Business Continuity 2016: A Year in Review

There was no shortage of challenges for business continuity professionals in 2016. As we move into a new year, we wanted to highlight some of the themes from last year, as we fully expect to see more of the same this year. Here are our top six observations.

Ransomware Was the Most Talked-About Cyber Threat

It’s responsible for shutting down transit systems. It’s cut off communications among hospital staff. It’s extorted millions of dollars from banks. “It” is ransomware — a type of malware that hackers deploy to encrypt data. The hacker then demands a ransom in exchange for a decryption key.

Back in March, the Los Angeles Times declared that 2016 was “shaping up as the year of ransomware.”  The prediction rang true — Kaspersky Lab confirmed that ransomware attacks against businesses increased threefold in 2016. Healthcare is by far the most targeted industry, with telecom and transportation trailing behind.

Ransoms can reach into the range of thousands of dollars. Hollywood Presbyterian Medical Center, for example, paid $17,000 worth of bitcoin to quickly regain access to its data. The FBI, however, has recommended against this strategy, saying that giving in to criminals’ demands only encourages further criminal activity and there’s no guarantee businesses will receive the decryption key after paying the ransom.

The best defense is the one the U.S. Department of Health and Human Services recommends: regularly back up data (so you can restore it in case primary copies are encrypted by ransomware), use security software and educate employees on cybersecurity best practices.

Data Breaches Continued Unabated

Data breaches have spent plenty of time in the spotlight during the past few years. Whether they involved a hacker exploiting a vulnerability while a client moves from one online services vendor to another; a healthcare vendor losing hard drives containing patient data; an employee falling for a phishing attempt and exposing employee W-2s; or a hospital employee accessing files without authorization over a period of several years, data breaches put countless Americans’ data at risk this year.

The exact cost is debatable, but the risks are clear: Businesses risk not only data loss but also intellectual property theft, exposure of company secrets, source code sabotage, investigations by regulatory authorities, reputation damage and costly litigation. The list of consequences goes on and on.

The top three sectors targeted in 2016 were government, healthcare and business. Businesses in the healthcare industry are a prime target, because unlike credit card numbers, personal data like Social Security numbers and medical records can’t be easily changed, so they fetch a premium on the black market.

Some businesses take out data breach insurance policies as protection, but this strategy is no substitute for business continuity planning.

Businesses Lack the Resources for a Well-Rounded Business Continuity Program

Companies aren’t always well equipped to deal with the business continuity threats they’re facing, especially when it comes to disaster recovery (DR) and cybersecurity.

Cybersecurity technology might be top of mind for the global C-suite, but finding the security talent to accompany it is another story. A combination of rapidly evolving cyber threats and inadequate education programs has led to a shortage in security talent. The security professionals that do exist command such high salaries that they’re inaccessible to SMBs and industries that don’t pay as much for cybersecurity talent as others (the financial services industry pays more than healthcare, for example).

Disaster recovery, on the other hand, simply isn’t a top priority for half of C-level execs. Perhaps this is because 65 percent of execs are already confident in their organizations’ DR plans. Problematically, only 31 percent of IT managers agree with this assessment.

Considering these shortcomings, it’s not surprising that only 51 percent of businesses report having a comprehensive business continuity plan.

Vendor Due Diligence Became a Larger Part of Compliance

As always, compliance plays a prominent role in business continuity. In 2016, businesses that are subject to guidelines set by the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA) saw their regulatory burden increase. Now, these businesses are being held responsible for performing due diligence on any outsourced service providers that provide essential technology services and/or handle protected health information (PHI) or personally identifiable information (PII). What’s more, they must also perform due diligence on any third parties and their subcontractors used to provide the contracted services.

HIPAA is especially strict — it holds business associates (i.e., subcontractors handling PHI and PII) directly responsible for observing HIPAA requirements. In fall 2016, the Office of Civil Rights (OCR) launched phase 2 of a round of audits, which resulted in the first penalty against a business associate.

The emphasis on vendor management is largely driven in part by the increasing number of cyber threats. The OCR issued an alert on the importance of cyber awareness, and the FFIEC issued a warning about cyber attacks.

The DRaaS Market Continued to Expand

The cloud market — particularly the disaster recovery as a service (DRaaS) market has continued to expand. In 2016, the DRaaS market was worth $1.68 billion and is expected to be worth $11.1 billion by 2021, growing at an estimated CAGR of 45.9 percent.

Data breaches are hastening the move to the cloud, and MSPs are realizing the vast revenue potential of offering DRaaS to their customers. It’s especially appealing to SMBs that lack the resources and expertise to manage a cloud solution, large enterprises that want their dedicated IT staff to spend more time on revenue-generating projects, and organizations that want to leverage multiple clouds (e.g., private and public).

New Weather Challenges Emerged

Data security garnered plenty of attention in the media during 2016, but unique weather threats and natural disasters put business continuity plans to the test as well.

For instance, this year’s hurricane season was a significant one on many levels. It boasted the most hurricane activity since 2012 (there were 15 named storms) and had the most major hurricanes (three) since 2011. Additionally, the Atlantic saw its first Category 5 hurricane in nine years. While hurricane season officially begins in June and ends in November, this season was extra long. Hurricane Alex made an early appearance in the Atlantic in mid-January, and Hurricane Otto showed up in the Caribbean on Thanksgiving. We can expect more of the same in years to come, as some say hurricane season could be extended by as much as a day every year.

NASA reports that fire seasons are getting longer and more frequent as well, with dry landscapes and hotter temps creating prime conditions for fires. To make matters worse, the Forest Service is underfunded and struggling to accommodate fire suppression efforts. The 2016 season included deadly fires such as the Clayton fire in California, which consumed 300,000 acres and destroyed 175 structures. In August, the National Interagency Fire Center reported that California ranked highest for the number, size and severity of wildfires in the West.

The Southeast also experienced significant wildfire activity, which is uncharacteristic of the region. As of November 20, forest fires had burned 119,000 acres across eight states. These numbers don’t include the deadly fires in Gatlinburg, TN — the worst the state has experienced in 100 years. Those blazes alone destroyed more than 2,400 structures and scorched 20,000 acres, killing 14 and injuring 175.

Outlook for 2017

Considering the threats we faced in 2016, our advice for 2017 is to be vigilant, as threats exist on all fronts, from natural disasters to cyber breaches. When planning for cyber threats, be sure you don’t neglect your physical infrastructure. With severe weather threats and natural disasters always on the horizon, you need to consider the impact of not having access to your primary facility. Train your employees well and invest in third-party help if your internal resources aren’t adequate for ensuring you’re protected.

[Webinar Recap] Lessons Learned: Call Center Recovery Testing

The Need for Call Center Continuity slide
Gone are the days of the call center being treated as a cost center. Both customer demands and compliance obligations are bringing the call center to the forefront in business continuity plans for businesses in many industries.

In a recent webinar with the Association for Continuity Professionals (ACP), Brandon Tanner, senior manager for Rentsys, discussed some industry trends that show the role call centers play in addressing customers’ expectations for on-demand service and in meeting compliance requirements for availability.

Brandon was joined by Rentsys customer Steve Hamilton, who’s the business continuity manager for Fiserv, a provider of technology solutions to the financial world. Steve explained the lessons his organization learned during a recent call center recovery test. These takeaways included the importance of manager participation in tests and making adjustments to daily operations when working in an alternate environment.

If you missed the live webinar, you can watch the recording here. Be sure to stick around for the Q&A session at the end. Attendees had plenty of questions about testing logistics, whether work-from-home strategies work for call centers and more.

Cybersecurity: Spend Big Bucks, Outsource or Be Hacked

When it comes to cybersecurity, businesses now have three choices:

    Blue cybersecurity concept
  • Pay a premium for full-time security talent
  • Outsource
  • Be hacked

These choices may sound extreme, but they’re the logical responses to a perfect storm of rapidly evolving cyber threats and inadequate education programs. This combination of factors has resulted in a shortage of skilled security talent for nearly 80 percent of organizations.

A recent article by NewsFactor painted this picture of the cybersecurity landscape, citing research by Intel Security with the Center for Strategic and International Studies (CSIS).

While several top universities offer cybersecurity programs, the curriculum is unable to keep pace with the evolution of security threats. When students leave these programs and enter cybersecurity roles, they’re unprepared to deal with current cyber threats, according to the vast majority (76 percent) of lT professionals.

It’s not surprising, then, that knowledgeable cybersecurity professionals are in high demand and that these positions pay an average of $6,500 more than other IT professions.

If you can’t afford in-house resources, outsourcing can give you access to the cybersecurity skills you require for functions such as ongoing risk assessment and mitigation, network monitoring and access management, and repair of compromised systems. You’ll be in good company — nearly 60 percent of organizations say they’ve outsourced cybersecurity work.

So what will it be for your organization: spend the money for full-time security talent, outsource or be hacked?

Don't Wait. Communicate.

Family looking at digital tabletSeptember is National Preparedness Month, and the timing couldn’t be better. The Predictive Services National Interagency Fire Center predicted a fire season of above-normal risk [PDF], and Hurricane Hermine made landfall on the Southeast coast on Friday.

When disasters like these strike, every second counts. That’s why the Red Cross has chosen “Don’t Wait. Communicate.” as the theme of this year’s National Preparedness Month. After all, you might have a perfectly plotted preparedness plan for responding to disasters, but that plan is useless if the right people don’t know the details of those plans. It’s also important for people to be able to communicate with each other in the midst of a disaster.

For tips on creating a family game plan, visit, and then check out this blog post for tips on how to include communications in your business continuity and disaster recovery plan.

How to Mitigate Knowledge Loss Due to Employee Turnover

Employee turnover is inevitable. In fact, in the last five years, employee turnover has risen from 14.4 percent to 16.7 percent and doesn’t seem to be slowing down. With the steady increase in turnover, organizations ought to be more concerned about knowledge loss, particularly when it comes to business continuity and disaster recovery (BC/DR) procedures.
Man confused because nobody wrote down the BC/DR plan

Here are a couple things you can do to help mitigate the ever-present risk of knowledge loss.

Recruit the Expertise of a Vendor

You might think it’s more efficient and cost-effective to manage all of your BC/DR processes in-house with a dedicated director or team of employees. This is true to a certain extent. Having one employee or even a small team in charge of your BC/DR is beneficial in that these employees are familiar with your business’s culture and processes as well as BC/DR best practices, which allows them to create a highly targeted BC/DR program. But what happens if any of those employees are unavailable during a business interruption or disaster? Or if one of the employees leaves the business? One of the ways to combat this risk is to outsource your BC/DR to a third party.

If you work with a vendor for BC/DR consulting and solutions, you can help reduce the impact of knowledge loss when employees leave your company. Because your vendor is immersed in the BC/DR industry on a daily basis, you don’t have to rehire or retrain a dedicated BC/DR staff member. While the vendor won’t be as intimately familiar with your internal processes as employees are, this isn’t necessarily a bad thing. When it comes to BC/DR, an objective third-party perspective can help you identify interdependencies or inefficient processes you didn’t realize existed.

In addition to helping prevent knowledge loss, you don’t have to worry about a vendor’s support being interrupted by the same power outage, natural disaster or cyber threat that’s affecting your business.

Document All Plans and Processes

Regardless of whether you keep your BC/DR in-house or outsource to a third party, documentation is critical. For one, your employees need to know what to do in case of a business interruption. If they’re in the dark about their roles in the recovery process, that will directly impact your recovery times. Ensure that all key employees — not just those responsible for the BC/DR program — have reviewed the documents and know where to access them.

If you’re outsourcing any aspect of your recovery process, documenting the recovery process eliminates any confusion about which parties are responsible for executing key recovery steps. Don’t forget to update your documentation any time your business experiences changes in objectives, technology or strategies. It’s crucial to keep an updated plan available so you don’t encounter gaps in your BC/DR program.

Employee attrition might be rising, but just because an employee leaves your business doesn’t have to mean your BC/DR effectiveness leaves with them.

Is Your BYOD Policy Prepared for Pokémon GO?

Young people using smartphones
The stories have been hard to miss. Hundreds to thousands of young people are gathering in places like New York City’s Central Park or even close to our headquarters to play the extremely popular smartphone and tablet game Pokémon GO. While the game has led to some scary real-life situations for users, it can also lead to something scary for businesses: the risk of a data breach.

While Pokémon GO creator Niantic has taken steps to make its game more secure and more respectful of users’ privacy, many other mobile apps that users might download don’t offer the same protections. That should be unsettling for any business that allows employees to connect to company email servers and networks with their personal devices — a practice known as bring your own device (BYOD).

Malicious apps that can access large amounts of confidential information or hold devices hostage with ransomware aren’t the only thing BYOD companies have to be concerned about. Here are some additional security risks of BYOD and how your company can prepare for them.

Do You Know Who's Prying?

Imagine this scenario: One of your sales reps is on the road, but she needs to access and update a contract that lives on your local network.  She stops at a coffee shop and connects to its public WiFi. Little does she know that WiFi hot spot is also the target of a hacker who is swiping unencrypted data from everybody who’s connected to that router. The data sent and received by your sales rep can be easily poached by the hacker and released to the public on the Internet, sold on the black market or held for ransom.

Public WiFi hot spots can be a scary place to connect, not because of the location but because you never know who is there to do more than check email. That’s why it’s important to have your employees use a virtual private network (VPN) to connect to the company network remotely. A VPN encrypts the data moving between the employee’s device and the company network, making it much more difficult for a hacker to access the data.

Do You Know Where Your Device Is?

Think you felt bad when you recently misplaced your iPhone? How do you think one Apple employee felt when he left an iPhone 4 prototype in a bar in 2010? Lost or stolen devices can give just about anybody instant access to company data if the devices aren’t properly secured. In fact, almost 70 percent of data breaches in the healthcare industry between 2010 and 2014 were caused by stolen devices. A $700 iPhone can feel pretty insignificant compared to millions of dollars in data recovery costs.

Personal and company-provided devices alike can easily go missing. A misplaced smartphone is practically inevitable. However, even minimal security practices can help keep devices from turning into goldmines for hackers. Locking functions such as the iPhone’s PIN code or the Android’s pattern lock can keep people out, while a remote memory wipe program can go a step further by deleting the device’s data from afar. Even if a hacker does gain access to the phone, there won’t be any data for them to corrupt or hold for ransom.

When Was the Last Time You Updated?

Unlock your iPhone and open the App Store. How many updates are waiting for you? Are you using the latest version of your operating system (OS)? Some of us obsess over getting everything updated as soon as possible, but not everybody is in a hurry when a round of updates appears in the queue. Many people resist updating apps and OSes because of functionality problems caused by past updates.

However, not updating OSes and apps can leave devices vulnerable to attack. Most updates exist to fix known glitches or close security vulnerabilities rather than to add or remove features. Even traditional PCs require occasional updates to improve security — smartphones, tablets and apps are no different.

If an OS update is released, have your IT department test it to make sure it doesn’t affect the functionality of any business-critical apps your BYOD employees use. If there are no issues, inform your employees that they need to run updates as soon as possible to help keep company data secure. Also remind employees to routinely update their apps to close any known security holes.

You Downloaded What?

Daniel was really interested in a particular smartphone app’s organizational features, so he didn’t pay much attention to the terms and conditions or the permissions he allowed when he downloaded it. Daniel unknowingly gave the app access to every bit of data on his phone — from web and search history to emails. What started as a quest to be more productive led to the risk of company emails with sensitive information landing in the wrong hands.

Apps that request broad permissions can be especially problematic if your employees access company email through their device’s built-in email app. These apps typically store email data locally on the device, meaning another app that’s been given access to that data can give hackers or malicious developers the ability to browse confidential corporate emails.

Your employees should always be careful about what they’re downloading to their personal devices, but you should have an acceptable use policy if they’re also accessing company emails or networks from the same devices. Require employees to double check the permissions and validity of every app they use. While it might be tedious and require the deletion of a much-enjoyed app, a security breach sourced from a remote personal device should be treated no differently than an on-site security breach.

Despite the risks, BYOD offers small- to medium-sized businesses an excellent way to avoid the costs associated with purchasing and servicing company-owned devices. However, without strict BYOD policies and procedures, you’re susceptible to data breaches that can turn into nightmares. 

How Should Your Business Prepare for the Internet of Things?

Smart city and wireless communication network, internet of things
The imminent rise of the Internet of Things (IoT) brings you the potential to give your customers the option to connect to online tools they use every day from a growing range of devices. 

But before your business can take advantage of the benefits of IoT, like new product opportunities and real-time data that can bolster operational efficiency, you need to make sure your core IT infrastructure can handle the demands of IoT.

A Pew Research Center report predicts that IoT will be thriving by 2025, which may present a danger to businesses that try to advance their products at the same pace as technological advancements — before updating the systems that support them. 

Here are a few suggestions on how to prepare your company infrastructure before it’s crippled by the demands of IoT technology.

Prevent System Downtime

Technological advancements have created a customer base that expects constant accessibility to applications. If your business plans to introduce applications that run on IoT technology, you want to be able to keep customers happy by offering reliable application uptime.

Your business can minimize system downtime by having a clear business continuity plan (BCP). When business interruptions occur, an off-site cloud recovery platform can protect your IT infrastructure and keep you connected to your data and applications. Constant connection with business data is already imperative, but when it comes to IoT applications, connectivity is invaluable.

Adapt to Fluctuating Data Demands

As IoT technology grows, data demands will only continue to increase. Built on cloud computing and a network of sensors that constantly gather data, IoT could potentially overload any company infrastructure that isn’t prepared to store an increasing amount of data.

The 2016 IBM report “Growing Up Hybrid: Accelerating Digital Transformation” notes that forward-thinking organizations are using hybrid clouds, which utilize public and private clouds, to gain a competitive edge in the implementation of IoT and accommodate its high data demands. Adopting a hybrid cloud model for data vaulting can give your company the ability to get ahead of the impending mass of data that your IoT applications may gather.

Protect the Perimeter

IoT offers you the benefit of leveraging data gathered from users in order to improve products or connect with customers more effectively. However, the increased number of devices connecting to your business network offers more entry points for cyber criminals. Your business can guard against the increased risk of hackers by implementing a strong network security system.

An effective network security strategy should include intrusion detection and prevention, deep packet inspection, port scanning, protocol inspection, perimeter anti-virus and malware blocking. To safeguard your business, look for a network security solution that doesn’t require the purchase of additional modules or applications. Having multiple separate security modules or applications can create gaps in your cybersecurity, making your business more vulnerable to cyber threats like malware and hackers.

Cyber crime has steadily risen in the past few years, and IoT technology promises to contribute to this growing threat. Before offering an application that runs on an IoT device, fortify your company infrastructure so the increased cyber risk doesn’t take you by surprise.

To fully capitalize on IoT, make sure your business has a clear BCP, an adaptable method for data vaulting and a strong network security solution in place.

How does your business plan to implement IoT? Let us know in the comments!