Webinar Notes: The Preparis 2014 Threat Report
This week’s featured webinar notes are from a February 6th webinar hosted by Preparis. The event is available on demand on their website. The event was fascinating, in no small part because of the qualifications of the speakers and the organizations they represent.
In a panel format, we heard about a variety of threat categories: information security, weather and natural disasters, workforce continuity, and workplace violence. Each speaker was an expert in their field and presented a recap of 2013 risks, changes for the coming year, and preparation recommendations. There were a few takeaways that spanned all categories of risk, including listening to the proper experts in each instance, and putting an emphasis on training and communication planning.
Information Security: Jonathan Fairtlough, Kroll Cyber Security
In addition to their 2013 threat predictions (which included keeping an eye on old but forgotten data, making sure skills are kept in-house, hacking to destroy rather than to steal, and disclosure in the face of a breach), Fairtlough emphasized the need to keep an eye open for attacks from inside the company. This, notably, includes vendors who need access to corporate systems in order to conduct business. The recent data breach at Target was a perfect example of a vendor’s credentials being stolen and used to eventually reach and breach the company’s point-of-sale (POS) systems.
Among his recommendations for handling risk, Fairtlough mentioned the need to coordinate cross-functionally (and quickly) before responding. He also made valid points about separating the staffing and responsibilities of IT and security. The skills for one do not always translate to the other, and different reporting structures, oversight and seniority may be appropriate. In cases where one or both of these functions have been outsourced, procurement will need to validate that the proper SLAs and capabilities are in place at the selected vendors.
Weather & Natural Disasters: Mike Smith, AccuWeather
In a time when we all have immediate access to weather information via our smartphones and other mobile devices, Smith made a very good point about the difference between forecasting the weather and predicting the aftereffects of the weather. For the purposes of business continuity it is important to listen to meteorologists (validate that any critical information is coming from an appropriate and credible source) and not to try to adapt broad or general information for a specialized need.
We have apparently been in a relative weather lull, and it has been 8 years without a major hurricane. The downside of this calm is that enough time has passed that natural turnover has caused organizational memory loss about where information is kept and how to respond when severe weather strikes. Keeping plans current requires regular reviews when colleagues change positions or leave the company.
Workforce Continuity: Jonathan Trapp, Centers for Disease Control (CDC)
People are the core of any successful business, and when they are affected by health issues on the job, an organization must be prepared to respond in a way that balances the need to keep the operation going and the importance of being supportive and sympathetic to co-workers and family. As with the other threat types, much of the work must be done in advance, making sure that the risk associated with each role or position is both accurately assessed and appropriately staffed.
All continuity plans should be separate from the individuals who are likely to carry them out. That way, in a worst case scenario, almost anyone can step in and execute the response. [As an aside on this topic, there was coverage in the wake of the opening of the Olympic games in Sochi of the response plans put in place by the event’s largest sponsors should there be a tragedy. These plans included changes to (or elimination of) pre-scheduled advertising campaigns, CEO response scripts, and pre-approval of donations. Read more here from the USA Today]
Workplace Violence: Sgt. Steve Veillon, FBI’s Joint Terrorism Task Forces
Sadly, there are few locations left where we can consider ourselves safe from risk, and the workplace is no exception. Every incident helps improve awareness and planning to prevent future attacks. A 2012 SHRM study found that 36% of industrial organizations had reported workplace violence. One of the unique characteristics of response plans for cases of workplace violence is that people must be prepared to respond according to a plan as well as to act alone if the circumstances require it.
Some of the discussions to have in advance include making recommendations about evacuation versus shelter-in-place responses. When a facility is rented or managed by a third party, they should be a part of response planning and risk assessment, as should their hired or on-staff security team.
In her concluding remarks, Jonna Mayberry, the Managing Editor of Continuity Insights Magazine, made a recommendation that not only helps in responding to threats but also points out the need to constantly review and refresh plans to take advantage of all available assets. Twitter, something that few companies used at all only a few years ago, is now one of the best communication channels when disaster strikes.
Does your organization do formal threat assessment planning? Does that extend into the first and second tiers of the supply chain?