The Official Assura Blog

Monday, April 21, 2008

 

Assura's own Connie Riffe brings down the house at Molito's!



Some people think that all risk managers do is sit in a room and figure out how to help the business avoid unacceptable risk. (Well, we do that during work hours any way!)

However, occasionally one of us will venture into the sunlight and do something other than risk management. Assura's own Connie Riffe and her band, The Johnny Butler Band, brought down the house on April 12 at Molito's in Powhatan, Virginia. They played a mix of songs from the 60's and 70's. They are available for gigs, so give them a call for your next party!


Of course, immediately after the show Connie went back into her dark office and resumed her role as a mild mannered risk manager.


Congratulations to Connie and the band on a job well done!



Tuesday, March 18, 2008

 

Yet another mass breach of credit card information



"Those who cannot learn from history are doomed to repeat it." -- George Santayana

I know, it's an overused quotation but it is one of those very simple quotes that cuts through the mire with razor sharp clarity.

This time it's Hannaford Bros., an east coast grocery chain. 4.2 million credit card accounts compromised.

Security, incident response, and crisis management are tough because doing them right requires constant vigilance and a saturation of cultural awareness lacking in most organizations. I don't know the particulars of how this specific compromise was achieved, but as Hannaford is about to find out, security, incident response, and crisis management done right rather than on the cheap are easier than the fallout of a major security breach, delayed containment, and botched public communications.



Friday, March 7, 2008

 

Backdoors in Chinese Manufactured Network Equipment?



Place this one in the "tell me something I didn't know" file.

According to a report on the website PC Pro, Chinese manufacturing firms are placing backdoor code in router firmware that could allow Chinese hackers (read: the Chinese government) to eavesdrop on the communications of companies in the UK.

No kidding.

However, this does highlight an ongoing blind spot in the IT security strategies of most organizations: most organizations aren't as good at monitoring what's going out of their networks as they are at monitoring what's coming in. You don't have to be part of a defense, intelligence, or law enforcement organization to be the target of this type of espionage. Any organization that handles personal information such as financial data, social security numbers, etc. is a target for identity thieves. If you have some sort of intellectual property, like a proprietary manufacturing process or new computer code, you're a target.
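As an added illustration of the egress blind spot described above (this is example code written for this page, not anything from the Assura post or the PC Pro report): a minimal outbound-traffic baseline check over a handful of constructed flow records. The internal address range, the proxy address 10.0.1.8, the permitted ports, the volume threshold and every flow record are assumptions made up for the example.

```python
"""Egress baseline check over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# Assumption: the organization's internal address space is one RFC 1918 range.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed egress policy: only the web proxy may reach the internet directly,
# and only on web ports. Every other internal host is expected to go via it.
EGRESS_ALLOWED = {
    "10.0.1.8": {80, 443},   # hypothetical proxy address
}

# Constructed per-host outbound byte threshold above which a permitted host is still noted.
VOLUME_THRESHOLD = 1_000_000

# Constructed sample flow records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.0.5.21", "10.0.1.53", 53, 120),            # workstation -> internal resolver: internal
    ("10.0.5.21", "10.0.1.8", 3128, 45_000),        # workstation -> proxy: internal, expected
    ("10.0.5.21", "203.0.113.7", 443, 52_000),      # workstation straight to the internet
    ("10.0.1.8", "198.51.100.20", 443, 2_000_000),  # proxy -> internet on 443: permitted
    ("10.0.1.8", "198.51.100.20", 22, 500),         # proxy -> internet on 22: outside profile
    ("10.0.5.33", "192.0.2.99", 8080, 900_000),     # workstation straight to the internet
    ("10.0.5.33", "10.0.9.10", 445, 3_000),         # internal SMB: not egress
]


def is_internal(addr):
    """True if the address falls inside any configured internal network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_unexpected_egress(flows):
    """Return (src, dst, port, reason) for every internal->external flow the policy does not expect."""
    findings = []
    for src, dst, port, _nbytes in flows:
        # Inbound and purely internal traffic are out of scope for an egress check.
        if not is_internal(src) or is_internal(dst):
            continue
        allowed_ports = EGRESS_ALLOWED.get(src)
        if allowed_ports is None:
            findings.append((src, dst, port, "host not permitted to reach the internet directly"))
        elif port not in allowed_ports:
            findings.append((src, dst, port, "permitted host using a port outside its profile"))
    return findings


def egress_volume_by_host(flows):
    """Total bytes sent to external destinations, keyed by internal source host."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def hosts_over_threshold(flows, threshold=VOLUME_THRESHOLD):
    """Internal hosts whose outbound volume exceeds the threshold, even if policy permits them."""
    return sorted(h for h, b in egress_volume_by_host(flows).items() if b > threshold)


if __name__ == "__main__":
    for finding in find_unexpected_egress(SAMPLE_FLOWS):
        print("unexpected egress:", finding)
    print("high-volume senders:", hosts_over_threshold(SAMPLE_FLOWS))
```

The two checks are deliberately separate: the policy check catches hosts that should never talk to the outside directly (the kind of path a firmware backdoor would need), while the volume check keeps an eye on hosts that are allowed out, since a permitted proxy is also the most convenient place to hide a large transfer. Both are only as good as the allowlist behind them, which is why building that inventory is the real work.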

What makes the issue of the Chinese placing backdoor code in routers more pressing is that US companies continue to move R&D, product development, and manufacturing overseas. Sometimes they open international divisions of their own companies, and sometimes they outsource those services to outside contracting firms. I'm the last person in the world to tell a company how to run its business or to advocate barriers to international commerce, but I think there could be some real trouble ahead in two areas if organizations don't start to take this threat seriously:
  1. Domestic manufacturers of network equipment could be held liable for damages if someone working on their behalf (whether a company employee or outside contractor) inserted backdoor code in their product that was then used to exfiltrate confidential information; and
  2. Companies that unwittingly deploy equipment with backdoor code could face the same exposure if that code was then used by outside parties to exfiltrate confidential information.

The thing of it is that it's not a major leap in intellectual honesty to understand that this threat was always out there. The defense and intelligence communities have understood this for years and have rules around what they call "acquisition security," where the issue of foreign ownership, control, or influence (FOCI) is very top-of-mind. In fact, given the choice between a superior product manufactured by a foreign-owned company and an inferior product from a domestic manufacturer, they will always choose the domestic company. Just ask Check Point Software how many firewalls they sold to the US Department of Defense.

For private organizations, there are a plethora of steps that can be implemented to prevent "data leakage" on the policy, acquisition security, personnel, and technology fronts. The specifics depend on the organization and the types of information at stake.

But the takeaway from this is that this type of threat isn't just the stuff of Tom Clancy novels. It is real. Take it seriously.


Thursday, February 14, 2008

 

The $54M Laptop



A woman from Washington, DC is suing Best Buy for $54M over the loss of her laptop computer claiming that she was exposed to potential identity theft and that Best Buy didn't notify her in a timely manner about the loss/theft. The $54M price tag is because, "I had to come up with a number that was significant enough that might force them to pay attention to me."

The victim, Ms. Raelyn Campbell, received $1,110.35 to compensate for the price of the laptop plus a $500.00 gift card for her inconvenience, which she donated to charity.

Now, I'm certainly the first one on the dog pile when some company or government agency blows it and compromises personal information because they were too lazy or inept to implement proper controls (and Best Buy was certainly guilty of that in this case), but Ms. Campbell also had a duty to protect her own information, either through the use of file encryption (hint: it's built into Windows) or by removing any confidential information before handing the laptop over to Geek Squad.

In this case, I think Best Buy acted entirely appropriately to clean it up with Ms. Campbell (how they could have prevented this from happening in the first place is a different matter). Hopefully a judge will see this for the publicity stunt that it is.



Monday, December 24, 2007

 

Happy Holidays!



Christmas shopping. Travel. Getting work caught up so that you can take a few days off at the end of the year. Add to that the ever present possibilities of business interruptions or disasters and you might as well not even get out of bed!

It seems as though there is always something to worry us or stress us out. In my line of work, it is very easy to think about all of the things that can go wrong. However, I would like to talk about all of the things that went right this year. (My mother would be so proud of me right now!)

There are a lot of things to be thankful for this year. Here are some of my favorites:

Room In The Inn Program: For several years, hotels such as Holiday Inn Express, Marriott, Hilton, and Comfort Inn make rooms available for free to people who are visiting a friend or family member who is hospitalized or in a treatment center over the holidays. Without this program, some families would not be able to visit their loved ones because of the financial burden. They launched an outreach campaign this year to hospitals and nursing homes to increase awareness of the program.

Youngest Entrepreneur Honored: Jason O'Neil, 11-year-old founder of Pencil Bugs, was awarded the Young Entrepreneur of the Year Award this month by Young Entrepreneurs of America. O'Neil started the business when he was 9-years-old and it has become a sensation. For more information on his invention, you can go to the Pencil Bugs website.

Teen Rescues 4 From a Deadly Fire: Dacreene Shaw, a 14-year-old from Brooklyn, New York, saved four children from a deadly apartment fire. She suffered from smoke inhalation, but has fully recovered.

First Cell Phone College Class Opens: Japan's Cyber University is the first school to offer a university class delivered over mobile phones. Sakuji Yoshimura, who heads Cyber University and gives the mobile course, said the university provides educational opportunities for people who find it hard to attend real-life universities, including those with jobs and those who are sick or have disabilities. (Source: Associated Press)

And last but not least...

Assura Opens In April: While opening our doors may not be on par with the good news events listed above, we are very happy about starting Assura. We are even happier that we have had the opportunity to help our clients and make a positive impact on their ability to handle any business disruptions or disasters. While there were obstacles that threatened to stand in our way, we persevered and opened our doors. It was one of the best decisions we have ever made, and we are so excited about our growth. We cannot wait for the new year.

We hope that you have had lots of good news in your life this year. If you get a chance, respond to this blog and let us know about the good things that have happened to you in 2007.

On behalf of all of us at Assura, we would like to wish you and your families a wonderful holiday season!



Friday, December 7, 2007

 

When insurance doesn't come through...



You pay your premiums every quarter or month like clockwork. It isn't always an easy payment for many companies, especially with costly insurance such as flood protection, but you feel confident that you are covered in the event that something should happen.

But can you really feel safe?

Since Hurricane Katrina, there has been a significant increase in lawsuits against such large companies as State Farm and Nationwide for "bad faith claims." A bad faith claim arises when an insurance company breaches its contract with policyholders by refusing to pay legitimate claims. As a result, many policyholders wait 2-5 years for their case to proceed through the legal system and to receive their money. In this process, it seems that the only people who benefit are the lawyers. But why would this happen? Many say it is really just a profit and expense game, where insurers see that it is cheaper to litigate a claim than to pay it up front.

I do not think that insurance companies are always the "bad guys" turning down claims to make a profit any more than I think that bad faith claims never happen. In reality, it is a mixture of both types of situations. However, I do know that insurance should not be the cornerstone of saving a business in the event of a disaster. It is one of the tools available to the business owner and will most likely be the last tool used.

One of the biggest misconceptions about insurance is that as long as a company has business interruption insurance, then they will have all they need to get back up and running without really having a plan that was developed ahead of time.

So let's take a look at business interruption insurance.

Business interruption insurance is insurance that compensates a business for lost income if the company has to vacate the premises due to disaster-related damage that is covered under the property insurance policy, such as a fire. Business interruption insurance covers the profits you would have earned, based on your financial records, had the disaster not occurred. The policy also covers operating expenses, like electricity, that continue even though business activities have come to a temporary halt. It does not tell you the steps you need to take to get back up and running.

What most people do not realize is that many of these policies have a 48-72 hour "waiting period" before the policy kicks into effect. Can you imagine your business being down 48-72 hours before you can even make a claim, or having to take the financial hit of losing 48-72 hours' worth of revenue that will never be repaid? Then it gets worse. When you are finally at the point where you can make a claim, you have to go through the hassle of pulling together the paperwork the insurance company needs while dealing with the client and employee issues that come along with resuming operations. I cannot think of too many businesses that can handle this amount of downtime, stress, and paperwork and not want to run for the hills or suddenly find themselves out of business.

So what can be done? Performing an analysis that identifies the business processes performed and the assets, people, and records needed to resume operation is a great start to creating a business recovery plan. That plan details how these business processes will be recovered, where they will be recovered, and the immediate steps to get back in operation, while phasing in staff and business processes that will eventually return the organization to normal operations. Once you are back up and running, you will have the time to deal with the insurance companies.

This analysis is also critical for selecting the right insurance policy, one that will make funds and resources available as you need them. Insurance should never be considered the cure-all for any business disaster; it is just one tool of many that can be used to benefit the company. It is important to realize that this tool will take the longest amount of time to produce a benefit, even in the best of circumstances. With that in mind, can you really afford not to have a plan?

Sunday, November 18, 2007

 

How not to handle a crisis that affects your business...



Hat tip to Breitbart.tv: From Santa Cruz, CA comes this report of a restaurant that is shut down because of a communicable disease that seems to have made around 80 people sick thus far.

Watch the YouTube clip for the story.



There are a couple of things wrong with the handling of this incident:
  1. The Santa Cruz County Health Department isn't releasing the name of the restaurant. It's tough to contain an outbreak without facts.
  2. The restaurant in question is refusing to respond to the media. This is the wrong approach because the media have already started to write the story, and they will do so with or without the restaurant. The right thing for the restaurant to do is to respond with some key messages about how they are handling the situation. Instead, the story is now out of their control, and the public perception is that they are being evasive.

The media have a saying: "feed the monster". Every single day, the media have to fill up so much time or so many column inches of space. Make no mistake about it, they will write the story with or without a response from this restaurant.

It will be interesting to see how this restaurant's future plays out. As a colleague of ours always says, "no comment is never an option".



+1.866.672.8714
© 2007 Assura, Inc. All rights reserved.
Privacy Policy