Three 2018 Business Continuity Predictions

From hurricanes Harvey, Irma and Maria to the WannaCry ransomware attack, business continuity planners around the nation had several opportunities to put their plans to the test in 2017. In 2018, three words will influence business continuity planning: community, reputation and collaboration. Here are three of our predictions for the upcoming year.

The Increase in Billion-Dollar Weather Events Will Require Businesses to Focus on Community

The 2017 hurricane season proved to be the costliest one to date. Total property losses and economic impact from Harvey and Irma alone are expected to climb as high as $200 billion. The impact of California’s wildfire season isn’t much less — $180 billion — and even before December’s wildfires, 2017 had already set a record as the costliest and deadliest wildfire season in California’s history. According to predictions by Allianz, these billion-dollar disasters will be the new normal.

This new reality will force businesses to consider the impact of disasters on their communities and, in turn, the success of their organizations. If a disaster devastates a region, businesses will have to respond to the needs of the people living in that community — in some cases, both customers and noncustomers alike.

After Hurricane Harvey, for example, First Community Bank in Rockport, TX deployed a Mobile Banking Center, out of which it provided critical services like check cashing and internet access. The bank also met some more basic needs by providing water and meals. By contrast, other financial institutions in the same city remained abandoned, sending the message that they were not able to be there for their customers. Many of these customers, in fact, ended up at First Community Bank instead of driving to an alternate branch location.

In the long term, more businesses will need to look outside their own business continuity strategies and invest in community resilience. Jeff Schlegelmilch, the deputy director of the National Center for Disaster Preparedness at Columbia University’s Earth Institute (NCDP), says investing in community resilience “is not just a moral necessity. Spending on community resilience is also a sound business decision.”

In the wake of large-scale disasters, government agencies will not have the resources to facilitate recovery on their own. After 2017’s barrage of disasters, FEMA’s chief announced that staff were engaged in the longest activation in the agency’s history and were “tapped out.” FEMA’s administrator commented that FEMA was not designed to be the first or only agency responding to a disaster scenario — but it often is. In Canada, British Columbia’s public safety minister described a similar challenge. The government’s emergency systems worked well, but the “‘sheer scale’ of the spring floods and then forest fires overwhelmed the provincial government.”

As billion-dollar weather events increase, businesses will be forced to consider how they can contribute to the community’s resilience. By focusing on serving the community, businesses will in turn protect the long-term success of their organizations.

Customers Will Judge a Business’s Values by How It Responds to a Crisis

A business’s reputation has always mattered, but it matters now more than ever before. Customers expect businesses to take a stand for their values, and customers are scrutinizing them to make sure their actions are consistent with their messages. If there’s any discrepancy, social media will highlight that gap. Social media’s role in the rapid dissemination of information — both good and bad — is a key factor in shaping a business’s reputation.

Going forward, the odds of facing large-scale, highly publicized incidents, like hurricanes or data breaches, are increasing. In many cases, this means that executives and business continuity planners will be faced with an ethical dilemma when developing and evolving their business continuity strategies. They’ll have to ask themselves:

1. Do we do what’s best for the community, stakeholders and greater good?
2. Do we do what’s best for the bottom line?

Case in point: First Community Bank prioritized option 1, using its resources to help residents jumpstart the recovery process. The neighboring businesses chose option 2. They closed their doors, which left many residents without services they needed and ultimately negatively impacted the businesses' reputations and ROI.

Values play a bigger role than ever before in corporate reputation. When a business responds to a crisis like a devastating disaster or data breach, it reveals its core values — and that could make or break its reputation.

It’s not just the business reputation as a whole that matters, however. In a global survey of executives, respondents estimated that nearly half of a company’s value was attributed to the CEO’s reputation, and they expected this link to strengthen over the next few years.

When a business experiences a crisis such as a data breach, how the CEO responds will have a huge impact on consumers’ perception of the business. Plus, more executives will be held personally responsible for breaches. In fact, a bill has been proposed that could send executives to jail for up to five years for not reporting a breach in a timely manner — which certainly won't do any favors for a business’s reputation.

In the upcoming year, we’ll see businesses renewing their focus on communicating their values through reputation management and corporate social responsibility, though many will treat these as separate endeavors from business continuity. Forward-thinking businesses will bolster their reputations by treating business continuity and crisis management as strategies for building the business and protecting its future.

The Public and Private Sectors Will Collaborate More

As threats of all sorts — from the aforementioned billion-dollar weather events to cyber threats such as ransomware and phishing attacks — target both private and public organizations, the two sectors will share resources and collaborate to mitigate threats affecting the nation. As the Department of Homeland Security says, “Neither government nor the private sector alone has the knowledge, authority, or resources to do it alone.”

Both sectors, in fact, have more in common than it might seem. Consider these words from Ron Ross, National Institute of Standards and Technology (NIST) fellow: “All of us are kind of in this shared space. We all use the same commercial products, whether they’re operating systems, database management systems, cloud services….” While Ross was speaking of IT infrastructure, the same concept applies to how organizations respond to events happening in the physical world, such as acts of terror or severe weather events. These events often affect a private-sector business (or businesses) but require public-sector resources, usually law enforcement and first responders.

NIST Special Publication 800-181 recommends the following:

“Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals).”

This advice is useful for both cyber and traditional business continuity interruptions. Earlier this year, we wrote about one practical way to engage the public sector in your business continuity and crisis management efforts. To improve cybersecurity across industries and sectors, the Department of Homeland Security has established public-private partnership councils and offers information on cybersecurity training and exercises.

In speaking about the aftermath of the 2017 hurricane season, Schlegelmilch (mentioned above) also called for public-private partnership, though he acknowledged that there are still some hurdles to be cleared. Cross-sector collaboration will be a years-long journey, but dialogue about forming relationships across industry and public-private boundaries will continue into 2018.

To hear more predictions, tune in to our Disaster Recovery Journal (DRJ) webinar on January 24.

Webinar: How Cybersecurity Trends Will Affect BC/DR in 2018

Celebrating National Computer Security Day

It’s the holiday season, and we’re ready to celebrate. We’re not talking about turkey or reindeer, but something more critical to your business: National Computer Security Day. Since 1988, businesses worldwide have spent November 30 celebrating effective security measures and practices. While it’s a less recognized holiday, it’s one worth observing if you value cybersecurity.

In honor of National Computer Security Day, we’ve put together these tips and graphics for you to share throughout your organization.

Identify Phishing Emails

Over 75 percent of organizations reported becoming a victim of a phishing attack in 2016. There are some things you can do to help your business avoid joining this growing percentage. Pay close attention to emails that have any or all of the following:

  • Urgent or demanding calls to action
  • Vague greeting (e.g., “Dear Customer”)
  • Fake website links
  • Improper grammar
  • Unprofessional graphics

Use Strong Passwords

Almost all the passwords users create (90 percent) are vulnerable to hacking. Take the time to come up with unique passwords that aren’t easily guessed for each individual account. Use a combination of words, symbols and numbers, and change your password frequently.

Apply Patches

Seventy percent of successful cyber attacks exploited known vulnerabilities with available patches. Cyber attacks can happen in seconds, so update your systems and always be prepared for the worst.

Lock Your Computer

At least 1 in 3 employees says they leave their computer unlocked when away from their desk. Considering that 71 percent of employees have access to sensitive information, that’s a data breach waiting to happen. One of the easiest ways to reduce the risk of a breach is to simply lock your computer screen when you leave your desk.

Speak Up

If you notice any suspicious activity, report it to your management immediately. When it comes to cyber attacks, time is of the essence, especially if systems have been encrypted by ransomware or if you need to notify customers that their data has been breached.

We hope this holiday reiterates the importance of following security best practices within your organization. Please share our graphics as a way to wish everyone a happy National Computer Security Day!


Need Business Continuity Buy-in? Present It As a Tool for Business Growth

Would you agree that in your organization, management views business continuity planning as a necessary hassle, much like filing taxes? It’s not going to build the business, but you need to do it. That’s one of the reasons business continuity owners constantly struggle to get management buy-in.

The key to getting management’s enthusiastic support for business continuity is to challenge a certain entrenched belief they have about business continuity. It’s mentioned in the previous paragraph, but you might have skimmed over it because it’s usually accepted as fact: Business continuity isn’t going to build the business.

In fact, your business continuity strategy can be used as a tool to build your company’s reputation and visibility in the marketplace. Most people won’t believe this statement at first, so share with them these insights about the connection between business continuity, disaster response and reputation.

Your Response to Disasters Affects Your Reputation

As you know, reputation is a key element of an organization’s success. According to the Reputation Institute, reputation is an emotional bond that ensures:

  • Customers buy your services
  • Policymakers and regulators give you a license to operate
  • The financial community invests in you
  • The media reports favorably on your company
  • Employees align with your corporate strategy

In conversations we’ve had with the Reputation Institute, they’ve revealed that there’s a big gap between what institutions say and what they do. Social media is bringing this gap to light. With the tendency for misinformation and adverse attention to spread rapidly on social media, consumers’ perception of an organization can change in an instant. That’s one of the reasons the Business Continuity Institute’s Horizon Scan 2017 ranked social media second in the top 10 trending issues affecting business continuity.

On the other hand, if your actions support your mission during a crisis situation, people will commend you for it. For example, after Hurricane Harvey devastated Houston, TX, local business owner Jim "Mattress Mack" McIngvale’s response went viral. While most other businesses in the area were closed, he opened up two of his mattress stores to flood victims, demonstrating the values he proclaims on his business website: God, country, family and hard work.


Talk is cheap — listing your values and mission on your website isn’t enough. Your stakeholders expect you to follow through.

Gaining the Benefit of the Doubt Requires a Good Reputation

While a positive response to a disaster will positively impact your reputation, it’s important to create opportunities for reputation building prior to an event. According to Reputation Institute data, as many as 41 to 60 percent of consumers are crucial fence-sitters who can swing to a positive or negative perception of a company because they don’t have a clear understanding of what that company is doing to impact the environment and society. This reputation currency will be critical if a disaster ever impacts your business, as 54 percent of stakeholders would give reputable companies the benefit of the doubt in a crisis.

Prior to experiencing a business interruption, you need to demonstrate your involvement in the community to allow for maximum marketing exposure and help you build trust with your stakeholders. What if you could leverage your business continuity resources to meet that goal?

Here’s a practical example: In 2016, FEMA declared 103 disasters. That's 103 opportunities to make an impact. Imagine deploying a mobile workspace with your company’s branding to the affected area. You could offer needed support, whether it’s providing a free service or distributing food, water and other essential items to members of the community. Even routine business continuity tests can be opportunities for reputation building if you involve the community in crisis response exercises.

When business continuity becomes a way to build the business rather than just another box to check off, management will find a way to get the resources you need to enhance your business continuity program. In fact, we’ve even seen businesses tap into budgets from other departments to make it work.

By demonstrating that you can deliver on your mission in good times and bad, you'll strengthen relationships with your stakeholders and even increase your market share.

Banks: What If You Made These Common Cybersecurity Mistakes With Cash?

“Data is the new currency” is one of the new slogans of the digital transformation. Modern consumers recognize the value of their data, and 67 percent are willing to share more data with banks in exchange for new benefits. Surprisingly, banks don’t always afford sensitive data the same protections they do for physical currency. While PwC’s 2017 Risk in Review report reveals that the financial services industry has strong cyber risk maturity overall, there are a few common mistakes that could be leaving your institution vulnerable. To give you an idea of the gravity of these errors, think of your cybersecurity practices in terms of cash management and physical security.

Transmitting Unencrypted Data Is Like Sending Unsecured Bulk Cash Shipments

Would you ever transfer a bulk cash shipment to a major customer without using their armored carrier service? Not a chance. You know that that decision would not only be a liability for your institution, but it would also put your customer’s assets at risk and breach their trust.

Unfortunately, banks don’t always provide the necessary protection for sensitive data that customers expect. Data must be securely encrypted in transit and at rest, but 30 percent of FIs say they struggle to protect personally identifiable customer information. Many banks use easily hackable cryptographic methods, such as the Blowfish and 3DES ciphers and the SHA1 and MD5 hash functions. Instead, use an advanced encryption algorithm such as AES.

Giving Unvetted Vendors Access to Data Is Like Handing Cash Over to an Unverified Armored Carrier

Going back to the bulk cash shipment scenario, imagine handing over currency to an armored carrier guard without first verifying their identity. This is an egregious security violation, wouldn’t you agree? Yet when it comes to sensitive data, many banks fail to vet third-party vendors they allow to access the sensitive data in their care. In fact, 41 percent of financial services respondents ranked assessment of security protocols and standards of third-party vendors as the top challenge to information security efforts.

The FFIEC’s guidelines for outsourcing technology services recommend a “comprehensive outsourcing risk management process to govern technology service provider (TSP) relationships.” Make sure you work with vendors whose operations are regularly examined by a third party. This ensures the vendor’s risk management and information protection practices adequately address data confidentiality and regulatory compliance.

Disregarding Network Alerts Is Like Ignoring Your Vault Alarm

Would you be appalled if your vault alarm went off and your staff members ignored it? In a way, that’s what is happening with cybersecurity alerts. Institutions are only able to investigate 56 percent of security alerts they receive on a given day. Of those, only 46 percent of legitimate alerts are remediated. Granted, security operations managers see more than 5,000 security alerts per day — exponentially more than you’ll ever receive from your burglar alarm. However, the lack of resources for monitoring alerts is concerning.

Given the security talent shortage, outsourcing can help your institution meet its overall strategic plan and corporate objectives. The FFIEC has specific guidelines for using a managed security service provider (MSSP). You might also consider using a fully managed cloud vaulting solution to move critical data off-site to protect yourself against ransomware.

Assuming Employees Know Cybersecurity Best Practices Is Like Expecting Them to Know Your Physical Security Policies Without Training

When hiring a new employee, what if you assumed they knew the proper cash handling guidelines, how to handle a holdup situation or how to respond to an active shooter event? That’s a disaster waiting to happen. Chances are, you invest countless hours in training employees in these areas. Even if someone has experience in the financial services industry, it’s imperative to make sure they understand your institution’s specific policies and procedures.

Unfortunately, training is one of the top five cybersecurity challenges in banking. In fact, less than half of financial services organizations polled even have a formal information security policy. To reduce the risk of cybersecurity threats, it’s critical to create a security culture. The FFIEC recommends annual security training to reinforce guidelines for endpoint security, login requirements and password administration. The training should include the following three increasingly common scenarios:

• Phishing and social engineering
• Data theft through email or removable media
• Unintentional posting of confidential or proprietary information on social media

Improving your cybersecurity practices is not only the right thing to do; the FFIEC, the Gramm-Leach-Bliley Act and other regulatory agencies and regulations also require it. If you’re unsure where to start, the FFIEC Cybersecurity Assessment Tool is a helpful resource for assessing your bank’s cybersecurity maturity.

[Webinar] Outsourcing Cloud Data Services

Is Outsourcing Cloud Data Services Right for You?

The IT landscape is being transformed by increasing regulatory burdens, consumer expectations of data security and reliance on data availability for service delivery. In our recent webinar with the Disaster Recovery Journal, Brandon Tanner, Rentsys senior manager, discussed how IT challenges are affecting highly regulated organizations.

With these challenges, is outsourcing cloud data services a good move for regulated businesses? For some, it is. In the webinar, Paul Arguinchona, CIO for Frontier Behavioral Health (FBH), a nonprofit provider of behavioral health services, explains how his organization has leveraged outsourced cloud data services to fulfill FBH’s mission and values.

To see what Brandon and Paul had to say, view the webinar on demand.

[INFOGRAPHIC] Is Your Data Secure?

In 2016, 77 percent of all breaches were caused by insiders. As more employees use their own devices for handling sensitive data, that risk will only go up. To see how bring your own device (BYOD) is contributing to data security risks, check out this infographic by Commvault (download the full version here):

"Is Your Data Secure?" Infographic

To learn more about creating a secure BYOD policy, read this post.

What You Can Do to Help Wildfire Victims

ArcGIS Northwest Large Fire Interactive Map (Current As of 9.18.17)

While Texas and Florida have been dealing with catastrophic flooding from Hurricane Harvey and Hurricane Irma, the West Coast has been dealing with one of the worst wildfire seasons in the U.S. So far, over 8 million acres have been burned, with 2 million currently in flames. In some areas, including Portland, OR, public health authorities are recommending that people stay inside because the air quality is so poor.

To see how you can help some of the affected states, visit the links below:

Do you know of more ways to help? Let us know in the comments. 

Why FIs Need Resilient Call Centers in a Self-Service World

In a survey, 71 percent of consumers said they would use entirely computer-generated support for financial services. With the majority of consumers preferring self-service options, should your financial institution (FI) still prioritize traditional service delivery methods, including calls, in your business continuity program? In short, the answer is yes.

Here are two reasons you should.

Customers Prefer Phone Calls for Certain Situations

Self-service solutions work for everyday transactions, but customers still pick up the phone when they’re in the research phase of a major financial decision. For example, 65 percent of people are more likely to take out a loan from an institution they had spoken on the phone with. That number jumps to 73 percent for loans of $100,000 or more. In other cases, customers prefer to pick up the phone to get a quick answer without having to fill out a web form or to discuss a complex situation.

Paying attention to the wants and needs of consumers is crucial as customer loyalty drops. If your call center experiences an extended outage and you’re not available by phone when a customer needs you, they won’t hesitate to do business with a different organization.

There Are Compliance Requirements for Call Center Availability

In many cases, the accessibility of phone service is tied to compliance. The FFIEC, for example, requires FIs to perform vulnerability assessments for critical support areas and interdependencies such as telecommunications. It also stipulates that the backup site should mirror operational functionality, including call centers. To ensure the business continuity plan works in practice and not just on paper, the FFIEC recommends stress testing critical functions that might experience increased customer volume during a crisis. These functions include online banking, phone-based banking, ATMs and, of course, call centers.

If phone calls precede large transactions, that’s all the more reason to ensure you have agents ready to assist customers.  

A Quick List of Hurricane Irma Resources

In August, Texas was faced with the wrath of Hurricane Harvey, and now Florida is feeling the sting of Hurricane Irma. Already we’ve seen the community rally together to help those impacted by Harvey. We’re optimistic that we’ll see a similar response to Irma.

Google Crisis Response Map

Whether you’ve been affected by Irma or are looking for ways to help, here are some useful resources:

  • Airbnb — Locate a place to stay or open your home up to someone in need.
  • Federal Trade Commission — Get tips for avoiding scams when donating to relief efforts.
  • FEMA — Find a list of surrounding shelters that haven’t reached capacity by downloading the FEMA app or texting SHELTER + your ZIP code to 43362 (4FEMA). Avoid falling victim to misinformation and scams by visiting the Rumor Control page.
  • Google Crisis Response — Locate shelters, gas stations, evacuation routes and traffic patterns.
  • LifeSouth or American Red Cross — Find a blood drive near you.
  • Waze — Check for closed roads and accidents.

To get a peek at how communities and businesses are working toward recovery in the wake of Harvey and Irma, check out our ongoing storm coverage.

[INFOGRAPHIC] From the Board Room to the Break Room

Every business has different priorities and challenges, but one thing all businesses have in common is the need for cybersecurity. While people tend to point the finger at hackers for security breaches, human error is one of the top causes. Unfortunately, there’s often a breakdown in communication between top-level executives and end users when it comes to basic security hygiene, which increases an organization's chance of a cyber attack. This infographic by Delta Risk offers practical tips for creating a culture of security within your business.

"From the Board Room to the Break Room" Infographic

For more information on how prioritizing cybersecurity helps your business, read our post “How Can Cybersecurity Help Grow Your Business?”

In the News: Helping Flooded Businesses Get Back on Their Feet

Steve O'Neal, Rentsys account executive, speaks to KBTX's Kathleen Witte.

In the aftermath of Hurricane Harvey and its catastrophic flooding, countless businesses are striving to get back on their feet. Business owners need to get back to serving their communities and customers. Employees need their next paychecks so they can start their families’ personal recoveries. Everyone affected by the storm just wants to get back to normal as soon as possible. Our goal is to help businesses do just that.

KBTX, a news outlet in College Station, TX, stopped by our headquarters yesterday to get a behind-the-scenes look at our Hurricane Harvey response efforts. To watch the video, visit KBTX's website.

Hurricane Harvey: How to Get Help or Get Involved

Over the weekend, Hurricane Harvey made landfall in Texas as a Category 4 hurricane, making it one of the worst disasters in Texas history. As Harvey lingers, the threat is still present. FEMA is predicting 30,000 people will be driven to shelters.

#HarveyRELIEF Map

Whether you and your family have been affected by Harvey and need assistance or you're looking for ways to get involved in relief efforts, here are some helpful resources:

Our thoughts and prayers are with those affected by Harvey. If you know of additional opportunities to help, please let us know in the comments. 

Don’t Forget the Human Side of Business Continuity

When Hurricane Katrina struck, it left entire cities along the Gulf Coast devastated. Those who hadn’t evacuated were forced to find food when groceries and restaurants were closed, a cool place to sit when the AC was out in the sweltering South, and a place to bathe when there was limited to no running water. What are the odds of successfully implementing your business continuity plan after that? Surely employees aren’t going to work under those conditions, right? Not so for the employees of a bank branch in Pascagoula, MS.

The company’s building had flooded, so it had a Mobile Banking Center deployed. Employees showed up to work to help customers cash their FEMA checks. This service was critical to a community in need, and the branch was the only place in town providing it. The employees even brought their families to work to take advantage of the air-conditioned space. When your business experiences a regional disaster, how do you activate your business continuity plan if your employees are busy dealing with their own personal emergencies? Should you expect them to come to work? The human element of business continuity can’t be ignored.

To ensure your business continuity plan is compatible with your employees’ and community’s needs, make sure you know the answers to these questions:


  • Which of your services do they value most?
  • How can you help during a crisis?
  • Will you help a community in crisis even if your business is not in crisis?
  • If yes, what would that look like?


  • Which of your services do they value most?
  • How far are they willing to drive or wait to get this service if your community is in crisis?
  • How long would they wait for the service before they went to a different company?
  • Do they have any family who would be impacted as well?

The ideal business continuity plan will merge the goals of the business, community and employees to create a situation in which everybody wins. The bank in Pascagoula was able to successfully implement its business continuity strategy during a massive catastrophe because its business continuity planners weren’t just focused on the business’s goals — they knew what the bank’s employees and community needed and found a way to meet those needs. Employees were happy to come to work because they knew they were providing their neighbors with a critical service and offering a sense of stability in the midst of a volatile time. The bank was able to keep its doors open, the community received desperately needed FEMA money, and employees didn’t have to neglect their families to perform their duties.

Does your business continuity plan accomplish your goals as well as those of your employees and your community? Let us know in the comments.

This Underutilized Group Could Save Your Business in a Crisis

Over 30 years ago, Union Carbide, a U.S.-owned pesticide plant in Bhopal, India, leaked 40-plus tons of a poisonous gas into the surrounding region, killing at least 3,800 people in their sleep and producing deleterious environmental effects. The incident — the worst industrial accident in history — led to the Emergency Planning & Community Right-to-Know Act (EPCRA) of 1986.

As part of this act, the Environmental Protection Agency (EPA) created Local Emergency Planning Committees (LEPCs) to help local communities improve their ability to respond to chemical emergencies. LEPCs require facilities to submit inventories of hazardous chemicals and develop emergency response plans in collaboration with local law enforcement, city officials and members of the media. Throughout the U.S., there are more than 3,000 LEPCs, one for each of the designated local emergency planning districts, which are determined by city or county boundaries.

Even if your business doesn’t deal with hazardous materials, though, don’t write off LEPCs as a valuable resource for your crisis response efforts. Here are three reasons to join your local LEPC.

LEPCs Aren’t Just for Chemical Plants Anymore

Although LEPCs were initially created to help reduce risks associated with toxic chemicals, many LEPCs are taking an all-hazards approach and addressing scenarios such as active shooter incidents. Involving local first responders in drills benefits both sides by opening the lines of communication, clarifying each party’s roles and ironing out wrinkles in the response strategy.

For example, one financial services company had a local SWAT team participate in an active shooter scenario involving over 60 victims. During the drill, the shooter took 15 employees as hostages and barricaded himself in a room. The organization has three individuals trained in hostage negotiations, so the drill gave these staff members the opportunity to practice their skills. Throughout the exercise, the SWAT team sat side by side with the negotiators and trained them.

The organization also worked with the police force’s IT team to link the station’s video cameras to the business’s system so live video could be broadcast to a command center. This integration allows the police force to assess events in real time when necessary. There are also plans to look into feeding video into the responding patrol cars so the police know what to expect as soon as they arrive on a scene.

Working in conjunction with local law enforcement to prepare for an emergency will not only improve your business’s crisis response plan, but it'll also help first responders do their jobs better since they’ll be familiar with your facility and plan.

Engaging the Community Builds Reputation Currency

When a crisis impacts your company, it’s critical to gain control of how your employees, customers, community, investors and regulators perceive the situation. To do so, it’s important to have an established reputation and demonstrate that you prioritize your community’s well-being. Joining your local LEPC is a visible way for your company to both gain reputation benefits and help the community.

Through attending LEPC meetings, you create critical relationships with first responders and even members of the media. If an event affects your facility, LEPC members will gladly state that your company was actively participating in the group to better the community and can provide letters of reference when auditors come calling. Good press at a bad time is crucial to protecting your reputation during a crisis.

But joining an LEPC doesn’t — and shouldn’t — benefit your company alone. In College Station, TX, where our headquarters is located, one of our staff members participates in the Brazos County LEPC. Thanks to the efforts of individuals representing several companies, the group recently received a $100,000 grant to purchase special firefighting equipment.

Getting involved in your local LEPC will expose you to countless opportunities for corporate social responsibility initiatives. The EPA, in fact, encourages community outreach by “empowering volunteers to create meaningful tasks,” such as providing local schools and nursing facilities with educational materials about emergency preparedness topics. LEPCs are intended to include not only first responders but also representatives from a range of demographics, organizations and community groups, so networking within LEPCs helps you develop an in-depth understanding of your community’s needs.

LEPCs Foster Public-Private Collaboration

For years, public and private entities have lamented the lack of collaboration when it comes to emergency preparedness. LEPCs pave the way for cross-sector partnerships. To develop a relationship with local first responders and the city officials, encourage your staff members to participate in LEPC meetings and public-sector exercises. When involving first responders in your own drills, prioritize making the event mutually beneficial by offering first responders the opportunity to practice processes and procedures of their own. The aforementioned financial services organization, for example, tested its local police department’s new inventory system.

Unfortunately, many LEPCs are now dormant or nonexistent. They work independently and are loosely connected through the EPA region liaisons, meaning the activity level and quality of each varies greatly. Because they don’t get the press they should, they tend to stay below the radar. We would like to see that change.

To jumpstart your crisis response strategy and improve your reputation, take advantage of these resources:
  • Find your local LEPC here.
  • If you’re already involved with your local LEPC, check out the EPA’s guide for energizing your LEPC.
  • Listen to this webinar for more information on why it’s important to involve the community in your crisis response efforts.

Participating in a local LEPC will take time and commitment, but the long-term benefits to your business and the community where you live and work will be well worth the effort.

[Webinar Recap] How to Create a Crisis Response Strategy That Will Bulletproof Your Reputation

In today's social media-driven world, a company's actions during a crisis can make or break its reputation in an instant. According to a study from Deloitte, 87 percent of executives rate reputation risk as more important than other strategic risks. Equally compelling, 41 percent of companies that experienced an event with a negative impact on reputation reported a loss of brand value and revenue. Having a positive relationship with your community is a key way to boost your reputation, and forming your crisis response strategy with this in mind is crucial to the long-term success of your company.

In our most recent webinar, Rentsys Senior Manager Brandon Tanner delved into the importance of the public's involvement in a company's crisis response strategy and its correlation to reputation. Key takeaways from the presentation include:

  • Engage the public in all steps of your strategy — from planning to execution — to ensure you're meeting their needs and maintaining their goodwill.
  • Establish communication protocols in advance.
  • Gain executive buy-in through explaining the benefits of building relationships with the community to reduce reputation risk.

To hear more, listen to the webinar recording here.

Four Businesses Making Sparks Fly in their Communities for July Fourth

What does the Fourth of July mean for your business? Maybe it’s a day off to allow employees to spend time with friends and family, an opportunity for a marketing campaign or just another day at work. Or maybe it’s an opportunity for employees to roll up their sleeves and get involved in the community.
Building relationships with the people you live and work with not only humanizes your business, but it also helps shape the public’s perception of your company and builds reputation currency. If your business ever experiences a crisis, a good reputation increases your ability to rebound from the incident.

Below are four examples of businesses making fireworks — literally, in some cases — in their communities this July Fourth.

6-Ton Hoagie Feast

You’re able to get a hot dog or hamburger just about anywhere on the Fourth of July, but where do you get a 6-ton hoagie? In Philly, that’s where. In honor of the men and women serving the city of Philadelphia and our country, convenience store Wawa hosted the 25th Annual Wawa Hoagie Day as part of the six-day Fourth of July celebration Welcome America. The 6-ton hoagie serves 20,000 Philadelphians and is loaded with 4,308 pounds of meats and cheese and 5,413 pounds of veggies, oregano and oil. The ingredients are packed onto 274 pounds of hoagie wrap by 250 chefs.

Double-the-Fun Celebration

Imagine your idea of the quintessential July Fourth celebration. Now double that. In Fairfax, IA, Fairfax State Savings Bank organizes Fairfax USA Days, a two-day community celebration of Independence Day. The event brings local families together for Ferris wheel rides, sports competitions, a 5K, live music, a street market, a charity fundraiser and a large fireworks display. Thanks to the support of local organizations, the event is completely free to the public. USA Days is so popular that it’s now celebrating its 25th year.

Barbecue Dinner Sing-a-Long

People like to spend Fourth of July sharing a good meal with their friends and family, but for residents of retirement homes, that’s not always possible. Nashville, TN-based asphalt paving and highway construction company Rogers Group, Inc. (RGI) is changing that for 200 elderly citizens. For five years, RGI has sponsored an Independence Day meal for residents of a local retirement home. Several corporate employees personally serve barbecued meat, potato salad, baked beans, coleslaw and watermelon. While fireworks are understandably not allowed in the facility, RGI volunteers lead the residents in a chorus of patriotic songs such as “God Bless America!”

Guide to Local Fourth of July Celebrations

Engaging your community doesn’t have to entail a significant investment of time or money. Central Ohio’s Heartland Bank compiled a guide to all local celebrations and posted it on the bank’s website with a brief message letting patrons know that the Heartland Bank team would “be right there with you, celebrating every step of the way.” Although the bank isn’t hosting any celebrations of its own, it took the time to express its appreciation for the communities it serves. 

Whether it’s a simple gesture such as putting together a resource the community can use or going all out and planning an event, these four businesses are making it clear that their communities are important to them. And if those businesses ever experience a crisis, the community will remember that and give the company the benefit of the doubt. After all, wouldn’t you be more understanding toward an organization that had fed your elderly parent a barbecue meal in the nursing home? 

FFIEC Update to Cybersecurity Assessment Tool

This week, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool to help financial organizations improve their cybersecurity preparedness and identify risks.

There are two key updates:

  • Revisions to Appendix A, which provides guidance for mapping baseline statements to the FFIEC IT Examination Handbook. The changes correspond to the latest versions of the handbook booklets.
  • Additional response options that allow financial institution management to include supplementary or complementary behaviors, practices and processes that represent the institution’s current cybersecurity activity assessment practices.

To read more about the update, click here.

Business Continuity Awareness Week: Cybersecurity

The Business Continuity Institute (BCI) Business Continuity Awareness Week starts May 15. As this year's theme is cybersecurity, here are some of our favorite tips for building a strong cybersecurity plan.

Create Strong Passwords

"123456" or "QWERTY" may be easy to remember, but they make for easily guessed or hacked passwords. Yet they were two of the most common passwords used in 2016, according to Keeper Security's study of 10 million passwords leaked in data breaches last year.

Protect your company from data breaches by educating employees on creating strong passwords. Warn them of the dangers of reusing previous passwords, and require them to create new unique passwords on a frequent basis.

Evaluate Your Bring-Your-Own-Device Policy

Allowing employees to connect to your company network from their own personal devices can be a great way to cut down on costs, but it can lead to possible data breaches. Minimize this risk by developing a bring-your-own-device (BYOD) policy or by updating your existing policy.

A good BYOD policy should address application permissions, public Wi-Fi use, operating system updates, locking functions and other factors that may present security risks.

Don't Neglect the Internet of Things

While most people might be aware of the importance of a strong password, many don't realize their internet-connected devices are also prime targets for hackers. Ensure your cybersecurity policy accounts for all devices connected to your network, and have a clear business continuity plan in case of an attack or downtime.

Do you have any cybersecurity tips? Let us know in the comments!

Q&A: Black Knight Financial Services Talks BC/DR Testing on the Go

When most people attend the Disaster Recovery Journal (DRJ) Spring World conference, they plan to attend sessions to enhance their knowledge of business continuity and disaster recovery (BC/DR) best practices or browse through the exhibit hall to check out technological advances in the industry. The team at Jacksonville, FL-based Black Knight Financial Services had a more ambitious schedule — they decided to perform a BC/DR test between show activities. 

Black Knight, which is a customer of ours, had heard that we’d be deploying one of our Mobile Recovery Centers (MRCs) to DRJ Spring World to showcase our new Crisis Command Center configuration. With some test deadlines looming, Black Knight approached us about scheduling a test at the show. When we say we have a flexible testing schedule, we mean it, so we made it happen.

After the test, we had a chat with William Russ, Business Continuity Analyst for Black Knight, to talk about Black Knight’s experience with testing on the go. Here’s what he had to say.

Q: What was the objective of the test?
A: Our objective was to simulate a disaster in our primary facility requiring recovery of the enterprise business continuity office at a remote facility to direct crisis management operations and any critical business continuity support functions.

Q: Who participated?
A: Five business continuity specialists and one call center support manager participated in the exercise.

Q: What functions did you test?
A: The tested functions included:
  • VPN connectivity into our backup data center network
  • Network speed test — both Wi-Fi and cabled Ethernet
  • Emergency notification system activation
  • Five-way live video conferencing between Little Rock, AR; Jacksonville, FL; and Orlando, FL MRC locations
  • VoIP softphone capability
  • Logging in to five critical systems to verify data entry and reporting capability

Q: What did you learn from the test?
A: This was the first time most of the team had ever utilized an MRC and we were quite pleased with the facility, its capabilities and the Rentsys support team. 

Q: What was the most surprising thing the test revealed?
A: The most surprising thing about our exercise is that everything went off without even one hitch!  Also, we were impressed by the network speed back to our company network and the helpfulness of the Rentsys team.  

Q: What will you do differently next time?
A: While management was invited to participate in this exercise, a last-minute scheduling conflict required changing some of the participants. We will invite more management to participate next time for higher corporate visibility.

Have you had a unique BC/DR testing experience? We want to hear about it! Let us know in the comments. 

Do You Revoke Access Privileges After an Employee Leaves?

There were no auto dealership sales reps milling around when a man returned the red muscle car he'd been driving to the dealership's lot. Nobody was there to ask him what he thought of his test drive or to discuss the price. That's because it was 5 a.m. on a Sunday, and the dealership was closed. The man, a former employee of the dealership, never should have had access to the car in the first place.

Lingering access privileges for former employees are a growing problem across all industries. But not all privilege abuses are detected as easily as the dealership ex-employee's joyride — especially when digital assets are involved.

According to a recent study by Osterman Research [PDF], almost 90 percent of former employees retained login credentials for at least one business application, such as PayPal, WordPress or Facebook, after they left the company. Almost half still had access to confidential business data. Forgetting to reset passwords, disable accounts and revoke network access puts your business at serious risk of data and cybersecurity breaches.

An FBI warning to businesses issued in 2014 revealed that costs incurred due to data breaches involving disgruntled or former employees ranged from $5,000 to $3 million. No matter the size of your business, can you afford to risk that much by allowing former employees to retain data access after they leave?

Here are three organizations that had to deal with data breaches at the hands of disgruntled, retiring or former employees and tips for what you should do to avoid a similar breach.


Gucci

What Happened: In 2010, an employee of fashion brand Gucci created a fake VPN token in the name of a nonexistent employee and later tricked Gucci's IT staff into activating the token after he was fired. He used the access to do about $200,000 worth of damage to the Gucci network, deleting data and shutting down servers.

What You Should Do: Perform regular reviews of employee access privileges. If something seems fishy — such as an account for a fake employee — or if a real employee has access to something that isn't needed for their job duties, terminate the account or the access. You should also terminate all accounts associated with a former employee or contractor and change passwords to group accounts immediately after their departure.
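One way to automate the regular access review described above, as an added example that is not from the original post: it reconciles application accounts against an HR roster and flags enabled accounts with no matching employee, enabled accounts of departed staff, and shared accounts whose password has not been changed since a holder left. The roster, accounts, field names and finding codes are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    termination_date: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    system: str
    enabled: bool
    owner_emp_id: Optional[str] = None       # None for shared/group accounts
    shared_with: Tuple[str, ...] = ()        # emp_ids who know the group password
    password_changed: Optional[date] = None  # last rotation of the group password


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    code: str
    detail: str


def has_left(emp, today):
    """True once the termination date has been reached (future dates do not count)."""
    return emp.termination_date is not None and emp.termination_date <= today


def review_access(roster, accounts, today):
    """Return a Finding for every enabled account that needs action."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to revoke
        if acct.owner_emp_id is not None:
            owner = by_id.get(acct.owner_emp_id)
            if owner is None:
                # Account issued to someone HR has no record of (the fake-employee case).
                findings.append(Finding(acct.username, acct.system, "ORPHAN",
                                        f"owner id {acct.owner_emp_id} is not in the HR roster"))
            elif has_left(owner, today):
                findings.append(Finding(acct.username, acct.system, "FORMER_EMPLOYEE",
                                        f"{owner.name} left on {owner.termination_date}"))
            continue
        # Shared account: the password must be newer than the latest departure.
        departures = [by_id[i].termination_date for i in acct.shared_with
                      if i in by_id and has_left(by_id[i], today)]
        if departures:
            last = max(departures)
            # A change on the departure day itself is treated as too early.
            if acct.password_changed is None or acct.password_changed <= last:
                findings.append(Finding(acct.username, acct.system, "STALE_SHARED_SECRET",
                                        f"password not changed since a holder left on {last}"))
    return findings


# Constructed sample data (not from any real system).
TODAY = date(2024, 4, 1)
ROSTER = [
    Employee("E100", "Alice Ng"),
    Employee("E101", "Bob Ortiz", date(2024, 3, 15)),   # already gone
    Employee("E102", "Carol Diaz", date(2024, 6, 30)),  # notice given, still employed
]
ACCOUNTS = [
    Account("ang", "vpn", True, owner_emp_id="E100"),
    Account("bortiz", "vpn", True, owner_emp_id="E101"),
    Account("bortiz", "crm", False, owner_emp_id="E101"),
    Account("cdiaz", "vpn", True, owner_emp_id="E102"),
    Account("tmp-jdoe", "vpn", True, owner_emp_id="E999"),
    Account("social-media", "cms", True, shared_with=("E100", "E101"),
            password_changed=date(2024, 1, 10)),
    Account("billing-portal", "payments", True, shared_with=("E100", "E101"),
            password_changed=date(2024, 3, 16)),
]

if __name__ == "__main__":
    for f in review_access(ROSTER, ACCOUNTS, TODAY):
        print(f"{f.code:20} {f.system}/{f.username}: {f.detail}")
```
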

Office of the Comptroller of Currency

What Happened: The U.S. Office of the Comptroller of Currency (OCC), which supervises all national banks, was sent scrambling in 2016 when it discovered that a former employee had downloaded a large number of files onto two removable memory devices prior to retiring from the bureau the year before.

Though the data was encrypted and was not believed to have been misused, the OCC still considered it a major incident. The former employee had misplaced the memory devices, meaning the unrecovered files could still fall into the wrong hands.

What You Should Do: The OCC didn't discover the incident when it happened because it didn't have a policy concerning the use of external media devices. Even when employees feel like they're downloading harmless data such as personal photos, they can still represent a risk. Consider implementing a policy that prevents the download of information to a removable device without supervisor approval. Regularly reviewing what data is being downloaded can also help you react quickly to potential breaches.

Houston Astros

What Happened: A former St. Louis Cardinals employee was recently sentenced to 46 months in prison for his part in hacking into the Houston Astros' player information database. The employee had left to be the Astros general manager and used a similar password between the two teams, giving the hacker an open door to the Astros' confidential research.

What You Should Do: When hiring new employees, be sure you educate them on password security and encourage them to not reuse a password they've used for any other employer or personal application. Implement a policy that requires unique passwords that are frequently changed to combat the possibility of a password falling into the wrong hands.

Unrestricted network access and poor password security aren't the only things that can cause security breaches. The use of personal devices such as smartphones and tablets for business purposes can represent another major security risk for businesses. Read our post "Is Your BYOD Policy Prepared for Pokémon GO?" to find out the importance of a bring your own device (BYOD) policy.

[Webinar Recap] The Cure for Your HIPAA Headache

As of February 2017, there are more than 1,800 healthcare providers listed on the breach portal — known as the “wall of shame” in the healthcare industry — maintained by the U.S. Department of Health & Human Services Office for Civil Rights (OCR). In 2016, cyber attacks against healthcare organizations increased by 63 percent. These numbers are symptomatic of a growing problem in the healthcare industry: ever-evolving cyber risks and a struggle to adhere to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

In a recent webinar with the Disaster Recovery Journal, Robert Felps, CEO/CISO for compliance and risk management firm Third Rock, and Brandon Tanner, senior manager for Rentsys Recovery Services, discussed what healthcare providers can do about this “HIPAA headache.”

To discover the cure, check out the recording of the webinar here.

Business Continuity 2016: A Year in Review

There was no shortage of challenges for business continuity professionals in 2016. As we move into a new year, we wanted to highlight some of the themes from last year, as we fully expect to see more of the same this year. Here are our top six observations.

Ransomware Was the Most Talked-About Cyber Threat

It’s responsible for shutting down transit systems. It’s cut off communications among hospital staff. It’s extorted millions of dollars from banks. “It” is ransomware — a type of malware that hackers deploy to encrypt data. The hacker then demands a ransom in exchange for a decryption key.

Back in March, the Los Angeles Times declared that 2016 was “shaping up as the year of ransomware.”  The prediction rang true — Kaspersky Lab confirmed that ransomware attacks against businesses increased threefold in 2016. Healthcare is by far the most targeted industry, with telecom and transportation trailing behind.

Ransoms can reach into the range of thousands of dollars. Hollywood Presbyterian Medical Center, for example, paid $17,000 worth of bitcoin to quickly regain access to its data. The FBI, however, has recommended against this strategy, saying that giving in to criminals’ demands only encourages further criminal activity and there’s no guarantee businesses will receive the decryption key after paying the ransom.

The best defense is the one the U.S. Department of Health and Human Services recommends: regularly back up data (so you can restore it in case primary copies are encrypted by ransomware), use security software and educate employees on cybersecurity best practices.

Data Breaches Continued Unabated

Data breaches have spent plenty of time in the spotlight during the past few years. Whether they involved a hacker exploiting a vulnerability while a client moves from one online services vendor to another; a healthcare vendor losing hard drives containing patient data; an employee falling for a phishing attempt and exposing employee W-2s; or a hospital employee accessing files without authorization over a period of several years, data breaches put countless Americans’ data at risk this year.

The exact cost is debatable, but the risks are clear: Businesses risk not only data loss but also intellectual property theft, exposure of company secrets, source code sabotage, investigations by regulatory authorities, reputation damage and costly litigation. The list of consequences goes on and on.

The top three sectors targeted in 2016 were government, healthcare and business. Businesses in the healthcare industry are a prime target, because unlike credit card numbers, personal data like Social Security numbers and medical records can’t be easily changed, so they fetch a premium on the black market.

Some businesses take out data breach insurance policies as protection, but this strategy is no substitute for business continuity planning.

Businesses Lack the Resources for a Well-Rounded Business Continuity Program

Companies aren’t always well equipped to deal with the business continuity threats they’re facing, especially when it comes to disaster recovery (DR) and cybersecurity.

Cybersecurity technology might be top of mind for the global C-suite, but finding the security talent to accompany it is another story. A combination of rapidly evolving cyber threats and inadequate education programs has led to a shortage in security talent. The security professionals that do exist command such high salaries that they’re inaccessible to SMBs and industries that don’t pay as much for cybersecurity talent as others (the financial services industry pays more than healthcare, for example).

Disaster recovery, on the other hand, simply isn’t a top priority for half of C-level execs. Perhaps this is because 65 percent of execs are already confident in their organizations’ DR plans. Problematically, only 31 percent of IT managers agree with this assessment.

Considering these shortcomings, it’s not surprising that only 51 percent of businesses report having a comprehensive business continuity plan.

Vendor Due Diligence Became a Larger Part of Compliance

As always, compliance plays a prominent role in business continuity. In 2016, businesses that are subject to guidelines set by the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA) saw their regulatory burden increase. Now, these businesses are being held responsible for performing due diligence on any outsourced service providers that provide essential technology services and/or handle protected health information (PHI) or personally identifiable information (PII). What’s more, they must also perform due diligence on any third parties and their subcontractors used to provide the contracted services.

HIPAA is especially strict — it holds business associates (i.e., subcontractors handling PHI and PII) directly responsible for observing HIPAA requirements. In fall 2016, the Office for Civil Rights (OCR) launched phase 2 of a round of audits, which resulted in the first penalty against a business associate.

The emphasis on vendor management is driven in large part by the increasing number of cyber threats. The OCR issued an alert on the importance of cyber awareness, and the FFIEC issued a warning about cyber attacks.

The DRaaS Market Continued to Expand

The cloud market, particularly the disaster recovery as a service (DRaaS) market, has continued to expand. In 2016, the DRaaS market was worth $1.68 billion and is expected to be worth $11.1 billion by 2021, growing at an estimated CAGR of 45.9 percent.

Data breaches are hastening the move to the cloud, and MSPs are realizing the vast revenue potential of offering DRaaS to their customers. It’s especially appealing to SMBs that lack the resources and expertise to manage a cloud solution, large enterprises that want their dedicated IT staff to spend more time on revenue-generating projects, and organizations that want to leverage multiple clouds (e.g., private and public).

New Weather Challenges Emerged

Data security garnered plenty of attention in the media during 2016, but unique weather threats and natural disasters put business continuity plans to the test as well.

For instance, this year’s hurricane season was a significant one on many levels. It boasted the most hurricane activity since 2012 (there were 15 named storms) and had the most major hurricanes (three) since 2011. Additionally, the Atlantic saw its first Category 5 hurricane in nine years. While hurricane season officially begins in June and ends in November, this season was extra long. Hurricane Alex made an early appearance in the Atlantic in mid-January, and Hurricane Otto showed up in the Caribbean on Thanksgiving. We can expect more of the same in years to come, as some say hurricane season could be extended by as much as a day every year.

NASA reports that fire seasons are getting longer and more frequent as well, with dry landscapes and hotter temps creating prime conditions for fires. To make matters worse, the Forest Service is underfunded and struggling to accommodate fire suppression efforts. The 2016 season included deadly fires such as the Clayton fire in California, which consumed 300,000 acres and destroyed 175 structures. In August, the National Interagency Fire Center reported that California ranked highest for the number, size and severity of wildfires in the West.

The Southeast also experienced significant wildfire activity, which is uncharacteristic of the region. As of November 20, forest fires had burned 119,000 acres across eight states. These numbers don’t include the deadly fires in Gatlinburg, TN — the worst the state has experienced in 100 years. Those blazes alone destroyed more than 2,400 structures and scorched 20,000 acres, killing 14 and injuring 175.

Outlook for 2017

Considering the threats we faced in 2016, our advice for 2017 is to be vigilant, as threats exist on all fronts, from natural disasters to cyber breaches. When planning for cyber threats, be sure you don’t neglect your physical infrastructure. With severe weather threats and natural disasters always on the horizon, you need to consider the impact of not having access to your primary facility. Train your employees well and invest in third-party help if your internal resources aren’t adequate for ensuring you’re protected.
