Three Steps to Integrating Cybersecurity With Business Continuity

"Business continuity" and "cybersecurity" puzzle pieces
With cyber threats like ransomware routinely interrupting business operations around the globe, cybersecurity is not just an IT problem — it’s a business risk that needs to be accounted for in the business continuity plan.

But how do you go about doing that? That was the prevailing theme of the Q&A session during a webinar we participated in as part of the Disaster Recovery Journal Webinar Series. Here are some takeaways from the presenters, Eric Thompson, information security officer for Rentsys, and Michael Barrack, managing director at Accume Partners.

Gain Executive Support

The tone from the top drives the success of your business continuity and cybersecurity preparedness. If your organization is going to keep strengthening its defenses against foreseeable events, and sometimes even unforeseeable ones, you need executive support.

It’s also important for executives to support a culture of collaboration. Business continuity owners, infosecurity officers and business units need to be transparent with each other. Sometimes that means admitting that a process under your control has to be improved. If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.

Evaluate Your Incident Response Plan

The traditional way of looking at business continuity is to plan for the inoperability of a facility, a particular service or a function. It’s a worst-case scenario. Cyber threats have added a whole new world of potential ways to take down a particular operation.

Does your organization have a detailed incident response plan that accounts for the various types of security incidents your organization could face? Start with looking at how detailed the incident response plan is. Many businesses simply tack on a brief incident response paragraph — maybe even a page or two — to their business continuity plan. Be advised: That is not a comprehensive incident response plan. Make sure the plan catalogs at least the top seven to 10 security incident types that could disrupt or halt business operations. It should provide for specific responses and procedures tied to those events.

You also need to determine what incidents will trigger the business continuity and incident response plans. For example, an email phishing scenario wouldn’t necessarily shut down access to critical data or affect your ability to service your customers. In that case, you might activate your incident response plan but not your business continuity plan. A ransomware attack, on the other hand, could actually take your systems offline. Since it would leave you without access to critical data and the ability to service your customers, you might classify that as an outage requiring a business continuity response.

Test Your Plan

Just as you test your business continuity plan for worst-case scenarios, you need to test scenarios that integrate business continuity and incident response. For example, you could walk through the process of responding to a CryptoLocker outbreak that encrypts a drive or data store and requires the restoration of that data to another platform. To work through how the plans play out in a particular scenario, start with a tabletop exercise before doing a functional test.

For more advice on integrating cybersecurity with your business continuity plan, listen to the webinar recording below.

Four Common Weaknesses of WFH for Workplace Recovery

“What will we do if our primary facility is inaccessible? Easy. Our employees will work from home.”

We hear this a lot. If your primary facility isn’t available, it makes sense to have employees work from home. Thanks to the cloud, a work-from-home (WFH) alternate workspace strategy is cheaper and more doable than ever before. But what happens when your entire workforce needs to work from home? It sounds extreme, but we’ve seen it happen.

Before writing off alternate facilities, think about how a WFH strategy would work for your entire business (or branch). Here are the top issues to consider.

Business Processes

For WFH to go smoothly, you must design business processes to accommodate remote work. The three principles of a successful WFH strategy are:

  • Communication
  • Coordination
  • Culture
During a business interruption, all departments must be able to communicate and solve unforeseen business challenges. Is WFH currently a strong part of your business culture? If not, trying to adapt to a remote workflow in the middle of a crisis will not go over well. Don’t forget about factors that might complicate WFH arrangements, such as supply chain interruptions or seasonal demands.


Clearing these obstacles with many employees working remotely could be tricky — especially if there are connectivity issues, which brings us to our next point.


No matter where they work, employees need to have access to the resources they need to do their jobs: voice and data communications, power, phones, computers, etc. After major “perfect storms” (which are becoming the new normal), cell phone, power and internet connectivity might not be available.

For example, after Hurricane Harvey hit Rockport, Corpus Christi and Port Aransas in Texas, wind damage knocked out power and communications. WFH wasn’t even an option for businesses in those areas.

In Houston, WFH seemed to be an ideal strategy. Countless roads closed, floodwaters lingered for days, and offices were destroyed. Although the city experienced record levels of flooding, the communications and power infrastructure proved resilient. For many companies, it just made sense to have employees work remotely. But many businesses hadn’t thought through the logistics of the entire company working remotely. The sudden influx of remote employees taxed company resources: VPN licenses, bandwidth availability of VPN concentrators at the home office, etc.

How would you handle your entire business working remotely? Think about how you’d respond to the following potential issues:

  • Employees might not have the right equipment, whether because they weren’t issued company-approved hardware in time or because it’s trapped inside the home office.
  • Internet connectivity in employees’ homes isn’t always reliable.
  • A significant increase in remote workers can overload the VPN.
  • Employees not used to working from home might have trouble logging in.
  • Company phone systems might not be compatible with employees’ personal devices.
  • Vulnerable network connections increase the risk of sensitive data exposure.
  • Employees are more likely to use personal devices without the appropriate security settings.
The higher your ability to address potential connectivity challenges, the more likely WFH is to succeed. But that’s only one part of the equation.

Employees’ Needs

Some employees thrive on the solitude and familiarity of working from home. For others, it’s simply not a good fit. Maybe they’re too easily distracted by the piles of laundry that need to be folded, a loose doorknob that needs to be fixed or kids popping in to say hi every five minutes. In the aftermath of a catastrophic event, employees might not have much of a home to work from. After Harvey, for example, many of our clients in Houston had employees whose homes had been flooded. Imagine juggling your job and your search for a reasonable contractor, all while sitting in a room with no drywall and damp, exposed subfloor. Employees may not want to work from home in these scenarios.

After Hurricane Katrina, employees of one of our bank customers were thankful to have a Mobile Recovery Center to work from, because it had air conditioning and many of their homes did not. You might have solid remote working processes in place and a plan for connectivity issues, but if the work ethic isn’t there, WFH isn’t going to, well, work. Make sure you consider the human side of business continuity and identify your employees’ needs ahead of time.


If employees aren’t a good fit for WFH or if business functions are better suited for in-person interaction, how long can you sustain remote working arrangements? Our clients who had employees working from home following Harvey reported that WFH worked well for about a week. After that, internal processes began breaking down.

Consider all the factors we discussed above and the possibility that WFH might not be the only strategy you’ll have to implement. If your facility is inaccessible for a period of time that exceeds your ideal time frame for WFH, have a plan to transition to an alternative facility.

To be clear, WFH isn’t a bad strategy across the board. It’s just not always as simple as it seems, and it shouldn’t be the only alternate workspace strategy. For more about WFH, read this blog post.

Protecting Yourself Against Meltdown and Spectre Vulnerabilities

If you've been chewing your fingernails over the Meltdown and Spectre chip vulnerabilities that were revealed earlier this year, we don't blame you.

Here's a little refresher if you haven't seen the news: Meltdown and Spectre are flaws in the way modern processors speculatively execute instructions, and they let an attacker read memory that should be off limits on almost every computer released in the last 20 years, including personal computers, laptops, cloud servers and mobile devices.

Sounds pretty scary, right? When you consider that the affected chips made by Intel, AMD and ARM over the last two decades are in virtually every device, that's terrifying.

Meltdown, which affects Intel processors and some ARM-based chips (Apple confirmed that its Macs and iOS devices were affected), breaks the isolation between user applications and the operating system. A process exploiting it can read kernel memory, and through it any sensitive data the kernel has mapped: passwords, encryption keys and personal data.

Spectre, which affects Intel, AMD and ARM processors (and therefore Apple devices too), breaks the isolation between different applications. It allows an attacker to trick otherwise error-free programs into leaking their secrets.

Older systems that are no longer supported and don't receive patches remain vulnerable, but the good news is that mitigations are already available for most supported platforms.

Google's Project Zero was one of several research teams that independently discovered the vulnerabilities in 2017, and Google quickly issued updates and guidance for its products. Apple and Microsoft have also deployed mitigations. Intel's efforts have been rocky: its first microcode update caused unexpected reboots on some systems, and the chipmaker recently released a replacement intended to fix the stability problems its first update caused.

The important thing is to deploy updates as soon as they're available. Even if your systems receive and install updates automatically, double check that nothing is pending or has failed. For Spectre in particular, an operating system patch alone may not be enough: some mitigations also depend on CPU microcode, which usually arrives as a BIOS/firmware update from your hardware vendor. Now that the vulnerabilities are public, attackers will be looking for systems that haven't been patched.
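As an added example (not code from the original post), here is a small check for Linux hosts. Since kernel 4.15, Linux reports the mitigation state of each speculative-execution issue as one file under /sys/devices/system/cpu/vulnerabilities/. The script reads those files when the directory exists and otherwise falls back to constructed sample contents, so it runs anywhere; the sample status strings are illustrative, not captured from a real machine.

```python
"""Report Meltdown/Spectre mitigation status on a Linux host.

Added example, not code from the original post. Linux 4.15+ exposes one file
per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1,
spectre_v2, ...). Each holds a single status line starting with "Not affected",
"Mitigation:", "Vulnerable" or (rarely) "Unknown". The SAMPLE_* dictionaries
below are constructed illustrations used when that directory is absent.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed samples: what an unpatched and a patched host typically report.
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
                  "STIBP: conditional, RSB filling\n",
}


def classify(status):
    """Map one sysfs status line to a coarse bucket name."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):      # also "Vulnerable: <partial detail>"
        return "vulnerable"
    return "unknown"                     # e.g. "Unknown: Dependent on hypervisor status"


def read_sysfs(directory=SYSFS_DIR):
    """Return {name: status} for every file in the sysfs directory, or {} if absent."""
    if not os.path.isdir(directory):
        return {}
    statuses = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            statuses[name] = fh.read()
    return statuses


def summarize(statuses):
    """Group issue names by bucket: {'vulnerable': [...], 'mitigated': [...], ...}."""
    buckets = {"vulnerable": [], "mitigated": [], "not_affected": [], "unknown": []}
    for name in sorted(statuses):
        buckets[classify(statuses[name])].append(name)
    return buckets


def needs_action(statuses):
    """True when at least one reported issue is unmitigated or of unknown state."""
    s = summarize(statuses)
    return bool(s["vulnerable"] or s["unknown"])


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample (sysfs not available here)"
    statuses = live or SAMPLE_UNPATCHED
    print("Source:", source)
    for bucket, names in summarize(statuses).items():
        print("%-13s %s" % (bucket + ":", ", ".join(names) or "-"))
    print("Action needed:", needs_action(statuses))
```

A "Vulnerable" entry after the operating system has been patched usually means the microcode half of the fix is still missing. On Windows, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the equivalent information.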

For FAQs, information on patches and more, visit

[Webinar Recap] How Cybersecurity Trends Will Affect BC/DR in 2018

In 2017, traditional business continuity threats intensified. In fact, it was the costliest disaster year on record. As if that’s not challenging enough, cyber risk is adding more complexity to business continuity and disaster recovery (BC/DR) planning.

During a recent Disaster Recovery Journal (DRJ) webinar, Michael Barrack, managing director for Accume Partners, and Eric Thompson, information security officer for Rentsys Recovery Services, discussed some of these challenges. They made the following predictions:

  • An increase in billion-dollar weather events will give criminals more opportunities for cyber crime. 
  • Ransomware will continue to target backups.
  • More executives will be held personally responsible for breaches.
  • There will be more collaboration between private and public sectors.
  • Businesses will rethink how they collect and handle data.
  • Cybersecurity talent shortages will exacerbate security challenges.

If you missed the webinar, you can view the recording to see how these trends will affect BC/DR. To read more about some of our predictions for the coming year, check out this post.

How to Plan for Ransomware in 2018

Heart monitors go off simultaneously. Doctors get error messages when trying to access patient records. Then all the computers in the facility go black. The following message appears in scrolling green text:

“Currently, we control your hospital. We own your servers.”

The message demands 4,932 bitcoin — about $20 million in the show but over $71 million as of January 2, 2018 — for an encryption key to unlock the medical records. The records will be destroyed if the ransom isn’t paid in a timely manner.

If you’re a “Grey’s Anatomy” fan, you’ll recognize this scenario as the plot of the series’ dramatic winter finale. While the writers take some artistic license with the technical details of the attack, the show clearly portrays the ethical dilemma businesses often face during a ransomware attack: Do they risk extended downtime and/or data loss while they try to recover their data? Or do they give in and pay the ransom, encouraging future attacks?

How will you respond when ransomware targets your business? We say “when” because 71 percent of cybersecurity experts believe there’s a moderate to extreme possibility their organizations will experience ransomware attacks in the next 12 months.

Here are our top recommendations for protecting your data against ransomware in 2018.

Prepare for Ransomware in the Cloud

Nearly 44 percent of the malware found in the cloud is carrying ransomware, and in 2017, attacks against cloud storage increased. This threat is exacerbated by the fact that cloud applications are available on demand. Any employee can go online, sign up for a free service and download infected software. If they share a service with other employees, the infection can rapidly spread to other systems, thanks to the sync-and-share functionality that’s common to many cloud applications.

Your risk increases if employees access data stored in the cloud using personal devices that aren’t properly maintained, patched and updated. To reduce ransomware threats from shadow IT, make sure you have a bring-your-own-device (BYOD) policy in place, look for unusual activity on the network and follow the rest of our tips below.

Patch Everything

"Many of 2017's ransomware attacks could have been mitigated simply by patching systems."
The WannaCry attack infected more than 200,000 computers in 150 countries — all by exploiting
vulnerabilities in older Microsoft operating systems. In fact, as Webroot’s VP of cybersecurity and engineering points out, many of 2017’s ransomware attacks could have been mitigated simply by patching systems. It’s worth noting that the colossal Equifax breach — although not a ransomware attack — was reportedly caused by an employee’s failure to apply a software patch.

To thwart criminals exploiting known vulnerabilities in trusted applications, the solution is simple (though admittedly easier said than done): Patch everything. Patch your applications, software, hardware and connected devices as soon as updates are available.

Train Employees to Look for the Latest Phishing Scams

Timely employee training is one of the most effective ways to combat ransomware, as it typically enters the organization through an employee opening a compromised email attachment, falling for a phishing email or visiting a compromised website.

It’s getting harder to spot scams because scammers are skilled at harvesting data from social networks and other online sources to spoof an email from a well-known brand or impersonate a trusted sender. In fact, spoofing and impersonation comprise 67 percent of successful phishing attacks. Attackers are also compromising legitimate websites and hosting phishing pages on them. The sites’ good reputations allow the newly created phishing pages to slip past anti-phishing filters.

However, these are only two examples of a growing list of phishing tactics. That’s why it’s important to regularly train employees how to look for the telltale signs of phishing attacks. Training should be mandatory, but to fully engage employees, communicate the message that they’ll learn valuable cybersecurity skills to apply in their personal lives. After all, phishing and ransomware target individuals too.

Maintain Backups and Test Your Restore Process

If all else fails and your data is encrypted, having current backups is the best defense against ransomware. By restoring from backups, you can avoid paying the ransom. That’s why, unfortunately, some strains of ransomware are now going after backups, especially if they’re stored in the same environment as your production systems.

WannaCry, for example, deleted volume shadow copies, which Microsoft Windows automatically creates to allow users to easily recover their data. Network-attached backups are also at risk. After having its data encrypted by ransomware, one police station refused to pay the ransom, knowing that its data was backed up. Unfortunately, the backups were attached to the network and had also been encrypted.

To protect yourself, back up your data frequently and segregate it from your production environment: keep at least one copy offline or otherwise unreachable with the credentials your production systems use, so that malware running there cannot encrypt or delete it. Be sure to monitor backups for completeness and accuracy as well.

Of course, a backup is only as good as the restore, so it’s important to routinely test your restore process. Include any disaster recovery vendors you work with in your tests to make sure they can restore your company’s data within your recovery time objectives (RTOs).
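The shadow-copy deletion described above is also something you can watch for. The following is an added example, not code from the original post: a small detector run over constructed Windows process-creation events (the shape of Sysmon event 1 or Security event 4688, flattened to "timestamp host user command_line"). The command lines in the sample are the well-known ways of deleting shadow copies, backup catalogs and boot recovery options; the rule set is a starting point, not a complete one.

```python
"""Detect process launches that destroy local recovery points, the behaviour the
post describes for WannaCry (deleting volume shadow copies).

Added example, not code from the original post. SAMPLE_LOG is constructed, not
captured from a real host. Each line is "timestamp host user command_line".
"""
import re

# Rules are matched against the lower-cased command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",           # shrinking the store evicts old copies
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy")),
]

# Backup agents legitimately prune shadow copies, so these two rules may be
# suppressed for their service accounts. Disabling boot recovery never is.
BACKUP_AGENT_RULES = {"vssadmin_delete_shadows", "vssadmin_resize_storage"}

# Constructed sample log (hosts, users and times are made up).
SAMPLE_LOG = r"""
2018-01-02T09:00:00Z FS01 CORP\svc_backup vssadmin list shadows
2018-01-02T09:05:00Z FS01 CORP\svc_backup vssadmin delete shadows /for=D: /oldest
2018-01-02T10:15:03Z WS042 CORP\alice cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2018-01-02T10:15:04Z WS042 CORP\alice powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}
2018-01-02T11:00:00Z WS043 CORP\bob notepad.exe C:\Users\bob\notes.txt
"""


def parse_line(line):
    """Split 'timestamp host user command_line' into a dict; None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    timestamp, host, user, cmd = parts
    return {"timestamp": timestamp, "host": host, "user": user, "cmd": cmd}


def match_rules(cmd):
    """Names of every rule that matches the command line."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def detect(log_text, backup_accounts=frozenset()):
    """One alert per event that hits a rule, honouring the backup-account exception."""
    alerts = []
    for raw in log_text.strip().splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        hits = match_rules(event["cmd"])
        if event["user"] in backup_accounts:
            hits = [h for h in hits if h not in BACKUP_AGENT_RULES]
        if hits:
            alerts.append(dict(event, rules=hits))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, backup_accounts={r"CORP\svc_backup"}):
        print(alert["timestamp"], alert["host"], alert["user"], ", ".join(alert["rules"]))
```

The allow-list exists because backup software prunes shadow copies as part of normal operation; without it the detector fires on every retention run. Keep it narrow (service accounts only) and never extend it to the bcdedit and wbadmin rules, since no backup agent needs to disable Windows recovery.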

Know How You’ll Respond to a Ransomware Attack

While you’re working on restoring your systems after a ransomware attack, a comprehensive business continuity plan with a strong focus on cybersecurity can minimize the impact of downtime. For example, will you need to temporarily revert to paper-based processes? Will workflows need to be diverted? If so, know in advance when, how and where you’ll carry out the recovery. Finally, employees should be trained on any systems and procedures to be used during downtime.

"Just because we've lost our computers, we don't have to lose our minds." -- Miranda Bailey, "Grey's Anatomy"
While “Grey’s Anatomy” viewers will have to wait until the series returns on January 18 to see how Grey-Sloan Memorial resolves its ransomware attack, you might not have that long to prepare for an attack. Don’t waste any time creating a response plan. Get started now. For more tips, read “Five Ways to Thwart a Cybersecurity Nightmare.”

Three 2018 Business Continuity Predictions

From hurricanes Harvey, Irma and Maria to the WannaCry ransomware attack, business continuity planners around the nation had several opportunities to put their plans to the test in 2017. In 2018, three words will influence business continuity planning: community, reputation and collaboration. Here are three of our predictions for the upcoming year.

The Increase in Billion-Dollar Weather Events Will Require Businesses to Focus on Community

The 2017 hurricane season proved to be the costliest one to date. Total property losses and economic impact from Harvey and Irma alone are expected to climb as high as $200 billion. The impact of California’s wildfire season isn’t much less, at $180 billion, and even before December’s wildfires, 2017 had already set a record as the costliest and deadliest wildfire season in California’s history. According to predictions by Allianz, these billion-dollar disasters will be the new normal.

This new reality will force businesses to consider the impact of disasters on their communities and, in turn, the success of their organizations. If a disaster devastates a region, businesses will have to respond to the needs of the people living in that community — in some cases, both customers and noncustomers alike.

After Hurricane Harvey, for example, First Community Bank in Rockport, TX deployed a Mobile Banking Center, out of which it provided critical services like check cashing and internet access. The bank also met some more basic needs by providing water and meals. By contrast, other financial institutions in the same city remained abandoned, sending the message that they were not able to be there for their customers. Many of these customers, in fact, ended up at First Community Bank instead of driving to an alternate branch location.

In the long term, more businesses will need to look outside their own business continuity strategies and invest in community resilience. Jeff Schlegelmilch, the deputy director of the National Center for Disaster Preparedness at Columbia University’s Earth Institute (NCDP), says investing in community resilience "is not just a moral necessity. Spending on community resilience is also a sound business decision.”

In the wake of large-scale disasters, government agencies will not have the resources to facilitate recovery on their own. After 2017’s barrage of disasters, FEMA’s chief announced that staff were engaged in the longest activation in the agency’s history and were “tapped out.” FEMA’s administrator commented that FEMA was not designed to be the first or only agency responding to a disaster scenario — but it often is. In Canada, British Columbia’s public safety minister described a similar challenge. The government’s emergency systems worked well, but the “‘sheer scale’ of the spring floods and then forest fires overwhelmed the provincial government.”

As billion-dollar weather events increase, businesses will be forced to consider how they can contribute to the community’s resilience. By focusing on serving the community, businesses will in turn protect the long-term success of their organizations.

Customers Will Judge a Business’s Values by How It Responds to a Crisis

A business’s reputation has always mattered, but it matters now more than ever before. Customers expect businesses to take a stand for their values, and customers are scrutinizing them to make sure their actions are consistent with their messages. If there’s any discrepancy, social media will highlight that gap. Social media’s role in the rapid dissemination of information — both good and bad — is a key factor in shaping a business’s reputation.

Going forward, the odds of facing large-scale, highly publicized incidents, like hurricanes or data breaches, are increasing. In many cases, this means that executives and business continuity planners will be faced with an ethical dilemma when developing and evolving their business continuity strategies. They’ll have to ask themselves:

1. Do we do what’s best for the community, stakeholders and greater good?
2. Do we do what’s best for the bottom line?

Case in point: First Community Bank prioritized option 1, using its resources to help residents jumpstart the recovery process. The neighboring businesses chose option 2. They closed their doors, which left many residents without services they needed and ultimately negatively impacted the businesses' reputations and ROI.

"Values play a bigger role than ever before in corporate reputation. "When a business responds to a crisis like a devastating disaster or data breach, it reveals its core values — and that could make or break its reputation.

It’s not just the business reputation as a whole that matters, however. In a global survey of executives, respondents estimated that nearly half of a company’s value was attributed to the CEO’s reputation, and they expected this link to strengthen over the next few years.

When a business experiences a crisis such as a data breach, how the CEO responds will have a huge impact on consumers’ perception of the business. Plus, more executives will be held personally responsible for breaches. In fact, a bill has been proposed that could send executives to jail for up to five years for not reporting a breach in a timely manner — which certainly won't do any favors for a business’s reputation.

In the upcoming year, we’ll see businesses renewing their focus on communicating their values through reputation management and corporate social responsibility, though many will treat these as separate endeavors from business continuity. Forward-thinking businesses will bolster their reputations by treating business continuity and crisis management as strategies for building the business and protecting its future.

The Public and Private Sectors Will Collaborate More

As threats of all sorts — from the aforementioned billion-dollar weather events to cyber threats such as ransomware and phishing attacks — target both private and public organizations, the two sectors will share resources and collaborate to mitigate threats affecting the nation. As the Department of Homeland Security says, “Neither government nor the private sector alone has the knowledge, authority, or resources to do it alone.”

Both sectors, in fact, have more in common than it might seem. Consider these words from Ron Ross, National Institute of Standards and Technology (NIST) fellow: “All of us are kind of in this shared space. We all use the same commercial products, whether they’re operating systems, database management systems, cloud services….” While Ross was speaking of IT infrastructure, the same concept applies to how organizations respond to events happening in the physical world, such as acts of terror or severe weather events. These events often affect a private-sector business (or businesses) but require public-sector resources, usually law enforcement and first responders.

NIST Special Publication 800-181 recommends the following:

“Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).”

This advice is useful for both cyber and traditional business continuity interruptions. Earlier this year, we wrote about one practical way to engage the public sector in your business continuity and crisis management efforts. To improve cybersecurity across industries and sectors, the Department of Homeland Security has established public-private partnership councils and offers information on cybersecurity training and exercises.

In speaking about the aftermath of the 2017 hurricane season, Schlegelmilch (mentioned above) also called for public-private partnership, though he acknowledged that there are still some hurdles to be cleared. Cross-sector collaboration will be a years-long journey, but dialogue about forming relationships across industry and public-private boundaries will continue into 2018.

To hear more predictions, tune in to our Disaster Recovery Journal (DRJ) webinar on January 24, “How Cybersecurity Trends Will Affect BC/DR in 2018.”

Celebrating National Computer Security Day

It’s the holiday season, and we’re ready to celebrate. We’re not talking about turkey or reindeer, but something more critical to your business: National Computer Security Day. Since 1988, businesses worldwide have spent November 30 celebrating effective security measures and practices. While it’s a less recognized holiday, it’s one worth observing if you value cybersecurity.

In honor of National Computer Security Day, we’ve put together these tips and graphics for you to share throughout your organization.

Identify Phishing Emails

Over 75 percent of organizations reported becoming a victim of a phishing attack in 2016. There are some things you can do to help your business avoid joining this growing percentage. Pay close attention to emails that have any or all of the following:

  • Urgent or demanding calls to action
  • Vague greeting (e.g., “Dear Customer”)
  • Fake website links
  • Improper grammar
  • Unprofessional graphics
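Three of these signs (the urgent call to action, the vague greeting and the fake website link) can be checked mechanically before a message reaches a person, and a link whose visible text shows one domain while its href goes to another is exactly the brand-spoofing trick described in the ransomware post above. The following is an added example, not code from the original post; the two messages are constructed, the keyword lists are illustrative rather than a vendor's rule set, and the domain comparison uses a crude "last two labels" rule instead of the public suffix list. Improper grammar and unprofessional graphics are left to the human reader.

```python
"""Score an e-mail for phishing indicators: urgent call to action, vague
greeting, and links whose visible text points to a different site than the
real href.

Added example, not code from the original post. Keyword lists are illustrative
and the sample messages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "urgent", "act now", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "dear valued member")
# A domain-looking token in the visible link text, e.g. "www.examplebank.com/login".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: keep the last two labels."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def deceptive_links(html):
    """Links whose displayed domain differs from the domain the href really goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown = DOMAIN_IN_TEXT.search(text.lower())
        real_host = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(real_host):
            found.append((text, href))
    return found


def phishing_indicators(subject, body_text, body_html=""):
    """Return the list of indicator names present in the message."""
    hits = []
    lowered = (subject + "\n" + body_text).lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        hits.append("urgent call to action")
    if body_text.lower().lstrip().startswith(GENERIC_GREETINGS):
        hits.append("generic greeting")
    if deceptive_links(body_html):
        hits.append("link text does not match destination")
    return hits


# Constructed sample messages (domains are made up).
PHISH = {
    "subject": "URGENT: your account will be suspended",
    "body_text": "Dear Customer,\nVerify your account within 24 hours or lose access.",
    "body_html": '<p>Dear Customer,</p><p>Please sign in at '
                 '<a href="http://examplebank-secure.ru/login">www.examplebank.com/login</a> '
                 'within 24 hours.</p>',
}
BENIGN = {
    "subject": "Lunch on Thursday?",
    "body_text": "Hi Alice,\nAre you free Thursday? Menu link below.",
    "body_html": '<p>Hi Alice,</p><p>See <a href="https://cafe.example/menu">our menu</a>.</p>',
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        print(name, "->", phishing_indicators(**msg) or "no indicators")
```

A mismatch between the displayed domain and the real destination is the strongest of the three signals; urgency and generic greetings also appear in legitimate mass mail, so treat them as a score, not a verdict.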

Use Strong Passwords

Almost all the passwords users create (90 percent) are vulnerable to guessing or cracking. Take the time to come up with a unique password for each individual account that can’t be easily guessed. Use a long combination of words, symbols and numbers, consider a password manager to keep track of them, and change a password as soon as you suspect it has been exposed rather than on a fixed schedule.

Apply Patches

Seventy percent of successful cyber attacks exploited known vulnerabilities with available patches. Cyber attacks can happen in seconds, so update your systems and always be prepared for the worst.

Lock Your Computer

At least 1 in 3 employees says they leave their computer unlocked when away from their desk. Considering that 71 percent of employees have access to sensitive information, that’s a data breach waiting to happen. One of the easiest ways to reduce the risk of a breach is to simply lock your computer screen when you leave your desk.

Speak Up

If you notice any suspicious activity, report it to your security team or manager immediately. When it comes to cyber attacks, time is of the essence, especially if systems have been encrypted by ransomware or if you need to notify customers that their data has been breached.

We hope this holiday reiterates the importance of following security best practices within your organization. Please share our graphics as a way to wish everyone a happy National Computer Security Day!


Need Business Continuity Buy-in? Present It As a Tool for Business Growth

Would you agree that in your organization, management views business continuity planning as a necessary hassle, much like filing taxes? It’s not going to build the business, but you need to do it. That’s one of the reasons business continuity owners constantly struggle to get management buy-in.

The key to getting management’s enthusiastic support for business continuity is to challenge a certain entrenched belief they have about business continuity. It’s mentioned in the previous paragraph, but you might have skimmed over it because it’s usually accepted as fact: Business continuity isn’t going to build the business.

In fact, your business continuity strategy can be used as a tool to build your company’s reputation and visibility in the marketplace. Most people won’t believe this statement at first, so share with them these insights about the connection between business continuity, disaster response and reputation.

Your Response to Disasters Affects Your Reputation

As you know, reputation is a key element of an organization’s success. According to the Reputation Institute, reputation is an emotional bond that ensures:

  • Customers buy your services
  • Policymakers and regulators give you a license to operate
  • The financial community invests in you
  • The media reports favorably on your company
  • Employees align with your corporate strategy

In conversations we’ve had with the Reputation Institute, they’ve revealed that there’s a big gap between what institutions say and what they do. Social media is bringing this gap to light. With the tendency for misinformation and adverse attention to spread rapidly on social media, consumers’ perception of an organization can change in an instant. That’s one of the reasons the Business Continuity Institute’s Horizon Scan 2017 ranked social media second in the top 10 trending issues affecting business continuity.

On the other hand, if your actions support your mission during a crisis situation, people will commend you for it. For example, after Hurricane Harvey devastated Houston, TX, local business owner Jim "Mattress Mack" McIngvale’s response went viral. While most other businesses in the area were closed, he opened up two of his mattress stores to flood victims, demonstrating the values he proclaims on his business website: God, country, family and hard work.


Talk is cheap — listing your values and mission on your website isn’t enough. Your stakeholders expect you to follow through.

Gaining the Benefit of the Doubt Requires a Good Reputation

While a positive response to a disaster will positively impact your reputation, it’s important to create opportunities for reputation building prior to an event. According to Reputation Institute data, as many as 41 to 60 percent of consumers are crucial fence-sitters who can swing to a positive or negative perception of a company because they don’t have a clear understanding of what that company is doing to impact the environment and society. This reputation currency will be critical if a disaster ever impacts your business, as 54 percent of stakeholders would give reputable companies the benefit of the doubt in a crisis.

Prior to experiencing a business interruption, you need to demonstrate your involvement in the community to allow for maximum marketing exposure and help you build trust with your stakeholders. What if you could leverage your business continuity resources to meet that goal?

Here’s a practical example: In 2016, FEMA declared 103 disasters. That's 103 opportunities to make an impact. Imagine deploying a mobile workspace with your company’s branding to the affected area. You could offer needed support, whether it’s providing a free service or distributing food, water and other essential items to members of the community. Even routine business continuity tests can be opportunities for reputation building if you involve the community in crisis response exercises.

When business continuity becomes a way to build the business rather than just another box to check off, management will find a way to get the resources you need to enhance your business continuity program. In fact, we’ve even seen businesses tap into budgets from other departments to make it work.

By demonstrating that you can deliver on your mission in good times and bad, you'll strengthen relationships with your stakeholders and even increase your market share.

Banks: What If You Made These Common Cybersecurity Mistakes With Cash?

“Data is the new currency” is one of the new slogans of the digital transformation. Modern consumers recognize the value of their data, and 67 percent are willing to share more data with banks in exchange for new benefits. Surprisingly, banks don’t always afford sensitive data the same protections they do for physical currency. While PwC’s 2017 Risk in Review report reveals that the financial services industry has strong cyber risk maturity overall, there are a few common mistakes that could be leaving your institution vulnerable. To give you an idea of the gravity of these errors, think of your cybersecurity practices in terms of cash management and physical security.

Transmitting Unencrypted Data Is Like Sending Unsecured Bulk Cash Shipments

Would you ever transfer a bulk cash shipment to a major customer without using their armored carrier service? Not a chance. You know that that decision would not only be a liability for your institution, but it would also put your customer’s assets at risk and breach their trust.

Unfortunately, banks don’t always provide the protection for sensitive data that customers expect. Data must be securely encrypted in transit and at rest, yet 30 percent of FIs say they struggle to protect personally identifiable customer information. Many banks still rely on weak or deprecated algorithms such as the Blowfish and 3DES ciphers and the SHA1 and MD5 hash functions. Instead, use a modern cipher such as AES.

Giving Unvetted Vendors Access to Data Is Like Handing Cash Over to an Unverified Armored Carrier

Going back to the bulk cash shipment scenario, imagine handing over currency to an armored carrier guard without first verifying their identity. This is an egregious security violation, wouldn’t you agree? Yet when it comes to sensitive data, many banks fail to vet third-party vendors they allow to access the sensitive data in their care. In fact, 41 percent of financial services respondents ranked assessment of security protocols and standards of third-party vendors as the top challenge to information security efforts.

The FFIEC’s guidelines for outsourcing technology services recommend a “comprehensive outsourcing risk management process to govern technology service provider (TSP) relationships.” Make sure you work with vendors whose operations are regularly examined by a third party. This ensures the vendor’s risk management and information protection practices adequately address data confidentiality and regulatory compliance.

Disregarding Network Alerts Is Like Ignoring Your Vault Alarm

Would you be appalled if your vault alarm went off and your staff members ignored it? In a way, that’s what is happening with cybersecurity alerts. Institutions are only able to investigate 56 percent of security alerts they receive on a given day. Of those, only 46 percent of legitimate alerts are remediated. Granted, security operations managers see more than 5,000 security alerts per day — exponentially more than you’ll ever receive from your burglar alarm. However, the lack of resources for monitoring alerts is concerning.

With there being a security talent shortage, outsourcing can help your institution meet its overall strategic plan and corporate objectives. The FFIEC has specific guidelines for using a managed security service provider (MSSP). You might also consider using a fully managed cloud vaulting solution to move critical data off-site to protect yourself against ransomware.

Assuming Employees Know Cybersecurity Best Practices Is Like Expecting Them to Know Your Physical Security Policies Without Training

When hiring a new employee, what if you assumed they knew the proper cash handling guidelines, how to handle a holdup situation or how to respond to an active shooter event? That’s a disaster waiting to happen. Chances are, you invest countless hours on training employees in these areas. Even if someone has experience in the financial services industry, it’s imperative to make sure they understand your institution’s specific policies and procedures.

Unfortunately, training is one of the top five cybersecurity challenges in banking. In fact, fewer than half of the financial services organizations polled even have a formal information security policy. To reduce the risk of cybersecurity threats, it’s critical to create a security culture. The FFIEC recommends annual security training to reinforce guidelines for endpoint security, login requirements and password administration. The training should include the following three increasingly common scenarios:

• Phishing and social engineering
• Data theft through email or removable media
• Unintentional posting of confidential or proprietary information on social media

Improving your cybersecurity practices is not only the right thing to do, but the FFIEC, Gramm-Leach-Bliley Act and other regulatory agencies and regulations require it. If you’re unsure where to start, the FFIEC Cybersecurity Assessment Tool is a helpful resource for assessing your bank’s cybersecurity maturity.


Is Outsourcing Cloud Data Services Right for You?

The IT landscape is being transformed by increasing regulatory burdens, consumer expectations of data security and reliance on data availability for service delivery. In our recent webinar with the Disaster Recovery Journal, Brandon Tanner, Rentsys senior manager, discussed how IT challenges are affecting highly regulated organizations.

With these challenges, is outsourcing cloud data services a good move for regulated businesses? For some, it is. In the webinar, Paul Arguinchona, CIO for Frontier Behavioral Health (FBH), a nonprofit provider of behavioral health services, explains how his organization has leveraged outsourced cloud data services to fulfill FBH’s mission and values.

To see what Brandon and Paul had to say, view the webinar on demand.
