Building Resilience: ISO Standard for Business Continuity Updated

Business interruption and the potential impact on revenues, profits, contracts, and customers is an ever present concern for business executives. Hurricanes, flooding, wildfires, and now preemptive power outages are in the news. An effective business continuity management capability is essential and increasingly a customer requirement.

ISO 22301, "Business Continuity Management Systems – Requirements," is one of the two leading standards for business continuity programs along with NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management,” which is published by the National Fire Protection Association.

The 2019 edition of ISO 22301 has been published by ISO and is available for purchase. ISO has also published a free publication explaining the standard: https://www.iso.org/news/ref2446.html.

Don Schmidt, CEO of Preparedness, LLC, is a long-time member of the USA’s Technical Advisory Group to ISO’s 292 and predecessor 223 committee that is responsible for ISO 22301 and related standards. He is also the past-chair of the NFPA 1600 technical committee. If you have questions about ISO 22301 or NFPA 1600, please contact us.

Cybersecurity Month

photo credit: niccs.us-cert.gov

October is Cybersecurity Month, reminding us that we must constantly protect our digital information. Businesses are constantly under attack and face potentially significant financial loss when the corporate network is compromised. Here are 10 actions to enhance cyber-security and data protection:

1.  Employee Education: Every employee (and family member) needs to be educated about cyber security. From the “C Suite” to the mail room, anyone on the network can compromise security by installing and using unauthorized software applications or browser extensions; copying files from malware infected flash drives to the network, opening phishing emails, or visiting unsafe sites. All employees should understand data protection policies and procedures. Educate employees about how personal information obtained from social media and web searches can be used by hackers to target them.

2.  Data Access: Identify confidential and company proprietary information; restrict access as needed; and verify that all confidential, proprietary, and important information is stored on drives that are backed up regularly. Educate employee and audit to verify that files are not stored on local hard drives and sharing company confidential or proprietary information with unauthorized recipients is prohibited.

3.  Physical Security: Smartphone and laptops are targeted by thieves for resale and especially for the information the devices store. Configure laptops with encrypted hard drives and ensure biometric or strong password access is enabled. Educate employees to secure laptops in hotels, meeting rooms, public places, and in vehicles. Remind employees to keep their smartphones close by and not in a position where they can be easily stolen.

4.  Network Security: Vulnerabilities in networking components including routers, switches, and wireless access points can be exploited. Inventory network hardware and sign up for notifications from vendors to be informed when vulnerabilities have been identified. Download firmware updates when they are offered. Enable the highest level of encryption for wireless connections. Restrict administrative access to the network to trustworthy technical staff.

5.  Operating System Updates: The cycle of computer and smartphone operating system updates is increasing to patch the latest known vulnerabilities. Ensure that automatic updates are enabled or ensure that your technology professionals promptly review and install patches.

6.  Passwords: Password management is a pain and overuse of simple passwords is common. Thankfully, enterprise password management can make passwords available across a company, computers, and devices. Implement password management software, restrict access to password vaults to those with a need to know; require strong, and unique passwords for each site; and promptly remove access when off-boarding employees.

7.  Software Applications: Enable multi-factor authentication whenever possible. Enable automatic updates to keep software updated or restrict software installations until security assessments have been completed. Audit software periodically to ensure the latest version has been installed, and security settings have been turned on.

8.  Malware Detection: Firewalls and malware detection software is critical and definition files must be continuously updated to protect against the latest threats. Prohibit access to the network if malware software is not enabled.

9.  Secure Connectivity for Remote Connections: All connections for employees working remotely or business partners should require encryption. Maximize security for remote management of the network and disable external access ports that are not needed.

10. Business Continuity & IT Disaster Recovery: Ensure that all important digital information is backed up. Maintain three (3) copies, each on different media (e.g., hard drive, network server, and cloud). Store one copy remote from the primary site in case of physical damage to the facility. Document hardware and software inventories; maintain current images of standard computers; and document a plan for recovery.

September is National Preparedness Month

September is National Preparedness Month.  Preparedness is defined by DHS/FEMA as "a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during incident response."

Our name says it well…..

Preparedness, LLC's mission is to safeguard people, protect property, minimize business interruption, and protect reputations.  We assess hazard and operational risks and develop loss prevention and hazard mitigation strategies.

Preparedness, LLC has published a variety of Bulletins offering detailed guidance for development, implementation, and evaluation of your organization’s preparedness program. We invite you to take a look at our extensive library of bulletins providing information and guidance on how to prepare for a variety of weather related emergencies, protective actions for life safety, including from acts of violence.  Other bulletins offer guidance on helping your company become more resilient from a number of impacts, including business continuity, crisis management, reputational issues, supply chain interruptions and a host of other potential threats to an organization.

 

We also offer a self-assessment checklist of over 200 questions, based on NFPA 1600  “Standard on Continuity, Emergency and Crisis Management” 2019 Edition to help your organization assess your preparedness program.

We invite you to contact us if your organization requires assistance with assessing, managing or implementing a preparedness program.

Financial Risks of Climate Change: CFO's Should Pay Attention

National Hurricane Center, NOAA

At the Wall Street Journal’s CFO Network Annual Meeting, held on June 11, 2019, Zurich Insurance Group chief risk officer Alison Martin explained that CFO’s should take a leading role in analyzing their companies’ exposures to weather related risks.  According to a report published by CDP Worldwide, a U.K. environmental nonprofit, the world’s 500 largest companies face $1 trillion in potential financial risk from climate change.

CFO’s need to make climate risk assessments a bigger priority, and actively assess how environmental issues could affect their companies’ bottom line.  For more information, click here to read the Wall Street Journal article.

Additionally, climate change and its potential ramifications are now on the radar screen of financial institutions.  Although not a yet standard industry practice at this time, as of this publishing of this article, 26% of banks and financial firms say they have established dedicated teams for evaluating climate-related risks, and how these may affect their bottom-line. Financial institutions find they are under increased scrutiny from investors and regulators.   Click here to read the entire Wall Street Journal article.

Based on these articles, published within days of each other in the Wall Street Journal, it is evident that climate change as it relates to the financial health of an organization is becoming a hot-button issue.  More scrutiny as to the potential fall-out from these risks is sure to arise in the coming years – affecting organizational risk management, the financial bottom-line, how to evaluate these risks, and ultimately who in an organization will be tasked with the responsibility of where the buck stops.

NFPA 1600 2019 Edition: A Resource for Every Practitioner and Auditor

                                                         Risk and Resilience Hub

Don Schmidt, Preparedness, LLC CEO was recently published in Risk and Resilience Hub. In this article, Don explains how NFPA 1600, 2019 Edition, the most mature standard of its kind, defines the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, loss prevention/hazard mitigation, emergency management, business continuity, crisis management, and crisis communications.  Read Article

Hurricane Preparedness

As the 2019 Hurricane Season is upon us, officially beginning on June 1^st, we have already had one named storm.  Storms do not check the calendar, and the “season” is an estimate of when these storms can occur.

The 2019 season is predicted to be a “near normal” season, with about 9 to 15 named storms, with 4 to 8 of these becoming hurricanes.  

However, no matter how many storms are predicted, it is important to remember that it only takes one powerful storm to hit where you or your organization are to cause catastrophic destruction and death.  So planning and preparing for hurricane season should be the same, whether it is forecasted to be a moderate or heavy season.

When we think of hurricanes, one usually thinks of winds – how strong the winds are determine if the hurricane is a category 1, 2, 3, 4 or 5.  However, according to Ken Graham, National Hurricane Center Director, history has shown that 90% of fatalities in hurricanes are in fact due to water.  In the last 3 years alone, 83% of deaths during hurricanes have been due to water.  While we think of winds, we really must focus on flooding, and how to protect property and life from the effects of flooding.  

Flooding caused by stalled storms that dump a tremendous amount of water on already soaked land can happen well inland.  Storm surge is a coastal concern of water pushed onto the land by the force of the storm.  With more people living on the coast than ever before, there are more lives vulnerable to the dangers of storm surge.

Hurricane planning includes multiple phases:

• Before Hurricane Season
• Tropical Storm or Hurricane Watch
• Tropical Storm or Hurricane Warning
• During the Storm
• After the Storm

For information on Hurricane Preparedness, take a look at the Preparedness Bulletin for detailed information on how to prepare.

Analyzing flood exposure is an important part of preparing for storm season.  Our Preparedness Bulletin, Flood Preparedness is instructive, and provides resources on where to find information specific to your region. 

A plan that accurately identifies the resources and time needed to prepare has the greatest chance for success.

Severe Weather Preparedness

Springtime brings a welcome change in seasons.  Along with blooming flowers and trees and warmer temperatures, it also marks the start of Severe Weather season. The first week in May is Severe Weather Preparedness Week.  Severe weather in warm weather months include thunderstorms and the devastation that may come from them: the potential for flooding, high winds and tornadoes.

A thunderstorm is a rain shower with thunder.  Since thunder comes from lightning, all thunderstorms have lightning.  A thunderstorm is classified as “severe” when it contains one or more of the following:  Hail (3/4 inch or greater, winds gusting in excess of 50 knots (57.5 mph) or a tornado.  On average, about 10% of thunderstorms are classified as severe.

Lightning strikes the U.S. about 25 million times each year, kills an average of 47 people annually, and injures hundreds more.^[1]  When lightning is detected, it is important to take shelter as there is no safe place outdoors when thunderstorms are in the area. “When Thunder Roars, Go Indoors”^[2]  Once the storm has passed, wait at least 30 minutes after the last thunder is heard before resuming outdoor activities.  Once the storm has passed, assess any damage to your property.  Contact local authorities if there are power lines down.

High winds can occur during a severe thunderstorm.  Winds speeds of 40 to 50 mph can produce localized damage.  “Straight-line” winds, which are not associated with any rotation, can exceed 100 mph and can cause widespread damage, and blow objects making them airborne, posing a significant threat to personal safety.  If you are outdoors, take shelter in a sturdy building.  If not near a building, take shelter in your car.  If no shelter is available, stay away from trees and power lines.

A tornado, which is spawned from a severe thunderstorm, is a violently rotating column of air extending from the base of a thunderstorm down to the ground. Tornadoes are capable of completely destroying well-made structures, uprooting trees, and hurling objects through the air like deadly missiles. Tornadoes can occur at any time of day or night and at any time of the year. Although tornadoes are most common in the Central Plains and the southeastern U.S., they have been reported in all 50 states.^[3]

If a tornado warning is issued, go to the basement or an interior room in your home/school/business, away from any windows. If you are outside, it is imperative to seek shelter in a sturdy building immediately. Once the authorities have deemed it safe and the tornado(s) has passed, carefully assess your property for damage.  Stay out of damaged buildings and contact local authorities if you see power lines down.

Flooding is caused when bodies of water (e.g. rivers, streams, lakes, oceans, etc.) overflow their normal boundaries.  Flooding can also occur as storm water runoff accumulates in normally dry areas. Read the Preparedness Bulletin on Flood Preparedness to learn more about how your organization can create an emergency plan to deal with floods, as well as how to mitigate the risk as well as recover from an unexpected flooding event. 

For more information about severe weather threats, including mitigation strategies for your organization, read Preparedness Bulletin: Thunderstorms, Lightning & Tornadoes. 

---

[1] Weather.gov; https://www.weather.gov/safety/lightning ; access date 5-8-2019

[2] Ibid

[3] National Weather Service; https://www.weather.gov/safety/tornado; access date 5-8-2019