Industry Hot News

Some folks see trees when they look up at clouds. For others, clouds may take the form of a rabbit. But when IT professionals stare at clouds, they can’t help but picture a hosted private cloud with micro-segmentation. And for good reason.

What IT professionals see when they look at clouds

An increasing number of organizations are moving to the cloud for its obvious benefits. But along with this transition comes a greater need for more advanced cloud security measures. Micro-segmentation is one of these measures.

Unlike traditional security defense strategies like firewalls and edge devices that protect the flow of north-south data by focusing on the perimeter, micro-segmentation focuses on the inside, isolating individual workloads to protect traffic that’s traveling east-west within a data center. So even if a bad actor manages to get past your perimeter security measures, micro-segmentation will prevent the attack from spreading.

Failing to adapt security to meet the growing needs of increasingly complex IT environments can be catastrophic.

With cloud security top of mind for IT professionals, it’s no wonder they’re seeing it everywhere they look.

Recently, the Department for Digital, Culture, Media & Sport in the United Kingdom released the Cyber Security Breaches Survey 2019.

The survey discusses statistics for cyberattacks, exposure to cyber risks, the awareness and attitudes of companies around cyber risk, and approaches to cybersecurity. Here are the four takeaways from the survey (all statistics included in this briefing are part of the survey).

Charlie Maclean Bristol discusses whether you should consider likelihood when conducting a risk assessment as part of the business continuity process. Do you need to know how likely it is that a threat will become an actuality; or is knowledge of the impact of the threat enough?

Business continuity has always had a slightly uneasy relationship with risk management. In the 2010 and 2013 BCI Good Practice Guidelines (GPGs) we looked at threat assessments, whereas in the more recent 2018 GPG, we cover a threat and risk assessment. This issue of conducting a threat assessment instead of a risk assessment was driven by a certain character in business continuity circles who was very anti-risk assessment, and hence pushed the idea of threat assessment in the two earlier GPGs.

Nowadays, risk assessment is coming of age and it seems to be everywhere. You need a risk assessment for climbing up a ladder and you also need one for running a massive multinational organization.

This article was inspired by a talk given by Tony Thornton, ARM Manager for ADNOC Refining, which I heard at The BCI UAE Forum in February. During his talk on risk assessment, he focused on there being no point in looking at likelihood when you are doing a business continuity risk assessment. He said that having a 3x3 or even a 5x5 scale was meaningless in terms of likelihood. The point he was making was that if there was a possibility it could happen, then that was good enough: and how likely it was to happen didn’t really matter. He was more enamoured with impact, which he said was worth looking at, as well as differentiating between high, medium and low impacts.

‘Sea Turtle’ group has compromised at least 40 national security organizations in 13 countries so far, Cisco Talos says

A sophisticated state-sponsored hacking group is intercepting and redirecting Web and email traffic of targeted organizations in over a dozen countries in a brazen DNS hijacking campaign that has heightened fears over vulnerabilities in the Internet’s core infrastructure.

Since 2017, the threat group has compromised at least 40 organizations in 13 countries concentrated in the Middle East and North Africa, researchers from Cisco Talos said Wednesday.

In each case, the attackers gained access to, and changed, the DNS (Domain Name System) records of the victim organizations so that their Internet traffic was routed through attacker-controlled servers. From there, it was inspected and manipulated before being sent on to the legitimate destination.

Steve Blow explains that while businesses must remain consistently focussed on digital transformation in order to not fall to the back of the pack, digital transformation efforts could be futile if businesses don’t address and improve their IT resilience.

The market as we know it has been changing dramatically over the last decade, with each digital development outpacing the other at every turn in the track. Companies that are too stuck in their ways are being overtaken by contemporary companies, unencumbered by legacy and real estate, which are in line with the latest developments in IT.

This said, almost every single business must remain consistently focussed on digital transformation in order to keep up with developments; taking on new digital initiatives to drive efficiencies, create new experiences, and ultimately, beat the competition. According to recent research (1), 90 percent of businesses see data protection as important or critical for digital transformation projects. However, the same research revealed that the proper technological provisions are not yet in place, in order for these same businesses, striving to achieve digital transformation, to deliver on demands of data protection assurance.

It has become increasingly clear that having the right foundations early on in any digital journey is a critical factor in the success of transformation initiatives. So, building data protection within a robustly resilient IT infrastructure will be of paramount importance for businesses. Not only will this be critical for businesses to succeed day-to-day, but also to ensure complete transformation, modernization and cohesion. From my experience, there are three recommendations that could be key to help businesses achieve this:

I occasionally find people mapping their SOC capabilities to the ATT&CK framework by checking off specific techniques that they have shown they are able to detect with the intent of measuring coverage within their SOC. In this blog post, I hope to clarify why this strategy may be misleading.

There Are No Bad Actions, Only Bad Behavior

It’s almost impossible to have a high-confidence indictment of a process based on a single behavior. Hypothetically, if there were such a thing as a purely malicious operation, the system would not have been designed with this capability, or it would have been patched out. While there are certainly exceptions (things you would absolutely want to know if they happen in your infrastructure), it’s important to understand ATT&CK techniques as the building blocks of a cyberattack and that they are not malicious in and of themselves.

Executive coach and strategic advisor Amii Barnard-Bahn provides guidance on how executives can prepare for a board appointment: Start by following the 10 steps outlined here.

A lifelong diversity advocate, I testified in multiple legislative committees on the successful passage of California’s SB826, the first law in the U.S. requiring corporate boards to include women. This legislation was designed to create more access for diverse and qualified candidates for public boards. “More access” is important because the role of the board has become critical to the long-term health of a company and the protection of its shareholders and employees. Creating a larger pool of seasoned professionals to guide and govern our corporate institutions is paramount in a time of Tesla, Papa John’s, Theranos and CBS debacles.

A board search can take many years, so it’s never too early to evaluate and cultivate the skills and network you need to establish yourself as a viable candidate.

Wall Street loves a digital business. These technology-driven innovators, which put customer acquisition, retention, and experience at the center, have a different way of looking at the world. They are rewarded with growth and investment.

And it’s not just digital natives. Digitally advanced incumbents, firms such as Accenture, Capital One, Microsoft, and Philips, also see the world through a technology opportunity lens. They are also rewarded.

What do digitally advanced companies look like? How are they different from companies just starting their digital transformation? To find out, we analyzed the digital maturity of 793 enterprises in North America and Europe. We found digitally advanced firms in every industry, from retail and consumer products to manufacturing and financial services.

Archived data great for training and planning

By GLEN DENNY, Baron Services, Inc.

Historical weather conditions can be used for a variety of purposes, including simulation exercises for staff training; proactive emergency weather planning; and proving (or disproving) hazardous conditions for insurance claims. Baron Historical Weather Data, an optional collection of archived weather data for Baron Threat Net, lets users extract and view weather data from up to 8 years of archived radar, hail and tornado detection, and flooding data. Depending upon the user’s needs, the weather data can be configured with access to a window of either 30 days or 365 days of historical access. Other available options for historical data have disadvantages, including difficulty in collecting the data, inability to display data or point query a static image, and issues with using the data to make a meteorological analysis.

Using data for simulation exercises for staff training

Historical weather data is a great tool to use for conducting realistic severe weather simulations during drills and training exercises. For example, using historical lightning information may assist in training school personnel on what conditions look like when it is time to enact their lightning safety plan.

Reenactments of severe weather and lightning events are beneficial for school staff to understand how and when actions should have been taken and what to do the next time a similar weather event happens. It takes time to move people to safety at sporting events and stadiums. Examining historical events helps decision makers formulate better plans for safer execution in live weather events.

Post-event analysis for training and better decision making is key to keeping people safe. A stadium filled with fans for a major sporting event with severe weather and lightning can be extremely deadly. Running a post-event exercise with school staff can be extremely beneficial to building plans that keep everyone safe for future events.

Historical data key to proactive emergency planning

School personnel can use historical data as part of advance proactive planning that would allow personnel to take precautionary measures. For example, if an event in the past year caused an issue, like flooding of an athletic field or facility, officials can look back to that day in the archive at the Baron Threat Net total accumulation product, and then compare that forecast precipitation accumulation from the Baron weather model to see if the upcoming weather is of comparable scale to the event that caused the issue. Similarly, users could look at historical road condition data and compare it to the road conditions forecast.

The data can also be used for making the difficult call to cancel school. The forecast road weather lets officials look at problem areas 24 hours before the weather happens. The historical road weather helps school and transportation officials examine problem areas after the event and make contingency plans based on forecast and actual conditions.

Insurance claims process improved with use of historical data

Should a weather-related accident occur, viewing the historical conditions can be useful in supporting accurate claim validation for insurance and funding purposes. In addition, if an insurance claim needs to be made for damage to school property, school personnel can use the lightning, hail path, damaging wind path, or critical weather indicators to see precisely where and when the damage was likely to have occurred.

Similarly, if a claim is made against a school system due to a person falling on an icy sidewalk on school property, temperature from the Baron current conditions product and road condition data may be of assistance in verifying the claim.

Underneath the hood

The optional Baron Historical Weather Data addition to the standard Baron Threat Net subscription includes a wide variety of data products, including high-resolution radar, standard radar, infrared satellite, damaging wind, road conditions, and hail path, as well as 24-hour rainfall accumulation, current weather, and current threats.

Offering up to 8 years of data, users can select a specific product and review up to 72 hours of data at one time, or review a specific time for a specific date. Information is available for any given area in the U.S., and historical products can be layered, for example, hail swath and radar data. Packages are available in 7-day, 30-day, or 1-year increments.

Other available options for historical weather data are lacking

There are several ways school and campus safety officials can gain access to historical data, but many have disadvantages, including difficulty in collecting the data, inability to display the data, and the inability to point query a static image. Also, officials may not have the knowledge needed to use the data for making a meteorological analysis. In some cases, including road conditions, there is no available archived data source.

For instance, radar data may be obtained from the National Centers for Environmental Information (NCEI), but the process is not straightforward, making it time consuming. Users may have radar data, but lack the knowledge base to be able to interpret it. By contrast, with Baron Threat Net Historical Data, radar imagery can be displayed, with critical weather indicators overlaid, taking the guesswork out of the equation.

There is no straightforward path to obtaining historical weather conditions for specific school districts. The local office of the National Weather Service may be of some help but their sources are limited. By contrast, Baron historical data brings together many sources of weather and lightning data for post-event analysis and validation. Baron Threat Net is the only online tool in the public safety space with a collection of live observations, forecast tools, and historical data access.

Flooding in large swaths of the Midwest has already claimed the lives of at least three people and has caused $3 billion in damages.

A combination of melting snow and rainstorms led to breaches in levees along the Missouri River and other bodies of water.

According to FEMA flood map data, 40 million people in the continental U.S. are at risk for a 100-year flood event; that’s three times more than previously estimated. Additionally, the amount of property in harm’s way is twice the current estimate.

With communities underwater and many more at risk, officials are asking themselves how response plans can be improved.

(TNS) — As the waves of runners left Hopkinton to run the 2019 Boston Marathon, a roomful of public safety officials watched their computers, monitored video screens and radios, and talked to one another as a rolling list of incidents appeared on a screen on a wall.

A runner fell and fractured an arm. A drone was detected. An unattended package was found and cleared.

On marathon day, as 30,000 runners and countless spectators take to the streets, the Massachusetts Emergency Management Agency runs a “unified coordination center” in MEMA’s underground bunker in Framingham.

The goal, said MEMA spokesman Christopher Besse, is to bring together local, state and federal public safety officials in one place so they can coordinate their responses to whatever the day brings — from weather to terrorism.

Don Boxley looks at some important questions that need to be asked to ensure that business continuity and data security are considered during digital transformation projects.

Whole industries are transforming with the help of IT and workforce digitization and as competition heats up across virtually every industry, the pressure to digitally transform escalates concurrently.

Whether you are in IT or are a business professional who is responsible for digitization, business continuity and/or security strategies, you need to be able to think on your feet about your new priorities in a world of ongoing change.

While there are numerous variables that organizations must consider as they move towards digital transformation, perhaps the most essential considerations are business continuity and data security. With more business than ever being conducted in the cloud and more third-party partners needing digital access to that data, failing to keep business continuity and data security at the top of your business’s priority list could instantly become a fatal mistake – after all, the two are often inextricably linked.

In today’s cloud environments, one of the most important data security challenges relates to strategic partner data access and sharing. Your organization’s security safeguards are only as strong as the weakest link in your vendor and partner ecosystem. In other words, you may be inadvertently putting sensitive company data at risk every time you conduct digital business with a vendor that is granted access to your system.

(TNS) — As approximately 1,700 households and businesses remained without electricity in Mower and Freeborn counties Saturday morning, Minnesota Gov. Tim Walz said many in the state are likely unaware of the devastation caused by this week’s storm.

“If you have power at your house, the snow is going to be melted probably by tomorrow or whatever, so it appears like nothing really happened, but this was pretty catastrophic,” he said, noting power outages had wide-ranging impacts from personal medical needs to large-scale farming operations.

Walz was in Austin Saturday morning to meet with Minnesota National Guard members and sheriffs from Mower and Freeborn counties, as well as those tasked with returning power to the businesses and homes throughout the area.

The answer can lead to a scalable enterprise security solution for years to come

In early December 2018, several major corporate breaches were made public. As the news was shared and discussed around my company, one of my colleagues jokingly asked, “I wonder if I can gift some of this free credit monitoring to my future grandchildren.” It was a telling comment.

Today, every organization – regardless of industry, size, or level of sophistication – faces one common challenge: security. Breaches grab headlines, and their effects extend well beyond the initial disclosure and clean-up. A breach can do lasting reputational harm to a business, and with the enactment of regulations such as GDPR, can have significant financial consequences.

But as many organizations have learned, there is no silver bullet – no firewall that will stop threats. They are pervasive, they can just as easily come from the inside as they can from outside, and unlike your security team, who must cover every nook and cranny of the attack surface, a malicious actor only has to find one vulnerability to exploit.

(TNS) – A repeat of the most powerful earthquake in San Francisco’s history would knock out phone communications, leave swaths of the city in the dark, cut off water to neighborhoods and kill up to 7,800 people, according to state and federal projections.

If a quake like that were to strike along the San Andreas Fault today, building damage would eclipse $98 billion and tens of thousands of residents would become homeless.

Thursday marks the anniversary of the 1906 quake, a 7.9-magnitude event that turned San Francisco streets into waves, flattening much of the skyline and igniting fires that raged for almost four days. The quake ruptured 296 miles of fault line — from Cape Mendocino to San Juan Bautista.

Since 1906, the fault has remained locked from Point Arena through the Peninsula. The 1989 Loma Prieta earthquake hit 50 miles south of San Francisco, on a remote segment of the San Andreas Fault, and ruptured only 25 miles.

With regulations domestically and abroad changing constantly, the risk of noncompliance is ever present. Fenergo’s Rachel Woolley discusses how this will impact functions beyond compliance.

Regulatory activity has been ramping up recently, and it doesn’t look to be slowing down in 2019. In an era of hyper-regulatory scrutiny, financial institutions find themselves in a constant battle between impending regulatory deadlines and the risk of noncompliance. Add to this the complexity of cross-jurisdictional regulations that vary across different countries even within the same region. The Asia-Pacific region is a prime example; with over 40 regulators in the same region, each with slightly varied rules and requirements, adhering to cross-border regulatory requirements is extremely challenging.

But it’s not just the compliance teams who are affected. As the challenge of regulatory change management increases, divisions and activities beyond the compliance function may potentially be impacted, including data management, operations, client-facing teams, client experience and time-to-revenue. The process needs to be managed and measured methodically in order to manage wide-ranging regulatory change in line with available budgets and resources.

In a previous article, we discussed how personal insurance policies address communicable diseases and epidemics. In this article, we’ll look at how commercial insurance policies handle these issues.

Between 1918 and 1919 the so-called Spanish influenza pandemic* killed at least 50 million people worldwide and infected about 500 million people – or about 1/3 of the entire world’s population at the time.

While the Spanish flu’s destructiveness has been an outlier over the last several decades, epidemics and pandemics on a smaller scale do still happen (avian flu, swine flu, Ebola, etc.).

How could disease outbreaks impact commercial property and general liability insurance?

Consider the following: Baseball is the only team sport where the defense has control of the ball. The side currently in offense does not handle the ball as they would in any other sport. A player does not score in baseball by bringing the ball to the finish line or passing it through a goal, but by trying to beat the ball to a goal. This sets it apart from games like basketball, soccer, football, and many others, and adds an interesting complexity. For me, the internal mechanics of baseball are the most interesting, similar to the work that a business does to set up a Business Continuity Plan.

Situational awareness in the game relies on a player reading signs and signals from other players, both on their own team and on the opposing team. A player might need to decipher the intent of the opposing player on 2nd base, and then relay back to the batter what the next pitch may be. A player might also need to relay signs on what the next pitch is from the middle infielders to the outfielders, so that they know where to position themselves or in what direction to take their first step.

My passion for baseball comes from a love of the strategy involved. The same type of strategy that makes a chess game so intriguing to watch also makes baseball continually exciting. You should know your opponent, their tendencies, strengths, and weaknesses, and then capitalize on that knowledge with the proper timing, all while continually learning from mistakes and honing your strategies for the next opponent.

Friday, 12 April 2019 15:13

Playing Hardball

The last couple weeks have been an exciting time for the customer data platform (CDP) category. At long last, major marketing technology vendors formally declared their intentions to get serious about managing and activating data for marketing. For the CDP community, the entry of marketing clouds is a big deal, carrying equal parts excitement over the implied market validation and concern (nay, fear?) as competition intensifies.

The concept of CDPs originated about three years ago in response to the very real challenges of collecting and leveraging data for marketing. Since then, a broad range of vendors offering an equally broad variety of solutions claimed the label and have been marketing themselves as such. At their core, CDPs promise to unify corporate and customer data and make it accessible to marketers for analytics and campaigns. But Forrester believes that standalone CDPs aren’t equipped to solve this problem for enterprise B2C marketers. For these reasons, Forrester welcomes continued progress from CDPs as well as new solutions entering the market. The question about CDPs was never whether there’s a business problem to address but rather who would ultimately solve it.

It was nearly inevitable that large martech vendors would join the fray. Forrester made the call in 2018 that marketing clouds would enter this market and have solutions in place by the end of 2019. In our October 2018 report, we stated that: “Ultimately, CDPs’ greatest competitive threat is the marketing clouds, such as Adobe, Oracle, and Salesforce, that are already ingrained in most enterprise martech stacks and are investing in capabilities far more sophisticated than CDPs’.”

As consumers increasingly rely on cashless spending, the PCI SSC has identified a process to secure cardholder data. Acceptto CEO Shahrokh Shahidzadeh discusses why it’s time to replace password-based credentials.

According to a recent study by the PEW Research Center, consumers in the U.S. are relying less on physical currency. The report found that “roughly three in 10 U.S. adults (29 percent) say they make no purchases using cash during a typical week.” In addition, a generational trend shows that “Americans under the age of 50 are more likely than those ages 50 and older to say they don’t really worry much about having cash on hand.”

As American consumers increasingly rely on cashless spending, it is no wonder that the Payment Card Industry Data Security Standard (PCI DSS) arose to develop a set of requirements applying to companies of any size that accept credit card payments.

The Federation of European Risk Management Associations (FERMA) has expressed concern about the ISO/IEC 27102 ‘Information Security Management Guidelines For Cyber Insurance’ standard, which is currently under development.

FERMA says that the proposed standard is “Premature and inappropriate in its current form given the fast pace of technological development” and also states that “No other insurance product is the subject of an ISO standard”.

FERMA members, the UK risk management association Airmic, French association AMRAE and Belgian association BELRIM, and insurance industry representatives have also expressed concerns about the project.

FERMA has urged other member associations to help ensure their national standardization body is aware of the concerns of the whole insurance market.

Donna Boehme, the “Lion of Compliance”, shares that true compliance SME is the first and most foundational element of a strong compliance program. An experienced CCO with true compliance SME earned in the field and in the profession understands on many levels the multidisciplinary nature of the work, the optimal way to educate and facilitate collaboration, and what can realistically be achieved through each phase or cycle of a strong, effective compliance program that supports and is driven by a culture of ethical leadership.

In 2016, two researchers from the University of Michigan’s Stephen M. Ross School of Business published a report on their study “Why Don’t General Counsels Stop Corporate Crime?” The simple answer: “Because it’s not their job!”

This is precisely why true compliance subject matter expertise, earned in the field and with the profession successfully designing and managing compliance programs (“Compliance SME”), is the first and foundational element of the modern Compliance 2.0 model. The modern 2.0 model recognizes compliance as an independent profession, distinct from Legal, with the subject matter expertise (SME) needed by senior management to lead and advise its approach to the modern and existential issues of compliance, ethics, culture and reputation.

The modern Compliance 2.0 model takes the place of the failed Compliance 1.0 model that was based on a naïve and misinformed assumption by boards and CEOs that compliance should be structured as a captive subset of legal and thus driven solely by the legal mandate and mindset. That flawed model failed to accommodate the stark realities that compliance and ethics was emerging as a completely separate profession and SME from legal, with very different mandates, core competencies, practices and skill sets. At the same time, advocates for the in-house bar were sensing an opportunity to respond to the chaotic legal services market and claim the new role of Chief Compliance Officer for the legal field. Yet, in their zeal to claim the CCO role as nothing more than a “legal lieutenant” and a “process integrator,” these voices resulted in driving compliance into a flawed model destined to fail because it lacked true compliance SME and positioning to drive its distinct independent mandate.

Friday, 12 April 2019 15:05

What is Compliance SME?

Although a crisis communications manual might look to be a complex contraption to the untrained eye, what the manual needs to accomplish can simply be condensed to two important things: putting the processes in place for the communication with stakeholders during a crisis and organizing the internal processes that allow the first thing to happen smoothly.

The manual, just to give an example, will both make sure that the journalists receive the information they need to be able to report on the crisis, and that the person who communicates with the journalist has the right resources in place to provide them with timely and accurate information.

Over the years, I have audited a great many manuals and what I found is that very often the same mistakes are made. Here is a look at what will go wrong.

Recent events in the news as well as trends in my own work have reminded me of how important it is for business continuity professionals to help protect their organizations against the impact of cyberattacks. In today’s post, I’ll list some ways BC teams can help their companies fend off this rising threat.

The news this week contained stories reporting a serious recent malware attack against the City of Albany, New York. Attacks of this kind, known as ransomware, are a form of computer extortion in which the attackers encrypt an organization’s data and refuse to provide the decryption key unless a ransom is paid.

One of the most concerning aspects of the story was that hackers reportedly obtained the personal banking data of some city employees and used it to raid those employees’ bank accounts.

This reminded me of how important it is for BC professionals to help their organizations fend off and recover from cyberattacks.

It’s a scenario no business wants to think about: an active shooter or violent offender on the premises. From 2000 to 2017, there were 250 active shooter incidents in the United States. These horrific acts of violence took place across industries and geographic locations. According to the Bureau of Labor Statistics, 2016 alone saw 500 workplace homicides in the U.S.

We now face an unfortunate reality: no company is exempt from the potential threat of an act of violence occurring at their organization. As a result, businesses must be proactive in order to protect their people, minimize injury and loss of life, and safeguard their establishment.

Preparation, effectively communicating with staff, and maintaining protocol are critical measures every business should take when dealing with workplace violence. There’s no such thing as “too safe” when it comes to protecting human life.

An organization’s weakest link is most often human, not technological. Moss Adams’ Francis Tam explains why, when it comes to cybersecurity, anomalies like daily logins, users and infrastructure changes should be an organization’s main concerns.

In today’s technology-driven world, information can be a company’s most valuable – yet vulnerable – asset. Data breaches continue to become more frequent and costly in recent years, with many high-profile cases like the Equifax breach in 2017 making headlines. It’s crucial, then, for companies to properly utilize data monitoring and cybersecurity audits to avoid breaches or having information stolen.

Breaches can cost companies an average of $3.9 million and an alarming 54 percent of companies will experience a cyberattack at some point. Full IT assessments can be time-consuming and costly, so companies often skip this crucial process or don’t make it a priority, leaving them vulnerable. Implementing data monitoring for your company’s cybersecurity can help prevent major breaches.

(TNS) — The National Park Service has awarded the territory a little over $10 million to assist in the restoration of hurricane-damaged historic sites.

The supplemental funding was granted to the Virgin Islands State Historic Preservation Office from the Historic Preservation Fund, which will allow for the repair of hurricane-damaged National Register-listed or eligible sites throughout the territory, according to a news release from the V.I. Department of Planning and Natural Resources.

The announcement comes 18 months after hurricanes Irma and Maria tore through the territory, causing serious damage to a number of historic sites and monuments.

All of the Virgin Islands’ historic resources were included on the 31st annual list of “America’s 11 Most Endangered Historic Places,” compiled by the National Trust for Historic Preservation in 2018.

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it’s actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don’t have that luxury.

Thursday, 11 April 2019 15:00

Merging Companies, Merging Clouds

(TNS) – It’s tornado season in Oklahoma; that time every year when my neighbor shuffles the beloved baby portraits of her kids from the mantle to the storm shelter.

For businesses, the seasonal fear, of course, is that they’ll lose their most precious asset: data.

Oklahoma City-based Midcon Recovery Solutions has a precaution for that: two unmarked, double steel-reinforced, windowless concrete buildings in Oklahoma City and one in Broken Arrow in which the company hosts the data of hundreds of organizations — from energy and telecommunications companies to insurance agencies and banks. For $100 a month to several thousands of dollars, companies rent rack spaces of 1 ¾ inches to 200 square feet.

In my tech market forecasts, I am starting to see the intersection of two worrisome trends:

  • software subscription fees for multi-tenant SaaS or for single-instance hosted software are rising rapidly, with a growing percentage related to existing software as opposed to new, and with a high percentage having fixed annual fees or fees tied to metrics with little relationship with company revenues;
  • a small but rising risk of recessions, which could reduce company revenues by 5% or more.

The combination of these two factors could place CIOs in a bind where a significant portion of their tech budget is rising inexorably but the potential for their CEOs to ask them to cut tech budgets is also rising.  To see whether CIOs will face this situation, I would recommend that they ask and answer the following questions:

Gartner surveyed over 300 Chief Audit Executives (CAEs) in 2018 on their resource and time investments, priorities and challenges in 2019. Gartner VP Malcolm Murray examines the report’s key findings on the impact to the audit function.

Today’s audit leaders are grappling with a double-edged sword, according to our latest “state of the audit function” research survey at Gartner. Technology-driven change has the potential to drastically improve the efficiency of routine audit tasks, improve the quality and actionability of the insights audits provide to the business and deepen ownership of risk management in the business. At the same time, however, this shift is creating new risks and business models faster than audit and other assurance functions can keep up with.


Harnessing data analytics and robotic process automation technology to support audit’s workflow is critical, but it needs new skills. These skills, however, require financial investment. Yet budget growth fell to just 2 percent in 2018, down from 5 percent in 2016 and 2017; therefore, audit needs to get smart about how it uses its scarce skills.

With data and analytics experts in very high demand across all functions, industries and geographies, many audit leaders will struggle to transform their function with new capabilities to cope with higher-velocity business processes in the digital age.

The scarcity of critical skills could explain the rise in prevalence of co-sourced resources in audit functions, with its share of total audit budget creeping up from 8 percent in 2017 to 9 percent in 2018, and 67 percent of organizations saying they used co-sourced audit support in 2018, up from 62 percent in 2017. In any case, whether or not the audit function has the skills it needs, it seems clear that technology-related change will continue to disrupt and expand the range of business activities and processes for which audit must provide assurance.

Compliance officers eligible to participate in the SEC and CFTC whistleblower programs must navigate strict rules. Speaking up always carries risk, but – as Michael Filoromo and Zac Arbitman explain – the SEC, CFTC and various federal and state laws protect whistleblowers from retaliation.

The first article in this series provided an overview of the whistleblower award programs established by the Securities Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) and the eligibility criteria for compliance personnel to serve as SEC or CFTC whistleblowers. This article outlines the steps involved in submitting tips and claiming awards, as well as the anti-retaliation protections available to whistleblowers who speak up about wrongdoing.

Procedures for Submitting a Tip

To submit a claim under the SEC and CFTC whistleblower programs, an individual must file a tip, complaint or referral (TCR) form detailing their allegations. When preparing tips for submission to the SEC or CFTC, whistleblowers and their counsel should make sure that the TCR form and accompanying exhibits present the most comprehensive and compelling evidence. With the SEC and CFTC receiving a steadily increasing number of tips – 5,200 in 2018 alone – it is important that a first read of a whistleblower tip provide agency staff with a sound understanding of the alleged violations and, to the extent possible, a roadmap to investigate and prove the wrongdoing.

Whistleblowers should describe in detail the particular practices and transactions they believe to be unlawful, identify the individuals and entities that participated in or directed the misconduct and provide a well-organized presentation of whatever supporting evidence the whistleblower possesses. Under no circumstances, however, should whistleblowers give the SEC or CFTC information that is protected by attorney-client privilege, as the agencies cannot use privileged information in an investigation or enforcement action. The mere receipt of such information can interfere with and significantly delay the staff’s ability to proceed. This is a particularly important consideration for compliance personnel, who often work and communicate with in-house and external counsel.

Mocking new technology isn’t productive and can lead to career disadvantage

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies — cloud, mobile, machine learning, and now blockchain — discounting the value as “pure hype.” This practice of mocking new technology isn’t productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

In February, 31 State Attorneys General signed a letter endorsing the identity theft rules and acknowledging the need for more secure authentication practices. OneSpan’s Michael Magrath discusses.

It is not every day that 62 percent of the state Attorneys General collaborate and present a unified response to the federal government. On February 11, 2019, 31 AGs signed a letter to Donald Clark, Secretary of the Federal Trade Commission (FTC), in response to the FTC’s December 4 request for comment on the Identity Theft Rules, 16 C.F.R. Part 681 Project No. 188402.

The Identity Theft Rules (“the Rules”), known as the “Red Flags Rule” and the “Card Issuers Rule,” “require financial institutions and some creditors to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent it and mitigate its damage.” Only these entities have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief.

The AGs note that “the Rules complement the laws of states that have enacted laws requiring entities to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information.”

(TNS) — Flooding in several Minnesota towns could reach moderate to major stages in the coming week, according to National Weather Service forecasts.

For emergency managers and elected officials in many of those towns, though, it’s business as usual until the worst hits. And that’s if major flooding even materializes.

“It’s way too early to panic,” said Erika Martin, mayor of Oslo, Minn. “We have to watch, and it’s good to be prepared. But we take it day by day.”

Moderate flooding means some structures and roads near the Red River could become covered in water, while major flooding indicates “extensive inundation” of infrastructure, according to the service. The precise levels of river flooding vary by location.

In late March, Marsh announced the launch of a program with a number of leading cyberinsurance firms including Allianz, AXA, Beazley, XL, and Zurich to evaluate cybersecurity products and services. Products that meet a minimum standard of criteria receive the designation of “Cyber Catalyst” for their effectiveness in reducing cyber risk. The intent is for insurance premiums to decrease for companies using Cyber Catalyst products/services, though there is no indication of how much premiums will drop by. This is not the first time that cyberinsurers have announced partnerships with vendors in an attempt to sell more products and keep premiums down, but it is the most ambitious.

Giving a business continuity presentation to management is challenging at the best of times. If any of the people listening to you start acting out, it can become downright hairy.

Today’s post looks at some of the more common human-factor problems encountered in pitching your proposals to management and suggests solutions for dealing with them.

As a business continuity consultant, I’ve made hundreds of presentations over the years to upper management at organizations of all sizes and in a wide range of industries. Often these meetings are highly charged, especially when I’m advising management of critical exposures at their organization.

I know what it’s like to be a BCM manager presenting to management in order to obtain critical funding or approvals.

The New York Department of Financial Services (NYDFS) requires all regulated entities to adopt the core requirements of a cybersecurity program. Panorays’ Matan Or-El discusses the regulation’s impact on financial institutions.

The cybersecurity landscape is becoming increasingly volatile for financial institutions that are scrambling to fight off a barrage of cyberattacks like bots, credential stuffing, account takeovers and more. Those attacks are taking the form of banking Trojans along with ATM and mobile malware. With open banking on the horizon, financial institutions will increase their risks incrementally with the new services they offer. The protection of personal data, accounts and reputation is at stake.

With the deluge of breaches in the last year, it is a wonder that any personal data is left to protect that hasn’t already been sold on the dark web. These devastating trends have prompted lawmakers in New York State to institute the New York State Department of Financial Services Cybersecurity Regulation (NYDFS). This new regulation, which went into effect in March, outlines cybersecurity standards for financial institutions including credit unions, health insurers, investment companies, licensed lenders, life insurance companies, mortgage brokers, savings and loans associations, private bankers, offices of foreign banks and commercial banks.

The new regulation requires organizations to review their security risk and develop policies that meet compliance standards relating to data governance, classification, access controls, system monitoring and incident response. Organizations that are regulated are now required to adhere to these guidelines:

Attacks from insiders often go undiscovered for months or years, so the potential impact can be huge. These 11 countermeasures can mitigate the damage.

The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.

According to Verizon’s Insider Threat Report — which analyzes cases involving bad actors from the 2018 Data Breach Investigation Report — 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization.

What’s scarier, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

Monday, 08 April 2019 16:06

Ignore the Insider Threat at Your Peril

WinMagic’s Garry McCracken discusses the encryption capabilities that are built into Linux, the gaps in protection/compliance risks, and what companies can do to address them.

When it comes to server protection, many enterprises overlook physical security risks. The common myth is that because the servers are in a data center or otherwise behind lock and key, and because the data is in perpetual use, encrypting the drives is unnecessary, as the data is never at rest.

That’s particularly troublesome. All drives eventually leave the data center for repair or disposal, and having them encrypted is the best way to protect the data from unintentional exposure. And with the enormous number of breaches in the news and compliance regulations – GDPR, HIPAA and California’s Consumer Privacy Act and the like – the prudent advice is to encrypt everything, everywhere, all the time.

Linux has had built-in encryption for several years now. So why, then, are enterprises still struggling with their encryption efforts?

To answer this question, let’s review the disk encryption capabilities that are built into Linux:

It may not be the most interesting aspect of protecting your business but optimizing policy configuration for firewalls and other security devices is an important consideration. Asher Benbenisty examines four common security policy errors, and shows how organizations can avoid them.

As security threats become more and more advanced, managing your network’s defenses correctly has never been more critical. The effectiveness of firewalls and other security devices depends on the security policies which control how they operate. These policies, which can comprise tens or even hundreds of thousands of firewall rules, dictate what traffic is blocked, what is allowed, and where it’s allowed to go, in order to enable security, ensure compliance and drive business productivity.

It’s increasingly challenging to maintain these policies, so that the needs of the business are optimally balanced with the need to limit risk and be as secure as possible. In most organizations, business applications are being introduced or changed rapidly, to support more users or new functionality.  Organizations are also moving to virtualized and cloud infrastructures, which introduce new security controls and connectivity flows that must be managed if business applications are to remain secure and compliant at all times.  As such, it’s no surprise that Gartner estimates that 99 percent of firewall breaches are the result of simple misconfigurations.

So, what are the most common and harmful misconfigurations that can creep into firewall rulesets and security policies? Let’s take a look at some of the most prevalent, and what can be done to avoid them.


In June 2017 Continuity Central published the results of a survey which looked at whether attitudes to the business impact analysis and risk assessment were changing. Two years on, we are repeating the survey to determine whether there has been any development in thinking across the business continuity profession.

The original survey was carried out in response to calls by Adaptive BC for the removal of the business impact analysis and risk assessment from the business continuity process.

Please take part in the survey at


Read the results of the original survey.

You’ve just invested in an emergency notification system. You’re eager to get the software up and running to keep your people safe, informed, and connected. But you hit a brick wall: you’re told the training will take two weeks, support is already unresponsive and costs extra, and integrating employee data? A complete debacle.

In the world of emergency communication software, a provider’s customer success capability has powerful implications. Quick setup is essential when you’ve got people and assets to safeguard.

Some Common Onboarding Pain Points

Unfortunately, organizations often face onboarding hurdles when they purchase mass notification software. In part, this can be attributed to outdated software and a cumbersome user experience that doesn’t facilitate an easy setup process. Oftentimes, however, a lack of dedicated support and a customer success focus adds undue burden to new buyers. Here are some common pain points organizations face when interacting with a poor support model:

Successful, secure organizations must take an aggressive, pre-emptive posture if they want true data security

Cybercriminals are always works in progress. Their knowledge and ability to bypass security systems are constantly advancing. As they gain knowledge, they develop and implement sophisticated impersonation methods that are proving increasingly adept at evading detection and gaining access to secure data. This happens as many of their targets fail to adequately upgrade their security solutions to detect and protect against them. Currently, cybercriminals have many soft targets, and they know what to do to penetrate their systems. This climate that works in favor of the attacker underscores how organizations, as potential targets, need to rethink their approach to data and system security.

One of the most common approaches a cybercriminal takes is to present as an employee or friend of the organization under attack. This is the path of least resistance for introducing malicious code to a system disguised as a trusted application. In this way, and without the proper, updated security protocol in place, hackers fly under the radar to access sensitive information and even extract money. The cost can be steep for an enterprise that is breached in this way. A loss of assets can be crippling, as can the perceived loss of reputation. As these attacks become more common, organizations must prepare and have a modern, flexible security strategy in place that incorporates several layers of security.

Yesterday’s post about insurance-related Guinness World Records got me thinking: what other weird insurance policies are out there?

If you know much about insurance, you know that the first place to inquire about weird insurance policies is Lloyd’s of London, legendary clearinghouse for the strange and unusual. (And innovative: they were the underwriters for the world’s first auto policy, the first aviation policy, and soon the first space tourism policy.)

Naturally, Lloyd’s has an entire webpage dedicated to what it (in what I imagine to be staid, Oxford-accented English) calls “innovation and unusual risks.” Some top hits include insurance coverage for David Beckham’s legs (£100 million), Keith Richards’ hands ($1.6 million), and cricketer Merv Hughes’ trademark mustache (£200,000).

My personal favorite is insurance for members of a Derbyshire Whisker Club who wanted coverage for their beards against “fire and theft.” Theft?

Thursday, 04 April 2019 16:12


(TNS) — FEMA has informed Ascension Parish government and area congressional officials that new flood insurance rate maps can proceed without controversial development restrictions along area waterways, a parish council member says.

Parish Councilman Bill Dawson wrote to the mayor of Sorrento on Friday that Federal Emergency Management Agency officials told him and others during a recent meeting that the restrictions, known as floodways, could be removed from the new maps expected to take effect May 15.

“They also told us since the request had come from the Town of Sorrento, The City of Gonzales and the Parish of Ascension, all would have to request the removal of the Floodways request,” Dawson wrote in an email shared with Town Council members Tuesday evening.

Dawson has been a primary proponent of the map changes as a way to lower flood insurance rates for residents south of Gonzales and in Sorrento and the Burnside area.

Oracle customers should renegotiate their commercial relationships with this important vendor, using adoption of Oracle’s SaaS products as an incentive and cancellation of maintenance as a credible threat. Oracle’s SaaS strategy seeks to pull customers forward, but it has also undermined the value of its maintenance offering for its legacy on-premises products. Both factors increase customers’ negotiation leverage.

Oracle is determined to increase adoption of its SaaS products. In its last earnings call, Larry Ellison stated that ERP Cloud is one of two strategic imperatives for Oracle (Oracle’s autonomous database is the other). ERP Cloud comprises various finance, procurement, and governance products and is one of five pillars in its SaaS portfolio (the others are CX, HCN, SCM, and manufacturing). There are several good reasons why you should take a serious look at Oracle’s SaaS portfolio:

Software developers and their managers must change their perception of secure coding from being an optional feature to being a requirement that is factored into design from the beginning

Fifth in a continuing series about the human element in cybersecurity.

Programmers are responsible for developing and releasing new systems and applications, and subsequently announcing vulnerabilities and developing updates and patches as vulnerabilities and bugs are discovered. It can take organizations months to apply patches, which creates a window of opportunity for hackers. What steps can programmers take to minimize security flaws, reduce impediments to the patching process, and shrink this window?

Programmers — sometimes called software engineers, software developers, or coders — are the individuals who write code to build operating systems, applications, and software. They are also responsible for debugging programs and releasing patches to address code vulnerabilities after initial release. In this column, we consider programmers at commercial manufacturers and application/software providers, such as Microsoft or Adobe, and programmers responsible for custom internal applications.

Thursday, 04 April 2019 16:02

In Security, Programmers Aren’t Perfect

By TREVOR BIDLE, information security and compliance officer, US Signal

World Backup Day purposely falls the day before April Fool’s Day. The founders of the initiative, which takes place March 31, want to impress upon the public that the loss of data resulting from a failure to back up is no joke.

It’s surprising to find that nearly 30 percent of us have never backed up our data. Even more shocking are studies stating that only four in ten companies have a fully documented disaster recovery (DR) plan in place. Of those companies that have a plan, only 40 percent test it at least once a year.

Data has become an integral component of our personal and professional lives, from mission-critical business information to personal photos and videos. DR plans don’t have to be overly complicated. They just need to exist and be regularly tested to ensure they work as planned.

Ahead of World Backup Day, here are some of the key components to consider in a DR plan.

The Basics of Backup

A backup creates data copies at regular intervals that are saved to a hard drive, tape, disk or virtual tape library and stored offsite. If you lose your original data, you can retrieve copies of it. This is particularly useful if your data became corrupted at some point. You simply “roll back” to a copy of the data before it was corrupted.

Other than storage media costs, backup is relatively inexpensive. It may take time for your IT staff to retrieve and recover the data, however, so backup is usually reserved for data you can do without for 24 hours or more.  It doesn’t do much for ensuring continued operations.

Application performance can also be affected each time a backup is done. However, backup is a cost-effective means of meeting certain compliance requirements and for granular recovery, such as recovering a single user’s emails from three years ago. It serves as a “safety net” for your data and has a distinct place in your DR plan.

You can opt for a third-party vendor to handle your backups. For maximum efficiency and security, companies that offer cloud-based backups may be preferable. Some allow you to back up data from any physical or virtual infrastructure, or Windows workstation, to their cloud service. You can then access your data any time, from anywhere. Some also offer backups as a managed service, handling everything from remediation of backup failures to system/file restores to source.

Stay Up-To-Date with Data Replication

Like backup, data replication copies and moves data to another location. The difference is that replication copies data in real- or near-real time, so you have a more up-to-date copy.

Replication is usually performed outside your operating system, in the cloud. Because a copy of all your mission-critical data is there, you can “failover” and migrate production seamlessly. There’s no need to wait for backup tapes to be pulled.

Replication costs more than backup, so it’s often reserved for mission-critical applications that must be up and running for operations to continue during any business interruption. That makes it a key component of a DR plan.

Keep in mind that replication copies every change, even if the change resulted from an error or a virus. To access data as it was before a change, the replication process must be combined with continuous data protection or another type of technology that creates recovery points to roll back to if required. That’s one of the benefits of a Disaster Recovery as a Service (DRaaS) solution.

Planning for Disasters

DRaaS solutions offer benefits that make them an attractive option for integrating into a DR plan. By employing true continuous data protection, a DRaaS solution can offer a recovery point objective (RPO) of a few seconds. Applications can be recovered instantly and automatically — in some cases with a service level agreement (SLA)-based recovery time objective (RTO) of minutes.

DRaaS solutions also use scalable infrastructure, allowing virtual access of assets with little or no hardware and software expenditures. This saves on software licenses and hardware. Because DRaaS solutions are managed by third parties, your internal IT resources are freed up for other initiatives. DRaaS platforms vary, so research your options to find the one that best meets your needs.

A DR plan is basically a data protection strategy, one that contains numerous components to help ensure the data your business needs is there when it is needed — even if a manmade or natural disaster strikes.

Trevor Bidle has been information security and compliance officer for US Signal, the leading end-to-end solutions provider, since October 2015. Previously, Bidle was the vice president of engineering at US Signal. Bidle is a certified information systems auditor and is completing his master’s in Cybersecurity Policy and Compliance at The George Washington University.

ERAU students generate forecasts with eye-catching daily graphics

Embry-Riddle Aeronautical University (ERAU) decided to amp up its broadcast meteorology classes with professional weather graphics and precision storm tracking tools that can be used to illustrate complex weather conditions and explain weather concepts to students. The customizable graphics platform enables the university to incorporate a range of other available weather data and create graphics that work well in the classroom environment. Providing weather graphics every day, including holidays, helps the university tell the most important national and regional weather story of the day. By expanding the tools student forecasters have on hand, the weather platform provides exceptional analysis and learning opportunities.

First used for broadcast meteorology classes, the new graphic system is now being used for weather analysis and forecasting, aviation weather, and tropical meteorology classes. ERAU continues to expand its use to create more content for the website and as a teaching tool for student pilots and a variety of other situations. And students are sitting up and taking notice. Enrollment in broadcast meteorology classes has more than doubled since they began using the new tools.

Explanations work better with good graphics

Robert Eicher, Assistant Professor of Meteorology, was searching around for a high quality instructional weather analysis and graphics system for his broadcast meteorology class. Before coming to ERAU, Eicher had worked as a television weather broadcaster for two decades. He knew the power of good graphics in explaining weather to audiences and was looking to extend that to his students.

“Lectures are usually accompanied by PowerPoint presentations with a lot of words,” Eicher explains. “As they say, a picture is worth a thousand words – it is easier to explain what’s going on if you have a good graphic. And animated graphics go a lot farther for illustrating what we are teaching about weather.”

Professor Eicher began shopping around for a weather analysis system that would fit into an instructional environment. After looking at available options, he eventually opted for Baron Lynx™, which combines weather graphics, weather analysis and storm tracking into a single platform. He had familiarity with Baron weather products, having used them at television stations in Orlando, Florida and Charlotte, North Carolina.

The Lynx platform includes several components. One area is dedicated to weather analysis, where students analyze the weather data across the continental United States. Another area enables students to assemble and prepare the weather show and deliver it during a weathercast. The third is a creative component dedicated to weather graphics, which allows students to generate new weather graphics using existing graphical elements or by creating entirely new artwork.

Lynx was developed with the direct input of more than 70 broadcast professionals, including meteorologists and news directors. When introduced in 2016, Lynx garnered rave reviews for telling captivating weather stories and dominating station-defining moments. TV stations liked that Lynx offered them a scalable architecture that they could configure specifically to their own needs. With that came an arsenal of tools, including wall interaction, instant social media posting, forecast editing, daily graphics, and of course storm analysis. Integration across all platforms – on-air, online, and mobile – was another big plus for weather news professionals.

For Professor Eicher, the two deciding factors in favor of selecting Lynx were value for the money and customizability. “Compared to other options I looked at, you get a lot more for your money – a bigger bang for the buck. I also liked the customizability, which works well for our unique situation. As a university, we are already getting a ton of data from an existing National Oceanic and Atmospheric Administration (NOAA) data port. I like that Lynx allows us to incorporate the data we are getting and make good graphics with it. We can get in and tinker around and do some innovative things for the classroom environment.”

One unique example involved teaching aviation school students about the potential for icing. Eicher went into Lynx and adjusted the contours at an atmospheric pressure of 700 millibars (about 10,000 feet) to show only the 32-degree line, so the students could see where the freezing level was at 10,000 feet. He then adjusted the contours of relative humidity to show only values of 75 percent and above. The result illustrated where temperature and humidity combined to produce ice, showing the icing potential at that flight level. “It is a unique graphic that I don’t think anyone else has,” noted Eicher.

The program is being used for weather analysis and forecasting and also enables broadcast meteorology students to publish their forecasts and make them visible to people outside the classroom. “In the past, students would have written their forecasts and only their professor would see it,” said Professor Eicher. “Now the class has a clear purpose. Student meteorologists use Lynx to prepare weather analyses and forecasts and publish the results to the ERAU website using the Baron Digital Content Manager (DCM) portal.”

While not a part of Lynx, the DCM is a web portal that communicates with Lynx. Using the DCM, meteorologists can update forecasts remotely and publish them across mobile platforms and websites. It is accessible to anyone who has credentials: students can log in from their home, lab, or class and enter the data. The DCM forecast builder feature allows users to populate their forecast, select weather graphics associated with specific forecast conditions using a spreadsheet-like form for the data entry, and publish them to the ERAU website. The forecast graphics and the resulting format are predefined during system setup.

On weekends, holiday breaks, or summer vacation, the DCM can be set to revert to the National Weather Service (NWS) forecast, solving the problem of what to do if students are not there to issue a forecast. Eicher considers this a feature that would be extremely useful for any university, because it means a current forecast will always appear on the website. According to Professor Eicher, “The ability to update the forecast via our web portal provided a solution for a need that had been unmet for five years or more.”

Teaching Assistant Michelle Hughes uses Lynx to prepare weather analyses and forecasts and publish to the ERAU website.

In general, Eicher has found a lack of good real-time weather instructional material, so he has turned to the Lynx program to develop better teaching tools. In addition to the original broadcast meteorology course, he and other instructors are also using the program for aviation weather and tropical meteorology classes. He anticipates it will soon be used to develop instructional graphics for an introduction to meteorology course. For example, Lynx allows instructors to move beyond a still image of current upper-level wind patterns and animate the winds with moving arrows. This type of animation clearly illustrates conditions and highlights areas where attention should be focused.

ERAU is also using the program to develop other high quality instructional materials, including animated graphics that can be used to explain important regional and national weather events, for example, the recent California wildfires.

Positive feedback for new teaching tool

ERAU faculty and administration are extremely pleased with the availability of the new teaching tool for broadcast and meteorology students, and student pilots. Located in a broadcast studio that is part of the meteorology computer lab, Baron Lynx is accessible to the entire meteorology faculty and students, with output connected to adjacent classrooms. Enrollment in broadcast meteorology classes has more than doubled since ERAU obtained these new tools.

Support and training on the product have been provided at a high level. The Baron technical support staff is used to supporting television stations 24/7/365, so they were not thrown off by students calling them on a Saturday afternoon with questions on how to produce graphics for their forecasts. The students showed off their new knowledge on a live Facebook stream about travel weather the day before Thanksgiving.

Eicher also gave high grades to the staff training provided. “The staff person brought in to train me on use of the program actually assisted with teaching the broadcast meteorology class, showing the students how to use the program directly.”

Customizable graphics product ideal for classroom environment

The customizable Lynx product enables the university to incorporate a range of other available weather data and create graphics ideal for the classroom environment.

The university is also looking into developing a range of other graphics for use on their new website, as well as creating more content using Lynx for educational purposes. Also in the planning stages is consideration of hooking in other camera sources like a roof/sky camera into the Lynx program, combined with weather data. “Word is getting out that we have a pretty unique opportunity,” concludes Professor Eicher.

Breaking up is hard to do. Those are not my words. They were said, or rather sung, by a much more talented guy named Neil Sedaka. He sang those lyrics back in 1976, but they are still true today. Breaking up is hard to do. You can watch a performance of the song here. (Watching this video could result in physical distress for viewers born after the year 1970.) Staying in a relationship is easier than breaking up even if staying is unhealthy. One of the main reasons people stay in broken relationships is that however unpleasant and unhealthy the situation is, change can be even more difficult. Clinical psychologist Dr. Samantha Rodman wrote the following in a recent blog post for a website called TalkSpace:

“A common example of fear of change is when a person stays in an unfulfilling romantic relationship because they are terrified of being single, or of the effort and risk involved in trying to find a different partner. People often coast along in unfulfilling relationships, even marrying a person about whom they feel ambivalent, just because they are so scared at the prospect of breaking up.”

Change is hard to do.  Change is at the heart of what is hard about breaking up for many people.  Change is especially tough when you are in love with Microsoft Office.

Wednesday, 03 April 2019 14:49

Breaking Up is Hard to Do

Nearly 20 years ago, I had the humbling privilege to be assigned as the donations manager for the state of New York following the Sept. 11, 2001, attacks on the World Trade Center.

I deployed from California to the New York State Emergency Operations Center in Albany via the interstate Emergency Management Assistance Compact. It was a cold, dreary first day in upstate New York. I entered Highway Patrol Headquarters, proceeded past the blast doors, and down into the Cold War fallout shelter in the basement. There was a buzz of subdued, chaotic efficiency. The New York State Emergency Operations Center was in full activation.

The State Emergency Management Office’s (SEMO) deputy director covered the initial ramp-up to the “second disaster,” a flood of well-intentioned but not always useful in-kind donations. Within the first few days of the disaster, well-meaning people and organizations sent truckloads of what donations managers call “stuff”. Stuff was piling up all over the streets of New York City and around ground zero. There were literally piles of stuff clogging the streets, impeding access to the disaster site, and getting in the way of first responders’ ability to respond.

Architects can, and do, choose a primary cloud service provider and/or Hadoop system to house their data. Moving, transforming, cataloging, and governing data is a different story, so architects come to me after throwing up their arms searching for solutions to tame the information fabric, thinking they must be missing something: “Isn’t there a single platform?” they ask.

Sadly, no. There are only best-of-breed tools or data management platforms in transition.

There’s history behind this. Data management middleware companies tend to be relatively small. Information management vendors such as IBM, Oracle, and SAP pick off smaller data management vendors and add their offerings as solutions to their overall platform portfolio to sell as enablers of their big data and cloud systems. Small vendors don’t have the funds to preemptively build capabilities as markets shift toward new architectures like big data and cloud. Big vendors solve the 80% rule of firms running their businesses on traditional, reliable technology. Thus, data management and governance have lagged behind the big data and cloud trends. Ultimately, both kinds of vendor have had a wait-and-see strategy, building capabilities and rearchitecting solutions only when customers began to show higher levels of interest (it’s in the RFI/RFP).

(TNS) — Gov. Gretchen Whitmer last week denied a request to declare a state of emergency for Shiawassee County.

The damage done to the county after tornadoes ripped through its villages and towns on March 14 didn’t meet the state threshold for declaring a State of Emergency, according to Shiawassee County Commission Chair Jeremy Root.

In total, 135 structures (94 homes, four businesses, 16 barns and 22 RVs) were damaged or destroyed in the wake of the storm. Approximately $10 million in damage was done to homes and businesses, Shiawassee Emergency Management Director Trent Atkins stated.

Three goats and a chicken were killed, but no people were injured or killed by the tornadoes, Atkins said.

The lines between agencies, consultancies, and tech services firms are continuing to blur. This convergence is driven in part by an acquisition-heavy strategy. Like in 2017, the last year of acquisitions saw cloud and agency capabilities as most in demand. But what does this mean for buyers? Your go-to boutique agency may (soon) be part of a larger firm. Or your managed services partner likely has a whole new set of intelligent solutions that weren’t even ideas yet when you signed the contract.

Services firms have been quick to buy to fill gaps in skill sets, solutions, or customer lists. SAP acquires CallidusCloud? Time for a new commerce specialist acquisition. Struggling with AI for NLP? There’s a startup for that. Still haven’t managed to convince the market that you can develop a modern digital strategy on top of implementation work? A midsized, industry-oriented consultancy might just get your foot in the door.

In 2018 alone, the services partners we track made over 100 acquisitions. In a recently published infographic, we break down the top trends in acquisitions and what that means for services buyers. Here’s a quick snapshot:

Wednesday, 03 April 2019 14:39

If You Can’t Beat ‘Em, Buy ‘Em

(TNS) — California’s hospitals are scrambling to retrofit their buildings before “The Big One” hits, an effort that will cost tens of billions of dollars and could jeopardize health-care access, according to a newly released study.

The state’s 418 hospitals have a deadline from the state, too. They’re racing to meet seismic safety standards set by a California law that was inspired by the deadly 1994 Northridge earthquake, which damaged 11 hospitals and forced evacuations at eight of them.

By 2020, hospitals must reduce the risk of collapse. By 2030, they must be able to remain in operation after a major earthquake.

That could cost hospitals between $34 billion and $143 billion, according to a new report from Rand Corp.

The definition of emergency is “a serious, unexpected, and often dangerous situation requiring immediate action.” The key word here is “unexpected.” You can’t predict emergencies–but you can still plan for them if you understand your most likely threats. One crucial part of this planning process is creating emergency notification message templates. After all, even if you don’t know the exact nature or time of the next threat, you can be sure that you will be communicating with your employees. Having emergency notification message templates saves you precious time and bandwidth which you can allocate to more pressing needs.

The same goes for any emergency response strategy. Not every situation is predictable, but it’s wise to assess your current risks and make plans on how you would respond. That plan starts with message templates. In this post we will talk about the four most important types of emergency notification message templates–and even give you access to a few templates that we have built.

Last month, my colleague Dave Johnson and I published a report that shared a better way for companies to measure the quality of their employee experience. The Employee Experience Index rests on years of research by Dave and myself but also incorporates findings from academic studies that update what we know about what makes a great employee experience.

We now have two years of data back, and it’s clear what factors matter most to employees about their experiences working for a company. Companies must empower, inspire, and enable their employees. Think of factors like granting employees freedom to decide how to do their jobs, or inspiring belief among employees in the core mission and values of the company, or that the IT department helps them be productive. It turns out that these are some of the most important elements of an employee experience to get right.

Today’s sophisticated and ever-changing technologies have made the world smaller and opened up new ways of communicating. The publication of a revised International Standard ensures that we are all “talking” the same language when it comes to date and time.

We don’t take kindly to our sleep being disrupted in the wee hours by a selfie from friends sharing their latest updates from their holiday on a far-flung beach resort. But when it comes to doing business in today’s hyperconnected world, late-night grumpiness can leave you with serious egg on your face.

From making sure your online calendar is in sync for virtual meetings with colleagues in other time zones, to scheduling video conference calls, not to mention turning up for face-to-face meetings on the right day after a long-haul flight, if you want to be taken seriously in a highly competitive world, it is not acceptable to get the date and the time wrong.
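The interoperability problem above comes down to one rule: a timestamp is only unambiguous when it carries its UTC offset, and comparisons are only safe after normalizing to UTC. The block below is an added example, not code from the article or from ISO; it assumes the standard being discussed is the date-and-time interchange format ISO 8601 (an assumption, since the excerpt does not name it) and uses constructed meeting times for three offices.

```python
"""Normalize ISO 8601 timestamps with offsets to UTC and compare them (added example)."""
from __future__ import annotations

from datetime import datetime, timezone


def parse_iso8601(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and return it as an aware UTC datetime.

    Timestamps with no UTC offset are rejected: the same "14:00" means a different
    instant in every office, which is exactly the mistake the article warns about.
    """
    if stamp.endswith("Z"):
        # 'Z' (Zulu/UTC) is accepted by datetime.fromisoformat only since Python 3.11.
        stamp = stamp[:-1] + "+00:00"
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"{stamp!r} has no UTC offset and is ambiguous")
    return dt.astimezone(timezone.utc)


def to_utc_string(stamp: str) -> str:
    """Render any offset-bearing ISO 8601 timestamp in canonical UTC form."""
    return parse_iso8601(stamp).strftime("%Y-%m-%dT%H:%M:%SZ")


def same_instant(stamps: list[str]) -> bool:
    """True when every timestamp in the list denotes the same point in time."""
    return len({parse_iso8601(s) for s in stamps}) == 1


# Constructed local meeting times for New York (EDT), London (BST) and Tokyo.
MEETING = [
    "2019-04-03T09:00:00-04:00",
    "2019-04-03T14:00:00+01:00",
    "2019-04-03T22:00:00+09:00",
]

if __name__ == "__main__":
    for s in MEETING:
        print(s, "->", to_utc_string(s))
    print("same meeting:", same_instant(MEETING))
```

The same normalization matters well beyond calendars: log timestamps written in local time without an offset cannot be correlated across systems during an investigation, so reject or tag them at ingest rather than guessing later.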

It goes without saying that backing up data is one of the most important things a business can do, especially considering how data is now essentially the lifeblood of an organization. With this in mind, five IT industry professionals give their advice as to how business continuity professionals can keep up with the ever-evolving world of backup…

The era of ‘always-on’

In today’s business landscape, being ‘always-on’ is an essential. It can be demanding on an organization, especially when the pressure of having the most up-to-date backup technology is ever-present. As Rob Strechay, Senior Vice President of Product at Zerto comments, “From tape, to hard drive and now cloud, which is really tape in many cases, the target and management has changed, yet fundamentally it is still based on periodic snapshots of information. But in an ‘always-on’ business landscape, how can an organization feel protected with an antiquated backup strategy? The answer is it can’t.”

Monday, 01 April 2019 15:00

Backup – is your strategy evolving?

Compliance professionals still “own” too many risks that business units could manage more effectively. Gartner’s Brian Lee discusses one solution: moving ownership of compliance risks closer to their sources.

It’s a time of enormous change for organizations of every type. Gartner’s 2018 survey of CEOs shows that CEOs, who have been focused on growth for years, are now prioritizing firm plans to deliver it — plans that involve IT-related transformation and new corporate structures and cultures.

Over half the CEOs say their organizations are actively engaged in strategic digital transformation efforts. This development has greatly expanded the list of responsibilities (which often require technical expertise) for compliance professionals at a time when there is a notable talent shortage in key areas.

(TNS) – As Des Moines County goes through what is predicted to be a particularly long flood season, Des Moines County Emergency Management is reminding everyone to be safe.

“Do not go in the water,” says emergency management director Gina Hardin.

Hardin said in years past she has seen children playing in flood waters in a flooded parking lot. While playing in the river may be fine when the river is at normal levels, playing in elevated water can be dangerous for a number of reasons.

For starters, the river can move fast while it is flooded. According to the National Weather Service, 6 inches of fast-moving water is enough to knock an adult over.

The digital revolution is transforming our world. Protiviti’s Jim DeLoach shares how, over the next few years, many organizations will need to undertake radical change programs and – in some cases – completely reinvent themselves to remain relevant and competitive.

Is disruptive innovation sufficiently emphasized on the board agenda and in the C-suite?

Ask executives and directors what their company’s biggest threats are and, chances are, their answer will include the threat of disruptive innovation. As our latest global top risks survey indicates, many leaders are concerned about whether their existing operations and legacy IT infrastructure are able to meet performance expectations related to quality, time to market, cost, innovation and competitors – especially new competitors – that are “born digital,” with a low-cost base for their operations. Additionally, the rapid speed of disruptive innovation and new technologies and resistance to adapting operations in the face of indisputable change rank high on the list of top risks.

Don’t you hate it when one loud co-worker at the office takes all the credit and keeps the rest of the team out of management’s eye? Welcome to the world of Internet of Things (IoT) malware, where several families do their malicious worst — only to hear IT professionals droning on about Mirai, Mirai, Mirai.

Don’t be misled: Mirai is still out there recruiting low-power IoT devices into botnets, but it’s certainly not the only piece of malware you should be aware of. Mirai wasn’t even the first of the big-name IoT baddies — that distinction goes to Stuxnet — but the sheer size of the attacks launched using the Mirai botnet and the malware’s dogged persistence on devices around the world have made it the anti-hero poster child of IoT security.

Mirai has continued to grow through variations that make it a malware family rather than a single stream of malware. And it’s not alone: Malware programmers are much like their legitimate software development counterparts in their programming practices and disciplines, making code reuse and modular development commonplace. Each of these can make it tricky to say whether a bit of malware is new or just a variant. Regardless, security professionals have to stop all of them.

(TNS) — Columbine High School, Sandy Hook Elementary School, Las Vegas and Sutherland Springs.

These are just a small fraction of the number of mass shooting events seen at schools, churches and businesses that have made headlines over the past couple of years.

One local retired teacher wants to try to put a stop to these events.

While teaching in the classroom for 24 years at Cleburne ISD, Jackie Beatty said parents never had to worry about sending their children to school. That is not the case nowadays, she said.

She is encouraging local school districts, churches, law enforcement agencies and businesses to purchase the Safe Zone Gunfire Protection technology, which uses cloud-based machine learning to detect gunfire in a building.

Once you’ve identified the risks facing your organization, you need to consciously select a risk mitigation strategy for each one. In today’s post, we’ll explain the four possible strategies and share some tips to help you choose between them.

So you’ve completed a threat and risk assessment (TRA). Excellent. You now have a good idea of the main threats your organization faces, the likelihood that each will occur, and an estimate of the consequences to the organization if each did occur. (For more on TRAs, see this recent post.)

What do you do next?

Large donations by companies and family foundations provide the cornerstone for many prominent nonprofit organizations. But when those donations become shrouded in negative publicity, recipients must weigh their value against the damage to the organization’s own reputation.

A case in point is the wealthy and philanthropic Sackler family of Purdue Pharma, the maker of OxyContin. The recent deluge of opioid lawsuits is forcing a widespread reevaluation.

Several museums, including the Met (at its Temple of Dendur), have been the targets of public protests, with supposed overdose victims splayed on the ground surrounded by pill bottles and opioid prescriptions.

When public perception is at stake, does it matter whether the money came from illegal or controversial endeavors? Or is it just guilt by association? Either way, the optics are terrible.

How should an organization respond?

Thursday, 28 March 2019 19:56

When Donations Come Back to Haunt You

By Lynne McChristian, I.I.I. Non-resident Scholar and Media Spokesperson

Ah, spring! The season of renewal, of fresh beginnings, of flowers in bloom – and of fresh batteries in the smoke alarm. Yes, you probably overlooked that last item, so here’s a reminder to put it on the spring to-do list.

Checking (and changing) the batteries in the smoke alarm is a good springtime habit. Most homes have a smoke alarm, but if you don’t check it with regularity,  you can’t be sure it’s working. It is one of those out-of-sight, out-of-mind things, so here’s a reminder to put your home or business smoke alarm top of mind.

According to the National Fire Protection Association (NFPA), almost three of every five home fire deaths resulted from fires in homes with no smoke alarms or in homes where the smoke alarm was not working. NFPA also points to missing or disconnected batteries as the reason for inoperable smoke alarms. Dead batteries cause 25 percent of smoke alarm failures.

Many new business continuity programs start strong then slow to a crawl, sacrificing the benefits of getting up and running quickly. In today’s post, we’ll share some tips on how you can get off the blocks fast and sprint through the finish, getting your program going in twenty-four months or less.

Unfortunately, we see time and time again where BC programs get off to a strong start, with new people coming in with a lot of enthusiasm. But then for various reasons, they get bogged down. In such programs, even the biggest gaps never get covered and life is a never-ending slog.

It’s so much better if a program gets off to a strong start and then runs swift and true all the way to the finish line—defined as a program that is comprehensive, executable, and maintainable.

It was a balmy 67-degree day in New York on March 15, which prompted the inevitable joke that since it’s warm outside, climate change must be real. The wry comment was made by one of the speakers at the New York Academy of Sciences’ symposium Science for decision making in a warmer world: 10 years of the NPCC.

The NPCC is the New York City Panel on Climate Change, an independent body of scientists that advises the city on climate risks and resiliency. The symposium coincided with the release of the NPCC’s 2019 report, which found that in the New York City area extreme weather events are becoming more pronounced, high temperatures in summer are rising, and heavy downpours are increasing.

“The report tracks increasing risks for the city and region due to climate change,” says Cynthia Rosenzweig, co-chair of the NPCC and senior research scientist at Columbia University’s Earth Institute. “It continues to lay the science foundation for development of flexible adaptation pathways for changing climate conditions.”

Thursday, 28 March 2019 19:52

The use of the Federal Emergency Management Agency’s (FEMA) Integrated Public Alert and Warning System (IPAWS) is continually growing among state and local jurisdictions across the U.S.

Now that IPAWS has many success stories attributed to its use, public safety officials are getting a better sense of just how effective this tool can be. The number of applications for Collaborative Operating Group (COG) approvals is increasing; in some states, 80-90% of county emergency management agencies are now IPAWS Alerting Authorities.

Even with such promising results, many public safety officials are still unclear about how effective IPAWS can be when used in combination with their existing mass notification systems. Although professional discretion is afforded through the FEMA-IPAWS Memorandum of Agreement (MOA), some agencies are still uncomfortable determining what should be considered an “imminent threat” worthy of initiating a Wireless Emergency Alert (WEA).

In today’s world where the technology of road vehicles is moving ahead at racing pace, it is important that these exciting new electronic features are safe. A series of International Standards for functional safety of electrical and electronic systems in road vehicles has just been updated to keep the automotive industry ahead of the pack.

Cars have come a long way from the days of internal combustion engines a century ago, or even manual wind-down windows. These days, it seems, everything is done by the touch of a button or through a simple voice command. Electronics are behind a mind-boggling array of vehicle functionalities and the technology just keeps on coming.

But with any powerful technology comes a set of risks. The purpose of the ISO 26262 series of standards is to mitigate those risks by providing guidelines and requirements for the functional safety of electrical and electronic systems in today’s road vehicles.

An emergency notification system empowers organizations to keep their people safe, informed, and connected through relevant, streamlined notifications during a critical event. Emergency notification systems automate and deliver messages so you can quickly and easily communicate with, or engage, your audience from anywhere, at any time, using any device. Your emergency notification system should monitor threats for you, assist you in identifying who might be impacted by a threat so you can effectively communicate, and ultimately help you improve outcomes.

Your emergency notification system should be incredibly user-friendly. Similarly, the process of understanding your vendor and how you would partner together should be just as easy.

From demo to implementation, the process should be painless. When evaluating emergency notification systems vendors and to ensure your success, it’s important to understand what you can expect from your partnership.

In January, BlackRock accidentally leaked confidential sales data by posting spreadsheets insecurely online – certainly not the first time we’ve seen sensitive information “escape” an organization. Incisive CEO Diane Robinette provides guidance companies can follow to minimize spreadsheet risk.

Several weeks ago, the world’s largest asset manager, BlackRock, accidentally posted a link to spreadsheets containing confidential information about thousands of the firm’s financial advisor clients. As reported by Bloomberg News, the link was inadvertently posted on the company’s web pages dedicated to BlackRock’s iShares exchange-traded funds. Included in these spreadsheets was a categorized list of advisors broken into groups identified as “dabblers” and “power users.”

While BlackRock was lucky in the fact that there was no financial information included on these spreadsheets, they are still left to deal with reputational damage. For the rest of us, this breach brings an important issue — spreadsheet risk management — back into the spotlight.

Despite years of rumors predicting the demise of spreadsheets, they are still widely used by businesses of every size. And why shouldn’t they be? Beyond providing an easy way to categorize clients and business partners, spreadsheets continue to meet the analytical needs of finance and business executives. They are especially useful for analyzing and providing evidentiary support for decision-making and for complex calculations where data is continuously changing. Yet, as we’ve seen time and time again, spreadsheets represent continued exposure to risk.

Wednesday, 20 March 2019 15:37

Lessons from BlackRock’s Data Leak

The sharp decline follows an FBI takedown of so-called “booter,” or DDoS-for-hire, websites in December 2018.

The average distributed denial-of-service (DDoS) attack size shrank by 85% in the fourth quarter of 2018 following an FBI takedown of “booter,” or DDoS-for-hire, websites in December 2018, researchers report.

Late last year, United States authorities seized 15 popular domains as part of an international crackdown on booter sites. Cybercriminals can use booter websites (also known as “stresser” websites) to pay to launch DDoS attacks against specific targets and take them offline. Booter sites open the door for lesser-skilled attackers to launch devastating threats against victim websites.

About a year before the takedown, the FBI issued an advisory detailing how booter services can drive the scale and frequency of DDoS attacks. These services, advertised in Dark Web forums and marketplaces, can be used to legitimately test network resilience, but they also make it easy for cyberattackers to launch DDoS attacks against an existing network of infected devices.

Wednesday, 20 March 2019 15:35

DDoS Attack Size Drops 85% in Q4 2018

The #MeToo and #TimesUp movements brought the continuing problem of workplace misconduct onto the national stage, shining a light not only on the prevalence of harassment, but also on the dire need for effective processes to investigate when allegations are made. Clouse Brown Partner Alyson Brown discusses.

Confidential information
It’s in a diary
This is my investigation
It’s not a public inquiry.

— “Private Investigations,” Mark Knopfler/Dire Straits

It’s Friday. Thoughts are turning to the weekend ahead. The phone rings: We have a problem — I’ve gotten a complaint of sexual harassment against a senior VP. What do I do?

I’ve had variations of this call dozens of times. In the months since #MeToo and #TimesUp grabbed national headlines, the volume of calls about workplace complaints, especially those involving senior executives, has skyrocketed.

Employers and executives must act promptly when faced with these complaints. An effective workplace investigation can mean the difference between effective resolution and unwanted litigation. Moreover, in the current business environment, how employers investigate potential misconduct can affect that company’s reputation almost as much as the alleged conduct itself.

Consistent principles and procedures must be followed whenever allegations of misconduct are investigated. While volumes are written on how to ask questions and read body language, less guidance is available on the pre-planning necessary for an effective investigation.

The automation, stability of infrastructure, and inherent traceability of DevOps tools and processes offer a ton of security and compliance upsides for mature DevOps organizations.

According to a new survey of over 5,500 IT practitioners around the world, conducted by Sonatype, “elite” DevOps organizations with mature practices, such as continuous integration and continuous delivery of software, are most likely to fold security into their processes and tooling for a true DevSecOps approach.

Throughout the “DevSecOps Community Survey 2019,” responses show that mature DevOps organizations have an increasing awareness of the importance of security in rapid delivery of software and the advantages that DevOps affords them in getting security integrated into their software development life cycle.

To make sure that homeowners are aware of the importance of flood insurance, the I.I.I. recently partnered with the Weather Channel.

A video posted to the Weather Channel’s Facebook page demonstrates just how destructive flooding can be; for example, in the video you can see the devastation from Hurricane Sandy wreaked on Breezy Point, a coastal community in Queens NY.

“What’s remarkable about flood insurance is that only 12 percent of people have it,” says Sean Kevelighan, I.I.I.’s CEO. One misconception that people have about flood insurance is that it’s included in a homeowners policy. But that’s not the case. A separate flood policy must be obtained. Flood insurance is mostly sold by FEMA’s National Flood Insurance Program, but some private insurers have begun offering it as well.

The latest twist in the Equifax breach has serious implications for organizations.

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.


Wednesday, 20 March 2019 15:30

The Case of the Missing Data

(TNS) — Somerset County, Pa., will test its CodeRED emergency public mass notification system at 3 p.m. Tuesday, according to the county’s top emergency management official.

Joel Landis, director of the Somerset County Department of Emergency Services, said on Saturday that he urged business owners and members of the public to sign up prior to the test for the service, which is used to send notifications about emergency situations in the county by phone, email, text message and social media.

Landis said in an email that the “CodeRED system provides Somerset County public safety officials the ability to quickly deliver emergency messages to your landline or cell phone to targeted areas or the entire county.”

The CodeRED system is used to distribute information about emergencies such as evacuation notices, utility outages, water main breaks, fires, floods and chemical spills, according to information on Somerset County’s website.

A side-by-side comparison of key test features and when best to apply them based on the constraints within your budget and environment.

Crowdsourced security has recently moved into the mainstream, displacing traditional penetration-testing companies from what once was a lucrative niche space. While several companies have pioneered their own programs (Google, Yahoo, Mozilla, and Facebook), Bugcrowd and HackerOne now carve up the lion’s share of what is a fast-growing market.

How does crowdsourced pen testing compare with traditional pen testing, and how does it differ in methodology? Does this disruptive approach actually make things better? Read on for a side-by-side comparison…

Wednesday, 20 March 2019 15:27

Crowdsourced vs. Traditional Pen Testing

While every tech vendor seems to lay claim to being an expert in digital transformation, it stands to reason that not all can be. For sure, there are many vendors with experience helping clients create new customer or employee digital experiences, but this experience doesn’t make them experts in digital business transformation.

For 20 years, Forrester has been extolling the virtues of improving customer experience – we’ve even proven the value of delivering world-class experiences, including digital experiences.

And over these years, many of our clients have successfully mapped customer journeys and improved touchpoints, all the while seeing gradual improvements in their Customer Experience Index (CX Index™) scores.

But what happens when everyone’s customer journeys are optimized and when all digital experiences begin to look similar? As customer expectations rise, you must invest to improve touchpoints just to remain competitive. Without a major shift in how your leadership thinks about digital, your firm will struggle to break out from the pack.

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Banking Royal Commission, or BRC) has been in Australian media headlines since the Commission was established on December 14, 2017. On February 4, 2019, the widely anticipated final report from Commissioner Hayne was released.

While Australian banks were BRC’s focus, international institutions watched with keen interest and made submissions to ensure their voices were heard, anticipating that the resulting regulations for financial institutions would be far stricter and structured.

However, the impact is not limited to the financial sector. Commissioner Hayne recommended a change to the regulators’ enforcement approach, which may transform the perceived soft touch of the country’s principal corporate watchdog, the Australian Securities and Investments Commission (ASIC).

For overseas companies operating in Australia, these changes may impact future engagements with the Australian regulator and the prospects of global settlements where multiple regulators are involved.

When I started my career in marketing analytics almost 20 years ago, the biggest challenge was wrangling first- and third-party data, joining them together, and analyzing customer patterns. It was like mining for gold; we wanted to discover something unique about our customers, a nugget that our marketing counterparts could use to craft customized messages or target more effectively. It took a lot of time (this was before the ad- and martech boom), but it was fun spending hours programming and running models to understand customer behaviors.

Well, it was fun for me. My colleagues may not agree.

So when I was asked to take over data management platform coverage, I geeked out in excitement. It was my time to learn more about how data-specific technologies automate the mundane tasks that I had to do years ago, and with new, quickly changing data sources.

(TNS) — Efforts are underway to help residents in recovery mode after four tornadoes left behind a path of damage across two Michigan counties.

The National Weather Service confirmed a pair of tornadoes touched down in Shiawassee County and two in Genesee County that damaged homes, barns, splintered trees and downed power lines leaving thousands in the dark.

An informational meeting is set for 3 p.m. Sunday, March 17 in the cafeteria at Durand High School, 9575 E. Monroe Drive, with emergency management and government officials to address items such as recovery efforts, resident/business resources for relief, and short/long-term housing needs.

Shiawassee County Sheriff Brian BeGole confirmed a local state of emergency has been declared after 61 homes were damaged — 20 deemed uninhabitable or destroyed — as well as 16 barns and two businesses by the tornadoes, including an EF-2 with winds up to 125 mph from Newburg Rd/Bancroft Rd to M-71 just to the southeast of Vernon.

The stakes are getting higher for CROs and compliance officers. Brenda Boultwood of MetricStream details why it’s increasingly imperative that risk and compliance professionals work hand in hand to address ongoing risks and strengthen organizational GRC efforts.

While risk and compliance functions have run on parallel tracks for years, 2019 is likely to witness a new level of synergy between the two groups as they collectively seek to help their organizations drive performance while preserving integrity.

Partnering in this effort will be the Chief Risk Officer (CRO) who, by virtue of his or her bird’s-eye view of organizational processes and hierarchies, is well-positioned to understand how compliance ties back to risk, where key issues or concerns might lie and how risk frameworks can be integrated with compliance to optimize value.

Some large banks have organizationally integrated their operational risk management functions with their regulatory compliance functions (or are in the process of doing so), but this is less important than understanding the synergies.

With that in mind, here are four specific areas where I believe the CRO can impact compliance in 2019:

(TNS) – Across West Virginia at about 10:30 a.m. on Tuesday, sirens will blare, weather alert radios will activate and test emergency broadcast messages will interrupt television and radio programming as a statewide tornado test alert begins.

Federal, state and county emergency officials urge West Virginia families, businesses, hospitals, nursing homes, schools and government agencies to use the test alert to simulate what actions would be taken in the event of a real tornado emergency, and to update emergency plans as needed.

“Testing your emergency plan, whether with family members or co-workers, helps ensure we will all be ready for the next severe weather event in the state,” said Michael Todorovich, director of the West Virginia Division of Homeland Security and Emergency Management.

“This is the time to work through your emergency plans and to ensure you know what to do if an actual tornado occurs in Kanawha County,” said Kanawha County Commission President Kent Carper.

In the event of a real tornado warning, families are advised to gather in the basements of their homes, or in small, interior rooms with no windows on the home’s lowest level, until the warning ends. If traveling in vehicles when a tornado warning is issued, avoid parking below overpasses or bridges and choose a low, flat site to wait out the warning.

(TNS) – More practical — and perhaps more stylish — than the latest fashion handbag, a bright red emergency preparedness “go bag” distributed by the Department of Homeland Security might be even harder to land than next season’s Fendi.

These red backpacks containing items from packets of water to hand-cranked radios are limited in distribution to senior citizens and people with disabilities who attend emergency preparedness training workshops, such as the one put on Wednesday afternoon at the office of the Cape Organization for Rights of the Disabled on Bassett Lane.

But while not everyone can get their hands on one of the DHS go bags, every adult on Cape Cod can learn to develop a response for dealing with natural disasters and other emergencies, said Barnstable police Lt. John Murphy, who attended Wednesday’s program with Barnstable Police Sgt. Thomas Twomey.

“The most important thing is the preparedness part,” Murphy said. “Get the message out. That is the goal of these types of programs.”

Monday, 18 March 2019 15:32

Prepared for Disaster in Cape Cod

Gone are the days when the workplace was built around a fairly straightforward structure, consisting of employer, employee, customer. The winds of technological change may be sweeping away traditional models, but ISO 27501 is helping managers build a more sustainable one for the future.

From the advent of the Internet to what is now known as the Fourth Industrial Revolution, the latest cutting-edge technologies – among them robotics, artificial intelligence (AI), the Internet of Things – are fundamentally changing how we live, work and relate to each other. The issue for business in this new era is not so much about the bottom line, or even just corporate social responsibility, it is also about taking a human-centred approach to the future of work and finding the right tools to ensure that organizations are successful and sustainable.

The likes of AI are presenting a great opportunity to help everyone – leaders, policy makers and people from all income groups and countries – to lead more enriching and rewarding lives, but they are also posing challenges for how to harness these technologies to create an inclusive, human-centred future.

ISO 27501:2019, The human-centred organization – Guidance for managers, can help organizations to meet these challenges. In this brave new world, organizations will not only have an impact on their customers but also on other stakeholders, including employees, their families and the wider community.

Geary Sikich explains why he believes that Brexit is a Black Swan event and describes various issues that enterprise risk managers should consider when assessing and managing Brexit risks.

In his book, ‘The Black Swan: The Impact of the Highly Improbable’, Nassim Taleb defines a Black Swan in the Prologue on pages xvii – xviii, xix, xx – xxi, xxv, xxvii.  I quote a few (what I consider) key points:

xvii: “What we call here a Black Swan (and capitalize it) is an event with the following three attributes:

First, it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility.

Second, it carries extreme impact.

Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.”

xxv: “The Platonic fold is the explosive boundary where the Platonic mindset enters in contact with messy reality, where the gap between what you know and what you think you know becomes dangerously wide.  It is here where the Black Swan is produced.”

xxvii: “To summarize: in this (personal) essay, I stick my neck out and make a claim, against many of our habits of thought, that our world is dominated by the extreme, the unknown, and the very improbable (improbable according to our current knowledge)…”

To summarize:

A Black Swan is a highly improbable event with three principal characteristics: it is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

Taleb continues by recognizing what he terms the problem: “Lack of knowledge when it comes to rare events with serious consequences.”

Lesley Maea suggests compliance today could take a cue from Marie Kondo in her Netflix hit, “Tidying Up.” To remain safe and secure, use an intranet as a single source of truth. Yes, you read that right: an intranet.

Put everything in one place. Then, you can see what you have and get rid of what you don’t need. That’s one of the organization methods Marie Kondo uses in her Netflix hit, “Tidying Up.”

Our organizational lives are like a lot of Marie’s clients. Your files are likely stacked up, spilling out or otherwise in disarray throughout your office. Some of you might be thinking, “You haven’t seen my office. I’m positively fastidious.” Well, then, let’s talk about your digital files.

Every organization — every department, even every computer — could use a little digital organization to increase compliance. Especially when it comes to employee handbooks, compliance training and policies and procedures, your employees likely don’t even know where to find the files. If they can find them, they’re probably out of date anyway.

So, let’s put everything in one place to provide employee access, keep it up to date and save your organization money.

Monday, 18 March 2019 15:28

Compliance Can Spark Joy, Right?

The DDoS threat landscape has developed rapidly leaving many organizations behind in both their perception of the risks and their actions to protect against them. Rolf Gierhard looks at the most dangerous and pervasive misunderstandings about DDoS attacks…

Most organizations understand that DDoS attacks are disruptive and potentially damaging. But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.

There are more important security issues than DDoS that need to be resolved first

When it comes to cyber attacks, the media focuses on major hacks, data breaches and ransomware incidents. Yet DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71 percent in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled, according to the Link11 DDoS Report. The number of devastating examples is large. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according to the UK National Crime Agency. And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11. It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to repair the damage such attacks cause.

What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks. As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.

GandCrab’s evolution underscores a shift in ransomware attack methods

Don’t be fooled by the drop in overall ransomware attacks this past year: Fewer but more targeted and lucrative campaigns against larger organizations are the new MO for holding data hostage.

While the number of ransomware attacks dropped 91% in the past year, according to data from Trend Micro, at the same time some 75% of organizations stockpiled cryptocurrency. The majority that did also paid their attackers the ransom, according to a Code42 study. Overall, more than 80% of ransomware infections over the past year were at enterprises, as cybercrime gangs began setting their sights on larger organizations capable of paying bigger ransom amounts than the random victim or consumer.

The evolution of the prolific GandCrab ransomware over the past few months demonstrates how this new generation of more selective attacks is more profitable to the cybercriminals using it – and underscores how the ransomware threat is far from over.

Monday, 18 March 2019 15:25

Ransomware’s New Normal

FEMA’s Integrated Public Alert & Warning System (IPAWS) now includes a new event code called Law Enforcement Blue Alert, or ‘Blue Alert’.

The new BLU event code is available for selection with the IPAWS Emergency Alert System (EAS), with future plans to release it to Wireless Emergency Alerts (WEA).

The ‘Blue Alert’ provides officials with the ability to alert the public when a law enforcement officer has been injured, killed or is missing. The alert will push real-time information to the public, like the location of the incident and any identifying information – such as suspect or vehicle description – to help locate possible suspects.

Blue Alerts will be transmitted to television and radio stations with EAS and later to cellphones and wireless devices with WEA. Similar to current Amber Alerts for missing children, Blue Alerts enable agencies to rapidly disseminate information to other law enforcement agencies, the public and media outlets.

So you’ve just been put in charge of business continuity at your organization. What’s the first thing you should do? In today’s post, we’ll tell you—and also explain why it’s important and how to go about it.


Many people find themselves thrust into a business continuity (BC) role with little warning or preparation.

They frequently come from backgrounds in risk management, auditing, compliance, or IT.

It’s a daunting prospect to suddenly find yourself in charge of Business Continuity/Disaster Recovery (BC/DR) for even a small organization. It’s like being thrown in the deep end as a beginning swimmer.

Unless you have ice in your veins, or significant BC/DR experience elsewhere, you’re likely to feel overwhelmed. You will have to take time to educate yourself on your new responsibilities, and the learning never stops.

But the very first task is always the same.

Cybrary’s Joseph Perry shares the importance of corporate responsibility and how to navigate the operational and reputational challenges in response to a breach.

The rise of data breaches is well-documented, with thousands taking place every year and at least two or three annually for most organizations. In other words, it’s a question of when – not if – your organization will be affected.

With the element of surprise long gone, so too are any excuses for not having a strategy in place for managing these breaches. And in light of the fact that privacy and cybersecurity are now high-profile concerns in the public eye, it’s increasingly clear that any successful strategy will be built on a solid foundation of corporate responsibility.

Let’s take a closer look at why enhancing corporate responsibility is such an important – and often neglected – component of surviving a breach with your reputation intact. Then I’ll share four practical tips to help move the needle in that direction for your own company.

(TNS) — Residents in Lancaster and DeSoto had an unwanted wake-up call Tuesday when a malfunction set off warning sirens.

The sirens sounded around 2:20 a.m. and didn’t go silent until sometime after 3. But unlike Saturday morning, there was no severe weather in the area.

“The Emergency Outdoor Warning Sirens have malfunctioned and are automatically sounding. We are currently working to address the concern, and will provide follow-up as quickly as possible,” read a post on the city of Lancaster’s Nextdoor page. “Sorry about the inconvenience.”

At 4:11 a.m., the city of DeSoto issued a tweet that read, “Hopefully, by now they are all quiet.”

The city also alerted residents via its CodeRed notification system saying everything was all clear and there was no emergency.

Researchers have developed a new model which shows that the probability of a catastrophic geomagnetic storm occurring is much lower than previously estimated; but the risk still needs to be taken seriously.

Three mathematicians and a physicist from the Universitat Autònoma de Barcelona (UAB), the Mathematics Research Centre (CRM) and the Barcelona Graduate School of Mathematics (BGSMath) have proposed a mathematical model which allows making reliable estimations on the probability of geomagnetic storms caused by solar activity.

The researchers, who published the study in the journal Scientific Reports (of the Nature group) in February 2019, calculated the probability in the next decade of a potentially catastrophic geomagnetic storm event, such as the one which occurred between the end of August and beginning of September 1859, known as the ‘Carrington Event’. Such an event could create major issues for telecommunications and electricity supply systems across the Earth.

In 1859, astronomer Richard C. Carrington observed the most powerful geomagnetic storm known to date. According to this new research, the probability of a similar solar storm occurring in the following decade ranges from 0.46 percent to 1.88 percent, far less than the percentage estimated before.

(TNS) — A tornado was confirmed in Loving Tuesday night, as heavy wind, rain and hail moved through Eddy County and southeast New Mexico into West Texas.

Eddy County Emergency Manager Jennifer Armendariz said video footage confirmed the tornado touched down at about 5 p.m. in Loving in southern Eddy County.

She said no damage was reported despite accounts of golf-ball-sized hail, and after about two hours the storm had mostly cleared.

Multiple shelters were set up throughout the county and Armendariz said staff was sent home by about 7 p.m.

A unit from the Eddy County Office of Emergency Management was sent out to Loving to perform “recon,” Armendariz said, and assess the damage.

Where do I start?

This is a conversation and situation I’ve had many times with different people, and it may feel familiar to some of you. You’ve been tasked with developing a BC/DR program for your organization. Assume you have little or nothing in place, and what you do have is so out of date that you feel it would be wise to start fresh. The question invariably comes up: Where do I start?

Depending on your training or background, this may start with a Business Impact Analysis (BIA) in order to prioritize and analyze your organization’s critical processes. If you have a security or internal audit background, you may feel inclined to start with a Risk Assessment. You may have an IT background and feel that your application infrastructure is paramount, and that you need a DR program immediately. If you’ve come from the emergency services or military, life and safety might be foremost in your mind, and emergency response and crisis management might be the first steps. I’ve seen clients from big pharmaceuticals that need to make their supply chain their number one priority.

The reality is that although there are prescribed methodologies with starting points outlined in best practices by various institutes and organizations with expertise in the field, there is only one expert when it comes to your organization. You.

Most organizations are doing all they can to keep up with the release of vulnerabilities, new research shows.

Security has no shortage of metrics — everything from the number of vulnerabilities and attacks to the number of bytes per second in a denial-of-service attack. Now a new report focuses on how long it takes organizations to remediate vulnerabilities in their systems — and just how many of the vulnerabilities they face they’re actually able to fix.

The report, “Prioritization to Prediction Volume 3: Winning the Remediation Race,” by Kenna Security and the Cyentia Institute, contains both discouraging and surprising findings.

Among the discouraging findings are statistics that show companies have the capacity to close only about 10% of all the vulnerabilities on their networks. This percentage doesn’t change much by company size.

About this time each year – when the SEC’s Office of Compliance Inspections and Examinations (OCIE) releases its annual Examination Priorities – we are reminded of how complex compliance can be for SEC-registered firms. As Duff & Phelps’ Chris Lombardy explains, this year is no exception.

In its 2019 Examination Priorities, issued on December 20, 2018, OCIE has outlined six themes that it will primarily, but not exclusively, focus on in the coming months. One new theme, digital assets, joins the five priorities that repeat from 2018:

  1. Matters of importance to retail investors, including seniors and those saving for retirement
  2. Compliance and risk in registrants responsible for critical market infrastructure
  3. Select areas and programs of FINRA and MSRB
  4. Digital Assets (cryptocurrencies, coins and tokens)
  5. Cybersecurity
  6. Anti-money laundering

Wednesday, 13 March 2019 15:17

How Defensible Is Your Compliance Approach?

Attackers used a short list of passwords to knock on every digital door to find vulnerable systems in the vendor’s network.

The recent cyberattack on enterprise technology provider Citrix Systems using a technique known as password spraying highlights a major problem that passwords pose for companies: Users who select weak passwords or reuse their login credentials on different sites expose their organizations to compromise.

On March 8, Citrix posted a statement confirming that the company’s internal network had been breached by hackers who had used password spraying, successfully using a short list of passwords on a wide swath of systems to eventually find a digital key that worked. The company began investigating after being contacted by the FBI on March 6, confirming that the attackers appeared to have downloaded business documents.

Password spraying and credential stuffing have become increasingly popular, so companies must focus more on defending against these types of attacks, according to Daniel Smith, head of threat research at Radware.
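As an added example (not code from the article, Citrix or Radware), the detection logic below looks for the pattern described above in authentication logs: one source address producing a few failed logins against many distinct accounts, followed by a successful login. The log format, addresses and account names are constructed for the example.

```python
"""Detect a password-spray pattern in authentication log lines.

A spray is "few passwords, many accounts": the signal is one source touching
many distinct usernames with only a handful of failures each, which a per-account
lockout threshold never sees. A brute force against one account looks different
(many failures, one user) and is deliberately not reported here.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-like sample lines (not real data). 203.0.113.7 sprays six
# accounts once each and then logs in as "grace"; 198.51.100.9 hammers one
# account; 192.0.2.5 is a normal user who mistypes once.
SAMPLE_LOG = """\
2019-03-06T08:00:01Z auth: FAILED user=alice src=203.0.113.7
2019-03-06T08:00:04Z auth: FAILED user=bob src=203.0.113.7
2019-03-06T08:00:07Z auth: FAILED user=carol src=203.0.113.7
2019-03-06T08:00:10Z auth: FAILED user=dave src=203.0.113.7
2019-03-06T08:00:13Z auth: FAILED user=erin src=203.0.113.7
2019-03-06T08:00:16Z auth: FAILED user=frank src=203.0.113.7
2019-03-06T08:00:19Z auth: OK user=grace src=203.0.113.7
2019-03-06T08:05:00Z auth: FAILED user=dave src=192.0.2.5
2019-03-06T08:05:30Z auth: OK user=dave src=192.0.2.5
""" + "".join(
    f"2019-03-06T08:01:{10 * i:02d}Z auth: FAILED user=carol src=198.51.100.9\n"
    for i in range(6)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_password_spray(lines, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Return {src: {"users": [...], "succeeded_as": [...]}} for each source whose
    failures inside any sliding window touch at least min_users distinct accounts
    with at most max_per_user attempts per account. "succeeded_as" lists accounts
    that source later logged into successfully, the spray's actual payoff."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails, okays = defaultdict(list), defaultdict(list)
    for e in events:
        (fails if e["result"] == "FAILED" else okays)[e["src"]].append(e)

    alerts = {}
    for src, evs in fails.items():
        sprayed = set()
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in evs[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                sprayed.update(counts)
        if sprayed:
            first_fail = evs[0]["ts"]
            alerts[src] = {
                "users": sorted(sprayed),
                "succeeded_as": sorted({o["user"] for o in okays.get(src, [])
                                        if o["ts"] >= first_fail}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: sprayed {len(info['users'])} accounts, "
              f"succeeded as {info['succeeded_as'] or 'none'}")
```

Tune min_users and max_per_user to the size of the directory and the lockout policy; the point is to count distinct accounts per source rather than failures per account.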

Wednesday, 13 March 2019 15:15

Citrix Breach Underscores Password Perils

(TNS) – Next month marks the ninth anniversary of the British Petroleum Deepwater Horizon oil rig explosion off the coast of Louisiana that killed 11, injured 17 others, and spewed millions of gallons of oil into the Gulf of Mexico.

For those of us closest to the accident, the April 20, 2010, explosion will always be, first and foremost, a grave tragedy. But for analysts who study such things, the mishap is also something else: a case study yielding insights about how similar mistakes might be prevented in the future.

Or so we’ve been reminded by “Meltdown,” a 2018 book by Chris Clearfield and András Tilcsik that’s just been published in paperback. The subtitle of “Meltdown” is “What Plane Crashes, Oil Spills, and Dumb Business Decisions Can Teach Us About How to Succeed at Work and at Home.”

Clearfield is a former derivatives trader who lives in Seattle. Tilcsik, who researches organizational behavior, lives in Toronto. “Meltdown” is about a number of systems failures, including Deepwater Horizon, a crash on the Washington, D.C. metro, and an accidental overdose in a state-of-the-art hospital.

Flexible workspaces are saving companies time and money when disaster strikes, says Joe Sullivan, Head of Workplace Recovery Product at Regus

According to the 2019 WEF Global Risks Report, ‘extreme weather events’ are the biggest risk we face as an international community, with natural disasters, data fraud and cyber-attacks following close behind. Preventing the unpredictable is beyond our control. What we can manage, however, is our level of preparation when disaster strikes.

At Regus, we speak from experience. In September 2018, the effects of Hurricane Florence impacted some of our centres in North Carolina, South Carolina and Virginia. The devastation was felt by so many of our colleagues, clients and their friends and family. Thankfully, our North America teams were ready to step in and help recover these facilities while taking care of our customers.

The financial cost of disasters such as this can be difficult to absorb. Since 2000, natural disasters have cost the global economy more than $2.4trn – more than $150m each year. But it’s not just the headline-grabbing incidents that affect businesses. It’s the everyday ones, too. A burst water pipe in your office may not sound like much of a threat but, if it means your premises are unusable for a month, what’s your back-up plan?

A new guide from the Cloud Security Alliance offers mitigations, best practices, and a comparison between traditional applications and their serverless counterparts.

Serverless computing has seen tremendous growth in recent years. This growth was accompanied by a flourishing rich ecosystem of new solutions that offer observability, real-time tracing, deployment frameworks, and application security.

As awareness of serverless security risks started to gain attention, scoffers and cynics repeated the age-old habit of calling “FUD” — fear, uncertainty and doubt — on any attempt to point out that while serverless offers tremendous value in the form of rapid software development and a huge reduction in TCO, there are also new security challenges.

Wednesday, 13 March 2019 15:12

The 12 Worst Serverless Security Risks

Courtesy of Mail-Gard

Mail-Gard has the opportunity to exhibit at many industry shows and conferences, but one of our go-to events is the DRJ Spring conference, which is being held March 24–27 at the Disney Coronado Springs Resort in Orlando, FL. We can always count on the Disaster Recovery Journal (DRJ) to host an informative and invaluable conference that attracts speakers and attendees from all areas of the business continuity (BC), disaster recovery (DR), and risk management (RM) fields. For us, it’s a chance to connect with leaders and participants in our shared industry.

Risk Management is the Focus of DRJ Spring 2019

The theme of this spring’s conference is “Managing Risk in an Uncertain World,” and it’s certainly true that our world has become unpredictable in many ways. One of the things we’ve learned at Mail-Gard is that it’s truly impossible to plan for every possible emergency situation, but what we can do is to plan and prepare to manage the risks that we’re aware of and to refresh our recovery solutions on a regular basis so change and uncertainty become manageable, as well.

The DRJ Spring 2019 Conference gives us the opportunity to meet with current clients looking to polish up their DR plans while enhancing their industry knowledge by taking a few classes. In addition, we also get to talk to people who either don’t have a DR plan at all, or who have realized that their DR vendor isn’t working. In either case, this is where Mail-Gard shines, because our focus is helping companies achieve their risk management goals. We assist companies in designing print-to-mail recovery solutions or helping them fix what’s wrong with their current plan.

For Mail-Gard, another advantage of attending the DRJ Spring 2019 conference will be the opportunity to brush up on the latest trends in BC/DR, such as cyber security, which is a moving target for planning and updating procedures. In fact, DRJ states, “When it comes to business continuity, what worked a year ago will not be effective today,” which is why risk management is a never-ending job. As a print-to-mail disaster recovery provider, Mail-Gard represents a different element within the larger BC/DR arena, but it’s a vital part of a successful BC/DR plan. In fact, we consider it the most important component, which is why it’s the sole focus of our business.

As a DR print-to-mail specialist, Mail-Gard has many advantages over our competition who offer DR mailing support as a sideline. Critical mailings are critical for a reason, whether financial or regulatory, and it’s surprising how often they’re overlooked or minimized in favor of the trending DR issues of the day. If you’re in Orlando during the last week in March, please stop by Mail-Gard Booth #706 at DRJ Spring 2019. The Mail-Gard group would welcome the opportunity to help you make sure that your DR plan is cleaned up, complete, and ready for spring.

Michael Henry

Vice President of Mail-Gard with more than 30 years of experience in direct mail. Specializes in leading and directing operations teams by simplifying, staying focused, and being relentless. Proud to be part of an organization that cares about its people. Longtime Philadelphia Eagles season ticket holder who also loves the Phillies and Flyers, being near the water, and coaching his kids’ sports activities.

My colleagues J. P. Gownder, Craig Le Clair, and I just published the results of a year-long study to answer the question “What happens when digital business systems and physical-world processes come together?” The answer: Atoms get their revenge. By that we mean that so much of our attention has been focused on digital business over the past decade that we have almost forgotten where business happens — in the real world.

What about eCommerce, online trading, and digital platforms? Yes, they are digital, but at the end of the day, it is still humans — sitting at their desks, in hotels, on airplanes, in the plant, at ball games, or at conferences — that drive most of the decisions around who buys what and how much, even if they’re made by programming algorithms. And all of that happens in the world of atoms. A big takeaway from our report is that when algorithms start to act on the physical world, firms have the opportunity to change their relationship with their customers. In other words, algorithms plus atoms balance the power between customers and businesses. We see savvy businesses deploying algorithms in the real world to balance customer engagement and efficient operations.

Consider, for example, innovative startup DocBox. It makes a clinical process management solution for hospitals that promises to help clinicians eliminate medical mistakes, improve clinical workflows and processes, and free up time. At the heart of its solution is a “patient area network” that integrates data from bedside machines, making insights available to doctors. While that is good for doctor and patient engagements, providers are exploring how to drive intelligence into logistics and operations to ensure that high-value capital equipment is placed and used efficiently as well.

Evan Francen, CEO of FRSecure and Security Studio, makes the case for adopting a third-party information security risk management (TPISRM) program. He outlines how to get started and explains why the common excuses for ignoring the risks don’t hold water.

Third-party information security risk management (TPISRM*) is more critical today than it’s ever been. There is little doubt amongst information security experts that TPISRM is essential to the success (or failure) of your information security efforts, but the confusion in the marketplace is making it difficult to tell truth from hype. Ignoring the risks won’t make them go away, so something must be done. We just need to make sure it’s the right “thing.”

The Case for TPISRM

If the case for TPISRM isn’t obvious to you, you’re not alone. Only 16 percent of the 1,000 Chief Information Security Officers (CISOs) surveyed in a recent study claim they can effectively mitigate third-party risks, while 59 percent of these same CISOs claim their organizations have experienced a third-party data breach.

Third parties are implicated in up to 63 percent of all data breaches and regulators are increasingly scrutinizing how organizations handle third-party risks. Your organization can spend millions of dollars on a secure infrastructure, best-in-class training and awareness solutions and the most skilled professionals, but if you neglect to account for third-party risks, some or all of your investment is a waste.

Please let these numbers sink in for a moment. Logically, how do we deny the need for sound and cost-effective TPISRM when we know that it will decrease the likelihood and impact of a data breach? Logic says one thing, yet 57 percent of organizations don’t even have an inventory of the third parties they share sensitive information with.

It has been noted numerous times, in multiple studies, that building occupants often ignore or are slow to respond to standard fire alarm sounders: this is ‘bystander apathy’. This article looks at the issue and suggests some solutions.

Bystander apathy – a condition where people ignore an emergency when they believe someone else will take responsibility – is the social psychological phenomena that can affect the pre-movement phase of an escape, prolonging the time it takes before people react to an audible alarm.

“There are multiple explanations as to why we have a natural tendency to dismiss alarms and any delay could prove critical or at worst, catastrophic,” says Steve Loughney of Siemens Building Technologies. “People respond to others around them and a collective position often emerges during emergencies i.e. if one person moves, there is a likelihood that others will follow with the reverse also true.”

“Doubts about the validity of warning sirens might also stem from loss of confidence we have in standard fire alarm systems. Nuisance alarms or false alarms have lulled us into a situation where blaring sounds or klaxons are often casually dismissed as non-emergency or non-life threatening,” continues Mr. Loughney.

This lack of urgency was echoed in studies by the International Rescue Committee when it found that less than 25 percent of occupants interpreted the sound of the fire alarm as a potential indication of a real emergency during mid-rise residential evacuation trials.

Coinhive has remained on top of Check Point Software’s global threat index for 15 straight months

Cryptominers continue to dominate the malware landscape, just as they did all of 2018. But a decision by cryptocurrency mining service Coinhive to shut down last week could change that soon, security vendor Check Point Software said in its latest malware threat report, released Monday.

Coinhive has topped Check Point’s global threat index for 15 straight months, including this February.

Coinhive’s software is designed to give website owners a way to earn revenue by using the browsers of site visitors to mine for Monero cryptocurrency. The software itself — like many other cryptominers — is not malicious. However, cybercriminals have been using Coinhive extensively to surreptitiously mine for Monero on hacked websites, making it a top threat to website operators globally in the process. Many websites that have installed Coinhive have also done so without explicitly informing site visitors about it.

Industry leaders debate how government and businesses can work together on key cybersecurity issues

If money were no object, and you didn’t have to worry about bureaucracy or politics, what would you have your organization do to make a difference in the public-private sector discourse on cybersecurity? How would you improve tactics and techniques?

“The thing I’d love to be able to do is share in real time,” said Neal Ziring, technical director for the National Security Agency’s Capabilities Directorate. The question was posed to him, and two other panelists from the public and private sectors, in the RSA Conference panel “Behind the Headlines: A Public-Private Discourse on Cyber-Defense,” last week in San Francisco.

Ziring explained how if policy were not an issue, he would want to take NSA’s foreign intelligence and turn it into actionable warnings in real time. “That’s not easy. We’re trying to work in that direction,” he said, adding that there are “considerable policy obstacles to that right now.”

Defenders are overwhelmed with an onslaught of threat data, user error, poor endpoint protection tools, and myriad other factors making their jobs harder. This discussion brought together security experts to put the spotlight on which threats should be prioritized and how the government and private sector can better improve their relationships to address them.

(TNS) – The State Emergency Management Agency officially announced Thursday that the Federal Emergency Management Agency has awarded three Missouri school districts $3.5 million in grant funding to build tornado safe rooms.

These include the previously reported tornado shelter that will be added on to the Neosho School District’s new Goodman Elementary School, as well as a stand-alone safe room on the Miller School District’s high school campus in Lawrence County, and a safe room on the elementary and middle school campus of Christian County’s Sparta School District.

“This is the actual, final step that they put in writing and now we have the official agreement,” said Jim Cummins, Neosho superintendent. “What we (Neosho) had before was a verbal phone call from SEMA saying we had been approved for it, and now they have just put it in writing.”

The three safe rooms would be capable of sheltering a total of more than 2,250 people combined, according to a SEMA news release.

Applicants to three private colleges this week discovered just how steep the price of admission can run.

Hackers breached the system that stores applicant information for Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College in New York and emailed applicants, offering them the chance to buy and view their admissions file. For a fee, the sender promised access to confidential information in the applicant’s file, including comments from admissions officers and a tentative decision. The emails demanded thousands of dollars in ransom from prospective students for personal information the hackers claimed to have stolen.

All three schools use Slate, a popular software system, to manage applicants’ information. Slate is used by more than 900 colleges and universities worldwide. The company is not aware of other affected colleges, said Alexander Clark, chief executive of Technolutions, Slate’s parent company. Officials from the affected schools declined to comment on the scope of the data breach.

There are a lot of ways that business continuity programs go off track. Here are some of the main ones, together with a list of what successful programs do to keep rolling along.

We are seeing an increase in the number of companies that recognize that a business continuity program is a must-have.

This is great, but it’s still the case that too many programs are floundering.

In our experience working as BC consultants for firms of a range of sizes and industries, we see the same problems come up again and again.

If you’re just starting a program, do yourself a favor: Try not to make any of the mistakes listed below.

How do you create an insights-driven organization? One way is leadership. And we’d like to hear about yours.

Today, half of the respondents in Forrester’s Business Technographics® survey data report that their organizations have a chief data officer (CDO). A similar number report having a chief analytics officer (CAO). Many firms without these insights leaders report plans to appoint one in the near future. Advocates for data and analytics now have permanent voices at the table.

To better understand these leadership roles, Forrester fielded its inaugural survey on CDO/CAOs in the summer of 2017. Now we’re eager to learn how the mandates, responsibilities, and influence of data and analytics leaders and their teams have evolved in the past 18 months. Time for a new survey!

Take Forrester’s Data And Analytics Leadership Survey

Are you responsible for data and analytics initiatives at your firm? If so, we need your expertise and insights! Forrester is looking to understand:

  • Which factors drive the appointment of data and analytics leaders, as well as the creation of a dedicated team?
  • Which roles are part of a data and analytics function? How is the team organized?
  • What challenges do data and analytics functions encounter?
  • What is the working relationship between data and analytics teams and other departments?
  • What data and analytics use case, strategy, technology, people, and process support do these teams offer? How does the team prioritize data and analytics requests from stakeholders?
  • Which data providers do teams turn to for external data?
  • Which strategies do teams use to improve data and analytics literacy within the company?

Please complete our 20-minute (anonymous) Data and Analytics Leadership Survey. The results will fuel an update to the Forrester report, “Insights-Driven Businesses Appoint Data Leadership,” as well as other reports on the “data economy.”

For other research on data and analytics leadership, please also take a look at “Strategic CDOs Accelerate Insights-To-Action” and “Data Leaders Weave An Insights-Driven Corporate Fabric.”

As a thank-you, you’ll receive a courtesy copy of the initial report of the survey’s key findings.

Thanks in advance for your participation.

Friday, 08 March 2019 16:27

Data And Analytics Leaders, We Need You!

As more enterprise work takes place on mobile devices, more companies are feeling insecure about the security of their mobile fleet, according to a new Verizon report.

SAN FRANCISCO – As more enterprise work takes place on mobile devices, more companies are feeling insecure about the security of their mobile fleet. That’s one of the big takeaways from Verizon’s “Mobile Security Index 2019,” released here this week.

The report is based on responses from 671 enterprise IT professionals from a wide range of business sizes across a broad array of industries. The picture they paint in their responses is one where mobile security is a major concern that’s getting worse, not better, as time goes on.

More than two-thirds (68%) say the risks of mobile devices have grown in the past year, with 83% now saying their organizations are at risk from mobile threats. Those risks have changed in the year since the first edition of the “Mobile Security Index.”

“In the first iteration, organizations were more nervous about losing access to the device itself” through theft or accidental loss, said Matthew Montgomery, a director with responsibilities for business operations, sales, and marketing at Verizon, in an interview at the RSA Conference. This time, they are worried about “… having a breach or losing access to the data, because the device became very centric to businesses in the way they work.”

Comforte AG’s Jonathan Deveaux stresses that while compliance with the GDPR is a worthy goal, adhering to the regulation doesn’t necessarily mean your organization is safe. Consider both compliance and security a journey, not a destination.

The European General Data Protection Regulation (GDPR) came into effect on May 25, 2018, ushering in a new era of data compliance regulation across the world. GDPR-like regulations have emerged in Brazil, Australia, Japan and South Korea, as well as U.S. states such as New York and California.

The GDPR was introduced to protect EU individuals’ personal information, collected by organizations, through regulation on how the data can be collected and used. Even though it is European law, the scope of the legislation affects organizations around the world.

Despite a two-year phase-in period (May 24, 2016 to May 25, 2018), many organizations around the globe remain noncompliant. A GDPR pulse survey by PwC in November 2017 revealed only 28 percent of U.S. companies had begun preparing for GDPR, and only 10 percent responded saying they were compliant.

Social engineering scams continued to be the preferred attack vector last year, but attackers were forced to adapt and change.

The growing sophistication of tools and techniques for protecting people against phishing scams is forcing attackers to adapt and evolve their methods.

A Microsoft analysis of data collected from users of its products and services between January 2018 and the end of December showed phishing was the top attack vector for yet another year. The proportion of inbound emails containing phishing messages surged 250% between the beginning and end of 2018. Phishing emails were used to distribute a wide variety of malware, including zero-day payloads.

However, the growing use of anti-phishing controls and advances in enterprise detection, investigation, and response capabilities are forcing attackers to change their strategies as well, Microsoft said.

For one thing, phishing attacks are becoming increasingly polymorphic. Rather than using a single URL, IP address, or domain to send phishing emails, attackers last year began using varied infrastructure to launch attacks, making them harder to filter out and stop.

ERP Maestro’s CEO Jody Paterson discusses cybersecurity risk disclosure and compliance and how executives are being held more personally accountable for nondisclosure as outlined by the SEC.

Companies face a multitude of risks and threats. Reporting them to stakeholders and investors is a requirement, and serious consequences may ensue for a failure to do so – for the company and, increasingly, for business leaders. It’s a liability no company wants and a personal disaster no executive wishes to encounter. To prevent such catastrophes for the latter, individuals need to understand how they may be accountable.

For public companies, disclosing business risks has long been mandatory on periodic reports, such as annual reports, 10-K forms, quarterly 10-Qs and 8-K current incident reports as needed.

As technology has become not only the primary offering of many companies, but also the norm for business operations and financial management, external risks, such as security breaches and cyberattacks, have been included in the Securities and Exchange Commission’s (SEC) risk reporting requirements.

Over and over, clients tell us they just don’t get enough funding for the kind of privacy programs they want to create. In fact, many privacy budgets shrank in 2019, after firms were forced to spend more than they expected on GDPR compliance in 2018. But what if we told you that customer-centric privacy programs could actually drive a positive ROI — would your CFO find the budget then? We’re betting so.

That’s why we recently built a Total Economic Impact model on the ROI of privacy. We were convinced that there’s more to privacy investments than CYA, and we were right.

(TNS) — They started Alabama’s way from Louisiana as soon as word went out about Sunday’s deadly tornadoes in Lee County. It was the same when Hurricane Michael flattened Mexico Beach, Fla., last year. It’s been the same since 2016. People were in trouble, and they went on the road.

They’re called the Cajun Navy, but they’re not one organization. The Louisiana Secretary of State’s website lists 11 different organizations with “Cajun Navy” in their name. The best known, perhaps, is Cajun Navy 2016. It is named for the year it was founded by two friends in Baton Rouge after they had volunteered in the catastrophic flooding there.

“We’re the ones that have been to the White House multiple times,” Vice President Billy Brinegar said Tuesday. “We do things the right way. We try to get involved with the local EOCs (Emergency Operations Centers) or fire departments or whoever, just coordinate with them so they know we’re on the scene and we work together.”

Why Do Bots Fail to Scale Across the Enterprise?

The interest in RPA has skyrocketed, and company leaders are challenging their teams to find out more about the technology and its associated benefits. With the increased interest in RPA, we have seen a significant uptick in teams testing the RPA waters by starting Bot development and implementation pilots. What we have also found is that teams are struggling to move beyond the pilots due to some fundamental errors made during RPA Program Setup and Execution and Bot Development and Implementation.

RPA Program Setup and Execution

What we find is that there is a lack of an RPA enterprise strategy and foundation, and a lack of understanding about RPA, solution capabilities and where to focus efforts.

Whitefly has been exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.

Whitefly, a previously unknown threat group targeting organizations in Singapore, is the latest to demonstrate just how effective some long-standing attack techniques and tools continue to be for breaking into and maintaining persistence on enterprise networks.

In a report Wednesday, Symantec identified Whitefly as the group responsible for an attack on Singapore healthcare organization SingHealth last July that resulted in the theft of 1.5 million patient records. The attack is one of several that Whitefly has carried out in Singapore since at least 2017.

Whitefly’s targets have included organizations in the telecommunications, healthcare, engineering, and media sectors. Most of the victims have been Singapore-based companies, but a handful of multinational firms with operations in the country have been affected as well.

The failed Fyre Festival of 2017 serves as a cautionary tale to any who’d ignore warnings from trusted advisers and key stakeholders. Sandra Erez discusses how the Fyre Festival went so disastrously wrong – and the lesson compliance practitioners should take away.

The recent Netflix documentary “Fyre: The Greatest Party that Never Happened” revealed the 2017 fiasco to be a real “trip” – the kind that comes from bad LSD with lingering, long-term effects. Touted as a luxury music festival set on the balmy beaches of the Bahamas, this highly publicized would-be event tantalized millennials with the chance to live the elusive elite lifestyle for a weekend (and talk about it for the rest of their lives). Dangling ads of bikinied supermodels frolicking in the waves succeeded as the bait that would reel thousands of suckers in to this Titanic event – hook, line and sinker. Never mind that it all seemed to be too good to be true; everything is possible if you have the right app, the right hair, the right attitude and are in search of the perfect Instagram backdrop – real or not.

The Fyre Festival launch started off with a splash worthy of any jet ski – selling 95 percent of the costly tickets within 24 hours. Like moths to a flame, the target audience was enticed into the web spun with golden promises, thereby proving to founder Billy McFarland and his team that his idea was on fire. Now, totally pumped and egged on by their initial spectacular success, the staff and partners literally dug their heels (and unfortunately their heads) into the sand to get this show on the road.

Thursday, 07 March 2019 14:21

Liar, Liar, Pants on Fyre

Information travels more quickly than ever.

If a disaster occurs in your community, you will need to work quickly and decisively to ensure that the information that gets to the public is accurate, balanced and useful to the people who need it most. Good crisis communications is the result of a clear and well-developed media relations policy. If you want the headlines to reflect an accurate story, you will need to understand what drives them and how you can establish a beneficial and positive relationship with the press.

Good Crisis Communication Starts Before the Crisis

A good crisis communications plan will ensure that your organization is prepared to get information out in a way that is helpful to all stakeholders. While you cannot anticipate every potential crisis, most well-constructed plans are flexible enough to address a range of needs.

Begin by considering what sorts of crises are most likely in your community. What will be the potential impact on the people and businesses within your community? For instance, a city in the Midwest can expect periodic severe snow storms. These may cause power outages and leave roads impassable for a period of time. Cities in the southeastern part of the US should be prepared for hurricanes in the warmer half of the year. Areas throughout the country should have plans for manmade disasters that include mass shooter events.

Wednesday, 06 March 2019 15:34

What will your headline be?

(TNS) — The city of Dayton, Ohio received more than 12,000 phone calls during its nearly catastrophic water main break emergency that happened Feb. 13-15.

The cause of the break still isn’t known, since city crews still haven’t been able to inspect the line because of high river levels.

The city said it has been monitoring the river daily and would evaluate again Monday.

Though it wasn’t an especially long emergency, it was an intense time in Dayton.

In 72 hours, Dayton’s water dispatch center received 8,958 calls, or about 20 times the number it receives in a typical week at this time of year. Dispatch handled 393 calls in the last week of January and 463 in the first week of February.

“When this happened, our call centers were completely overwhelmed with phone calls,” said Dayton City Manager Shelley Dickstein.

Problem lies in the manner in which Word handles integer overflow errors in OLE file format, Mimecast says.

The manner in which Microsoft Word handles integer overflow errors in the Object Linking and Embedding (OLE) file format has given attackers a way to sneak weaponized Word documents past enterprise sandboxes and other anti-malware controls.

Security vendor Mimecast, which discovered the issue, says its researchers have observed attackers taking advantage of the OLE error in recent months to hide exploits for an old bug in the Equation Editor component of Office that was disclosed and patched in 2017.

In one instance, an attacker dropped a new variant of a remote access backdoor called JACKSBOT on a vulnerable system by “chaining” or combining the Equation Editor exploit with the OLE file format error.

When business continuity (BC) professionals hear that the Polar Vortex is collapsing, they aren’t simply worried about the inconvenience of cold temperatures — they are focused on the impact of severe weather to business operations and workforce safety.

Natural disasters and extreme weather resulted in approximately $160 billion worth of damage last year, and reinsurance company Munich RE forecasts this figure will be surpassed in 2019. Abnormal weather patterns — the type that can cause extended cold weather snaps as well as more frequent and intense winter storms — require that BC leaders properly plan for this new weather reality.

And it appears that organizations are acutely aware of the role workforce communications plays with winter weather. In the survey conducted by research firm DRG last year, 47% of decision-makers said severe and extreme weather events are their leading concern when it comes to emergency communications and response — outpacing other events such as active shooters (23%), cybersecurity attacks (13%), IT outages (10%), and workplace violence (6%).

With extreme and severe winter weather raising the stakes for business continuity, it also raises the probability of mistakes: requiring that employees commute into work in unsafe conditions or failing to communicate with your workforce in a timely fashion can elevate human and business risk. Organizations can’t change the weather, but they can mitigate its impact through proper preparation and communication before, during and after adverse winter weather hits. This starts with eliminating six common winter weather mistakes.

Last April, we outlined how the “Tech Titans” (Amazon, Google, and Microsoft) were poised to change the cybersecurity landscape by introducing a new model for enterprises to consume cybersecurity solutions. Security has long been delivered as siloed solutions located on-premises. These solutions were hard to buy and hard to use. Security leaders were hampered by the technologies’ lack of connectedness, poor user interfaces, and difficulty of administration. Understaffed, stressed security teams struggled to balance the responsibilities of defending their enterprise while updating an ever-expanding toolset.

Cloud adoption by cybersecurity also lags other parts of the enterprise. Many of the security tools enterprises rely on are still deployed on-premises, even as more and more of IT shifts to the cloud. Running counter to other parts of the enterprise, most security teams incur the expense of pulling logs from cloud environments to then process and store them on-premises.

Security analytics platforms such as legacy security information management (SIM) systems struggled to keep pace with the increasing volume and variety of data they process. Unhappy users complained about the inability of their SIMs to scale and the volume of alerts they must investigate.

Enterprises struggling with the cost of data analysis and log storage turned to open source tools such as Elasticsearch, Logstash, and Kibana (ELK) or Hadoop to build their own on-premises data lakes. But then they were unable to glean useful insight from the data they had collected and realized that the expense of building and administering these “free” tools was just as great as the cost of commercial tools.

There are nine enterprise risk management (ERM) activities that at least nine-in-ten of the North American chief risk officers (CROs) we surveyed said that they perform in one way or another over the course of a year. None of these activities is necessarily strategic, but a strategic CRO can put a strategic spin on any of them.

And the more times CROs are heard speaking strategically about their work, the more likely they will be invited to play a role in the future strategic activities of the firm.

In general, the way to make any of these activities more strategic is to shift orientation away from focusing on separating information by risk and toward presenting the information in the context of strategy. Easy to say, but the nuances of how to do that play out differently for each activity.

Let’s review these nine activities and see how the seemingly mundane can be strategic.

Slack, the cloud-based set of collaborative tools for teams, is taking over, and changing the way we work for good. Here’s what co-founder Stewart Butterfield has to say about the workplace of the future.

Haven’t you heard? Email is dead. At least, that’s what Stewart Butterfield would have you believe. Launched in 2014, his cloud-based ‘virtual assistant’ (which provides team collaboration tools) is doing away with the need for time-consuming and inefficient electronic communication – and changing the way we work altogether.

He might be on to something. Slack is one of the fastest-growing business applications in the last decade. According to its latest figures, there are now more than eight million daily active users across more than 500,000 organisations that use the platform. The company has more than three million paid users and 65 per cent of companies in the Fortune 100 are paid Slack users. More than 70,000 paid teams with thousands of active users connect in Slack channels across departments, borders and oceans.

So when Butterfield and his team share their opinions on the future of work, it’s worth paying attention. Here are five of their predictions.

Monday, 04 March 2019 16:13

The Future of Work According to Slack

Charlie Maclean Bristol explains why developing a playbook for the main types of cyber attacks will help businesses respond effectively when an attack occurs. He also provides a checklist covering the areas that such a playbook should include.

When I first thought about cyber playbooks I envisaged the playbook helping senior management or the crisis team make a key decision in a cyber incident, such as, whether or not to unplug the organization from the internet and prevent any network traffic on the organization’s IT network. As this is a critical decision for the organization and the consequences of making the wrong decision are huge, this type of playbook would help the team understand, at short notice, what factors they should consider and the impact of the different decisions they could make.

I was running a cyber exercise a couple of weeks ago and suddenly thought that there was a need for another type of playbook, which is basically a plan for how to deal with different types of cyber attack. As we know, the more planning we do the better prepared we will be for managing an incident, and thinking through how we would respond throws up questions and issues which we can work to solve, without the cold sweat and pressure of the incident taking place.

Cyber response should be in two parts. Firstly, you need an incident management team to manage the consequences of the cyber-attack. This team is separate from a cyber incident response team, who should deal with the technical response, and should concentrate on restoring the organization’s IT service. The organization’s incident management team can be the same as the crisis management team, as they are going to be dealing with the reputation and strategic impacts of the incident.

Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.

Businesses are embracing the cloud at a rate that outpaces their ability to secure it. That’s according to 60% of security experts surveyed for Firemon’s first “State of Hybrid Cloud Security Survey,” released this week.

Researchers polled more than 400 information security professionals, from operations to C-level, about their approach to network security across hybrid cloud environments. They learned that not only are security pros worried; oftentimes they don’t have jurisdiction over the cloud at all.

Most respondents say their businesses are already deployed in the cloud: Half have two or more different clouds deployed, while 40% are running in hybrid cloud environments. Nearly 25% have two or more different clouds in the proof-of-concept stage or are planning deployment within the next year.

Emergency Response? Crisis Management? Business Continuity? Disaster Recovery? How do you know which plan to use during an incident?

It’s often confusing which plan to activate, and who is in charge.

Each plan should clearly identify the scope and responsibilities for executing the plan and have distinct and disparate objectives. During the life-cycle of an incident, all of the plans may be activated – but often only some of them are. Like many things, “it depends”.

Let’s go into more detail on each of the plans and their purpose.

With famous CEOs and big-name proponents of a shorter working week getting their voices heard, Ben Hammersley finds out whether more time out of the office – with the same amount of work to do – really can be achieved.

On the face of it, it’s kind of a classic line for a billionaire who owns a tropical island paradise to say. The sort of statement that, when read on a rainy commute home from another 60-hour week would usually result in the newspaper being tossed aside. But, when Sir Richard Branson opined in a blog post that flexible working, with unlimited holiday time, is the way to achieve happiness and success at work, he wasn’t just talking about senior management. It was about everyone. Further still, according to CNBC, he’s recommending even longer weekends:

“Many people out there would love three-day or even four-day weekends,” he reportedly said. “Everyone would welcome more time to spend with their loved ones, more time to get fit and healthy and more time to explore the world.”

Over a billion people around the world have some form of disability. Empowerment and inclusiveness of this large section of the population are therefore essential for a sustainable society, and make up the theme of this year’s International Day of Persons with Disabilities. The Day also contributes to the goals outlined in the United Nations 2030 Agenda for Sustainable Development, which pledges to “leave no one behind”. Many of ISO’s International Standards are key tools to achieving these goals, and there are many more in the pipeline.

From signage in the street to the construction of buildings, ISO standards help manufacturers, service providers, designers and policy makers create products and services that meet the accessibility needs of every person. These include standards for assistive technology, mobility devices, inclusivity for aged persons and much more. In fact, the subject is so vast, we even have guidelines for standards developers to ensure they take accessibility issues into account when writing new standards.

Developed by ISO in collaboration with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), ISO/IEC Guide 71, Guide for addressing accessibility in standards, aims to help standards makers consider accessibility issues when developing or revising standards, especially if they have not been addressed before.

Summary: FINRA is conducting a retrospective review of Rule 4370 (Business Continuity Plans and Emergency Contact Information), FINRA’s emergency preparedness rule, to assess its effectiveness and efficiency. This Notice outlines the general retrospective rule review process and seeks responses to several questions related to firms’ experiences with this specific rule.

To effectively defend against today’s risks and threats, organizations must examine their failings as well as their successes.

In life in general — and, of course, in security specifically — it is helpful to understand when I am the problem or when my organization is the problem. By that, I mean that it is important to discern when an approach to a problem is simply ineffective. When I understand that an approach doesn’t work, I can try different things until I find the right solution. This is the definition of repetition.

Redundancy, on the other hand, is when I (or my organization) keeps trying the same approach and nothing changes. It makes no sense to expect different results without a different approach. This, of course, is the definition of redundancy. What can the difference between repetition and redundancy teach us about security? An awful lot.

(TNS) – This would be a first for California: state government buying insurance to protect itself against overspending its budget.

But before you start pelting the politicians and screaming fiscal irresponsibility, know that the budget-busting would be for fighting wildfires.

That puts it in an entirely different category from, say, controversial spending to help immigrants who are here illegally, or trying to register voters at the notoriously jammed DMV.

No sane person is going to gripe about overspending tax dollars to douse a deadly wildfire.

But it does amount to a sucker punch for state budgeters, who might be forced to grab money from other state programs to pay for the firefighting. Fortunately in recent years the robust California economy has been producing state revenue surpluses. So, little problem.

The Watchlist, which contained the identities of government officials, politicians, and people of political interest, is used to identify risk when researching someone.

A data leak at Dow Jones exposed the financial firm’s Watchlist database, which contains information on high-risk individuals and was left on a server sans password.

Watchlist is used by major global financial institutions to identify risk while researching individuals. It helps detect instances of crime, such as money laundering and illegal payments, by providing data on public figures. Watchlist has global coverage of senior political figures, national and international government sanction lists, people linked to or convicted of high-profile crime, and profile notes from Dow Jones citing federal agencies and law enforcement.

The leak was discovered by security researcher Bob Diachenko, who found a copy of the Watchlist on a public Elasticsearch cluster. The database exposed 2.4 million records and was publicly available to anyone who knew where to find it – for example, with an Internet of Things (IoT) search engine, he explained in a blog post.

(TNS) – One of the winter’s strongest storms brought flooding across Northern California’s wine country Wednesday, with no region hit harder than the town of Guerneville and the Russian River Valley, which has been inundated repeatedly over the decades.

Some 3,600 people in about two dozen communities near the river were evacuated Wednesday by the flooding, which prompted the Sonoma County Board of Supervisors to declare a local emergency. Authorities warned that those who chose to stay in their homes could be stuck there for days.

“We have waterfront property now,” said Dane Pitcher, 70, who watched from the third-story window of his bed and breakfast, the Raford Inn in Healdsburg, as rising water pooled to create a 100-acre lake in front of his property. “We’re marooned for all intents and purposes.”

The Russian River, which sat about 10 feet Monday morning, rose an extraordinary 34 feet over two days, said Carolina Walbrun, meteorologist with the National Weather Service in the Bay Area. By Wednesday afternoon, the river had swollen to 44.3 feet — more than 12 feet above flood stage. One rain gauge near Guerneville reported receiving nearly 20.5 inches of rain in 48 hours by early Wednesday, turning the town into a Russian River island.

The Threat and Risk Assessment (TRA) is one aspect of business continuity that has come under criticism recently. In our opinion, this tool remains highly valuable, provided it is used correctly.

The complaints against the TRA are similar to those expressed about the Business Impact Analysis. People say it isn’t useful, that the information gathered tends to be of low quality, and that it’s too disruptive to the staff of other departments.

(TNS) – Dozens of emergency responders rushed Tuesday around the Capitol Federal building in downtown Topeka during an exercise simulating an active assailant incident.

The training was organized by the Shawnee County, Kan., Department of Emergency Management and included several area agencies.

“We like to think when it happens here, versus if — that way we have that mindset and we’re more prepared,” said emergency management director Dusty Nichols.

The rescue task force stems from the 1999 Columbine High School shooting and other mass casualty events.

Beware of These Risks to Build Resilience

Steve Durbin, Managing Director of the Information Security Forum (ISF), discusses some of the key risks to organizations today and provides guidance on how to steer clear of them while becoming more resilient.

Until recently, leading executives at organizations around the world received information and reports encouraging them to consider information and cybersecurity risk. Yet not all of them understood how to respond to those risks and the implications for their organizations. A thorough understanding of what happened (and why it is necessary to properly understand and respond to underlying risks) is needed by the C-suite, as well as all members of an organization’s board of directors in today’s global business climate. Without this understanding, risk analyses and resulting decisions may be flawed, leading organizations to take on greater risk than intended.

Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. Over the past few years, we’ve seen cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares.

(TNS) – This weekend’s storm has meant long hours for emergency personnel as numerous stranded motorists were in need of rescuing.

According to Mower County, Minn., Sheriff Steve Sandvik, preliminary numbers indicate that over 150 vehicles were abandoned throughout Mower County during the storm.

Many of those vehicles contained people in need of rescue.

The severity of the storm became apparent after a deputy’s squad car and a snowplow sent to rescue a stranded woman and her grandchild both got stuck Saturday night six miles north of Austin. Sandvik had to call in a road grader to get them out.

Six years ago, I noticed a pattern in the inquiry calls I was fielding from clients. At the time, many of them centered around things like BYOD, whether to take away local admin rights from PCs, and other decisions driven by escalating fears of security or compliance risks. If I was able to answer their questions in less than 30 minutes, it gave me an opportunity to ask a question or two of my own: “So you have responsibility for the productivity of 10,000 people, yes?” Their answer was usually some variation of “I guess you could say that.” To which I would then ask: “OK, tell me what you know about how your decisions will impact their motivation or willingness to engage.” After a few moments of uncomfortable silence, their answer was often “I don’t know.” An opportunity was born.

Fast-forward to today, and I’m proud to be sharing with you the results of six years’ worth of research to better understand what really drives employee experience (EX). Spoiler alert: It’s not what you think it is. Ask any group of managers to rank in order of importance the factors they think are most likely to create a positive employee experience. They will say things like recognition, pay-for-performance, important work, great colleagues, or flexibility. Of course these things are important, but they’re not the most important. Psychological research shows that the most important factor for employee experience is being able to make progress every day toward the work that they believe is most important. But when presented with this option, managers will consistently rank it dead last. Clearly, we have a gap.

Thursday, 28 February 2019 15:06

The Employee Experience Index

In the cyber threat climate of the 21st century, sticking with DevOps is no longer an option

In 2016, about eight years following the birth of DevOps as the new software delivery paradigm, Hewlett Packard Enterprise released a survey of professionals working in this field. The goal of the report was to gauge application security sentiment, and it found nearly 100% of respondents agreed that DevOps offers opportunities to improve overall software security.

Something else that the HPE report revealed was a false sense of security among developers since only 20% of them actually conducted security testing during the DevOps process, and 17% admitted to not using any security strategies before the application delivery stage.

Another worrisome finding in the HPE report was that the ratio of security specialists to software developers in the DevOps world was 1:80. As can be expected, this low ratio had an impact on clients that rely on DevOps, because security issues were only detected during the configuration and monitoring stages, thereby calling into question the efficiency of DevOps as a methodology.

When developing their business continuity plans, office managers, IT leads and risk teams now have a new weapon in their arsenal – flexible workspace

According to a recent global study by Regus, a staggering 73% of respondents claimed that flexible workspace solutions have helped mitigate risks that could threaten the flow of business operations.

As Joe Sullivan, Regus’ Managing Director of Workspace Recovery observes: “Flex space has become a preferred choice when companies establish or upgrade their business continuity plans.

“Today we no longer assume that all the bad stuff happens to someone else,” observes Sullivan. Indeed, according to the 2019 WEF Global Risks Report, “extreme weather events” were cited as the number one risk facing countries globally, followed closely by natural disasters, data fraud and cyber-attacks.

The UK Government has published a new document which highlights some of the expected impacts of a no-deal Brexit on businesses. It concludes that ‘lack of preparation by businesses and individuals is likely to add to the disruption experienced in a no-deal scenario.’

Entitled ‘Implications for business and trade of a no deal exit on 29 March 2019’, the document summarises Government activity to prepare for no deal as a contingency plan, and provides an assessment of the implications of a no deal exit for trade and for businesses, given the preparations that have been made.

Some of the highlights from the document include:

Because many organizations tend to overlook or underestimate the threat, social media sites, including Facebook, Twitter, and Instagram, are a huge blind spot in enterprise defenses.

Social media platforms present far more than just a productivity drain for organizations.

New research from Bromium shows that Facebook, Twitter, Instagram, and other high-traffic social media sites have become massive centers for malware distribution and other kinds of criminal activity. Four of the top five websites currently hosting cryptocurrency mining tools are social media sites.

Bromium’s study also finds one in five organizations have been infected with malware distributed via a social media platform, and more than 12% already have experienced a data breach as a result. Because many organizations tend to overlook or underestimate the threat, social media sites are a huge blind spot in enterprise defenses, the study found.

(TNS) – Aurora, Ill., police released audio of the 911 calls and emergency dispatch made during the Feb. 15 Aurora warehouse shooting at Henry Pratt Co. that left five employees dead.

Police communications detail the hour-long manhunt that injured six police officers, who were also identified by the department Monday.

The shooter — Gary Martin — began firing either during or shortly after a meeting where he was fired from the job he held for 15 years. He then retreated into the back of the 29,000-square-foot facility at 641 Archer Ave. and was eventually killed in a shootout with Aurora and Naperville police.

Five officers quickly responded to dispatch calls. One said “we are moving north through the warehouse. We haven’t heard anything yet,” when suddenly another officer screams that shots were fired outside in a bay area.

As more organizations move to the public cloud and to DevOps and DevSecOps processes, the open source alternative for host-based intrusion detection is finding new uses.

Used by more than 10,000 organizations around the world, OSSEC has provided an open source alternative for host-based intrusion detection for more than 10 years. From Fortune 10 enterprises to governments to small businesses, OSSEC has long been a standard part of the toolkit for both security and operations teams.

As more organizations move to the public cloud infrastructure and to DevOps and DevSecOps processes, OSSEC is finding new use cases and attracting new fans. Downloads of the project nearly quadrupled in 2018, ending the year at more than 500,000. Much of this new activity was driven by Amazon, Google, and Azure public cloud users.

While many security and operations engineers are familiar with OSSEC in the context of on-premise intrusion detection, this article will focus on the project’s growing use and applicability to cloud and DevSecOps use cases for security and compliance.

Wednesday, 27 February 2019 14:43

A ‘Cloudy’ Future for OSSEC

At least 21 individuals died during the 2019 Polar Vortex—including two university students.

The University of Vermont and the University of Iowa both experienced deaths suspected to be due to exposure to sub-zero temperatures. These universities are no strangers to severe winter weather, but these extreme weather conditions are becoming more common, and campuses must prepare.

It’s impossible to reliably predict every emergency. But weather events are one crisis that can be anticipated, based on your region and common weather threats experienced. Universities and college campuses are also often in the unique position of coordinating with internal safety officials and campus police along with community safety officials. A weather preparedness plan puts processes in place to protect your students, faculty, and institution. By having a weather preparedness plan ready for deployment, your campus can react swiftly to threats—and substantially reduce the risk of injury or even death.

Weather phenomena aren’t the only concern when considering an emergency plan.

OSHA defines workplace emergencies as “an unforeseen situation that threatens your employees, customers, or the public; disrupts or shuts down your operations; or causes physical or environmental damage” which can include:

  • Floods
  • Hurricanes
  • Tornadoes
  • Fires
  • Toxic gas releases
  • Chemical spills
  • Radiological accidents
  • Explosions
  • Civil disturbances
  • Workplace violence resulting in bodily harm and trauma

Keeping employees safe during a critical event is the top priority for any company, so consider these five steps to ensure trauma is kept at a minimum.

The right to be forgotten is a fundamental aspect of both the GDPR and CCPA privacy laws; but its impact on personal information in data backups has yet to be tested. Bill Tolson explains the issue and provides some practical advice.

A great deal has been written about the GDPR and CCPA privacy laws, both of which include a ‘right to be forgotten’. The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).

The main trigger for this radical step came from the business practices of major Internet companies such as Google and Facebook (among others) around how they collect and use personal data, which they subsequently sell to other companies for marketing and sales purposes. Additionally, as ‘fake news’ spread, those affected found it was almost impossible to get the Internet companies (including news publishers) to fix or remove the false data. Because of this, the GDPR and CCPA were established to ensure end-user rights to know what data is being collected on them, how it’s being used, and if it’s being sold and to whom. The right to be forgotten includes the right to have privacy information (PI) fixed or removed, quickly.

There continues to be a debate about the practicality of establishing a right to be forgotten (which amounts to an international human right) due in part to the breadth of the regulations and the potential costs to implement. Additionally, there continues to be concern about its impact on the right to freedom of expression. However, most experts don’t foresee these new privacy rights disappearing, ever.

(TNS) – Cambria County officials are making efforts to ensure that first responders can communicate effectively and consistently with each other when it matters most – during emergency calls.

An overhaul of the county’s 911 radio system got rolling last March, when the Cambria County commissioners approved a contract with Mission Critical Partners – tasked with analyzing the current 911 network, and tracking immediate fixes and future design enhancements.

The $201,870 contract covers network design services, along with a $16,500 equipment allowance.

Robbin Melnyk, county 911 coordinator, said the coverage area of the current radio system has been affected by tree growth and the use of analog radios instead of digital units.

That has created situations in which first responders can’t communicate with dispatchers at the 911 center or with each other on emergency scenes.

Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.

A credential stuffing attack is when attackers compile usernames and passwords that were leaked in previous security breaches and use those credentials to try to gain access to accounts at other sites. This type of attack works particularly well against users who reuse the same password at every site.

Despite the openness of the Android platform, Google has managed to keep its Play store mainly free of malware and malicious apps. Outside of the marketplace is a different matter.

In 2018, Google saw more attacks on users’ privacy, continued to fight against dishonest developers, and focused on detecting the more sophisticated tactics of mobile malware and adware developers, the Internet giant stated in a recent blog post.

Google’s efforts — and those of various security firms — highlight that, despite ongoing success against mobile malware, attackers continue to improve their techniques. Malware developers continue to find new ways to hide functionality in otherwise legitimate-seeming apps. Mobile applications with potentially unwanted functionality, so-called PUAs, and applications that eventually download additional functionality or drop malicious code, known as droppers, are both significant threats, according to security firm Kaspersky Lab.

For Google, the fight against malicious mobile app developers is an unrelenting war to keep bad code off its Google Play app store, the firm said.

The reports of the death of the field of business continuity have been greatly overstated. But those of us who work in it do have to raise our performance in a few critical areas.

For some time, reports predicting the imminent demise of the field of business continuity have been a staple of industry publications and gatherings.

The most prominent of these have been the manifesto and book written by David Lindstedt and Mark Armour. For an interesting summary and review of their work, check out this article by Charlie Maclean Bristol on BC Training.

Friday, 22 February 2019 15:25

Business Continuity, R.I.P.?

Recommended best practices not effective against certain types of attacks, they say.

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled “Distinguishing Attacks from Legitimate Authentication Traffic at Scale” — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.
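Both the credential stuffing item above and this one describe the same defender's problem: each leaked credential pair is tried once against a different account, so per-account failure counters never trip and the signal only appears when attempts are aggregated by source across all accounts. The following added example (not code from either article or from the NDSS paper) shows that contrast on constructed authentication log lines; the log format, field names and threshold values are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed for this example, not a real product's):
# "<timestamp> ip=<source> user=<account> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 tries eight different accounts once each
# (one leaked password still works); 198.51.100.2 hammers a single account;
# 192.0.2.9 is ordinary traffic.
SAMPLE_LINES = [
    "2019-02-20T10:00:01Z ip=203.0.113.7 user=a.nguyen result=fail",
    "2019-02-20T10:00:02Z ip=203.0.113.7 user=b.ortiz result=fail",
    "2019-02-20T10:00:03Z ip=203.0.113.7 user=c.smith result=fail",
    "2019-02-20T10:00:04Z ip=203.0.113.7 user=d.khan result=fail",
    "2019-02-20T10:00:05Z ip=203.0.113.7 user=e.rossi result=fail",
    "2019-02-20T10:00:06Z ip=203.0.113.7 user=f.chen result=fail",
    "2019-02-20T10:00:07Z ip=203.0.113.7 user=g.park result=fail",
    "2019-02-20T10:00:08Z ip=203.0.113.7 user=h.lee result=ok",
    "2019-02-20T10:01:00Z ip=198.51.100.2 user=alice result=fail",
    "2019-02-20T10:01:05Z ip=198.51.100.2 user=alice result=fail",
    "2019-02-20T10:01:10Z ip=198.51.100.2 user=alice result=fail",
    "2019-02-20T10:01:15Z ip=198.51.100.2 user=alice result=fail",
    "2019-02-20T10:01:20Z ip=198.51.100.2 user=alice result=fail",
    "2019-02-20T10:01:25Z ip=198.51.100.2 user=alice result=ok",
    "2019-02-20T10:02:00Z ip=192.0.2.9 user=bob result=ok",
    "2019-02-20T10:02:30Z ip=192.0.2.9 user=carol result=ok",
    "this line is malformed and must be skipped",
]


@dataclass
class SourceStats:
    """Aggregate view of one source IP across every account it touched."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return 1.0 - self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, user, ok) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], m["user"], m["result"] == "ok"


def summarize(lines):
    """Group attempts by source IP (the cross-account view)."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than crash the detector
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.users.add(user)
    return dict(stats)


def per_user_failures(lines):
    """The per-account view a classic lockout rule sees."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and not parsed[2]:
            counts[parsed[1]] += 1
    return dict(counts)


def flag_credential_stuffing(stats, min_attempts=5, min_distinct_users=5,
                             max_success_rate=0.25):
    """Sources that spread attempts over many accounts with mostly failures.

    The thresholds are assumed starting points; tune them to your own traffic.
    A single-account brute force is deliberately not matched here, because a
    per-account lockout already covers that case.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.success_rate <= max_success_rate
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    print("flagged sources:", flag_credential_stuffing(stats))
    print("per-account failures:", per_user_failures(SAMPLE_LINES))
```

In the sample, every account hit by the spraying source fails exactly once, so a five-strikes lockout would never fire, while the source-level view flags it immediately.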

Safe Web Use Practices for Investment Firms

Regulating web use for employees via compliance handbook and URL filters for blacklisted (bad) and whitelisted (good) online resources has failed to improve compliance. Authentic8’s John Klassen discusses how firms are increasingly turning to a centrally managed and monitored cloud browser to regain control, unobtrusively maximize visibility into employees’ web activities and ensure compliance without sacrificing productivity or risking an internal backlash.

Pressure from the SEC and state authorities has increased over the past two years to remediate areas of cybersecurity weakness. Yet regulators and compliance professionals agree that alarming gaps remain in how regulated financial services firms use the web. Many firms still struggle to effectively control, secure and monitor employee web activities.

So what’s the holdup?

Industry insiders point to the ubiquitous use of a tool that was conceived almost 30 years ago: the locally installed browser. Many firms still use a traditional “free” browser for all their web activities, its inherent architectural flaws and vulnerabilities notwithstanding. At the same time, CCOs and IT are also increasingly aware of the risks associated with local browser use:

UK businesses are most concerned about the susceptibility of 5G to cyber attacks according to EY’s latest Technology, Media and Telecommunications (TMT) research.

40 percent of respondents are worried about 5G and cyber attacks while a similar percentage (37 percent) were cautious over the security of Internet of Things (IoT) connectivity. The survey also found that while 5G investment is set to catch-up with Internet of Things spend over the next two years, doubts surround its readiness and relevance. Just over one third of respondents feared that 5G is too immature, while 32 percent believe it lacked relevance to overall technology and business strategy.

The survey of 200 UK businesses looked at attitudes towards the adoption of 5G and IoT technology as well as organizations’ expectations from tech suppliers.

The constant stresses from advanced malware to zero-day vulnerabilities can easily turn into employee overload with potentially dangerous consequences. Here’s how to turn down the pressure.

Cybersecurity is one of the only IT roles where there are people actively trying to ruin your day, 24/7. The pressure concerns are well documented. A 2018 global survey of 1,600 IT pros found that 26% of respondents cited advanced malware and zero-day vulnerabilities as the top cause for the operational pressure that security practitioners experience. Other top concerns include budget constraints (17%) and a lack of security skills (16%).

As a security practitioner, there is always the possibility of receiving a late-night phone call any day of the week alerting you that your environment has been breached and that customer data has been publicized across the web. Today, a data breach is no longer just a worst-case scenario; it’s a matter of when, a consequence that weighs heavily on everyone — from threat analyst to CISO.

Preparing a business for the unknown requires a series of important steps to protect your employees and your operations. For many business owners, this foundation starts with an emergency plan and grows to include a business continuity plan, an inclement weather policy, and perhaps even a lone worker policy to keep employees safe.

So, you’ve made your emergency plans and identified the best people to lead your teams through each phase. Now, it’s time to practice with the low-cost but high-impact emergency planning event known as a tabletop exercise.

What You Need to Know for 2019 – and Beyond

In the fast-moving world of cybersecurity, predicting the full threat landscape is near impossible. But it is possible to extrapolate major risks in the coming months based on trends and events of last year. Anthony J. Ferrante, Global Head of Cybersecurity at FTI Consulting, outlines what organizations must be aware of to be prepared.

In 2018, cyber-related data breaches cost affected organizations an average of $7.5 million per incident — up from $4.9 million in 2017, according to the U.S. Securities and Exchange Commission. The impact of that loss is great enough to put some companies out of business.

As remarkable as that figure is, associated monetary costs do not include the potentially catastrophic effects a cyberattack can have on an organization’s reputation. An international hotel chain, a prominent athletic apparel company and a national ticket distributor were just three of several organizations that experienced data breaches in 2018 affecting millions of their online users — incidents sure to cause public distrust. It’s no coincidence that these companies were targeted — all store valuable user data that is coveted by hackers for nefarious use.

These events and trends should serve as eye openers for what’s ahead this year, as malicious actors are becoming more sophisticated and focused with their attacks. Consider these 10 predictions over the next 10 months:

Thursday, 21 February 2019 17:01

10 Corporate Cybersecurity Predictions

Companies think their data is safer in the public cloud than in on-prem data centers, but the transition is driving security issues.

More business-critical data is finding a new home in the public cloud, which 72% of organizations believe is more secure than their on-prem data centers. But the cloud is fraught with security challenges: Shadow IT, shared responsibility, and poor visibility put data at risk.

These insights come from the second annual “Oracle and KPMG Cloud Threat Report 2019,” a deep dive into enterprise cloud security trends. Between 2018 and 2020, researchers predict the number of organizations with more than half of their data in the cloud to increase by a factor of 3.5.

“We’re seeing, by and large, respondents are having a high degree of trust in the cloud,” says Greg Jensen, senior principal director of security at Oracle. “From last year to this year, we saw an increase in this trust.”

ASSP TR-Z590.5-2019 provides guidance from safety experts on proactive steps businesses can take to reduce the risk of an active shooter, prepare employees and ensure a coordinated response should a hostile event occur. It also provides post-incident guidance and best practices for implementing a security plan audit.

Active shooter fatalities spiked to 729 deaths in 2017, more than three times our country’s previous high. A business must know where its threats and vulnerabilities exist. Our consensus-based document contains recommendations on how a business in any industry can better protect itself in advance of such an incident. Based on the collaborative work of more than 30 professionals experienced in law enforcement, industrial security and corporate safety compliance, the report aims to drive a higher level of preparedness against workplace violence.

A new toolkit developed by the Global Cybersecurity Alliance aims to give small businesses a cookbook for better cybersecurity.

Small and mid-sized businesses have most of the same cybersecurity concerns of larger enterprises. What they don’t have are the resources to deal with them. A new initiative, the Cybersecurity Toolkit, is intended to bridge that gulf and give small companies the ability to keep themselves safer in an online environment that is increasingly dangerous.

The Toolkit, a joint initiative of the Global Cyber Alliance (GCA) and Mastercard, is intended to give small business owners basic, usable, security controls and guidance. It’s not, says Alexander Niejelow, senior vice president for cyber security coordination and advocacy at MasterCard, that there’s no information available to the small business owners. He points out that government agencies in the U.S. and the U.K. provide a lot of information on cybersecurity for businesses.

It’s just that, “It’s very hard for small businesses to consume that. What we wanted to do was remove the barriers to effective action,” he says, and go beyond broad guidance to giving them very specific instructions presented, “…if at all possible in a video format and clear easy to use tools that they could use right now to go in and significantly reduce their cyber risk so they could be more secure and more economically stable in both the short and long term.”

Bankers around the world are rightly worried about the threats posed by digital disruptors getting in between them and their retail banking customers. But Forrester’s newest research reveals that executives should be just as worried — perhaps even more worried — about another market that is being upended: Small business banking.

Small and medium-sized businesses (also called small and medium-sized enterprises or SMEs) are crucial sources of revenues and profits at most banking providers, so the prospect of bank brands losing their relevance among SMEs should keep bankers awake at night.

Here are just a few of the insights you’ll find in our new research report:

New data from CrowdStrike’s incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.

It takes Russian nation-state hackers just shy of 19 minutes to spread beyond their initial victims in an organization’s network – yet another sign of how brazen Russia’s nation-state hacking machine has become.

CrowdStrike gleaned this attack-escalation rate from some 30,000-plus cyberattack incidents it investigated in 2018. North Korea followed Russia at a distant second, at around two hours and 20 minutes, to move laterally; followed by China, around four hours; and Iran, at around five hours and nine minutes.

“This validated what we’ve seen and believed – that the Russians were better [at lateral movement],” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. “We really weren’t sure how much better,” and their dramatically rapid escalation rate came as a bit of a surprise, he says.

Cybercriminals overall are slowest at lateral movement, with an average of nine hours and 42 minutes to move from patient zero to another part of the victim organization. The overall average time for all attackers was more than four-and-a-half hours, CrowdStrike found.

Navigating the Information Age Without Saving Everything

Data retention is a persistent challenge for in-house counsel, but developing workable information governance policies and procedures needn’t be a taxing exercise; in fact, they can generate measurable cost savings to the company. Here, Buckley LLP’s Caitlin Kasmar highlights the importance of being equipped with the right advice at the right time to save in-house counsel the stress of dealing with the challenges of document retention compliance.

The posture of in-house counsel toward information governance and data retention is in the midst of a noticeable and rapid shift from “are we retaining the right information?” to “please, please tell me I can get rid of some of this stuff.”

Those urgent pleas are fed not by data storage costs, which continue to decline, but by savvy in-house lawyers anticipating a subpoena or lawsuit, confronting a decade’s worth of retained emails and calculating compliance costs.

How are in-house counsel expected to advise their business clients on data retention when, in the typical company, numerous legal holds have piled up over time, executives may be effectively exempt from whatever retention/destruction policy is in place and no audit process exists to ensure records are actually deleted in compliance with the policy? The right advice at the right time can save in-house counsel the stress of dealing with these tricky — and, let’s face it, not particularly glamorous — issues.

Tuesday, 19 February 2019 15:25

‘Do I Really Need To Keep This?’

(TNS) – Peggy Wood kept sitting up in bed.

She snatched a legal pad and added to a scattered list of things she used to own.

She imagined she was at her old desk in the Driftwood Inn, and jotted what she saw. Six glaze brushes, an embroidery machine, dressmaker’s scissors. A Nikon camera. Lights for that camera, and a backpack. Perfume she spritzed on before going out to shoot photos.

Each item was a chain link in a new insurance filing after Hurricane Michael ruined the Inn she and her family spent four decades building.

The Woods had received a little more than $2 million in insurance payments by January, mostly from flood policies. They still hoped for at least another $1 million from wind coverage but did not know how much it would cost to rebuild the sprawling motel and its outbuildings, 24 units in all.

$3 million? $10 million?

Rich Campagna explores the security and compliance risks associated with data stored in – and accessible from – cloud applications, setting out best practices for assuring end-to-end protection.

With cloud adoption rapidly expanding across an immense range of industries, enterprises around the globe are eagerly embracing the benefits that can be gained from moving their mission-critical services to the public cloud.

Despite the fact that major cloud vendors invest heavily in security, with Microsoft alone dedicating more than $1 billion a year to internal security investments, companies need to understand the hidden risks associated with migrating to the cloud.

That entails senior company executives coming to grips with the security and compliance risks associated with data stored in – and accessible from – cloud applications, and who takes responsibility should the unthinkable occur.

Tuesday, 19 February 2019 15:22

Mind the gap: cloud security best practices

(TNS) – Cambria County Commissioners approved two contracts Thursday that will allow for new connections with other counties and improve existing ones when it comes to 911 communication.

During a regular meeting, the commissioners unanimously approved a 911 fund statewide interconnectivity grant with the Pennsylvania Emergency Management Agency (PEMA), for $439,653.

Robbin Melnyk, county 911 coordinator, said this money will be used to upgrade and renew licenses for two large pieces of equipment purchased by Cambria County and 14 surrounding counties a few years ago.

A second grant of $96,607 will go toward maintenance and monitoring of Cambria County’s software, connecting it with Blair and Somerset counties, Melnyk said.

Let’s be honest: Everything related to a traditional crisis is more likely to cause heartburn than joy.

When most people think of a traditional crisis plan, they envision something “comprehensive” that will prepare them for every conceivable situation. They think of an exhaustive process of research and planning and bulky binders filled with color-coded tabs.

The reality is far simpler. You cannot prepare for every situation. Trying to do so is a fool’s errand. The best plan provides a view from 30,000 feet. It defines the broad strokes of what to say and do (or not), determines who’s in charge of what, specifies who speaks for the organization and why it’s important not to talk out of school.

The main barrier to green-lighting a crisis plan is inertia, for two reasons. It seems arduous, which causes procrastination. And you have so many other priorities competing for your attention and resources.

It’s time to change things up and declutter traditional crisis plans!

No longer can privacy be an isolated function managed by legal or compliance departments with little or no connection to the organization’s underlying security technology.

Recent advancements in machine learning and big data analytics have made data more important today than ever before. Companies are now investing heavily in protecting their customers’ data; for instance, Facebook has pledged to double its safety and security team to 20,000 people.

Since the introduction of Europe’s General Data Protection Regulation (GDPR) in 2018, data protection officers (DPOs) have become the subject of the latest hiring frenzy. Large organizations that are mandated to hire a DPO based on the GDPR’s criteria are struggling to find the right person for the job. But how does a DPO fit into the typical security organization?

At the end of the day, a DPO should report directly to top management on all regulation and privacy topics. As such, the perfect candidate must have in-depth knowledge of GDPR and other regulations. Your DPO should also view the responsibilities of GDPR compliance as an opportunity to drive your business forward.

Monday, 18 February 2019 16:56

Privacy Ops: The New Nexus for CISOs & DPOs

Preventing Legal Risks and Liabilities

The #MeToo movement has hammered home for employers the critical importance of keeping sexual harassment out of the workplace. However, a recent federal court case underscores how sexual harassment can occur in ways that defy what many employers might think of as the typical pattern. The ruling by the U.S. District Court for the Eastern District of Pennsylvania comes in a case that has nothing to do with a male boss or co-worker behaving inappropriately with a female colleague. It hinges instead on allegations that a supervisor failed to properly respond to sexual harassment of an employee by a non-employee.

That might bring to mind the Hollywood trope of a hardworking waitress forced to regularly endure catcalls or worse by a male customer, but Hewitt v. BS Transportation defies even this familiar scenario. It involves a lawsuit over alleged male-to-male sexual harassment in the world of big rigs and fuel refineries. In court documents, truck driver Carl Hewitt alleges that his supervisor at BS Transportation failed to take prompt remedial action in response to sexual harassment of Hewitt by a male worker at a fuel distribution company’s refinery. Hewitt routinely traveled to the Pennsylvania facility to pick up fuel bound for NASCAR racecars.

Businesses don’t have sufficient staff to find vulnerabilities or protect against their exploit, according to a new report by Ponemon Institute.

For enterprise IT groups, responding to the volume of new vulnerabilities is growing more difficult – compounded by a chronic lack of skilled cybersecurity professionals to deal with the issues.

That is one of the major conclusions reached in a new report, “Challenging State of Vulnerability Management Today: Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture,” published by Ponemon Institute and sponsored by Balbix.

When asked about the difficulties of maintaining an adequate security posture, 68% of the more than 600 cybersecurity professionals surveyed listed “staffing” as a primary issue. These staffing shortages don’t exist exclusively at small organizations, either, with 72% of those surveyed from organizations with more than 1,000 employees.

Backup technology has evolved over the years, but the time has come to take a completely fresh approach, says Avi Raichel. In this article Avi explains: Why backup is a CTO concern; What CTOs need to do to update the backup strategies in place; How CTOs can help the business become IT resilient.

It’s no secret that backup is one of the most important things that a business can invest in, and it’s because of this that the evolution of backup has been such a grand one. The very first computer backups were made on to large reels of magnetic tape (punch cards), and have consistently evolved – from tape, to spinning disk, and then on to flash. However, what hasn’t changed with backup is the central idea of creating ‘golden copies’ of data, to be used ‘just in case’.

This idea is now, arguably, archaic. These traditional backups that only provide a snapshot in time are no longer compatible with the modern times. In this age, businesses, particularly digital ones, need to be ‘always-on’ – 24/7, 365 days a year. Because of this, the requirement for recovery point objectives (RPOs) of seconds, and recovery time objectives (RTOs) of minutes is essential.

Essentially, a business needs to be able to recover as quickly as possible from the second it went down – not from a backup made the night before. This dependence on periodic backups, rather than continuous data protection, may be why nearly half of businesses have suffered an unrecoverable data event over the last three years according to the latest IDC State of IT Resilience report.

Steering Clear of Antitrust Pitfalls

Knowing how to engage in competitor interactions is often more art than science. There are few clear lines of conduct to guide information exchanges made for legitimate business reasons. But broad principles do exist to help you consider your options carefully. Vedder Price’s Brian McCalmon discusses.

Throughout the country, sales managers, supervisors and executives attend antitrust trainings with varying degrees of regularity and detail. Antitrust as a corporate and individual pitfall is familiar to most doing business in the United States and abroad. If asked, most sales executives and line personnel can list the most dangerous and easily spotted scenarios to avoid: Don’t ask competitors about their pricing plans; don’t talk to competitors about customers; if competitors begin to discuss forbidden topics in a trade association meeting, stand up, announce your departure for the record and abruptly exit. This is all Antitrust 101.

But there is an Antitrust 102 and 103, and situations calling for a deeper understanding of antitrust may be thrust upon senior executives before they have had time to digest the consequences of a bad choice in the moment. Some risks may be so unobvious that the executive may never see the antitrust consequences at all. And a healthy respect for the antitrust laws, coupled with a poor understanding of them, has led to the unnecessary stifling of potentially efficient corporate initiatives. A deeper understanding of how communications with competitors, suppliers and customers may violate competition law can reduce risk and allow more efficient and procompetitive arrangements to flourish.

What does a business continuity or disaster recovery plan consist of? In a nutshell, it’s what needs to happen in case you can’t continue normal operations or business due to an “activity” that may have affected your organization. I am not trying to minimize this in the least. That’s just the tip of the iceberg. We NEED plans. We need to know what to do so that when we have to make critical decisions, the information is at our fingertips (especially when it’s an automated tool). Building these plans is vital to the survival of the business, should something occur. Most of our organizations are regulated and required to have plans. It’s not only a type of insurance policy, but it makes us feel better knowing it’s in place… but what happens when you need to activate that plan? Just as critical as the plan itself are the people needed to respond and assist in the recovery efforts. People execute the plan. Someone needs to flip the switch. Without people, your effort, time and planning will not be much help.

With that said, we need to make sure we prepare our employees, so they know what to expect and what is expected. How do we do that? We teach them. We exercise the plans and involve those people.

Most organizations don’t do full-scale exercises with their entire staff. It costs a lot of money, resources and takes up a lot of time from the work day. This would be the most desirable type of exercise and something we should all aim to achieve. If you can conduct something like this, that’s fantastic! If not, consider starting by setting up a table top exercise to walk through what’s currently in place in your plans.

A wireless device resembling an Apple USB-Lightning cable that can exploit any system via keyboard interface highlights risks associated with hardware Trojans and insecure supply chains.

During a month-long hiatus between jobs, Mike Grover challenged himself to advance a project he’d been working on for over a year: Creating a USB cable capable of compromising any computer into which it’s inserted.

His latest iteration, the Offensive MG or O.MG cable, resembles an Apple-manufactured Mac USB-Lightning cable but incorporates a wireless access point into the USB connector, allowing remote access from at least 100 feet away, according to Grover. A video demonstration shows Grover taking control of a MacBook and opening up Web pages from his phone.

The cable takes advantage of a known weakness. To make keyboards, mice, and other input devices as easy to connect as possible, operating system makers have made computers accept the identification, through the Human Interface Device (HID) protocol, of any device plugged into a USB port. An attacker can use the weakness to create a device that acts like a keyboard to issue keystrokes, or a mouse to issue clicks.

(TNS) – It’s been a year since the Valentine’s Day murder of 17 students and staff members and the wounding of 17 others at Marjory Stoneman Douglas High School in Parkland, Florida.

Since then, schools around the country have taken steps to beef up security.

In this area, several schools have made great strides to improve the safety of the students and teachers.

Many of the improvements deal with how people enter school buildings.

“The number one thing that we’ve done: we put a kiosk system in where when you come in you have to bring your [driver’s] license in now. We know everybody who comes in and out of our building. So will that stop a shooting? No, but we actually have a better understanding of who is going to be in our building or not,” said Mel Rentschler, superintendent at Allen East schools.

Friday, 15 February 2019 15:06

Preparing for the Next School Shooting

Doron Pinhas looks at the common factors behind various high-profile technology outages in 2018 and proposes a practical approach which will help organizations reduce unplanned downtime in 2019.

Flying these days is almost never a pleasure, but in 2018, it was a downright nightmare with dozens of glitches and outages that kept planes grounded. 2018 wasn’t such a great year for other industry sectors as well. Financial service customers also had a rough year accessing their funds and performing urgent financial transactions. In the UK, for example, banks experienced outage after outage. Three of Britain’s biggest banks – HSBC, Barclays and TSB – all experienced outages on a single day, making online banking impossible, and there were dozens of other incidents peppered throughout the year.

And if your business lives on cloud platforms and SaaS, you might have found yourself running ragged at times trying to access your IT with all of the major cloud platforms suffering from outages throughout the year as well.

It may be 2019 now, but the fundamental gaps that led to those service disruptions haven’t been resolved, so we can expect more such outages this year, and probably every year until companies figure it out – which, if you’re a business continuity or IT professional, raises the question: what should I do to avoid outages?

Some have even turned to alcohol and medication to cope with pressure.

A quarter of chief information security officers (CISOs) suffer from mental and health disorders as a result of tremendous and growing work pressures, a new survey shows.

Contributing to the strain are concerns about job security, inadequate budget and resources, and a continued lack of support from the board and upper management.

Domain name registry service provider Nominet recently polled 408 CISOs working at midsize and large organizations in the United Kingdom and United States about the challenges they encounter in their jobs.

A whopping 91% of the respondents admitted to experiencing moderate to high stress, and 26% said the stress was impacting them mentally and physically. A troubling 17% of the CISOs who took Nominet’s survey admitted to turning to alcohol and medication to deal with the stress, and 23% said their work was ruining personal relationships.

Paul Barry-Walsh argues that as complexity increases in society, so do interdependencies. To prevent cascading disasters, organizations need to implement firebreaks which will ensure that they do not become the weak link in the supply chain.

There is a characteristic which is self-evident to the professionals in this field, that is, as we develop as a society, we become increasingly reliant on more and more suppliers delivering products or services. Should just one component of the supply chain be disrupted then this service or product cannot be delivered. This can result in chaos. This is simply a manifestation of Adam Smith’s contention that the increased division of labour allows increasing output. However, with ever more suppliers, and the implementation of just in time production, the loss of just one small component disrupts the entire chain. This is as true for services as it is for manufacturing and after Adam Smith we should perhaps refer to this as ‘Adams Law’.

To illustrate this, imagine yourself to be a Venetian banker in the 16th century. He would need ledgers, quills and ink, possibly a desk, and to operate in a secure environment under the rule of law, but that’s about it. Now consider his modern counterpart. Just to provide the most basic of modern day services, the banker needs to operate both within and under the rule of law, and she/he needs sophisticated computers, a base to operate from, communication devices and an army of people to run this operation: accountants, data entry, lawyers, compliance people and then HR to manage them.

That’s a complex web of people and products just to do the simplest banking operation. This complexity brings with it vulnerability; if staff are denied access to the office, if there is no electricity, (or water) then the organization cannot function. If you cannot function, there will be a knock-on effect for the counterparties, due to the interconnectedness of our society. If just one bank fails, this has a domino effect on other financial institutions and counterparties.

(TNS) — Garfield County, Okla., Sheriff’s Office is offering training in active-attack response to area schools and also will provide the course to employees at the county courthouse.

Acting Sheriff Jody Helm said this is the third year the sheriff’s office has offered training to county schools. Previous training topics concerned weapons in schools and drugs in schools.

“They’ve been really receptive,” Helm said.

Deputy Lloyd Cross presented the training, from the Advanced Law Enforcement Rapid Response Training at Texas State University, Wednesday to the staff of Kremlin-Hillsdale High School.

Cross said the goal was to present the information to administrators and teachers and not determine policy for the school system.

Many times when we talk about communications plans and campaigns, we focus on the tactics. Which makes sense: these are the things we can see. The clever social media post, the direct mail piece, the slick website. But the true way to evaluate a communications plan or marketing campaign is through measurement.

My favorite way to illustrate the different types of measures and how they work comes from the book Effective Public Relations, Ninth Edition. This is the book I used to study for my Accreditation in Public Relations, and it’s still on my shelf, dog-eared and bursting with post-it notes. I have adapted their graphic into my own, which you can see here:

Friday, 15 February 2019 14:57

How to measure communications plan success

When each member of your security team is focused on one narrow slice of the pie, it’s easy for adversaries to enter through the cracks. Here are five ways to stop them.

Today, enterprises consist of complex interconnected environments made up of infrastructure devices, servers, fixed and mobile end-user devices and a variety of applications hosted on-premises and in the cloud. The problem is traditional cybersecurity teams were not designed to handle such complexities. Cybersecurity teams were originally built around traditional IT—with a specific set of people focused on a specific set of tools and projects.

As enterprise environments have grown, this siloed approach to cybersecurity no longer works. When each member of your security team is only focused on one narrow slice of the pie, it’s far too easy for adversaries to enter through the cracks. The following are critical steps chief information security officers (CISOs) must take in order to establish a dream team for the new age of cybersecurity.

Truth is, in most of the reports we write about how to prepare your company for the future, two major recommendations always come out: Get your C-level leaders on board, and cultivate a culture that can transform your business. The first is crucial yet obvious, and I’ve grown tired of writing it. The second, culture, is equally obvious, but it’s also huge. Yes, we have statistically measured the role of culture in successful digital transformations and found that culture is the strongest predictor of whether you’ll make it. But culture is enormous, and changing it can feel overwhelming.

Today we offer a lifeline of incredible value. Culture can encompass a myriad of things, but it is best measured at the level of individual employees. Do they like being there? Do they support the mission of the organization? Do they feel supported in trying to accomplish the goals of the company? All of these things matter, but today the responsibility for engaging employees is diffused across the org. HR helps but focuses on narrow metrics while not touching on the business strategy. Leaders occasionally try to motivate with enthusiasm, but they don’t rigorously account for the impact of their demands on the employee base. And when you add technology, it’s clearly not IT’s job to make sure people feel like the tech is helping them as much as it’s helping the customer. Drowning yet?

That’s where our lifeline comes in: “Introducing Forrester’s Employee Experience Index.” Rather than simply telling you to go engage your employees, we’ve systematized the process. We’ve spent two years surveying more than 13,800 employees in seven countries. Drawing from the best of three decades of organizational psychology research, we’ve constructed a tool that identifies what an engaged worker looks like and then worked backward from there to figure out what factors either help or hurt employee engagement. The result is a clear blueprint for inspiring, empowering, and enabling your employee base.

Did “data analytics” ruin baseball? Depends on whom you ask: the cranky old man in a Staten Island bar or the nerd busy calculating Manny Machado’s wRC+ (it was 141 in 2018, if you cared to know).

What is indisputable, though, is that the so-called “Sabermetrics revolution” rapidly and fundamentally changed how the game is played – this is not your grandpa’s outfield!

And data is eating the whole world, not just baseball. Now it’s coming for the legal profession, of all places. The Financial Times recently published an article on how law analytics companies are using statistics on judges and courts to weigh how a lawsuit might play out in the real world. One such company does the following (per the article):

Friday, 15 February 2019 14:53

Findings from Dun & Bradstreet

According to a report by Dun & Bradstreet, compliance and procurement professionals indicate that fraud tops the list of challenges, and technological advances exacerbate the problem. While technology is an enabler to these industries by creating the potential for improved efficiency and data management, in some instances, it may be putting organizations at greater risk for fraud if not implemented properly. Brian Alster discusses the approach compliance leaders should take to protect the organization.

Compliance professionals didn’t have it easy in 2018; significant regulations spanned industries globally – touching finance, trade and data in a big way. Among the related challenges of this business environment, the risk of fraud remains near the top of the list for many companies, a majority of whom have seen incidences of fraud negatively impact their business. Detection methods to combat fraud evolve over time, but so, too, do the fraudsters, turning the situation into a never-ending game of cat and mouse.

A majority (72 percent) of respondents to the second Dun & Bradstreet Compliance and Procurement Sentiment Report say fraud has had an impact on their company’s brand. In an effort to uncover the top issues and concerns among both compliance and procurement professionals, Dun & Bradstreet surveyed more than 600 professionals from the U.S. and U.K., delving into a range of questions about their roles, as well as their impressions of the industry overall. With this second report, we were able to measure changes in overall sentiment compared with the benchmark conducted earlier last year, and we dove deeper into fraud concerns and the use of technology.

Friday, 15 February 2019 14:46

Fraud A Top Concern For Compliance Leaders

Extra, extra! Read all about it!

TOPO declares that 86% of account-based organizations report improved close rates, and 80% say account-based strategies are driving increased customer lifetime value!

TribalVision channels the ITSMA when it reports that companies implementing account-based marketing (ABM) strategies typically see a 171% increase in annual contract value!

Really? Wow. Huh, I haven’t seen it that way from where I’m standing.

From my (tenuous?) perch atop Forrester’s ABM research pile, it looks like FOMO* (more than anything) is driving marketers to take up the ABM banner. Our research, trends studies, and customer interactions show that ABM continues as a popular topic among B2B marketers and sellers. But many claims hit an almost hysterical note: Do this now or be left behind!

Online dating profiles and social media accounts add to the rich data sources that allow criminals to tailor attacks.

US-CERT and Cupid don’t often keep company, but this Valentine’s Day is being marked by new threats to those seeking romance and new warnings from the federal cybersecurity group.

A notice from US-CERT points to an FTC blog post about how consumers can protect themselves from online scams involving dating sites, personal messaging systems, and the promise of romance and companionship from online strangers.

The general warning comes as specific scams are being exposed by online researchers. For example, researchers at Agari Data have followed a Nigeria-based group dubbed “Scarlet Widow” since 2017 as they exploited vulnerable populations, moving from romantic “attacks” against isolated farmers and individuals with disabilities to business email compromises that raised the financial stakes.

Thursday, 14 February 2019 15:34

Scammers Fall in Love with Valentine’s Day

NEW YORK and SAN FRANCISCO — An authoritative legal-industry report on the current state of artificial intelligence (AI) in contract analysis and data extraction and its applications within the legal community was released today. Leading industry analyst firm Ari Kaplan Advisors was engaged by Seal Software to design and conduct unbiased research, the findings of which provide clarity on how legal departments at large corporations perceive and practically apply AI-driven contract analytics in a broad range of matters.

The report is derived from comprehensive interviews with professionals, predominantly at Fortune 1000 organizations, who exercise influence over the adoption and deployment of AI technology. Law department leaders from American Express (NYSE:AXP), Hewlett Packard Enterprise (NYSE:HPE), Nokia (NYSE:NOK), Novartis (NYSE:NVS), Atos (EURONEXT:ATO), Transocean Ltd. (NYSE:RIG), SI Group Inc., CyrusOne (NASDAQ:CONE), PagerDuty and Olympus Corporation of the Americas, among others, shared their views in the benchmarking study. All but one of the participants were lawyers, about two-thirds of whom were with organizations that had more than $5 billion in revenue, and most worked at companies with more than 5,000 employees.

“It was a privilege to speak with so many industry leaders and I am proud to share their perspectives about the promise and practical application of this technology,” said Ari Kaplan, principal of Ari Kaplan Advisors. “I hope this report fuels a productive dialogue that drives the legal community forward.”

(TNS) – Bay County and the cities of Springfield and Callaway will begin their final passes of free Hurricane Michael debris removal on March 11.

Residents in the two cities and incorporated areas of the county are encouraged to have all debris on their curbs by March 10 to help with the pickup. The final wave of cleanup will last through mid-April, after which any debris will be removed at homeowners’ expense, officials said.

“We’ve got to get this place cleaned up,” said Philip Griffitts, chairman of the Bay County Commission. “We continue to see illegal dumping … we’ve got to set a date now or we’ll never get this done.”

While Springfield and Callaway decided to partner with the county on their final debris passes, other cities in the area still have their own schedules. Property owners in other cities can contact their local governments for information on when debris collection will end there.

In today’s school environment, effective communication is a complex undertaking. The average public school in America has more than 500 students. Meanwhile, colleges and universities can easily have upwards of tens of thousands of students. On top of that, the different members of a school community—students, faculty, staff members, and parents—tend to have wildly different communication preferences and behaviors.

Administrators need to quickly send school-wide notifications about weather delays and closings. Teachers need to send classroom updates to all of their students’ parents. Parents and students also need to communicate effectively with teachers and administrators. Whatever the case, regular, well-executed communication is vital in a school setting. But how can schools most effectively and efficiently communicate to keep everyone safe, informed, and up to date? The key lies in a modern mass notification system for schools.

All data belonging to US users, including backup copies, has been deleted in the catastrophe, VFEmail says.

An unknown attacker appears to have deleted 18 years’ worth of customer emails, along with all backup copies of the data, at email provider VFEmail.

A note on the firm’s website Tuesday described the attack, first reported by KrebsOnSecurity, as causing “catastrophic destruction.”

“This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the note read. VFEmail was established in 2001 and provides free and paid email services, including bulk email services in the US and elsewhere.

The attack, described in a series of tweets from the firm, seems to have occurred on Monday and had targeted all VFEmail’s externally facing servers across data centers. Though the servers were running different operating systems and not all shared the same authentication, the attacker managed to access each one and reformat them all the same.

Digital intelligence (DI) – the practice of understanding and optimizing digital customer engagements – has been around for as long as the internet itself. But it has not remained stagnant. The practices and technologies needed to support DI have continued to be revolutionized by the digital disruption. And the means by which customers interact with a brand have skyrocketed in recent years showing no signs of slowing down. In a recent press release, IHS Markit estimated the number of internet-connected devices will grow to 125 billion by 2030, up from around 27 billion in 2017.

Understanding and optimizing digital customer engagement in today’s environment demands a dizzying combination of DI tech. Forrester recently analyzed the DI market to make sense of it. We published our findings in The Forrester Tech Tide™: Digital Intelligence Technologies, Q1 2019.

(TNS) — The strongest and potentially wettest storm of the winter season is bearing down on Southern California this week, threatening to unleash debris flows in burn areas in Orange and Riverside counties as the region’s wild winter continues.

The atmospheric river-fueled storm, packed with subtropical moisture, will take aim at large swaths of the already-soaked state beginning early Wednesday and lasting through Thursday.

The amount of precipitation from the storm will vary depending on the region, with San Diego, Orange and Riverside counties likely to be pounded with up to 2 inches of rain along the coast and up to 10 inches at higher elevations. This could create a dangerous situation for residents in recent burn areas, according to the National Weather Service.

Forecasters predict the Holy fire burn scar will see 2.5 to 6 inches of rain, while the area affected by the Cranston fire last year will likely experience 3 to 8 inches of precipitation through Thursday. That has the potential to trigger debris flows and flooding, according to the weather service.

(TNS) — A stubbed toe, a scraped knee, a twisted ankle.

Call 911 in Pinellas County, Fla., about any of those injuries and at least four people in two vehicles will show up.

But a new proposal — already implemented in Hillsborough County and across the country — that’s being considered by county government and some of the cities, including St. Petersburg, would reduce the response for certain minor medical issues.

The goal: “We preserve our resources for the most severe calls, and ultimately improve our response times on the most critical emergencies,” said St. Petersburg Fire Rescue Division Chief Ian Womack to City Council on Thursday. “The general principle is, if you over-resource low-priority calls, that unit is then committed to the low priority call.”

What does the term “digital transformation” mean to you?

Is it about digital customer experiences? Digital operations? Transforming business models? Leveraging software ecosystems? Is it a floor wax? A dessert topping?

Digital transformation (DT) as a term loses meaning when it involves everything under the sun. Over the past few years, we’ve seen companies label anything and everything as “digital transformation” — no wonder DT initiatives meander and stall.

Companies that succeed with transformation initiatives keep a laser focus on using technology to deliver business results. How? Not with long cycles of business requirements and software implementations.