Risk News

Finding the Cleanup Crew After a Messy Hack Attack

"In the film “Pulp Fiction,” Harvey Keitel plays the Wolf, a fast-talking and meticulous man who is called in to deal with the aftermath of an accidental shooting."

Annie's take:

Finding an excellent IT security cleanup team is expensive. That's why it's easier to maintain first class security practices, including encryption of sensitive data, from the outset.

What’s in store for cloud computing in 2012?

"2011 has been an exciting year for the cloud. Companies are starting to accept the idea of using internet-based services instead of servers they control themselves. That in turn has driven a push to make the technologies more mature — and the tech companies making those technologies are growing up too."

Annie's take:

There is no doubt that cloud technology has revolutionized the way we think about data, storage and security.

Seattle Working on New Wireless Public Safety Network

"The city of Seattle is leading a multijurisdictional effort to build a new wireless public safety network in Washington state made possible by a public-private partnership."

Annie's take:

Seattle is on the cutting edge of emergency management planning, and now it looks like it will make a large push on a new public safety network. I applaud the approach being taken with the RFP.

'Anonymous' Claims Hack of Credit Data From Security Group

"Members of the loose-knit movement "Anonymous" claimed on Sunday to have stolen a raft of emails and credit-card data from U.S.-based security think tank Stratfor, promising it was just the start of a weeklong, Christmas-inspired assault on a long list of targets. "

Annie's take:

Evidently this was just the first attack of more that are to come this week. Most surprising is that Stratfor did not encrypt such data where payments information is involved.

The challenges in a changing world: adopting an integrated approach to risk mitigation

"In this paper Robert Hall looks at attitudes to risk within businesses and explains why the balance may be too far on the side of risk avoidance. Business continuity managers may have played a role in creating this imbalance."

Annie's take:

This abstract of the paper provides a link to the paper itself, which makes good points about why business continuity may have contributed to the slow adoption of risk management.

China hack of Chamber of Commerce highlights ‘spear-phishing’ dangers

"Hackers from China have reportedly been able to break into the systems at the U.S. Chamber of Commerce, stealing an unspecified amount of data and possibly gaining undetected access to the network for over a year."

Annie's take:

The lesson behind these attacks would be to think before you click through to a site you don't clearly recognize, since that is how most of these attacks occur. That social media is being used in many cases correlates to the carelessness exhibited by many who use such programs -- in my book, I note that over 80% of those on Facebook automatically accept friend invitations, without checking to be sure the person is indeed someone they know.

Seeing Terror Risk, U.S. Asks Journals to Cut Flu Study Facts

"For the first time ever, a government advisory board is asking scientific journals not to publish details of certain biomedical experiments, for fear that the information could be used by terrorists to create deadly viruses and touch off epidemics."

Annie's take:

It remains to be seen how this request will be met in full. Suppressing sufficient data so that copycat terrorists cannot manufacture such a virus is at variance with historical precedents for scientists sharing information.

Tips for Creating a Plan that Addresses the 3 Key Phases of Business Continuity

"On Feb. 7, 2011, at 7:45 p.m., smoke detectors were tripped at Pitney Bowes’ largest mail services presort facility in Grand Prairie, Texas, as a fire that started in another company’s nearby facility rapidly spread. "

Annie's take:

Jay Oxton is head of mail services for Pitney Bowes. This is a terrific outline of and rationale for any strong business continuity program.

Controversial Anti-Piracy Bill (SOPA) Nears House Approval: Why You Should Care

"The U.S. House of Representatives Judiciary Committee met on Thursday to discuss the controversial Stop Online Piracy Act (SOPA), which is a copyright bill that many believe to be extremely dangerous for the future of the Internet as we know it."

Annie's take:

SOPA is not a piece of legislation to which most of us have paid attention. Despite all the amendments to the bill, there are real questions about whether or not it should be approved.

Information security trends for 2012

"Cryptzone’s predictions for the top security trends for the coming year:"

Annie's take:

This is a list worth paying attention to.

The Top 10 CIO Priorities

"The National Association of State Chief Information Officers (NASCIO) on Wednesday, October 26, released the results of its annual survey of state CIOs that aims to pinpoint their top priorities in both strategy and technology."

Annie's take:

This late October survey of CIOs who work in the public sector shows somewhat divergent priorities than we see in the private sector, at least in order of importance. In part, that's because the public and private sectors start from different places in terms of the respective age of their infrastructure.

Cloud Adviser: Where's Your Data?

"With cloud computing, technology has advanced more quickly than the law's ability to effectively address its implications."

Annie's take:

Here's another look at cloud computing through the eyes of applicable laws and regulation, which nicely complements Andrew Hansen's December research note, which can be found in the "Research" section of our website.

Is Antiterrorism Training Keeping Up With the Diverging Threat?

"Though Walid Shoebat’s message to about 300 South Dakota police officers that all Islamic organizations in America are the enemy and that Islam and terrorism are inseparable may be an extreme case, there is growing concern about the antiterrorism training being delivered to law enforcement and other first responders around the country."

Annie's take:

We're certainly collecting a great deal of data with antiterrorism funds. But is the training adequate and appropriate?

Risk Practices That Endure

"As we close this year, I claim an editor’s privilege to explain ASA’s commitment – and my own – to research and publication."

Annie's take:

In this, the last column that I write for 2011, I discuss why our firm includes research and publications among its foundational commitments.

Using good governance to control cloud risks

"Cloud computing provides organizations with an alternative way of obtaining IT services and offers many benefits including increased flexibility as well as cost reduction. However many organizations are reluctant to adopt the cloud because of concerns over information security and a loss of control over the way IT service is delivered."

Annie's take:

This is an excellent article that covers a lot of ground. Keep your eyes peeled for Andrew Hansen's research note in our December newsletter that provides a fine complement to this piece. ASA's December newsletter will be published on Monday, December 12th.

Claims Of Cyberattack On Utility Stem From Contractor Logging On From Russia

"Mystery solved. A reported cyberattack on a water district in central Illinois turned out to be a false alarm set off when an American contractor logged onto the system remotely while vacationing in Russia."

Annie's take:

Mobility causes all sorts of false positives to show up, including this one. It's good that it got sorted out, but does indicate just how far authentication protocols need still to go.

Facebook Flaw Exposes Its CEO

"A security vulnerability in Facebook Inc.'s social-networking site exposed by some users sent the company scrambling for a fix after Chief Executive Mark Zuckerberg's private photos were published online."

Annie's take:

Though Facebook is supposed to have significantly improved its privacy controls, here's an example of how the company's ongoing development efforts resulted in access to Mark Zuckerberg's private photos. The best form of risk management is not to post status updates or photos that would cause embarrassment if they were made public.

Corzine Rebuffed Internal Warnings on Risks

"MF Global Holdings Ltd.'s executive in charge of controlling risks raised serious concerns several times last year to directors at the securities firm about the growing bet on European bonds by his boss, Jon S. Corzine, people familiar with the matter said."

Annie's take:

Here's another cautionary tale about a strong-willed CEO who chose to ignore his Chief Risk Officer when times grew tough. Anyone who aspires to become a Chief Risk Officer should first learn how to handle ridicule and suggestions that they lack the right temperament to weather a storm, or that they are just too tentative.

Near misses and direct hits

"The argument goes like this. Business continuity is not about the little disturbances and the day-to-day interruptions. "

Annie's take:

Jim Preen reviews a recent article, "How to Avoid Catastrophe," by Catherine Tinsley, Robin Dillon and Peter Marsden, in the Harvard Business Review that suggests we should be looking at incidents rather than waiting for large catastrophes.

How to detect and stop corporate espionage

"You’ve spent months fixing the red items on an internal audit report and just passed a regulatory exam."

Annie's take:

This is a very dense article, with a great deal of useful information. It complements the research note that Andrew Hansen wrote last month for the ASA newsletter, along with my own column.

12 Things You Didn’t Know Facebook Could Do

"The designers and engineers who build Facebook are anything but complacent about their success."

Annie's take:

For those of us who use Facebook for business as well as pleasure, this is an important article. Though Facebook often seeks to explain new features to us, this is an easier way to absorb the information.

The real cloud revolution is all about consumerization

"Everyone is talking about the “cloud,” but is there anything new here? How is the “cloud” different from “internet” or “web?” "

Annie's take:

This is an excellent article for those wanting to understand the larger context in which cloud computing plays. And it's a great leadup to the conference taking place today in California, about which we should have more information tomorrow.

The Long Road to Recovery After Hurricane Irene

"Dire warnings preceded Hurricane Irene and although some areas “dodged the bullet,” severe rains hammered parts of the East Coast, hitting areas unaccustomed to such storm activity."

Annie's take:

Big storms have long term impacts. This article lays out some of the longer term recovery issues around Hurricane Irene, where recovery is still ongoing.

Advice From A Risk Detective Is Now Available

In her first book, Searle translates her operational risk expertise into stories, tips and checklists that the general public can use to make themselves safer.

Annie's take:

The third chapter of my new book focuses on life on the Internet -- including ways to protect your digital data and online self.

What is a resilient organization?

"Over the past couple of weeks I have taken part in three separate discussions with high profile business continuity professionals about organizational resilience and resiliency."

Annie's take:

I've printed the definitions of resiliency that David Honour collected, along with a link so that you might add your own definition or comments. The convergence of operational risk, security and business continuity disciplines seems to have made this more difficult for some professionals. What's your definition?

Remember: All Disasters Are Local, Says FEMA Deputy Administrator

"All disasters are local was the theme of FEMA Deputy Administrator Richard Serino’s keynote speech at the International Association of Emergency Managers Annual Conference on Monday, Nov. 14, in Las Vegas."

Annie's take:

Serino's remarks remind us that the best preparations begin at home. For more history and background on FEMA, please check out Andrew Hansen's research note, published in the October issue of the ASA Newsletter.

Four Tips on Social Media Strategy

"With face-to-face interactions on the decline and online and mobile banking on the rise, banks are increasingly turning to social media to enhance the customer experience."

Annie's take:

Though this article is written for the banking profession, it applies to other business segments as well. This may just be the article that persuades your executives that social media can enhance other marketing channels.

Report: Climate change means more frequent droughts, floods to come

"Climate change will make the drought and flooding events that have battered the United States and other countries in 2011 more frequent in years to come, forcing nations to rethink the way they cope with disasters, according to a new report the U.N. Intergovernmental Panel on Climate Change issued Friday."

Annie's take:

The Southeast saw 13 tornadoes tear through several days ago. This international report suggests that extreme weather is becoming the norm rather than the exception. It's difficult in light of such data to think that climate change is a fiction.

FAQ: Facebook spam and how to protect yourself

"Many Facebook users were surprised to find graphic pornographic and violent images in their news feeds this week, following a widespread spam attack. The company said that it now has the issue under control."

Annie's take:

Taking the time to lock down your privacy settings, and then taking seriously the advice in this article, could leave you and your digital identity in better shape. My new book has a whole chapter devoted to reasonable precautions to take when using social media.

Pentagon: Cyber offense part of U.S. strategy

"The Pentagon is prepared to launch cyberattacks in response to hostile actions that threaten the government, military or U.S. economy, according to a new policy document submitted to Congress this week."

Annie's take:

While it is reassuring to know that this country has a cyber offense strategy, it is still not very clear under what conditions it might be deployed.

Homeland Security and the Dark Side of Mother Nature

"Recent events have provided poignant reminders of the myriad and persistent homeland security challenges faced by United States and similar societies around the world."

Annie's take:

Stern's powerful summary of the challenges that still face us is worth reviewing.

Preparing a power failure response strategy

"According to a recent Forrester Research survey nearly half of the declared disasters reported over a one-year period were due to power failures."

Annie's take:

Here's a methodical introduction to the approach any business concerned with losing power during an emergency can take. Kennedy covers all the bases.

Alaska storm brings ‘epic’ flooding, snowy weather and strong winds

"A storm of historic intensity continues to pound the west coast of Alaska today. Twice the size of Texas, the storm is as deep as a category 3 hurricane."

Annie's take:

This very rough storm ushers in what is likely to be a La Nina winter for the Pacific Northwest -- a good reminder to double check your home emergency kit and other preparations to ensure you can survive for 3-5 days without a trip to the grocery store or electrical power.

Social Media Disaster Recovery: a First Responder's Guide

"Every new technology brings with it the capacity to screw things up in an entirely new way. With social media, it's now become possible to turn what was once a verbal gaffe behind closed doors into a public peccadillo."

Annie's take:

Here's a good analysis of the types of situations that can go absolutely wrong where social media is concerned, as businesses try to understand and incorporate it into their marketing efforts.

Nationwide Test of Emergency Alert System to Become a Reality

"For the past two years, officials in cooperation with the FCC and National Oceanic and Atmospheric Administration (NOAA) have worked to make a nationwide test of the Emergency Alert System (EAS) a reality."

Annie's take:

This test of legacy platforms for alerts will occur tomorrow, November 9, at 2pm EST or 11am PST.

Thailand Flooding Cripples Hard-Drive Suppliers

"In the neck-deep floodwaters of an industrial zone here, workers are using Jet Skis and wooden skiffs to transport stacks of computer components out of waterlogged factories."

Annie's take:

For those who wonder what "supply chain" means, this story will illustrate the issue graphically.

In a world of cybertheft, U.S. names China, Russia as main culprits

"Online industrial spying presents a growing threat to the U.S. economy and national security, American intelligence agencies warned Thursday in a report to Congress that publicly accused China and Russia of responsibility for cyber-espionage. "

Annie's take:

While none of us in the risk business would be surprised by this news, I can only imagine that the threat must be higher than any of us had imagined.

Tap the Social Media Stream for Competitors' Secrets

"Ten years ago, Logicalis, a systems integrator, would have needed a wiretap to overhear the grumblings of a competitor's dissatisfied customer or prospect. But when a Logicalis sales representative stumbled across a LinkedIn status update revealing an individual's frustration with a rival company's cloud service, he knew just what to do."

Annie's take:

Data mining techniques take many forms, and here's another -- monitoring your competition's Twitter and Facebook sites to see what the competition and its customers are saying. Hmm.

When Each Bad Storm Means More Dark Days

"First came the heavy snow in February that crushed the hangar and destroyed the vintage Piper J-5A airplane he housed in Dutchess County, N.Y."

Annie's take:

This story is as much about crumbling infrastructure as it is about the impacts of multiple types of natural disasters. The lesson appears to be that families need to become better prepared to live without heat or power for extended periods of time.

Former State Official to Lead Federal Cybersecurity Efforts

"Mark Weatherford, California’s former chief information security officer, will lead cybersecurity efforts for the federal government. "

Annie's take:

We wish Mr. Weatherford the best in his new position, an important one for this country.

How Ready Are We for Bioterrorism?

"A few days after 9/11, a retired Air Force colonel named Randall Larsen entered the northwest gate of the White House, crossed a courtyard to the Eisenhower Executive Office Building, stepped through the front door and stopped dead in his tracks."

Annie's take:

Bioterrorism continues to be the one type of intentional disaster not much discussed. We have not seen many examples of it, and so we put it out of our minds. This article may open the discussion in a new way.

Ten early warning signs of fraud in organizations

"Fraud is an increasing enterprise risk but many organizations don't notice the early warning signs that a problem exists. A new checklist provides some help..."

Annie's take:

All managers should have a list such as this in front of them. So should internal auditors. This British group has covered all the key signs of insider fraud. Similar work continues to be done in this country by Dawn Cappelli and the CERT team at Carnegie Mellon.

Funding Cuts and Emergency Notification: What do We do Now?

"The emergency notification system for Tucson, AZ has been deactivated due to budget cuts according to several media sources."

Annie's take:

Here are the unfortunate results of funding cuts at the national level. The advice provided by the authors is good, but should not be necessary.

The New New CIO Role: Big Changes Ahead

"CIOs know all about change management—from jettisoning legacy apps, to prodding line of business VPs to share virtualized resources."

Annie's take:

This article was published last summer, but is complementary to one that appeared yesterday in the same publication discussing the evolving role of the Chief Information Officer in turbulent business climates.

Possible study of anthrax vaccine’s effectiveness in children stirs debate

"The Obama administration is wrestling with the thorny question of whether scientists should inject healthy children with the anthrax vaccine to see whether the shots would safely protect them against a bioterrorism attack."

Annie's take:

The risks inherent in either testing the effectiveness of an anthrax vaccine now, or waiting to test it on children until an actual anthrax attack occurs, appear to be rather equally fraught with peril. It's worth it to read this article all the way through, then formulate your response.

65% of online adults use social networking sites

"Fully 65% of adult internet users now say they use a social networking site like MySpace, Facebook or LinkedIn, up from 61% one year ago."

Annie's take:

Those who thought that use of social media sites was primarily by teens and young adults should read the full Pew report, a link to which is provided in this overview.

Training for a Plane Crash

"Smoke poured into the airplane cabin and activity came to a screeching halt. As the captain yelled "Evacuate! Evacuate!" passengers did what comes naturally: They froze."

Annie's take:

This tip is not in my new book, but maybe it should be. Taking a few moments to make an emergency plan once you seat yourself on an airplane is a great idea. Just like plans help in other parts of life, the statistics here show that planning works.

Activation Triggers--how do you decide when to start communicating?

"I was reminded of this question today by a PIO for a fire and rescue department. It comes up in all the plans I work on. The problem is this: how do you know when to pull the trigger? When to say full frog alert, all hands on deck?"

Annie's take:

This is one of the toughest questions in the business.
Global Data Protection and Privacy Legislation and Regulation in the Digital World: Key Issues and a Vision

"The world is fast moving to a time where instead of using the internet we will be living within it, as part of many interconnected networks designed to perform certain processes based upon certain events occurring or not: humans and devices (things) working together seamlessly to operate their car safely, the devices taking over when human actions are missing, such as applying the brakes when approaching the car ahead that has stopped or slowed and the human has not acted; or devices working together in a network to keep, for example, a steady convoy of traffic moving on a highway without human action."

Annie's take:

A terrific interview on the major issues surrounding data protection and privacy. Nymity continues to set the standard for thought leadership around privacy and data.

Breaking the Cycle of Preparing for the Last Disaster

"William Jenkins, director of Homeland Security and Justice for the U.S. Government Accountability Office, provided insight into the office’s role with emergency management and recommendations for emergency managers seeking to establish measurements for their agencies during a question-and-answer session with Emergency Management magazine."

Annie's take:

This is an excellent interview with the Government Accountability Office's representative to DHS, and covers a great deal more than the title might imply. His analysis of FEMA's progress is a useful addendum to the focus of ASA's October newsletter -- both the front page column that I wrote, and the research note by Andrew Hansen.

Facebook Privacy: 11 Settings to Revisit Now

"With Facebook's constant stream of changes, keeping up with your privacy settings can be daunting. Here's a rundown of the newest features, what the changes mean to your privacy and how to update your settings."

Annie's take:

It can't hurt to look at the advice here and apply it to your Facebook account, especially given all the recent changes to the program.

Business continuity and financial turmoil

"‘Eurozone at tipping point’, ‘Greece may be forced to default’, ‘Is the euro doomed?’ The headlines alone make you want to pull the covers over your head."

Annie's take:

Jim Preen's article causes those of us who ran business continuity programs for major banks in 2008 to think back, and wonder if there was something else we could have done. I think his approach here, in suggesting that business continuity staff can only deal with civil unrest that comes in the midst of certain types of financial crises, is short-sighted. If you have employees working in branches of your institution around the country -- your front line with clients and with the public, as it were -- you have a responsibility to test scenarios that offer them a means to determine how they will handle unhappy customers...and not just those outside the doors of the institution.

7 Key Skills New IT Grads Are Lacking

"Greg Taffet, the CIO of U.S. Gas & Electric Inc. in North Miami Beach, Fla., brought on four new staffers in the past six months and is looking to add 11 more to his current team of 20."

Annie's take:

Educator alert -- here's an article that underscores the need for specialized graduate curriculums, especially those dealing in information technology, to evolve to meet the needs of the workplace.

Debate Over--How are you going to use social media?

"It has been clear to me for quite some time that social media has an immense value in supporting the missions of emergency management before, during and after a disaster."

Annie's take:

Eric Holdeman wrote this short piece in mid-September, and I somehow missed posting it. He provides a very useful link to one of Kim Stephens' articles, and goes on to indicate that those who have led in the use of social media for emergency management have paved a trail that will not go away. Emergency managers need to get on board and learn these tools, integrating them into their response and recovery efforts.

Government Aims to Build a ‘Data Eye in the Sky’

"More than 60 years ago, in his “Foundation” series, the science fiction novelist Isaac Asimov invented a new science — psychohistory — that combined mathematics and psychology to predict the future."

Annie's take:

For privacy advocates, this project is a problem -- to date, efforts to filter data for public good have had a very rocky return.

Hurricane Irene: an analysis of the use of social media, crowdsourcing and crisis mapping

"A new report examines the role that social media, crowdsourcing and crisis mapping played before, during and after Hurricane Irene."

Annie's take:

Here's a report that gathers a fair amount of data and allows us to consider the usefulness of these tools from the perspective of disaster response.

White House Orders New Computer Security Rules

"The White House plans to issue an executive order on Friday to replace a flawed patchwork of computer security safeguards exposed by the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year."

Annie's take:

It will take a closer review of the new policies for handling classified information to see if we have really made some progress with classification criteria that are years old. But it is certainly a step in the right direction.

Our security paradigm is out of date

"At a recent Cloud Security event, the president of the UK & Ireland chapter of the Cloud Security Alliance (CSA UK & Ireland) said that the perception of security as a concept is out-dated."

Annie's take:

The security of third party vendors continues to be one of the largest risks that business faces.

IT Inferno: the Nine Circles of IT Hell

"Spend enough time in the tech industry, and you'll eventually find yourself in IT hell -- one not unlike the underworld described by Dante in his "Divine Comedy." "

Annie's take:

I chose this article today so that all of you who struggle daily with technology can feel a bit better about your own professional situation.

How Emergency Management Is Changing (For the Better)

"Like all professions, emergency management has evolved throughout the years to become what it is today — a defined field of work that’s paving a career path for future employees."

Annie's take:

This is a wonderful article, featuring some of our best public sector emergency management leaders -- including Seattle's own Barb Graff.

Industry-specific clouds come rolling in

"We've heard of private clouds, hybrid clouds, turnkey clouds -- now get ready for industry-specific clouds."

Annie's take:

It's taken a couple of years for large industries like the airlines and banking to adopt cloud but, with the advent of sector-specific clouds, I think we'll start to see things move more quickly.

Smartphones and enterprise security

"Smartphones are spreading throughout the business world. Their use is growing across organizations and at all levels within them."

Annie's take:

Kilpatrick offers basic security tips both to smartphone users and to those IT administrators who may not be aware that they are now hosting devices on a converged voice/data platform. More tips on smartphone security and risk management may be found in my new book when it appears in a few weeks.

What Caused Spring’s Explosion of Tornadoes?

"The statistics from this spring’s tornado damage are staggering: 535 deaths — the most since the National Weather Service began compiling official records in 1950 — and 1,588 tornadoes throughout June."

Annie's take:

Weather scientists are trying to figure out if this year's spate of tornadoes marks a new trend or just a series of coincidences. What is clear is that our ability to forecast has grown much more sophisticated, and lives were undoubtedly saved because of this level of sophistication.

September 8 Massive Power Outage Provides Important Crisis Communication Lessons

"Working with some large public utilities has made me very sensitive to the issues of communication during large scale power outages."

Annie's take:

The author points out how critical our reliance would be upon the Internet in the event of large power outages like the one in California earlier this month. But there's one scenario past that for which we should be prepared: that the Internet is also down.

In China, business travelers take extreme precautions to avoid cyber-espionage

"Packing for business in China? Bring your passport and business cards, but maybe not that laptop loaded with contacts and corporate memos."

Annie's take:

The risk of losing corporate intellectual property when traveling to China and several other countries remains very high. Read on, for examples.

GAO: FDIC Must Do More to Protect U.S. Financial Data

"The Federal Deposit Insurance Corp. (FDIC), an agency created by Congress to examine the functionality of America’s banks, must do more to safeguard the confidentiality, integrity and availability of internal financial systems and information, according to a government audit."

Annie's take:

The Government Accountability Office report shows that the FDIC has made significant progress on mitigating most of the gaps found last round. But the four significant areas left to fix need focus and attention at once.

Final National Disaster Recovery Framework published

"The final version of the US National Disaster Recovery Framework (NDRF) has been published by FEMA.

According to FEMA the NDRF ‘is a conceptual guide designed to ensure coordination and recovery planning at all levels of government before a disaster’, and it defines how FEMA will work with local and tribal governments and communities and individuals in the area of disaster recovery."

Annie's take:

Here are the definitions around recovery that we all have been waiting for. This framework document has been prepared with an enormous amount of input.

Thirteen dead or missing as typhoon makes landfall in Japan

"A powerful typhoon hit Japan’s main island on Wednesday, forcing the evacuation of more than 1.2 million from the area and causing the deaths or disappearance of at least 13 people as it began its slow path toward the northeastern part of the country."

Annie's take:

Our thoughts are with the people of Japan as they endure another severe weather impact, this time from a typhoon.

Government Shutdown Possible Over Disaster Aid

"Congress once again found itself embroiled on Tuesday in a display of brinksmanship and the threat of a government shutdown, despite the public's recoiling against such maneuvering earlier this year."

Annie's take:

It is inconceivable that disaster aid will become the straw that breaks the camel's back. Without such federal aid, states are unable to perform recovery efforts in an economy that is already weakened.

Securing Data in the Cloud

"When part of Amazon’s Elastic Compute Cloud (EC2) crashed on April 21, government agencies in the midst of moving to the cloud received a grim reminder of the need to secure critical databases and files."

Annie's take:

An excellent article, with specific pointers on how to make your data even more secure when utilizing a cloud computing platform.

Call It Your Online Driver’s License

"Who's afraid of Internet fraud?

Consumers who still pay bills via snail mail. Hospitals leery of making treatment records available online to their patients. Some state motor vehicle registries that require car owners to appear in person — or to mail back license plates — in order to transfer vehicle ownership."

Annie's take:

The Department of Commerce has been working on the National Strategy for Trusted Identities in Cyberspace this year. It's a tough struggle still, given privacy issues that persist on the Internet. The plan encourages the private-sector development and public adoption of online user authentication systems.

China Consolidates Grip on Rare Earths

"In the name of fighting pollution, China has sent the price of compact fluorescent light bulbs soaring in the United States."

Annie's take:

That China has a lock on rare earth minerals puts a real crimp in the global supply chain that manufacturers have relied upon for years.

U.S. needs to be on-guard for a big cyberattack

"A destructive attack from cyberspace "is coming, in my opinion. It is a question of time. What we don't know is how far out it is," and whether it will target commercial infrastructure, government networks or mobile platforms, Army Gen. Keith Alexander told attendees of the "Maneuvering in Cyberspace" symposium this week."

Annie's take:

Hearing this warning is nothing new, but the level of cyber-threats seems to be rising at a time when both the public and private sectors seem to be stretched thin.

Google Lets Wi-Fi Owners Opt Out of Registry

"Google defused a confrontation with European privacy regulators by announcing on Tuesday that it would give the owners of Wi-Fi routers worldwide the option of removing their devices from a registry Google uses to locate cellphone users."

Annie's take:

Here's another iteration on the security vs. privacy front -- allowing the owners of Wi-Fi routers to opt out means their access points can no longer be used as location beacons by Google's geolocation service, for good or for other purposes. Note the scope: the opt-out removes a router from that one registry; it does not stop other forms of location tracking. Google acted before European regulators forced them to this position.

WHO warns against hype related to H5N1 variant

"The evolution of a new H5N1 avian influenza virus does not increase risks to public health. This is the clear message from the World Health Organization as it attempts to play down media hype following the highlighting of the emergence of the variant by the Food and Agriculture Organization of the United Nations."

Annie's take:

This clarification by the World Health Organization is timely, and appropriate.

Ten Years Later: The Last Four 9/11 Commission Recommendations

“The life of the dead is placed in the memory of the living.” -- Marcus Tullius Cicero (106-43 BC) Writer, politician and Roman orator

“How wonderful it is that nobody need wait a single moment before starting to improve the world.”
-- Anne Frank

Annie's take:

This is my column for September's ASA newsletter. If we could move forward on the four remaining recommendations, the state of resilience in America would be enhanced.

September 11, 2001: A decade on, what business continuity and information security lessons have been learned?

"ABSTRACT: This paper describes research which investigated the impacts of September 11, 2001, on information security and looks at how effective disaster recovery and business continuity preparations to protect information systems were."

Annie's take:

This is a significant piece of work that Mr. Virgona has done. Among his key findings: that organizations frequently create plans but have no ability to implement them. Three ring binders just don't do the trick.

An Exhausting Year Of Weather Extremes

"Nature is pummeling the United States this year with extremes.

Unprecedented triple-digit heat and devastating drought. Deadly tornadoes leveling towns. Massive rivers overflowing. A billion-dollar blizzard. And now, unusual hurricane-caused flooding in Vermont."

Annie's take:

Neither Democrats nor Republicans are responsible for the weather. And FEMA is not responsible for the fact that the agency has run out of money three quarters of the way through the year. The ten-billion-dollar-plus catastrophes this year are looking more and more like the new normal.

FEMA Under Fire as Natural Disasters Pile Up

"The year so far in the U.S. has been disaster-filled: tornadoes wreaked havoc in the spring; an earthquake struck the Eastern Seaboard in late August; and Hurricane Irene left 38 dead, numerous eastern states dealing with flooding and more than 3 million people without power."

Annie's take:

The Federal Emergency Management Agency (FEMA) does not have sufficient budget to handle the ten or so one billion dollar disasters that have occurred already this year. What will it take for Congress to act on this challenge, at a time when state and local governments are already operating at a significantly reduced rate?

10 Years After 9/11: How Far Did $635 Billion Spent on Homeland Security Go?

"Since Sept. 11, 2001, the nation has spent a reported $635.9 billion on homeland security."

Annie's take:

This article makes several good points. Most of all, it points out how grants to urban areas for improved security have been cut by over 50%. FEMA's operational budget has also been impacted, as we know now after the latest rounds of natural disasters that have incapacitated the East Coast.

It's worth it to streamline the Congressional oversight and examine what the priorities should be for the world we now live in.

Is business continuity management a misnomer?

"For more than ten years business continuity management (BCM) has been on the priority list of senior managers because of events such as Y2K, the implementation of the Euro, terrorist attacks, natural disasters like hurricanes, earthquakes, floods and tsunamis, and pandemic outbreaks such as SARS, H1N1 and Mexican Flu. Additionally, in some sensitive industries such as the financial sector, regulators increasingly require banks to have effective BCM measures in place. "

Annie's take:

Continuity Central is one of the most important resources available for reading thought leaders. I published a fine piece from that forum yesterday, and here is another today. Luc Klein methodically reviews what is or is not included in the term "business continuity," and points out some inconsistencies as well. He already has one response to his article, which can also be read here.

Are we fear-mongers? Business continuity and the boy who cried wolf

"I was speaking to a colleague the other day about how she runs her business continuity tests. She stated that she often starts her tests by asking: "What do you fear the most?" This struck me as a very direct way of approaching the subject. One that all of us business continuity planners have used at one time or another. But the more I thought about it, the more I felt that it was a negative way to do things."

Annie's take:

An excellent and earnest discussion of how we can persuade executives of the value of business continuity.

Hurricane Cost Seen as Ranking Among Top Ten

"Hurricane Irene will most likely prove to be one of the 10 costliest catastrophes in the nation’s history, and analysts said that much of the damage might not be covered by insurance because it was caused not by winds but by flooding, which is excluded from many standard policies."

Annie's take:

The story highlights the little-known truth that many insurance policies don't cover damage to homes from flooding. It also highlights the far-ranging effects of Hurricane Irene on an impact area that stretches up and down the Eastern Seaboard.

After Irene, FEMA facing a disaster of its own — funding

"Now that the big hurricane is behind us — three days for Irene and six years for Katrina — the Federal Emergency Management Agency is running out of money and finds itself operating in a new political and fiscal climate that may be as treacherous as some of the disasters to which it must respond."

Annie's take:

As this article indicates, disaster relief has usually transcended political boundaries. It is absurd that FEMA will be put on the chopping block just as it has finally been configured to actually work.

East Coast Quake Highlights Need for Public Safety Wireless Network

"The earthquake that struck Virginia on Tuesday, Aug. 23, and was felt from New York City to the Carolinas, was followed by cellular network congestion — thus spurring officials to call for a national broadband network dedicated to public safety."

Annie's take:

This issue is not a new one, but both the earthquake and hurricane last week highlight the need for communication among and between emergency responders. Surely this is not a partisan issue?

Smartphones, tablets can be a port in the storm

"One item that millions will have with them in almost any situation is their smartphone. As Hurricane Irene approaches, that's important because a smartphone or tablet computer can come in handy during the storm - if you've made some advance preparations."

Annie's take:

My new book, Advice From A Risk Detective, covers some of the same ground as in this article. It's worth it to keep your devices fully charged at all times, and gas in the tank of your car as well. Stay tuned for more on this topic.

Jobs Steps Down at Apple, Saying He Can’t Meet Duties

" Steven P. Jobs, whose insistent vision that he knew what consumers wanted made Apple one of the world’s most valuable and influential companies, is stepping down as chief executive, the company announced late Wednesday."

Annie's take:

More than any other technology leader, Steve Jobs has embodied bold risk taking and breathtaking innovation. His influence will be felt for a long time.

New Control Over Privacy on Facebook

"Privacy worries have bedeviled Facebook since its early days, from the introduction of the endless scroll of data known as the news feed to, most recently, the use of facial recognition technology to identify people in photographs."

Annie's take:

Please share this article with colleagues and friends. It makes clear what Facebook is trying to accomplish with new choices that users can make when they post a photo or a status. Clearly this is a balancing act, for both Facebook and its members.

Harnessing the Power of Social Media in Times of Crisis

"When the skies dumped 20.2 inches of snow on Chicago in February 2011 — the third-largest storm in the city’s history — emergency managers rushed to their computers."

Annie's take:

More stories to illustrate the positive power of social media, especially for crisis or emergency management.

Federal Push for ‘Cloud’ Technology Faces Skepticism

"Before cost-cutting became fashionable in Washington, Vivek Kundra, the White House’s chief information officer, was working to shrink the federal government’s enormous budget for information technology."

Annie's take:

This article comes as something of a relief -- evidently departments of the federal government that have real security concerns are slower adopters of the cloud computing platform than others. We still don't have significant guidance around cloud, and if standards have been deployed no one seems to know it.

Measures for Managing Operational Resilience

"How resilient is my organization? Have our processes made us more resilient? Members of the CERT Resilient Enterprise Management (REM) team are conducting research to address these and other related questions."

Annie's take:

Here's a link to a first report on how to go about measuring operational resilience.

Latest in Web Tracking: Stealthy 'Supercookies'

"Major websites such as MSN.com and Hulu.com have been tracking people's online activities using powerful new methods that are almost impossible for computer users to detect, new research shows."

Annie's take:

It is difficult to keep track of all the gyrations around "cookies" or "supercookies" -- also difficult to know whether or not the data is still being collected by the corporations in question. There appears to be no end in sight for the data mining tools that the industry can create.

Business continuity management lessons from English public disorder incidents

"Now that last week’s troubles seem to have died down, the government has started the process of rebuilding public confidence, whilst those directly affected have begun to rebuild their lives. Few could have imagined the events that have taken place; lives lost, buildings in flames, shops looted, businesses closed and reputations in ruins."

Annie's take:

This could not have been an easy article to write. For those of us outside England, perhaps we should be asking ourselves the very same questions now, before we have to use our plans. And if we haven't conducted a drill for a while, the questions provide the framework for the drill.

Big Debate: Did social media cause London riots?

"It's all in the perspective, isn't it? Social media was widely discussed as a major tool in assisting the pro-democracy forces in Tunisia, Eqypt, Jordan, Syria and other Arab countries to rise up and fight for freedom."

Annie's take:

This is a pretty short piece and by no means does it cover all possible perspectives. I plan to write more on this topic myself. There are many aspects to social media but at the heart of the discussion should be the distinction between the tool and the use of the tool.

Industry Tries to Streamline Privacy Policies for Mobile Users

"For many Internet users, online privacy policies are long and difficult to read. Transfer those same policies to a mobile device, where users can find themselves clicking through multiple screens often with tiny type, and the policies can become almost useless to the average consumer."

Annie's take:

Raise your hand if you simply click through to the "accept" screen on your mobile device rather than read all the fine print.

Google’s social network gets more serious about Facebook rivalry as it adds games to mix

"Internet search leader Google Inc. is bringing a little more gamesmanship to its duel with Facebook.

Just like they have been doing for years on Facebook’s website, Web surfers will now be able to play games with their friends and family on Google’s blossoming social networking service. "

Annie's take:

Like many millions of others, I did set up a Google+ account and invite some of my friends. I have not had time to spend on the site, to play games or to increase my network. When I do have free time for social media, I still spend it on Facebook or Twitter. How about you?

For the Plugged-In, Too Many Choices

"When Jessica H. Lawrence left her job with the Girl Scouts of San Gorgonio Council in Redlands, Calif., to pursue a new life in New York City, she arrived in late January without a job, an apartment or someone to keep her warm through the winter nights."

Annie's take:

Those looking for better control over the time they spend on social media sites might want to read this article, which includes descriptions of some social media tools I'd not yet heard about.

On Its Own, Europe Backs Web Privacy Fights

"All 90 people wanted information deleted from the Web."

Annie's take:

An extremely interesting concept -- that people have a right to be "forgotten" rather than data mined on the Internet -- is at the heart of the discussion on European privacy. This is the complete opposite of how things work in this country.

The London 2012 Olympic Games: how businesses are planning to manage the impacts

"With only a year to go until the opening ceremony of the London 2012 Games, PwC has surveyed over 500 UK businesses on their attitudes towards the Games and the expected impact that it will have upon their operations."

Annie's take:

This new study by PriceWaterhouseCoopers of 500 London businesses indicates that the private sector is planning ahead of the 2012 Olympics. Parts of London are still burning this morning, so perhaps some of these plans will be put to the test sooner than expected.

Emergency Preparedness Homework

"The expediency of knowledge is found in successful emergency preparedness.  But extrapolating the most relevant information to obtain knowledge and create intelligence is an insurmountable task in today’s information-saturated world."  

Annie's take:

Neuwirth's article points to three excellent articles on weapons of mass destruction and extremists. The more of us who are sharing what he calls "good readings" with one another, the more informed we will each be.

Business continuity and brand protection

"According to the April 2011 SunGard Availability Services Business Continuity Software International User Group Forum Survey conducted by SunGard Availability Services, 74 percent of respondents selected ‘protection of reputation and brand’ as one of the main reasons for having a business continuity plan."

Annie's take:

Brand and reputation shouldn't be underestimated when making a business continuity plan. ASA has written on this topic earlier, and this survey simply backs up, from another perspective, the points that we have been making.

Essential Gadgets for the Road Warrior

"These mobile tools will help you stay at the top of your game, no matter where you find yourself. "

Annie's take:

This slide show of 12 technology travel tools may be more interesting to me than to you, because I am deep in writing the last chapter of my forthcoming book. But anyone who has a yen for utility and good design will appreciate the slide show. I especially like the dongle that allows you to track either your keyring or your smartphone.

Obama administration to announce broad strategy Wednesday to combat violent extremism

"Local communities around the country are best suited to take on the challenge of combatting the kind of violent extremism that inspires people to kill, the Obama administration concludes in a new national plan to fight the threat of al-Qaida and other violent radicals at home. "

Annie's take:

Based upon recent examples in this country and (for instance) in Norway, the risk we all face of unexpected and violent extremism presenting itself without warning in our communities deserves more than a vague statement of direction. We have tended to think that "extremism" means "Islamic radical," but we surely know by now that there are home grown American forms of extremism that do not fit that pigeonhole.

Why Emergency Managers Should Use Social Media

"Many emergency managers are avoiding using social media for all the wrong reasons."

Annie's take:

Ms. Pittman makes good points here, and the video underscores her points. There seems still to be a reluctance to use social media tools, a kind of disbelief that people actually expect to get information through Twitter and Facebook. The numbers support the conclusion: get on the bandwagon now, start messaging when there is no disaster so that people know to look for you when something goes wrong.

Mass Notification Layers Fail to Reach the Classroom

"The two to six hours college students spend inside classrooms creates a sizeable gap in mass notification system coverage for most colleges and universities."

Annie's take:

I don't know how I missed this story when it was published in early July. It points to two issues: how few college students sign up for mass emergency alerts; and how the culture and tradition of the classroom means that the teacher asks for the full attention of the students, which is to say asks them to turn off their mobile devices.

All Things Digital Conference

"The ninth annual D: All Things Digital Conference was packed with insight, innovation and, most of all, optimism and excitement."

Annie's take:

Innovation is not dead, at least not from the accounts of this conference. Read on for coverage of specific discussions.

Cloud security fears exaggerated, says federal CIO

"The U.S. Department of Homeland Security (DHS) is not afraid of the public cloud."

Annie's take:

Hopefully these comments were not just putting on a happy face for Congress. There is still a ways to go to enact standards around cloud, including for its largest customer, the federal government.

Holistic Approach Is Needed for Disaster Resiliency, Economic Sustainability and Public Safety

"For all concerned with disaster resiliency, economic sustainability and public safety, the first half of 2011 was momentous."

Annie's take:

This report on a recent gathering of officials confirms in detail what we already know: our disciplines need to converge and we need to operate as a whole rather than as special interests.

Norway's Horror

"We share the grief and pain of Norwegians and mourn the 76 people killed in Anders Behring Breivik’s rampage."

Annie's take:

Editorials don't often end up as part of ASA's Risk News, but here the point is exactly to think carefully about the risks of intolerance and fanaticism. Certainly Europe has higher levels of these risks right now than we do in this country, but we may not be far behind.

The mobile security conundrum

"Whilst the range and variety of IT security defences for portable computers - that's netbooks and laptops to most people - is excellent, and able to cater for all budgets and types of user, it should be apparent to any security observer that the same cannot be said for smartphones and tablet computers."

Annie's take:

As more of us carry tablet and smartphone devices, we need to be educated on data protection strategies, especially if we are performing data transactions on the devices. This article outlines equally the challenges for IT management in educating employees who might be doing business on the devices.

Business Uninterrupted

"When disasters, downtime, and other major disruptions regularly find their way into an enterprise, business as usual can become simply unusual."

Annie's take:

This month's PC World includes several articles on business continuity or disaster recovery -- including this one, in which I am quoted. I'm very pleased with the way this article turned out.

Split Within Nuclear Regulatory Agency

"A majority of the five-member Nuclear Regulatory Commission is signaling that it wants to move slowly on at least some new recommendations from its staff on how to reduce the chance of a Fukushima-type accident at an American reactor despite calls by its chairman for swift action."

Annie's take:

Unfortunately every recommendation from the public sector, including the Nuclear Regulatory Commission, now seems to get bogged down in political wrangling, with muscle applied from the private sector manufacturing interests at stake. This topic is complicated, but we can do better than this.

16 Arrested as F.B.I. Hits the Hacking Group Anonymous

"In the most visible law enforcement response to a recent spate of online attacks, the Federal Bureau of Investigation on Tuesday announced the arrests of 16 people across the country in connection with strikes carried out by a loose, secretive federation of hackers called Anonymous."

Annie's take:

Kudos to the FBI, an agency that has sharpened its analytical abilities in the area of cyberthreats and increased dramatically its partnerships with the private sector.

Motivating people to become prepared for disasters

"Quoting from an email sent by Kate Long, Earthquake and Tsunami Program Deputy at California Emergency Management Agency,

"As part of the Community Resiliency Track at the UASI conference last month, Chris Nance of the California Earthquake Authority, Kristin Hogan of the City/County of San Francisco and I presented new research on the use of “Value-Based Messaging”  to encourage public behavior change around earthquake preparedness and mitigation.  Although this research specifically targeted earthquake, it is germane to public uptake of any disaster preparedness actions.""

Annie's take:

In this column, Eric extracts points from a presentation made in California on how to motivate people to prepare for disasters. I think the point that fear is never a good motivator is a good one. Right next to fear, you usually find resentment. In the book I'm writing, my approach is to suggest that people should take reasonable precautions in their lives, and that preparedness to live off the grid is a reasonable precaution.

Seeing Promise and Peril in Digital Records

"Technical standards may seem arcane, but they are often powerful tools of economic development and social welfare. They can be essential building blocks for innovation and new industries. The basic software standards for the Web are striking proof."

Annie's take:

The health care lobby is second only to the financial services lobby in Washington DC. It's clear that medical software companies, who have a great deal at stake with the software development already done, would prefer that the government not write any further standards around digital records. But can the private sector really come to a consistent level of access and reporting without another standard?

Branding for value in business continuity program development

"“Help make us recoverable.” “We need to be compliant to standards.” “Develop a program.” These are just a few of the familiar requests when starting to build a program."

Annie's take:

For those business continuity program leaders who wonder why there is not more understanding of and perceived value attached to their efforts, this is a good article to read on the strategy and merits of branding.

Interoperability is more than just radios

"Public safety agencies are using more technology and more technological devices today than ever before."

Annie's take:

Eric Holdeman once again outlines the case for allocating spectrum to emergency responders, and in fact links to a recent NPR story. Congress seems to be too busy posturing to get anything done right now. One wonders what it will take to get this legislation moving.

Hacktivism and the lessons learned from LulzSec

"The recent hacking spree by LulzSec has helped make hacktivism a household term. Although hacktivism is nothing new, it has undergone a rapid evolution that is driven and inspired by criminal, for-profit hacking."

Annie's take:

The recommendations made by these two highly respected experts should be taken seriously.

New Tool for Emergency Messaging: Digital Billboards

"After deadly tornadoes and storms hit multiple states in late April, governments activated digital billboards to communicate with the public."

Annie's take:

For all the difficulties with budget cutbacks, here's an option for messaging in emergencies and disasters that appears to be working.

Japan Rolls Out Stress Test Program for Nuclear Plants

"The Japanese government will launch a two-stage safety review of the nation's nuclear plants in an attempt to end the confusion that ensued after Prime Minister Naoto Kan said last week that he would order "stress tests" before allowing currently idled plants to restart."

Annie's take:

It's good to see the Japanese government moving forward on the nuclear issue, but they are truly in uncharted waters. There is opportunity here to think outside the box, and establish some best practices that can be used in other parts of the world.

To Slow Piracy, Internet Providers Ready Penalties

"Americans who illegally download songs and movies may soon be in for a surprise: They will be warned to stop, and if they don’t, they could find their Internet access slowing to a crawl."

Annie's take:

This surely has to be one of the most appropriate consequences ever worked out for illegal activity. What could be worse than your Internet access slowing to a crawl?

Apple Plans Fix for iPhone Flaw

"Apple Inc. said Thursday it is working to resolve a security hole in its iPhone and other mobile products that German authorities warned could allow cyber criminals to access confidential information or intercept phone conversations. "

Annie's take:

Until Apple ships the fix for this security hole, opening a PDF from an untrusted source on an iPhone should be treated as a high-risk action; a malicious file is all it takes.

5 online safety tips for grads

It’s graduation season, so whether you’re graduating or your child is, here are some safety tips for what’s ahead.

Annie's take:

You don't even have to be a college student with a new degree to take these tips to heart. They are basic, and useful for everyone.

Feds Begin Sharing Secret Cyber-Threat Data With Private Companies

A new pilot program in the federal government would allow the departments of Defense and Homeland Security to share classified information with defense contractors and Internet service providers to strengthen private-sector security capabilities.

Annie's take:

If the threat information being shared is actionable, then this is a very big step forward. We have already seen the FBI working with the private sector on cyber issues. This effort broadens the level of cooperation.

Enough is enough...

"Recently Continuity Central highlighted a report from the Australian National Audit Office which found that over 25 percent of 26 critical Australian government agencies did not test business continuity plans as part of normal business practice."

Annie's take:

There is a world of difference between a good business continuity plan and a plan that has never been tested.