archive

Security by the numbers

The issue of security continues to be a major industry topic, and understandably so, since this is one area of BCM that tends to have the highest profile. Many of the issues are closely linked to the increasing complexity and interoperability requirements of applications across a wide variety of platforms. These problems are compounded by the generally poor practices of many IT departments and internal users, who continue to be a very weak link in the security chain.

City streets flooded after deluge

Torrential rain and hail brought flash floods to Leeds on Tuesday - sparking hundreds of calls to the fire brigade.

Crisis And The Web

Managing a Digital Crisis


One thing is certain: A new scandal or crisis always seems to be around the next corner. Yet today, very few brands and celebrities know how to fully leverage the Internet when faced with a public relations crisis.

Recent PR nightmares for JetBlue, Turner Broadcasting, Dell Computers and KFC-Taco Bell demonstrate that as the "social Web" evolves, the focus for brands needs to be less on digital marketing and more on digital brand management.

Europe 'needs more time' to prepare for flu pandemic

Category: Business Continuity Management Briefing - BCM & Risk Management - H5N1


Director of European Centre for Disease Prevention and Control warning


Source: FT

Europe needs at least two more years to be prepared adequately for a pandemic flu outbreak in humans, according to the head of the European Union agency in charge of tackling infectious disease.

In an interview with the Financial Times, Zsuzsanna Jakab, director of the European Centre for Disease Prevention and Control, said it would take two to three years to be "much better prepared to respond", even if the current political momentum could be maintained.

Speaking ahead of the launch of a report by her agency analysing pandemic planning across the EU, she warned that countries still needed to do much more to prepare for pressures beyond their health systems and to step up co-operation with each other sharply.

She said countries needed to make their written national plans operational so they worked at the local level; and ensure plans between and within countries worked in a co-ordinated fashion. "There are certain issues that cannot be solved by one country, and they have to work together across borders," she said, stressing she wanted to strengthen collaboration with the EU's close neighbours - including Turkey, Ukraine, Belarus, Moldova and Russia - in an effort to prepare for a pandemic.

Ms Jakab said the UK, France and Germany, as well as Slovenia and the Nordic countries, were better prepared, while EU accession states in central and eastern Europe presented "a bigger challenge". However, no European country had yet published a pandemic plan across all government departments, with most still focused on the health system, while only 14 nations had undertaken joint work with neighbouring countries.

She warned that while EU and national leaders had helped to provide significant support in recent months, there was a challenge to maintain efforts at a time when avian flu in Europe had been less significant. Just a few outbreaks of H5N1 in birds - notably in the UK and Hungary - have taken place in recent months within the EU, although the infection continues to be endemic in animals in parts of Asia and has killed 167 people and infected 274 worldwide.

A survey of 25 EU states plus Iceland and Norway to be released today analysing pandemic planning up until last October highlighted that just 13 had contingency plans for non-essential health services, and only 15 had conducted an exercise to test plans nationally in the health sector.

Ms Jakab called for increased efforts to tackle seasonal influenza, including greater use of flu vaccines, which would help prepare for a pandemic. Just 18 countries have so far developed a national pandemic vaccination strategy.


End User IT Disaster Recovery Lessons Learned in Katrina's Wake

Practical lessons from a user perspective


On August 29, 2005, Hurricane Katrina blew through New Orleans. With the hindsight of 18 months, here are some changes we implemented, and ideas we expanded based on our experience. We hope they help you develop your firm's disaster recovery/business continuity plans.

REVIEW AND UPDATE

It's critical to keep your DR/BC plan current and realistic. An outdated plan, or one that assumes the impossible, won't help you in real life. We now review our plan every six months, which helps us revise it to incorporate new technology or ideas. For example, if a new application is added to your network, someone should ensure that the data it produces is replicated, and that the application itself will be available remotely, and at your "hot site". Should this be overlooked at the time the new application is installed, the periodic review, if done properly, will catch the oversight and make the DR/BC plan accurate again.

DESIGNATE A REMOTE OFFICE

I can't say enough about the value of having a remote office ready to set up shop in after a disaster. Even if that office isn't large enough to accommodate the entire staff, it's a start and is better than nothing at all. After Katrina, our Baton Rouge branch office instantly became our main office.

Other firms that only had an office in New Orleans were still scrambling to find floor space while we were wrapping up our network restore. You can bet during a regional disaster like Katrina, available space will go very quickly. If you have multiple offices, designate one as the expected backup main office, and consider making it a hot site where you can continuously replicate your data. Be sure that the remote office is not so geographically close to your main office that it might be equally hit by calamity.

Alternatively, if your firm doesn't have a secondary office, consider a co-location arrangement with a vendor who has a data center within a few hundred miles of your main office, or close enough to drive to within a few hours. (Again, factor in possible regional events).

You might also consider a "mutual aid" partnership with another firm in a different region, obviously not a direct competitor, in the event of a major regional catastrophe. Don't forget to incorporate remote access tools into your hot site, especially if you think people will be dispersed and not all working at the hot site.

TEST, REVISE AND RE-TEST

Post-Katrina, we now schedule tests of our hot-site systems at least twice a year, tied to the beginning and end of hurricane season. Our goal is to ensure that we can duplicate network operations as closely as possible and according to our established plan.

It is important to realize that a hot site likely won't be an exact twin of your production network. It's important to have critical applications and data current and available; however, from our users' perspective there will be subtle, noncritical differences such as invalid printer names and invalid shortcuts to programs that are not available. Document these differences well enough and incorporate them back into your plan. This will ensure that when a real failover occurs, everyone involved will know what to expect.

Throughout the year, we also continuously perform data integrity tests of our replication software. While we have faith in the reliability of our replication system, and monitor its status, it's very easy to fire up the hot-site databases and perform a quick query to just be sure everything is in sync.

In fact, the software allows us to automate that process completely, all without ever stopping the real-time replication. You don't want to discover that your hot-site data is actually six months out of date.
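The "quick query to be sure everything is in sync" can be made a repeatable check rather than an eyeball comparison. The following is an added illustration, not the author's or Chaffe McCall's code: it fingerprints each table on the production database and on the hot-site copy (row count plus a hash of the rows in primary-key order) and compares the replica's last-applied heartbeat against an allowed lag, so a copy that silently stopped replicating months ago is reported rather than trusted. The schema, sample rows, the `replication_status` heartbeat table and the use of in-memory SQLite as stand-ins for the two servers are all constructed for the example.

```python
"""Replica consistency check (added example): fingerprint each table on the
production database and on the hot-site copy, and flag stale replication."""
import hashlib
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Only plain identifiers are accepted as table/key names, so a bad
# configuration value cannot turn the SQL below into an injection vector.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# (table, primary key) pairs to compare; constructed for this example.
TABLES = [("matters", "id"), ("documents", "id")]


def table_fingerprint(conn, table, key):
    """Return (row_count, sha256) for a table, hashing rows in primary-key
    order so two copies with identical content give the same digest."""
    if not (_IDENT.match(table) and _IDENT.match(key)):
        raise ValueError(f"unsafe identifier: {table!r}/{key!r}")
    digest = hashlib.sha256()
    count = 0
    for row in conn.execute(f'SELECT * FROM "{table}" ORDER BY "{key}"'):
        digest.update(repr(tuple(row)).encode("utf-8"))
        digest.update(b"\x00")  # row separator
        count += 1
    return count, digest.hexdigest()


def check_replica(primary, replica, tables, now, max_lag=timedelta(minutes=15)):
    """Compare every (table, key) pair across the two connections and check
    the replica's last-applied heartbeat against max_lag. Returns a report."""
    report = {"tables": {}, "mismatched": []}
    for table, key in tables:
        p_count, p_hash = table_fingerprint(primary, table, key)
        r_count, r_hash = table_fingerprint(replica, table, key)
        ok = (p_count, p_hash) == (r_count, r_hash)
        report["tables"][table] = {"primary_rows": p_count,
                                   "replica_rows": r_count, "match": ok}
        if not ok:
            report["mismatched"].append(table)
    # Heartbeat: the assumed replication_status table records when the
    # replica last applied a change from production (constructed schema).
    (last_applied,) = replica.execute(
        "SELECT last_applied FROM replication_status").fetchone()
    lag = now - datetime.fromisoformat(last_applied)
    report["lag_seconds"] = int(lag.total_seconds())
    report["lag_ok"] = lag <= max_lag
    report["in_sync"] = not report["mismatched"] and report["lag_ok"]
    return report


# Constructed sample data standing in for a law firm's production database.
SCHEMA = """
CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, status TEXT);
CREATE TABLE documents (id INTEGER PRIMARY KEY, matter_id INTEGER, title TEXT);
"""
MATTERS = [(1, "Acme Shipping", "open"), (2, "Delta Holdings", "open"),
           (3, "Bayou Realty", "closed")]
DOCUMENTS = [(1, 1, "charter party"), (2, 1, "bill of lading"),
             (3, 2, "share purchase agreement"), (4, 3, "deed")]


def build_pair(now, stale=False):
    """Build a production DB and a hot-site copy. With stale=True the copy
    missed the newest matter and document and its heartbeat is six months old."""
    primary = sqlite3.connect(":memory:")
    replica = sqlite3.connect(":memory:")
    for conn in (primary, replica):
        conn.executescript(SCHEMA)
    replica.execute("CREATE TABLE replication_status (last_applied TEXT)")
    primary.executemany("INSERT INTO matters VALUES (?,?,?)", MATTERS)
    primary.executemany("INSERT INTO documents VALUES (?,?,?)", DOCUMENTS)
    drop = 1 if stale else 0
    replica.executemany("INSERT INTO matters VALUES (?,?,?)", MATTERS[:len(MATTERS) - drop])
    replica.executemany("INSERT INTO documents VALUES (?,?,?)", DOCUMENTS[:len(DOCUMENTS) - drop])
    last_applied = now - (timedelta(days=180) if stale else timedelta(seconds=30))
    replica.execute("INSERT INTO replication_status VALUES (?)", (last_applied.isoformat(),))
    return primary, replica


def run_check(stale, now=None):
    """Build the constructed pair and run the check; returns the report."""
    now = now or datetime.now(timezone.utc)
    primary, replica = build_pair(now, stale=stale)
    return check_replica(primary, replica, TABLES, now)


if __name__ == "__main__":
    for stale in (False, True):
        print("stale" if stale else "fresh", run_check(stale))
```

Scheduled from a job runner, the report is what you page on: a non-empty `mismatched` list or `lag_ok` false means the hot site would not reproduce production if you failed over today. Hashing in primary-key order is what makes the comparison meaningful; comparing row counts alone would miss an updated row that replicated incorrectly.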

PEOPLE AND COMMUNICATIONS

Do not forget about the most important component of your firm: the people.

The best technology won't be worth a dime without the human resources. After Katrina, many of our staff lost everything and were scattered throughout the region. Those who could make it to our Baton Rouge office did so as quickly as their situation allowed, while others were in other nearby cities.

In preparing your own disaster plan, most specific details regarding human resources can't be ironed out in advance. However, you can develop a protocol about what the firm will expect of employees and what employees can expect of the firm following a disaster: for example, how will the firm contact employees, and vice versa? Keep employee data updated and keep a printed hard copy offsite. Be sure your management team always has a copy. Also remember to include the contact list in any type of disaster "hotbox" you create.

Given the annual threat of hurricane evacuations, we went one step further and asked that employees also provide contact information about where they might evacuate (e.g., friends and family). We now hold biannual meetings to remind employees about emergency procedures.

One specific thing we have done to help maintain communications during and immediately following a disaster is to establish service with a Web-based SMS (text-messaging) service.

Post-Katrina, Gulf Coast residents quickly discovered that though cellular service was nearly nonexistent, text messaging generally worked flawlessly. We will use this to broadcast vital information to employee cell phones via a simple Web interface.

RISKS AND PLAN

Understand your firm's specific threats and plan for those scenarios first. Although our firm is vulnerable to other disasters, being located in New Orleans (and having gone through Katrina) our disaster planning revolves around hurricane scenarios.

I would imagine folks on the West Coast would likely plan for earthquakes and wild fires. But also consider disasters that may only briefly interrupt your operations, such as a defective sprinkler system, as well as those that can potentially keep you out of your office for an extended time, or completely destroy your main site. Each day when you leave your office, stop and think about what you would do if the next morning you discover the main office was completely destroyed.

In addition, it is your job to get a new office running by the end of the day, or sooner. Do you have servers? Do you have tapes? Do you have a disaster plan?

James Zeller is network manager at Chaffe McCall, in New Orleans, and won an honorable mention in the 2006 Law Technology News Awards' IT Director of the Year competition.


If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us or call on +44 (0) 208 993 1599.

SMB Companies ignoring web site disaster recovery

Research suggests organisations could lose revenue & customers


Many mid-sized firms risk losing revenue and alienating customers because they do not have a disaster recovery plan in place for their web sites, according to new research from hosting specialist NetBenefit.

The survey of 100 UK IT directors found that a third did not have a disaster recovery plan in place. Of the firms that did, only 38 percent said they tested their plans more than once a year.

Utilities network under threat

Major power failure would leave gas & electricity companies in jeopardy


Most gas and electricity companies rely on commercial mobile phone networks that would stop working in the event of a major power failure. Public mobile networks have limited battery back-up which, once exhausted, would leave engineers working to restore vital utilities unable to communicate.

The situation is not a result of mismanagement on the part of either energy companies or mobile phone network operators, but exposes the need for a high-level overview of interdependencies in the UK utility sector.

Every firm must have a system to manage risks - and crises

 
Would your business be able to cope during a Crisis?
 
Risk management should be an integral part of every company's strategic planning. Anticipating the threats and minimising the risks are the hallmarks of good business. As organisations establish networks that cross the globe, they become more vulnerable. Companies of all sizes find themselves doing business in markets where information is less accessible and less reliable. 
Even in the UK, reliable information that can influence decisions is sometimes hard to find. But I am continually surprised by how many organisations have not integrated this factor into their strategy. 
 
Companies enter deals without having conducted comprehensive due diligence. They fail to protect their information from competitors. They give a nod to anti-money-laundering regulations, but consider them a burden. And they think terrorism is something that happens to others. Every company faces a number of unique threats and has its own specific vulnerabilities. But every business will also find that it operates under the same two basic rules: one, if too little has been done to identify vulnerabilities, then the business will not cope with the difficulties it encounters; and two, when a business doesn't cope with difficulties, its senior management is held to account. 
 
I recently addressed a group of Scottish business leaders and discovered the increasing threats and worries in Scotland. We discussed the following questions: How confident are you that those within your organisation can be fully trusted? How confident are you that mechanisms are in place to prevent individuals within the organisation damaging the business? Do you have the right mechanisms to spot malpractice early? 
 
Figures from KPMG show the value of reported fraud in the UK in 2005 was £942 million, with management-level employees responsible for £421m, the same figure accounted for by organised crime. Employee fraud happens for a number of reasons, the most common being to finance extravagant lifestyles or pay off debt. However, the uncertain future of the pension market, frequent lay-offs in large corporations and greater job mobility mean that employees are now, more than ever, seeing corporate fraud as a form of insurance against future losses. The growth in employee fraud has led businesses to take steps to protect their assets by employing corporate security firms that work in tandem with forensic accountants. 
 
We are employed to find the chinks in the armour of security systems, whether physical, technological or personnel-related. Experience shows that it is very difficult to commit a major fraud without internal help. However, corporate fraud and espionage is not always about theft of funds. Employees can walk out with intellectual property, client lists and pricing information and deliver them to competitors for money. Companies need to work harder with accountants and corporate security firms to devise strategies to prevent employee fraud. These measures can include anything from CV-checking to ensuring that loopholes in security and IT systems are closed. Those IT systems have of course brought us all huge benefits, including massive efficiencies in business. But for every benefit that IT offers an organisation, there is added vulnerability. 
 
Companies face several threats through their IT infrastructure, from simple malicious damage through to theft of the organisation's data. People outside the organisation can get into internet-based networks by targeting websites or e-mails or through other means. Once in, they can alter, steal or destroy data and can plant malicious bugs. Of even greater concern, external entities can also gain access to internal networks through ill-secured firewalls, modems and other means - for example they can get in through using stolen or lost company laptops. And once into an internal network, it doesn't take an IT expert to imagine the damage that can be caused to a company. 
 
A few years ago the threat from al-Qaeda-type terrorism seemed quite distant for many in Britain. In 2005, the 7 July attacks - and the attempts later that month - brought the reality home: al-Qaeda terrorists are operating in the UK. But what does this threat mean for business? And particularly, what does it mean for Scottish businesses? The threat of terrorism has no geographic boundaries. It is definitely not just focused on London. And as London presents an increasingly difficult target, the terrorists will seek more vulnerable options elsewhere. 
 
The July 2005 attacks showed al-Qaeda's continuing focus on transport, and I have no doubt, for example, that Scotland's airports have been considered as potential targets. The terrorists are also focused on the energy sector. Osama bin Laden and others have regularly urged their followers to attack oil and gas facilities. Think what that means for Aberdeen: more than 40,000 people directly employed in the industry; a city with one of the highest GDP-per-head ratios in the UK. If we feel the effects of a small attack on an oil tanker off the coast of Yemen, imagine the impact of an attack on the industry here in Scotland. And it seems that the terrorists who are willing to carry out these attacks come from within our own towns, cities and communities. 
 
The case of James McLintock - who became famous as "the Tartan Taleban" - showed how a person from a perfectly ordinary background could find themselves in the presence of some very dangerous and influential individuals. He didn't subsequently turn to terrorism - but others do. And they return to the UK to do so. In fact, they are often ordered to. And we shouldn't underestimate the broader impacts of this threat. What processes does your company have in place to ensure that staff can cope with the psychological and emotional aspects of terrorism? Are tensions and divisions likely to emerge within our diverse workforces? What is your role in reassuring staff? 
 
An effective crisis management programme is imperative in this day and age. Shareholders are increasingly demanding that companies demonstrate what processes and procedures are in place to mitigate these risks, and boards are expected to take a close interest in the detail. Ultimately, directors will be held to account. 
 
Sir John Stevens, or Lord Stevens of Kirkwhelpington, was Commissioner of the Metropolitan Police until February 2005, and is now chairman of security group Quest. 
 

CIR Industry Awards 2007

The 2007 Business Continuity Awards Gala Dinner will be held at the Grosvenor House Hotel in London's Park Lane from 7pm on Thursday 10th May 2007.

Nominations are now being taken for the following categories:

Business Continuity Manager of the Year

Business Continuity Strategy of the Year

Business Continuity Consultant of the Year

Most Innovative Product of the Year

Business Continuity Management Planning Software of the Year

Industry Newcomer of the Year

Business Continuity Service Provider of the Year

Industry Personality of the Year

Most Effective Recovery of the Year

Public Sector Business Continuity Manager of the Year

Lifetime Achievement

The judges this year are:

ANGELA HOBLEY Senior manager, business continuity, Bank of England
Angela Hobley is a senior manager at the Bank of England with responsibility for overseeing the Bank's internal business continuity exercising strategies. She is also the Bank's representative for Tripartite-led external exercises. Angela led the planning, logistics and project office for the 2006 financial sector market-wide exercise themed on influenza pandemics.

LIZ TAYLOR Director, Public Risk Management
With over 29 years' experience in risk management, Liz Taylor is a veteran of the industry. A varied career has given her multinational and multi-industry hands-on experience at operational and board level, specialising in business continuity management and risk management. Liz chaired AIRMIC in 1991/2, bringing it to corporate membership, and initiated the setting up of Pool Re. Previously chief executive of ALARM and then senior vice-president of Marsh, she now runs her own consultancy, Public Risk Management.

LYNDON BIRD Technical services director, the Business Continuity Institute
Lyndon Bird has a First Class Honours Degree in Chemistry and a Masters Degree in Management Sciences from the University of Manchester. He was an elected board member of the BCI for six years including nearly three years as chairman.

MALCOLM BROOKE Director of business continuity, EMEA, Credit Suisse
Malcolm Brooke is a director of Credit Suisse, based in London. He is head of European Business Continuity and is responsible for the Bank's business continuity programme in the EMEA region, including crisis management and disaster recovery planning and co-ordination.

MICHAEL BEWS Director, MSTA
Michael is a Member of the Business Continuity Institute and also a Chartered Engineer and corporate Member of the Institution of Engineering and Technology.

RUSSELL HUSBAND Assistant general inspector, John Lewis Partnership
Russell Husband was shortlisted for CIR Business Continuity Manager of the Year in 2004 and won the award in 2006. His final task prior to his forthcoming retirement is to protect the Partnership's principal hubs with diverse (third-party and in-house) 400-seat work area recovery centres.

Revisit disaster plans, councils warned

Public sector IT systems at risk


By Steve Ranger, Public Sector Magazine

Councils are missing chances to establish up-to-date disaster recovery plans for their IT services. Local government user group Socitm has warned that its research into recent disasters affecting local authority IT services raises "serious concerns" as to whether councils understand the expectations of the Civil Contingencies Act and are sufficiently prepared to cope with threats to business continuity.

The research focuses on six case studies from local authorities that have experienced major disasters, from an arson attack to major flooding and the Buncefield oil storage depot explosion.

Brokers back business continuity

New initiative pushes value of BCM to SME firms


Research commissioned by the British Insurance Brokers Association (BIBA) has revealed that millions of small and medium-sized enterprises (SMEs) across the UK are failing to protect themselves and their employees against the threat of emergencies such as fire, flood or acts of terrorism.

BIBA has launched a campaign to encourage SMEs to address business continuity issues. Government figures suggest nearly 20% of businesses suffer a major disruption every year.

Royal Society warning over Pandemic planning

Category: Business Continuity Management Briefing - BCM & Risk Management - Pandemic - H5N1


Experts call for better flu plans


Leading scientists say the UK government is failing to take advantage of scientific developments in the fight to prevent a flu pandemic. A report from the Royal Society and the Academy of Medical Sciences says it is inadequate to stockpile just one anti-viral drug.

Securing your IT continuity

Many organisations are dangerously unaware of the risks of not having an IT continuity plan in the event of disaster


Many organisations are operating under the dangerous illusion that they will never suffer a major loss of IT systems, or that such a loss will have a relatively low impact, research from the British Standards Institute has warned.

BSI's Publicly Available Specification (PAS) advisory paper, IT Service Continuity Management Code of Practice (reference 77:2006), paints a grim picture of the potential disaster facing ill-prepared organisations. It cautions that while many firms believe that they have invested in adequate systems resilience, in reality most do not have adequate plans to protect themselves from natural disasters or human error.

Continuity Planning ... a lesson from the US Army?

Building a learning culture to help performance, preparedness and resilience
 
Operations Orders are issued in the US Army to enable the co-ordinated execution of an operation, so why not use a similar procedure in your organisation?
 
The professional definition of BCM is "Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities".
 
However, there is another older usage of the word Continuity, almost exclusively used by the US Army.
 

The Real Disaster: Inadequate Preparation

As the risk of disruption rises, hedging against fate is essential

In the past five years, businesses have had to deal with September 11, SARS, port strikes, hurricanes, and a possible pandemic. Though planning for low-probability, high-impact events is low on many executives' task lists (only 32% have a plan), not planning isn't a strategy.


Business Continuity Forum: creating resilience and security

Creating Continuity... Building Resilience...