Millennials Are Tech-Savvy. Can Your Financial Institution Keep Up?

Millennials are now the largest consumer segment in the United States, and their buying behaviors are shaping every segment of the marketplace. Millennials’ expectations are influenced by technology giants like Apple, Google and Amazon. Even industries that have traditionally relied on face-to-face interactions — like education and healthcare — are being transformed by technology.

The financial industry is not immune. Financial institutions are being forced to adopt new technology that provides alternative financial models emphasizing automation and speed. As one article put it, banking for millennials is all about the apps. While big banks might have the wherewithal to adapt their service models to appeal to this tech-savvy generation, you’re having a harder go of it if you’re a small or midsized institution.

Part of the problem is that small IT teams tend to focus more on maintaining back-office technology rather than on new technology to drive the business forward. Sometimes this is out of necessity — compliance and cybersecurity challenges are also a priority, so IT spends time securing systems, servers and sensitive data.

If you don’t adapt to customer demands, however, you’ll lose market share to other, more tech-oriented companies. How do you keep up?

Bimodal IT

In 2014, Gartner coined the controversial concept of bimodal IT. It’s an IT service delivery model in which IT is divided into two separate, coherent modes:

  • Stability: This mode involves the operational side of IT, including user support, data backup, etc.
  • Agility: This mode is focused on innovation. It involves experimentation with new technology.

The idea is that by having personnel dedicated to innovation, the business can keep the lights on with stable IT while developing new technology-driven products and services.

Fast and Innovative Business Technology

The concept of bimodal IT set the IT industry abuzz, but not everyone is singing its praises. Forrester, for example, did its own research that says bimodal IT can’t keep up with fast-changing customer and product life cycles. “There is no longer a place for slow IT,” said the principal analyst for the project. To support rapid innovation, everything must be up to date and fast: platforms, processes and personnel.

Gartner or Forrester: Who Has the Best Answer?

There will always be different perspectives on IT management, but in today’s world, there are a couple of principles that ring true across the board:

  • Customer needs must shape the business’s products and services on an ongoing basis.
  • Stable, or slow, IT should not interfere with responding to those needs.

As a smaller institution with limited IT staff, ensuring that technology keeps pace with customer demands is a challenge. Outsourcing basic maintenance functions such as data backup and recovery can help you prioritize meeting industry demands.

For example, a CIO in Spokane, WA realized that by outsourcing data vaulting and recovery, he could keep up with evolving technology, reduce cyber risk, meet his recovery time objectives and reduce costs. In fact, after doing a cost analysis of in-house management versus outsourcing, he found that keeping this function in-house was more expensive due to hiring, benefits, training, PTO and day-to-day maintenance. He also found that it was less efficient — he’d need 1.5 people to perform the outsourced functions.

As millennials continue to influence service delivery models, the question is not if you’ll respond to their demands, but how.

To read more about how millennials are impacting your business, read this post.

BCAW 2018: [INFOGRAPHIC] 10 Questions to Improve Organizational Resilience

A business continuity plan is only as good as its execution, right? But what happens when everyone is so immersed in their own worlds that your organization’s priorities aren’t clearly communicated and, as a result, aren’t reflected in the recovery strategy? What if everyone has different ideas about what organizational resilience means? What if they only care about the areas of your strategy that pertain directly to them?

The Business Continuity Institute is calling for a solution to these issues with the theme of Business Continuity Awareness Week 2018: “Working Together to Improve Organizational Resilience.” In keeping with that theme, we’ve created the infographic below to help you break down barriers within your organization. Use the 10 questions to start important conversations on how your business continuity strategy meets and reflects your organization’s goals and mission.

[INFOGRAPHIC] Breaking Down Silos: 10 Questions to Improve Organizational Resilience

Did you find the infographic helpful? If so, please share it on social media with the hashtag #BCAW2018.

Hurricane Preparedness: Has Your Business Done These Things?

Hurricane season starts June 1. Last year’s season proved to be the costliest one to date, and experts say the 2018 season is shaping up to be more active than usual. To make sure your business is ready, follow the tips below.

Involve Your Community

Business continuity isn’t just about your business. It’s about your community. That was especially evident after hurricanes Harvey and Irma, when businesses and private citizens alike banded together to help each other.

Check out the CDC infographic below for advice on making sure you and your community are prepared for a disaster.

Neighborhood Preparedness Infographic

Think About Your Employees’ Needs

Is your business continuity plan compatible with your employees’ and community’s needs? Employees who take pride in their employer are more likely to work hard and stick around for the long term. Similarly, customers are more likely to remain loyal to a business they trust. When planning for major disasters like hurricanes Harvey and Irma, remember the human side of business continuity.

Take First Community Bank, for example. After Hurricane Harvey last year, the bank’s employees jumped on board with serving their devastated community because they believed in their employer’s mission. Watch the video below to see how they responded to the aftermath of the hurricane.

Learn From Past Storms

Hurricane season 2017 is proof that you never really know what to expect from Mother Nature. Here are three business continuity lessons we learned from the storms that year:

  • Public-private sector cooperation is critical. Participating in cross-sector preparedness initiatives helps you familiarize yourself with first responder procedures and improve your disaster response protocol. Joining an LEPC is a good first step.
  • Little details make a big difference. No plumbing. Power outages. Permits not approved for alternate workspaces. Lack of fuel for generators. After Harvey, these are just a few of the challenges affected businesses faced. Make sure to address these logistical issues in your business continuity plan.
  • People need food, water, shelter… and internet access. After a disaster, internet connectivity and cell service are often impacted, so providing internet access is an important way to help your employees and customers. For an idea of what technology you’ll need, check out the American Red Cross’s Disaster Relief Operation (DRO) Push Kit (flip to page 15).

By using lessons learned from past disasters, you increase your ability to successfully weather future disaster declarations.

For more tips, download our Hurricane Preparedness Checklist from our resources page.

Millennials and Business Continuity: Risks and Opportunities

Back in 2015, Pew Research found that millennials had surpassed Gen Xers as the largest generation in the U.S. workforce. By next year, millennials are expected to meet a new milestone: the nation’s largest living generation in terms of population.

With that being the case, it’s time to think about how the rise of millennials in the workforce affects your business continuity strategy. Below we’ll explore the risks and opportunities this generation presents.


Susceptibility to Fraud

Anyone with aging loved ones has likely worried about them falling victim to scams. They didn’t grow up with technology, so they’re more likely than young people to get taken advantage of, right? According to a report from the FTC, this belief isn’t as accurate as you might think. In fact, adults ages 20-29 were twice as likely to lose money to fraud as adults over the age of 70.

With the threat of sophisticated phishing and social engineering scams, you need to ensure you frequently train your employees on cybersecurity best practices. To keep millennials engaged in training, incorporate stories and include graphics among large amounts of text. Some companies are even gamifying their cybersecurity training.

High Turnover

A Gallup report reinforced the common stereotype of millennials being known as the “job-hopping generation.” The report found that 60 percent of millennials are open to new jobs, and only half strongly agree that they’ll be with their current company a year down the road. This high turnover comes at a high price to the U.S. economy: $30.5 billion each year.

High turnover is also a problem because it disrupts processes internally, as knowledge has to be relearned and processes have to be re-established. To reduce the impact of turnover, make sure critical processes are documented and stored in a central location that’s easily accessible to employees.

Pro tip: If the turnover is happening with business continuity and disaster recovery (BC/DR) roles, having a business continuity vendor who is familiar with your BC/DR plan helps reduce the impact of knowledge loss.


Desire for Corporate Social Responsibility

Most millennials (just over 92 percent) want to work for a company that is environmentally and socially responsible. As severe weather events and other business continuity threats expand their reach, businesses will need to consider how they can contribute to the community’s resilience. Help your employees see that your business continuity strategy is not just a way to protect your business but a way to preserve the community where employees and customers live and work. Once millennials understand how your business continuity plan impacts the community, they’re likely to be more enthusiastic about engaging in business continuity tests and suggesting new ideas.

Fresh Perspectives

The Disaster Recovery Journal (DRJ) views the rise of millennials in the BC/DR profession as a resource, not just a challenge. The organization is specifically asking for the opinions of young business continuity professionals to help the DRJ team better understand the latest communication technology (e.g., Slack) and issues facing young professionals. They can then use this knowledge to foster positive growth and change within the industry. Consider a similar approach within your own business.

Although millennials change jobs frequently, they can bring with them new perspectives gleaned from the different industries, positions and departments they’ve worked in. They might even have some insight you can use to update a stale business continuity strategy. Plus, despite being more likely to fall for fraud, millennials tend to be up to date on the latest technology. Leveraging this knowledge can help you streamline your response during a disaster.

Whether you’re prepared for it or not, millennials are already affecting business continuity. After all, they are your business (or at least a large percentage of it). How will you respond?

FFIEC Update: Statement on Cyber Insurance and Risk Management

As cyber attacks increase in volume and sophistication, does your financial institution need cyber insurance to reduce its risk? According to a statement from the Federal Financial Institutions Examination Council (FFIEC), financial institutions are not required to maintain cyber insurance. However, considering that traditional insurance policies might not cover data breaches, your institution might find value in a cyber insurance policy. Bear in mind, though, that insurance doesn't replace an effective risk management program.

For more information, read the FFIEC press release and get our take on how cyber insurance affects business continuity planning.

Perspectives on Cloud Versus Colocation for Disaster Recovery

No one would dispute that off-site redundancy is an essential part of an enterprise disaster recovery plan. Many enterprises — perhaps yours included — own and maintain data centers for this purpose. But as workloads grow, you might find that it’s more cost-effective to outsource disaster recovery through cloud, colocation or a combination of both. But which is the best approach? Here are some common perspectives you’ll find in the industry.

Cloud-First Does Not Mean Cloud Only — Add Colocation for the Ideal Balance

Data Center Frontier

"Hybrid IT architectures with colo as the foundation increase efficiency, lower costs, and mitigate risks when compared to environments with only in-house data centers."

Cloud vs. Colocation: Why Both Make Sense for the Enterprise Right Now

"Whatever approach an organisation opts for, the IT platform they choose has to adequately support the business in its aims. This is increasingly where a fully in-house facility/platform model is failing. As yet, the end game is not decided. Colocation and public cloud both have their parts to play in any system – just do not write one or the other off for any ivory tower reasons."

Gartner Says a Massive Shift to Hybrid Infrastructure Services Is Underway


" 'Organizations that adopt hybrid infrastructure will optimize costs and increase efficiency. However, it increases the complexity of selecting the right toolset to deliver end-to-end services in a multisourced environment.' "

How Data Center Colocation Benefits Businesses

Data Center Journal

"Although some organizations see the cloud as another viable alternative to colocation, it provides neither a fully auditable system nor full control of an organization’s infrastructure. When using a colocation provider, a company can avoid storage bills. Storing information through a colocation service is drastically cheaper than doing so in the cloud. And although cost savings alone make colocation appealing, there are many additional benefits, including sustainability, scalability and security."

How an IT Business Continuity Plan Differs With Colocation vs. Cloud


"When building an IT business continuity plan, a cloud platform can offer a far more flexible and cost-effective approach than colocation. However, many colocation providers partner with cloud providers to offer a hybrid possibility."

As you can see, each side of the argument has its merits, and a hybrid approach is also very popular. We’d recommend that you consider these factors as well:

  • Think about how close you prefer your disaster recovery site to be.
  • Consider your compliance requirements and whether or not the cloud or colocation solution you’re looking at meets those requirements.
  • For colocation, consider the cost of the facility and maintenance costs as well as site security.
  • For cloud, consider service level agreements and bandwidth costs.
  • Consider bundling options like workspace seats to get more bang for your buck.

When deciding between colocation and cloud (or both), there is no one-size-fits-all answer. The right solution depends on your organization’s budget, needs and future plans.

Happy World Backup Day!

While browsing Reddit one day, digital strategist and research consultant Ismail Jadun came across a post from someone who had just lost their hard drive. The poster wished someone had reminded them to back up their data. Inspiration struck, and in 2011, Jadun created World Backup Day. Each year on March 31, the holiday encourages individuals and businesses to back up their data.

In honor of World Backup Day, here are our backup tips for your business:

  • Know your technology service provider well. Make sure your chosen vendor can meet your compliance requirements and provide the support you need.
  • Check the security controls. Your backup environment should match the security controls for your production environment.
  • Don’t forget about recovery. Backing up your data doesn’t necessarily mean you can easily recover it. Ensure you can recover specific data sets within your recovery time objectives (RTOs).
  • Know where your data lives. Some regulations prohibit cross-border data transfer. Additionally, the distance of your data can affect disaster recovery time frames.
  • Plan for ransomware. It’s becoming more common for ransomware to encrypt backups, so take the right precautions.

Just for fun, here’s a post from our archive that demonstrates why it’s important to back up your data. What stories or tips do you have? Share them with us on Twitter or LinkedIn.

Three Steps to Integrating Cybersecurity With Business Continuity

With cyber threats like ransomware routinely interrupting business operations around the globe, cybersecurity is not just an IT problem — it’s a business risk that needs to be accounted for in the business continuity plan.

But how do you go about doing that? That was the prevailing theme of the Q&A session during a webinar we participated in as part of the Disaster Recovery Journal Webinar Series. Here are some takeaways from the presenters, Eric Thompson, information security officer for Rentsys, and Michael Barrack, managing director at Accume Partners.

Gain Executive Support

The tone from the top drives the success of your business continuity and cybersecurity preparedness. If your organization is going to continually strengthen and insulate itself from all of the likely foreseeable — and sometimes even unforeseeable — events, you need to get executive support.

It’s also important for executives to support a culture of collaboration. Business continuity owners, infosecurity officers and business units need to be transparent with each other. Sometimes that means admitting that a process under your control has to be improved. If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.

Evaluate Your Incident Response Plan

The traditional way of looking at business continuity is looking at the inoperability of a facility or a particular service or a function. It’s a worst-case scenario. Cyber threats have just added a whole new world of potential ways to take down a particular operation.

Does your organization have a detailed incident response plan that accounts for the various types of security incidents your organization could face? Start with looking at how detailed the incident response plan is. Many businesses simply tack on a brief incident response paragraph — maybe even a page or two — to their business continuity plan. Be advised: That is not a comprehensive incident response plan. Make sure the plan catalogs at least the top seven to 10 security incident types that could disrupt or halt business operations. It should provide for specific responses and procedures tied to those events.

You also need to determine what incidents will trigger the business continuity and incident response plans. For example, an email phishing scenario wouldn’t necessarily shut down access to critical data or affect your ability to service your customers. In that case, you might activate your incident response plan but not your business continuity plan. A ransomware attack, on the other hand, could actually take your systems offline. Since it would leave you without access to critical data and the ability to service your customers, you might classify that as an outage requiring a business continuity response.

Test Your Plan

Just as you test your business continuity plan for worst-case scenarios, you need to test scenarios that integrate business continuity and incident response. For example, you could walk through the process of responding to a Cryptolocker outbreak that encrypts a drive or data store and requires the restoration of that data to another platform. To work through how the plans play out in a particular scenario, start with a tabletop exercise before doing a functional test.

For more advice on integrating cybersecurity with your business continuity plan, listen to the webinar recording below.

Four Common Weaknesses of WFH for Workplace Recovery

“What will we do if our primary facility is inaccessible? Easy. Our employees will work from home.”

We hear this a lot. If your primary facility isn’t available, it makes sense to have employees work from home. Thanks to the cloud, a work-from-home (WFH) alternate workspace strategy is cheaper and more doable than ever before. But what happens when your entire workforce needs to work from home? It sounds extreme, but we’ve seen it happen.

Before writing off alternate facilities, think about how a WFH strategy would work for your entire business (or branch). Here are the top issues to consider.

Business Processes

For WFH to go smoothly, you must design business processes to accommodate remote work. The three principles of a successful WFH strategy are:

  • Communication
  • Coordination
  • Culture

During a business interruption, all departments must be able to communicate and solve unforeseen business challenges. Is WFH currently a strong part of your business culture? If not, trying to adapt to a remote workflow in the middle of a crisis will not go over well. Don’t forget about factors that might complicate WFH arrangements, such as supply chain interruptions or seasonal demands.

Factors to consider before having employees work from home during a business interruption

Clearing these obstacles with many employees working remotely could be tricky — especially if there are connectivity issues, which brings us to our next point.


No matter where they work, employees need to have access to the resources they need to do their jobs: voice and data communications, power, phones, computers, etc. After major “perfect storms” (which are becoming the new normal), cell phone, power and internet connectivity might not be available.

For example, after Hurricane Harvey hit Rockport, Corpus Christi and Port Aransas in Texas, wind damage knocked out power and communications. WFH wasn’t even an option for businesses in those areas.

In Houston, WFH seemed to be an ideal strategy. Countless roads closed, floodwaters lingered for days, and offices were destroyed. Although the city experienced record levels of flooding, the communications and power infrastructure proved resilient. For many companies, it just made sense to have employees work remotely. But many businesses hadn’t thought through the logistics of the entire company working remotely. The sudden influx of remote employees taxed company resources: VPN licenses, bandwidth availability of VPN concentrators at the home office, etc.

How would you handle your entire business working remotely? Think about how you’d respond to the following potential issues:

  • Employees might not have the right equipment, whether because they weren’t issued company-approved hardware in time or because it’s trapped inside the home office.
  • Internet connectivity in employees’ homes isn’t always reliable.
  • A significant increase in remote workers can overload the VPN.
  • Employees not used to working from home might have trouble logging in.
  • Company phone systems might not be compatible with employees’ personal devices.
  • Vulnerable network connections increase the risk of sensitive data exposure.
  • Employees are more likely to use personal devices without the appropriate security settings.

The higher your ability to address potential connectivity challenges, the more likely WFH is to succeed. But that’s only one part of the equation.

Employees’ Needs

Some employees thrive on the solitude and familiarity of working from home. For others, it’s simply not a good fit. Maybe they’re too easily distracted by the piles of laundry that need to be folded, a loose doorknob that needs to be fixed or kids popping in to say hi every five minutes. In the aftermath of a catastrophic event, employees might not have much of a home to work from. After Harvey, for example, many of our clients in Houston had employees whose homes had been flooded. Imagine juggling your job and your search for a reasonable contractor, all while sitting in a room with no drywall and damp, exposed subfloor. Employees may not want to work from home in these scenarios.

After Hurricane Katrina, employees of one of our bank customers were thankful to have a Mobile Recovery Center to work from, because it still had air conditioning and many of their homes did not. You might have solid remote working processes in place and a plan for connectivity issues, but if the work ethic isn’t there, WFH isn’t going to, well, work. Make sure you consider the human side of business continuity and identify your employees’ needs ahead of time.


If employees aren’t a good fit for WFH or if business functions are better suited for in-person interaction, how long can you sustain remote working arrangements? Our clients who had employees working from home following Harvey reported that WFH worked well for about a week. After that, internal processes began breaking down.

Consider all the factors we discussed above and the possibility that WFH might not be the only strategy you’ll have to implement. If your facility is inaccessible for a period of time that exceeds your ideal time frame for WFH, have a plan to transition to an alternative facility.

To be clear, WFH isn’t a bad strategy across the board. It’s just not always as simple as it seems, and it shouldn’t be the only alternate workspace strategy.

Protecting Yourself Against Meltdown and Spectre Vulnerabilities

If you've been chewing your fingernails over the Meltdown and Spectre chip vulnerabilities that were revealed earlier this year, we don't blame you.

Here's a little refresher if you haven't seen the news: The Meltdown and Spectre vulnerabilities effectively give hackers an open door to almost every computer released in the last 20 years, including personal computers, laptops, cloud servers and mobile devices.

Sounds pretty scary, right? When you consider that the affected chips made by Intel, AMD and ARM over the last two decades are in virtually every device, that's terrifying.

Meltdown, which affects Intel and Apple hardware, breaks the isolation between user applications and the operating system. Hackers exploiting this vulnerability can gain access to a system's memory and any sensitive information such as passwords, encryption keys and personal data.

Spectre, which affects Intel, Apple, ARM and AMD platforms, breaks the isolation between different applications. This allows hackers to trick otherwise problem-free applications into revealing private data.

Older systems that aren't supported and don't receive patches remain vulnerable, but the good news is that some hardware has already been protected by updates.

Google, which discovered the vulnerabilities in 2017, quickly issued updates and steps to protect its products. Apple and Microsoft have also deployed mitigations. Intel's efforts to fix the issue have been rocky, but the chipmaker recently released a new update that is intended to address the system stability issues that came about from its first update.

The important thing is for you to deploy updates when they're available. Even if you have systems that receive and deploy updates automatically, double check that there isn't anything pending. Now that hackers are aware of the vulnerability, they'll be trying to exploit it.
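
One way to double-check that the updates actually took effect on a Linux system, as an added example that is not part of the original post: the kernel reports its own Meltdown and Spectre status under /sys/devices/system/cpu/vulnerabilities. The script assumes a kernel that exposes that directory (mainline 4.15 or a distribution backport); the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumes a Linux kernel that exposes the sysfs directory below
# (mainline 4.15 and later, plus distribution backports).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map the kernel's status string to a coarse state.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit_cpu_vulns [DIR]
# Prints one "name<TAB>state<TAB>kernel text" line per issue.
# Returns 0 if every issue is mitigated or not affected, 1 if any is
# vulnerable or has no readable entry, 2 if the kernel reports nothing at all.
audit_cpu_vulns() {
    dir=${1:-$VULN_DIR}
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir: kernel predates mitigation reporting" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(head -n 1 "$dir/$name")
        else
            text="(no entry)"
        fi
        state=$(classify_status "$text")
        printf '%s\t%s\t%s\n' "$name" "$state" "$text"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the running system (or a directory passed as the first argument).
audit_cpu_vulns "$@" || echo "action needed: apply pending OS, firmware and microcode updates" >&2
```

A non-zero result on a machine that reports no pending updates usually means a reboot or a firmware/microcode update is still outstanding.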

For FAQs, information on patches and more, visit
