertainment equipment, or cover ceiling stains from roof leaks. FEMA may assist in repairing a disaster-damaged subfloor if it is not structurally sound, but flooring on its own may not affect habitability. FEMA may pay to replace a broken window, but does not cover blinds and drapes.

FEMA assistance comes after FEMA, state and local officials assess damage from storms. If there is enough damage, the state will ask the President to issue a Major Presidential Disaster Declaration. If approved, this opens the federal pocketbook to fund FEMA’s disaster assistance, which may include SBA low-interest disaster loans for businesses of all sizes, homeowners, renters and most private nonprofit organizations.

This process may take weeks from the storm event, but flood insurance policyholders don’t have to wait and can file claims for damage right away.

Policy limits for homeowners are up to $250,000 for the structure; for homeowners and renters, up to $100,000 for contents. Policies are available to condominium associations and unit owners, renters and business owners. Businesses can get up to $500,000 in coverage for structures and an equal amount for contents.

In Arkansas, National Flood Insurance Program policyholders were able to file claims beginning April 25, well in advance of the June 15 disaster declaration. NFIP immediately began making advance partial payments based on identified areas of damage and insurance adjuster estimates. For both pre- and post-declaration periods, advance payments now total more than $2.4 million, with more than $23 million paid out on 494 claims.

Some people believe in flood insurance, but start and stop it. Flood insurance has to be in place 30 days before a flood strikes, so policyholders hoping they can guess when that will be are taking a big risk. Weather can change quickly and insurance companies report they are seeing more frequent claims stemming from a variety of weather types.

Most homeowner insurance policies don’t cover flooding. Flood insurance kicks in when two or more acres of normally dry land, or two or more properties (at least one of which is your property), are flooded.

Flood insurance premiums in moderate and low-risk areas may be only a few hundred dollars. A quarter of flood insurance claims come from consumers who live in those low-risk areas.

More than 85 private companies offer flood insurance backed by the federal government. Residents have to live in a community participating in the NFIP and maintaining floodplain ordinances regulating building in flood-hazard areas.

A FEMA Helpline is available for potential policyholders and those with policies to get answers to questions about flood insurance. Call 800-621-3362 and select Option 2. Multilingual operators are available. Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call 800-462-7585. Users of the 711 or VRS (Video Relay Service), call 800-621-3362.

For updates on the Arkansas response and recovery, follow the Arkansas Department of Emergency Management (@AR_Emergencies) on Twitter and Facebook and adem.arkansas.gov. Additional information is available at fema.gov/disaster/4318.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

The Business Continuity Institute

More than one-third of businesses have experienced a ransomware attack in the last year, and more than one in five (22%) of these impacted businesses had to cease operations immediately, according to a study by Malwarebytes.

The Annual State of Ransomware Report found that the impact of ransomware on SMEs can be devastating. For roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours. Further, among SMEs that experienced a ransomware attack, one in five (22%) reported that they had to cease business operations immediately, and 15% lost revenue.

“Businesses of all sizes are increasingly at risk for ransomware attacks,” said Marcin Kleczynski, CEO, Malwarebytes. “However, the stakes of a single attack for a small business are far different from the stakes of a single attack for a large enterprise. Osterman’s findings demonstrate that SMEs are suffering in the wake of attacks, to the point where they must cease business operations. To make matters worse, most of them lack the confidence in their ability to stop an attack, despite significant investments in defensive technologies. To be effective, the security community must thoroughly understand the battles that these companies are facing, so we can better protect them.”

Most organizations make addressing ransomware a high priority, but still lack confidence in their ability to deal with it. 75% of organizations surveyed place a high or very high priority on addressing the ransomware problem. Despite these investments, nearly one-half of the organizations surveyed expressed little to only moderate confidence in their ability to stop a ransomware attack.

For many, the source of ransomware is unknown and infections spread quickly. For 27% of organizations that suffered a ransomware infection, decision makers could not identify how the endpoint(s) became infected. Further, more than one-third of ransomware infections spread to other devices. For 2% of organizations surveyed, the ransomware infection impacted every device on the network.

SMEs in the US are being hit harder than SMEs in Europe by malicious emails containing ransomware. The most common source of ransomware infections in US-based organizations was related to email use: 37% of attacks on SMEs in the U.S. were reported as coming from a malicious email attachment and 27% from a malicious link in an email. In Europe, however, only 22% of attacks were reported as coming from a malicious email attachment, and an equal number from a malicious link in an email.

Most SMEs do not believe in paying ransomware demands. 72% of respondents believe that ransomware demands should never be paid. Most of the remaining organizations believe that demands should only be paid if the encrypted data is of value to the organization. Among organizations that chose not to pay cyber criminals’ ransom demands, about one-third lost files as a result.

Current investments in technology might not be enough. Over one-third of SMEs report running anti-ransomware technologies, yet about one-third of the businesses surveyed still experienced a ransomware attack.

With infected computers or networks unusable until the data has been recovered (from backups, or, with no guarantee of success, by paying the ransom), it is easy to see why this type of attack concerns business continuity professionals. The latest Horizon Scan Report published by the Business Continuity Institute revealed cyber attacks as the number one concern.

“It’s clear from these findings that there is widespread awareness of the threat of ransomware among businesses, but many are not yet confident in their ability to deal with it,” said Adam Kujawa, Director of Malware Intelligence, Malwarebytes. “Companies of all sizes need to remain vigilant and continue to place a higher priority on protecting themselves against ransomware.”

Connectivity in the pockets of first responders and mobile team members

By Glen Denny, Baron Services, Inc.

One of the biggest challenges in weather forecasting has always been alerting people who are away from home to severe weather threats. For years the radio was the primary viable method, but a radio can give listeners only so much pertinent information, such as county-wide watches and warnings. That is helpful to a degree for people who find themselves out and about when weather hits, as a basic indicator of danger and of the need to find shelter in a safe place. Radio-delivered weather reporting has serious shortcomings, however, and all of them stem from the medium itself. Radio is purely aural: radar, one of the most essential weather data tools, is practically irrelevant to it, because radar is a purely visual delivery of weather data. Radio is also non-specific: a set amount and kind of weather information is broadcast to a wide listening area, and it cannot be customized or altered to fit the interests or needs of listeners in any particular part of that area.

The Mobile Solution to Weather

The solution to the problem of effective on-the-go weather forecasting came with the advent of smart phones and mobile radar apps. Smart phones are now a near ubiquitous technology in the United States (and most of the rest of the world, too), so the majority of people in the present day who find themselves out and on the go during a time when they need weather information can access that information on their smart phone. AccuWeather, the Weather Channel, and other weather data providers all have their own mobile apps which people can download and use to this end.

However, the current mobile weather application landscape is still not 100% effective. Weather apps like those provided by The Weather Channel and AccuWeather offer extensive data and radar, but, like most weather apps, they still mostly deliver non-specific, commodity data. Apps such as these can give the user a 10-day forecast, current radar and projected radar of their surrounding area, and of course, can send the user notifications of National Weather Service (NWS) watches and warnings as they occur. This kind of information is mostly sufficient for general users. However, users in areas of frequent inclement weather, or professional users involved in emergency response or planning for schools, hospitals, businesses, and governments will find this kind of limited weather data lacking for their purposes.

A New Class of Mobile Monitoring

A new generation of advanced weather apps, such as Baron’s Threat Net mobile app, is the kind of product these users need to do their jobs well and to stay safe. Apps in this new generation focus on providing hyper-local, one-to-one critical weather intelligence to advanced users and lay users alike. Baron’s Threat Net Mobile app, for example, features detailed data and visual monitoring of precipitation and of forecast road conditions and hazards (a Baron-exclusive product with advanced data on severe weather threats such as damaging winds, hail and flooding), a monitoring system that displays real-time cloud-to-ground lightning strikes at street level, and storm vectors that enable accurate storm tracking up to an hour in advance. These and similarly advanced weather monitoring products have more value than commodity weather data because they are in-depth, specific and customizable. A good example is another feature of Baron’s Threat Net Mobile app called Critical Weather Indicators. This Baron-exclusive product highlights to users in real time the most dangerous storm situations near their location, effectively warning users of possible severe weather threats before they materialize. NWS alerts, while certainly valuable to many people, don’t work this way: they are aimed at the widest possible audience in order to ensure the safety of as many people as possible during inclement weather. Apps like Baron’s, by contrast, are aimed at each individual’s safety and at their ability to keep others in their area safe. For example, Baron’s mobile alerts will notify users who are in the actual path of a storm of its imminent arrival, will warn users of nearby lightning strikes, and can point out possible flooding of a nearby river based on projected rainfall. Because these alerts are generated algorithmically and do not require NWS approval, they arrive well before the storm or other threat does, which is a feature commodity weather apps lack.

If we revisit the media of radio and commodity weather apps discussed earlier, we can see how large an advantage these advanced weather apps have over any other method of delivering weather data to people on the go. Imagine a severe storm approaching a town. A mobile user in this town, away from home and monitoring the weather by radio, will not have much idea where the storm is in relation to her exact location, and as a result can do little to create a specific plan. A commodity mobile app user will be able to see where the storm currently is and where it might be in an hour, but she will have to pick herself out on the map (which likely displays a large area) and project the storm’s longer-term path herself, planning accordingly. A user with an advanced app, like Baron Threat Net mobile, will be notified of the storm in advance if it is heading towards and projected to hit her exact location. This user can also learn what specific threats the imminent storm may bring to her exact location, such as high winds, hail, heavy rain or a possible tornado (determined by Baron’s Critical Weather Indicators).

Advanced Apps are Perfect for Public Safety

The above description shows how much more pertinent information can be delivered via an advanced mobile app compared to other methods, which is what makes these advanced apps so appropriate for professionals and laypeople, and for organizations such as schools, hospitals, businesses and governments. Schools, for instance, could benefit greatly from an advanced mobile app like Baron’s in many situations. If weather hits while students are being transported to an event off campus, or simply being brought home in the afternoon, having each bus equipped with an advanced mobile app could aid coordination with the school’s operations center and allow school staff on the buses to make the right decisions to ensure the safety of the students being transported. Hospitals could use such apps in a similar way. A hospital operations center could, in times of severe weather, rely on its individual mobile employees, such as those driving ambulances or flying helicopters, to make the decisions best for them and their patients while in the field. For businesses and local governments, the same idea applies. The mobile parts of these organizations, if equipped with advanced weather apps like Baron’s, could take more reliable responsibility for their own safety during severe weather, lifting some of the burden from their home bases and, most importantly, keeping themselves out of dangerous situations.

Advanced mobile apps like Baron Threat Net mobile are clearly the most effective medium through which to deliver important weather information in critical situations, because the data delivered via these apps is specific, hyper-local, in depth, and customizable. All of these characteristics added up equate to mobile apps which can be useful to anyone, and can be especially useful to professional users involved in public safety, such as in hospitals, schools, local governments, and businesses.

A common point of confusion for new BCM practitioners is the difference between business continuity and disaster recovery. Though people often think these are synonyms, the distinction is that business continuity relates to business functions and relocation efforts while disaster recovery relates to the technical recovery of applications or systems. Disaster recovery is a component of business continuity. Let’s look at how business continuity and disaster recovery provide solutions.



No colocation data center has been built in San Francisco since the early 2000s, when hosting company AboveNet (now defunct) built the city’s now famous data center at 365 Main Street. That building is now owned by Digital Realty Trust, and together with Digital’s other San Francisco facility, at 200 Paul Avenue, it is one of only a handful of commercial data centers in the city.

At least one property, close to 200 Paul, has been marketed for data center development by various real estate agents over the years, but no-one has bitten, and the building at 1828 Egbert Avenue remains a commercial storage facility.

San Francisco is a notoriously difficult city to build in and has some of the country’s highest electricity rates. It is also difficult for PG&E, the utility that serves the area, to provide the multi-megawatt power feeders a data center in the city would require. The Bay Area’s data center cluster is in Silicon Valley; that is where virtually all of the region’s server-farm construction has taken place over the last two decades.



The Business Continuity Institute

Nearly all (96%) of small to medium-sized enterprises (100 to 499 employees) in the US, UK, and Australia believe their organizations will be susceptible to external cyber security threats in 2017, according to a study by Webroot. Yet, although businesses recognise the growing threats, 71% still admit not being ready to address them.

Cyber Threats to Small and Medium-Sized Businesses in 2017 showed that IT decision makers (ITDMs) at small to medium-sized businesses are most worried about new forms of malware infections (56%), mobile attacks (48%), and phishing attacks (47%). ITDMs estimate a cyber attack in which their customer records or critical business data were lost would cost an average of $579,099 in the US, £737,677 in the UK, and AU$1,893,363 in Australia.

Nearly two-thirds of ITDMs believe it would be more difficult to restore their company’s public image than to restore employee trust and morale.

Addressing the growing threat, 94% of ITDMs plan to increase their annual IT security budget in 2017, compared to 2016.

Businesses currently manage IT security in various ways. One-fifth of businesses have in-house employees whose responsibilities include IT security. 37% use a mix of in-house and outsourced IT security support, while only 23% have a dedicated in-house IT security professional or team.

The current cyber security landscape and lack of preparedness of small- to medium-sized businesses represent a big opportunity for managed security providers (MSPs). Among businesses who do not currently outsource IT security support, 80% will likely use a third-party cyber security provider in 2017.

Charlie Tomeo, Vice President of Worldwide Business Sales at Webroot, commented; “This study illustrates the general lack of preparedness for security around the globe. Small to medium-sized businesses face just as many threats as larger ones, but are often at a disadvantage because of their lack of resources. Given the recent spate of ransomware attacks, it is crucial for these companies to shore up their security and lean on the expertise of an MSP for a solution to combat threats from multiple vectors.”

To stay healthy, should you get your jabs or eat your vegetables?

While you may wonder what this has to do with business continuity, this question sums up emerging differences in approaches to keeping organisations running without interruption.

Specifically, resiliency engineering is the “eat your vegetables” approach, in which you prepare people, processes, and systems for general ongoing healthiness and as some would put it, “stretchiness” to accommodate surprises.

By comparison, business continuity preparations that are designed to protect against specific threats are more of a “get your jabs” (as in injections for vaccination) approach. So, does resilience engineering do better than specific “jabs” and if so how?



From Buzzfeed, a back-to-school headline you may not have considered: Is Your School In A Flood Zone?

For example, a Salt Lake City rainstorm just caused a flash flood that damaged many properties, including East High School where Disney’s High School Musical was filmed.

According to a report from the Pew Charitable Trusts and consulting firm ICF, some 6,444 public schools across the United States that serve nearly 4 million students are located in the 100 counties with the highest composite flood scores.



Tuesday, 08 August 2017 15:27

Back-To-School flood safety

Climate Report

After 9/11, I was asked by the Baltimore City Health Commissioner to help prepare the city for a radiation terrorism event, because my entire career up until that point had been in radiation-based medical imaging. I didn’t know anything about public health preparedness at the time, but I found it very fulfilling to work with the city health department and other first responders, especially fire and police. Public health preparedness science and research is more than multi-disciplinary, it’s trans-disciplinary, which is what makes it fun.

Master the Vocabulary

Connecting behavioral and social science

The Johns Hopkins Center for Public Health Preparedness has a particular interest in the mental and behavioral health challenges that people, organizations, and jurisdictions face during and after disasters. If you look at the disaster literature you will see references to dysfunction, which can be caused by either physical or psychological trauma. After a disaster, the number of people with psychological trauma exceeds the number of people with physical injury by as much as 40 to 1, but there is much more research and emergency response focus on the physical effects of a disaster rather than the psychosocial effects. Our interest and expertise in the behavioral science of disasters was the main reason that CDC’s Office of Public Health Preparedness and Response asked us to work on an innovative model and index to measure resilience in the United States.

Understanding resilience in disasters

You can think about resilience on two levels – on the individual level and at the community level. For individuals, we are interested in three things: psychological resistance before a disaster, resilience during a disaster, and recovery after the disaster. Resilience at this level reflects the ability of someone to spring back after experiencing trauma from a disaster. We think about community resilience like an ecosystem. In any ecosystem there is a minimum requirement for the system to successfully function and survive. The same is true for a community. So when we think about community resilience, we must not only think about the ability of a community to return to its pre-event level of functioning, but also assess how that community is working at its lowest point after a disaster and determine if that is a level where it can still function successfully – or even at all.

Modeling resilience

Example of COPEWELL model output showing overall pre-disaster resilience for all US counties.

We approached our colleagues at the University of Delaware Disaster Research Center, who are experts in the sociological factors in disasters that lead to emergent collective behavior. This phenomenon refers to a group of every-day people coming together to aid the formal emergency response. The COPEWELL (“Composite of Post-Event Well-Being”) project was born out of this collaboration between experts in the psychological and sociological impacts of disasters on individuals and communities, along with experts in engineering, modeling, public health and healthcare, and other domains.

We realized that a static model with a single score for resilience would not capture the way a system changes over time and the many interrelated parts that make up a community. We came up with a system dynamics model, which allowed us to input different factors that characterize a community, including housing, communication, healthcare, and transportation. We then throw a disaster at the model and see how the community responds. Depending on the type of natural disaster or public health emergency, how a community functions plays out differently over time. For example, a pandemic usually builds slowly and reaches a peak before gradually decreasing, while a severe weather event spikes quickly and exponentially decreases. Different communities have different inherent characteristics that determine how well they can resist the negative effects of an event and how quickly they can recover. What is unique about COPEWELL is that it is a whole community model, not just a public health model, and looks at how the community functions over time, which allows you to derive a measure of resilience.

Putting the data to work

The COPEWELL model has been used to predict resilience after a disaster in all 3,100+ counties in the United States. We’ve also explored using the model at a more granular level, including at the neighborhood level in New York City. Experts are working on a web-based platform for the model that stakeholders such as government leaders and public health officials can use in their communities.

In addition to supporting the project, CDC has provided technical assistance and expertise to translate and apply the model in practice. Once more fully validated, the results from the model can be used to help identify and evaluate interventions to improve community resilience and accelerate recovery after a disaster.


Posted by Jon Links, Professor, Johns Hopkins Bloomberg School of Public Health

Another high-profile corporate hack puts cybersecurity back into the spotlight as thieves made off with 1.5 TB of data from HBO, including scripts of upcoming Game of Thrones episodes.

The bad news for financial institutions is that this elevated focus on cybersecurity will make meeting their cyber-security regulatory mandates only more challenging as more jurisdictions ramp up their cyber-security requirements.

The laws are changing all the time as New York, Colorado, and Connecticut enhance their cybersecurity laws, said Chad Pinson, managing director at Stroz Friedberg during a panel discussion hosted by the US Securities and Exchange Commission and FINRA. “It is hard to keep up with what those different states require.”



Tuesday, 08 August 2017 15:18

Cybersecurity Compliance Gets Tougher

The Business Continuity Institute

Ransomware attacks continued their rise in the first half of 2017, up by 50% over the first half of 2016. Hacking and malware attacks (of which ransomware attacks form a growing part) continue to be the leading cause of breaches, accounting for 32% in a study conducted by Beazley.

However, the Beazley Breach Insights also found that accidental breaches caused by employee error or data breached while controlled by third party suppliers continue to be a major problem, accounting for 30% of breaches overall, only slightly behind the level of hacking and malware attacks. In the healthcare sector these accidental breaches represent, by a significant margin, the most common cause of loss at 42% of incidents.

This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality. Since 2014, the number of accidental breaches reported to Beazley’s team has shown no sign of diminishing. As more stringent regulatory environments become the norm, this failure to act puts organizations at greater risk of regulatory sanctions and financial penalties.

Unintended disclosures caused 26% of breaches during the first half of 2017 in the higher education sector. While slightly down on the 28% recorded in 2016, this still represents a quarter of all breaches which could be mitigated through more effective controls and processes. Hacks and malware accounted for nearly half of higher education data breaches in the first six months of 2017 (43%), roughly even with the 45% of breaches caused by hacking in the same period in 2016. Of these, 41% were due to phishing.

It is findings like these, and the disruptive impact that a cyber security incident can have on an organization, that demonstrate why cyber attacks and data breaches are such major concerns for business continuity and resilience professionals. The Business Continuity Institute's latest Horizon Scan Report identified them as the top two threats to organizations with 88% and 81%, respectively, of respondents to a global survey expressing concern about the prospect of such an event occurring.

Unintended disclosure such as misdirected faxes and emails or the improper release of discharge papers continued to drive the majority of healthcare losses, leading to 42% of industry breaches during the first half of 2017, equal to the proportion of these breaches in the industry in 2016. Hacks and malware accounted for only 18% of healthcare data breaches in the first six months of 2017, compared to 17% in 2016.

At first glance, professional services firms appear to have greater internal controls in place, with unintended breaches accounting for 14% of all incidents, well below the average for the period in question. However, the trend is tracking adversely, up from 9% in the first half of 2016. Firms in the sector were not immune to hacking and malware attacks, with these incidents accounting for 44% of breaches in the time period compared to 53% in the first six months of 2016.

Katherine Keefe, global head of BBR Services, said: “Unintended breaches account for one-third of all data breach incidents reported to Beazley and show no signs of abating. They are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties. Yet, they can be much more easily controlled and mitigated than external threats. We urge organizations not to ignore this significant risk and to put more robust systems and procedures in place.”

Keeping online payments secure is a vital concern for businesses dealing with valuable company data on a daily basis. These B2B transactions have traditionally required a lot of time and resources to manage effectively, so it is not surprising that we have recently seen a shift towards VAN (Virtual Account Number) payments led by Online Travel Agencies (OTAs). This digital travel transformation is simplifying, streamlining and increasing security for B2B payments between OTAs and their suppliers, boosting industry growth and changing the way it operates for the better.

What is a Virtual Account Number?

A VAN is an automatically generated, 16-digit card number, created at the point of sale or booking. It operates in exactly the same way the account number on the front of a plastic credit card does and is accepted anywhere that currently supports online Mastercard payments. However, the difference between a VAN and a credit card number is that with VAN payments, a new, unique number is generated for each individual transaction, making it a highly secure method of payment. Companies using VAN payments can place restrictions on its usage, limiting spending, time frame and supplier choice, giving the business a greater amount of control over its finances.

The benefits of VAN payments

The benefits that virtual account numbers bring to B2B payments are threefold. The most important, of course, is the increased data security offered by choosing such a method. Whilst traditional account numbers may be used by multiple OTAs, memorised by numerous individuals and stored unsafely on devices, leaving companies exposed to the threat of data theft, the one-off randomisation of a generated VAN keeps data secure throughout the sales process, reducing the risk of fraudulent behaviour or supplier default.

The second benefit addresses company control. VAN payments allow transaction data to be customised and tracked throughout the booking process, giving businesses a clear audit trail without additional interruptions to the payment interface. Because VAN payments are universal to most suppliers, all payments can be traced on the same system and integrated into existing workflows making it easy to find detailed information on each transaction.

Finally, and perhaps most transformative when it comes to company operations, is the benefit of simplicity. VANs simplify payments online by offering automatic reconciliation meaning payment delays are a thing of the past. Manual reconciliation of purchases and payment statements can be a drain on company time and resources, not to mention the threat of human error. By removing this aspect from the payment process, VANs can keep suppliers happy and free up admin time for better uses, helping to streamline the business.

How OTAs have embraced this digital transformation

Given the benefits of virtual accounts, it is easy to see why OTAs are one of the leading industries when it comes to using VAN payments. Booking holidays online has become the norm for many people around the world, with online travel sales projected to grow from $530 billion+ in 2015 to $760 billion+ by 2019. The 2015 figure accounts for 53% of all travel bookings globally, and that share will only go up. OTAs are a booming industry, acting as an intermediary between customers and suppliers, and by using VAN payments they are able to ensure the transaction is secure and seamless for all parties involved. VANs are used for booking airline flights, hotels and car rentals as well as many other travel purchases, and the VAN payment method ensures that the needs of these multiple customers and suppliers are met with guaranteed immediate payment processing, faster transaction times and to-the-minute offers. The reduced administration of using virtual account numbers facilitates the industry's growth, as fewer IT security staff are required, saving companies time and money.

It is doubtless that VAN payments are the future of B2B online transactions, so much so that there is currently a push for future developments that incorporate even more flexibility in the process. They are transforming the digital landscape for industries like Online Travel Agencies and it is likely this influence will spread to other B2B organisations operating multiple supplier transactions in the near future.
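The controls the article attributes to a VAN (a number generated per transaction, a spend cap, a validity window, an approved supplier, single use) can be modelled as an authorisation check. The following is an added, hypothetical model written for this page, not any card network's or OTA's code; the BIN prefix, supplier names and the assumption that a VAN carries a standard Luhn check digit like a physical card number are all constructed for the example.

```python
"""Hypothetical model of virtual account number (VAN) issuance and authorisation.
Everything here is constructed for illustration: the BIN prefix is not a real
issuer range and the supplier names are made up."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed prefix so generated numbers are obviously not real cards.
EXAMPLE_BIN = "999999"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for `partial` (assumption: VANs use the same scheme as
    plastic card numbers, so they validate wherever a Mastercard is accepted)."""
    total = 0
    # Walk from the right; the digit nearest the future check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualAccountNumber:
    pan: str                    # 16-digit number generated for one transaction
    max_amount: float           # spend limit set by the business
    valid_from: datetime        # time frame restriction
    valid_until: datetime
    allowed_supplier: str       # supplier choice restriction
    used: bool = False          # single use: a second authorisation is refused


def issue_van(max_amount, validity: timedelta, supplier, now=None):
    """Create a fresh, unpredictable 16-digit VAN bound to the given restrictions."""
    now = now or datetime.now()
    body = EXAMPLE_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
    pan = body + luhn_check_digit(body)
    return VirtualAccountNumber(pan, max_amount, now, now + validity, supplier)


def authorize(van, supplier, amount, when):
    """Evaluate one authorisation request. Returns (approved, reason), where the
    reason names the first restriction that was violated."""
    if not luhn_valid(van.pan) or len(van.pan) != 16:
        return False, "invalid number"
    if van.used:
        return False, "already used"
    if supplier != van.allowed_supplier:
        return False, "supplier not permitted"
    if not (van.valid_from <= when <= van.valid_until):
        return False, "outside validity window"
    if amount > van.max_amount:
        return False, "exceeds spend limit"
    van.used = True  # a leaked number is worthless after this point
    return True, "approved"


def run_scenario():
    """Constructed booking: a 500.00 hotel VAN valid for two days. Returns the
    reason string of each authorisation attempt, in order."""
    t0 = datetime(2017, 8, 1, 12, 0, 0)
    van = issue_van(500.0, timedelta(days=2), "Hotel Example Ltd", now=t0)
    attempts = [
        ("Other Supplier Ltd", 100.0, t0 + timedelta(hours=1)),   # wrong supplier
        ("Hotel Example Ltd", 600.0, t0 + timedelta(hours=1)),    # over the cap
        ("Hotel Example Ltd", 450.0, t0 + timedelta(days=3)),     # expired
        ("Hotel Example Ltd", 450.0, t0 + timedelta(hours=1)),    # legitimate
        ("Hotel Example Ltd", 10.0, t0 + timedelta(hours=2)),     # replay
    ]
    return [authorize(van, s, a, w)[1] for s, a, w in attempts]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```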

Monday, 07 August 2017 14:27

VAN Payments Improve Data Security

(TNS) - When wildfires, floods, tornadoes and terrorist events disrupt cellphone communication systems at the moment they are most needed, that’s when a more than 100-year-old technology still holds its own.

Amateur radio operators, often called “ham radio operators” regularly volunteer their skills and expertise to coordinate responses in emergencies like the Boston Marathon bombing and when Hurricane Katrina devastated New Orleans.

There are more than 725,000 licensed amateur radio operators in the United States. Those that were providing support for the 2013 Boston Marathon became a key communication link when cellphone systems became overloaded after bombs exploded near the finish line killing three and injuring hundreds.



Both clients and regulatory bodies now expect an always-on law firm, and with this comes the challenges of remaining competitive and performing due practice in cybersecurity. Modern availability and resiliency expectations demand a comprehensive approach to mitigate the threats of downtime, yet this is easier said than done.

The Problem with Insurance

In many recent legal publications, cyber insurance in particular has been getting a lot of attention due to the increased prevalence of security breaches. However, this specific form of insurance isn’t fully mature yet and policies need to be reviewed carefully. Be sure to ask what the insurance provider will cover and under what circumstances, since there’s no need to invest in something that won’t benefit your firm, especially in a time of crisis.



The Business Continuity Institute

Almost one in six (16%) SMEs have fallen victim to a cyber attack in the last 12 months, equating to more than 875,000 nationwide, according to the findings of a study conducted by Zurich. Businesses in London are the worst affected with almost a quarter (23%) reporting that they have suffered a breach within this period.

The SME Risk Index found that, of businesses that were affected, more than a fifth (21%) reported that it cost them over £10,000 and one in ten (11%) said that it cost more than £50,000.

Yet, despite the volume of attacks and potential losses, the survey of over 1,000 UK SMEs showed that business leaders are not committing to investing significantly in cyber security in the coming year. Almost half (49%) of SMEs admitted that they plan to spend £1,000 or less on their cyber defences in the next 12 months, while almost a quarter (22%) don’t even know how much they will spend.

The results show that for businesses of all sizes robustness of cyber security defences is now a genuine concern for winning and maintaining business contracts. A quarter (25%) of medium sized businesses (between 50 and 249 employees), reported that they have been directly asked by a current or prospective customer about what cyber security measures they have in place. This was also true of one in ten (11%) small businesses (less than 50 employees).

As a result, business leaders are reporting that strong cyber security is providing an opportunity to stand out from competitors with as many as one in 20 (5%) claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

Small businesses are not exempt from the disruptions that all organizations face, and the latest Horizon Scan Report published by the Business Continuity Institute highlights that organizations of all sizes generally share the same concerns.

Paul Tombs, Head of SME Proposition at Zurich, comments: “While recent cyber attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too. The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses.

“While the rate of attacks on SMEs is troubling, it also shows that there is an opportunity for businesses with the correct safeguards and procedures in place to leverage this as a strength and gain an advantage.”

...but it’s not as easy as you think



Whether for functional need, budgetary alignment, or due to top-down pressure, all companies will move to the public cloud at some level. If an organization has less than, say, 50 terabytes of data to manage, it’s easy to move everything there. For those of you in this boat, you can stop reading this article and proceed directly to the cloud, and collect $200.

For those with hundreds of terabytes, even petabytes, of data this is challenging and unrealistic. The business value of public cloud infrastructure is desirable, but when there are such large volumes of data, it’s hard to get there. “Lift and shift” strategies to mimic on-site infrastructure in the cloud are not often viable when petabytes of data are involved, and many businesses need to keep at least some data on the premises. Luckily the utilization of public and private infrastructure does not have to be an either/or decision.


Figure 1: The business dynamics of public infrastructure are desirable, but with so much data to manage, it’s hard to figure out how to get there.

Fortunately, you can realize many of the business benefits of the public cloud in your own data centers. Elimination of silos, data that’s globally accessible, and pay-as-you-grow pricing models are all possible on-premises, behind your firewall. The “hybrid cloud” approach is not simply having some apps running in your data center and other apps running in Amazon or Google. Workflows do not have to wholly reside within either private or public infrastructure – a single workflow can take advantage of both. True hybrid cloud is when public and private resources can be utilized whenever it’s best for the application or process.

Here are four key steps to accelerate your journey to the cloud.

Step 1: Go Cloud-Native

Storage is the primary inhibitor preventing movement towards the public cloud and cloud architectures in general. Data is siloed – stuck in separate repositories – and locked down by specific access methods required by specific applications. This makes it impossible, or at least extremely expensive, to effectively manage, protect, share, or analyze data.

“Classic” applications use older protocols to access data, while newer cloud-native applications use unique interfaces. Converting everything to cloud-native format will save much time, money, and headache in the long run. This does not have to be a massive project; you can start small and progress over time to phase out last generation’s technology.


Figure 2: Start on your journey to the cloud by leveraging cloud-native storage on-premises.

Once you’re cloud-native, not only is your data ready to take advantage of public cloud resources, but you immediately start seeing benefits in your own environment.

Step 2: Go According to Policy


Figure 3: Use policies to place data where it’s needed, across private and public cloud.

On-premises data on cloud-native storage can be easily replicated to the public cloud in a format all your applications and users can work with. But remember, we’re talking about hundreds of terabytes or more, with each data set having different value and usability.

Data management policies in the form of rules help decide where data should be placed based on the applications and users that need it – parts of your workflow behind your firewall and other parts in the public cloud. For example, you may be working with hundreds of terabytes of video, but would like to take advantage of the massive, on-demand processing resources in Google Cloud Platform for transcoding jobs instead of local hardware. Set a policy in your cloud storage software to replicate that on-prem video to the public cloud, then let Google do all the work, and set a policy that says move the transcoded assets back down when complete for the next step in the flow.


Don’t worry – the cloud data management software “views” the entire infrastructure as a single pool, universally accessible, regardless of the kind of storage or location.

Step 3: Go Cloud to Cloud

Policies help automate and orchestrate services to your applications based on business requirements (e.g. cost, capacity, performance, and security), according to the different capabilities of your on-premises or cloud resources. This also means data is efficiently discoverable and accessible across multiple clouds – the cloud data management platform considers the differences in services provided by the different clouds and moves or copies data to the right one.


When data is organized by storage silo or tracked by databases that only a single application has access to, the data can most often only be used by that single application or a small number of users. Instead, start to use metadata as the organizing principle for your data, which is enabled by cloud-native storage. When metadata sits right alongside the data it represents, it can be globally indexed and made available to many applications and groups of users.

As an example, data may be generated in a research lab that you manage, but the analysis can occur in Google Cloud platform. Then, the data is synched to Amazon Web Services when the results are ready to be shared to outside researchers and customers.

Step 4: Go Deep

When data placement policies enable a true hybrid cloud workflow, not constrained by physical infrastructure, you can unlock more capabilities. You can start to use metadata – the data about the data – as what we call the organizing principle. Cloud-native data holds its own metadata right alongside it, not in a separate database only its own specific application can read. Your metadata can now be globally indexed and made available to many applications and groups of users. This allows you to perform large-scale analysis projects.
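Steps 2 to 4 describe placement rules evaluated on the metadata that travels with each object. The following added example is a hypothetical policy evaluator written for this page, not SwiftStack's software; the location names, metadata keys, rules and sample objects are constructed. It covers the transcoding round-trip from Step 2, the research hand-off from Step 3, and the requirement that some data stays on the premises regardless of any rule.

```python
"""Hypothetical metadata-driven placement policy evaluator (constructed example)."""
from dataclasses import dataclass

ON_PREM, GCP, AWS = "on-prem", "gcp", "aws"


@dataclass
class Rule:
    """A placement rule: every key in `match` must equal the object's metadata."""
    name: str
    match: dict
    target: str


@dataclass
class StoredObject:
    """An object whose metadata is stored alongside it (cloud-native storage)."""
    name: str
    metadata: dict


def rule_matches(rule: Rule, obj: StoredObject) -> bool:
    return all(obj.metadata.get(k) == v for k, v in rule.match.items())


def place(obj: StoredObject, rules: list):
    """Return (location, reason). Rules run in order and the first match wins.
    Objects tagged classification=restricted are pinned on-premises before any
    rule is consulted (assumption: data that must stay behind the firewall is
    marked that way in its metadata)."""
    if obj.metadata.get("classification") == "restricted":
        return ON_PREM, "restricted data pinned on-premises"
    for rule in rules:
        if rule_matches(rule, obj):
            return rule.target, rule.name
    return ON_PREM, "default: no rule matched"


def advance(obj: StoredObject, new_stage: str, rules: list):
    """Update the object's workflow stage and re-evaluate placement, so data
    moves as the workflow progresses (e.g. raw -> transcoded brings it home)."""
    obj.metadata["stage"] = new_stage
    return place(obj, rules)


def plan(objects, rules) -> dict:
    """Placement decisions for a batch of objects, keyed by object name."""
    return {o.name: place(o, rules) for o in objects}


# Constructed rules: the Step 2 transcoding workflow and the Step 3 research hand-off.
WORKFLOW_RULES = [
    Rule("raw video to GCP for transcoding", {"type": "video", "stage": "raw"}, GCP),
    Rule("transcoded assets back on-prem", {"type": "video", "stage": "transcoded"}, ON_PREM),
    Rule("shareable results to AWS", {"type": "research", "stage": "shared"}, AWS),
]

# Constructed sample objects.
SAMPLE_OBJECTS = [
    StoredObject("shoot-01.mov", {"type": "video", "stage": "raw"}),
    StoredObject("shoot-01-720p.mp4", {"type": "video", "stage": "transcoded"}),
    StoredObject("trial-results.csv", {"type": "research", "stage": "shared"}),
    StoredObject("patient-ids.csv",
                 {"type": "research", "stage": "shared", "classification": "restricted"}),
    StoredObject("notes.txt", {"type": "text"}),
]


def demo() -> dict:
    return plan(SAMPLE_OBJECTS, WORKFLOW_RULES)


if __name__ == "__main__":
    for name, (location, why) in demo().items():
        print(f"{name:20} -> {location:8} ({why})")
```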

Whether you like it or not, you will be in the cloud in some capacity. Follow these steps to not only make the transition to public infrastructure hassle-free, but to bring many of the business dynamics of cloud – pricing based on consumption, massive scalability, collaboration, etc. – into your datacenter and increase the value of your data.


Erik Pounds is head of product marketing at SwiftStack (www.swiftstack.com).

Friday, 04 August 2017 20:30

You WILL go to the cloud

Back in 2004 at the RSA Security Conference, Bill Gates was campaigning for the replacement of the password by two-factor authentication or some other secure mechanism.

In 2012, the Trustwave 2012 Global Security Report indicated that 80% (four out of five) of security incidents were linked to the use of weak administrative passwords. In 2016, the aftermath of the breach of 500 million Yahoo accounts in 2014 was still being felt, as stolen access credentials were used to compromise other accounts for which the Yahoo account holders were using the same passwords and credentials. Why do passwords still exist?

In a word, it’s about convenience – passwords are easy (too easy) to handle and use. Even the more complicated ways of constructing passwords can be made relatively easy to use for the password owner.



There are so many conversations around cloud, moving to various types of cloud services, and how to leverage the power of hybrid. But it’s important to note just how much cloud services – and hybrid in particular – have been growing and where they are impacting your business. A recent WSJ article points out that CIOs are knitting together a new IT architecture that comprises the latest in public cloud services with the best of their own private data centers and partially-shared tech resources. Demand for the so-called hybrid cloud is growing at a compound rate of 27%, far outstripping growth of the overall IT market, according to research firm MarketsandMarkets.

Here’s the big factor to consider: The cloud will be distributed with 60% of IT done off-premises and 85% in multi-cloud by 2018.

So where are you on that journey? And how ready are you for a multi-cloud environment? Most of all, do you fully realize what the biggest benefits of moving into a hybrid architecture are?



Friday, 04 August 2017 15:01

Are You Ready for a Multi-Cloud Future?

The Business Continuity Institute

There is a continued challenge in securing our organizations from malicious attachments, dangerous file types, impersonation attacks, as well as spam, with nearly a quarter of emails delivered to users’ inboxes still being deemed 'unsafe'. This is according to a report published by Mimecast which indicates the need for organizations to enhance their cyber resilience strategies for email with a multi-layered approach that includes a third-party security service provider.

The Email Security Risk Assessment notes that the risks to email remain whether it is delivered to a cloud-based, on-premises, or hybrid email environment. Email remains the top attack vector for delivering security threats such as ransomware, impersonation, and malicious files or URLs. Attackers' motives include credential theft, extracting a ransom, defrauding victims of corporate data and funds and, in several recent cases, sabotage with data being permanently destroyed.

To date, Mimecast’s ESRA reports have inspected the inbound email received for 62,323 email users over a cumulative 428 days. More than 45 million emails were inspected, all of which had passed through the incumbent email security system in use by each organization and, of these, almost a quarter (24%) were deemed 'unsafe'. These assessments have uncovered more than 10.8 million pieces of spam, 8,682 dangerous file types, 1,778 known and 503 unknown malware attachments and 9,677 impersonation emails to date.

When the data was sliced by incumbent email security vendor, the report found that even some of the top email cloud players were missing commonly found advanced security threats, highlighting the need for a multi-layered approach to email security. Notably these cloud vendors are leaving organizations vulnerable by missing millions of spam emails and thousands of threats and allowing them to be delivered to the users’ email inboxes. Many organizations have a false sense of security believing that a single cloud email vendor can provide the appropriate security measures to ensure protection from email threats.

It is findings like these, and the disruptive impact that a cyber security incident can have on an organization, that demonstrate why cyber attacks and data breaches are such major concerns for business continuity and resilience professionals. The Business Continuity Institute's latest Horizon Scan Report identified them as the top two threats to organizations with 88% and 81%, respectively, of respondents to a global survey expressing concern about the prospect of such an event occurring.

“To achieve a comprehensive cyber resilience strategy, organizations need to first assess the actual capabilities of their current email security solution. Then, they should ensure there’s a plan in place that covers advanced security, data management and business continuity, as well as awareness training to the end user, which combined help prevent attacks and mitigate business impact,” said Ed Jennings, chief operating officer at Mimecast. “These quarterly Mimecast ESRA reports highlight the need for the entire industry to work toward a higher standard of email security.”

10 Considerations for Executives and Directors

When a good reputation is difficult to build and easy as pie to destroy, it’s a business imperative to manage the company’s reputation carefully. Jim DeLoach outlines five critical areas leadership must pay close attention to, and 10 factors total that can be critical in managing reputation risk.

With today’s electronic and social media, the news cycle reporting on the downward spiral of a once-proud organization that has suffered severe reputation impairment is not a pleasant one to watch. Unfortunately, such news events capture our attention all too frequently, leaving an indelible impression about a company’s reputation and brand image.

Applied to a business, “reputation” represents an interpretation or perception of an organization’s trustworthiness or integrity. While the truth ultimately prevails over the long term, reputation can be based on false perceptions in the near term. If accurate over time, reputation provides a barometer of how an organization is likely to respond in a given situation. However one defines reputation, everyone agrees it’s a precious enterprise asset and recognizes a reputation that has been damaged beyond repair.



Thursday, 03 August 2017 14:47

Managing Reputation Risk

Don’t get us wrong, simply telling somebody how wonderful he or she is will not guarantee business continuity!

However, with the emphasis in business continuity so often laid on technology, tools, and processes, it’s worth pausing for a moment to consider the human aspect. Whereas machines and systems don’t need or respond to recognition of how well they’re doing, the situation is different for people.

Heavily quantified and codified approaches quickly break down when it comes to encouraging staff to make sure that resources are in place to meet business goals without interruption. Here are a few guidelines to help ensure continuity of human endeavour!

Unlike programs and formal processes for systems, flexible guidelines are a better bet for praising people. Indeed, effective employee recognition is more of an art than a science. It’s crucial to understand that praise, when deserved, sincere, and properly expressed, for contributions to business continuity can accomplish two things.



Thursday, 03 August 2017 14:45

The Use of Praise in Business Continuity

(TNS) - An independent analysis of San Jose’s (Calif.) response to the devastating Coyote Creek flood in February gives the city high marks in how it handled recovery efforts, but says an inadequate initial response indicates the city didn’t learn lessons from a similar flood two decades before.

The report — commissioned by the city and done by emergency management consultant Witt O’Brien — states that while “San Jose overall performed very well,” it “relied too heavily on flood projection data” from the water district and was “unnecessarily caught off guard, placing residents in a potentially dangerous situation.”

But Brad Gair of Witt O’Brien commended the city for taking responsibility for its early shortcomings and rapidly moving into recovery efforts. He praised the city’s assistance programs for “compassion, tenacity and ingenuity,” and for creating internal and external collaborations.



(TNS) - There was a common theme Tuesday morning at the Westport Marina public boat launch. There, the military was displaying the tactics, personnel and equipment to be used if, and when, the “big one” hits:

“Man, I hope we never have to use it, but I sure am glad it’s there if we do.”

An effective disaster relief plan has many moving parts. Personnel and equipment from the Army, Navy, Marines, U.S. Coast Guard and National Guard all come together to form a cohesive team that can provide anything from food, water and medical supplies to heavy construction equipment to clear roads in the aftermath of a disaster.



Many software companies today talk up the virtues of buying all the components of a primary business software platform from a single vendor. On the surface, this sounds like a reasonable approach. After all, with the entire solution coming from a single vendor one would expect that each component should integrate well with the overall platform and, if there is a problem, IT has that “one throat to choke.”

In some situations, buying the entire solution from a single vendor probably does make sense: If IT is looking for software to meet a relatively straightforward need, such as video conferencing or file sharing, an out-of-the-box, single vendor solution is typically a smart choice.

But if the organization is dealing with a complex problem – like running a real estate business or managing a global supply chain – there is no single silver bullet. Each organization needs a solution that meets its unique needs and, to achieve that, they need a platform that can incorporate innovation no matter who is producing it. In today’s fast-paced business environment, innovation gives organizations a serious competitive advantage and an open system is the only way to fully take advantage of it.



Thursday, 03 August 2017 14:43

The Rise of the Open Software Platform

According to a new SANS survey, 40 percent of respondents rated malicious insiders (insiders who intentionally do harm) as the most damaging threat vector their companies faced. Furthermore, nearly half (49 percent) said they were in the process of developing a formal incident response plan with provisions to address insider threat. This further illustrates the urgency with which companies are moving to address this threat vector.

“We are encouraged to see organizations recognizing malicious insiders as the top threat vector, but we are not seeing the necessary steps taken to address it,” said Haystax CEO, Bryan Ware. “Existing tools aren’t smart enough, or don’t have the context needed to identify malicious insiders. What’s needed is contextually-smart, user behavior analytics that produce actionable intelligence for decision makers.”

Despite the increased awareness of the threat from malicious insiders, many organizations continue defending against the wrong enemy by failing to implement effective detection tools and processes to identify these malicious insiders.



The Business Continuity Institute

40% of organizations say they are not able to measure incident response, and even Verizon was notably slow in responding to a potential data breach last month, according to a new study by Demisto.

The State of Incident Response 2017 is a study of how incident response teams investigate potential cyber attacks, and the results were not particularly encouraging. IT departments face a high volume of incidents – 350 per week on average – and one of the underlying factors for the lack of preparedness for these incidents is staffing. Approximately four in 10 (40%) respondents say they have more incidents than their staff can handle.

The vast majority of respondents (90%) say they struggle to find skilled security staff. Moreover, it takes an average of nine months to properly train new hires. All of that combines with a significant turnover of staff as one-third of security staff will leave within three years.

“One goal for this unique study was to gain better insights into how to address future threats by determining today’s major pain points for organizations,” said Rishi Bhargava, Demisto vice president of marketing. “Incident response must continue to evolve to meet current and emerging threats. The key to effective incident response is having the right combination of people, technology and processes. However, this study revealed that many organizations are far from having this right combination.”

The study found that most companies do incident response in-house - 41% is fully in-house, while 42% is in-house with the help of consultants. Only one in 100 (1%) companies fully outsourced their security operations, while 15% partially outsourced.

Dallas Area Rapid Transit (DART) & STORServer



Organization: Dallas Area Rapid Transit 

Industry: Regional transit agency 

Location: Dallas, Texas, USA 

Size: Serves more than 220,000 passengers per day



  • Upgrade older data backup appliance and software
  • Platform stability and system supportability
  • Turnkey solution that includes installation, implementation, training and maintenance support
  • Seamless integration with existing data backup configuration for its radio and CAD/AVL bus dispatch system 



  • STORServer EBA852 enterprise backup appliance with Storwize® V3700 20TB disk storage
  • IBM TS3100 tape library


Dallas Area Rapid Transit (DART) was ready to refresh its existing data backup appliance and software to take advantage of the newest IBM Spectrum Protect™ features and STORServer’s turnkey solution. 

Since the initial implementation STORServer completed for the regional transit agency in 2010, the features of the IBM Spectrum Protect, formerly IBM® Tivoli® Storage Manager (TSM), software have been greatly enhanced, including the change of the underlying software database to DB2®. The availability of this robust DB2 database, as well as IBM Spectrum Protect’s new deduplication feature designed to reduce backup storage requirements, prompted DART to upgrade its existing data storage configuration. 

It was imperative to select the right partner for its data backup needs, as DART relies heavily on the data collected and reported by its radio and CAD/AVL bus dispatch system. The data tracks important metrics like on-time performance, which is analyzed and used in planning for scheduling, route assignments, vehicle assignments and to make other critical decisions.

“Knowing our main priority was to ensure platform stability and system supportability, STORServer carefully considered our current needs while also recommending scalable solutions that will allow us to easily accommodate potential future needs as our data backup requirements change over time,” said David Bauchert, senior control systems programmer, Dallas Area Rapid Transit.

Because the existing configuration STORServer installed and implemented had worked seamlessly with the agency’s data backup needs for this dispatch system, DART’s IT team trusted STORServer’s recommendations for this upgrade. 


The Solution

STORServer helped DART implement a new backup appliance and transition an existing tape library to serve as the disaster recovery target for its backup data:


  • Primary Backup: STORServer EBA852 – This enterprise backup appliance with SSDs enabled the agency to take advantage of new features, like deduplication, now available in IBM Spectrum Protect. The IBM Spectrum Protect database is now housed on SSDs in the appliance with faster processing power. In this configuration, 20TB of Storwize® V3700 disk storage was included. The primary backup data is kept on disk for quick restore and to take advantage of Spectrum Protect’s deduplication feature, which reduces backup storage requirements. This configuration also includes IBM Spectrum Protect Suite licensing, which offers simplified pricing and licensing with a tiered per-terabyte metric. This licensing enables the agency to have access to a suite of backup software products, including database and mail agents, along with IBM Spectrum Protect™ for Virtual Environments, should the agency need to enable that in the future.
  • Disaster Recovery:  IBM TS3100 Tape Library – This entry-level tape library, which was previously installed by STORServer in 2010, is now used for disaster recovery copy purposes. Reusing this existing library provided flexibility and reduced the costs associated with the appliance server refresh. As part of the agency’s disaster recovery plan, the tapes are taken offsite every day. Incremental backups also take place daily. The appliance server and configuration recommended by STORServer allows DART to plan for future data growth, as additional external storage can be added as needed to the appliance server. With the newest Spectrum Protect and STORServer Console (SSC) versions included as part of this upgrade, DART can now manage and move its data more efficiently. Highly scalable to future-proof the agency’s needs, Spectrum Protect also reduces backup and recovery infrastructure costs. SSC is designed to let administrators configure and manage their Spectrum Protect environment with a single, intuitive user interface. It also helps users save time, reducing daily administration tasks to less than 30 minutes per day. 


The Results 

  • Fifty-nine percent data deduplication savings for a deduplication ratio of 3:1 
  • Even as DART experienced 40 percent data growth since the implementation, the deduplication capabilities enabled them to use 38 percent less storage. 
  • Reduced overall costs for data protection by removing redundant data 
  • Data is now moved more efficiently, allowing for best implementation of data protection business practices. 
  • Automated delivery of daily reports allows for easy review and confirmation that backups have completed successfully. These reports can be individually tailored and distributed to multiple levels within the organization.


“It’s been incredibly advantageous for us, both from a cost and time perspective, to have access to IBM Spectrum Protect’s deduplication capabilities. We’ve experienced substantial savings in storage since then. Previously, we were running at 100 percent of our disk capacity, and now we are only using 26 percent of it,” added Bauchert.



STORServer is a leading provider of data protection solutions and offers the only enterprise data backup appliance that is built to order. Each backup appliance solution is tailored to the customer’s unique environment to simplify management of complex backup, archive and disaster recovery needs. STORServer’s appliances feature enterprise class data backup, archive and disaster recovery software, hardware, services and U.S.-based customer support. STORServer is proud to now offer SoftLayer® containers and DRaaS in SoftLayer virtual machines. Companies of all sizes trust in STORServer’s proven appliances to solve their most complex data protection problems. For more information on STORServer, please visit storserver.com.

storserver.com (800) 550-5121 Copyright 2017 STORServer, Inc.

IBM, IBM Spectrum Protect, DB2, Storwize, IBM Spectrum Protect Suite, IBM Spectrum Protect for Virtual Environments are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. SoftLayer is a registered trademark of SoftLayer, Inc., an IBM Company.

If you’re new to disaster recovery or risk mitigation, you might be overwhelmed with business continuity terminology. To start, what is business continuity? If you’re not sure, don’t worry. We’re going to cover the definition of business continuity, what business continuity planning is, what’s included in a business continuity management program, how to manage a continuity plan, and the four-step business continuity process.

If you are still reading this, then business continuity or risk management is a topic of thought or concern for you. Perhaps a recent audit has revealed that your organization may be vulnerable during a crisis or emergency event. No matter the reason, having some type of business continuity planning in place is appropriate for all organizations regardless of revenue, size or industry. The planning and level of effort may vary depending on your needs, but you should make every effort to have something in place. So, what is business continuity and where do you start?



Getting the most out of ISO 26000, the world’s first and most widely used International Standard for social responsibility, is the aim of a new guidance document just published.

In its seven years of existence, ISO 26000 has become one of the key references for implementing social responsibility practices in any organization. It has been adopted nationally in 80 countries across more than 20 languages and was one of the sets of guidelines upon which the European Commission built its corporate social responsibility (CSR) strategy.

Now, a newly published International Workshop Agreement – IWA 26, Using ISO 26000 guidance on social responsibility in management systems – helps organizations reap even greater benefits from the standard using the management systems standard (MSS) approach.

With ISO 26000 being developed before the introduction of ISO’s “high-level structure” for MSSs, designed to bring consistency among all management systems within an organization, this IWA will help users of management systems standards more effectively integrate social responsibility into their business.



The new European General Data Protection Regulation goes into effect next May and applies to any company, anywhere in the world, that collects sensitive data about European customers or employees. GDPR also comes with onerous breach notification requirements and high penalties for failing to comply, and data center operators may become prime targets for regulators’ enforcement efforts once the new rules kick in.

“Data center providers are an important piece in the GDPR compliance chain as they have ownership of the physical assets where information is stored,” said Jose Casinha, CISO at OutSystems, an enterprise software company based in Atlanta, Georgia.

“The data center is ‘where the rubber meets the road’ for many aspects of GDPR,” said Ken Krupa, enterprise CTO at MarkLogic Corp.

Often, it’s only the people who manage the infrastructure who really understand where all the copies of the data are, he said, especially when things like high availability, disaster recovery, and backups are taken into account.



The Business Continuity Institute

The UK lags behind many other major economies in the adoption of collaborative working technology, which could impact business productivity, according to a global study conducted by Polycom. Collaborative technologies include video and teleconferencing, instant messaging and file sharing tools.

The study found that 46% of UK workers use collaborative tools daily. This is far lower than many leading economies, including Russia (61%), Australia (55%), Singapore (54%), United States (53%), Canada (51%) and France (49%).

Emerging economies Brazil (82%) and India (72%) lead collaborative technology adoption, while a culture of presenteeism in Japan limits the ability to work remotely there.

The UK government enabled flexible working for all in June 2014. Despite the UK trailing in adoption of collaborative technology, there is clearly a demand for the ability to work remotely and business people well understand the benefits of such a culture.

Nearly two-thirds (64%) of the UK now works remotely at some point, Polycom finds, with 38% of people using email 'considerably less' in favour of the phone or instant messaging. Those aged 30-44 are most likely to ditch email, possibly because it is the format they have used most during their career and know how much time email can take to manage effectively.

"Embracing collaborative working technology and flexible working practices can benefit organizations from a business continuity and resilience perspective," said David Thorp, Executive Director of the Business Continuity Institute. "By having processes in place that allow people to work flexibly during 'business as usual', it makes it far easier to enable them to work flexibly during an emergency."

“In the UK, many organizations maintain a legacy ‘nine-to-five’ culture while others are going through a process of digital transformation, so may be exploring the viability of remote working for their workforce,” says Jeremy Keefe, UK&I and Benelux Area Sales Vice President, at Polycom. “To enable staff to work effectively from home, organisations need to equip staff with the technology that connects them with colleagues, generate working from home policies and update them as culture and technology evolves, and provide guidelines to staff.”

The Business Continuity Institute

More than a third (35%) of SMEs in the UK are increasingly concerned about their ability to gain funding in the run up to Brexit, a study by Hiscox has revealed. Recent economic and political uncertainty has adversely affected business confidence, and caused concern for the future as the UK’s withdrawal from the EU becomes nearer. This concern should come as no surprise, as 38% of the 500 businesses surveyed admitted to accessing EU funding.

Despite many funding options being made available to new businesses, 36% of business owners said a lack of choice was the most common single challenge they faced when looking for funding. Moreover, 28% of businesses cited a lack of eligibility as the reason holding them back from obtaining finance, and a further 25% said market competition was their key challenge.

Surprisingly, what emerged from the survey was that one in five businesses (20%) are still unaware of the variety of funding options available to them. Despite the arrival of new finance options for start-ups like crowdfunding and peer-to-peer loans, most small businesses still turn to banks. Three-quarters of businesses surveyed used bank loans for funding over the last five years. Other popular funding choices were EU funding and equity funding (both received by 38% of businesses over the last five years).

Almost a third (31%) of businesses surveyed said economic uncertainty had been the biggest factor impacting their growth in the last five years. In fact, 18% more businesses found economic uncertainty affected their growth than competition within their own industry (13%).

Steve McGerr, Head of Direct Commercial at Hiscox, commented: "With a Scottish independence referendum, election uncertainty and a vote on EU membership, it’s been a turbulent few years for the British economy. In light of this, it’s perhaps unsurprising that the unpredictability of Britain’s economic health has been a key issue for businesses."

Another cause of concern for the UK's businesses is the availability of skilled workers, with 10% of businesses facing obstructions to their growth due to a lack of skilled personnel. With the Institute for Public Policy Research finding that employers in Britain are currently spending over £6 billion less on training per year than the EU average, and the prospect of visa complications for foreign workers following Brexit, the growing skills’ gap could further hinder business growth in the UK.

LITTLE ROCK, Ark. — Many Arkansans lost important items in the severe storms between April 26 and May 19, including documents the Arkansas Department of Emergency Management and FEMA need to process disaster assistance applications.

If papers are gone – such as birth certificates, Social Security cards, driver’s licenses, tax records, insurance policies, etc.— many can be replaced by contacting sources of information, such as vital records offices, Social Security agencies, insurance offices and other organizations or agencies.

Disaster survivors need to provide proof of citizenship, proof of property ownership or rental occupancy, Social Security numbers and other personal information when registering for disaster assistance. But documentation can be submitted after applying for assistance. The deadline to register is only two weeks off—Aug. 14. Below are some sources to replace lost documents:

  • Proof of address/residency: Contact your local utility company to obtain a recent bill.
  • Birth certificates: In Arkansas, contact the Arkansas Department of Health Vital Records. Go to healthy.Arkansas.gov for information, or call 501-661-2336 or 800-637-9314. The office has a high volume of requests; expect delays.
  • Copies of insurance policies: Contact your insurance agent or the insurance company.
  • State income tax records and replacement driver’s licenses or vehicle titles: Visit any state revenue office (Arkansas Department of Finance and Administration). Visit dfa.arkansas.gov online for downloadable numbers of each agency. Numbers vary by county.
  • Social Security cards: Call the U.S. Social Security office at 800-772-1213, Monday through Friday, 7 a.m. to 7 p.m. EDT. For TTY users the number is 800-325-0778, or log onto ssa.gov/ssnumber for more information.
  • Medicare cards: Phone: 800-772-1213 or go to ssa.gov
  • Federal tax records: Call the Internal Revenue Service at 800-829-1040, Monday through Friday, 7 a.m. to 10 p.m. EDT, or log onto irs.gov.
  • SNAP Card (Food Stamps): Arkansas Department of Human Services, 501-682-1001 or http://humanservices.arkansas.gov/Pages/default.aspx
  • Military Records: National Archives, 866-272-6272, Option 1, or archives.gov
  • National Archives Records: 866-272-6272, archives.gov/preservation/records-emergency/public.html
  • Green Card replacement: Phone: 800-375-5283 or go to uscis.gov and click on “green card” at left on the home page
  • Real Estate and property records (mortgage documents, deeds, etc.): Contact a real estate agent, escrow agent or your mortgage company.
  • Medical and prescription records: Medical and prescription records are tracked electronically; contact your doctor or clinic.
  • Saving family records: The National Archives (archives.gov) has detailed technical information on how to salvage flood-damaged records and other information of interest to disaster survivors.

To register with FEMA:

  • Call the FEMA Helpline at 800-621-3362. Multilingual operators are available. Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call 800-462-7585. If you use 711 or VRS (Video Relay Service), call 800-621-3362. The toll-free numbers are open daily from 7 a.m. to 10 p.m.
  • Go online to DisasterAssistance.gov (also in Spanish)
  • Download the FEMA mobile app (available in Spanish) at Google Play or the Apple App Store.
  • Help is available in most languages, and information on the registration process is available in ASL at fema.gov/media-library/assets/videos/111546.

There are three ways to apply to SBA after you register with FEMA:

  • Call SBA at 800-659-2955. Individuals who are deaf or hard of hearing may call 800-877-8339.
  • Apply online using the Electronic Loan Application via SBA’s secure website at: https://disasterloan.sba.gov/ela.
  • Apply by mail: Complete a paper application and mail it to SBA at 14925 Kingsport Road, Ft. Worth TX 76155-2243.

For updates on the Arkansas response and recovery, follow the Arkansas Department of Emergency Management (@AR_Emergencies) on Twitter and Facebook and adem.arkansas.gov. Additional information is available at fema.gov/disaster/4318.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

(TNS) - Gov. Rick Scott declared a state of emergency for 31 Florida counties including Broward, Palm Beach and Miami-Dade as Tropical Storm Emily made landfall on Florida’s Gulf Coast on Monday morning.

The storm, which formed suddenly on Monday morning just off Tampa, wasn’t expected to directly affect South Florida but forecasters said it could dump several inches of rain.

The state of emergency was in effect for 31 counties including Pinellas, Hillsborough, Manatee, Sarasota, Charlotte and Lee. The declaration “gives the state the flexibility to work with local governments to ensure that they have the resources they may need,” said a statement from Scott’s office.



The Business Continuity Institute

IT security professionals predict that DDoS attacks will get larger and more significant in the year ahead, and are already preparing for attacks that could disrupt the UK’s Brexit negotiations and cause outages worldwide, according to new research from Corero Network Security.

More than half (57%) of respondents to their survey believe that the UK’s Brexit negotiations will be affected by DDoS attacks, with hackers using DDoS to disrupt the negotiations, or using DDoS attacks as a camouflage technique while they seek to steal confidential documents or data.

Many in the industry expect to see a significant escalation of DDoS attacks during the year ahead, with some (38%) predicting that there could even be worldwide internet outages during 2017. But reassuringly, the vast majority of security teams (70%) are already taking steps to stay ahead of these threats, such as putting business continuity measures in place to allow their organizations to continue operating in the event of worldwide attacks.

Despite continued discussions about nation state attackers, security professionals believe that criminal extortionists are the most likely group to inflict a DDoS attack against their organisations, with 38% expecting attacks to be financially motivated. By contrast, just 11% believe that hostile nations would be behind a DDoS attack against their organisation.

This financial motivation explains why almost half of those surveyed (46%) expect to be targeted by a DDoS-related ransom demand over the next 12 months. Worryingly, 62% believe it is likely or possible that their leadership team would pay.

“Despite continued advice that victims should not pay a ransom, a worrying number of security professionals seem to believe that their leadership teams would still consider making a payment in the event of an attack,” said Ashley Stephenson, CEO of Corero Network Security. "Corporations need to be proactive and invest in their cyber security defences against DDoS and ransomware to protect themselves against such extortion.”

While high-bandwidth DDoS attacks continue to dominate the headlines, security professionals are also worried about the smaller, low-volume DDoS attacks of less than 30 minutes in duration. These ‘Trojan Horse’ DDoS attacks typically go unmitigated by most legacy DDoS mitigation solutions but are frequently used by hackers as a distraction mechanism for additional attacks.

According to the survey results, less than a third (30%) of IT security teams have enough visibility into their networks to mitigate attacks of less than 30 minutes. A much larger proportion of respondents (63%) are also worried about the hidden effects of these attacks on their networks, such as undetected data theft – particularly with the GDPR deadline fast approaching, after which organizations could be fined up to 4% of global turnover in the event of a data breach.
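The visibility problem the survey describes has a simple mechanical cause: a monitoring tool that averages traffic over a long interval dilutes a burst that lasts only a few minutes. The following is an added illustration, not code from the article or from Corero; it uses a constructed one-hour series of per-minute request counters from a hypothetical edge device (baseline of 100 requests per second with a three-minute burst at 5,000) and compares how many windows a fixed threshold flags at 30-, 5- and 1-minute granularity. The names `build_sample`, `window_averages`, `flag_windows` and `compare`, the baseline, burst and threshold values are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Assumed values for the constructed sample (not measurements from the survey).
BASELINE_RPS = 100              # normal request rate
BURST_RPS = 5000                # short-lived flood
THRESHOLD_RPS = 10 * BASELINE_RPS   # alert when a window averages 10x baseline


def build_sample():
    """Constructed per-minute counters: (timestamp, requests per second) for
    one hour, with a 3-minute burst starting at minute 20. Not real traffic."""
    start = datetime(2017, 8, 3, 14, 0)
    return [
        (start + timedelta(minutes=m), BURST_RPS if 20 <= m < 23 else BASELINE_RPS)
        for m in range(60)
    ]


def window_averages(samples, window_minutes):
    """Average the rate over consecutive, non-overlapping windows.
    Samples are assumed to be one per minute and sorted by time.
    Returns a list of (window_start, average_rps)."""
    out = []
    for i in range(0, len(samples), window_minutes):
        chunk = samples[i:i + window_minutes]
        avg = sum(rps for _, rps in chunk) / len(chunk)
        out.append((chunk[0][0], avg))
    return out


def flag_windows(samples, window_minutes, threshold_rps=THRESHOLD_RPS):
    """Return the windows whose average rate exceeds the threshold."""
    return [
        (ts, avg)
        for ts, avg in window_averages(samples, window_minutes)
        if avg > threshold_rps
    ]


def compare(samples):
    """Count flagged windows for a coarse, a medium and a fine window size."""
    return {w: len(flag_windows(samples, w)) for w in (30, 5, 1)}


if __name__ == "__main__":
    series = build_sample()
    for w, n in compare(series).items():
        print(f"{w:>2}-minute windows: {n} flagged")
```

With a 30-minute window the burst is averaged with 27 quiet minutes (about 590 rps, below the threshold) and nothing is flagged; the 5-minute window flags one interval and the 1-minute window flags all three burst minutes. The same threshold, applied at a finer granularity, is what turns an invisible short attack into an alert, which is why per-minute (or per-second) rate visibility matters more than the threshold value itself.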

With websites being of such vital importance to many organizations, losing that website, even for a short period of time, can be severely damaging and could result in lost business. It is perhaps no surprise that business continuity professionals consider cyber attack to be their number one concern according to the latest Horizon Scan Report published by the Business Continuity Institute.

A Compliance Officer’s Role in Mitigating This Risk

Mobile computing presents a unique set of challenges to compliance officers. Our devices are truly omnichannel and not just dedicated to one aspect of our lives. No organization can be fully compliant with data protection regulations when its staff carry personal devices with sensitive information on them; many of these devices are likely to be stolen or compromised at some point.

Mobile computing presents unique challenges to compliance officers in banking – challenges that may not be fully understood, in part because of the high number of factors involved and their potential for complex interaction. These factors include multiple devices being used for both work and personal reasons; mixed use of corporate, private and public networks; and known vulnerabilities in mobile software and hardware. A full list of all potential risks would be the product of all possible interactions of the factors. Compliance officers have a big role to play in considering and dealing with the human, process and technological aspects of these risks and their mitigations.

People increasingly expect to be using their own devices for work – from connecting to corporate networks, systems and services via VPNs from home desktops and laptops to loading work email accounts onto personal smartphones to accessing other forms of work collaboration such as instant messaging, VOIP, portals, blogs, wikis, groupware, etc. from multiple devices, including tablets and wearables. The boundaries between work and personal are not just blurred, nor have they evaporated; instead, they are irrelevant.



Even as the fight against malware escalates, viruses, worms, Trojans, rootkits and ransomware lurk as threats every time we boot up or login.

For most small-business users, anti-malware software lives locally on each computer itself or as a suite on a local area network. A database of known malware definitions is a critical part of that software. That database resides with the software and needs to be updated to provide optimal protection.

To make computer- and network-based anti-malware protection operate effectively, solution providers need to:



The Business Continuity Institute

UK SMEs are underprepared to respond to a crisis scenario, despite their awareness that security threats are rising and 44% expecting to face some form of attack in the near future. This is the key finding of research commissioned by Arthur J. Gallagher that focused on evaluating business resilience.

Understanding security risks: how SMEs can build a culture of resilience revealed that 43% of respondents admitted to having no contingency plans for a crisis or not knowing what those plans were. Furthermore, only 30% have insurance in place that would respond to a security crisis - such as terrorism, cyber extortion, sabotage, product tamper or emergency repatriation - with a further 40% not knowing if they have insurance cover or not.

The research also highlighted a very clear gap in perception between the threats SMEs face and their level of preparedness. More than two thirds (68%) of SMEs questioned believe they are resilient and well-equipped to deal with a security crisis despite their planning and insurance protection levels showing otherwise.

There is, however, a widespread understanding that threat levels are growing, with one in five (19%) UK SMEs having faced an external security threat in the past two years while more than double that number (44%) believes they could face a threat in the coming 12 to 18 months. More than a quarter (27%) of those asked said they specifically expect to suffer cyber extortion in the near future.

When comparing responses between SME leaders and those of larger organizations, the research clearly showed that many SMEs feel they are too small to be targeted, with only 17% having tried to assess their exposure. But the nature and effect of today’s low frequency high impact security threats - such as terrorism and cyber extortion - is often non-targeted. Large security cordons, for example, prevent access to premises, while mass ransomware attacks mean smaller firms are often more vulnerable than large organizations.

Small businesses are not exempt from the disruptions that all organizations face, and the latest Horizon Scan Report published by the Business Continuity Institute highlights that organizations of all sizes generally share the same concerns.

Paul Bassett, Managing Director of Gallagher’s Crisis Management practice, said: “It is vital for SMEs to build a culture of crisis resilience. Their growing awareness of an overall increase in security threats needs to be matched by actions that will help them mitigate and manage their own vulnerability to those risks. Our research shows education is key; clearly, there is a disconnect between the current level of planning by SMEs and how resilient they believe themselves to be, creating a false sense of security.

“Many evidently feel they are too small to be targeted but today’s fast-evolving security threats are often not targeted at any particular company or industry. Exposure to the risk of non-damage business interruption - where no physical loss has been suffered but you aren’t able to trade - is a particular area of concern. That could be experienced because of proximity to a terrorist incident or an indiscriminate cyber extortion attack, for example.”

The Business Continuity Institute

Organizations across the globe mistakenly believe they are in compliance with the upcoming General Data Protection Regulation (GDPR), according to a study by Veritas.

The 2017 GDPR Report revealed that almost one-third (31%) of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. In fact, upon closer inspection, only 2% actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.

The findings of the report show that almost half (48%) of organizations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61% of the same group admitted that it is difficult for their organization to identify and report a personal data breach within 72 hours of becoming aware of it – a mandatory GDPR requirement where there is a risk to data subjects. Any organization that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory authority within this timeframe is in breach of this key requirement.

Restricting former employee access to corporate data and deleting their systems credentials helps to stem malicious activity and ensure that financial loss and reputational damage are avoided. Yet, a staggering 50% of so-called compliant organizations said that former employees are still able to access internal data. These findings highlight that even the most confident organizations struggle to control former employee access and are potentially susceptible to attacks.
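The control described above, reconciling the HR leaver list against directory account status, is straightforward to automate. The following is an added example written for this page, not code from Veritas or from the report; the roster and directory export are constructed sample data, and the field names, grace period and reference date are assumptions. It flags three things a practitioner would want to see separately: a leaver whose account is still enabled past the grace period, a leaver with a logon recorded after the termination date (the case the survey describes), and enabled accounts with no HR owner, which are usually service accounts but need an explicit owner.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (not from the Veritas report): an HR roster with
# termination dates and a directory export of account status.
HR_ROSTER = [
    {"user": "asmith", "terminated": date(2017, 6, 30)},
    {"user": "bjones", "terminated": None},             # still employed
    {"user": "cwong",  "terminated": date(2017, 7, 14)},
    {"user": "dpatel", "terminated": date(2017, 5, 2)},
]

DIRECTORY = [
    {"user": "asmith",     "enabled": True,  "last_logon": date(2017, 7, 20), "groups": ["vpn-users", "finance-ro"]},
    {"user": "bjones",     "enabled": True,  "last_logon": date(2017, 7, 26), "groups": ["vpn-users"]},
    {"user": "cwong",      "enabled": False, "last_logon": date(2017, 7, 13), "groups": ["vpn-users"]},
    {"user": "dpatel",     "enabled": True,  "last_logon": date(2017, 4, 29), "groups": []},
    {"user": "svc-backup", "enabled": True,  "last_logon": date(2017, 7, 25), "groups": ["backup-operators"]},
]


@dataclass
class Finding:
    user: str
    reason: str
    severity: str


def reconcile(hr_roster, directory, grace_days=1, today=date(2017, 7, 27)):
    """Return findings for accounts that should no longer have access.

    Checks, per terminated person with a directory account:
      high   - a logon recorded after the termination date (access actually used)
      medium - account still enabled more than grace_days after termination
    Plus, for the directory as a whole:
      low    - enabled account with no HR record (assumed service account; needs an owner)
    grace_days and today are assumed values for this example.
    """
    by_user = {d["user"]: d for d in directory}
    findings = []

    for person in hr_roster:
        term = person["terminated"]
        acct = by_user.get(person["user"])
        if term is None or acct is None:
            continue  # current employee, or no account to review
        if acct["last_logon"] and acct["last_logon"] > term:
            findings.append(Finding(
                person["user"],
                f"logon on {acct['last_logon']} after termination on {term}",
                "high"))
        if acct["enabled"] and today - term > timedelta(days=grace_days):
            findings.append(Finding(
                person["user"],
                f"account still enabled {(today - term).days} days after termination",
                "medium"))

    hr_users = {p["user"] for p in hr_roster}
    for acct in directory:
        if acct["enabled"] and acct["user"] not in hr_users:
            findings.append(Finding(
                acct["user"],
                "enabled account with no HR owner; confirm it is a managed service account",
                "low"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY):
        print(f"{f.severity:6} {f.user:12} {f.reason}")
```

On the sample data this reports asmith twice (logon after leaving, and still enabled), dpatel as still enabled, and svc-backup as ownerless; cwong is clean because the account was disabled on the termination date. Running this daily against a real HR feed and directory export, and treating any "high" as an incident rather than a hygiene item, is the practical form of the control the report says half of "compliant" organizations lack.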

Under the GDPR, EU residents will have the right to request the removal of their personal data from an organization’s databases. However, Veritas’ research shows many organizations that stated they already are in compliance will not be able to search, find and erase personal data if the 'right to be forgotten' principle is exercised.

Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.

Of the organizations that believe they are GDPR-ready, almost one-fifth (18%) admitted that personal data cannot be purged or modified. A further 13% conceded that they do not have the capability to search and analyze personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualize where their data is stored, because their data sources and repositories are not clearly defined.

These shortcomings would render a company non-compliant under the GDPR. Organizations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.

Veritas’ research also found that there is a common misunderstanding among organizations regarding responsibility for data held in cloud environments. Almost half (49%) of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. In fact, the responsibility still lies with the organization, as the data controller, to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This false sense of protection could lead to serious repercussions once the GDPR applies from May 2018.

“The GDPR dictates that multi-national corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice president and chief product officer, Veritas.

“With regulations like the GDPR you have to understand what data you have in your organization. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organization out of business.”

Vigilant Assessment and Comprehensive Security Also Needed

According to Cybersecurity Ventures, the worldwide cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion by 2021. This includes damage and destruction of data, stolen money, lost property, intellectual property theft and other areas. In an era where the likelihood of cyberattack is high, turning a blind eye can have disastrous consequences. Cyber insurance can soften the financial blows, but it works best in conjunction with an enterprise-wide culture of security, a comprehensive risk management program, and a carefully maintained security stance.

Public agencies and organizations around the world are making cyber risk their top priority. Insuring companies against data breaches is becoming a massive industry even as its promising role and impact in security operations continues to unfold. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws (e.g., EU data privacy regulations) and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.



Talk about the long arm of the law! The European Union’s General Data Protection Regulation, or EU GDPR for short, aims to protect the personal data of individuals in the European Union, wherever that data is processed and wherever the organisation collecting or processing it is based.

So, for example, if your Sydney or Melbourne based ecommerce enterprise sells online to consumers resident in any of the European member states (there are 28 of them), you must respect the EU GDPR too. If you do not, the consequences could be serious.

The General Data Protection Regulation shows how thinking about data and security has evolved in the digital age. Geographical boundaries have been supplemented by digital boundaries. Personal data is a new virtual domain that straddles physical country borders and that carries with it its own rules of conduct.



(TNS) - On a typical day, students and teachers fill the halls of Shirley C. Heim Middle School in Stafford County. But on Wednesday morning, hordes of residents playing the role of survivors of an EF3 tornado strike filed off a bus and crowded into the school, which served as an emergency shelter for the day.

Volunteers greeted the survivors at the entrance, directed them to sign in and fielded numerous questions, including where to take those with life-threatening injuries and whether dogs could be taken into the shelter.

The events at the school were part of a countywide full-scale mass-care exercise involving more than 200 participants and multiple local and state agencies. County participants included the school system and departments including Human Services, Social Services, Fire and Rescue, Community Emergency Response Team, Stafford Emergency Management Communications, Sheriff’s Office, Animal Control, and Parks, Recreation and Community Facilities.



The Business Continuity Institute

While the majority of organizations in Singapore believe that cyber security is important and seek guidance from IT security experts, almost all (91%) of them are still at the early stages of security preparedness, according to a survey conducted by Quann and IDC. The survey identified significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks, making these organizations vulnerable to cyber attacks.

Mr. Foo Siang-tse, Managing Director at Quann, said: “The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact.”

The Quann IT Security End User Study 2017 found that, while basic IT security features such as firewalls and antivirus are widely deployed by Singapore organizations, more than half (56%) of them do not have a Security Information and Event Management (SIEM) system to correlate events and raise alerts for anomalies in a timely manner. 54% do not have a Security Operations Centre (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents flagged by those systems. The lack of proper monitoring systems and processes means that anomalies picked up by security devices could go unattended, and malware may reside within corporate networks and cause damage for long periods.
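To make concrete what "correlate events and raise alerts" means at the smallest scale, here is an added example, not code from Quann, IDC or any SIEM product: a sliding-window correlation rule over constructed sshd-style auth log lines. It raises one alert when a source reaches a threshold of failed logins inside the window, and a higher-priority alert when a success from that source follows the failures. The log format, threshold, window and year are assumptions; the third source in the sample fails slowly, one attempt every twenty minutes, to show what a short window does not catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an auth.log/sshd style (not from the survey).
SAMPLE_LOG = """\
Jul 27 09:00:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 27 09:00:03 srv1 sshd[1203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jul 27 09:00:04 srv1 sshd[1205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jul 27 09:00:06 srv1 sshd[1207]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jul 27 09:00:07 srv1 sshd[1209]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jul 27 09:00:09 srv1 sshd[1211]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Jul 27 09:05:00 srv1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 27 09:05:20 srv1 sshd[1302]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Jul 27 10:00:00 srv1 sshd[1400]: Failed password for bob from 192.0.2.9 port 30000 ssh2
Jul 27 10:20:00 srv1 sshd[1401]: Failed password for bob from 192.0.2.9 port 30001 ssh2
Jul 27 10:40:00 srv1 sshd[1402]: Failed password for bob from 192.0.2.9 port 30002 ssh2
Jul 27 11:00:00 srv1 sshd[1403]: Failed password for bob from 192.0.2.9 port 30003 ssh2
Jul 27 11:20:00 srv1 sshd[1404]: Failed password for bob from 192.0.2.9 port 30004 ssh2
Jul 27 11:21:00 srv1 sshd[1405]: Accepted password for bob from 192.0.2.9 port 30005 ssh2
"""

# Assumed line layout: syslog timestamp, host, sshd[pid], result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2017):
    """Parse one auth line into a dict, or return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(log_text, window=timedelta(minutes=5), threshold=4):
    """Stateful correlation keyed on source IP.

    Keeps the timestamps of recent failures per source and drops those older
    than `window`. Emits 'auth.bruteforce' when the count reaches `threshold`
    and 'auth.bruteforce.success' when an accepted login follows at least
    `threshold` recent failures from the same source. Window and threshold
    are assumed tuning values.
    """
    failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # age out failures outside the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once per burst, not on every extra failure
                alerts.append({"rule": "auth.bruteforce", "src": ev["src"],
                               "at": ev["ts"], "failures": len(recent)})
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "auth.bruteforce.success", "src": ev["src"],
                               "user": ev["user"], "at": ev["ts"], "failures": len(recent)})
            recent.clear()  # a success ends the burst for this source
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

On the sample, 203.0.113.5 produces both alerts and alice's single typo produces none, which is the intended behaviour. The 192.0.2.9 source makes five failures and then succeeds but never trips the rule, because no two of its attempts fall inside the five-minute window: a real SIEM rule set pairs a short-window rule like this with a long-window, low-threshold one, and the "success after failures" pattern should be the one that pages a human, since it is what an unattended anomaly looks like once it has already worked.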

The survey also found that 40% of Singaporean respondents do not have incident response plans to protect their organization’s networks and critical data in the event of a cyber attack. Only one-third (33%) of them exercise their incident response plans.

Cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 33% of the Singapore organizations require all employees from the CEO down to take part in IT security awareness training.

Many organizations (75%) do not have a dedicated IT security budget and planning process. Most respondents said that they have a security lead but they are not a dedicated resource and have other responsibilities at the same time. They also do not have round-the-clock security support, with 32% having security support only during work hours, and 25% only during the work week.

Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity institute's latest Horizon Scan Report. 88% and 81%, respectively, of respondents to a global survey expressed concern about the potential for a disruption caused by one of these events.

With cyber attacks evolving at an unprecedented speed, there is a need for organizations to invest in security resources, increase the frequency and expand the reach of IT security training to keep pace with the cyber threats.

The survey also reveals a low level of engagement from senior leadership in formulating IT security strategies. The majority (91%) of respondents consult security executives, but only 16% of them will invite the executives to Board meetings and involve them in risk assessment.

Mr. Simon Piff, Vice President of IDC Asia/Pacific’s IT Security Practice, said: “Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organization.”

The Business Continuity Institute

The NotPetya ransomware attack which struck a month ago, on the very day the Business Continuity Institute launched its Cyber Resilience Report, is still affecting many organizations, with the Federation of Small Businesses (FSB) reporting that it has serious concerns over the continuing impact on TNT's small business customers. The attack has been debilitating for some small firms who remain in the dark over when and if they can expect their goods to be delivered.

The share price of TNT's parent company - FedEx - fell last week when it announced that it expects a "material" financial impact as a result of the NotPetya cyber attack. FedEx said in a statement that “we cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus.”

The Guardian newspaper highlighted the case of Peter Blohm, an antique dealer from Aberystwyth, who was one of those caught up in the TNT chaos, and has been trying to find out what happened to a consignment of art that left Switzerland on 11 July and was due to be delivered soon after.

Peter told the Guardian that “TNT tell me they have had no computer systems since the end of June and there is no estimate for when their systems will be fixed. This means there are many thousands of parcels which have, like mine, been waiting for weeks to be processed by hand with pen and paper. The staff sound harassed, but cannot estimate when my parcel will be delivered, because they simply do not know.”

Mike Cherry, FSB National Chairman, said: “There are small businesses in a total state of paralysis, a month on from the attack, because their business relies on transporting goods through TNT. For a small business, this kind of disruption can be crippling and threaten their survival. Small business customers need accurate, clear and frequent updates from TNT to help them with their own contingency planning and a commitment to provide redress to those small businesses who have lost out.

“This is a stark reminder of the danger posed by cyber crime and how it can strike down smaller businesses indirectly, having a much wider impact on the economy. It serves as a major wake up call on the need to tackle and prevent the growing threat of cyber crime right across the business community."

AlertMedia, the fastest-growing emergency notification system provider in the world, is pleased to announce that it has been named one of the Best Places to Work in the 2017 Small Business category by the Austin Business Journal.

The honorary award recognizes companies in four categories according to size. The awards are based on confidential feedback from employees and measure the following dimensions: communication and resources, individual needs, manager effectiveness, personal engagement, team dynamics, and trust in leadership. AlertMedia was ranked the 5th best workplace within its category.



For twelve years, Avalution has been laser focused on business continuity.  We’ve become the leading provider of business continuity software and consulting in the US.  We work with 10% of the Fortune 100, including the largest organization in 7 different industries.

We’ve become well known for delivering business continuity services that are connected to the strategy of the business, pragmatic, and reliably delivered.

Today, we are expanding into Information Security Management. 



A Primer on the New Global Privacy Law

For most organizations, the next year will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations. The GDPR has the potential to serve as a healthy, scalable, exportable regime that could become an international benchmark, but because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance.

The General Data Protection Regulation (GDPR) officially goes into effect in May of 2018 and will have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity – not to mention potential cost and associated resources – to the issue of critical information asset management that so many organizations are struggling to come to terms with.

At the Information Security Forum (ISF), we consider this to be the biggest shake-up of global privacy law in decades, as it redefines the scope of EU data protection legislation, forcing organizations worldwide to comply with its requirements. This most certainly includes U.S.-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a lack of awareness among key internal stakeholders. Alongside its benefits, the GDPR creates several compliance requirements from which few organizations will completely escape.

However, organizations will benefit from the uniformity introduced by the reform and will no longer have to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defense of mission-critical assets. The GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.



Thursday, 27 July 2017 14:29

What the GDPR Means for Your Organization

In the last ten years, the workplace has transitioned from stationary to mobile. As technology has advanced it’s changed the way we work, where we work, and when we work. In fact, this report by Global Workplace Analytics discovered that employees are not at their desks as much as 50-60% of the time. Many employees change locations multiple times a day, and others frequently travel or do offsite work. With the rise of staff on the go, there is an increase in external risks in addition to those that occur in the office. So how do you keep your people safe? You need a system that can adapt to people’s changing location and the changing landscape around us.

Having access to your employees’ location data can improve your ability to respond to disaster in many ways.  Location improves your emergency plan by allowing the message to get to the right people in the affected area. A robust emergency notification system should quickly find the appropriate audience based on location, only reach the people who need the message, have geofencing capabilities, and give you extended map functionalities to see the proximity of emergencies to your users and notify them of the situation immediately.



The Business Continuity Institute

The electric grid is one of the most critical infrastructure systems for modern life, but it is also one of the most vulnerable. Recent graduates of the Johns Hopkins University School of Advanced International Studies (SAIS), supported by Swiss Re, have released a study that examines how extreme weather and other natural disasters are evolving in the Pacific Northwest, and the implications for electric infrastructure and potential economic disruption.

“Lights Out: The Risks of Climate and Natural Disaster Related Disruption to the Electric Grid” finds that climate change, expanding populations, and insufficiently diversified energy sources make the future of energy more unpredictable. The US insurance industry has already identified a $20–$55 billion annual financial loss from power outages caused by flooding, hurricanes, and extreme temperatures.

The group focused on the Pacific Northwest as an illustrative case study in climate and natural disaster related electric grid disruption. The region is prone to high-frequency, low-intensity natural disasters such as droughts and flooding, as well as being at risk of catastrophes like a Cascadia Subduction Zone (CSZ) event - an earthquake-tsunami combination that is expected to devastate the coastline from northern California to southern British Columbia. As climate change alters the seasonality of water runoff in the Pacific Northwest, electricity generation, as well as the operation and maintenance of hydroelectric dams, faces additional challenges.

“The cost of disasters has increased fourfold over the last 30 years. The total loss of $55 billion a year from unplanned electric outages in the US is more than the US government spends on all federal highways,” said Alex Kaplan, Senior Vice President of Global Partnership at Swiss Re. “We have to think not only about the physical destruction of these assets and the cost to replace them, but also the impact of the extreme weather and how it destroys economic productivity over the longer period of time.”

Adverse weather, one type of event that can lead to the disruptions outlined in this report, is the fifth greatest concern for business continuity professionals, as identified in the Business Continuity Institute's latest Horizon Scan Report, with more than half (51%) of respondents to a global survey expressing concern about the potential for a disruption caused by such an event. Earthquakes and tsunamis were much further down in 18th place, with 25% expressing concern, although these types of event are much more region specific.

“Natural disasters and climate-related, severe weather events pose real risks to vulnerable communities and are currently costing billions in damages globally,” said Celeste Connors, a former White House official on climate change and Johns Hopkins SAIS faculty advisor. “Local governments are taking the lead in reducing this risk by investing forward in resilient infrastructure systems. New and innovative financing mechanisms and partnerships can play a key role in helping governments manage their risk.”

The Business Continuity Institute

Ransomware has soared since 2012, with criminals lured by the promise of profit and ease of implementation. The threat continues to evolve, becoming stealthier and more destructive, increasingly targeting organizations more than individuals because the potential returns are much higher.

The indiscriminate WannaCry attack in May affected more than a quarter of a million computers across 150 countries in its first few days, crippling critical infrastructure and organizations. Some organizations are still struggling to recover from NotPetya attacks in June.

The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4% compared to the previous 12 months, from 2,315,931 to 2,581,026 users around the world.

To help combat the threat, the No More Ransom initiative was launched a year ago by the Dutch National Police, Europol, McAfee and Kaspersky Lab. Today there are more than 100 partners, as major ransomware attacks continue to dominate the news, hitting organizations, governments and individuals all over the world. The site now carries 54 decryption tools, provided by nine partners and covering 104 types (families) of ransomware. So far, these tools have managed to decrypt more than 28,000 devices, depriving cyber criminals of an estimated €8 million in ransoms.

The success of the No More Ransom initiative is a shared success, one that cannot be achieved by law enforcement or private industry alone. By joining forces, it has enhanced the ability to take on the criminals and stop them from harming people, organizations and critical infrastructure, once and for all.

Law enforcement globally, in close cooperation with private partners, has ongoing investigations into ransomware criminals and infrastructure. However, prevention is no doubt better than cure. Internet users need to avoid becoming a victim in the first place.

With the infected computers or networks becoming unusable until a ransom has been paid or the data has been recovered, it is clear to see why these types of attack can be a concern for business continuity professionals. The latest Horizon Scan Report published by the Business Continuity Institute revealed cyber attacks as the number one concern.

And How an Automated Solution Can Help You Overcome Them

In 2017, it’s time for many organizations to stop viewing risk management in silos and begin implementing a comprehensive enterprise risk management (ERM) program. Adoption is slow, however, due to some common challenges, especially when it comes to finding a consistent method of defining, assessing and reporting risk. A good automated ERM solution can help lessen the burden.

With 2017 in full swing, companies are finally beginning to abandon the historical practice of approaching risk management in silos.  Many are beginning the migration to a more integrated and consolidated enterprise-wide approach. The justification for this movement is clear: each area of risk management generates information that supplies insight to the other areas, and they have a collective impact on the technology, processes and people of an organization. Tackled individually, the requirements become unmanageable. But when carried out on a common platform, a company gains valuable perspective — the viewpoints of the board of directors and executive management become one and the same.

Despite the inefficiency of the siloed approach, many organizations have been slow to adopt a comprehensive enterprise risk management (ERM) program because of the challenges they face in doing so.  When enterprise risk management is carried out manually or even with software that isn’t efficient, the current workload consumes vast resources and time and energy.  Often, because of this, a transition to an automated system is resisted by management because it is viewed as being more difficult than simply keeping up with the current workload. Companies must change how they view the potential of their ERM and GRC systems.

Here are three of the most common challenges for chief risk officers and ERM teams, along with explanations for how an automated software solution can help your team overcome them:



Wednesday, 26 July 2017 14:16

The 3 Common Challenges of ERM

LITTLE ROCK, Ark. – The U.S. Small Business Administration is the largest source of federal recovery funds for disaster survivors and businesses, including those affected in the severe storms, tornadoes, straight-line winds and flooding between April 26 and May 19.

Low-interest disaster loans up to $200,000 are available to homeowners to repair or replace damaged or destroyed real estate. Homeowners and renters are eligible for up to $40,000 to repair or replace damaged or destroyed personal property.

Businesses of all sizes and private nonprofit organizations may borrow up to $2 million to repair or replace damaged or destroyed real estate, machinery and equipment, inventory and other business assets. SBA can also lend additional funds to businesses and homeowners to help with the cost of improvements to protect, prevent or minimize the same type of disaster damage from occurring in the future.

For small businesses, small agricultural cooperatives, small businesses engaged in aquaculture and most private nonprofit organizations of any size, SBA offers Economic Injury Disaster Loans to help meet working capital needs caused by the disaster. Economic injury assistance is available to businesses regardless of any property damage.

Interest rates on SBA loans can be as low as 3.215 percent for businesses, 2.5 percent for private nonprofit organizations and 1.938 percent for homeowners and renters, with terms up to 30 years. Loan amounts and terms are set by SBA and are based on each applicant’s financial condition.

To be considered for all forms of disaster assistance, survivors must first contact FEMA and register for disaster assistance. To register:

  • Call the FEMA Helpline at 800-621-3362. Multilingual operators are available. Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call 800-462-7585. If you use 711 or VRS (Video Relay Service) or require accommodations while visiting a center, call 800-621-3362. The toll-free numbers are open daily from 7 a.m. to 10 p.m.
  • Go online to DisasterAssistance.gov (also in Spanish);
  • Download the FEMA mobile app (available in Spanish) at Google Play or the Apple App Store.

There are three ways to apply to SBA after you register with FEMA:

  • Call SBA at 800-659-2955. Individuals who are deaf or hard of hearing may call 800-877-8339.
  • Apply online using the Electronic Loan Application via SBA’s secure website at: https://disasterloan.sba.gov/ela.
  • Apply by mail: Complete a paper application and mail it to SBA at 14925 Kingsport Road, Ft. Worth TX 76155-2243.

Until Friday at 6 p.m., FEMA and SBA are providing one-on-one assistance to disaster loan applicants at State/FEMA Disaster Recovery Centers established in Conway (McGee Center), Faulkner County; Pocahontas (site of OLD Randolph County Nursing Center), Randolph County; and Fayetteville (Executive Airport), Washington County.

The Internal Revenue Service announced on its website certain tax relief provisions resulting from the disaster declaration, including extensions of filing deadlines for estimated tax payments. Those in the disaster area are automatically granted tax relief, but individuals and businesses outside the designated disaster counties who were affected by the storm may call the IRS disaster hotline at 866-562-5227 to request relief, according to the agency’s website.

For updates on the Arkansas response and recovery, follow the Arkansas Department of Emergency Management (@AR_Emergencies) on Twitter and Facebook and adem.arkansas.gov. Additional information is available at fema.gov/disaster/4318.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Before taking on any new process automation or software, it’s important to consider the third party risk associated with the new approach.

Current market pressures and constrained resources, especially people resources, combined with the need for decreased processing and response times demand that organizations look to automation for improved efficiency. But, organizations need to take into consideration the business needs and risks associated with increased automation. The following four areas are a good place to start the analysis and assessment of process automation at your organization.



Wednesday, 26 July 2017 14:12

Balancing Automation with Third Party Risk

For the fourth time, Strategic BCP ResilienceONE® has been named a Leader in the 2017 Gartner Magic Quadrant for Business Continuity Management Program (BCMP) Solutions, Worldwide. This position on the report is based on our completeness of vision and ability to execute.

In their report, Gartner states: “The BCMP market is one in which most vendors offer solutions that meet the needs of their respective customers and target markets. However, how they meet customer needs is based on the solution’s application architecture, which translates to ease of configuration, navigation and reporting. The better BCMP solutions have prebuilt/configured BCM functionality out of the box, rather than building BCMP functionality with every customer implementation, which takes too much effort, time and money on the part of the customer and vendor.”1

CEO Frank Perlmutter said, “Being named a leader by Gartner is a distinguished honor, but we believe achieving recognition in every year of this Magic Quadrant is a tribute to our software innovators and staff. We share this success with our customers. It is their day-to-day insights that allow us to continually improve ResilienceONE and offer out-of-the-box functionality and value unmatched in the industry.”



Information Insight, Executive Alignment and Lower Costs

GDPR is rapidly approaching, and companies should begin to prepare for May 2018, when the regulations go into effect. Companies can actually benefit from early preparation to comply with GDPR—the benefits of which range from a competitive advantage through greater insight into data to greater alignment between business units and lower total costs. HPE’s Joe Garber explores three key benefits of preparing now for GDPR.

Early preparation for compliance with the European Union General Data Protection Regulation (GDPR) can deliver a wide range of benefits to organizations. These can range from securing a competitive advantage through greater insight into data to greater alignment between sometimes-competing business units to lower total costs.

At the core of GDPR – which becomes effective in May of 2018 – is the question of how organizations collect, manage and protect EU citizens’ and residents’ personal data. Organizations are paying closer attention to GDPR than previous regulations of its kind because of the significant risks of noncompliance. The most serious infractions, including not respecting the individual rights of data subjects, incur substantial fines (of the greater of 4 percent of global revenue or €20 million). On top of this, there are also risks of legal action and lost customer confidence.



Wednesday, 26 July 2017 14:09

3 Hidden Values of Preparing Early for GDPR

In the wake of recent Cloud Service Provider (CSP) outages, what is your organization responsible for when it comes to complex IT architecture?

Many organizations today rely on complex IT infrastructure to support their operations, leveraging solutions ranging from internal hosting to cloud hosting to dependence on third-party systems. IT service delivery is getting more intricate, in large part due to the need to leverage different IT tools and services from a variety of providers. Cloud-based solutions, such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS), promise simplicity for the end user.  However, IT service delivery and management usually becomes much more difficult due to the complexities around architecture and integrations. Therefore, IT disaster recovery planning becomes more difficult, as it must account for these complexities and coordinate with various third parties to ensure adequate coverage. Bottom-line – simply defining who is responsible for what when it comes to disaster recovery planning can be difficult.

Information Technology Disaster Recovery (ITDR) managers are tasked with orchestrating and managing ITDR across the entire landscape of hosted solutions. At first, this may not seem too daunting, as it’s easy to think of SaaS and other cloud-hosted systems as “someone else’s” responsibility. However, over the past year, we’ve seen the world’s best cloud service providers experience downtime. The Amazon S3 service disruption on February 28, 2017 made nationwide news, even though the total downtime was less than six hours. Last October, dozens of popular, frequently-used websites were unavailable after hackers unleashed a DDoS attack on the servers of a major DNS host. The most recent and widespread ransomware attack forced many companies to rely on (or establish on the fly) workaround procedures for critical systems. Hundreds of organizations were impacted in some way by these outages.



Before Investing, Understand Compliance Risk

The life sciences industries attract all types of buyers, including many from other sectors.  With billions in liability at stake each year, understanding and mitigating compliance risk is critical to achieving desired returns.

If you are head of business development for a large life sciences company or you make portfolio decisions for a health care investment firm, you can’t afford not to understand compliance. According to Public Citizen, federal and state fines and settlements cost drug makers $35.7 billion between 1991 and 2015 – nearly $13 billion of which was in just the last four years surveyed. In 2016, the DOJ announced that Olympus would pay $646 million for making illegal payments to doctors and hospitals in the U.S. and abroad, the largest amount ever paid by a medical device company. The enforcement landscape is evolving, and managing compliance risk is essential to making good deals. Here are some examples where buyers could have been smarter about health care compliance before compliance problems reduced the value of investments.



(TNS) - Financial losses from fires in Oahu high-rises were more than 12 times greater in buildings without sprinklers than in buildings with them, according to Honolulu Fire Department data covering a decade of blazes.

While the actual damage amounts were relatively small, the dramatic difference in losses between the two types of buildings is likely to fuel the debate on whether the city should require old residential high-rises to install automatic sprinkler systems.

Mayor Kirk Caldwell proposed such a law following the recent Marco Polo fire, which claimed three lives and damaged more than 200 units in the 46-year-old building.



The Business Continuity Institute

In 2014, the UK experienced what was described as extensive flooding, and while the BCI’s Central Office wasn’t directly impacted, or at least water didn’t enter the building, it did prove to be disruptive in terms of staff getting to work. Several employees were forced to work from home for a few days as the roads they would normally have taken to get to work were under water.

That winter a succession of storms hit the UK leading to record rainfall and flooding in many regions. The south-east was affected quite badly with many towns, particularly those along the River Thames, experiencing severe flooding. But it was the south-west that was worse hit as much of Somerset was underwater for over a month. December 2015 brought more bad weather to the UK when Storm Desmond hit the north-west causing widespread flooding and storm damage.

The Met Office in the UK claims that, by their very nature, extreme events like this are rare, but how rare are they exactly? The Met Office decided that a novel research method was needed to quantify the risk of extreme rainfall within the current climate, and came up with the UNprecedented Simulated Extremes using Ensembles (UNSEEN) method. This method was used as part of the recent UK Government National Flood Resilience Review (NFRR), when the Met Office was asked to estimate the potential likelihood and severity of record-breaking rainfall over the UK for the next 10 years.

The good news is that we are now better able to predict the weather. The bad news is that the forecast isn’t very good. The research carried out by the Met Office found that, for England and Wales, there is a 1 in 3 chance of a new monthly rainfall record in at least one region each winter.

In the south-east there is a 7% risk of a monthly record extreme in any given winter during the next few years. Across the whole of England and Wales that risk rises to a 34% chance of an extreme event happening in at least one of those regions each year. Furthermore, the research indicated that there was a 30% chance that these events could break existing records by up to 30%.

What does this mean for business continuity and resilience professionals? In the first instance it means that there’s a very good chance of an extreme weather event hitting somewhere in England and Wales, but where? The 2014 storms largely affected the south of the country while the 2015 storms affected the north. So while one part of the country was badly affected, many other places were not.

How do business continuity and resilience professionals determine what level of investment is required to protect against the impact of such events? How do you balance the level of investment required with probability of the event occurring? Presumably similar discussions take place on the other side of the Atlantic. We know with a great deal of certainty that a hurricane will, in all likelihood, hit the eastern seaboard of the US each year, but where? Should you invest heavily when there is a very good chance that the severe weather won’t actually affect your region?

Of course the other argument is that organizations shouldn’t be preparing for specific events anyway and it doesn’t really matter whether a storm hits. What matters is that the organization has a plan in place to deal with loss of building, loss of IT, loss of staff etc, regardless of what the cause is.

What is for sure is that business continuity professionals should be using data like this to help inform their own horizon scanning process and get a clearer understanding of what their overall risk exposure is, which can then be incorporated into the development of their business continuity programme.

How does your organization prepare for such events and what tools do you use to assess the threat?

Your thoughts, as always, are welcome.

David Thorp
Executive Director of the Business Continuity Institute

Tuesday, 25 July 2017 14:37

BCI: Preparing for a storm

Nearly every day you read about a new malicious attack on computer networks of vital businesses around the world, and the attacks do not seem to be slowing down. 

According to reports, malware volume skyrocketed in 2016, rising more than 800 percent when compared to 2015, and that number continues to rise.

The most recent attack, WannaCry, targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin currency. The attack reportedly locked hundreds of thousands of computers in more than 150 countries, and demanded a $300 payment to restore the encrypted files.



5 Key Changes on the Way

Although nearly a year away, the EU’s new General Data Protection Regulation (GDPR) is fast-approaching for multinational companies, and the clock is ticking to ensure compliance. The changes coming will have far-reaching implications for global businesses: any company operating in the EU must comply or face steep financial penalties.

It’s hard to believe that we’re now less than one year out from the implementation of a major change to data protection laws in Europe: the General Data Protection Regulation, or GDPR. It is the result of four years’ work by the European Union (EU) to standardize privacy laws and protect residents of the EU from the misuse of their personal data and data breaches in an increasingly digital world.

Most of the personal data protection laws in the EU haven’t been updated since the 1995 Data Protection Directive. In 1995, only one percent of the European population was using the internet. Now, not only is the majority of the global economy digital, but many companies are operating globally and processing personal data across borders. The EU Parliament established the GDPR framework as a way to update and harmonize the laws specific to the usage of millions of individuals’ data.



Monday, 24 July 2017 15:15

What You Need to Know about GDPR

For retailers, the specter of big data is one that is constantly looming. Companies are working hard delving into the omni-channel arms race as they try to fend off behemoths like Amazon. Some companies are going so far as to deploy massive amounts of resources into developing their own big data solutions in an attempt to go toe-to-toe with the retail giant.

The natural question that retailers face is what exactly they need to build in-house vs. what they can, and probably should, outsource to vendors.

With the proliferation of the software-as-a-service (SaaS) model, it’s becoming increasingly simpler and faster to deploy new solutions in an enterprise setting. This naturally results in ever-increasing innovation in the industry, as old solutions are easily replaced with the more novel and more effective ones in mere weeks.



The Business Continuity Institute

Global economic losses resulting from natural disasters during the first half of 2017 were estimated at US$53 billion – 56% lower than the 10-year average of US$122 billion, and 39% lower than the 17-year average of US$87 billion. This is according to Aon Benfield's Global Catastrophe Recap: First Half of 2017 Report. Meanwhile, insured losses were preliminarily estimated at US$22 billion – 35% lower than the 10-year average of US$34 billion, and 12% lower than the 17-year average of US$25 billion.

According to the report, the severe convective storm peril was the costliest disaster type on an economic basis (nearly US$26 billion) during the first half of 2017, comprising 48% of the loss total. The majority of these losses (US$23 billion) were attributable to events in the United States. These types of events also caused the majority of insurance losses (US$17+ billion), comprising 78% of the loss total, and with nearly US$16 billion attributable to widespread hail, damaging straight-line winds, and tornadoes in the US.

Natural disasters claimed at least 2,782 lives during the first half of 2017, the lowest figure since 1986 and significantly below the long-term (1980-2016) average of 40,867. Flooding was the deadliest peril during the period, being responsible for at least 1,806 deaths.

Steve Bowen, Impact Forecasting director and meteorologist, said: "The financial toll from natural catastrophe events during the first six months of 2017 may not have been historic, but it was enough to lead to challenges for governments and the insurance industry around the world. This was especially true in the United States after the insurance industry faced its second-costliest first half on record following a relentless six months of hail-driven severe weather damage. In fact, nearly eight out of ten monetary insurance payouts for global disasters were related to the severe convective storm peril. Other events – such as Cyclone Debbie in Australia, flooding in China and Peru, wildfires in South Africa, and a series of windstorms in Europe – led to notable economic damage costs. As we enter the second half of the year, much of the focus will be on whether an El Niño officially develops. Such an event could have a prominent influence on weather patterns and associated disaster risks."

The report highlights that the US recorded 76% of the global losses sustained by public and private insurance entities during the first half of 2017, while EMEA (Europe, Middle East and Africa) and Asia-Pacific (APAC) each accounted for 10%.

Around 42% of the global economic losses during this time period were covered by insurance, above both the near- and medium-term average of 32%, largely because the majority of losses occurred in the US. However, insurance take-up rates continued to grow in other areas, notably Asia-Pacific (APAC) and the Americas.

Adverse weather has consistently been a top ten threat for business continuity and resilience professionals, according to the Business Continuity Institute’s annual Horizon Scan Report. In the latest edition, more than half of respondents to a global survey expressed concern about the prospect of this type of disruptive event materialising. When you analyse the results further to only include respondents from countries where these types of events are relatively frequent, countries such as the United States, the level of concern increases considerably.

The Business Continuity Institute

IT professionals believe that compliance and regulation and the unpredictable behaviour of employees will have the biggest impact on data security, according to a survey commissioned by HANDD Business Solutions.

The UK study found that 21% of respondents say regulations, legislation and compliance will be one of the two greatest business challenges to impact data security. The General Data Protection Regulation (GDPR) is causing real concern among professionals in their bid to be compliant by the deadline in less than 12 months. GDPR will not only raise the privacy bar for companies across the EU, but will also impose extra data protection burdens on them.

HANDD CEO and Co-Founder, Ian Davin, commented: “Companies must change their mindset and look at data, not as a fungible commodity, but as a valuable asset. Data is more valuable than a pot of gold, which puts companies in a challenging position as the stewards of that data. C-suite executives must understand the data protection challenges they face and implement a considered plan and methodical approach to protecting sensitive data.”

Worryingly, 41% of those surveyed assign the same level of security resources and spend for all company data, regardless of its importance. Analysing and documenting the characteristics of each data item is a vital part of its journey through an organization. A robust data classification system will see all data tagged with markers defining useful attributes, such as sensitivity level or a retention requirement, ensuring that an organization understands completely which data requires greater levels of protection.

While 43% of those surveyed think that employees are an organization’s greatest asset, more than a fifth (21%) believe that the behaviour of employees and their reactions to social engineering attacks, which can trick them into sharing user credentials and sensitive data, also poses a big challenge to data security.

Danny Maher, CTO at HANDD, commented: “Employees are probably your biggest asset, yet they are also your weakest link, and so raising user awareness and improving security consciousness are hugely important for companies that want to drive a culture of security throughout their organization.”

Storage is also a key problem area, with more than a third (35%) citing ensuring that data is stored securely, whether on premise or in the cloud, as their biggest challenge and the one most likely to keep them awake at night. A data record’s classification will enable a company to make these decisions, automatically and definitively dictating its location and whether an encryption policy should apply.

Having stored data to comply with its security policy, an organization must ensure that an access management system is in place, which understands roles and responsibilities and allows users to see only the information that they need. In HANDD’s survey, less than half (45%) of IT professionals are confident that they have an identity access management process in place which dictates that users must have different privileges depending on their roles and responsibilities, while 15% have no access management system in place at all.

Data breaches, and the disruptive impact they can have on an organization, are the second greatest concern for business continuity and resilience professionals, according to the Business Continuity Institute's latest Horizon Scan Report. 81% of respondents to a global survey expressed concern about the prospect of a breach occurring, making it essential that organizations have mechanisms in place to reduce the chances of a breach occurring, and also have plans in place to respond to such an incident and help lessen its impact.

As large organizations continue to downsize and startups and SMBs look to make every IT dollar stretch, desktop as a service (DaaS) is set to take off. With some researchers forecasting 28.7 percent CAGR for DaaS, managed service providers (MSPs) should take a look at channel programs in this area of the market as it makes inroads into legacy enterprises. Many startups are already familiar with the Google suite of desktop applications, but other alternatives exist in the market, some of them more competitively priced and with better performance characteristics that would have more appeal to the traditional desktop market.

What do MSPs need to know about reselling these cloud apps to their customers? And what objections must they overcome when seeking to displace the gold standard Microsoft Office on-premises enterprise suite? Let’s look at how some other cloud office groupware stack up.



(TNS) - Lake County, Ill., officials are warning residents who've been fighting floodwaters for more than a week now that the fight isn't over yet.

"If you've sandbagged, don't take those out yet," said Mike Warner, executive director of the Lake County Stormwater Management Commission. "Let's get past the next rainfall and think about taking them out next week."

The National Weather Service told county officials they could get a range of 1 to 3 inches of rain through this weekend, with some areas hit with strong rains Wednesday night and into Thursday morning. The Des Plaines River could handle 1 inch without a problem, but 3 inches could spell more woes for nearby buildings and streets.



Our earlier post Working with nature to build resilience to hurricanes discussed how insurers look to natural infrastructure like coastal wetlands and mangrove swamps to mitigate storm losses.

The Mesoamerican Reef, which runs south for some 700 miles from the tip of the Yucatán Peninsula, protects coastal communities and property by reducing the force of storms, but its corals require continued repairs.

For every meter of height the reef loses, the potential economic damage from a major hurricane triples, according to The Nature Conservancy (TNC).



In business continuity management, should you start with what you want or with what you have? While business continuity is frequently a goal-driven activity, there is a contrarian point of view that says, “improve on what you have, rather than aiming for something you don’t have”.

Is either point of view superior to the other? If so, which one should you choose?

There are “for and against” arguments to be made in both cases. In the objectives-driven case, you know where you want your organisation to be, and therefore anything that diverges from that happy state is an issue to be resolved. This assumes that you also have realistic, relevant goals, and ways of measuring how well you achieve them.



We’ve mentioned multiple times that implementing a BCM program can be challenging and at times painful. No one likes to point out their business’s vulnerabilities. Many times the investment of time and dollars to do just that can feel like a burden. We’ve seen our clients struggle with this during the implementation and maintenance of their programs. Many times the ongoing investment can be even more difficult. It helps to identify and assess both the tangible and intangible benefits of your initial and continuing investment in the BCM program. Identifying the benefits of a business continuity program helps you define benchmarks and see the light at the end of the proverbial BCM tunnel. We’ll take a look at the more commonly known benefits of a business continuity program. Then, we’ll walk you through some benefits you might not have thought of.



The Business Continuity Institute

An earthquake reaching a magnitude of 6.7 on the Richter Scale has hit the Aegean Sea between the Greek island of Kos and the Turkish resort of Bodrum. The earthquake, with its epicentre at a depth of about 10 km according to the US Geological Survey, struck at 01:31 local time on Friday, and has reportedly killed two people and left hundreds of others injured.

Turkey’s Disaster and Emergency Management Presidency has reported at least 20 aftershocks since the initial earthquake, and at least five of those registered over 4.0, with the largest reaching 4.6.

According to the US Geological Survey, an earthquake of this magnitude (6.0-6.9 on the Richter Scale, classed as strong) can cause damage to a moderate number of well-built structures in populated areas, but earthquake-resistant structures should survive with slight to moderate damage. Poorly designed structures could receive moderate to severe damage. There will be strong to violent shaking in the epicentral area, and it can be felt in wider areas up to hundreds of kilometers from the epicentre.

The region is no stranger to these types of events with an earthquake registering 7.6 occurring near Izmit in the north-west of Turkey in August 1999 killing about 17,000 people, while in September of the same year an earthquake registering 6.0 struck near Athens killing 143 people. In October 2011, an earthquake registering 7.1 occurred in eastern Turkey, near the city of Van, which left about 600 people dead.

Wow - terrifying to wake up to massively shaking room at 6.7 #earthquake on #Kos - thank god no one hurt, just shaken

— Tom Riesack (@QuietConsultant) July 20, 2017

While ensuring that employee and stakeholder safety is paramount, organizations need to ensure they are prepared for such events, certainly those in regions where earthquakes are a distinct possibility. Earthquakes may not feature highly in the Business Continuity Institute's latest Horizon Scan Report, partly because they are very region specific, but there were still a quarter of business continuity and resilience professionals who expressed a concern about the possibility of their organization being disrupted by one.

Organizations must consider what would happen if they are affected by an earthquake, or any other type of disruption, what impact could that disruption have, could anything be done to prevent or reduce the risk, and how would they respond and recover. Furthermore they need to consider how they would communicate with their employees and stakeholders to ensure they are kept informed, and kept safe.

The Business Continuity Institute


Canadian businesses are lagging in their risk management approach and are more vulnerable to disruption when compared to their global counterparts, according to a report published by PwC Canada.

Managing risk from the front line revealed that 66% of Canadian respondents (vs 75% globally) had mandatory ethics and compliance training for all employees. When new risks emerge, less than 33% of Canadian businesses (vs 50% globally) reported periodic staff education about new or existing potential risks.

The report also found that future areas of risk and disruption for Canadian businesses will be in technology advancements (70% disruption predicted to 55% disruption globally), human capital (49% compared to 40%) and operations (37% to 26%). 

While Canadian businesses acknowledged that a big part of addressing their vulnerability to risk can be accomplished by moving risk management to the 'front line', many business operations are keeping risk management at the 'second line' (risk management/compliance) or 'third line' of service (internal audit). Respondents indicated that a lack of sufficient resources (skilled people) is the primary factor preventing a shift in risk management to the first line.

The report reiterates that risk management from the second and third line does not give upper management a clear understanding of their own vulnerabilities. This type of risk management structure has resulted in an inability to manage risks effectively and adapt over time. 

"While Canadian businesses have made some progress when it comes to risk vulnerability, there is still a lot of work that needs to be done in order to catch up with their global competitors," said Kishan Dial, Partner, Risk Assurance, PwC Canada. "By moving risk management to the front line, the organization's leadership will obtain a greater understanding of the risks to their operations and enhance their capacity to manage risks in an agile and proactive way." 

The report makes three key recommendations for addressing business vulnerability:

  1. Shift duties and assign responsibilities: Each line of service should have a defined role regarding risk decisions, monitoring, oversight and assessment of vulnerabilities.
  2. Define risk appetite: Organizations must define risk appetite and leverage the technical tools available to them, including aggregation tracking and reporting.
  3. Establish a risk reporting system: Reporting structures should enable the first line of service, but also require the second and third line to monitor the first line's effectiveness.

"In order to address current and future challenges, Canadian firms must commit to strong risk management structures and processes in order to excel in an ever-evolving economy of the future," adds Dial.

The Business Continuity Institute


UK business leaders identify far fewer risks affecting their businesses when compared to Germany and France, according to research from Gowling WLG, suggesting an overly optimistic picture among UK business leaders. UK respondents consistently identified between 2% and 25% fewer risks than non-UK respondents for each risk area analysed.

The Digital Risk Calculator revealed that external cyber risks (69%) are thought to be the most concerning category of digital threat for businesses across all countries surveyed. This risk is anticipated to grow even further, with 51% of respondents believing that it will increase within the next three years. 

Commenting on the research, Helen Davenport, director at Gowling WLG, said: "The recent wide-ranging external cyber attacks such as the WannaCry and Petya hacks reinforce the real and immediate threat of cyber crime to all organisations and businesses.

"However, there tends to be an 'it won't happen to me' attitude among business leaders, who on one hand anticipate external cyber attacks will increase over the next three years, but on the other fail to identify such areas of risk as a concern for them. This is likely preventing them from preparing suitably for digital threats that they may face."

Other digital risks of concern to participants include customer security (57%), identity theft / cloning (47%) and rogue employees (42%). More than a third of respondents (40%) also believe that the lack of sufficient technical and business knowledge amongst employees is a risk to their business.

Additionally, one third (32%) of UK businesses feel that digital risks related to regulatory issues have increased during the past three years. However, less than a third (29%) believe that regulatory issues are a risk to their business.



With cloud providers IBM, Microsoft, and Google releasing their quarterly financials within the week, and Amazon soon to follow, the folks at Synergy Research Group have polished their crystal ball in order to determine where it’s all going. They predict good fortune for those in the cloud business, as well as for developers of software that runs in the cloud. The news isn’t quite so stellar for those selling hardware and software to private enterprise data centers, however.

In a report released Monday, Synergy said it expects worldwide revenues from cloud and SaaS services to grow at an average annual rate of 23-29 percent over the next five years and pass the $200 billion mark in 2020. This will come alongside an 11 percent annual growth in sales of infrastructure to hyperscale cloud providers.

Public clouds will see the strongest growth, with an average gain of 29 percent annually, followed by managed or hosted private cloud services at 26 percent and enterprise SaaS at 23 percent. APAC will be the highest growth region, followed by EMEA and North America. The highest growth areas will be databases and IoT-oriented IaaS/PaaS service.



Wednesday, 19 July 2017 16:47

Cloud Market Forecast to Hit $200B by 2020

(TNS) - Cherokee County, Okla., will soon boast a new program to keep residents informed when disaster strikes, after the Board of Commissioners approved a new mass communication system for Emergency Management.

CivicReady, a product of CivicPlus, will alert citizens with time-sensitive information, ensuring effective communications that could keep them safe. Tahlequah and Cherokee County EM Director Mike Underwood said he wishes the new system was in place last week.

"Last week, when we had the bomb threat here, that would have been a pretty good tool to not only take care of our citizens and let them know what was going on, but we could also have grouped in all of our employees," said Underwood. "With one phone call, it would have taken care of pretty much everybody, instead of having to hunt and make sure you've got everybody."

In the past, Underwood has used Blackboard to spread the word about immediate emergencies. However, he said CivicReady will likely end up being cheaper at $7,000 annually, and will include extra features.



LITTLE ROCK, Ark. – Arkansas disaster survivors whose homes were damaged in the severe storms, tornadoes, straight-line winds and flooding between April 26 and May 19 do not have to wait for an insurance settlement to apply for federal assistance.

Survivors with insurance may register with FEMA for grants for temporary rental assistance, essential home repairs and other disaster-related needs not covered by insurance.

Registration is encouraged even if survivors have insurance coverage. Policies vary in coverage and may not pay for temporary housing or have other insurance gaps.

Once registered, applicants with insurance policies covering storm-related loss and damage are mailed a "Request for Information" as part of FEMA’s verification process to avoid duplicating insurance payments. By law, federal assistance cannot duplicate assistance provided by other sources.

Waiting on the insurance settlement may make a disaster survivor miss the FEMA deadline to apply and lose the opportunity to apply for federal disaster assistance.

Federal assistance is available to eligible individuals and households in 16 Arkansas counties: Benton, Boone, Carroll, Clay, Faulkner, Fulton, Jackson, Lawrence, Prairie, Pulaski, Randolph, Saline, Washington, White, Woodruff and Yell. Damage or loss from the severe storms, tornadoes, straight-line winds and flooding must have occurred between April 26 and May 19.

To register for FEMA disaster assistance:

  • Call the FEMA Helpline at 800-621-3362. Multilingual operators are available. Persons who are deaf, hard of hearing or have a speech disability and use a TTY may call
    800-462-7585. If you use 711 or VRS (Video Relay Service) or require accommodations while visiting a Disaster Recovery Center, call 800-621-3362. The toll-free numbers are open daily from 7 a.m. to 10 p.m.
  • Go online to DisasterAssistance.gov (also in Spanish);
  • Download the FEMA mobile app (also available in Spanish) at Google Play or the Apple App Store.

If you are a homeowner or renter, FEMA may refer you to SBA. SBA disaster loans are the primary source of money to pay for repair or replacement costs not fully covered by insurance or other compensation. Homeowners may borrow up to $200,000 to repair or replace their primary residence. Homeowners and renters may borrow up to $40,000 to replace personal property.

There are three ways to apply to SBA after you register with FEMA:

  • Call SBA at 800-659-2955. Individuals who are deaf or hard of hearing may call
  • Apply online using the Electronic Loan Application via SBA’s secure website at: https://disasterloan.sba.gov/ela.
  • Apply by mail: Complete a paper application and mail it to SBA at
    14925 Kingsport Road, Ft. Worth TX 76155-2243.

Visit a Disaster Recovery Center for personal help. Locations are found at the FEMA DRC Locator or at SBA disaster loan.

For updates on the Arkansas response and recovery, follow the Arkansas Department of Emergency Management (@AR_Emergencies) on Twitter and Facebook and adem.arkansas.gov. Additional information is available at fema.gov/disaster/4318.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

(TNS) - Oakland, Calif., officials in this fire-ravaged city reacted with alarm Monday over a report by this news organization that almost 80 percent of firefighter referrals to inspect dangerous conditions went ignored over the last six years.

“It is horrifying,” Councilwoman Rebecca Kaplan said of the investigation’s findings. “In fact, one of the issues (the story) identified is how it gets decided who gets inspected.”

In early 2017, a few months after the Ghost Ship warehouse fire killed 36 people, Kaplan proposed reprioritizing which businesses get inspected. Kaplan said she had heard from residents who said their businesses received multiple inspections, while others were never inspected.



FedEx Corp has disclosed in a securities filing that its international delivery business, TNT Express BV, was significantly affected by the June 27 Petya cyberattack.

Apparently, the courier company did not have cyber insurance or any other insurance that would cover losses from Petya, according to this report by The Wall Street Journal, via the I.I.I. Daily.

A new emerging risk report from Lloyd’s and risk modeling firm Cyence notes that cyberattacks have the potential to trigger billions of dollars of insured losses, yet there is a massive underinsurance gap.



Wednesday, 19 July 2017 16:35

Cyber protection gap akin to nat cat

The Business Continuity Institute

There’s no point in saying “it will never happen to me” as disruptions are always just around the corner, regardless of what sector or location you are in. This reality was brought home to us overnight as thunderstorms with strong winds and heavy rain swept across the south of England. The problem was exacerbated by dry weather in recent months leaving the ground hard, so rain water could not easily soak away, resulting in flash floods.

The aftermath was plain to see this morning – standing water, trees down and debris brought by the flooding scattered everywhere. Last night there were reports of the urgent need for sandbags as water levels rose, and several local restaurants had to be evacuated as the water eventually did enter the building.

Of course there’s no reason to worry and BCI Central Office is not in any danger of flooding. But it is a reminder that we, the BCI, along with every other organization, need to have a business continuity plan to deal with such events. What would have happened if flood water had entered the building, what would have happened if staff could not get to work because of travel disruptions, what would have happened if power had been cut off due to the storms? All these things need to be considered in advance if we are to remain a functional organization despite whatever disruption comes our way.

Thankfully we do have a business continuity programme in place, so should the worst happen then we will be prepared for it. For well over a year we have had a team made up of CBCIs and DBCIs working in Central Office, led by one of our Fellows and championed by a member of the Board.

The team have been working hard to ensure that threats and consequences are analysed, priority activities are declared, and processes are in place to make sure those priority activities can continue in the event of a disruption. To date it has worked, but we would never rest on our laurels and become complacent, rather we ensure it is an evolving process that continues to develop based on changes at Central Office, the result of actual disruptions, or the outcome of exercises.

This programme will be developed further as we are now recruiting for a dedicated business continuity professional to take it forward.

Business continuity is clearly important to our members, so it is vital that we practice what we preach and have a business continuity programme to be proud of, and we like to think we have achieved this.

David Thorp
Executive Director of the Business Continuity Institute



Earlier this year, the world recognized World Backup Day (WBD) as a reminder to everyone that data is important and has to be protected. As part of the WBD recognition, Barracuda ran a series of blog posts on the reasons why companies lose data even when they do almost everything right.

As a follow up to our WBD activities, Barracuda conducted a survey of general technologists whose responsibilities include data protection and recovery. To be blunt, some of these results are alarming. In this article, we are going to run through the results, explain what they mean, and take a look at how to resolve these issues of concern.


As you know, ransomware is a global epidemic and is expected to cost over $5 billion in damages in 2017. Ransomware is a dangerous attack because it doesn’t just make a system unavailable; it renders the data unusable. This has already caused a great deal of trouble for healthcare institutions, government entities, law enforcement agencies, and of course, businesses all over the world. If you’ve fallen victim to a ransomware attack, there are only two ways to get your data back without paying the ransom: get a free decryptor from a service like this one, or fall back on your data protection strategy and recover your data.

Some victims have no choice other than to pay the ransom or lose their data. This is an unfortunate situation, because even if the ransom is a small amount, there are a number of problems with this course of action:

  • Criminals know you are willing to pay a ransom and are more likely to target you again
  • There is no way to know that the criminals will or can decrypt your data
  • Decryption might not work properly and you may lose data anyway
  • Law enforcement agencies and other authorities discourage rewarding the criminal by paying the ransom

You can leave your data decryption and recovery up to chance, or deploy a comprehensive strategy before the attack.

Data Protection and Recovery

There are a number of definitions for “data protection,” but the common theme is that it requires more than running a backup. Proper data protection is included in the security planning: it includes business continuity and disaster recovery planning, as well as the many security practices involved in preventing unauthorized access. The Barracuda survey focused on data recovery, which is ultimately what system administrators are trying to provide for their companies. Comprehensive data recovery involves data availability and data accessibility at all times.

Availability vs Accessibility

Let’s start with a quick overview of what these are. When we talk about the availability of a data backup, we’re talking about the data that is stored as a backup. In the case of a tape-based or a disk-based system, the data that is backed-up is available on the tape or on the disk.

Data accessibility refers to how easily the data can be reached for recovery. In the examples above, the data is not accessible unless the tape or disk is loaded into a compatible system. Accessibility for that system may be close to 100% for an administrator in a server room, but may drop to zero while the administrator is off-site or away from a designated computer. Meanwhile, the availability of the data remains the same.

When questioned on the importance of availability and accessibility, 70.3% of respondents say that these two are equally important. This indicates that our respondents understand the value of the data as well as the value of recovering the data quickly, possibly from a remote location or even a mobile device.

Protecting Multiple Locations

Perhaps one of the reasons that so many respondents value accessibility as highly as availability is that 53.4% are responsible for data recovery in more than one location. That means that the majority of the respondents are working remotely at least some of the time. Their data recovery systems have to be accessible from more than one location and probably by more than one method.

50.6% of respondents say that their backups are cloud-based, and 76% of respondents replicate their data backups in the cloud. These numbers suggest that the 77.4% who say they have a disaster recovery plan are using the cloud for redundancy and accessibility. Cloud based data recovery is generally performed through a web browser with no need for special hardware.

The Bad News

There are two data points that cause some concern among the Barracuda data protection professionals. The first is that 81.2% of respondents do not test their data protection strategies more than once per year, and about half of that number do not test them at all. This could be a major pain point for these respondents. As we mentioned earlier, data recovery may be the only way to avoid paying a ransom that may or may not result in the decryption of data.

Another point to consider is that it’s good business to test the company resources. If the company has invested in the technology and planning to protect the data, then these things should be tested on a regular basis. User files change in value, applications are added or replaced, data is moved … these are all reasons to be testing backups more than once per year. Perhaps an application upgrade uses a new database instead of the old flat files. Perhaps a new application was never added to the data protection plan.
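The two failure modes just described, a backup that is never restore-tested and data that was never added to the protection plan, can be caught by a scheduled drill rather than discovered during an incident. The following is an added example, not Barracuda's code or any product of theirs: it writes constructed sample files into a temporary directory, takes a hash-manifested archive of the files the "plan" covers, restores the archive to scratch space and verifies every file against the manifest, then lists live files the plan never included (the "new application" case). A second run with `truncate_archive=True` simulates unreadable backup media, which the drill reports as a failed restore rather than a pass.

```python
"""Backup restore drill. Added example, not Barracuda's own code or tooling.

Models the article's two warning signs: backups that are never restore-tested
and data (a new application, a migrated database) that was never added to the
protection plan. Everything runs offline in a temporary directory on
constructed sample files.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path, include: list) -> dict:
    """Archive the listed relative paths; return manifest {relpath: sha256}.
    The manifest is recorded at backup time so a later restore can be checked
    against what was actually protected, not against the live (possibly
    already-encrypted) source."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in include:
            tar.add(source / rel, arcname=rel)
            manifest[rel] = sha256_file(source / rel)
    return manifest


def restore_test(archive: Path, manifest: dict, scratch: Path) -> dict:
    """Restore into a scratch directory and verify every manifest entry.
    Any failure to read the archive counts as a failed test."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe-extraction filter, Python 3.12+
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return {"ok": False, "error": f"restore failed: {exc}"}
    verified, mismatched, missing = [], [], []
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            mismatched.append(rel)
        else:
            verified.append(rel)
    return {"ok": not mismatched and not missing,
            "verified": verified, "mismatched": mismatched, "missing": missing}


def coverage_gaps(source: Path, manifest: dict) -> list:
    """Files in the live tree that the backup plan never included."""
    live = {p.relative_to(source).as_posix() for p in source.rglob("*") if p.is_file()}
    return sorted(live - set(manifest))


def run_drill(truncate_archive: bool = False) -> dict:
    """Full drill on constructed data; truncate_archive simulates unreadable media."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "app").mkdir(parents=True)
        (source / "newapp").mkdir()
        # Constructed sample data: the original app, plus a newer app that
        # nobody added to the backup job (hypothetical names).
        (source / "app" / "customers.db").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (source / "app" / "config.ini").write_text("[storage]\nmode=flatfile\n")
        (source / "newapp" / "orders.sqlite").write_bytes(b"SQLite format 3\x00")

        archive = root / "backup.tgz"
        manifest = create_backup(source, archive, ["app/customers.db", "app/config.ini"])
        if truncate_archive:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])

        restore = restore_test(archive, manifest, root / "restore")
        return {"restore": restore, "gaps": coverage_gaps(source, manifest)}


if __name__ == "__main__":
    result = run_drill()
    print("restore ok:", result["restore"]["ok"])
    print("not covered by the backup plan:", result["gaps"])
    print("truncated-media drill:", run_drill(truncate_archive=True)["restore"])
```

In a real deployment the manifest would be stored alongside the archive (and ideally signed or kept on write-once storage), the source tree walk would be replaced by the organisation's asset inventory, and the drill would run on the schedule the article argues for rather than once a year.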

The second point here deals specifically with Office 365. Nearly 66% of Office 365 administrators are relying on the Recycle Bin for backup. Only about 1/3 of our respondents are using a data protection solution to protect their Office 365 deployments.

The Microsoft Recycle Bin is a nice feature, but its job is to help the organization safeguard against accidental data loss. It’s not meant to be a data recovery solution. It doesn’t offer the features necessary to protect Exchange, SharePoint, OneDrive, and the other services. Default retention times are not standard across services, so administrators may not even have the minimal protection that they expected. Data is non-recoverable once it is deleted or ages out of the Recycle Bin. Companies that have to work within compliance frameworks and liability requirements may find that the native Microsoft tools do not meet the regulatory standards.

What Next?

If you find yourself in one of the scenarios that we identified as “bad news,” don’t worry too much. These are things that can be fixed quickly, and then improved upon as you go along. You can start right now by evaluating your current data protection and recovery plan. Do you have one? Who is responsible for the deployment and management of the plan? Is the plan being tested? Are there any gaps between your recovery objectives and the capabilities of your data recovery solutions?

One of the most important questions for you to consider is whether your data protection and recovery plans are part of your security strategy. If you work in an environment where data protection is separate from security, it’s time to bring those two functions together. In the age of ransomware, they cannot be separated.

Rod Mathews is SVP & GM, Data Protection Business at Barracuda Networks.  Connect with him on LinkedIn here

Wednesday, 19 July 2017 16:09

Data Recovery in the Age of Ransomware

The Business Continuity Institute

One in eight global business decision makers believe that poor information security is the ‘single greatest risk’ to the business, according to a study by NTT Security, which also found that 57% believe a data breach to be inevitable at some point.

The 2017 Risk:Value Report highlighted that the impact of a breach will be two-fold, with respondents expecting a breach to affect their long-term ability to do business, together with short-term financial losses. More than half (55%) cite loss of customer confidence, damage to reputation (51%) and financial loss (43%), while 13% admit staff losses and 9% say senior executive resignations would impact them.

56% of business decision makers say their organization has a formal information security policy in place, up from 52% in 2015. Just over a quarter (27%) are in the process of implementing one, while 1% have no policy or plans to do so. However, while the vast majority (79%) say their security policy has been actively communicated internally, a minority (39%) says employees are fully aware of it. Germany and Austria (85%) are above average in communicating the policy, together with the US (84%) and the UK (83%).

Less than half (48%) of organizations have an incident response plan, although 31% are implementing one. But just 47% of decision maker respondents are fully aware of what the incident response plan includes.

The study also found that many global business decision makers are still unaware of the implications of the forthcoming General Data Protection Regulation (GDPR), as well as other compliance regulations, with one in five admitting they do not know which regulations their organization is subject to. Just four in ten (40%) respondents globally believe their organization will be subject to the EU GDPR.

Coming into force in May 2018, the legislation leaves companies with less than a year to comply with strict new regulations around data privacy and security and could result in penalties of up to €20 million or 4% of global annual turnover, whichever is higher.

With data management and storage a key component of the GDPR, the report also reveals that a third of respondents do not know where their organization’s data is stored, while just 47% say all of their critical data is securely stored. Of those who know where their data is, fewer than half (45%) describe themselves as ‘definitely aware’ of how new regulations will affect their organization’s data storage.

Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.

“In an uncertain world, there is one thing organizations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars," according to Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately many organizations see compliance as a costly exercise that delivers little or no value, however, without it, they could find themselves losing business as a result, or paying large regulatory fines."

The Business Continuity Institute

Employees at 40% of businesses across the globe hide IT security incidents in order to avoid punishment, according to a study conducted by Kaspersky Lab, and the dishonesty is most challenging for larger-sized businesses. 45% of enterprises (over 1,000 employees) experience employees hiding cyber security incidents, compared with 42% of SMBs (50 to 999 employees) and only 29% of VSBs (under 49 employees).

The report - Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within - revealed that not only are employees hiding incidents, but also that the uninformed or careless employees are one of the most likely causes of a cyber security incident - second only to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the evergreen human factor can pose an even greater danger. 46% of IT security incidents are caused by employees each year - that’s nearly half of the business security issues faced triggered by employee behaviour.

Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option - to avoid punishment whatever it takes. If your cyber security culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”

Borilin also recalls an industrial security model, where a reporting and ‘learn by mistake’ approach are at the heart of the business. For instance, in his recent statement, Tesla’s Elon Musk requested every incident affecting worker safety to be reported directly to him, so that he can play a central role in change.

The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cyber security fears all related to human factors and employee behaviour. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).

While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point - human nature. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source. Sophisticated targeted attacks do not happen to organizations every day - but conventional malware does strike at mass. Unfortunately though, the research also shows that even where malware is concerned, unaware and careless employees are also often involved, causing malware infections in more than half (53%) of incidents that occurred globally.

The human element of cyber security was the key focus of Business Continuity Awareness Week 2017, organized by the Business Continuity Institute, with the report published by the BCI identifying the simple steps that everyone can take in order to play a part in improving cyber security.

“Cyber criminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support - we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network - all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could wreak havoc.”

The case of Code Spaces still echoes in cyberspace. Code Spaces offered cloud facilities to developers and had a successful business model, until it became the target of a cyberattack.

The attack started as a DDoS (distributed denial of service) attack. Strangely enough, it was the attacker who alerted Code Spaces to the possibility of stopping the attack, through messages left on the Code Spaces internal console, which showed that the attacker had already penetrated Code Spaces' systems.

When Code Spaces attempted to oust the attacker, the attacker retaliated by deleting large portions of Code Spaces data, causing irreparable and fatal damage to the company, whose backup strategy failed to save it. So, what went wrong?



4 Techniques for Auditors

Data analytics has been discussed by the audit community for decades. Auditors and other assurance professionals of a certain age might well remember “computer-assisted auditing techniques,” better known as CAATs. Data analytics and CAATs were supposed to revolutionize audit and usher in an era of greater efficiency and audit coverage. Yet, despite the hype, this revolution never seemed to materialize.

Now the hype has shifted to advanced analytics techniques, such as predictive analytics, and related areas such as machine learning and robotics. While these tools and techniques will surely become very important, today’s typical audit department needs to first focus on getting the basics right.

This is the year data analytics in audit is truly taking off. CEB, now Gartner, recently conducted a survey comprising more than 270 global audit departments. We surveyed analytics use in 34 risk areas, ranging from fraud to M&A, and found that while the average organization has been using analytics for a year or longer in just six of them, they plan to apply analytics in the remaining 28 over the next year. Furthermore, 2017 marks the first time a typical audit department will use analytics in most phases of the engagement process, as well as in audit planning and the annual risk assessment.



Tuesday, 18 July 2017 15:51

Data Analytics Becomes Reality

The watchword for business continuity (BC) now and in the coming years will be complexity.

Evolutions in technology, organizational structure, banking, leadership, the global economy, and practically every existing discipline have begun to outstrip traditional methods that hoped to address and contain such complexity. As our everyday work moves from simple and complicated contexts (as envisioned by Ralph D. Stacey and explicated by Snowden and Boone) into complex contexts, we must create new approaches to function within the complexity. The Agile framework for project management is one such example of a new approach that embraces and thrives within complex contexts.

BC has begun to struggle with the reality of increasing complexities. Detailed recovery scripts, time-consuming BIA data collection, binders of documentation, and a linear lifecycle relatively unchanged since Y2K seem inefficient and outdated in this “Agile Age” of rapid acquisitions, social media, blockchain, holacracies, and the internet of things. The stark unpredictability of disasters combined with the nearly unimaginable constitution of the near future should give pause to anyone who believes BC can be done properly by just anyone armed with an internet template.

There is a way for BC to evolve to meet these challenges. First, it must establish a robust, theoretical foundation for the discipline, moving beyond an ad hoc collection of “professional practices.” Second, it must identify and implement alternative approaches that are nonlinear, iterative, and adaptive. Third, practitioners must find new and better ways to share proven practices with each other, and to offer real critique of both new and old practices. Fourth, the best BC professionals will no longer frame their work in terms of plans, but now in terms of portfolios, an evolving collection of recovery capabilities that can be brought to bear in times of adversity and disaster.

In this lecture, I provide an approach to establish a Business Continuity Portfolio Management Office (BC PMO). While this very brief presentation covers a lot of material (perhaps too much), it contains almost all the necessary theoretical and practical elements to provide a proper foundation for those who will create the very first BC PMOs in the industry.

– David Lindstedt, PhD, PMP, CBCP

David Lindstedt is the founder of Readiness Analytics, an organization focused on metrics, measures, and KPIs for recovery capabilities. Dr. Lindstedt is the co-author (along with Mark Armour) of the "Adaptive BC Manifesto and the Adaptive Business Continuity." He is also the creator of several supporting web sites including AdaptiveBCP.org, ReadinessTest.com, and Jeomby.com. Dr. Lindstedt has published in international journals and presented at numerous international conferences. He taught for Norwich University's Master of Science in Business Continuity Management.

The Business Continuity Institute

In the context of the manufacturing industry, business continuity is about ensuring products continue to reach and be delivered to customers, regardless of any internal problems or issues that arise.

Like all businesses, manufacturers need to identify their critical value adding business activities and processes, focus on keeping them operational or getting them back to full operational capacity in a set time frame, regardless of the issues. This will then maintain the product delivery to the end consumers.

The basic principle of a manufacturer is to convert inputs (raw materials, ingredients, chemicals) into an output/product for sale. This is achieved by inputs undergoing transformational processes along the production line which add value at each stage. Labour, machinery and other tools combine to produce this production capability and thus, by the end of the whole production line, there is a product ready for sale.

What does a manufacturer need to consider to ensure business continuity?

To run a manufacturing production line effectively, you need to avoid disruptions in three key areas:

  • Staffing
  • Materials/Inputs
  • Machinery

Staffing

In manufacturing, staff are needed to maintain and control the production line, ensure it stays operational and to spot early warning signs of any problems. Staff are integral in keeping the production line functional.

Ensuring staff have the proper training is vital to operational success. A lack of training causes mistakes, and mistakes cause disruptions anywhere along the production line. Investing time and money in a training package for new and current staff helps minimise both.

Cross-training should also be considered. Training staff across the full range of business activities ensures activity continues if a vital member of staff leaves, falls sick or takes holiday during a busy period.

Efficient staff recruitment processes may also be of value. Losing a number of employees simultaneously causes disruption and increases pressure on the remaining staff (again highlighting the importance of cross-training). Having other options, such as agency workers or temporary staff, is much quicker and easier to implement in the short term, allowing the business to continue until permanent positions are filled.

Materials/Inputs

Inputs and raw materials are particularly important for manufacturers because without inputs there can be no output, which in turn means no sales.

If a manufacturer limits itself to one supplier of a material, and that supplier is unable to deliver, then the manufacturer is also unable to produce its products. Manufacturers should therefore have a diverse supply chain. Sourcing multiple suppliers of raw materials minimises the risk to, and impact on, the manufacturing process: if the primary supplier cannot deliver, the manufacturer has secondary options and business continues.

No business wants faulty goods, as they may mean product recalls and tarnish the brand image. Faulty goods can be a direct result of poor-quality materials or inputs, so manufacturers should implement a quality inspection procedure on receipt of materials. This helps ensure inputs meet the manufacturer's required standard and reduces disruption further along the production process.

Other, less tangible inputs must also be considered. Electricity supply, for example, is paramount to a manufacturer because it powers the machinery and other processes; without it the whole business grinds to a halt. Installing a back-up generator keeps business and manufacturing activities running despite power shortages or prolonged power cuts.

Machinery

It is essential that factory equipment and tools are fully functioning to carry out the manufacturing process. Maintaining equipment, and checking that it is safe to use, is therefore critical.

You need to spend enough to ensure your machinery and equipment meet regulatory standards, and preventive maintenance is a must for all manufacturing businesses. Preventive maintenance works on the same principle as servicing your car, except that servicing factory machinery tends to be a lot more costly. Waiting until the machine breaks means you have waited too long.

The harsh reality is that customers have little interest in understanding manufacturing problems. They react the way you react to your own suppliers: all you care about is that they are late. Customers are the same; they need their products, and if they cannot get them from their chosen source they may go elsewhere.

Michael Conway is a founding director of Renaissance Contingency Services, established in 1987. He built Renaissance into Ireland's premier IT security distributor and leading independent business continuity consultancy provider.

The Business Continuity Institute

Despite the increasing number of data breaches and nearly 1.4 billion data records being lost or stolen in 2016, the vast majority of IT professionals still believe perimeter security is effective at keeping unauthorised users out of their networks, according to a study by Gemalto.

The Data Security Confidence Index showed that businesses feel that perimeter security is keeping them safe, with most (94%) believing that it is quite effective at keeping unauthorised users out of their network. However, 65% are not extremely confident their data would be protected, should their perimeter be breached, a slight decrease on last year (69%). Despite this, nearly 6 in 10 (59%) organizations report that they believe all their sensitive data is secure.

According to the research findings, 76% said their organization had increased investment in perimeter security technologies such as firewalls, IDPS, antivirus, content filtering and anomaly detection to protect against external attackers. Despite this investment, two thirds (68%) believe that unauthorised users could access their network, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organizations have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

Businesses' confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, around a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data. This means that, should the data be stolen, a hacker would have full access to it and could use it for crimes including identity theft, financial fraud or ransomware.

"It is clear that there is a divide between organizations' perceptions of the effectiveness of perimeter security and the reality," said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. "By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data. Businesses need to be aware that hackers are after a company's most valuable asset – data. It's important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so."

With the General Data Protection Regulation (GDPR) becoming enforceable in May 2018, organizations must understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, over half of respondents (53%) say they do not believe they will be fully compliant with GDPR by May next year. With less than a year to go, businesses must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption.

Hart continues, "Investing in cyber security has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don't improve their cyber security will face severe legal, financial and reputational consequences."

The scale of the cyber threat is well known to business continuity and resilience professionals who identified cyber attacks and data breaches as their top two concerns, according to the Business Continuity Institute's latest Horizon Scan Report. It cannot be emphasised enough, just how important it is for organizations to have plans in place to respond to such incidents and help lessen their impact.

The Business Continuity Institute

3 in 10 (29%) travel managers report they do not know how long it would take to locate affected employees in a crisis, according to a new study by the GBTA Foundation, the research and education arm of the Global Business Travel Association, in partnership with Concur.

The study revealed that, overall, one-half (50%) of travel managers say, in the event of an emergency, they can locate all of their employees in the affected area within two hours or less. Additionally, three in five (60%) travel managers rely on travelers to reach out if they need help and have not booked through proper channels.

“Research reveals significant gaps in educating travelers about resources available to them and the existence of protocols should the unforeseen happen,” said Kate Vasiloff, GBTA Foundation Director of Research. “Failing to establish and communicate safety measures leaves travelers and organizations vulnerable. As both security threats and technology evolve, even the most robust protocols that once served companies well may now have weaknesses requiring immediate attention and modification.”

“With business travel and global uncertainties on the rise, companies today face more pressure than ever to ensure the safety of their travelers,” said Mike Eberhard, President of Concur. “If a crisis or incident occurs, it’s critical that businesses be prepared to quickly locate employees and determine who may need assistance.”

Travel managers play a key role in supporting travelers should disaster strike, which is why the vast majority (85%) of travel programmes include risk management protocols. Over the past two years, the prevalence of domestic travel risk management protocols has increased to rival that of international travel. Despite this progress, there continues to be room for improvement, as only three in five (62%) international travelers are given pre-travel information and even fewer (53%) are given information on local providers of medical and security assistance services before leaving the country.

Once it has been determined that travelers are in an area experiencing a security threat, every minute spent trying to get in touch could be putting them at greater risk. Live personal calls (58%) and automated emails to business addresses (52%) are the most popular methods of communicating with travelers in an emergency.

Being able to communicate with employees during an emergency is a fundamental responsibility of the organization, either to ensure they are safe, or to pass on important advice. The Business Continuity Institute's latest Emergency Communications Report did deliver the encouraging news that most organizations (84%) do have some form of plan in place, although it did highlight that for those which don’t, two thirds (64%) felt that only a business-affecting event would incentivise them to develop one.

Creating Situational Awareness

Several prominent Wall Street firms are transitioning to a cognitive risk management environment. The changes they’ve made are significant, but there’s still work to be done. James Bone asserts that a more comprehensive approach is needed: one that includes intentional control design and machine learning – technology to help humans become more productive.

In my previous articles, I introduced human-centered risk management and the role cognitive risk governance should play in designing the risk and control environment outcomes you want to achieve.  One of the key outcomes was briefly described as situational awareness, which includes the tools and ability to recognize and address risks in real time.  In this article, I will delve deeper into how to redesign the organization using cognitive tools while re-imagining how risks will be managed in the future.  Before I explore “the how,” let’s take a look at what is happening right now.

This concept is not some futuristic state!  On the contrary, this is happening in real-time.  BNY Mellon, one of the oldest firms on Wall Street, has started a transformation to a cognitive risk governance environment.  Mellon is not the only Wall Street titan leading this charge.  JPMorgan, BlackRock and Goldman Sachs are hiring Silicon Valley talent among others to transform banking, in part, to remain competitive and to strategically reduce costs, innovate and build scale not possible with human resources.  The banks have taken a very targeted approach to solve specific areas of opportunity within the firm and are seeking new ways to introduce innovation to customer service and new product development and to create efficiencies that will have profound implications for risk, audit, compliance and IT now and in the foreseeable future.



IBM’s latest z Series mainframe, unveiled today, has a novel security feature the company says users have long wanted but couldn’t get: the ability to easily encrypt all their data, at rest or in motion, with just one click.

The 14th-generation mainframe, called IBM Z, introduces a new encryption engine that for the first time will allow organizations to encrypt all data in their databases, applications, or cloud services, with no performance hit, said Mike Perera, VP of IBM’s z Systems Software unit, in an interview with Data Center Knowledge.

“It’s a security breakthrough that now makes it possible to protect all the data, all the time,” he said. “And we’re really doing it for the first time at scale, which has not been done up to this point, because it’s been incredibly challenging and expensive to do.”



FDA late last year published new guidance documenting postmarket management of cybersecurity in medical devices. It seems prudent to recognize this guidance for exactly what it is: a wake-up call for the medical industry that we are in the 21st century and the potential for hacking any medical device, whether it is connected to a network or not, is a problem that must be taken seriously. In the guidance, FDA provides the means of demonstrating a risk-based management approach to cybersecurity and medical devices. The agency also provides mitigation and reporting requirements that are governed by other sections of the Code of Federal Regulations (CFR) pertaining to medical devices. So, while some may argue that this guidance has no teeth and cannot be enforced, if a patient is harmed or put at risk by a potential cybersecurity vulnerability, what company's attorneys are going to argue that their client chose to ignore potential cybersecurity impacts on their medical device because they felt the guidance “didn't have any teeth”?



Federal Emergency Management Agency (FEMA) officials today announced funding awards for the Fiscal Year (FY) 2016 Program to Prepare Communities for Complex Coordinated Terrorist Attacks (CCTA Program). The CCTA Program will provide $35.94 million to selected recipients to improve their ability to prepare for, prevent, and respond to complex coordinated terrorist attacks in collaboration with the whole community.

Terrorist incidents, such as those in London, England; Boston, Massachusetts; Nairobi, Kenya; San Bernardino, California; Paris, France; and Brussels, Belgium, highlight an emerging threat known as complex coordinated terrorist attacks. The FY 2016 CCTA Program is intended to enhance resilience and build capacity for jurisdictions to address complex coordinated terrorist attacks that may occur across the nation.

The selected recipients will receive funding specifically to develop and implement effective, sustainable, and regional approaches for enhancing preparedness for complex coordinated terrorist attacks, which include the following components: identifying capability gaps, developing and/or updating plans, training to implement plans and procedures, and conducting exercises to validate capabilities.

Applications were reviewed and scored independently by a peer review panel composed of subject matter experts representing federal, state, local, territorial and tribal organizations that have experience and/or advanced training in complex coordinated terrorist attacks. Awards were made on a competitive basis to applicants who presented an ability to successfully meet the requirements described in the NOFO, taking into account how well the applicant demonstrated:

    • A need for funding support;
    • Effective, sustainable and regional approaches;
    • The proposed project’s impact that presents an increase in the jurisdiction’s preparedness and resilience to complex coordinated terrorist attacks once the project is implemented; and
    • A reasonable and cost-effective budget.


FY 2016 CCTA Program funding is awarded to the following recipients:

  • Arlington County Government (Va.): $1,244,890
  • City of Aurora (Ill.): $1,373,809
  • City of Chicago Office of Emergency Management and Communications (Ill.): $699,502
  • City of Dallas (Texas): $925,000
  • City of Houston (Texas): $1,759,733
  • City of Los Angeles Mayor's Office of Public Safety (Calif.): $1,223,225
  • City of Miami (Fla.): $723,260
  • City of Phoenix (Ariz.): $1,565,000
  • City of Winston-Salem (N.C.): $1,868,050
  • Durham County (N.C.): $931,500
  • East-West Gateway Council of Governments (Ill./Mo.): $1,474,716
  • Franklin County (Ohio): $829,725
  • Galveston County (Texas): $976,896
  • Hawaii Department of Defense (Hawaii): $492,800
  • Illinois Emergency Management Agency (Ill.): $1,214,024
  • Indiana Department of Homeland Security (Ind.): $2,024,833
  • King County (Wash.): $1,516,723
  • Knox County (Tenn.): $536,250
  • Maryland Emergency Management Agency (Md.): $2,098,575
  • Metropolitan Washington Airports Authority (D.C./Va.): $595,098
  • Mid-America Regional Council (Mo.): $2,251,502
  • New York State Division of Homeland Security and Emergency Services (N.Y.): $1,379,048
  • San Bernardino County (Calif.): $1,334,751
  • South Carolina Law Enforcement Division (S.C.): $1,530,020
  • South East Texas Regional Planning Commission (Texas): $1,076,336
  • Texas Department of Public Safety (Texas): $659,556
  • Unified Fire Authority of Greater Salt Lake (Utah): $1,043,800
  • Virginia Department of Emergency Management (Va.): $2,001,568
  • Wisconsin Emergency Management (Wis.): $589,810


The Business Continuity Institute

A major global cyber attack has the potential to trigger $53 billion of economic losses, roughly the equivalent to a catastrophic natural disaster like 2012’s Superstorm Sandy, according to a scenario described in new research by Lloyd’s and Cyence.

Counting the cost: Cyber exposure decoded reveals the potential economic impact of two scenarios: a malicious hack that takes down a cloud service provider with estimated losses of $53 billion, and attacks on computer operating systems run by a large number of businesses around the world which could cause losses of $28.7 billion. By comparison, Superstorm Sandy, the second costliest tropical cyclone on record, is generally considered to have caused economic losses between $50 billion and $70 billion.

The study also revealed that, while demand for cyber insurance is increasing, the majority of these losses are not currently insured, leaving an insurance gap of tens of billions of dollars.

Inga Beale, CEO of Lloyd’s, said: “This report gives a real sense of the scale of damage a cyber-attack could cause the global economy. Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality.”

For the cloud service disruption scenario, average economic losses range from US$4.6 billion for a large event to $53 billion for an extreme event. These are averages within the scenario; because of the uncertainty around aggregating cyber losses, the extreme-event figure could be as high as $121 billion or as low as $15 billion. Meanwhile, average insured losses range from US$620 million for a large loss to US$8.1 billion for an extreme loss.

In the mass software vulnerability scenario, the average losses range from US$9.7 billion for a large event to US$28.7 billion for an extreme event. And the average insured losses range from US$762 million to US$2.1 billion.

The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are actually covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.

The Business Continuity Institute

These days, most organizations that 'do' business continuity understand the importance of exercising and testing. Many have comprehensive exercising and testing programmes, which include crisis/incident management exercises, IT recovery tests and user relocation tests, amongst others.

It's not unusual for IT recovery testing to be done out of hours, in order to minimise any risk or impact to the business. The same is sometimes true of user relocation testing. But crisis or incident management exercises are almost always conducted during office hours.

The main reason is that exercising during office hours is more convenient, both for the participants and the facilitators, and there's usually (although not always) more chance of getting the key players to attend.

But exercising during the working day also has some distinct disadvantages. It doesn't, for instance, simulate in any meaningful way a situation where those key players have to deal with a major issue when they're already tired after a busy day's work. It doesn't test out of hours access to facilities or people. And out of hours is precisely when small incidents have a nasty habit of turning into bigger incidents, usually exacerbated by the fact that the right people aren't around to nip them in the bud.

Organizations with a mature crisis/incident management exercising programme should give serious consideration to carrying out the occasional out of hours exercise. This may be a little unpopular at first, until participants get the point, so rather than going the whole hog and starting your next exercise at 2am on a Sunday, perhaps a 7pm start on a weekday would be slightly more palatable.

There may be some moans and groans at first, but these are likely to be far outweighed by the resulting improvements to your crisis/incident management capability.

Andy Osborne is the Consultancy Director at Acumen, and author of Practical Business Continuity Management. You can follow him on Twitter and his blog or link up with him on LinkedIn.

Monday, 17 July 2017 14:01

BCI: All in good time

No one ever calls for outages, and yet they happen all the time.

They’re about as predictable as the weather. There are no patterns or seasons for server crashes and data breaches. And when they strike can be just as surprising as how they strike.

Squirrels could mistake wires for nesting material. Hackers could infiltrate data when your guard is down. Even unexpected traffic surges can take down your servers if you’re not prepared.

With all the unknowns out there, there are some things you can control. Make sure your disaster recovery plan works for you. Test it thoroughly and regularly, and update it as your IT systems and business evolve. And don’t forget to keep your employees up to speed on your plans and processes to minimize human error and confusion during an emergency.

The weatherman in our cartoon is right (for once). Be ready for outages at any time, and you won’t be blindsided by an unexpected event.

Feel free to share this cartoon, with a link back to this post and this attribution: “Cartoon licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Based on a work at blog.sungardas.com.”

Imagine closed schools, overwhelmed hospitals and people dying by the thousands — or even millions. That’s the nightmare scenario for a flu pandemic.

But how likely is a pandemic to happen — and if it does, to develop into this worst-case scenario?

Pandemics are “like earthquakes: You know it’s coming, but you’re not quite sure exactly when,” said Joshy Jacob, associate professor of microbiology and immunology at Emory University. “The seasonal flu appears predictably annually. Pandemics happen unpredictably and often catch you by surprise.”

There are reasons both for alarm and for optimism, experts say. Medical research could lead to breakthroughs that would mitigate a flu pandemic. And government and private entities can make preparations to help them get through a bad pandemic if it occurs. But there is much work to be done.



Did you know that car manufacturers tend to choose the letters for their car model references according to the type of buyer they want to attract?

For example, letters around the middle of the alphabet are used when aiming at the family market (like 340L or 570M).

On the other hand, letters towards the end of the alphabet are considered to spark more interest in buyers looking for performance, power, acceleration, and so on (690X, 88Z, etc.). So, what do you think “management” suggests in a business continuity context, and is this word really any basis for long term BC success?



The many automated “out of office” messages that return when I send emails each day are a sure sign that summer vacations are in full swing. Whether people are enjoying life unplugged or preparing for a seasonal destination, one topic seems to dominate thoughts and conversations: the leisure getaway.

The conversation that occurs between friends and colleagues is just a pale reflection of the summer-vacation-themed chatter unfolding online, as travelers turn to social media to plan their itineraries. Forrester Data’s Consumer Technographics® insights reveal that nearly a fifth of US leisure travelers referenced travel-focused blogs, communities, or review sites to research their recent flight tickets, rental cars, and hotel accommodations. In fact, data shows that parents of young children who are in the throes of last-minute vacation prep are especially reliant on social channels: 26% reference peer-generated content before booking accommodation, and over a fifth do so when reserving an airline ticket or renting a car.

So, what are the social-savvy summer vacationers talking about this year? Taking the pulse of social listening data reveals the most passionate elements of current conversations:



This is part 2 of a 4-part series on organizational transformation.

When embarking on any type of journey, preparation and readiness are prerequisites for success. Whether it is planning for a trip, training for an athletic event, or transforming a business, one must first assess whether all the necessary pieces are in place to execute the plan and achieve the desired objective. Without this type of assessment, a critical part of the equation might be overlooked, and the intended outcome and benefits will not be fully realized.

Consider the marathon runner. This type of athlete does not begin an effort of this scale without the proper focus. Is he or she following an appropriate training plan for this type of event? Does his or her diet align with what is needed for the required level of energy and stamina? And perhaps most importantly, is the athlete’s overall health sufficient to undertake this type of endeavor? If the runner is not focusing on these aspects, the outcome may be disappointing.

Just like the marathon runner, organizations that wish to embark on a journey as significant as transforming their business models or underlying strategies must ensure they are focusing on all the aspects necessary to be successful. A digital transformation is a perfect example of a highly disruptive change effort that requires organizations to have a sharp focus and consider all variables at play, including people, processes, and technology. While implementing a digital transformation is a different type of marathon, it nevertheless requires a proper ‘health check’ to ensure overall readiness.



Alongside the National Flood Insurance Program (NFIP), a thriving private flood insurance market would provide wider and in many cases cheaper coverage options, according to a new study.

Consulting firm Milliman, in partnership with risk modeler KatRisk, looked at three states – Florida, Texas, and Louisiana – which combined account for 56 percent of NFIP insurance policies in-force nationwide.

Its analysis compared modeled private flood insurance premiums to those of the NFIP.



Early detection of fire and smoke is essential to save lives, property and the environment. Modern technology such as video fire detectors, especially in high-risk places like tunnels, oil and gas environments, public buildings or storage areas, enables a fast response to a potential fire. A new ISO technical specification on video fire detectors helps ensure more efficient and reliable equipment.

According to the Center of Fire Statistics (CFS) of the International Association of Fire and Rescue Services (CTIF), among 31 countries representing 14 % of the world’s population, fire services reported 3.5 million fires, 18.5 thousand civilian fire deaths and 45.0 thousand civilian fire injuries in 2015.

Video detection technology detects, identifies and analyses smoke at the first sign of fire or flame. The equipment’s understanding of the behaviour and movement of smoke enables users, located on site or remotely, to raise the alert and take appropriate action early.



The Business Continuity Institute

One in three (32%) security professionals lack effective intelligence to detect and act on cyber threats, according to a new study from Anomali, which also revealed that almost a quarter (24%) believe they are at least one year behind the average threat actor. Half of this sample admitted they are trailing by two to five years. This suggests that many organizations are not adequately mitigating cyber risks.

The survey also signals that organizations struggle to detect malicious activity at the earliest stage of a breach, or learn from past exposures, which leaves numerous vulnerabilities undiscovered. Almost one in five (17%) of respondents haven’t invested in any threat detection tools such as security information and event management (SIEM), paid or open threat feeds, or User and Entity Behaviour Analytics (UEBA).

The findings of this study also demonstrate the need for organizations to possess an effective business continuity programme. If security professionals are not able to detect or prevent cyber threats, then organizations must have plans in place to deal with those that do get through, so that they do not disrupt operations.

Many successful cyber attacks are not 'smash and grab' events. Rather, cyber criminals often lurk undetected inside enterprises’ IT systems for 200 days or more before discovery. During this time attackers gain access inside the network, escalate privileges, search for high value information, and ultimately exfiltrate data or perform other malicious activities. This ‘200 day problem’ is an ever-present danger, but survey respondents rarely examine historical records to discover whether a threat actor has entered their systems. Just 20% consult past logs daily, 20% weekly, 14% monthly, and 22% said never or did not know how often. This results in multiple missed opportunities to detect an intrusion early.

“The ‘200 day problem’ arises from the fact that logs are produced in such massive quantities that typically only 30 days are retained and running searches over long time ranges can take hours or even days to complete,” says Jamie Stone, Vice President, EMEA at Anomali. “Detecting a compromise at the earliest stage possible can identify suspicious or malicious traffic before it penetrates the network or causes harm. It’s imperative to invest in technologies security teams can use to centralise and automate threat detection, not just daily but against historical data as well.”
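The kind of historical search the survey says respondents rarely run, as an added example rather than code from Anomali or the article: a retrospective sweep of an archived log set against a small indicator list, comparing what the full archive shows with what a search limited to the last 30 days of retained logs shows. The log format, the indicator values (a documentation-only address and domain, and a stand-in file hash) and the discovery date are all constructed for this example.

```python
"""Retrospective indicator sweep over an archive of logs.

Added example, not code from Anomali or the original article. The log format,
the indicator values and the discovery date are constructed for this
demonstration; the indicators use documentation-only ranges and domains.
"""
import re
from datetime import datetime, timedelta

# Constructed threat-intelligence indicators (hypothetical, not real IOCs).
# 203.0.113.0/24 and example.net are reserved for documentation; the hash is
# simply SHA-256("test") standing in for a known-bad file.
INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-cdn.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed archive: timestamp, log source, then key=value fields.
# First contact with the indicator happens 200 days before discovery, and one
# malformed line is included to show that junk is skipped rather than crashing.
SAMPLE_LOGS = """\
2016-12-29T09:12:31Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-cdn.example.net action=allow
2016-12-29T22:40:02Z auth user=svc_backup src=10.0.0.12 result=success
2017-02-11T03:15:47Z edr host=ws-12 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2017-06-30T14:02:10Z proxy src=10.0.0.12 dst=198.51.100.7 host=files.example.org action=allow
this line is not in the expected format and is skipped
2017-07-17T08:00:00Z proxy src=10.0.0.30 dst=203.0.113.45 host=update-cdn.example.net action=allow
"""

# Date on which an analyst finally noticed something odd (constructed).
DISCOVERED = datetime(2017, 7, 17, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<source>\w+)\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(KV_RE.findall(m["kv"]))
    fields["source"] = m["source"]
    return ts, fields


def match_indicators(fields, indicators):
    """List the (type, value) indicators present in one parsed event."""
    hits = []
    for key in ("src", "dst"):
        if fields.get(key) in indicators["ip"]:
            hits.append(("ip", fields[key]))
    if fields.get("host") in indicators["domain"]:
        hits.append(("domain", fields["host"]))
    if fields.get("sha256") in indicators["sha256"]:
        hits.append(("sha256", fields["sha256"]))
    return hits


def sweep(log_text, indicators, since=None):
    """Map each indicator hit to (first_seen, last_seen, count).

    With since=None the whole archive is searched; a cutoff restricts the
    search to events at or after that time.
    """
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if since is not None and ts < since:
            continue
        for hit in match_indicators(fields, indicators):
            first, last, count = seen.get(hit, (ts, ts, 0))
            seen[hit] = (min(first, ts), max(last, ts), count + 1)
    return seen


def retention_sweep(log_text, indicators, discovered, retention_days):
    """The view a search limited to the online retention window would give."""
    return sweep(log_text, indicators, since=discovered - timedelta(days=retention_days))


def dwell_days(sweep_result, discovered):
    """Whole days between the earliest indicator hit and discovery; None if no hits."""
    if not sweep_result:
        return None
    earliest = min(first for first, _, _ in sweep_result.values())
    return (discovered - earliest).days


if __name__ == "__main__":
    full = sweep(SAMPLE_LOGS, INDICATORS)
    recent = retention_sweep(SAMPLE_LOGS, INDICATORS, DISCOVERED, 30)
    print("full archive: dwell %s days, %d indicators hit" % (dwell_days(full, DISCOVERED), len(full)))
    print("last 30 days: dwell %s days, %d indicators hit" % (dwell_days(recent, DISCOVERED), len(recent)))
```

Run stand-alone, it prints the dwell time both ways: the full archive puts first contact 200 days before discovery and matches all three indicators, while the 30-day window sees only the latest beacon, reports a dwell of zero days and never matches the file hash at all. That gap between the two views is what a short retention window hides, and it is why a sweep of new indicators should be run against the cold archive as well as the online index.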

The number of data centers has been increasing continuously since 2009, yet this is about to change. Experts predict that, after peaking at roughly 8.6 million in 2017, the number of data centers will begin to decline. The driving factor is the migration from smaller, in-house IT centers to data centers operated by larger service providers. Although the number of data centers will decrease, data center space will not, because overall capacity will continue to grow.

Due to the shift to larger service providers, the role of the corporate data center will change as well. In the past, corporate data centers solely supported operations. Today, they have a variety of functions, including: testing new business models; developing and improving new products and retaining lasting relationships with customers. Because a data center must now be able to support a variety of functions, its infrastructure must have the ability to continuously change. This is much harder to accomplish for smaller data centers, which is why you will see these smaller data centers disappear in the coming years. Today’s data centers need to be flexible, dependable and easily scalable.

The shift to larger data centers provides organizations with the infrastructure needed to adapt to a variety of different needs. It is predicted that over the course of the next five years, most organizations will stop managing their own data centers. This will result in the steady decline of in-house data centers, and lead to a higher demand for larger service providers. According to International Data Corporation (IDC), by 2018, ‘mega data centers’ will account for 72.6 percent of all service provider data center construction projects.



Given the recent rash of ransomware attacks, businesses are finding that now is as good a time as any to reevaluate their data backup strategies.

Nearly a third (32 percent) of organizations have been hit by ransomware, found a study from Imperva. Costs accrued by downtime were described as the biggest business impact of a ransomware infection for a majority (59 percent) of respondents.

This week, Hewlett Packard Enterprise (HPE) Software is giving security-conscious organizations new reasons to consider its Adaptive Backup and Recovery Suite by adding additional protections that keep backup data safe. It's a collection of data protection products that includes HPE Data Protector, Backup Navigator, Storage Optimizer and VM Explorer.



Far too often, organizations consider the public a liability — something to be rescued in an emergency situation. The opposite is true. The public is one of our greatest resources in times of crisis and should be included as an important part of your resilience planning and training.
The reality of emergency management is this: The bigger the disaster, the less likely the government can provide the best response.

For smaller disasters, there are multiple organizations that can respond, from the Red Cross to the Salvation Army to our own National Guard. For larger disasters, there is so much demand for assistance that we invariably fall short. We cannot get to people fast enough. In those situations, the tendency is to tell the public to be passive and wait. That is not the best solution and increases the number of lives lost.

In the case of almost any disaster, the fastest response will be from your neighbor. There are countless examples of this:



Thursday, 13 July 2017 15:19

The Public as a Resource

With apologies for paraphrasing Mr. Twain, pundits have sounded VMware’s death knell for years. Whether it be the continuous pressure of public cloud offerings, potentially losing the management tools game, or tech professionals evolving past their current offerings, the company faces some very real, critical threats.

Even so, VMware continues to succeed. In its most recent quarter results, VMware announced year-over-year revenue growth of 9% to $1.74 billion and GAAP net income at $232 million.

How do they continue to be successful?



The Business Continuity Institute

A large proportion of businesses fail to adequately protect their networks from the potential threat posed by ex-employees, with IT decision makers surveyed as part of a study by OneLogin claiming that over half (58%) of former employees can still access the corporate network. The study also found that nearly a quarter (24%) of UK businesses have experienced data breaches by ex-employees.

Nearly all (92%) of respondents admitted to spending up to an hour on manually deprovisioning former employees from every corporate application. Half (50%) of respondents are not using automated deprovisioning technology to ensure an employee’s access to corporate applications stops the moment they leave the business. This deprovisioning burden may explain why over a quarter (28%) of ex-employees’ corporate accounts remain active for a month or more.

Also, the study revealed 45% of businesses don’t use a Security Information and Event Manager (SIEM) to audit for application usage by former employees, leaving vital corporate data exposed to potential leaks.

“The sheer level of data breaches revealed by our study, coupled with the revelation that many businesses are failing to put simple processes in place to promptly deprovision ex-employees, should raise serious alarm bells for business leaders,” said Alvaro Hoyos, Chief Information Security Officer at OneLogin. “Our study suggests that many businesses are burying their heads in the sand when it comes to this basic, but significant, threat to valuable data, revenue and brand image. There should be no excuse for this negligence, which will be brought further into the spotlight when the European Union’s General Data Protection Regulation (GDPR) comes into effect in 2018. GDPR makes data protection a legal requirement for organisations, which could face fines of up to €20 million or 4% of their annual turnover, depending on which is higher.”

“With this in mind, businesses should proactively seek to close any open doors that could provide rogue ex-employees with opportunities to access and exploit corporate data. Tools such as automated de-provisioning and SIEM will help close those doors with ease and speed, while also enabling businesses to manage and monitor all use of corporate applications. The first step is acknowledging the problem, which businesses now have done by confessing they are aware of the issue, they now need to take steps to fix this issue by utilising the available tools,” concludes Hoyos.
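The two controls named above, automated deprovisioning and SIEM auditing, can be reduced to two checks: is a leaver's account still enabled, and has a leaver authenticated after their last working day. The script below is an added example, not OneLogin's product or the study's method; the HR leaver list, account export and authentication log lines are all constructed and their formats are hypothetical.

```python
"""Deprovisioning audit: added example, not OneLogin's product or the study's method.

Joins a constructed HR leaver list against a constructed identity-store export and
constructed authentication events, and reports the two findings the study describes:
accounts still enabled after the leave date, and post-departure authentication
attempts that a SIEM rule should alert on. All data formats are hypothetical.
"""
from datetime import date, datetime

# Constructed HR feed: username -> last working day.
LEAVERS = {
    "alice": date(2017, 5, 31),
    "bob": date(2017, 6, 15),
    "carol": date(2017, 6, 30),
}

# Constructed identity-store export: username -> account state.
ACCOUNTS = {
    "alice": {"enabled": True},
    "bob": {"enabled": False},   # correctly deprovisioned
    "carol": {"enabled": True},
    "dave": {"enabled": True},   # current employee, must not be flagged
}

# Constructed authentication log: ISO timestamp, user, application, result.
AUTH_LOG = """\
2017-06-01T08:02:11Z alice crm success
2017-06-20T19:44:03Z bob mail failure
2017-07-03T22:10:45Z alice fileshare success
2017-07-01T09:00:00Z carol hr-portal success
2017-07-02T10:15:30Z dave crm success
"""


def parse_auth_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "app": app, "result": result,
        })
    return events


def stale_accounts(leavers, accounts, today, grace_days=0):
    """Leavers whose account is still enabled more than grace_days after the
    leave date. Returns {user: days past the grace period}."""
    stale = {}
    for user, leave_date in leavers.items():
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            overdue = (today - leave_date).days - grace_days
            if overdue > 0:
                stale[user] = overdue
    return stale


def post_departure_logins(leavers, events):
    """SIEM-style rule: any authentication attempt, successful or not, by a
    leaver after their last working day. Failed attempts are kept because an
    attempt against a disabled account is itself worth knowing about."""
    alerts = []
    for ev in events:
        leave_date = leavers.get(ev["user"])
        if leave_date is not None and ev["ts"].date() > leave_date:
            alerts.append((ev["user"], ev["app"], ev["ts"].isoformat(), ev["result"]))
    return alerts


def audit(today=date(2017, 7, 12), grace_days=0):
    """Run both checks and return their findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "stale": stale_accounts(LEAVERS, ACCOUNTS, today, grace_days),
        "alerts": post_departure_logins(LEAVERS, events),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(name, finding)
```

On the constructed data the audit flags alice (42 days past her leave date) and carol (12 days) as still enabled, and raises four alerts, including a failed login by bob whose account was already disabled. The `grace_days` parameter lets the stale-account check mirror the study's "a month or more" threshold: with `grace_days=30` only alice remains.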

The Business Continuity Institute

“Trust takes years to build, seconds to break, and forever to repair,” or so the quote says. While there may be a degree of flexibility with those timings, the principle that it takes much longer to build a reputation than to break it is absolute. Reputation means a lot to organizations and constitutes a significant proportion of their value.

I have been reading a lot of articles recently about reputation and the number of organizations that have had their reputation damaged, sometimes through no fault of their own.

We published an article recently about false claims against travel operators and the effect these claims, however inaccurate they are, can have on the reputation of the business. Why would you go on holiday with a travel operator that has a high rate of sickness among its guests?

There was a story this morning published by the BBC that discussed how it will take a generation for Chelsea and Kensington Council to be trusted again following the Grenfell Tower fire. When people feel so let down by an organization, especially in a situation when lives have been lost, it is not easy to forget that and move on.

And we are inundated with stories of organizations that have experienced a data breach and consumers beginning to question why they cannot protect their data.

Damage to reputation can be devastating for an organization and perhaps the most famous story of all when it comes to reputation and the sudden loss of it, is that of Ratners, the high street jewellers. In his speech to the Institute of Directors, the chief executive of the company – Gerald Ratner – included the line:

"We also do cut-glass sherry decanters complete with six glasses on a silver-plated tray that your butler can serve you drinks on, all for £4.95. People say, 'How can you sell this for such a low price?' I say, 'because it's total crap.'"

The next day the share price plummeted and the company was on the brink of collapse.

It is this potentially disastrous impact that damage to your reputation can have that makes it a business continuity issue. Of course, that’s not to say that reputation management is the responsibility of the business continuity department, because clearly it’s not. But it is something that the business continuity department can play a role in.

Arguably loss of trust should be considered in the same light as loss of IT, loss of power, loss of building etc. The organization needs to consider what the potential impact could be, how that impact could be mitigated, and what mechanisms could be put in place to ensure the organization continues to operate effectively and prevent the loss from being too disruptive.

This is perhaps the perfect example of what we at the BCI have been speaking a lot about recently - management disciplines cannot work in silos any longer. On matters of reputation business continuity professionals should be engaging with communications professionals to ensure that crisis communications plans are in place and that the organization is prepared.

Is that easier said than done? Are we making progress in this respect? Your thoughts, as always, are welcome.

David Thorp
Executive Director of the Business Continuity Institute

Wednesday, 12 July 2017 15:56

BCI: Protecting your reputation

An ocean wave pulls away from the shore and then, as expected, it moves toward land again. But it keeps moving farther and farther inland. The water pushes over unsuspecting beachgoers, backyards and entire cities with startling speed. It leaves a wake of destruction in Indonesia that includes an estimated 230,000 deaths.

Several years later, a similar scene unfolds in Japan when ocean water flows onto land to submerge cars, homes and even a nuclear power plant that never again will return to functionality. That time, the flood waters claim approximately 16,000 lives.

The mind-boggling force of a tsunami is a horrifying spectacle, as the world witnessed in 2004 and 2011. Those disasters ingrained heart-wrenching images of water-borne tragedy into people’s minds around the world. For many Americans, though, such images depict a rare occurrence in far-off countries and not a phenomenon in the continental United States. But the reality is that a tsunami could happen here, and it would be equally devastating.



Wednesday, 12 July 2017 15:01

Surviving a Tsunami in the United States

With the increasing prevalence of IT hacks, intelligent business owners are becoming more aware of the importance of Business Continuity as a business skill. Staying resilient can determine the longevity of a business in today’s world. 

How many quotes about failing or falling have you heard?

“Every adversity, every failure, every heartache carries with it the seed of an equal or greater benefit.” – Napoleon Hill

“Our greatest glory is not in never falling, but in rising every time we fall.” – Confucius

“You drown not by falling into a river, but by staying submerged in it.” – Paulo Coelho



Today’s companies are often faced with the complex decision of whether to use public cloud resources or build and deploy their own IT infrastructures. This decision is especially difficult in an age of mounting data requirements when so many people expect limitless access and ultra-flexibility. For these reasons, cloud computing has become an increasingly popular choice for many organizations – though not always the right choice.

According to RightScale’s 2017 State of the Cloud Survey, 85 percent of enterprises have a multi-cloud strategy.

Common reasons for using public cloud resources include scalability, ease of introductory use and reduced upfront costs. In many ways public cloud usage is considered the “easy button.”



We all know the frustration of phoning a call centre, only to be put on hold for an interminable amount of time or taken through a long and complex series of options before arriving at a dead end. And when we finally get hold of someone, it is usually to battle with the language barrier or be told to call back later – all while paying an extortionate rate for the call itself.

A survey amongst ISO members suggests that the general public is, on average, only mildly satisfied with customer contact centres, indicating there is much room for improvement. It is for this reason that two new International Standards on the subject have just been published.

ISO 18295-1, Customer contact centres – Part 1: Requirements for customer contact centres, specifies best practice for all contact centres, whether in-house or outsourced, on a range of areas to ensure a high level of service; these include communication with customers, complaints handling and employee engagement.



The Business Continuity Institute

Internet speeds are getting faster all the time with Internet Service Providers competing with each other to offer the fastest connections that can enable users to download entire videos in just seconds. But could that be about to change? Could ISPs have more control over the download speeds they offer? Ultimately, does this mean that ISPs could have more control over what we are able to download?

On the 12th July, tens of thousands of organizations will be joining a day of protest in support of net neutrality, the principle that ISPs treat everyone’s data equally: they don’t get to vary download speeds depending on the source of the data, or block sites altogether. The principle of net neutrality has often been described as the 'first amendment of the internet', as it is about ensuring equality of access to online information.

In February 2015, during the Obama administration, the Federal Communications Commission (FCC) in the United States voted to strictly regulate ISPs and enshrine in law the principles of net neutrality. The vote reclassified wireless and fixed-line broadband service providers as Title II 'common carriers', which gave the FCC the ability to set rates, open up access to competitors and more closely regulate the industry. Two years on, however, Trump’s new FCC chairman, Ajit Pai, previously a lawyer at one of the major ISPs, is attempting to overturn that decision.

Removing net neutrality could allow ISPs to create special fast lanes for content providers they have arranged deals with, or perhaps more of a concern is that they could slow down traffic from content providers who are considered rivals.

Even AT&T, previously an opponent of net neutrality, is claiming to support the protest. Bob Quinn, Senior Executive Vice President of External and Legislative Affairs at the telecoms giant, commented: "We agree that no company should be allowed to block content or throttle the download speeds of content in a discriminatory manner. So, we are joining this effort because it’s consistent with AT&T’s proud history of championing our customers’ right to an open internet and access to the internet content, applications and devices of their choosing."

Wednesday, 12 July 2017 14:15

BCI: Day of protest over net neutrality

The Business Continuity Institute

When it comes to new spending, IT departments have two rather clear priorities - secure their data and continue the transition to the cloud, according to the Computer Economics annual IT spending and staffing benchmarks study 2017/2018.

Given the constant array of new threats facing IT departments every day, it is no surprise that security is a major priority. Malware, ransomware, phishing attacks, and security breaches are a near constant in the media, with the cost of repairing the damage and regaining customer trust also increasing. At the same time, cloud applications and infrastructure not only improve security but also improve budget flexibility, which allows IT departments to respond more effectively to the needs of the business.

A net 70% of IT organizations reported increased spending on security/privacy. Not a single company reported a decrease in such spending. A net 67% of respondents reported increased spending on cloud applications. A net 52% and 51% reported increases in spending on cloud infrastructure and business intelligence, big data, and data warehousing, respectively.

The lowest priority for new spending was disaster recovery/business continuity, with a net of 38% reporting increases. Despite being the lowest priority, the study did report a noticeable increase in disaster recovery/business continuity spending growth. Only 33% of respondents last year reported increased spending in this area compared to 38% this year.

“We’re also seeing a modest increase in outsourcing spending,” said David Wagner, vice president, research, at Computer Economics. “A net of 27%, up from 20% last year, are increasing their spending on outsourcing. We’re also seeing outsourcing budgets as a total percentage of IT spending increasing.”

The Business Continuity Institute

A global survey of executives found that most view the world as increasingly risky, with many reporting a “significant operational surprise” over the past five years. However, the majority of executives also report that their organizations are not developing more robust risk management processes to help counter this increasing risk. This is according to a study published jointly by NC State’s Enterprise Risk Management (ERM) Initiative and the Association of International Certified Professional Accountants (AICPA).

The 2017 Global State of Enterprise Risk Oversight report revealed that approximately 60% of executives reported that the volume and complexity of their risks have increased over the past five years, though there was some variability across regions. 61% of executives in Europe and the UK reported an increase, 55% in Asia/Australasia, 76% in Africa/Middle East, and 59% in the US.

“These findings are particularly timely, given the political, economic and social uncertainties that businesses are facing in the United States and abroad,” says Mark Beasley, co-author of a report on the survey results and director of the Enterprise Risk Management (ERM) Initiative at North Carolina State University.

“The increase in risks, and the operational surprises, are tied to the dynamic global business environment,” Beasley says. “For example, Europe and the UK have seen issues ranging from the Brexit vote to immigration challenges, while Africa and the Middle East have dealt with a wide variety of challenges, such as disruptions caused by the ongoing war in Syria and conflicts with ISIS. The US has been comparatively stable, but we seem to have entered a period of domestic political uncertainty – which is not reflected in the survey – and of course issues abroad can have significant effects on US organizations.”

Given these widespread surprises and perceived increase in risks, one might think that executives are embracing ERM processes to better protect their organizations. But the survey found that the level of risk management oversight is relatively immature.

“All organizations engage in risk management, but conventional risk management is done in silos, whereas the ERM approach allows for a holistic overview of risks across silos,” Beasley explains. “In other words, it helps executives identify risks that span multiple silos, or that fall into blind spots that an organization might otherwise miss.”

However, few executives said that their organizations had put thorough ERM processes in place. For example, while 53% of executives in Europe reported increasing risks, only 21% reported having complete ERM processes in place. And only 24% of executives in the Africa region reported complete ERM processes, with the number rising to 26% in the US and 30% in the Asia region. In addition, 80% of executives surveyed reported that their organizations don’t conduct any formal risk management training for their executives.

“We’re seeing a major disconnect between how organizations perceive their challenges and how they are responding to them,” Beasley says. “However, we also found that boards of directors, especially outside the US, are calling for executives to be more proactive about addressing potential risks.”

Specifically, the survey asked executives whether their boards of directors were asking for “increased senior executive involvement in risk oversight.” 56% of executives in Europe said yes, with the number rising to 59% in the Africa region and 70% in the Asia region. But only 38% of survey respondents in the US reported the same pressure.

CEOs are becoming increasingly frustrated by organizations that over-emphasize the short term. And CECP — a coalition of CEOs that believes societal improvement is an essential measure of business performance — took notice. CECP is trying to redirect investor behavior to focus less on short-term events and more on corporate frameworks that are capable of generating long-term growth.

Daryl Brewster, CEO of CECP, talked with Deloitte Advisory’s Mike Kearney about the organization’s mission and how companies can create long-term value by being socially conscious. The win-win? Doing good can also be good for business. It can help build brand, engage employees and identify new markets.

“This isn’t just charity. This is about good investment. It’s not going to pay back in a month — but most good things don’t. But it can really have a positive and huge impact on the company.”



Acts of terrorism are on the rise globally. Over the past several weeks alone, the world has seen stabbings, shootings and bombings in Flint, Tehran, London, Kabul and Bogota.

We’ve spent the past several years researching how communities can prepare to provide urgent medical care to the large numbers of victims these events produce.

Given the persistent risk of terrorist attacks and large-scale accidents, it’s more critical than ever to learn from past incidents. That will ensure that first responders can work together effectively during the chaotic but critical minutes and hours after an incident.



Gary Wong is Director of Applications Engineering at Instor Solutions

Of all the natural disasters that can affect data centers, earthquakes are among the most damaging. Given the data center industry’s continued growth and expansion throughout California, these potentially catastrophic events are always top of mind for data center owners and operators.

With the passing of the 27th anniversary of the 6.9-magnitude Loma Prieta earthquake, centered within 10 miles of Santa Cruz, now is the time for data centers across California and other areas prone to seismic activity to reevaluate their earthquake disaster strategies and look at the availability of proactive protection plans.

Across the world, there are an estimated 500,000 detectable earthquakes each year; 10,000 in the area of Southern California alone. These sobering facts lead to some important questions: If an earthquake like the Loma Prieta were to strike again, how are data centers better protected now than 27 years ago? What would the projected loss be to your company and customers if a major earthquake hit? What is your company doing to protect the valuable data and physical assets in your facility?



It is no secret that the most successful companies are the ones that constantly refresh and energize their growth strategies to capitalize on new market opportunities and remain competitive – both during challenging economic times, as well as in periods of robust growth. In addition to organic growth, leading companies also employ inorganic approaches to build and refine their portfolios, including mergers and acquisitions (M&A), divestitures, and carve-outs.

IT is often mismanaged as an M&A value lever.  The importance of IT integration cannot be overemphasized because it has the highest potential for mistakes, due to complexities, time constraints, and the need for unified mobilization across the organization.  This is compounded by leadership, employee, supplier, and shareholder concerns.

Effective IT integration is key in achieving cost and revenue synergies, which in turn, drive merger success.  Typical challenges for realizing IT synergies include duplicated applications and infrastructures, divergence of IT and business objectives, and the seemingly uphill task of merging two distinct IT organizations – each with its own processes, policies, and practices – to maintain service quality and control costs.



Ever since I got my first job in IT in the mid-1990’s, everyone has used a cloud in some form. Whether they referred to it as outsourcing, virtualization, central IT, or in some other way, the cloud existed and grew but it did little to stem the adoption of distributed computing. Yet at some point over the past few years, the parallel growth of these two technologies stopped and the cloud forged ahead. This shift indicates that companies have now fully embraced the cloud but remain unclear about how best and how soon to transition their IT infrastructure to the cloud and then manage it once it is there.

One of my first jobs in IT was as a system administrator at a police department in Kansas. During my time there, I was intimately involved in a project that involved setting up a cloud that enabled it, along with other police departments throughout the state, to communicate with state agencies. Setting this cloud up would enable our department along with others to run background checks as well as submit daily crime reports. While we did not at that time refer to this statewide network as a cloud, it did provide a means to send and receive data and store it centrally.

However, the data that the police department sent, received, and stored with various state agencies represented only a fraction of the total data that the department generated and used daily. There were also photos, files, Excel spreadsheets, accident and incident reports, and many other types of data that officers and civilians in the police department needed and used to perform their daily duties. Since the state agencies did not need this data it was up to the police department to manage and house it.



The social responsibility movement started with debates about corporations having a responsibility to society – it is now recognized that people, planet and profit are mutually inclusive. Since these early discussions, the concept has seen many transformative moments, including the launch of ISO 26000, a standard which has gained traction and credibility in less than a decade.

“I thought I was the only one struggling to reconcile my career with the demands of family, but after this session, hearing from managers and other colleagues, I can see how it is possible to enjoy both raising children and my job!” Fujii is just one of a number of Japanese women working at global electronics company NEC Corporation, who attended an event supporting female career opportunities in a country where women’s active involvement in the workplace is sorely lacking.

To achieve its goal, NEC Corporation turned to ISO 26000, the world’s first voluntary standard on social responsibility, which has helped thousands of organizations operate in an environmentally, socially and economically responsible way. Since its publication seven years ago, ISO 26000 has been adopted as a national standard in over 80 countries (and counting!) and its text is available in some 22 languages. It is also referenced in more than 3 000 academic papers, 50 books and numerous doctorates, and is used by organizations of all shapes and sizes including Petrobras, Air France, British Telecom, NEC, NovoNordisk and Marks & Spencer, to name a few.



Monday, 10 July 2017 15:30

The rise of being “social”

While big data scientists are often perceived as the key to unlocking the potential value of big data, research conducted by the University of Kent indicates a different view.

Dr Maggie Zeng from Kent Business School, in collaboration with Professor Keith Glaister from the Warwick Business School, investigated the use of big data within five Chinese internet platform companies that have put big data at the heart of their operations.

They interviewed 42 individuals in senior management positions, including CEOs, at these firms, as well as conducting 34 interviews with partner firms and third-party developers, who work with these companies, to understand how they use big data internally and externally. They also analysed meeting minutes and business strategy documents to inform their research.

Their findings suggest that firms that hire many data scientists do not always generate better value creation opportunities. Rather, it was the process of data management where managers are able to ‘democratize, contextualize, experiment and execute’ around the use of big data that helped firms derive the most benefits.

This is based on four key areas that senior managers can facilitate:

Data democratisation: By allowing more employees to access and interpret data it gives firms a better chance of insights being derived and enables better cross-team collaboration to ensure the right questions are being asked and answered.

Data contextualisation: Ensuring other relevant business information is accessible to staff enables them to place the data they are working with in the wider context of the organisation and understand what the results they generate mean.

Data experimentation: Creating an environment where staff feel able to experiment with data on a ‘trial and error’ basis enables them to find new insights within the data that more rigid data analysis structures prevent.

Data insight execution: Managers must create a culture where insights derived from big data analysis can quickly be used to ensure the potential benefits the insights offer are realised.

The insights could help other businesses understand how to make better use of their ever-increasing data silos to enable strategic decision-making.

The research was published in a paper titled Value creation from big data: Looking inside the black box, in the journal Strategic Organisation.

The Business Continuity Institute

An ongoing internet outage in Somalia is costing the country $10m (£7.7m) each day, and sparking anger across the affected central and southern parts of the country, including the capital, Mogadishu. The outage is reported to have been caused by a commercial ship cutting an undersea fibre-optic cable more than two weeks ago, and is expected to go on for at least another week.

The post and telecommunications minister - Abdi Anshur Hassan - told a press conference that Somalia has lost more than $130 million so far.

Internet service providers have since resorted to using satellite communications to provide access to the internet; however, this remedy was described as weak and unable to cope with the huge demand.

Internet outages are a major concern for organizations across the world, with the Business Continuity Institute’s latest Horizon Scan Report featuring them in third place on its list of threats, and 80% of respondents to a global survey expressing concern about the prospect of an outage occurring. In Sub-Saharan Africa it was in second place on both the list of concerns and the list of actual disruptions.

After more than 20 years of conflict, internet usage is low in Somalia, with just 1.6% of the population online in 2014, according to estimates by the International Telecommunication Union.

The Business Continuity Institute

Plans to clamp down on bogus holiday sickness claims have been announced by the UK’s Ministry of Justice following concerns from the travel industry that more and more suspected false insurance claims for gastric illnesses like food poisoning are being brought by British holidaymakers.

Advice from the travel industry shows the upsurge of claims in this country – reported by the industry to be as high as 500% since 2013 – is not seen in other European countries, raising suspicions over the scale of bogus claims and damaging our reputation overseas.

Due to the reported increase in claims, and as many tour operators appear to settle them out of court, the costs to the industry are increasing. In addition to the high costs of settling these claims, the bogus complaints are also damaging to the reputations of those tour operators involved.

A major barrier to tackling the issue is that these spurious claims are arising abroad. Legal costs are not controlled, so costs for tour operators who fight claims can be out of all proportion to the damages claimed.

Ministers today said they want to reduce cash incentives to bring spurious claims against package holiday tour operators. Under these proposals tour operators would pay a prescribed sum depending on the value of the claim, making the cost of defending a claim predictable.

Justice Secretary David Lidington said: “Our message to those who make false holiday sickness claims is clear – your actions are damaging and will not be tolerated. We are addressing this issue, and will continue to explore further steps we can take. This government is absolutely determined to tackle the compensation culture which has penalised the honest majority for too long."

The Business Continuity Institute

Almost half a million people on the south western Japanese island of Kyushu have been advised to evacuate their homes after several days of torrential rain, brought on by a series of storms that followed Tropical Cyclone Nanmadol across the region. What was described as unprecedented levels of rain has resulted in mudslides, overflowing rivers and flooding.

The public broadcaster NHK reported that, since Wednesday, downpours of more than 550 millimeters were registered in Asakura City, in the Fukuoka Prefecture, which is about 50% more than usual for the month of July. The Meteorological Agency says some areas in the city of Iki, in the Nagasaki Prefecture, have had 'once-in-a-half century' downpours exceeding 300 millimeters over the previous 24 hours.

Poor road conditions prevented staff and deliveries from accessing the Daihatsu Motor plant in Oita, so all operations had to be stopped, and this is likely to be a scenario experienced by organizations across the region.

While ensuring that employee and stakeholder safety is paramount, organizations need to ensure that they are prepared for such events. Adverse weather came in at number five on the list of business continuity professionals' greatest concerns, according to the Business Continuity Institute's latest Horizon Scan Report, so it is something that needs to be prepared for.

Organizations must consider what would happen if they are affected by a flood, or any other type of disruption: what impact that disruption could have, whether anything could be done to prevent or reduce the risk, and how they would respond and recover. Furthermore they need to consider how they would communicate with their employees and stakeholders to ensure they are kept informed.

Tougher to do, and with tougher consequences if you get it wrong: these are the two big trends in IT risk management today.

While CIOs are still the largest single category of individuals responsible for IT risk management (ITRM), other roles such as CEOs, CISOs and CFOs now also account for a significant share. Why?

Today’s business environment is also less forgiving than in the past. Operational glitches tend to be more severe, as do the business consequences. So, what could go wrong? And who in the organisation is responsible for mitigating the associated IT risk, other than the CIO?



China is a country of extremes, with well-developed industrialized cities flourishing while inhabited yet rugged and primitive regions struggle.

One of the remotest and historically poorest provinces in Southwest China—Guizhou—has come a particularly long way in a short time and is well on its way to becoming a hub for China’s push into big data. What resembled suburbia a decade ago has been converted into a new urban district complete with skyscrapers, a convention center, and data centers.

High-speed railways, bridges, tunnels, and added international flights linking it to domestic and foreign cities have lifted the province from isolation and connected it with the world.



The Business Continuity Institute

Photograph courtesy of Frank Schwichtenberg

There's a lot of prestige that comes with hosting a large international event like the G20 Summit - it puts the city firmly on the map and can position it as a major player on the international scene. That's not to mention the investment it brings in as leaders from the world's largest economies descend on it along with their various entourages, and the media circus that will inevitably follow.

Of course the positive side is not appreciated by all, and there will be people in Hamburg who are rueing the day it was picked to host one of the largest events on the international political stage.

The world leaders are still arriving, but already violence has broken out with a Porsche dealership burnt down. Windows are being boarded up and manhole covers sealed. The water cannons have been sent out to disperse demonstrators, 100,000 of whom are expected to turn up, and whose activities are only expected to intensify over the next few days.

It is always hoped that these events will have far reaching consequences in terms of the decisions made - migration, terrorism, climate change and trade will all be discussed at length, and it would be nice to think there will be some positive outcomes. Arguably resilience professionals should be keeping a close eye on these areas of discussion, as the outcomes could have implications for our organizations.

In the short-term however, there will also be far reaching consequences for organizations based in Hamburg, and the people who live there, who will experience severe disruption over the next few days as their city is put in lockdown.

Such is the disruption that these events bring, the German Foreign Minister - Sigmar Gabriel - has already suggested that, in future, they should be held at the United Nations Building in New York where security measures are already in place. At the moment the summit is hosted by the country that holds the rotating presidency, and security can cost in the region of €150 million.

Fortunately with events like this, organizations have plenty of time to prepare for them as they know they're coming. And as shocking as the violence that breaks out can be, given previous experience, it shouldn't come as a surprise. Most of us know exactly what to expect. Of course that doesn't offer any reassurance to the Porsche dealer. But for many, with some forward planning and stakeholder engagement, it should just be an inconvenience, rather than anything more destructive, as the city is temporarily put on hold.

Friday, 07 July 2017 14:52

BCI: When the circus comes to town

While watching the sun disappear below the horizon or stargazing at night from the deck are the staples of a cruise experience, vacationers also want to watch movies on-demand or browse the internet while in their cabins.

Much like a big hotel, a cruise ship usually has a data center onboard to provide digital services. While a data center on a ship is similar to one in a hotel – both have servers, storage, and networking gear to run software – there are some differences.

Cruise ships are mobile, speeding toward their next port of call in the Baltic Sea, the Mediterranean coast or the Canary Islands, so ensuring service availability means the primary and backup data centers are usually on the same vessel, not miles apart.



If you ask cloud business leaders the key to growing in this industry you’ll get a lot of different responses. Any technology segment that’s growing so quickly is bound to shut out companies that don’t have the right strategy for getting their piece of the pie.

There are some clear keys to succeeding in the cloud, from being able to offer end users a wide range of products to having the financing in place to scale your business. Here are five ingredients for growing your cloud business:



A Digital Transformation

Increased sophistication in technology platforms, banking channels and digital initiatives has ushered in transformation in the banking industry. But these changes have also brought about increasingly sophisticated financial crimes. Bank fraud is now being committed by tech savvy criminals who find means to bypass the fraud detection rules bank platforms employ.


The last two decades have seen phenomenal transformation in the banking industry, through sophistication in technology platforms, banking channels and digital initiatives. Financial technology (FinTech) has brought about a complete revolution in the ease with which the common man does banking! From “brick” to “click,” banking today is not about visiting a bank’s physical branches as much as it is about conducting transactions online through the internet and mobile devices (mobile banking and digital wallets) at a click. Even ATMs are being reimagined to cater to a number of banking operations which could not be envisaged a decade ago!

This transformation has brought about enhanced agility, greater efficiency and flexibility in banking. But at the same time, there are widespread concerns about some complex problems banks are facing today, including sophisticated financial crimes, which are difficult to track using the regular rule-based financial crimes risk management systems. Bank fraud and money laundering are now being committed by tech savvy criminals who understand the systems and processes in place in banks to detect financial crimes and hence find means to bypass the detection rules to commit such crimes.

In this article, we try to explore the current fraud control frameworks in banks, the challenges faced by banks in fraud risk management and how emerging digital innovations can strengthen such frameworks, thereby reducing the risk of financial crime and ensuring improved regulatory compliance.



One of the most frequent discussions we here at MSPmentor have with managed services providers (MSPs) and vendors revolves around challenges in the relationships between the parties.

Many times it’s the MSPs complaining about vendors’ slow responses to support requests or disagreements about roadmap priorities.

Other times, it’s executives from vendors who voice frustration about MSPs’ unrealistic expectations or unwillingness to more fully utilize profit-generating features of their software products.

In an effort to foster greater understanding about such an important dynamic in the IT services provider ecosystem, MSPmentor will be exploring this topic during the second half of 2017 – and we want your help.



In so many ways IT operations has developed a military-style culture. If IT ops teams are not fighting fires they’re triaging application casualties. Tech engineers are the troubleshooters and problem solvers who hunker down in command centers and war rooms.

For the battle-weary on-call staff who are regularly dragged out of bed in the middle of the night, having to constantly deal with flaky infrastructure and poorly designed applications carries a heavy personal toll. So, what are the signs that an IT organization is engaged in bad on-call practices? Three obvious ones to consider include:


(TNS) - With the Atlantic hurricane season well underway, Lowndes County, Ga., officials don’t want folks to think “It can’t happen here.”

The county held its first public hurricane preparedness meeting last week at the James H. Rainwater Conference Center. On hand were county officials, representatives of volunteer organizations and experts on pet safety during evacuations, speaking in front of dozens of interested onlookers.

Home Depot assisted the county with the meeting by providing free five-gallon buckets to all who showed up. The buckets can be used for fast and easy emergency evacuation kits, said Ashley Tye, Lowndes County’s Emergency Management Agency director.



Thursday, 06 July 2017 15:25

Officials Urge Hurricane Readiness

Back at the dawn of the internet, data centers could be small and simple. A large ecommerce service could do with a couple of 19-inch racks with all the necessary servers, storage, and networking. Today’s hyper-scale data centers cover acres, with tens of thousands of hardware boxes sitting in thousands of racks. Along with the design changes, these mega-server farms have been built in new, remote locations, trading proximity to large population centers for cheap power.

As they automate data center operations, public clouds like Amazon Web Services or Microsoft Azure hire fewer and fewer highly skilled data center engineers, who are usually outnumbered by security staff and relatively low-skilled workers who do manual labor, such as handling hardware deliveries. Fewer staff managing more servers means monitoring the power and cooling infrastructure requires greater reliance on sensors, which we might now call Internet of Things hardware. They help identify issues to an extent, but there are many cases in which the experience of a seasoned facilities engineer is hard to replace with sensors. These are things like recognizing a sound that indicates a fan is about to fail or locating a leak by hearing the sound of water drops.

You need more than sensors to monitor modern data center infrastructure, and a new generation of applications aims to fill the gap by applying machine learning to IoT sensor networks. The idea is to capture operator knowledge and turn it into rules to help interpret sounds and video, for example, adding a new layer of automated management for increasingly empty data centers. The services promise “to predict and prevent data center infrastructure incidents and failures,” Rhonda Ascierto of 451 Research told Data Center Knowledge. “Faster mean time to recovery and more effective capacity provisioning could also reduce risk.”



More than $14 billion. That’s the expected insured loss from severe convective storms, thunderstorms, tornadoes, large hail and associated damaging winds in the United States in the first six months of this year.

From the Artemis blog, via Impact Forecasting, the catastrophe risk modeling center at Aon Benfield:

“The insurance and reinsurance industry faces more than $14 billion of losses after the first-half severe storm activity in the U.S., while the economic loss is set for $22 billion or higher, putting 2017 as the fourth most costly year for both economic and insured losses due to convective weather activity.”



Ah yes, agile, that buzzword that is being borrowed by so many parts of businesses! The word itself is full of promise, suggesting all kinds of good things, like flexibility, nimbleness, and adaptability.

Conversely, if you’re not agile, you’re clumsy, inflexible, and probably slated for disappearance in the near future. Some agile business continuity proponents borrow from the original agile manifesto drawn up by software developers to make a nifty, concise manifesto of their own.

Yet, while fossilised BC plans and attitudes have no place in successful BC management, we need to be careful not to slide the agile cursor too far over to chaos.



Last week we discussed combating insider threats, beginning with identifying them. This is such an important subject that we want to help you identify some of the most common insider threats. As a reminder, insider threats are threats to a network, computer system or data that originate from a person with authorized system access. You should include mitigation practices for each of these in your Employee Security Policy as soon as possible. Why are we stressing this so much? Because cybercrime is too costly and prevalent to be ignored.

Intentional vs. Unintentional

Before we go into specific examples of insider threats, it’s important to make the distinction between intentional and unintentional threats.

Intentional threats or actions are conscious failures to follow policy and procedures, no matter the reason. People can act out of desire for revenge, theft, perceived justice, or even a well-intentioned need to work from home to complete a task. Unintentional threats or actions, such as misuse of access, neglect, or lack of diligence, can occur without forethought. Though we often think of a threat as something intentional and malicious, the most common events are those with unintentional results. That being said, a deliberate event can be the most devastating and long-lasting, especially when done with the intention of causing harm to the organization. As such, an Employee Security policy should be designed to protect your organization from both threat classifications.
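The distinction drawn above between intentional and unintentional insiders cannot be read off a log line: an authorized user pulling a large export at midnight may be exfiltrating data or may simply be finishing a task from home, the well-intentioned case the paragraph mentions. What a detection team can do is flag the observable patterns the text groups under misuse of access and route them for investigation rather than judgement. The following is an added example, not code from the original article; the log format, the department-to-folder mapping, the business-hours window and the daily download ceiling are all assumptions constructed for illustration.

```python
"""Flag misuse-of-access indicators by authorized users in an access log.

Added illustration only: the log format, field names, thresholds and the
department scope table are assumptions made up for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, user, department, action, resource, bytes.
SAMPLE_LOG = """\
2017-07-03T09:12:04 alice finance READ     /finance/q2-forecast.xlsx 40960
2017-07-03T09:40:51 alice finance READ     /finance/ledger-2017.csv 120000
2017-07-03T10:02:13 bob   sales   READ     /sales/pipeline.xlsx 20480
2017-07-03T10:30:00 bob   sales   READ     /hr/salaries.xlsx 65536
2017-07-03T23:48:22 carol eng     DOWNLOAD /eng/repo-snapshot.tar.gz 734003200
2017-07-03T23:49:10 carol eng     DOWNLOAD /eng/customer-db-export.sql 524288000
2017-07-04T08:15:00 dave  hr      READ     /hr/salaries.xlsx 65536
2017-07-04T12:05:33 alice finance DOWNLOAD /finance/ledger-2017.csv 120000
"""

# Assumed policy: top-level folders each department is entitled to touch,
# the hours that count as a normal working day, and a per-user daily
# download ceiling beyond which volume alone is worth a look.
DEPARTMENT_SCOPE = {
    "finance": {"finance"},
    "sales": {"sales"},
    "eng": {"eng"},
    "hr": {"hr"},
}
BUSINESS_HOURS = range(7, 20)               # 07:00 to 19:59 inclusive
DAILY_DOWNLOAD_LIMIT = 200 * 1024 * 1024    # 200 MiB per user per calendar day


def parse_log(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, action, resource, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "dept": dept,
            "action": action,
            "resource": resource,
            "bytes": int(size),
        })
    return events


def find_insider_indicators(events):
    """Return (user, indicator, resource) triples for events worth investigating.

    Indicators:
      out-of-scope-access  an authorized user touching another department's data
      off-hours-access     activity outside BUSINESS_HOURS
      bulk-download        cumulative downloads for the day exceed the ceiling
                           (reported once per user per day, at the event that
                           crosses the limit)
    """
    findings = []
    daily_bytes = Counter()
    already_flagged_bulk = set()
    for e in events:
        top_folder = e["resource"].split("/")[1]
        if top_folder not in DEPARTMENT_SCOPE.get(e["dept"], set()):
            findings.append((e["user"], "out-of-scope-access", e["resource"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], "off-hours-access", e["resource"]))
        if e["action"] == "DOWNLOAD":
            key = (e["user"], e["ts"].date())
            daily_bytes[key] += e["bytes"]
            if daily_bytes[key] > DAILY_DOWNLOAD_LIMIT and key not in already_flagged_bulk:
                already_flagged_bulk.add(key)
                findings.append((e["user"], "bulk-download", e["resource"]))
    return findings


if __name__ == "__main__":
    for user, indicator, resource in find_insider_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {indicator:20} {resource}")
```

Each finding is a lead, not a verdict: bob reading an HR file from the sales department and carol's midnight export both get the same treatment, an investigation that establishes whether the cause was a policy violation, a mis-scoped permission or a deliberate act. The scope table is the piece most worth maintaining, since the unintentional class in the text (neglect, lack of diligence) very often turns out to be access that should never have been granted.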



Thursday, 06 July 2017 15:20

Common Insider Threats

It could be argued that digital technologies present more profound and disruptive opportunities and threats to established business models than anything that’s come before. In Digital Disruption of Business Models: The Mass Mitec Story, David Wortley charts the digital transformation of Mass Mitec, a UK-based small-to-medium enterprise, via a disruptive digital technology in the 1990s and uses the story to illustrate the potential and dangers of digital disruption.

Even though Mass Mitec had a very good understanding of the evolution of the technologies upon which its business models were based, and the organization had built a business development plan that reflected that evolution, it seriously failed to properly secure or exploit the business and contractual arrangements with its key partner.

The lessons David shares from this experience are relevant to today’s innovators and digital disrupters. These include:



The global cyberattack that has been wending its way across continents since Tuesday started creating real consequences at some businesses even as the virus’s spread seemed to be abating.

FedEx Corp. said it could suffer a “material” financial impact after the bug affected the worldwide operations of its TNT Express delivery unit. Danish shipping giant A.P. Moller-Maersk A/S shut down systems across its operations to contain the cyberattack and said the impact on its business is “being assessed.” The company’s APM Terminals unit closed its Port Elizabeth facility in New Jersey Wednesday and suspended gate operations Thursday.

Other companies were forced to resort to old-school business practices after taking corporate email offline to contain further contamination. Employees at global snack giant Mondelez International Inc. were working via cellphones, text messages and personal email, while law firm DLA Piper closed its systems as a “precautionary measure,” meaning clients couldn’t contact its team by email or land-line.



Across the globe, severe weather is a fact of life. The type of weather condition and its severity may vary from location to location, but it’s unavoidable, and your organization will likely be impacted by it to some degree at least once. Hurricanes, tornadoes, wildfires, flooding, earthquakes, tropical storms, and much more have the potential to severely impact your business’ operations if you aren’t properly prepared.


Resiliency isn’t just about preparing your business continuity plan and checklist and having it in the hands of the managers and key stakeholders who need it, it’s about actively planning for the risks that may impact you and considering all possible outcomes. Once you’ve done all of that, a checklist can be developed to encompass what needs to be done regularly prior to a severe weather event, what needs to happen if a severe weather event occurs, and what needs to be done immediately following the natural disaster.

Without a team actively invested in the planning process, your business could face tremendous loss, not only in revenue but in work time, employees, etc. Severe weather events can, and often do, exact serious damage to assets, personnel, and day-to-day operations. More than that, your brand and the public perception of your organization are at risk, too. How you handle a natural disaster or crisis can make or break your place and/or reputation in the community.



Employees are a company's greatest asset, but also its greatest security risk.

"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.

In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. "Most organizations roll out an annual training and think it's one and done," Simpson said. "That's not enough."

Instead, Simpson said organizations must do "people patching": similar to updating hardware or operating systems, you need to consistently update employees on the latest security vulnerabilities and train them on how to recognize and avoid them.



The Business Continuity Institute

Anyone who has ever been to the west coast of Scotland will be well aware that rain is an inevitability, even during the supposed summer months. It was therefore to my surprise that I read about an outdoor Green Day concert, due to be held last night in Glasgow, that had to be cancelled due to "adverse weather".

It does make you wonder about the lack of forethought that some people have. Clearly safety has to be paramount, and if it's not safe for the concert to go ahead then it has to be cancelled. But should this not be considered in advance? Should the concert organizers not have thought that it might rain on the west coast of Scotland, so put plans in place to remedy any impact of this?

As a result, several thousand music fans were sent home disappointed with only a few hours to go before the concert was due to begin. They may get their tickets refunded, but will they get their travel and accommodation refunded? Unlikely. Several hundred workers on zero-hour contracts were sent home unpaid. Can they afford to give up their time and not get compensated for it? Unlikely. And, of course, the organizer will lose out on the revenue they would have received from the event, not to mention the reputational loss.

At the Business Continuity Institute we publish our Horizon Scan Report each year which outlines the main threats that organizations face. This report sets the baseline for what those threats are, but it's essential that organizations conduct their own horizon scan in order to assess the threats relevant to them - their sector, their location, their size or their specific circumstances. If you're hosting an outdoor concert on the west coast of Scotland, then weather should have been picked up as a potential issue.

The organizer should have considered that rain was a strong likelihood and then thought through the potential implications of this. The organizer should have looked at what mechanisms could be put in place to prevent rain from becoming a health and safety issue.

Our organizations face disruptions all the time, but with some basic preparation in advance, we can make them ready to face those disruptions so they don't become damaging.

But, if we are to help make our organizations more resilient then we need to plan ahead. We need to think through our activities and what the potential risks are. Finally we need to take action to ensure that, should those risks materialise, we can still function normally, or as close to it as possible.

David Thorp
Executive Director of the Business Continuity Institute

Thursday, 06 July 2017 14:42

BCI: It always pays to plan ahead

The Business Continuity Institute

The UK remains an attractive place to live and work, but could face challenges in retaining large numbers of non-British workers, according to research by Deloitte, which also indicates significant changes in the UK labour market. Deloitte argues these changes will require a measured immigration approach, upskilling UK workers and making better use of automation for the UK to adapt successfully.

89% of non-British workers say they find the UK either quite attractive or highly attractive as a work destination and of those currently based outside the UK, 87% would consider moving to the UK if the right opportunity presented itself.

Highly-skilled non-EU citizens are the most likely to choose to move to the UK: 94% say they would move to the UK if they could, with 83% of highly-skilled EU citizens saying the same. Among less-skilled workers, 79% of EU nationals and 93% of non-EU nationals would consider moving to the UK.

For respondents based outside the UK, the UK ranked as the most desirable place to work with 57% of respondents placing it in their top three destinations, ahead of the US (30%), Australia (21%) and Canada (19%).

Respondents already in the UK were asked what attracted them to the UK. 51% put job opportunities in their top three choices, followed by cultural diversity (34%), better lifestyle (30%) and work-life balance (27%). For those outside the UK, 54% said job opportunities was a strength for the UK, followed by cultural diversity (43%) and work-life balance (40%). London was also cited by 37% of respondents as a strength, as was the UK’s global connections (30%).

Attitudes among non-UK citizens have shifted since the referendum on EU membership. 48% of migrant workers already in the UK see the country as being a little or significantly less attractive as a result of Brexit, compared to only 21% of workers outside the UK. Highly-skilled workers report the largest drop in the attractiveness of the UK. Of those currently living in the UK, 65% of highly-skilled EU workers and 49% of highly-skilled non-EU workers say the country is now less attractive. Among less-skilled workers, 42% of EU citizens and 25% of non-EU citizens say the country is now less attractive.

Overall, 36% of non-British workers in the UK say they are considering leaving the UK in the next five years, representing 1.2 million jobs out of 3.4 million migrant workers in the UK. 26% say they are considering leaving within three years.

Highly-skilled workers from EU countries are the most likely to consider leaving, with 47% considering leaving the UK in the next five years, versus 38% of highly-skilled non-EU workers. Among less-skilled workers, 27% of EU citizens and non-EU citizens say they are likely to leave in the next five years.

Overall, 58% of non-British workers say it will be difficult or very difficult to find a UK worker to replace them. This rises to 70% of highly-skilled EU workers and 56% of highly-skilled non-EU workers. Among less-skilled workers, 61% of EU workers, but only 33% of non-EU workers, say it will be difficult to replace them.

David Sproul, senior partner and chief executive of Deloitte North West Europe, said: “The UK remains a highly attractive place to work for people from around the world. Despite political and economic uncertainties, more people are attracted to live and work in the UK than anywhere else in the world. Nine out of ten overseas workers would consider moving to the UK if the right opportunity presents itself. The UK’s cultural diversity, employment opportunities and quality of life are assets that continue to attract the world’s best and brightest people.

“But overseas workers, especially those from the EU, tell us they are more likely to leave the UK than before. That points to a short to medium term skills deficit that can be met in part by upskilling our domestic workforce but which would also benefit from an immigration system that is attuned to the needs of the economy.”

Angus Knowles-Cutler, vice chairman and London senior partner, said: “The UK economy depends on migrant workers to plug gaps in both highly skilled and lower skilled jobs. If immigration and upskilling can help fill higher skill roles, automation can help to reduce reliance in lower skill positions. This will require careful consideration region by region and sector by sector, but there is a golden opportunity for UK workers and UK productivity if we get it right.”

The Business Continuity Institute

Staff at the Bank of England have voted overwhelmingly in favour of strike action in a ballot calling on their employer to give them a better pay deal. In the ballot, 95% voted for strike action, which would be the first at the bank in over 50 years.

Unite has informed the Bank of England that its members working in the maintenance, parlours and security departments will be taking four days of strike action on 31st July, 1st, 2nd and 3rd August 2017. If both sides fail to resolve the pay dispute, the union will be consulting its members across other departments of the bank as part of the escalation plan.

"It is repeatedly said that staff are an organization's greatest asset, so if that is the case then we need to have plans in place to deal with their loss," said David Thorp, Executive Director at the Business Continuity Institute. "With the UK Government insistent that all public sector pay rises are to remain capped at 1%, it is likely that this will be the first of many strikes to be called across the country over the foreseeable future."

Unite regional officer Mercedes Sanchez said: “Staff at the Bank of England have made their anger clear by voting for strike action in July.  The result will be that the bank’s sites, including the iconic Threadneedle Street in the city of London will effectively be inoperable without the maintenance, parlours and security staff."

However, a spokesperson for the Bank of England responded that: "Should the strike go ahead, the Bank has plans in place so that all sites can continue to operate effectively.”

The Business Continuity Institute

As businesses increasingly become the target of sophisticated hacking attacks, there is a greater need for them to properly prepare themselves or face a hefty bill, including ‘slow burn’ costs such as reputational damage, litigation and loss of competitive edge. This is highlighted in a study by Lloyd's, produced in association with KPMG and DAC Beachcroft, which looks at the nature of the current cyber risk landscape as well as the top threats by industry sector.

Closing the gap – insuring your business against evolving cyber threats identifies ransomware – such as the WannaCry worldwide ransomware attack – as a rapidly increasing threat, together with distributed denial-of-service (DDoS) attacks and CEO fraud. The analysis also highlighted that financial services firms are the most targeted by organized cyber crime, but that retail is also increasingly being targeted.

Inga Beale, CEO of Lloyd’s, said: “The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable.

“To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimise reputational harm and arrange cyber insurance to ensure that the risks are adequately covered. By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent slow burn costs.”

Matthew Martindale, Director in KPMG’s cyber security practice, said: “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it. Dealing with things like reputational issues and litigation in the aftermath of a breach, can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”

Hans Allnutt, Partner, Head of Cyber and Data Risk at DAC Beachcroft, said: “Whilst the immediate business impact of a breach could be significant for any organization, it may only be the tip of the iceberg when it comes to dealing with the legal consequences which may last months or even years. Once notified, it is not uncommon for regulatory investigations to take more than a year before they reach a conclusion. Subsequent litigation can take even longer, particularly because the law surrounding data security and privacy is a relatively evolving area. In one UK data protection case, it took three years and a failed appeal before the litigation was finally settled.”

The Business Continuity Institute

The nature and effects of the recent terrorist attacks in London and Manchester are broadening the industry's understanding of terrorism insurance, and could result in a permanent shift away from policies based on damage to property.

Traditionally, terrorism policies have tended to kick in when there is damage to the property of the insured. But the real damage caused by the 'lone wolf'-style tactics adopted by the attackers at Westminster, Manchester Arena and London Bridge was loss of life, injuries and significant disruption to local businesses. So-called 'denial of access' cover, for example, tends still to be linked to property damage.

Insurers must therefore focus on how business interruption cover is being extended beyond the realm of property damage. The development of contingent business interruption cover in response to recent earthquakes and floods that have affected global supply chains is a good example of an alternative approach, although even here there has to be an element of damage to the supplier of a business, if not to the business itself.

We are seeing the growth of business interruption products such as those available in the cyber market in relation to data breaches that lead to loss of profits and other intangibles. However, these products are still in the relatively early stages and need further development.

A recent report by Pool Re, the UK's government-supported terrorism risk reinsurer, described as "unprecedented" the three recent attacks in the UK.

Pool Re's analysis found that the attacks had many common features. All of them were undertaken by Islamist extremists and have been claimed by Daesh, although the claims have not yet been corroborated. All three attacks took place in crowded places, including tourist locations and social venues, where civilians were going about their day to day lives. The attacks seemed to be timed to maximise casualties, and civilians were indiscriminately targeted regardless of age, gender or nationality.

Attacks of this nature would have been completely unforeseeable when Pool Re was established in 1993, in response in part to the IRA bombing of the Baltic Exchange in London in April 1992. That attack, which killed three people, destroyed the Exchange building and caused huge property damage in the centre of the City of London.

In those days, terrorists used bombs and sophisticated weapons and acted together. As a result, insurers continue to view terrorism risk as the risk of an organised plot or threat to do damage to property. The result is a recognised 'insurance gap' for business interruption arising from non-property damage.

The recent examples show how substantial that gap could be. The Insurance Insider (registration required) has estimated the value of Ariana Grande's claim for cancelled tour dates in London and mainland Europe following the Manchester Arena bombing at £300,000. Take That, who had to cancel three shows due to take place at the Manchester Arena that same week, could receive between £500,000 and £1 million to cover the cost of rescheduling the shows, according to the same report. Although property damage to the arena itself is likely, the cost of business interruption - particularly due to the closure of Manchester Victoria train station for a week - will ultimately be far more significant.

The question now is how quickly insurers might be able to adapt to these new realities. However, the global insurance market is not renowned for its speed of movement. Theresa May's government has tried to be quick to shape its regulatory approach to the needs of the insurance market - see, for example, its move to make it easier to underwrite insurance linked securities (ILS) in London - but political uncertainty following the recent election result, and the pressures on the government to negotiate the terms of Brexit, are likely to impact on future initiatives.

Nick Bradley is an insurance law expert at Pinsent Masons, the law firm behind Out-Law.com.

The Business Continuity Institute

Local authorities in the UK perceive themselves to be vulnerable in the face of cyber attacks, particularly in the wake of the recent ransomware attack on the NHS, with just over half (53%) of local authorities claiming they are prepared to deal with a cyber attack, according to a new study carried out by PwC.

While the latest PwC Global CEO survey found that 76% of UK CEOs are concerned about cyber threats, The Local State We’re In revealed that only 35% of local authority leaders are confident that their staff are well equipped to deal with cyber threats. Demonstrating how real those threats are, almost all (97%) of UK CEOs surveyed say they are currently addressing cyber breaches affecting business information or critical systems.

A parallel study of consumers, which asked about the performance of their local authority, found that only a third (34%) of respondents trusted their council to manage and share their data and information appropriately while there was a growing appetite for council services to be available online.

The research also surveyed councils’ confidence in their ability to maintain existing levels of local service delivery. While the majority of councils (68%) were confident about maintaining service delivery over the next 12 months, a mere 1 in 6 (16%) believed they could make necessary cost savings while maintaining existing levels of services over the next five years.

Commenting on the findings overall, Jonathan House, PwC partner said: “As councils look ahead to the future there will be new risks to manage, from the shift away from the uncertainties of grant funding, to an ever more demanding public. The recent ransomware attacks, and other high-profile incidents impacting them show some of these challenges.

“However councils have proved before their resilience and ability to deal with any challenge they are faced with. The survey data suggest that Councils have taken cost out of their operations - now the challenge is to manage and grow their capabilities - to utilise technology as a force for growth and to deliver citizens’ expectations of a digital organisation.”

The Business Continuity Institute

A consequence of Brexit is that two European Union agencies currently hosted by the United Kingdom will need to be relocated elsewhere in the EU once the UK is no longer a member. In the next few years, both the European Medicines Agency (EMA) and the European Banking Authority (EBA) will need to find a new home, with 27 countries all vying for the privilege.

The European Council has drawn up a list of six essential criteria that any country considering hosting these agencies must meet, and, in recognition of the role that business continuity plays in enabling stability and helping organizations to remain operational despite disruptive circumstances, this has been chosen as one of the criteria.

According to the procedure document published by the European Council, "This criterion is relevant given the critical nature of the services provided by the agencies and the need therefore to ensure continued functionality at the existing high level."

"It concerns amongst other things the ability to allow the agencies to maintain and attract highly qualified staff from the relevant sectors, notably in case not all current staff should choose to relocate. Furthermore, it concerns the capacity to ensure a smooth transition to the new locations and hence to guarantee the business continuity of the agencies which should remain operational during the transition."

All member states now have until the end of July to submit their bids and prove their business continuity capability, with a final decision to be taken in November.

When a crisis hits or your business is disrupted due to any unexpected event, the media will come a-knockin’. That’s why it’s so important to have a detailed, quality business continuity plan in place and to understand the role that the media play in the public’s perception of not only the crisis itself but how your organization handles it.


Making the media your ally is important in the immediate aftermath of a crisis or business disruption. The sooner you can respond with an official statement, the better off you’ll be, but the key with media is transparency. Your organization’s reputation is fragile in these moments and the public is quick to demand an honest, transparent response.

Remember, it is the media’s job to find the truth, so make their life and your recovery easier by being honest from the very beginning.



What Business Owners Need to Know as Governments Outsource Code Enforcement

Companies across virtually every industry are experiencing a rapid increase in regulation. Naturally, regulatory agencies are having a hard time keeping up with enforcement. That being the case, some state and local governments are turning to private companies and outsourcing enforcement. Compliance is always in a company’s best interest, but when regulators are able to spread the work around, any violations may be unearthed sooner.

Truck drivers delivering in Alabama a few years ago reported an uptick in code enforcement. Not only were they getting stopped along their routes across the state, they also were getting fined for not having the proper licenses to operate there.

But the inspectors knocking on their cabs weren’t employees of the state. They were hired guns, working for a third-party administrator brought on to enforce licensing laws within Alabama, where many jurisdictions require licenses for delivery companies, trucking services and other businesses that simply drive through the jurisdiction.

Like regulators in Alabama, state and local governments across the country are outsourcing their code enforcement operations, turning to private companies to boost efficiencies and improve compliance.



The recent IT outage at British Airways has been blamed on a power supply failure at the company’s data center, causing hundreds of flights to be delayed or canceled and affecting as many as 75,000 customers.

The outage should have been mitigated by backup generators and fail-safe mechanisms, but these appear to have been interconnected with the failed power supply, causing a system-wide shutdown which could end up costing the company up to $100 million.

This incident highlights the need for businesses to maintain effective backup and disaster recovery (BDR) technologies and processes, as IT systems and data have become mission-critical assets in virtually every industry today.



Thursday, 29 June 2017 15:23

The Seven Deadly Sins of BDR

Let’s face it, cyber-crime is a very real threat globally in today’s working world. From small businesses to large corporations, the risk is real and the impact can be great. Look no further than the latest WannaCry attack that has impacted more than 230,000 victims in over 150 countries since it began. The malware locked up the files in organizations as sensitive as hospitals and has shone a blindingly bright spotlight on the vulnerability in our digital security systems.

So the question moves from “well what if?” to “how do I prevent this when?” As the probability of cyber-attack increases, how do you keep your business safe? Here are a few key things to implement.



The Business Continuity Institute

We have just published the latest version of our Cyber Resilience Report and one of the conclusions of the report was that business continuity professionals need to collaborate more with their cyber/information security colleagues. The report noted that if expertise and resources are pooled then resilience can be built in a much more coordinated way. That seems eminently sensible.

Going beyond just IT, in my own foreword within the report I mentioned that cooperation is key to building cyber and organizational resilience, and that different disciplines must come together, share intelligence and start speaking the same language if they want to build a safer future for their organizations and communities.

Is that stating the obvious? Is that something that is already happening? The BCM Futures Report we published last year along with PwC showed that 90% of business leaders believe that resilience is greater when functions such as risk management, business continuity, ITDR and security are joined up, but only 37% believe that these areas are appropriately joined up at the moment. That’s a significant gap between the two, a gap that we all need to put more effort into reducing.

When devising your business continuity programme, do you engage with the IT department on issues relating to cyber security? Do you work with facilities management on the response to your building being out of action? Do you engage with the security department on your response to a terrorist incident? Do you talk to your communications department on reputational issues? There is so much crossover in the work of a business continuity professional that we need to make sure that crossover is being addressed. Otherwise it could lead to duplication of effort, or incomplete response plans.

Our current research project on megatrends looks at this issue in further detail, asking those working in the industry whether the different departments collaborate on both preparing for potential threats and responding to those threats materialising. From experience, and from listening to people within the industry, I very much get the impression that silos still exist, management disciplines still work in isolation, and lots more needs to be done. The initial responses to the megatrends survey seem to be quite mixed so far, and perhaps this is a fair reflection of the profession.

My challenge to those people working in the industry is to make sure you are engaging with the other management disciplines on a regular basis to ensure you are all coordinated, and are working together to improve the overall resiliency of the organization. The BCM Futures Report I mentioned earlier showed that about half of business continuity professionals already see this as becoming more important in the future, but I think we need to start increasing that percentage.

As an Institute, we need to do our bit too, so my challenge to us is to engage more with other professional associations working in the resilience space, and build relationships with these organizations from across the world. Working in partnership with others will enable us to provide those in the resilience community with access to the right training, education and thought leadership.

As always, I would welcome your feedback. Are we already doing enough? Can we, or should we, be doing more? Please do share your thoughts.

David Thorp
Executive Director of the Business Continuity Institute

Another global ransomware attack, dubbed Petya, has disrupted operations at major firms across Europe and the United States.

More than 100 companies and organizations across various industries were affected, including shipping and transport firm AP Moller-Maersk, advertising firm WPP, law firm DLA Piper, Russian steel and oil firms Evraz and Rosneft, French construction materials company Saint-Gobain, food company Mondelez, drug giant Merck & Co, and Pennsylvania healthcare systems provider Heritage Valley Health System.

Today’s Insurance Information Institute Daily, via The Wall Street Journal, reports that the attack has exposed previously unknown weaknesses in computer systems widely used in the West.

The U.S. cyber insurance market grew by 35 percent from 2015 to 2016, based on recent reports.



If you want to find major emitters of global carbon dioxide, look no further than your city’s skyline. Buildings account for more than one-third of all final energy consumption and half of global electricity use. And they’re responsible for approximately one-third of global carbon emissions.

According to the International Energy Agency, energy consumption in buildings needs to be reduced by 80 % by 2050 if we want to limit the world’s temperature rise to under 2 °C. But now there’s a solution to making our building stock more energy-efficient. Here’s introducing the new ISO 52000 series of standards!

With ISO 52000-1, Energy performance of buildings – Overarching EPB assessment – Part 1: General framework and procedures, as its leading document, the ISO 52000 family will accelerate energy efficiency in the world’s building market. From heating, cooling, ventilation and smart controls, to energy-using or -producing appliances, the series will help architects, engineers and regulators assess the energy performance of new and existing buildings in a holistic way – without overheating budgets – as the temperature rises.



An email provider being used by the perpetrators of a global ransomware attack today shut off the hackers’ access to the account, blocking the main avenue by which victims could regain access to their files.

Today’s attack marked the second time in as many months that hackers have launched sophisticated, international ransomware campaigns based on EternalBlue, an exploit purportedly stolen last year from the National Security Agency and leaked to the public.

The German firm Posteo published a blog entry this afternoon announcing its security specialists had identified one of their accounts which was being used by the hackers to collect on $300 (USD) ransom demands from each victim.



The security industry has an accountability crisis. It's time to talk about it, then fix it. Whenever a massive cyber attack occurs, inevitably a chorus of voices rises to blame the victims. WannaCry on 5/12 and Petya on 6/27 yet again kicked off the familiar refrains of:

“If users didn’t click on stuff they shouldn’t….”

“If they patched they wouldn’t be down….”

“This is what happens when security isn’t a priority….”

“Now maybe someone will care about security…”

I have yet to meet a single user that clicked a malicious link intentionally – beyond security researchers and malware analysts that is. I have yet to meet anyone that delights in not patching as a badge of honor. There are great reasons not to patch, and terrible reasons not to patch. As always context and situation matter.



More than ever, your users are the weak link in your network security. Mitigating insider threats isn’t just about thwarting the malicious action of a disgruntled employee; a careless insider can also cause catastrophic damage. If you are not already doing so, you need to train employees in your policies and best practices. Employees that have been conditioned to remain vigilant – keeping security in mind during all activities – are far less likely to pose an insider threat. This method of mitigating insider threats is just one of the ways to protect your business.

First, let’s establish a simple definition of an insider threat as we discuss it in this article: an insider threat is a threat to a network or computer system that originates from a person with authorized system access. Insider threats are sometimes called insider risks or insider attacks.



The Business Continuity Institute

Despite ransomware being around for many years, with several high profile organizations suffering the consequences of such an attack, 57% of respondents to a survey carried out by Carbon Black said that WannaCry was their first exposure to how ransomware works.

Ransomware attacks have thrust cyber security onto the global stage in unprecedented fashion, with two recent attacks - WannaCry and NotPetya - rapidly spreading across the world and locking down thousands of networks. Organizations and individuals are now beginning to give greater consideration to how they would react if they were exposed to an attack, or if an organization they dealt with was exposed.

The Ransom-Aware Report noted that, while it’s never a good thing when 150 countries are simultaneously affected by a cyber attack, the increased awareness will only serve to incite positive action. Ransomware is certainly nothing new, but consumers are increasingly turning to organizations with questions about how they are protecting sensitive data. Organizations, in turn, are putting more effort into improving cyber security in order to protect their data and remain operational in the event of an attack.

For many consumers, losing trust in an organization could result in them taking their custom elsewhere. When presented with the statement: 'I would consider leaving my current financial institution / healthcare provider / retailer if my sensitive information was taken hostage by ransomware,' the study found that 72% of consumers said they would consider leaving their financial institution; 68% of consumers said they would consider leaving their healthcare provider; and 70% of consumers said they would consider leaving their retailer.

When respondents were asked if they would personally be willing to pay ransom money if their own computer and files were encrypted by ransomware, it was close to a dead heat with 52% of respondents saying they would pay and 48% saying they would not. Of the 52% who said they would pay: 12% said they would pay $500 or more, 29% said they would pay between $100 and $500, while 59% said they would pay less than $100 to get their data back.

The Business Continuity Institute's latest Cyber Resilience Report showed that two-thirds of organizations had experienced a cyber security incident during the previous year. With consumers giving a lot more attention to how organizations are responding to those incidents, it is essential that organizations have plans in place to respond effectively and prevent data being lost.

The Business Continuity Institute

On the day that the Business Continuity Institute launched its latest Cyber Resilience Report, the importance of ensuring our organizations are prepared for a cyber security incident has once again been demonstrated as a new ransomware attack is causing turmoil across the world.

The attack, dubbed NotPetya due to its similarities to a previous virus called Petya, has resulted in organizations worldwide having their data encrypted, with a demand made for the equivalent of about $300 to be paid in Bitcoin.

NotPetya uses the same exploit that allowed WannaCry to spread so rapidly, but is thought to have found additional ways to infect new systems. It is not yet known how computers originally became infected, but it does not appear to be via email.

This particular attack was first reported in Ukraine where the state power company and Kiev's main airport were both affected, but it has now spread to many other countries including the US, UK, France, Russia and India.

Business continuity can be key to minimising the impact of such an attack and can make a real difference during any kind of emergency, crisis or disruption. It is what makes an organization resilient, ready to respond and carry on, even amid difficult circumstances. Yet business continuity cannot be improvised. It requires specialised and trained staff, as well as the support of everyone within an organization.

Having specialised and trained business continuity staff with the ability and resources to develop, implement and maintain a business continuity plan will help organizations identify the risks they face and the key operational areas that need to be prioritised during a crisis.

"We need to learn from these experiences," said David Thorp, Executive Director at the BCI. "It is clear that the cyber threat is not going away any time soon, so organizations must do more to make sure they can respond to them effectively and prevent them from becoming a crisis."

The Business Continuity Institute

With phishing and social engineering maintaining their position as the top driver of cyber disruptions, there is a need for a stronger cyber resilience culture across organizations, and a focus on the human aspects of the threat.

This is one of the key findings of the Cyber Resilience Report, published today by the Business Continuity Institute, the world’s leading Institute for continuity and resilience, in collaboration with Sungard Availability Services ® (Sungard AS), a leading provider of information availability through managed IT, cloud and recovery services.

With the WannaCry ransomware attack still fresh in our minds, it is clear that the cyber threat is very real with this one attack affecting almost a quarter of a million computers across 150 countries. It is also clear that business continuity plays a key role in responding to an incident, and ensuring that the organization is able to manage through any disruption and so prevent it from becoming a crisis.

The Cyber Resilience Report found that nearly two-thirds of respondents (64%) to the global survey had experienced at least one cyber disruption during the previous 12 months, while almost 1 in 6 (15%) had experienced at least 10. Of those who had experienced a cyber disruption, over half (57%) revealed that phishing or social engineering had been one of the causes, demonstrating the need for users to be better educated about the threat and the role they can play in helping to prevent an incident occurring.

The study also found that:

  • A third of respondents (33%) suffered disruptions totalling more than €50,000, while more than 1 in 10 (13%) experienced losses in excess of €250,000.
  • 1 in 6 respondents (16%) reported a single incident resulting in losses of more than €50,000.
  • 1 in 5 respondents working for an SME (18%) reported cumulative losses of more than €50,000. These are significant losses considering 40% of SMEs involved in this study reported an annual turnover of less than €1 million.
  • Phishing and social engineering are the top cause of cyber disruption, with over half of those who experienced a disruption (57%) citing this as a cause.
  • 87% of respondents reported having business continuity arrangements in place to respond to cyber incidents, indicating that it is now widely accepted as playing a key role in helping to build cyber resilience.
  • 67% of respondents stated that their organization takes over one hour to respond to a cyber incident, while 16% stated that it can take over four hours.

The number of respondents reporting top management commitment to implementing the right solutions to the cyber threat increased to 60%, and this is likely due to a number of factors such as the intense media coverage of cyber security incidents, and the impending European Union General Data Protection Regulation, which is due to come into force in less than a year and will have an impact on any organization that holds data on EU citizens.

David Thorp, Executive Director at the BCI, commented: “Cooperation is key to building cyber and organizational resilience. Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for their organizations and communities.”

Keith Tilley, EVP and Vice Chair at Sungard Availability Services, said: “Brexit and the pending EU General Data Protection Regulation (GDPR) have thrown up even more questions about data laws and compliance, so data sovereignty is a focus. Companies need to demonstrate a holistic understanding of where their data is hosted, where it’s backed up, moved and recovered, as well as who can see it along the way. The fact that data laws are constantly subject to change, with region and country specific regulation, means a headache for large organizations. Establishing how to meet these regulations, as well as global needs will be vital, as will the ability to handle data access, residency, integrity and security.”

It’s hurricane season again, so hopefully you’ve prepared by updating your disaster recovery and business continuity plans to be ready for any disaster that might come your way.

While the character in our cartoon may have taken his boss’s request the wrong way, he had the right idea: Cover the essentials first. What’s the milk, eggs, and bread for your operation? Identify the data you need to stay up and running, and keep it safe and recoverable.

How solid and actionable will your IT disaster recovery plan be when a natural disaster hits? If you don’t have one or haven’t tested it in a while, it could mean lights out for your mission-critical data.

While we may not be able to exactly predict a hurricane’s course, you should chart your own course of action for when the unexpected happens. For a few more suggestions on how to batten down the hatches and ensure your business is disaster ready, check out this slideshow from CSO.


Feel free to share this cartoon, with a link back to this post and this attribution: “Cartoon licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Based on a work at blog.sungardas.com”


US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users' access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how to best protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).
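As an added illustration of the SMBv1 and MS17-010 checks the alert points administrators to (example code added here, not part of the US-CERT alert), the following PowerShell script reports whether SMBv1 is enabled on a Windows host, whether an MS17-010 update is installed, and can disable SMBv1. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and that the KB ids to look for are supplied by the administrator from the MS17-010 bulletin for the host's OS version.

```powershell
# Added example: audit and remediate SMBv1 exposure on a single Windows host.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
[CmdletBinding()]
param(
    # Actually disable SMBv1 (default is report-only).
    [switch]$Disable,
    # KB ids for this OS taken from the MS17-010 bulletin (placeholder: fill in for your OS version).
    [string[]]$RequiredHotfixIds = @()
)

# 1. Server-side SMBv1 state: this is the protocol the SMB exploit used by Petya/WannaCry targets.
$srv = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled: {0}" -f $srv.EnableSMB1Protocol)

# 2. Optional-feature state, which also covers the SMBv1 client driver.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host ("SMB1Protocol optional feature state: {0}" -f $feature.State)
}

# 3. Patch state: is at least one of the supplied MS17-010 updates installed?
if ($RequiredHotfixIds.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $RequiredHotfixIds -contains $_.HotFixID }
    if ($installed) {
        Write-Host ("MS17-010 update present: {0}" -f ($installed.HotFixID -join ', '))
    } else {
        Write-Warning "None of the listed MS17-010 updates is installed; the host is likely exposed."
    }
}

# 4. Remediation: turn SMBv1 off server-side and remove the optional feature (reboot required).
if ($Disable) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMBv1 disabled; reboot to complete removal."
}
```

Run it without switches to audit, then with `-Disable` once any dependency on SMBv1 (legacy NAS, old printers) has been ruled out.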

Whether your company is already operating in the European Union or has expansion plans there in the future, the upcoming GDPR rules will have a profound impact on how all organizations handle, manage and use consumer data.  Even if your website simply collects data on EU citizens, you must comply or face fines of up to €20 million or 4 percent of global annual turnover. Companies will face five common challenges on the path to compliance.

Though the GDPR implementation date is less than one year away, companies large and small are still struggling to comprehend what must be done to prepare. The General Data Protection Regulation (GDPR) seeks to improve privacy protection for consumers by changing the way businesses collect, use and transfer personal data. Companies purposely were given plenty of warning about the changing policies, but the vague language and complex structural changes mean a complete overhaul to anything remotely related to data in all companies – even for companies outside of the European Union and United Kingdom that do business with the U.K. and EU member states.

There are five main challenges companies need to address immediately in regard to data.

  1. Data Storage and Access
  2. Team Compliance and Training
  3. Data Subject Requests
  4. Data Notifications
  5. Adaptability and Scalability

GDPR does not only affect IT departments; instead, this new regulation reaches far and wide, from human resources to finance and anyone in between who touches data. Companies that address these five challenges will be more ready to face the GDPR’s implementation deadline of May 25, 2018.



You've heard it a million times: there’s a robot coming for your job. I’ve written about it before. Several times.

New evidence suggests the reality is no joke.

The New York Times kicked the week off with a poignant story on the subject: “Indian Technology Workers Worry About a Job Threat: Technology.”

It punctuates a story on the raw numbers of tech workers who are losing their work to robots, chatbots, artificial intelligence (AI) and machine learning with some human stories. The article opens with something a good many American workers will relate to: a tale of a laid-off tech worker who laments, “I have an 11-year-old child. My wife is not working. How to pay the home loans?”



Instructor and student practicing CPR on mannequin.

We observed CPR and AED Awareness Week at the beginning of June. I recently had the opportunity to sit down with Stacy Thorne, a health scientist in the Office of Smoking and Health, who is also a certified first aid, CPR and AED instructor.

Stacy Thorne, PhD, MPH, MCHES

Stacy has a history of involvement in emergency response and preparedness activities at CDC. She is part of the building evacuation team, a group of employees who make sure that staff get out of the building in case of a fire, or shelter in place during a tornado. When she learned CDC offered CPR and AED training classes to employees, she couldn’t think of a better way to continue volunteering while helping people prepare for emergencies.

Stacy became a CPR/AED instructor in 2012. She felt these were important skills to have and wanted to stay up-to-date with the latest guidelines. She said, “You have to get recertified every two years, so if I was going to have to take the class anyway why not teach and make sure other people have the skills to save a life.”

Practice makes perfect

Stacy teaches participants first aid, CPR, and AED skills and gives them an opportunity to practice those skills and make sure they are doing them correctly. The class covers first aid for a wide variety of emergency situations, including stroke, heart attack, diabetes and heat exhaustion. Participants learn how to:

  • Administer CPR, including the number of chest compressions and the number and timing of rescue breaths
  • Use an Automated External Defibrillator, more commonly referred to as an AED, which can restore a regular heart rhythm during sudden cardiac arrest
  • Splint a broken bone, administer an epinephrine pen for allergic reactions, and bandage cuts and wounds

In order to receive their certification, all participants must complete a skills test where they demonstrate that they can complete these life-saving skills in a series of scenarios.

Lifesaving skills in action

Cardiopulmonary resuscitation, commonly known as CPR, can save a life when someone’s breathing or heartbeat has stopped. CPR can keep blood flowing to deliver oxygen to the brain and other vital organs until help arrives and a normal heart rhythm can be restored.

Stacy shared, “The most rewarding part of teaching is meeting the different people who come to take these classes and hearing the stories of how they have used their skills.” One of her students recalled how she used her CPR skills to save someone while she was out shopping. Her instincts kicked in and when she was able to get the person breathing again the people watching applauded.

Another student reflected, “While I hope I never am in a situation where I need to perform CPR, the notion that I am now equipped with these life-saving skills is reassuring and helps me feel prepared if I should find myself in that scenario.” Stories like these show how important it is for everyone to be trained in first aid, CPR, and how to use an AED. You can spend six hours in training, and walk out with a certification that can save someone’s life.

Always on alert

As the mother of a 6-year-old daughter, Stacy is constantly on alert for situations where she might need to use her skills. The closest she has come to using them was when her daughter was eating goldfish crackers while lying down and started gagging; she was at the ready to perform the Heimlich maneuver. Her role as an instructor made Stacy feel confident that she could use her first aid, CPR, and AED skills in an emergency.


Posted on by Suzie Heitfeld, Health Communications Specialist, Office of Public Health Preparedness and Response


Tuesday, 27 June 2017 14:36

CDC: Teaching skills that save lives

WannaCry has hit again. This recent attack involved a Honda plant in Japan, shutting down production. As Nick Bilogorskiy, senior director of Threat Operations with Cyphort, told me in an email comment:

Automakers are especially vulnerable to network worms like WannaCry because they often use computers with older versions of Windows and those are vulnerable to security flaws. Unlike other businesses such as banks, automakers do not upgrade their factory floor hardware or software aggressively and may get behind in installing patches.

He went on to explain how devastating these attacks can be to an industrial site. Once a machine is infected, you have to decrypt files, power down all the machines so nothing else gets infected, and then re-image or re-install all infected machines, as that is the only safe method to avoid any back doors that have been dropped by WannaCry. Finally, you need to locate the necessary backups and restore data from them, reset all your systems to their pre-WannaCry state, and test that your applications are working as intended.



(TNS) - Fire Chief Steve Achilles acknowledged many city residents might not know Portsmouth's (N.H.) hazard mitigation plan exists.

"It's the kind of thing that they might never see, but people can take comfort knowing that we're thinking about these things," Achilles said this week.

City officials recently released the 2017 draft update of the plan, which was put together by several city officials, including Achilles, Deputy City Manager Nancy Colbert Puff and other fire, planning and Public Works staff.

"It's a document that the city has had for as long as I've been with the Fire Department and it gets updated every five years," Achilles said. "It's looking at how to reduce and mitigate hazards ahead of time to minimize the impact of natural disasters."

One key part of the plan is to identify what natural hazards Portsmouth could face, he said.



Cyber security software vendor Symantec today emerged as the only known western technology company to publicly refuse Russian government access to source code for its security products.

IBM, Cisco, Germany's SAP, Hewlett Packard Enterprise and McAfee are among the firms that allowed Russia to conduct source code reviews of products, including firewalls, anti-virus applications and other encrypted software, according to a new investigative report from Reuters.

The reviews – intended to protect Russia against cyber espionage – are conducted by the country’s Federal Service for Technical and Export Control (FSTEC), and the Federal Security Service (FSB), successor to the KGB and the agency blamed for attacking the 2016 U.S. Presidential election.



The enterprise has made great strides in curbing its appetite for energy over the past decade, but will this ultimately be a losing battle as demand for data continues to rise?

According to a recent report from the Lawrence Berkeley National Laboratory, the number of data centers coming online has seen a dramatic uptick in the past few years as organizations struggle to meet the always-on demands of an increasingly connected population. But the good news is that due to virtualization, low-power/high-density architectures and other developments, actual energy consumption has been flat. This is in stark contrast to the first decade of the new century, which saw energy demand jumping as high as 90 percent per year.

Still, leaders in the data center industry are concerned that the big gains in energy efficiency are over, while the relentless demand for data, fueled in part by rapidly falling costs that are themselves the result of more efficient infrastructure, will put the industry on the fast track to dramatically higher consumption in relatively short order. At a meeting sponsored by DCD Energy this week, Donald Paul, of the University of Southern California’s Energy Institute, noted that once data centers approach a PUE of 1.0, there are no more gains to be had, since you cannot achieve more than 100 percent efficiency. And programs that encourage enterprises to reduce demands on the local grid also encourage the use of mostly diesel-powered backup systems.



Many business continuity professionals can attest to the tension that often occurs between the business and IT when it comes to recovery capabilities. For example, Company X recently implemented a business continuity program, including determining recovery time objectives (RTOs) for key business processes. Like all well-established business continuity programs, the business impact analysis (BIA) considered the loss of technology and helped the company develop recommended recovery time (and recovery point) objectives for technology resources. The business documented and presented these RTOs to management following the initial BIA, but never followed up with IT to ensure that the capabilities could be met.

Meanwhile, IT leveraged its own application/system list and related recovery information to prioritize applications for recovery and drive the implementation of a disaster recovery solution that was cost-effective and aligned with IT’s own conclusions about business requirements for recovery (created from data outside the BIA). Both the business and IT feel confident in their work; yet neither has communicated with the other. Given that the groups have not undergone a joint exercise (or actual disruption), neither group is aware of the underlying gap: recovery priorities and strategies are misaligned between the business and IT.



The Business Continuity Institute

Building resilience by improving cyber security, published by the Business Continuity Institute during Business Continuity Awareness Week, revealed that users are often choosing weak passwords and so leaving their IT networks vulnerable, and this vulnerability has now been realised at the UK Houses of Parliament. Over the weekend, Parliament experienced what was described as a sustained and determined cyber attack that forced remote access to be restricted for Members of both Houses, as well as their aides.

A senior spokesperson for Parliament commented: "We have discovered unauthorised attempts to access accounts of parliamentary networks users and are investigating this ongoing incident, working closely with the National Cyber Security Centre. Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network."

It was reported that the attack, which began last Friday, was specifically trying to identify weak passwords and gain access to users' email accounts. Ultimately this was successful with less than 1% of accounts, but this still amounts to about 90 people, and potentially results in sensitive data being exposed.

International Trade Secretary Liam Fox said: "We have seen reports in the last few days of even cabinet ministers' passwords being for sale online. We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails. And it's a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber security."

While the restriction of remote access seems to have abruptly and effectively ended the attack, it left many Parliamentarians and their staff without access to their emails over the weekend, a time when many of them attempt to catch up with constituency work.

The report published by the BCI highlighted several ways in which users can take responsibility for helping to improve cyber security, and this included the use of strong passwords that cannot easily be hacked or guessed. By doing so it means that everyone can play their part in building a resilient organization.

Jargon crops up everywhere, and business continuity is no exception. RTO, RPO, BIA, and others are often sprinkled liberally into conversations, plans, and reports.

Sometimes expanding the abbreviation makes things clearer to the uninitiated: for example, the terms “recovery time objective” (RTO) for an IT system and “business impact analysis” for BC planning give some hint of what lies behind them.

But what about “recovery point objective” (RPO), also one of the commonest terms used in defining a suitable disaster recovery/business continuity plan? Would we be better off if we banned the use of such jargon?

Banning probably wouldn’t work. For one thing, it would be the curtailing of free speech, and for another, like weeds, jargon would spring up again anyway. We need a better way of managing business continuity jargon, recognizing that it also has its uses.



We all want to know something others don’t know. People have long sought “local knowledge,” “the inside scoop” or “a heads up” – the restaurant not in the guidebook, the real version of the story, or some advanced warning. What they really want is an advantage over common knowledge – and the unique information source that delivers it. They’re looking for alternative data – or “alt-data.”

From the information age where everyone took advantage of easy access to information, we are now entering an age where everyone seeks alternatives: new sources of information and innovative ways of deriving unique insights. This is the “Age of Alt.”

We know that business leaders want to better leverage data and analytics in their decision-making. But more importantly, most decision-makers want to supplement their own data with external data; 81% tell us they want to expand their ability to source new external data. Demand for data is exploding.



Many technologies are billed as hot, exciting and revolutionary. But which ones are really deserving of that moniker? Which ones are destined to change — or are changing — the storage universe?

Enterprise Storage Forum asked the experts.



Friday, 23 June 2017 15:35

5 Hot Storage Technologies to Watch

What comes to mind when you hear the word “compliance”? Do you shiver, sigh, break out into hives, or all three? Believe it or not, your compliance colleagues are crucial to your social marketing success. This is especially true for marketers in regulated spaces such as financial services, healthcare, and pharmaceuticals. I can share from personal experience that my social marketing success at American Express was in part due to the relationships I fostered with compliance, legal, and even outside legal counsel — in fact, I’m still in touch with those former colleagues. Given the importance of breaking down the marketing compliance silo, I partnered with my colleague Nick Hayes on a new report, . And though the intention of this report is to help marketers in regulated industries, Nick and I both agree that all marketers can benefit from it.



We all make mistakes, and CCOs are no exception. While CCOs are a creative and dedicated bunch, they are often susceptible to these five common mistakes. Probably unsurprisingly, the cure for these ills is more due diligence and more relationship building.

Chief Compliance Officers are fallible – I know that is not a controversial statement. To err is human, and CCOs are members of the human species.

With the enormous expectations placed on CCOs’ shoulders, they are bound to make some mistakes. I have seen CCOs who have run into difficulties, and occasionally they have contributed to the problem through their own behaviors.

I thought I would identify some of the common mistakes I have seen. It is hard to generalize, but I have observed some common themes.


