Civil Unrest

Amid the anxiety and angst of the worst pandemic in 100 years, the elimination of social injustice has been the rallying cry of protesters following the George Floyd incident. Peaceful demonstrations erupting into violence under the cover of darkness have been national news. Cities of all sizes have seen demonstrations—some experiencing civil unrest night-after-night for months.

 Acts of vandalism, malicious destruction of property, and arson have been perpetrated on government buildings, statues, vehicles, and other property. Public streets, highways, and public space have been blocked and barricaded to prevent the free movement of citizens and commerce. Assault, battery, and homicide have been perpetrated with bricks, stones, firearms, and other weapons. Police, protesters, counter-protesters, and innocent people have been injured. Businesses have been looted and destroyed by fire. Block after block of storefronts have been boarded up. Losses to businesses in at least 40 cities in 20 US states may come close to the costliest civil disorder in US history. [Claims Journal, June 2, 2020] 

Recent decades have witnessed protests and civil disorder surrounding issues of social injustice, world economic and trade forums, political conventions, major sporting events, and labor disputes. Riots have plagued the United States for more than half a century, and 50 countries have seen a surge in civil unrest since 2019 according to political risk consultants Verisk Maplecroft. 

Concern about protests and demonstrations like those surrounding the 2016 Presidential election have law enforcement planning for the possibility of a repeat. Directors of security worry that volatile political divisions in our society may provoke conflicts between workers escalating into acts of workplace violence. Civil unrest is now a foreseeable threat requiring preparedness. 

In this Preparedness Bulletin the following topics are covered in detail:

• Recognizing the Potential for Civil Unrest
• Weapons & Tactics
• Vulnerability & Risk Assessment
• Security, Life Safety & Emergency Planning
• Preparedness for Planned Demonstrations
• Response to Civil Unrest
• Workplace Violence 

Links to other resources are also provided to help organizations prepare for civil unrest and workplace violence.

Read the entire Preparedness Bulletin: https://bit.ly/3dNCgLd

 

Incident Management System

Florida SERT Chief briefs staff managing concurrent responses to the Covid-19 pandemic

and Hurricane Isaias.

The ongoing Covid-19 Pandemic, weeks-long civil disturbances, and numerous natural disasters emphasize the need for effective incident management. 

No longer an exclusive practice of public safety agencies, incident management system is an essential capability for all organizations to protect lives, property, business operations the environment, reputations, and stakeholder relationships. 

An incident management system (IMS) can and should be used for all incidents planned, forecast, or occurring that require activation of emergency operations, business continuity, IT Disaster Recovery, and crisis management plans. 

An incident management system is defined by NFPA 1600 as "the combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure and designed to aid in the management of resources during incidents." 

Implementation of an IMS enhances communications, coordination, efficiency, and effectiveness by organizing and bringing together the functional roles necessary to manage any incident.

Read the full September Preparedness, LLC Bulletin: https://bit.ly/36nX3my

 

Building Resilience: ISO Standard for Business Continuity Updated

Business interruption and the potential impact on revenues, profits, contracts, and customers is an ever present concern for business executives. Hurricanes, flooding, wildfires, and now preemptive power outages are in the news. An effective business continuity management capability is essential and increasingly a customer requirement.

ISO 22301, "Business Continuity Management Systems – Requirements," is one of the two leading standards for business continuity programs along with NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management,” which is published by the National Fire Protection Association.

The 2019 edition of ISO 22301 has been published by ISO and is available for purchase. ISO has also published a free publication explaining the standard: https://www.iso.org/news/ref2446.html.

Don Schmidt, CEO of Preparedness, LLC, is a long-time member of the USA’s Technical Advisory Group to ISO’s 292 and predecessor 223 committee that is responsible for ISO 22301 and related standards. He is also the past-chair of the NFPA 1600 technical committee. If you have questions about ISO 22301 or NFPA 1600, please contact us.

Cybersecurity Month

photo credit: niccs.us-cert.gov

October is Cybersecurity Month, reminding us that we must constantly protect our digital information. Businesses are constantly under attack and face potentially significant financial loss when the corporate network is compromised. Here are 10 actions to enhance cyber-security and data protection:

1.  Employee Education: Every employee (and family member) needs to be educated about cyber security. From the “C Suite” to the mail room, anyone on the network can compromise security by installing and using unauthorized software applications or browser extensions; copying files from malware infected flash drives to the network, opening phishing emails, or visiting unsafe sites. All employees should understand data protection policies and procedures. Educate employees about how personal information obtained from social media and web searches can be used by hackers to target them.

2.  Data Access: Identify confidential and company proprietary information; restrict access as needed; and verify that all confidential, proprietary, and important information is stored on drives that are backed up regularly. Educate employee and audit to verify that files are not stored on local hard drives and sharing company confidential or proprietary information with unauthorized recipients is prohibited.

3.  Physical Security: Smartphone and laptops are targeted by thieves for resale and especially for the information the devices store. Configure laptops with encrypted hard drives and ensure biometric or strong password access is enabled. Educate employees to secure laptops in hotels, meeting rooms, public places, and in vehicles. Remind employees to keep their smartphones close by and not in a position where they can be easily stolen.

4.  Network Security: Vulnerabilities in networking components including routers, switches, and wireless access points can be exploited. Inventory network hardware and sign up for notifications from vendors to be informed when vulnerabilities have been identified. Download firmware updates when they are offered. Enable the highest level of encryption for wireless connections. Restrict administrative access to the network to trustworthy technical staff.

5.  Operating System Updates: The cycle of computer and smartphone operating system updates is increasing to patch the latest known vulnerabilities. Ensure that automatic updates are enabled or ensure that your technology professionals promptly review and install patches.

6.  Passwords: Password management is a pain and overuse of simple passwords is common. Thankfully, enterprise password management can make passwords available across a company, computers, and devices. Implement password management software, restrict access to password vaults to those with a need to know; require strong, and unique passwords for each site; and promptly remove access when off-boarding employees.

7.  Software Applications: Enable multi-factor authentication whenever possible. Enable automatic updates to keep software updated or restrict software installations until security assessments have been completed. Audit software periodically to ensure the latest version has been installed, and security settings have been turned on.

8.  Malware Detection: Firewalls and malware detection software is critical and definition files must be continuously updated to protect against the latest threats. Prohibit access to the network if malware software is not enabled.

9.  Secure Connectivity for Remote Connections: All connections for employees working remotely or business partners should require encryption. Maximize security for remote management of the network and disable external access ports that are not needed.

10. Business Continuity & IT Disaster Recovery: Ensure that all important digital information is backed up. Maintain three (3) copies, each on different media (e.g., hard drive, network server, and cloud). Store one copy remote from the primary site in case of physical damage to the facility. Document hardware and software inventories; maintain current images of standard computers; and document a plan for recovery.

September is National Preparedness Month

September is National Preparedness Month.  Preparedness is defined by DHS/FEMA as "a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during incident response."

Our name says it well…..

Preparedness, LLC's mission is to safeguard people, protect property, minimize business interruption, and protect reputations.  We assess hazard and operational risks and develop loss prevention and hazard mitigation strategies.

Preparedness, LLC has published a variety of Bulletins offering detailed guidance for development, implementation, and evaluation of your organization’s preparedness program. We invite you to take a look at our extensive library of bulletins providing information and guidance on how to prepare for a variety of weather related emergencies, protective actions for life safety, including from acts of violence.  Other bulletins offer guidance on helping your company become more resilient from a number of impacts, including business continuity, crisis management, reputational issues, supply chain interruptions and a host of other potential threats to an organization.

 

We also offer a self-assessment checklist of over 200 questions, based on NFPA 1600  “Standard on Continuity, Emergency and Crisis Management” 2019 Edition to help your organization assess your preparedness program.

We invite you to contact us if your organization requires assistance with assessing, managing or implementing a preparedness program.

Financial Risks of Climate Change: CFO's Should Pay Attention

National Hurricane Center, NOAA

At the Wall Street Journal’s CFO Network Annual Meeting, held on June 11, 2019, Zurich Insurance Group chief risk officer Alison Martin explained that CFO’s should take a leading role in analyzing their companies’ exposures to weather related risks.  According to a report published by CDP Worldwide, a U.K. environmental nonprofit, the world’s 500 largest companies face $1 trillion in potential financial risk from climate change.

CFO’s need to make climate risk assessments a bigger priority, and actively assess how environmental issues could affect their companies’ bottom line.  For more information, click here to read the Wall Street Journal article.

Additionally, climate change and its potential ramifications are now on the radar screen of financial institutions.  Although not a yet standard industry practice at this time, as of this publishing of this article, 26% of banks and financial firms say they have established dedicated teams for evaluating climate-related risks, and how these may affect their bottom-line. Financial institutions find they are under increased scrutiny from investors and regulators.   Click here to read the entire Wall Street Journal article.

Based on these articles, published within days of each other in the Wall Street Journal, it is evident that climate change as it relates to the financial health of an organization is becoming a hot-button issue.  More scrutiny as to the potential fall-out from these risks is sure to arise in the coming years – affecting organizational risk management, the financial bottom-line, how to evaluate these risks, and ultimately who in an organization will be tasked with the responsibility of where the buck stops.

NFPA 1600 2019 Edition: A Resource for Every Practitioner and Auditor

                                                         Risk and Resilience Hub

Don Schmidt, Preparedness, LLC CEO was recently published in Risk and Resilience Hub. In this article, Don explains how NFPA 1600, 2019 Edition, the most mature standard of its kind, defines the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, loss prevention/hazard mitigation, emergency management, business continuity, crisis management, and crisis communications.  Read Article

Hurricane Preparedness

As the 2019 Hurricane Season is upon us, officially beginning on June 1^st, we have already had one named storm.  Storms do not check the calendar, and the “season” is an estimate of when these storms can occur.

The 2019 season is predicted to be a “near normal” season, with about 9 to 15 named storms, with 4 to 8 of these becoming hurricanes.  

However, no matter how many storms are predicted, it is important to remember that it only takes one powerful storm to hit where you or your organization are to cause catastrophic destruction and death.  So planning and preparing for hurricane season should be the same, whether it is forecasted to be a moderate or heavy season.

When we think of hurricanes, one usually thinks of winds – how strong the winds are determine if the hurricane is a category 1, 2, 3, 4 or 5.  However, according to Ken Graham, National Hurricane Center Director, history has shown that 90% of fatalities in hurricanes are in fact due to water.  In the last 3 years alone, 83% of deaths during hurricanes have been due to water.  While we think of winds, we really must focus on flooding, and how to protect property and life from the effects of flooding.  

Flooding caused by stalled storms that dump a tremendous amount of water on already soaked land can happen well inland.  Storm surge is a coastal concern of water pushed onto the land by the force of the storm.  With more people living on the coast than ever before, there are more lives vulnerable to the dangers of storm surge.

Hurricane planning includes multiple phases:

• Before Hurricane Season
• Tropical Storm or Hurricane Watch
• Tropical Storm or Hurricane Warning
• During the Storm
• After the Storm

For information on Hurricane Preparedness, take a look at the Preparedness Bulletin for detailed information on how to prepare.

Analyzing flood exposure is an important part of preparing for storm season.  Our Preparedness Bulletin, Flood Preparedness is instructive, and provides resources on where to find information specific to your region. 

A plan that accurately identifies the resources and time needed to prepare has the greatest chance for success.

Severe Weather Preparedness

Springtime brings a welcome change in seasons.  Along with blooming flowers and trees and warmer temperatures, it also marks the start of Severe Weather season. The first week in May is Severe Weather Preparedness Week.  Severe weather in warm weather months include thunderstorms and the devastation that may come from them: the potential for flooding, high winds and tornadoes.

A thunderstorm is a rain shower with thunder.  Since thunder comes from lightning, all thunderstorms have lightning.  A thunderstorm is classified as “severe” when it contains one or more of the following:  Hail (3/4 inch or greater, winds gusting in excess of 50 knots (57.5 mph) or a tornado.  On average, about 10% of thunderstorms are classified as severe.

Lightning strikes the U.S. about 25 million times each year, kills an average of 47 people annually, and injures hundreds more.^[1]  When lightning is detected, it is important to take shelter as there is no safe place outdoors when thunderstorms are in the area. “When Thunder Roars, Go Indoors”^[2]  Once the storm has passed, wait at least 30 minutes after the last thunder is heard before resuming outdoor activities.  Once the storm has passed, assess any damage to your property.  Contact local authorities if there are power lines down.

High winds can occur during a severe thunderstorm.  Winds speeds of 40 to 50 mph can produce localized damage.  “Straight-line” winds, which are not associated with any rotation, can exceed 100 mph and can cause widespread damage, and blow objects making them airborne, posing a significant threat to personal safety.  If you are outdoors, take shelter in a sturdy building.  If not near a building, take shelter in your car.  If no shelter is available, stay away from trees and power lines.

A tornado, which is spawned from a severe thunderstorm, is a violently rotating column of air extending from the base of a thunderstorm down to the ground. Tornadoes are capable of completely destroying well-made structures, uprooting trees, and hurling objects through the air like deadly missiles. Tornadoes can occur at any time of day or night and at any time of the year. Although tornadoes are most common in the Central Plains and the southeastern U.S., they have been reported in all 50 states.^[3]

If a tornado warning is issued, go to the basement or an interior room in your home/school/business, away from any windows. If you are outside, it is imperative to seek shelter in a sturdy building immediately. Once the authorities have deemed it safe and the tornado(s) has passed, carefully assess your property for damage.  Stay out of damaged buildings and contact local authorities if you see power lines down.

Flooding is caused when bodies of water (e.g. rivers, streams, lakes, oceans, etc.) overflow their normal boundaries.  Flooding can also occur as storm water runoff accumulates in normally dry areas. Read the Preparedness Bulletin on Flood Preparedness to learn more about how your organization can create an emergency plan to deal with floods, as well as how to mitigate the risk as well as recover from an unexpected flooding event. 

For more information about severe weather threats, including mitigation strategies for your organization, read Preparedness Bulletin: Thunderstorms, Lightning & Tornadoes. 

---

[1] Weather.gov; https://www.weather.gov/safety/lightning ; access date 5-8-2019

[2] Ibid

[3] National Weather Service; https://www.weather.gov/safety/tornado; access date 5-8-2019

Business Impact Analysis: Vulnerabilities, Loss Potential and Mitigation

Donald L. Schmidt spoke at RIMS2019, the Risk & Insurance Management Society's annual conference, on the value of the business impact analysis (BIA) to risk management. He explained how the BIA identifies vulnerabilities and opportunities for risk mitigation. He also addressed how the BIA provides a methodology for quantifying business interruption and prioritizing the recovery of business operations.  View the presentation.

Read Preparedness, LLC's bulletin on Business Impact Analysis for an in-depth look at this important process and how it can prepare your organization.   

NFPA 1600 2019 Edition Webinar

NFPA has published the 2019 edition of NFPA 1600, “Standard on Continuity, Emergency, and Crisis Management.” In this webinar Don Schmidt, past chair of the committee, reviewed the new and revised content in the 8th edition of this important international standard. Access this webinar to learn how you can use this tool to improve your organization’s resilience. http://bit.ly/2Xenljr

Download Preparedness, LLC’s Self-Assessment Checklist (insert picture) based on NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” 2019 Edition.  Containing over 200 questions, this is an important tool to help your organization evaluate its preparedness program.  http://bit.ly/2ufM3B4

CFOs May Be Held Accountable for Climate Change Catastrophes that Affect a Company's Bottom Line

FM Global’s, Report Master the Disaster Report: Why CFOs Must Initiate Natural Catastrophe Preparedness in 2019 and Beyond^[1] makes the compelling case for CFOs to explore the broader financial consequences of natural disasters, and to allocate capital towards loss prevention and business interruption.

Insurance policies are implemented as they are thought to absorb most property damage and business disruption losses, however, they do not cover all economic risk.  Market share, reputation, cash-flow and even potential growth opportunities may be adversely affected by a prolonged disruption, resulting in economic hardship for an organization. 

While companies may take the gamble that unpredictable events are not likely to occur in this earning year, this is taking short-term view of profits over long-term viability.  Devastating results can be the consequence, even with a moderate natural disaster.  FM Global’s CFO Kevin Ingram says that “The buck stops with the CFO.”  If a company is unprepared for a natural disaster, wide-ranging stakeholders including institutional investors, shareholders, Wall Street analysts, consumers and regulatory agencies will be privy to this information.

FM Global reviewed 10-K filings of nearly 100 public companies that experienced damage and disruption in 2017 from Hurricanes Harvey, Irma or Maria.  Findings saw losses ranging from a few million to hundreds of millions of dollars.^[2]  The U.S. Securities and Exchange Commission has clarified their position on climate change risks, instructing companies to treat these material risks from climate change like any other business risk.  This position will likely place CFOs facing hard questions if losses are incurred and no plans have been put in place to deal with these natural disasters.

Risk managers, who typically have an inward-looking role in their organizations, are charged with planning for risks that already exist.  While this can improve vulnerability for a company, a more global view is typically needed.  The CFO, with their C-Suite vantage point and outward-looking focus, has the ability to completely eliminate some of these risks.  For example, the risk manager may allocate money to fortify a critical plant against flood exposure, whereas the CFO has the influence to change the landscape entirely by moving the plant from a flood plain to higher ground, eliminating the flooding risk completely.

The bottom line is CFO’s will be on the hot-seat if a natural disaster has negative impacts on the company’s profitability and survivability.  Natural disasters have the potential to impact global supply chain, impact cash flow, and severely impact customer relationships.

For the complete picture, read FM Global’s Master the Disaster:  Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  Click Here

---

[1] FM Global. Master the Disaster: Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  W00644_18 © 2019 FM Global (01/2019)

[2] Ibid

NFPA 1600 2019 Edition Published

The 2019 edition of NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” has been published by the National Fire Protection Association. This international standard is the most mature standard of its kind in the world. Originally published in 1995, the 2019 edition is the 7^th edition. It addresses the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, prevention/mitigation, emergency management, business continuity, crisis management, and crisis communications.

First off, the title has changed to emphasize “crisis” management content that has been introduced over the past three editions. A crisis is defined as “an issue, event, or series of events with potential for strategic implications” including impacts on brand, image, reputation, and more. A new section “crisis management” has been added to chapter 6, Implementation. This section defines a “crisis management capability,” with senior leadership involvement, signals detection, identification of issues, strategy development, and more.

Another notable change is the addition of a new chapter 7 titled “Execution.” It defines what should be obvious but is often overlooked, that is, how a program should be executed. Incident recognition, reporting and notification, activation and planning, incident management, documentation, and resource management are included in the new chapter. The chapter extracts the important elements of alerting, notification, and warning with activation of an incident management system.

The annexes, which are a treasure trove of valuable information, continue to expand. Annex J, “Social Media in Emergency Management” has been added. When an incident occurs, social media is alive before emergency, continuity, and crisis management responders are fully engaged. Therefore, integrating social media into all program activities—preparedness for a forecast event to communicating with stakeholders regarding continuity and recovery information after—is a must.

Other new annexes include Annex K Emergency Communications: Public Alerts and Warnings in Disaster Response and Annex L Emergency Management, Continuity, and Crisis Management Data Interoperability.

NFPA 1600 can be downloaded for free from the NFPA website http://bit.ly/2AOTiFF

Check out a historical review of NFPA 1600 on the Preparedness, LLC website. http://bit.ly/2UcLzt9. Be sure to download the 2019 edition of Preparedness, LLC’s program self-assessment checklist, which is based on NFPA 1600. http://bit.ly/2uUz7ma

Happy New Year

The New Year, A Time of Reflection and Anticipation

The early Roman calendar was created in the 8th century B.C. by Romulus, founder of Rome, consisting of 10 months and 304 days. Each New Year began at the vernal equinox as was tradition.  Later, King Numa Pomlpilius added the months of Januarius and Februarious. Over the years the calendar fell out of synch with the sun. In 46 BC, emperor Julius Caesar consulted with prominent astronomers and mathematicians to solve this problem. The Julian calendar, which closely resembles the more modern Gregorian calendar used today, was introduced. Caesar instituted January 1st as the start of the New Year, honoring the month's namesake: Janus, the Roman God of beginnings and endings. The fitting significance of Janus' two faces allowed him to look back into the past and forward into the future.

_________________________________________

Looking back, here are events that occurred in 2018 causing widespread and significant impact: Hurricanes Florence and Michael Over-pressurized gas lines in Massachusetts that caused explosions, more than 60 fires, and months-long service interruption to 8,000 customers including many businesses Data breaches of Facebook, Marriott/Starwood, and many others Historic wildland fires in California Reputations tarnished by product liability suits (Bayer/Monsanto) and privacy concerns (Facebook and others) Geopolitical events including trade wars affecting the global supply chain and disinformation campaigns inciting the public discourse

Events thought to be "unexpected" are now clearly foreseeable. Preparing for events that threaten life, property (real, digital, and intellectual), business operations, reputations, and relationships with stakeholders is a New Year's resolution for every organization. We continue to monitor events as they unfold and work towards building better international standards and practices for preparedness and resilience.  Our goal has always been to help others understand the hazard, operational, and reputational risks that surround them and to implement plans and strategies. We wish you all the best in 2019.

Tips to Enhance Survival During an Active Shooter Incident

"Active Shooter" actor from a full-scale exercise
(photo by Preparedness, LLC)

Lieutenant Colonel (ret.) Mike Wood’s article “What cops need to tell their families about active shooters,” (PoliceOne.com) should be read by everyone venturing out into public.

• Maintain situational awareness
• Know where the exits are
• Get off the floor.
• Don’t volunteer to be deaf and blind
• Limit alcohol consumption in public
• Have a plan
• Be careful with your communication devices
• Know how to act when the police arrive
• Learn first aid basics.
• Be prepared

Personal preparedness is essential. When a hostile event unfolds, no one is going to direct you to exits, concealment, or cover. It’s up to you.

Organizations have a lot of work to do, too. Human resource practices, effective physical and operational security, threat detection, warning and communication systems, and many more elements of a preparedness program should be implemented. Read the Preparedness Bulletin “Acts of Violence” for detailed guidance.

Resilience

November is National Critical Infrastructure Security and Resilience Month. Critical infrastructure is the physical and cyber systems and assets that are so vital that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.

There are 16 critical infrastructure sectors including commercial facilities, manufacturing, financial services, food and agriculture, healthcare, information technology, transportation, communications, energy, emergency services, and more. Every organization depends on critical infrastructure and many are a part of, or support, the critical infrastructure sectors.

What is resilience?

You hear the word resilience more and more—often after a major disaster or utility outage. Merriam-Webster defines resilience as the “ability to recover from or adjust easily to misfortune or change.” Resilience is not a finish line, rather it is a continuous process that engages safety, security, human resources, operations, engineering, supply chain, IT, risk management, and others. It begins with identifying assets that are critical to the success of the organization—people, operations, facilities, supporting infrastructure and technologies, machinery and equipment, supply chain, and more. Resilience should also encompass reputation and relationships with stakeholders.

Resilience is a continuous process to gain and maintain a current understanding of:

• threats, hazards, and perils that could impact life and physical, digital, intellectual, operational, and reputational assets
• operational criticalities (production or service delivery priorities),
• vulnerabilities of assets and resources (weaknesses) that would make them more susceptible to damage or loss, and
• potential impacts to life, property, operations, the environment, and the organization’s reputation and relationships with stakeholders.

Resilience also includes the development of strategies to manage risk and capabilities to promptly respond to and recover from whatever has happened.

What does it take to achieve resilience?

Since the risk environment is not static, continuous gathering of information and the development of actionable intelligence about credible threats, foreseeable hazards, and potential impacts to critical assets is essential. THIRA (threat and hazard identification and risk assessment) and BIA (business impact analysis) are the processes that engage internal and external experts to identify hazards, their probabilities of occurrence, and assets at risk; to evaluate the adequacy of prevention and mitigation capabilities; and to develop strategies for risk management.

Strategies for loss prevention, deterrence, and hazard mitigation should begin even before a building is built. By selecting a geographic site that has limited exposure to natural hazards and crime and one with reliable infrastructure and public safety services, the need and costs for building design, construction, redundant utilities, and on-site response capabilities may be reduced. Design and construction that is compliant with building codes and standards and industry best practices also can enhance resiliency. Periodic inspection, testing, and maintenance of protection systems and equipment are essential to ensure reliability.

Ongoing programs to manage risk are essential. Internal professionals including human resources manage employee risks through pre-employment screening, onboarding processes, threat assessment, critical employee backups, training, employee communications, and wellness programs.

Environmental, health and safety (EH&S) professionals partnering with human resources, operations, engineering, and others play an instrumental role with job hazard analysis, process safety, fire prevention, accident prevention, and environmental protection.

Security professionals and facilities management staff implement CPTED (crime prevention through environmental design) practices, surveillance and detection technologies, and operational security practices to deter, detect, and respond to potential threats. Communication and coordination with law enforcement is needed to promptly learn about developing threats and to increase security commensurate with the threat level.

EH&S professionals along with security, facilities, human resources and other staff must work together to develop and implement emergency response capabilities to safeguard employees, protect facilities, and prevent environmental contamination from the threats and hazard identified during the risk assessment.

Information Technology must manage the technology environment balancing access, efficiency, reliability, information security, and costs. Connectivity between internet service providers, worksites, networks, servers, and users must be reliable and have sufficient bandwidth to meet business needs. Digital information must be protected and promptly recoverable along with user applications to minimize production and service delays and unacceptable customer impacts. Information security laws require compliance. Conformity to standards and best practices for the protection of data centers and supporting infrastructure reduces exposure to loss and interruption. IT disaster recovery plans must be developed and tested to validate the ability to meet recovery time objectives.

Production managers and engineers must identify vulnerabilities in production methods, machinery and equipment, supporting infrastructure and technologies and develop strategies to overcome loss scenarios. Supply chain managers must continually assess the ability of suppliers to meet demand and logistics capabilities to deliver supplies where and when needed. Strategies for loss or damage to equipment, unavailability of essential personnel, and supply chain interruption must be developed.

Operations personnel working together with managers, supervisors, and others within the organization that possess the institutional knowledge of operations and resources must work together to complete the business impact analysis and develop business continuity strategies and documented plans for use when critical processes are interrupted or required resources are unavailable.

Role of Leadership

Resilience is elusive because of the broad spectrum of hazard, operational, financial, and strategic risks. It can be fleeting because of the short duration of institutional memory and human nature that “it can’t happen to us” or “it will never happen again.” A concerted, ongoing effort is required to understand and manage risk. Ultimately, senior management must embrace resilience as a core value of the organization and strive to embed risk management within its culture.

Reaching a threshold of “resilience” means that the organization has a clear understanding of risk and has implemented controls to manage operational, financial, and reputational risk to an acceptable level. Compliance with laws and regulations is the minimum. Meeting customer requirements is essential. Protecting the business, its employees and facilities by implementing and maintaining a mature preparedness program is no longer a luxury. There is no finish line.

From the National Cyber Awareness System: Major Online Ad Fraud Operation

https://www.us-cert.gov/ncas/alerts/TA18-331A

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Patrol-hijacked IP addresses.

Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Solution

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

• Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
• Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
• Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
• Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
• Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

Practical Tips for Continuity Planning

Don Schmidt presented “Practical Tips for Continuity Planning: From Impact Analysis to Executable Strategies and Plans” to the Safe+Ready Institute’s 2018 Virtual Summit.

Tips (and lessons learned) from decades of business continuity planning were shared including:

• Importance of management support and Identifying who needs to be involved in the planning process
• Planning Scope, Assumptions, Limitations, and Scenarios
• Tools & Techniques for Business Impact Analysis (BIA)
• Risk Assessment: It’s not just for emergency planning
• Continuity Strategies: Focus on Priorities
• Resources, Resources, Resources
• Continuity Plan: Putting it all together
• Incident Management: Concept of Operations
• Training, Testing & Exercises
• Program Development Resources

The presentation can be viewed here, and the recorded webinar can be viewed on the Safe+Ready Institute’s website here. While you’re visiting the Preparedness, LLC website, be sure to check out the program development resources and Preparedness Bulletins.