Don't Wait. Communicate.

Family looking at digital tabletSeptember is National Preparedness Month, and the timing couldn’t be better. The Predictive Services National Interagency Fire Center predicted a fire season of above-normal risk [PDF], and Hurricane Hermine made landfall on the Southeast coast on Friday.

When disasters like these strike, every second counts. That’s why the Red Cross has chosen “Don’t Wait. Communicate.” as the theme of this year’s National Preparedness Month. After all, you might have a perfectly plotted preparedness plan for responding to disasters, but that plan is useless if the right people don’t know the details of those plans. It’s also important for people to be able to communicate with each other in the midst of a disaster.

For tips on creating a family game plan, visit, and then check out this blog post for tips on how to include communications in your business continuity and disaster recovery plan.

How to Mitigate Knowledge Loss Due to Employee Turnover

Employee turnover is inevitable. In fact, in the last five years, employee turnover has risen from 14.4 percent to 16.7 percent and doesn’t seem to be slowing down. With the steady increase in turnover, organizations ought to be more concerned about knowledge loss, particularly when it comes to business continuity and disaster recovery (BC/DR) procedures.
Man confused because nobody wrote down the BC/DR plan

Here are a couple things you can do to help mitigate the ever-present risk of knowledge loss.

Recruit the Expertise of a Vendor

You might think it’s more efficient and cost-effective to manage all of your BC/DR processes in-house with a dedicated director or team of employees. This is true to a certain extent. Having one employee or even a small team in charge of your BC/DR is beneficial in that these employees are familiar with your business’s culture and processes as well as BC/DR best practices, which allows them to create a highly targeted BC/DR program. But what happens if any of those employees are unavailable during a business interruption or disaster? Or if one of the employees leaves the business? One of the ways to combat this risk is to outsource your BC/DR to a third party.

If you work with a vendor for BC/DR consulting and solutions, you can help reduce the impact of knowledge loss when employees leave your company. Because your vendor is immersed in the BC/DR industry on a daily basis, you don’t have to rehire or retrain a dedicated BC/DR staff member. While the vendor won’t be as intimately familiar with your internal processes as employees are, this isn’t necessarily a bad thing. When it comes to BC/DR, an objective third-party perspective can help you identify interdependencies or inefficient processes you didn’t realize existed.

In addition to helping prevent knowledge loss, you don’t have to worry about a vendor’s support being interrupted by the same power outage, natural disaster or cyber threat that’s affecting your business.

Document All Plans and Processes

Regardless of whether you keep your BC/DR in-house or outsource to a third party, documentation is critical. For one, your employees need to know what to do in case of a business interruption. If they’re in the dark about their roles in the recovery process, that will directly impact your recovery times. Ensure that all key employees — not just those responsible for the BC/DR program — have reviewed the documents and know where to access them.

If you’re outsourcing any aspect of your recovery process, documenting the recovery process eliminates any confusion about which parties are responsible for executing key recovery steps. Don’t forget to update your documentation any time your business experiences changes in objectives, technology or strategies. It’s crucial to keep an updated plan available so you don’t encounter gaps in your BC/DR program.

Employee attrition might be rising, but just because an employee leaves your business doesn’t have to mean your BC/DR effectiveness leaves with them.

Is Your BYOD Policy Prepared for Pokémon GO?

Young people using smartphones
The stories have been hard to miss. Hundreds to thousands of young people are gathering in places like New York City’s Central Park or even close to our headquarters to play the extremely popular smartphone and tablet game Pokémon GO. While the game has led to some scary real-life situations for users, it can also lead to something scary for businesses: the risk of a data breach.

While Pokémon GO creator Niantic has taken steps to make its game more secure and more respectful of users’ privacy, many other mobile apps that users might download don’t offer the same protections. That should be unsettling for any business that allows employees to connect to company email servers and networks with their personal devices — a practice known as bring your own device (BYOD).

Malicious apps that can access large amounts of confidential information or hold devices hostage with ransomware aren’t the only thing BYOD companies have to be concerned about. Here are some additional security risks of BYOD and how your company can prepare for them.

Do You Know Who's Prying?

Imagine this scenario: One of your sales reps is on the road, but she needs to access and update a contract that lives on your local network.  She stops at a coffee shop and connects to its public WiFi. Little does she know that WiFi hot spot is also the target of a hacker who is swiping unencrypted data from everybody who’s connected to that router. The data sent and received by your sales rep can be easily poached by the hacker and released to the public on the Internet, sold on the black market or held for ransom.

Public WiFi hot spots can be a scary place to connect, not because of the location but because you never know who is there to do more than check email. That’s why it’s important to have your employees use a virtual private network (VPN) to connect to the company network remotely. A VPN encrypts the data moving between the employee’s device and the company network, making it much more difficult for a hacker to access the data.

Do You Know Where Your Device Is?

Think you felt bad when you recently misplaced your iPhone? How do you think one Apple employee felt when he left an iPhone 4 prototype in a bar in 2010? Lost or stolen devices can give just about anybody instant access to company data if the devices aren’t properly secured. In fact, almost 70 percent of data breaches in the healthcare industry between 2010 and 2014 were caused by stolen devices. A $700 iPhone can feel pretty insignificant compared to millions of dollars in data recovery costs.

Personal and company-provided devices alike can easily go missing. A misplaced smartphone is practically inevitable. However, even minimal security practices can help keep devices from turning into goldmines for hackers. Locking functions such as the iPhone’s PIN code or the Android’s pattern lock can keep people out, while a remote memory wipe program can go a step further by deleting the device’s data from afar. Even if a hacker does gain access to the phone, there won’t be any data for them to corrupt or hold for ransom.

When Was the Last Time You Updated?

Unlock your iPhone and open the App Store. How many updates are waiting for you? Are you using the latest version of your operating system (OS)? Some of us obsess over getting everything updated as soon as possible, but not everybody is in a hurry when a round of updates appears in the queue. Many people resist updating apps and OSes because of functionality problems caused by past updates.

However, not updating OSes and apps can leave devices vulnerable to attack. Most updates exist to fix known glitches or close security vulnerabilities rather than to add or remove features. Even traditional PCs require occasional updates to improve security — smartphones, tablets and apps are no different.

If an OS update is released, have your IT department test it to make sure it doesn’t affect the functionality of any business-critical apps your BYOD employees use. If there are no issues, inform your employees that they need to run updates as soon as possible to help keep company data secure. Also remind employees to routinely update their apps to close any known security holes.

You Downloaded What?

Daniel was really interested in a particular smartphone app’s organizational features, so he didn’t pay much attention to the terms and conditions or the permissions he allowed when he downloaded it. Daniel unknowingly gave the app access to every bit of data on his phone — from web and search history to emails. What started as a quest to be more productive led to the risk of company emails with sensitive information landing in the wrong hands.

Apps that request broad permissions can be especially problematic if your employees access company email through their device’s built-in email app. These apps typically store email data locally on the device, meaning another app that’s been given access to that data can give hackers or malicious developers the ability to browse confidential corporate emails.

Your employees should always be careful about what they’re downloading to their personal devices, but you should have an acceptable use policy if they’re also accessing company emails or networks from the same devices. Require employees to double check the permissions and validity of every app they use. While it might be tedious and require the deletion of a much-enjoyed app, a security breach sourced from a remote personal device should be treated no differently than an on-site security breach.

Despite the risks, BYOD offers small- to medium-sized businesses an excellent way to avoid the costs associated with purchasing and servicing company-owned devices. However, without strict BYOD policies and procedures, you’re susceptible to data breaches that can turn into nightmares. 

How Should Your Business Prepare for the Internet of Things?

Smart city and wireless communication network, internet of things
The imminent rise of the Internet of Things (IoT) brings you the potential to give your customers the option to connect to online tools they use every day from a growing range of devices. 

But before your business can take advantage of the benefits of IoT, like new product opportunities and real-time data that can bolster operational efficiency, you need to make sure your core IT infrastructure can handle the demands of IoT.

A Pew Research Center report predicts that IoT will be thriving by 2025, which may present a danger to businesses that try to advance their products at the same pace as technological advancements — before updating the systems that support them. 

Here are a few suggestions on how to prepare your company infrastructure before it’s crippled by the demands of IoT technology.

Prevent System Downtime

Technological advancements have created a customer base that expects constant accessibility to applications. If your business plans to introduce applications that run on IoT technology, you want to be able to keep customers happy by offering reliable application uptime.

Your business can minimize system downtime by having a clear business continuity plan (BCP). When business interruptions occur, an off-site cloud recovery platform can protect your IT infrastructure and keep you connected to your data and applications. Constant connection with business data is already imperative, but when it comes to IoT applications, connectivity is invaluable.

Adapt to Fluctuating Data Demands

As IoT technology grows, data demands will only continue to increase. Built on cloud computing and a network of sensors that constantly gather data, IoT could potentially overload any company infrastructure that isn’t prepared to store an increasing amount of data.

The 2016 IBM report “Growing Up Hybrid: Accelerating Digital Transformation” notes that forward-thinking organizations are using hybrid clouds, which utilize public and private clouds, to gain a competitive edge in the implementation of IoT and accommodate its high data demands. Adopting a hybrid cloud model for data vaulting can give your company the ability to get ahead of the impending mass of data that your IoT applications may gather.

Protect the Perimeter

IoT offers you the benefit of leveraging data gathered from users in order to improve products or connect with customers more effectively. However, the increased number of devices connecting to your business network offers more entry points for cyber criminals. Your business can guard against the increased risk of hackers by implementing a strong network security system.

An effective network security strategy should include intrusion detection and prevention, deep packet inspection, port scanning, protocol inspection, perimeter anti-virus and malware blocking. To safeguard your business, look for a network security solution that doesn’t require the purchase of additional modules or applications. Having multiple separate security modules or applications can create gaps in your cybersecurity, making your business more vulnerable to cyber threats like malware and hackers.

Cyber crime has steadily risen in the past few years, and IoT technology promises to contribute to this growing threat. Before offering an application that runs on an IoT device, fortify your company infrastructure so the increased cyber risk doesn’t take you by surprise.

To fully capitalize on IoT, make sure your business has a clear BCP, an adaptable method for data vaulting and a strong network security solution in place.

How does your business plan to implement IoT? Let us know in the comments!  

How Can Cybersecurity Help Grow Your Business?

Business Success GraphAs cybercrime increases, cybersecurity is necessary for safeguarding a business, but the budgets allocated to it reflect that it’s not a spending priority. According to the 2015 Global State of Information Security Survey, cybersecurity budgets only rose by 24 percent from 2014, despite a 38 percent increase in detected information security incidents.

Now what if we told you that cybersecurity wasn’t just a cautionary expense but an investment?

With the growth of data analytics and the digitalization of business functions, businesses are able to offer online services that allow them to easily reach new markets. This digital growth requires an expanding computer network, which means higher cyber risk.

To take advantage of technical innovations that make growth possible while minimizing risk, your business should implement a dependable and easily adaptable approach to cybersecurity. This approach involves two key elements.

Centralized Security Platform

Centralizing your network security simplifies network management and increases network efficiency by integrating security applications like anti-virus, intrusion detection and protection, and Internet traffic monitoring rather than contracting several security solutions. Integrating these functions minimizes security gaps that occur when several applications are running on the same network.

When your company streamlines security applications, system updates are efficiently deployed across all security functions rather than updated individually. With more cohesive system updates, an integrated network security solution allows you to prepare for or respond more quickly to cyber threats. Focusing management efforts on an efficient cybersecurity platform can enable your business to grow into new markets without sacrificing functionality or risking confidential data.

Employee Training

Your business exposes itself to threats like ransomware if your employees aren't properly educated in simple cybersecurity practices. In the Global State of Information Security Survey, employees remain the most cited source of compromise at 22 percent. Promote a culture of security within your business by educating employees on how to avoid cyber threats in their everyday work activities.

Cybersecurity education teaches employees security best practices like how to create more secure logins and recognize phishing emails. Your employees should also know to report immediately to IT when they think a device is affected by ransomware. Investing in an interactive training program can improve employee cooperation to help protect your business from cyber attacks, which could impede your business’s growth.

Streamlining security management efforts and promoting a culture of security within the company serve as investments in business growth by making it possible to enter new markets without unnecessary exposure to cyber attacks.

To learn about how to prevent a cyber attack, read our post “Five Ways to Thwart a Cybersecurity Nightmare”.

[Webinar Recap] Cyber Breach Exercises: Bringing IT and the Business Together

Is Technology Alone Enough? Slide
Cyber attacks are one of the most prevalent forms of business interruption in today’s tech-friendly world. Currently, many businesses are fighting back by spending more on new technology to boost their cybersecurity. However, developing a sufficient response strategy to combat cyber attacks can be difficult since IT, BC/DR and crisis management have individual processes.

In our most recent webinar, Brandon Tanner, Rentsys senior manager, and Philip Bigge, VP of consulting services for Ripcord Solutions, provided insight on how to design exercises that help your business create a business-wide, cohesive cyber breach response strategy. Some tips from the webinar include:
  • Unify attendees in one location.
  • Separate attendees into teams with members of the same departments on separate teams (so every team has members from each department).
  • Create a balance of leaders and employees within each team.
To hear more, listen to the webinar here.

Cyber Insurance Is No Substitute for Business Continuity Planning

These days, the likelihood of a business experiencing a data breach or cyber attack like ransomware is at an all-time high, and this growing concern has led organizations to seek out solutions like cyber insurance policies to protect themselves against the threat.
Stamp of approval of insurance coverage

Although cyber insurance policies can cover some of the damage caused by a business disruption, they don’t always address some of the key issues that arise during a data breach, like the cost of reputation damage and loss of customers. In order to fully protect your business, a cyber insurance policy should be coupled with a thorough business continuity plan (BCP). Here are a few things to keep in mind about cyber insurance policies.

Payout Requirements

Before coverage can apply, businesses experiencing a breach have to meet certain requirements. In order to ensure that the incident isn’t something that happens frequently, many cyber insurance policies require businesses to wait six to 12 hours before the incident can be deemed a legitimate business disruption. Larger companies typically have to wait even longer due to the assumption that they can afford more loss before needing any aid.

Furthermore, cyber insurance policies don’t always provide reasonable coverage for ransomware attacks. Although this type of coverage — called “cyber extortion” coverage — varies, many times the policy deductible will cost more than the ransom amount. Others cover the cost of paying the ransom but require a business executive to agree to pay the ransom, which is strongly discouraged by the FBI.

Coverage Gaps

Every cyber insurance policy is different depending on the industry and size of the business, but the most common components of cyber coverage are errors and omission, media liability, network security and privacy. However, a few important areas that are not currently covered by cyber insurance are reputational harm, future revenue loss and the cost of IT system improvement.

Sometimes cyber insurance doesn’t even cover the full cost of a data breach. When the P.F. Chang’s restaurant chain was hacked in June 2014, the chain’s cyber policy only covered $1.7 million of the total cost. Due to some exclusions in the policy, the coverage did not apply to an additional $1.9 million that P.F. Chang’s reimbursed to Bank of America for charges made as a result of leaked credit card information.

Risk of Misinterpreting the Policy

If you have a cyber insurance policy in place, ensure that you understand what specifically is covered in the event of a data breach. Sometimes, even though a policy has cyber extortion coverage, it may not cover “first-party” costs like public relations expenses, profit loss during downtime and the cost of investigating the breach. Or in some cases, the policy will cover data breach costs only if the breach is committed by someone within the company’s walls or as a result of human error.

One example of a business misinterpreting its insurance policy occurred in April 2011, when Sony’s PlayStation network was hacked, causing Sony to lose $178 million in profits. Sony sought coverage from Zurich and Mitsui Sumitomo Insurance Company, which filed suit in New York state court, stating it was not obligated to cover the hack because Sony had misinterpreted a phrase in the insurance policy. The courts sided with Zurich, citing the fact that the policy requires the policyholder to commit the act, and Sony’s breach was committed by a hacker.

Cyber Insurance Works Best With a Business Continuity Plan

Although cyber insurance helps cover certain costs of a data breach, it’s not enough to completely support your organization in the event of a breach.

Business continuity planning requires you to identify weak points in your organization, such as out-of-date IT infrastructure, lack of an off-site data vaulting solution and employees who are uneducated about cyber security best practices. Proactively identifying these vulnerabilities ultimately helps reduce the chances of a cyber breach from occurring.

If your business is still affected by a breach despite your precautions, a business continuity plan helps mitigate the impact of areas cyber insurance doesn’t cover, like developing plans for managing the business’s public image after a breach, testing processes for getting systems back online and helping employees get back to work again.

What are you doing to improve cybersecurity in your business? Let us know in the comments.