[Webinar Recap] How to Create a Crisis Response Strategy That Will Bulletproof Your Reputation

Tips for Involving the Public in Crisis Response PlanningIn today's social media-driven world, a company's actions during a crisis can make or break its reputation in an instant. According to a study from Deloitte, 87 percent of executives rate reputation risk as more important than other strategic risks. Equally compelling, 41 percent of companies that experienced a event with a negative impact on reputation reported a loss of brand value and revenue. Having a positive relationship with your community is a key way to boost your reputation, and forming your crisis response strategy with this in mind is crucial to the long-term success of your company.

In our most recent webinar, Rentsys Senior Manager Brandon Tanner delved into the importance of the public's involvement in a company's crisis response strategy and its correlation to reputation. Key takeaways from the presentation include:
  • Engage the public in all steps of your strategy — from planning to execution —
     to ensure you're meeting their needs and maintaining their goodwill.
  • Establish communication protocols in advance.
  • Gain executive buy-in through explaining the benefits of building relationships with the community to reduce reputation risk.

To hear more, listen to the webinar recording here.

Four Businesses Making Sparks Fly in their Communities for July Fourth

Concert with fireworks
What does the Fourth of July mean for your business? Maybe it’s a day off to allow employees to spend time with friends and family, an opportunity for a marketing campaign or just another day at work. Or maybe it’s an opportunity for employees to roll up their sleeves and get involved in the community.
  
Building relationships with the people you live and work with not only humanizes your business, but it also helps shape the public’s perception of your company and builds reputation currency. If your business ever experiences a crisis, a good reputation increases your ability to rebound from the incident.

Below are four examples of businesses making fireworks — literally, in some cases — in their communities this July Fourth.

6-Ton Hoagie Feast


You’re able to get a hot dog or hamburger just about anywhere on the Fourth of July, but where do you get a 6-ton hoagie? In Philly, that’s where. In honor of the men and women serving the city of Philadelphia and our country, convenience store Wawa hosted the 25th Annual Wawa Hoagie Day as part of the six-day Fourth of July celebration Welcome America. The 6-ton hoagie serves 20,000 Philadelphians and is loaded with 4,308 pounds of meats and cheese and 5,413 pounds of veggies, oregano and oil. The ingredients are packed onto 274 pounds of hoagie wrap by 250 chefs.

Double-the-Fun Celebration


Imagine your idea of the quintessential July Fourth celebration. Now double that. In Fairfax, IA, Fairfax State Savings Bank organizes Fairfax USA Days, a two-day community celebration of Independence Day. The event brings local families together for Ferris wheel rides, sports competitions, a 5K, live music, a street market, a charity fundraiser and a large fireworks display. Thanks to the support of local organizations, the event is completely free to the public. USA Days is so popular that it’s now celebrating its 25th year.

Barbecue Dinner Sing-a-Long


People like to spend Fourth of July sharing a good meal with their friends and family, but for residents of retirement homes, that’s not always possible. Nashville, TN-based asphalt paving and highway construction company Rogers Group, Inc. (RGI) is changing that for 200 elderly citizens. For five years, RGI has sponsored an Independence Day meal for residents of a local retirement home. Several corporate employees personally serve barbecued meat, potato salad, baked beans, coleslaw and watermelon. While fireworks are understandably not allowed in the facility, RGI volunteers lead the residents in a chorus of patriotic songs such as “God Bless America!”

Guide to Local Fourth of July Celebrations


Engaging your community doesn’t have to entail a significant investment of time or money. Central Ohio’s Heartland Bank compiled a guide to all local celebrations and posted it on the bank’s website with a brief message letting patrons know that the Heartland Bank team would “be right there with you, celebrating every step of the way.” Although the bank isn’t hosting any celebrations of its own, it took the time to express its appreciation for the communities it serves. 

Whether it’s a simple gesture such as putting together a resource the community can use or going all out and planning an event, these four businesses are making it clear that their communities are important to them. And if those businesses ever experience a crisis, the community will remember that and give the company the benefit of the doubt. After all, wouldn’t you be more understanding toward an organization that had fed your elderly parent a barbecue meal in the nursing home? 

FFIEC Update to Cybersecurity Assessment Tool

Man touching shield with lockThis week, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool to help financial organizations improve their cybersecurity preparedness and identify risks.
There are two key updates:
  • Revisions to Appendix A, which provides guidance for mapping baseline statements to the FFIEC IT Examination Handbook. The changes correspond to the latest versions of the handbook booklets.
  • Additional response options that allow financial institution management to include supplementary or complementary behaviors, practices and processes that represent the institution’s current cybersecurity activity assessment practices.
To read more about the update, click here

Business Continuity Awareness Week: Cybersecurity

cybersecurity awareness poster: password sticky note
The Business Continuity Institute (BCI) Business Continuity Awareness Week starts May 15. As this year's theme is cybersecurity, here are some of our favorite tips for building a strong cybersecurity plan.

Create Strong Passwords


"123456" or "QWERTY" may be easy to remember, but they make for easily guessed or hacked passwords. Yet they were two of the most common passwords used in 2016, according to Keeper Security's study of 10 million passwords leaked in data breaches last year.

Protect your company from data breaches by educating employees on creating strong passwords. Warn them of the dangers of reusing previous passwords, and require them to create new unique passwords on a frequent basis.

Evaluate Your Bring-Your-Own-Device Policy


Allowing employees to connect to your company network from their own personal devices can be a great way to cut down on costs, but it can lead to possible data breaches. Minimize this risk by developing a bring-your-own-device (BYOD) policy or by updating your existing policy.

A good BYOD policy should address application permissions, public Wi-Fi use, operating system updates, locking functions and other factors that may present security risks.

Don't Neglect the Internet of Things


While most people might be aware of the importance of a strong password, many don't realize their internet-connected devices are also prime targets for hackers. Ensure your cybersecurity policy accounts for all devices connected to your network, and have a clear business continuity plan in case of an attack or downtime.

Do you have any cybersecurity tips? Let us know in the comments!

Q&A: Black Knight Financial Services Talks BC/DR Testing on the Go

Four men sitting around table with TV screens in background
Black Knight Financial Services' BC/DR Test 
When most people attend the Disaster Recovery Journal (DRJ) Spring World conference, they plan to attend sessions to enhance their knowledge of business continuity and disaster recovery (BC/DR) best practices or browse through the exhibit hall to check out technological advances in the industry. The team at Jacksonville, FL-based Black Knight Financial Services had a more ambitious schedule — they decided to perform a BC/DR test between show activities. 

Black Knight, which is a customer of ours, had heard that we’d be deploying one of our Mobile Recovery Centers (MRCs) to DRJ Spring World to showcase our new Crisis Command Center configuration. With some test deadlines looming, Black Knight approached us about scheduling a test at the show. When we say we have a flexible testing schedule, we mean it, so we made it happen.

After the test, we had a chat with William Russ, Business Continuity Analyst for Black Knight, to talk about Black Knight’s experience with testing on the go. Here’s what he had to say.

Q: What was the objective of the test?
A: Our objective was to simulate a disaster in our primary facility requiring recovery of the enterprise business continuity office at a remote facility to direct crisis management operations and any critical business continuity support functions.

Q: Who participated?
A: Five business continuity specialists and one call center support manager participated in the exercise.

Q: What functions did you test?
A: The tested functions included:
  • VPN connectivity into our backup data center network
  • Network speed test — both Wi-Fi and cabled Ethernet
  • Emergency notification system activation
  • Five-way live video conferencing between Little Rock, AR; Jacksonville, FL; and Orlando, FL MRC locations
  • VoIP softphone capability
  • Logging in to five critical systems to verify data entry and reporting capability

Q: What did you learn from the test?
A: This was the first time most of the team had ever utilized an MRC and we were quite
pleased with the facility, its capabilities and the Rentsys support team. 

Q: What was the most surprising thing the test revealed?
A: The most surprising thing about our exercise is that everything went off without even one hitch!  Also, we were impressed by the network speed back to our company network and the helpfulness of the Rentsys team.  

Quote from William Russ, Business Continuity Analyst, Black Knight Financial ServicesQ: What will you do differently next time?
A: While management was invited to participate in this exercise, a last-minute scheduling conflict required changing some of the participants. We will invite more management to participate next time for higher corporate visibility.

Have you had a unique BC/DR testing experience? We want to hear about it! Let us know in the comments. 

Do You Revoke Access Privileges After an Employee Leaves?

Application password
There were no auto dealership sales reps milling around when a man returned the red muscle car he'd been driving to the dealership's lot. Nobody was there to ask him what he thought of his test drive or to discuss the price. That's because it was 5 a.m. on a Sunday, and the dealership was closed. The man, a former employee of the dealership, never should have had access to the car in the first place.

Lingering access privileges for former employees is a growing problem across all industries. But not all privilege abuses are detected as easily as the dealership ex-employee's joyride — especially when digital assets are involved.

According to a recent study by Osterman Research [PDF], almost 90 percent of former employees retained login credentials for at least one business application, such as PayPal, WordPress or Facebook, after they left the company. Almost half still had access to confidential business data. Forgetting to reset passwords, disable accounts and revoke network access puts your business at serious risk of data and cybersecurity breaches.

An FBI warning to businesses issued in 2014 revealed that costs incurred due to data breaches involving disgruntled or former employees ranged from $5,000 to $3 million. No matter the size of your business, can you afford to risk that much by allowing former employees to retain data access after they leave?

Here are three organizations that had to deal with data breaches at the hands of disgruntled, retiring or former employees and tips for what you should do to avoid a similar breach.

Gucci


What Happened: In 2010, an employee of fashion brand Gucci created a fake VPN token in the name of a nonexistent employee and later tricked Gucci's IT staff into activating the token after he was fired. He used the access to do about $200,000 worth of damage to the Gucci network, deleting data and shutting down servers.

What You Should Do: Perform regular reviews of employee access privileges. If something seems fishy — such as an account for a fake employee — or if a real employee has access to something that isn't needed for their job duties, terminate the account or the access. You should also terminate all accounts associated with a former employee or contractor and change passwords to group accounts immediately after their departure.

Office of the Comptroller of Currency


What Happened: The U.S. Office of the Comptroller of Currency (OCC), which supervises all national banks, was sent scrambling in 2016 when it discovered that a former employee had downloaded a large number of files onto two removable memory devices prior to retiring from the bureau the year before.

Though the data was encrypted and was not believed to have been misused, the OCC still considered it a major incident. The former employee had misplaced the memory devices, meaning the unrecovered files could still fall into the wrong hands.

What You Should Do: The OCC didn't discover the incident when it happened because it didn't have a policy concerning the use of external media devices. Even when employees feel like they're downloading harmless data such as personal photos, they can still represent a risk. Consider implementing a policy that prevents the download of information to a removable device without supervisor approval. Regularly reviewing what data is being downloaded can also help you react quickly to potential breaches.

Houston Astros


What Happened: A former St. Louis Cardinals employee was recently sentenced to 46 months in prison for his part in hacking into the Houston Astros' player information database. The employee had left to be the Astros general manager and used a similar password between the two teams, giving the hacker an open door to the Astros' confidential research.

What You Should Do: When hiring new employees, be sure you educate them on password security and encourage them to not reuse a password they've used for any other employer or personal application. Implement a policy that requires unique passwords that are frequently changed to combat the possibility of a password falling into the wrong hands.

Unrestricted network access and poor password security aren't the only things that can cause security breaches. The use of personal devices such as smartphones and tablets for business purposes can represent another major security risk for businesses. Read our post "Is Your BYOD Policy Prepared for Pokémon GO?" to find out the importance of a bring your own device (BYOD) policy.

[Webinar Recap] The Cure for Your HIPAA Headache

Culture of Compliance screenshot
As of February 2017, there are more than 1,800 healthcare providers listed on the breach portal — known as the “wall of shame” in the healthcare industry — maintained by the U.S. Department of Health & Human Services Office for Civil Rights (OCR). In 2016, cyber attacks against healthcare organizations increased by 63 percent. These numbers are symptomatic of a growing problem in the healthcare industry: ever-evolving cyber risks and a struggle to adhere to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

In a recent webinar with the Disaster Recovery Journal, Robert Felps, CEO/CISO for compliance and risk management firm Third Rock, and Brandon Tanner, senior manager for Rentsys Recovery Services, discussed what healthcare providers can do about this “HIPAA headache.”

To discover the cure, check out the recording of the webinar here.


Business Continuity 2016: A Year in Review

There was no shortage of challenges for business continuity professionals in 2016. As we move into a new year, we wanted to highlight some of the themes from last year, as we fully expect to see more of the same this year. Here are our top six observations.

Ransomware Was the Most Talked-About Cyber Threat


It’s responsible for shutting down transit systems. It’s cut off communications among hospital staff. It’s extorted millions of dollars from banks. “It” is ransomware — a type of malware that hackers deploy to encrypt data. The hacker then demands a ransom in exchange for a decryption key.

Back in March, the Los Angeles Times declared that 2016 was “shaping up as the year of ransomware.”  The prediction rang true — Kaspersky Lab confirmed that ransomware attacks against businesses increased threefold in 2016. Healthcare is by far the most targeted industry, with telecom and transportation trailing behind.

Ransoms can reach into the range of thousands of dollars. Hollywood Presbyterian Medical Center, for example, paid $17,000 worth of bitcoin to quickly regain access to its data. The FBI, however, has recommended against this strategy, saying that giving in to criminals’ demands only encourages further criminal activity and there’s no guarantee businesses will receive the decryption key after paying the ransom.

The best defense is the one the U.S. Department of Health and Human Services recommends: regularly back up data (so you can restore it in case primary copies are encrypted by ransomware), use security software and educate employees on cybersecurity best practices.

Data Breaches Continued Unabated


Data breaches have spent plenty of time in the spotlight during the past few years. Whether they involved a hacker exploiting a vulnerability while a client moves from one online services vendor to another; a healthcare vendor losing hard drives containing patient data; an employee falling for a phishing attempt and exposing employee W-2s; or a hospital employee accessing files without authorization over a period of several years, data breaches put countless Americans’ data at risk this year.

The exact cost is debatable, but the risks are clear: Businesses risk not only data loss but also intellectual property theft, exposure of company secrets, source code sabotage, investigations by regulatory authorities, reputation damage and costly litigation. The list of consequences goes on and on.

The top three sectors targeted in 2016 were government, healthcare and business. Businesses in the healthcare industry are a prime target, because unlike credit card numbers, personal data like Social Security numbers and medical records can’t be easily changed, so they fetch a premium on the black market.

Some businesses take out data breach insurance policies as protection, but this strategy is no substitute for business continuity planning.

Businesses Lack the Resources for a Well-Rounded Business Continuity Program


Companies aren’t always well equipped to deal with the business continuity threats they’re facing, especially when it comes to disaster recovery (DR) and cybersecurity.

Cybersecurity technology might be top of mind for the global C-suite, but finding the security talent to accompany it is another story. A combination of rapidly evolving cyber threats and inadequate education programs has led to a shortage in security talent. The security professionals that do exist command such high salaries that they’re inaccessible to SMBs and industries that don’t pay as much for cybersecurity talent as others (the financial services industry pays more than healthcare, for example).

Disaster recovery, on the other hand, simply isn’t a top priority for half of C-level execs. Perhaps this is because 65 percent of execs are already confident in their organizations’ DR plans. Problematically, only 31 percent of IT managers agree with this assessment.

Considering these shortcomings, it’s not surprising that only 51 percent of businesses report having a comprehensive business continuity plan.

Vendor Due Diligence Became a Larger Part of Compliance


As always, compliance plays a prominent role in business continuity. In 2016, businesses that are subject to guidelines set by the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA) saw their regulatory burden increase. Now, these businesses are being held responsible for performing due diligence on any outsourced service providers that provide essential technology services and/or handle protected health information (PHI) or personally identifiable information (PII). What’s more, they must also perform due diligence on any third parties and their subcontractors used to provide the contracted services.

HIPAA is especially strict — it holds business associates (i.e., subcontractors handling PHI and PII) directly responsible for observing HIPAA requirements. In fall 2016, the Office of Civil Rights (OCR) launched phase 2 of a round of audits, which resulted in the first penalty against a business associate.

The emphasis on vendor management is largely driven in part by the increasing number of cyber threats. The OCR issued an alert on the importance of cyber awareness, and the FFIEC issued a warning about cyber attacks.

The DRaaS Market Continued to Expand


The cloud market — particularly the disaster recovery as a service (DRaaS) market has continued to expand. In 2016, the DRaaS market was worth $1.68 billion and is expected to be worth $11.1 billion by 2021, growing at an estimated CAGR of 45.9 percent.

Data breaches are hastening the move to the cloud, and MSPs are realizing the vast revenue potential of offering DRaaS to their customers. It’s especially appealing to SMBs that lack the resources and expertise to manage a cloud solution, large enterprises that want their dedicated IT staff to spend more time on revenue-generating projects, and organizations that want to leverage multiple clouds (e.g., private and public).

New Weather Challenges Emerged


Data security garnered plenty of attention in the media during 2016, but unique weather threats and natural disasters put business continuity plans to the test as well.

For instance, this year’s hurricane season was a significant one on many levels. It boasted the most hurricane activity since 2012 (there were 15 named storms) and had the most major hurricanes (three) since 2011. Additionally, the Atlantic saw its first Category 5 hurricane in nine years. While hurricane season officially begins in June and ends in November, this season was extra long. Hurricane Alex made an early appearance in the Atlantic in mid-January, and Hurricane Otto showed up in the Caribbean on Thanksgiving. We can expect more of the same in years to come, as some say hurricane season could be extended by as much as a day every year.

NASA reports that fire seasons are getting longer and more frequent as well, with dry landscapes and hotter temps creating prime conditions for fires. To make matters worse, the Forest Service is underfunded and struggling to accommodate fire suppression efforts. The 2016 season included deadly fires such as the Clayton fire in California, which consumed 300,000 acres and destroyed 175 structures. In August, the National Interagency Fire Center reported that California ranked highest for the number, size and severity of wildfires in the West.

The Southeast also experienced significant wildfire activity, which is uncharacteristic of the region. As of November 20, forest fires had burned 119,000 acres across eight states. These numbers don’t include the deadly fires in Gatlinburg, TN — the worst the state has experienced in 100 years. Those blazes alone destroyed more than 2,400 structures and scorched 20,000 acres, killing 14 and injuring 175.

Outlook for 2017


Considering the threats we faced in 2016, our advice for 2017 is to be vigilant, as threats exist on all fronts, from natural disasters to cyber breaches. When planning for cyber threats, be sure you don’t neglect your physical infrastructure. With severe weather threats and natural disasters always on the horizon, you need to consider the impact of not having access to your primary facility. Train your employees well and invest in third-party help if your internal resources aren’t adequate for ensuring you’re protected.