Technology is a giant juggernaut amoeba growing and evolving at an exponential and unstoppable rate. Trying to keep up with just everyday tech can be overwhelming. What iPhone number are we on now? And what exactly is a ChromeBook, anyway? Keeping up with the Joneses is one thing; staying up to date with and ahead of cyber attacks is a monster all its own. It seems like every week another company makes national headlines for falling victim to a cyber attack. Yours doesn’t have to be one of them.
Stay Proactive
Cybercriminals are always learning, adapting, and evolving new ways of cracking cybersecurity. Staying proactive with your approach to cybersecurity is the first step towards getting ahead of potential cyber attacks. Fortunately, Cognoscape can help you take an active approach to security. We can help you create a Technology Roadmap to plan for the future and stay ahead of whatever those pesky hackers think of next. We can help train you and your employees on how you can strengthen your daily workflow and what precautions you can be taking with each email and keystroke.
Use the Buddy System
If the Joker stepped into your server room and started tinkering around, you wouldn’t go in there alone. You would light up the bat-signal to call Batman. Don’t face cyber attacks alone. Buddy up with a Cognoscape consultant. Our consultants have years of experience staying up to date and ahead of the technology driving cyber attacks. You will be able to focus on the core of your business, while we race ahead of the latest cybercriminal technology to protect your company’s most precious digital assets. Your consultant will be there by your side to help create a custom strategy on how to best fend off and recover from whatever comes your way.
Don’t risk your company’s future by tackling your network security alone. Contact us today to start putting together your Technology Roadmap.
Staying Ahead of Cyber Attacks (Cognoscape blog post, published 2016-08-04)
Technology has advanced thanks to the hard work and innovation of many people over several decades throughout history. Although information technology – the application of any computers and software to process, store, retrieve, and transmit electronic data – is a major part of our lives today, there was a simpler time before the revolutionary spark of digitization. Few predicted how significant information technology and IT security would become in our lives and the way we conduct business. Here is an overview of the development of IT security throughout history.
1970s
The 1970s marked a time in information technology history that saw an emergence in the exploration of microcomputers. At this time, Steve Jobs and Steve Wozniak – pioneers of the personal computer revolution – met and eventually collaborated on what would become Apple computers. The first modern-day hackers also appeared during this time and invented a way to circumvent phone systems to make free calls – a practice that later became known as “phreaking.” It was this decade that witnessed the convergence of technology and commerce. Computers, video games, cars, and space exploration are only a few of the many technologies which developed and improved tremendously within these ten years.
1980s
There are a surprising number of tech gadgets from the 80s that define life as we know it today. The first IBM personal computer, called “Acorn,” was introduced using Microsoft’s MS-DOS operating system. Sears & Roebuck and Computerland sold the machines, and this was when the term PC was popularized.
Apple invented “Lisa,” the first personal computer to offer a GUI (graphical user interface), with features like a drop-down menu and icons in a machine aimed at individual business users. In 1985, Microsoft announced Windows in response to Apple’s GUI. This decade subsequently brought about the era of malware, with the first computer virus for MS-DOS, called “Brain.”
1990s
Mosaic, the web browser credited with popularizing the World Wide Web, was released. By allowing users with little to no technical expertise to browse the online realm, it fueled a period of massive growth of the Internet as well as of the community of online users. The 1990s also brought the dawn of the modern IT security industry. AOL suffered through the first real phishing attacks as hackers began stealing users’ credentials. Tim Berners-Lee, a researcher at a high-energy physics lab in Geneva, invented HyperText Markup Language (HTML) – giving rise to the World Wide Web.
In 1997, Microsoft invested $150 million in Apple – which was struggling at the time – ending Apple’s court case against Microsoft in which it alleged that Microsoft copied the “look and feel” of its operating system.
The 2000s and Beyond
The 21st Century saw a swarm of new computer viruses, such as ILOVEYOU, spread fervently across the Internet, taking advantage of security holes in software made by Microsoft and other major tech companies. Adware and spyware entered the scene with programs such as Conducent and CometCursor. In 2003, the amount of data created surpassed the amount of all information created in the rest of human history combined. The Internet became so central to commerce that opportunities for hackers grew exponentially.
In 2010, a group of the nation’s top scientists concluded in a report to the Pentagon that “the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well.” In 2015, Apple released the Apple Watch while Microsoft released Windows 10.
IT Security and its Evolution (Cognoscape blog post, published 2016-03-03)
Compliance with the standards set by the Payment Card Industry (PCI) Security Standards Council can be cumbersome and flat out difficult. And the punishment for non-compliance can be stiff penalties and fines – or even worse, non-compliance could allow a hacker or data thief to get into your company’s systems and steal critical data from you or your customers. To avoid these unsavory outcomes, it is best to make sure that your business gets PCI compliant and maintains that compliance status. It is critical that you know whether your company is PCI compliant so that you can keep your business protected from fines and hackers alike. Here are some of the ways that you can tell if your business is not compliant. If any of these signs describe your business, then it is time to make a change and get back into compliance.
You Store Cardholder Data
Storing cardholder data means that you have highly sensitive information that can be stolen on your systems. To maintain PCI compliance, you should not save or store any cardholder data, whether in digital or written form. To avoid storing cardholder data, you can use a card reader, POS terminal, or a payment processor that doesn’t retain that information. That way, you don’t have to think about protecting or encrypting that data on your systems.
You Don’t Have A Separate Network For Payment Processing
PCI compliance can put extra pressure and security measures on your network. That’s why it is a good idea to have a separate network from your regular business connection, used just for payment processing. This is especially relevant if you are using IP-based credit card terminals.
You Don’t Automatically Log Customers Out
When your customers log in and make a purchase, they might be doing so on a public computer or at a public kiosk. When they leave that computer, they might forget to log out, allowing another person to stumble upon their open session and make unauthorized purchases. Make sure that you avoid these kinds of scenarios by automatically logging your users out of their sessions after a set period. If, for example, users are automatically logged out after five minutes of being idle, you have a significantly higher chance of stopping unauthorized purchases.
Your Employees Don’t Have Unique Login Information
To be PCI compliant, all of your employees need to have their own unique login information for sensitive systems. That way, if there is an issue, you know which employee was responsible.
4 Signs that You’re Out of PCI Compliance (Cognoscape blog post, published 2016-02-04)
More cyber criminals are targeting small-to-medium sized businesses. One reason for this is too many workplaces have insufficient bring-your-own-device (BYOD) policies in place. Some have none at all. Although firms are generally more knowledgeable about network security risks than in years past, they still woefully underestimate the security vulnerabilities linked to mobile devices like smartphones and tablets.
This is a real cause for concern since data breaches have the ability to put many already financially challenged SMBs out of business.
If customer/client data has been breached, there could be potential litigation costs, and naturally, lost goodwill and an irreparable hit to brand or company reputation.
Don’t Just Say You’re Worried About the Bad Guys… Deal With Them
SMBs say they view network security as a major priority but their inaction when it comes to mobile devices paints a different picture. An April 2013 study found that only 16% of SMBs have a mobility policy in place.
Despite the fact that stolen devices are a major problem in today’s mobile workforce, only 37% of mobility policies enforced today have a clear protocol outlined for lost devices. Even more troubling is the fact that those firms who have implemented mobility policies have initiated plans with some very obvious flaws.
Key components of a mobility policy such as personal device use, public Wi-Fi accessibility, and data transmission and storage are often omitted from many policies.
Thankfully, most SMB cybercrimes can be avoided with a comprehensive mobility policy and the help of mobile device management (MDM) services.
A Mobility Policy Is All About Acceptable/Unacceptable Behaviors
Your initial mobility policy doesn’t have to be all encompassing. There should be room for modifications, as things will evolve over time. Start small by laying some basic usage ground rules, defining acceptable devices and protocols for setting passwords for devices and downloading third-party apps. Define what data belongs to the company and how it’s to be edited, saved, and shared. Be sure to enforce these policies and detail the repercussions for abuse.
Features of Mobile Device Management Services
MDM services are available at an affordable cost. These services help IT managers identify and monitor the mobile devices accessing their network. This centralized management makes it easier to get each device configured for business access to securely share and update documents and content. MDM services proactively secure mobile devices by:
Specifying password policy and enforcing encryption settings
Detecting and restricting tampered devices
Remotely locating, locking, and wiping out lost or stolen devices
Removing corporate data from any system while leaving personal data intact
Enabling real time diagnosis/resolution of device, user, or app issues
It’s important to realize that no one is immune to cybercrime. The ability to identify and combat imminent threats is critical and SMBs must be proactive in implementing solid practices that accomplish just that.
Why SMBs Must Proactively Address the Threat of Mobile Hacks (Cognoscape blog post, published 2014-09-10)
Not too long ago, the New York Times’ website experienced a well-publicized attack, which raises the question – how can this happen to such a world-renowned corporation? If this can happen to the New York Times, what does this bode for the security of a small company’s website? What’s to stop someone from sending visitors of your site to an adult site or something equally offensive?
The short answer to that question is nothing. In the New York Times’ attack, the attackers changed the newspapers’ Domain Name System (DNS) records to send visitors to a Syrian website. The same type of thing can very well happen to your business website. For a clearer perspective, let’s get into the specifics of the attack and explain what DNS is.
The perpetrators of the New York Times’ attack targeted the site’s Internet DNS records. To better understand this, know that computers communicate in numbers, whereas we speak in letters. In order for us to have an easy-to-remember destination like nytimes.com, that name must be resolved to the site’s numeric IP address through DNS; whoever controls the DNS records controls where the name points.
Therefore, no matter how big or small a company’s online presence is, every website is vulnerable to the same DNS hacking as the New York Times’ site. The good news is that the websites of smaller companies or organizations fly under the radar and are rarely targeted. Larger targets like the New York Times, or LinkedIn, which was recently redirected to a domain sales page, are more likely targets.
For now, there is no reason to panic and prioritize securing DNS over other things. But there is a belief that DNS vulnerability will be something cybercriminals pick on more often down the road. Here are a few ways to stay safe:
Select a Registrar with a Solid Reputation for Security
Chances are, you purchased your domain name through a reputable registrar like GoDaddy, Bluehost, 1&1, or Dreamhost. Obviously, you need to create a strong password for when you log into the registrar to manage your site’s files. Nonetheless, recent DNS attacks are concerning because they’re far more than the average password hack.
It was actually the security of the registrars themselves that was compromised in recent attacks. The attackers were basically able to change any DNS record in that registrar’s directory. What’s particularly frightening is the registrars attacked had solid reputations. The New York Times, along with sites like Twitter and the Huffington Post, is registered with Melbourne IT. LinkedIn, Craigslist and US Airways are registered with Network Solutions. Both had been believed to be secure.
So what else can be done?
Set Up a Registry Lock & Inquire About Other Optional Security
A registry lock makes it difficult for anyone to make even the most mundane changes to your registrar account without manual intervention by registrar staff. This likely comes at an additional cost, and not every domain registrar has it available.
Ask your registrar about registry locking and other additional security measures like two-factor authentication, which requires another verifying factor in addition to your login and password, or IP-address-dependent logins, which limit access to your account from anywhere outside of one particular IP address.
While adding any of these extra safeguards will limit your ability to make easy account changes or access your files from remote locations, it may be a worthwhile price to pay.
CLICK HERE for a free network assessment and avoid cybercrime with Cognoscape.
Just Because You’re Not a Big Target, Doesn’t Mean You’re Safe (Cognoscape blog post, published 2014-09-08)
Despite new HIPAA Business Associate Agreement (BAA) regulations going into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.
Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.
If the data is encrypted and cannot be read, or if they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.
Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.
File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.
This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be compliant, since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.
Why it's Time to Move on if Your Cloud Provider Won't Sign a HIPAA BAA (Cognoscape blog post, published 2014-09-05)
In 2013, major companies like Google, Amazon, and Microsoft experienced outages. Not only were these big name outages disruptive to users, but they also made headlines and proved to be costly to each brand. Google’s hiccup footed an estimated bill of $500,000 while Amazon’s 30-40 minute blackout contributed to roughly $3 million in losses.
2013 was also the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associate (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.
But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.
Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are two helpful steps:
Risk Assessments Are Absolutely Necessary
While risk assessments are critical to protecting patient health information, a 2012 audit conducted by the Office for Civil Rights revealed that many healthcare entities and contracted service providers fail to perform them. These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, floods, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.
Proactively Monitor for Cybercrime
It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through an MSP can help scan, pinpoint, and remediate such attacks.
Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the maximum duration of time within which your service level must be restored to avoid dire consequences. Your RPO is the maximum acceptable age of the backed-up data you restore from in order to resume normal operations, that is, how much recent data you can afford to lose. An MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.
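As an added illustration (not Cognoscape’s tooling and not code from the original post), the Python sketch below shows what such alerting looks like over a handful of constructed log lines: it flags bursts of failed logins (forced entry attempts), per-source traffic spikes, and requests to paths outside a hypothetical application’s known endpoints (unusual application requests). The log format, IP addresses, paths and thresholds are all assumptions made for the example.

```python
"""Illustrative anomaly alerting over constructed log lines (added example,
not Cognoscape tooling). Three anomaly classes from the post are covered:
forced-entry attempts (failed-login bursts), suspicious traffic spikes, and
unusual application requests (paths outside the known endpoints)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", ["kind", "source", "detail"])

# Assumed (simplified) line shape:
# "<ISO timestamp> <source IP> <HTTP method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Paths the hypothetical application is known to serve; anything else is unusual.
KNOWN_PATH_PREFIXES = ("/login", "/logout", "/patients/", "/schedule")

# Constructed sample: normal use, a login-guessing burst that finally succeeds,
# an unexpected admin export, a malformed line, and a 40-request burst in one minute.
SAMPLE_LOG = "\n".join(
    [
        "2024-01-15T09:00:01 10.0.0.5 GET /patients/123 200",
        "2024-01-15T09:00:03 10.0.0.5 GET /schedule 200",
    ]
    + [f"2024-01-15T09:00:{10 + 2 * i:02d} 198.51.100.7 POST /login 401" for i in range(6)]
    + [
        "2024-01-15T09:00:25 198.51.100.7 POST /login 200",
        "2024-01-15T09:01:02 10.0.0.9 GET /admin/export_all 200",
        "not a log line at all",
    ]
    + [f"2024-01-15T09:02:{i:02d} 203.0.113.4 GET /schedule 200" for i in range(40)]
)


def parse(text):
    """Parse log text into event dicts, skipping malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Forced-entry attempts: `threshold` or more 401s on /login from one source
    inside `window`. A later successful login from the same source is noted,
    since it suggests the guessing worked and the account should be reviewed."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["path"] != "/login":
            continue
        if e["status"] == 401:
            fails[e["src"]].append(e["ts"])
        elif e["status"] == 200:
            successes[e["src"]].append(e["ts"])
    alerts = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                detail = f"{end - start + 1} failed logins within {window}"
                if any(s > t for s in successes.get(src, [])):
                    detail += "; successful login afterwards"
                alerts.append(Alert("failed_login_burst", src, detail))
                break
    return alerts


def traffic_spikes(events, max_per_minute=30):
    """Suspicious spike: more than `max_per_minute` requests from one source in one minute."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["ts"].replace(second=0, microsecond=0))] += 1
    return [
        Alert("traffic_spike", src, f"{n} requests at {minute:%H:%M}")
        for (src, minute), n in counts.items()
        if n > max_per_minute
    ]


def unusual_requests(events, known=KNOWN_PATH_PREFIXES):
    """Unusual application request: a path outside the application's known endpoints."""
    return [
        Alert("unusual_request", e["src"], f"{e['method']} {e['path']}")
        for e in events
        if not e["path"].startswith(known)
    ]


def detect(text):
    """Run all three detectors over raw log text and return the alerts."""
    events = parse(text)
    return failed_login_bursts(events) + traffic_spikes(events) + unusual_requests(events)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.kind}] {a.source}: {a.detail}")
```

In practice the thresholds would be tuned against the baseline of your own environment, and the alerts would feed a ticket or SIEM rather than stdout.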
Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.
2 Steps to Ensure Healthcare Data Availability in the Cloud (Cognoscape blog post, published 2014-09-01)
TO STAY SECURE – A GOOD DEFENSE IS THE BEST OFFENSE
SMBs must understand that the time has come to get serious with their security. Sadly, many small businesses have a false sense of security. In the McAfee/Office Depot joint survey of 1000 SMBs, over 66% were confident in the security of their data and devices despite admitting to obvious flaws.
Cybercrime is only one cause of compromised data. There are three primary causes of breached security at businesses according to the June 2013 Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors.
Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMBs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on an SMB’s budget. Here are a few steps to improving data and network security.
STEP 1
KNOW ALL DEVICES CONNECTING TO YOUR NETWORK
Keep a frequently updated list of every device that connects to your network. This inventory is especially important given today’s BYOD (Bring-Your-Own-Device) workplace where employees can access your network through several different devices. Knowing what these devices are and ensuring they’re all configured properly will optimize network security.
All it takes is a regularly scheduled review to add or remove any devices and affirm that every endpoint is secure. Much of this process can be inexpensively automated through a Mobile Device Management (MDM) tool. An MDM tool will approve or quarantine any new device accessing the network, enforce encryption settings if sensitive information is stored on such a device, and remotely locate, lock, and wipe company data from lost or stolen devices.
STEP 2
EDUCATE & TRAIN EMPLOYEES
Every employee should participate in regular general awareness security training. This will not only reduce security breaches directly tied to employee error or negligence but also train employees to be on the defense against cybercrime. Employees are critical to your security success and the prevention of data breaches. Hackers commonly break into networks by taking advantage of unknowing employees. Phishing attacks – legitimate looking emails specifically crafted to mislead recipients into clicking a malicious link where they’re asked to provide their username and password – are still successfully used by hackers to capture login credentials.
If a large company makes the news for a data breach tied to an infected email, be sure to share that news with employees with a warning. Come up with fun ways to teach employees how to identify spear-phishing email attempts and better secure their systems and devices.
It is also important to have a security policy written for employees that clearly identifies the best practices for internal and remote workers. For example, password security is critical and passwords should be frequently updated to a combination of numbers, lower case letters and special characters that cannot be easily guessed. Security policy training should be integrated into any new employee orientation. This policy should be updated periodically. More important than anything, this security policy must be enforced to be effective.
STEP 3
PERFORM AN AUDIT OF SENSITIVE BUSINESS INFORMATION
If you want to keep your most sensitive business information secure, it’s important to know exactly where it’s stored. A detailed quarterly audit is recommended.
STEP 4
USE CLOUD AND MANAGED SERVICE PROVIDERS
Overall, the cloud is likely a more secure data solution for small business. Any conception that the cloud isn’t safe is outdated. Most of 2013’s security breaches were the result of lost or stolen devices, printed documents falling into the wrong hands, and employee errors leading to unintended disclosures. It’s fair to speculate that many of these breaches wouldn’t have occurred had this information been stored in the cloud rather than computers, laptops, and vulnerable servers.
SMBs with limited budgets are actually enhancing their security by moving to the cloud. Since there is no way an SMB can match a large enterprise’s internal services, moving services like email, backups, and collaborative file sharing to the cloud not only reduces total cost of ownership, but gives access to top-level security to better defend against internal and external threats.
Meanwhile, a Managed Service Provider (MSP) can assume responsibility for security measures like the administering of complex security devices, technical controls like firewalls, patching, antivirus software updates, intrusion-detection and log analysis systems.
MSPs are also capable of generating a branded risk report for any potential client or business partner reviewing your security measures. This third party manual assessment of your network security can instill confidence in prospective business partners by proving to them that any possible security risks or vulnerabilities will be properly managed and addressed.
4 Steps To Improve SMB Data And Network Security (Cognoscape blog post, published 2014-08-11)
Many SMB owners think IT downtime only costs them a few productive hours, but there’s a lot more at stake when your systems go down. Customer satisfaction and loss of brand integrity are just two of the key losses apart from the more evident costs such as lost productivity and a temporary dip in sales.
Here’s a few other ways downtime can hurt your business:
1. Customer Loss – Today’s buyer lacks patience; they are used to getting everything at the click of a mouse or the tap of a finger. Suppose they are looking for the kind of products/services that you offer and your site doesn’t load or is unavailable, even if only temporarily: you are likely to lose them to a competitor, permanently.
2. Damage to Brand Reputation – Customers are now using social media platforms like Facebook and Twitter and blogs to vent their bad brand experiences. Imagine an irate customer who doesn’t know whether their card was charged on your site or not, due to a server error. If it’s your bad day, they could well be using Facebook or Twitter to share their bad experience, and it could be viewed by hundreds of people, causing irreparable harm to your brand image.
3. Loss of Productivity – When your systems don’t work, this can have a direct impact on your employees’ productivity. Consider a research firm of 200 employees where they primarily rely on internet connectivity to access the knowledge base. If the server hosting the knowledge base is down, there’s a total loss of at least 1600 work hours for one day.
4. Overtime, Repair and Recovery, Compensatory Costs – In the above case, imagine the overtime wages the business would have to incur if it were to make up for the work lost owing to downtime. In addition, there’s always the cost of repair: the money the business would have to shell out to fix the issue that caused the downtime and get the server up and running again. In some cases, businesses would have to incur additional costs to make customers happy. These could include giving away the product for free or at a discount, or using priority shipping to make up for a delayed order.
5. Possible Lawsuits – Businesses could also be at the receiving end of lawsuits. For example, a downtime that has an impact on production, delivery or finances of the customer could invite litigation.
6. Marketing Efforts Rendered Useless – Consider a pay-per-click advertisement that shows up for the right keywords on Google, or an extensive e-mail campaign that your business engages in. However, when the prospect clicks on the link, all they see is an error message – Isn’t that a waste of your marketing budget?
The bottom line: one natural disaster, one technical snag or just one power outage has the power to put you out of business, both virtually and in reality. It’s probably time to think about how you can mitigate the threat of possible downtime and whether your MSP can act as an effective and efficient ally in this battle for you.
Don’t let downtime cost you your business. CLICK HERE for a free network assessment.
How Much Does Downtime Really Cost? (Cognoscape blog post, published 2014-08-01)
U.S. regulators have recommended that all futures and securities firms review and update their current data backup, disaster recovery, and business continuity solutions. Prompted by closures in the equities and options markets in the aftermath of Hurricane Sandy, regulators including the SEC, FINRA, and the CFTC contacted firms to assess the impact Hurricane Sandy had on their operations. The regulators asked each firm for specifics regarding any backup and disaster recovery (BDR) and business continuity plan (BCP) they had in place prior to Hurricane Sandy. The responses they gathered were compiled to develop a list of best practices and lessons learned.
The regulators have since gone on to suggest that all firms refer to these best practices and lessons as part of reviewing and improving upon their current BDR and BCP procedures. By doing this, the regulators hope that firms will be better prepared for similar events. Regulators feel that a comprehensive BDR and business continuity strategy will help firms improve responsiveness and minimize downtime.
Managed Service Providers (MSPs) have always stressed the importance of the BDR and BCP solutions they offer to small-to-medium-sized businesses. That said, it doesn’t hurt to see what government regulators recommend to those handling our money. We’ve summarized portions of the full report, addressing only the parts that we feel can easily be applied to SMBs. The full report can be read at http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.
Widespread Disruption Considerations
True business continuity plans go beyond technology. What is the probability of a widespread lack of telecommunications during a disaster? We’re talking no Internet and no cell phone coverage. Large-scale events can knock out power and limit our access to drinkable water and food supplies. Getting around may be complicated. Roadways might be inaccessible and fuel may be scarce. Part of being prepared for the unknown is to assess how any plausible scenario would impact day-to-day operations and services. A critical component to business continuity planning is remote access. Every employee should have the ability to efficiently work from home if a disaster strikes or blocks access to the office. If there is no power or no Internet and phone, alternatives should be defined to carry out key operations.
Alternative Location Considerations
The implications of region-wide disruptions must be factored into the location choices for backup data centers. Keeping backups within close proximity may seem like a smart strategy to ensure they’re readily accessible, but this does you no good if it’s a region-wide disruption. When it comes to supporting business-critical activities at an alternative location, what will be the site’s staffing needs? How about office space, equipment, and available resources? Printed copies of the business continuity plan, contact lists, and other business documents and manuals should also be kept at the alternate site in case electronic files can’t be accessed.
Vendor Relationships
Any critical vendor relationships should also have an adequate business continuity plan, as they may be affected by the same event as you. Vendors’ risk ratings should be considered based on the quality of their BDR and BCP strategies.
Telecommunications Services and Technology Considerations
The telecommunications infrastructure must be enhanced. Consider secondary phone lines, backup mobile phone services with different carriers, emergency Wi-Fi spots, and cloud technology.
Review and Testing
Annual full BCP tests should be conducted. If the business continuity plan changes often, more frequent testing is recommended. All personnel should be trained for their specific role in the plan.
What You Can Learn From US Regulator's Business Continuity Recommendations (Cognoscape blog post, published 2014-07-09)