Formalizing an Information Security Program

Formalizing your information security program is a critical step to drive information security capability maturation in any organization. The intent of formalizing a program is to get clear on focus and ensure everyone is on the same page about who is doing what.

From our experience, building a great information security program starts with asking the right questions. At Avalution, we build information security programs from the top down, starting with the strategy of the business and focusing on the following five key questions:

  1. Why do we have an information security program?
  2. What are we going to protect?
  3. How are we going to achieve it?
  4. Who is responsible and accountable?
  5. What are the results going to look like?

Let’s take a closer look at each.

Ransomware Changes the Game for IT Disaster Recovery

Imagine entering your workplace and being met with a sign instructing you NOT to turn on your desktop computers or dock your laptops until further notice. No network access; no email; no dependent applications. Unfortunately, this was the actual scenario that played out for one global law firm, DLA Piper, which fell victim to the Petya cyberattack in late June. For a law firm, the loss of email services is devastating, and DLA Piper's email was unavailable for over one week.

The June 2017 cyberattack, known as Petya, affected major organizations across many industries. Global shipping conglomerate Maersk has estimated quarterly losses of between $200M and $300M due to the resulting interruptions. Large manufacturing facilities were brought offline for many days while working to re-establish critical systems.

Prior to Petya, in May, WannaCry spread worldwide and infected over 200,000 computers. In both cases, infected computers had their data encrypted and hidden from their owners until a ransom was paid.

Introducing Our Information Security Practice

For twelve years, Avalution has been laser focused on business continuity. We’ve become the leading provider of business continuity software and consulting in the US. We work with 13% of the Fortune 100, including the largest organizations in seven different industries.

We’ve become well known for delivering business continuity services that are connected to the strategy of the business, pragmatic, and reliably delivered.

Today, we are expanding into Information Security Management.

Ownership – Where Do Our Responsibilities Begin and End as Business Continuity Professionals?

As published in the Summer 2016 Issue of the Disaster Recovery Journal – Volume 29, Number 3.

One of the latest threats to organizations is something termed “ransomware”, commonly defined as a type of malware that blocks access to an application and its data until the victim pays a predetermined amount of money. You may have read about two recent attacks, one targeting the Hollywood Presbyterian Medical Center and the other targeting MedStar. If you haven’t heard about these two attacks, perhaps you can pause for a minute and do a quick Google search to learn more. And, after you do, I have a question for you to consider:

If your organization hasn’t already prepared for this type of threat (ransomware or malware in general), who owns planning for it or preparing contingencies addressing the affected resources?

This article discusses some of the threats and risks that are currently top-of-mind for executive managers and why resilience-related thinking is so important, as well as the different roles that the business continuity professional can perform to add value.

Integrating Cyber Security and Business Continuity

The last several years have continued to see an increase in the sophistication and volume of cyber threats, with a 42% increase in targeted attacks in 2012 (as reported by Symantec in its 2013 Internet Security Threat Report). The range and types of threats vary greatly as well; in June 2013, InfoSecurity magazine listed the top five specific IT cyber security threats as: data breach, malware, DDoS, mobile threats, and industrialization of fraud – each of which requires a different preventive and response approach. An Ipsos survey for the Lloyd's Risk Index 2013 indicated that cyber risk is the third biggest concern for CEOs when assessing organizational threats, jumping nine spots from the previous year’s ranking of 12th.

In most organizations, monitoring and response has continued to develop and mature within IT to proactively address vulnerabilities. That said, there may be opportunities to better integrate IT’s response to such illicit activity with the organization’s business continuity program and structure, so that if an event does occur, the organization ensures a timely and coordinated response. After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT.

Data Breaches On Deck for Federal Oversight (Again)

In December 2009, my perspective titled “Data Breaches: A Sidewalk Sale of Consumer and Personal Information” detailed the financial, reputational and regulatory implications surrounding a data breach occurrence. Since then, little has changed (other than the fact that the term “data breach” is now commonplace throughout workplaces and households due to the continuous increase of breaches worldwide). Organizations around the world ranging from US Bank and Outback Steakhouse to the U.S. Air Force and Sony have experienced (or are currently experiencing) a data breach and the headache of breach notification. Despite numerous attempts to implement federal data breach notification legislation, little has been done on a national level to streamline the process.

This perspective highlights the data breach notification process and how recent legislation proposed by the Obama Administration is hoping to consolidate dozens of diverse state breach notification regulations into one integrated national plan.