Tag Archives: Business Continuity Institute

BCI publishes Manifesto for Organisational Resilience as part of Business Continuity Awareness Week 2018

Working together is the key for successfully delivering organisational resilience. This is the core concept of the Manifesto for Organisational Resilience issued by the Business Continuity Institute (BCI) in tandem with Business Continuity Awareness Week 2018.

In the new 15-page document, the BCI explains what it will do in order to deliver its vision of a resilient world. To this end, the Manifesto lists four main points:

*Research: The BCI will champion academic research and new thinking for the benefit of the practitioner community

*Global Alliances: The BCI will create a series of global and local Resilience Alliances with other like-minded professional bodies

*Best Practice Groups: The BCI will aim to utilise the ‘collective brain power’ of some of the most experienced practitioners to create practice groups in the UK, Europe, India, North America and Australasia

*Online Resilience Tool: The BCI will develop a free online tool designed to increase awareness among organisations of all sizes and across all sectors


In this Manifesto, the BCI provides a detailed explanation of the concept of organisational resilience (ie ‘the ability of an organisation to absorb and adapt in a changing environment’) and how disciplines should collaborate in order to achieve it.

David Thorp, executive director of the BCI, stated: “Our view at the BCI is that no organisations can claim ownership of the resilience ground. What we propose is to work with other professional bodies and membership organisations in the resilience spectrum to provide a range of benefits for the mutual gain of all of our members. Collaboration is the key to a resilient future for organisations. This Manifesto is the first step towards making that future happen.”

The BCI’s Business Continuity Awareness Week 2018 was sponsored by Strategic BCP and SAI Global.

Founded back in 1994 with the aim of promoting a more resilient world, the BCI has established itself as the world’s leading Institute for business continuity and resilience. The BCI has become the membership and certifying organisation of choice for business continuity and resilience professionals globally with over 8,000 members in more than 100 countries working in an estimated 3,000 organisations in the private, public and third sectors.

The vast experience of the Institute’s broad membership and partner network is built into the organisation’s education, Continuing Professional Development and networking activities. Every year, more than 1,500 people choose BCI training, with options ranging from short awareness raising tools through to a full academic qualification available online and in a classroom.

The Institute stands for excellence in the resilience profession and its globally recognised certified grades provide assurance of technical and professional competency.

The BCI offers a wide range of resources for professionals seeking to raise their organisation’s level of resilience, while its extensive thought leadership and research programme helps drive the industry forward. With approximately 120 Partners worldwide, the BCI Partnership offers organisations the opportunity to work with the BCI in promoting Best Practice in business continuity and resilience.

The BCI welcomes everyone with an interest in building resilient organisations, be they newcomers, experienced professionals or organisations. Further information about the BCI is available online at www.thebci.org


Filed under Risk Xtra

Social engineering “a top cause of cyber incidents” finds Cyber Resilience Report

Research commissioned by Crises Control from the Business Continuity Institute for its annual Cyber Resilience Report 2016 confirms much of what we already suspected about the changing nature of the cyber threat and the way that cyber criminals have found new ways to defeat corporate perimeter security.

66% of respondents to the survey reported that their companies had been affected by at least one cyber security incident over the last 12 months. The costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This is focused on the weakest link in the corporate security chain, which is now human beings rather than technology.

The term ‘social engineering’ describes this attack vector, which relies heavily on human interaction and often involves tricking people into breaking normal security procedures. The BCI research shows clearly that phishing (ie obtaining sensitive data through false representation) and social engineering are now the single top cause of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months.

A further 37% were hit by spear phishing (ie phishing through identity fraud).


The research has also confirmed that, to effectively counter this threat, companies now need behavioural threat detection provided by a cyber security network monitoring solution. These plug-in devices monitor your network for signs of suspicious insider activity and failed attempts to hack into the system.

They can also provide invaluable intelligence to be acted upon proactively to nip a successful hack or insider threat in the bud.

Traditional anti-virus monitoring software is no longer enough. The BCI research shows that 72% of companies have this software in place, but only 26% of real cyber security incidents were actually discovered through this route. Much worse, 18% of incidents came to attention through an external source such as a customer, a supplier or the impact on a public website.

Network monitoring solutions are much more effective than anti-virus software in terms of alerting companies to a cyber breach, with 63% of businesses having network monitoring software in place and 42% of cyber incidents being brought to attention through the work of the IT Department to whom such systems report.

The scale of the cyber threat can feel overwhelming at times, but educating your own employees about the nature of the threat and then putting in place the right solutions can go a long way towards mitigating the social engineering threat and significantly enhancing your corporate cyber resilience.

The message is simple… Act now before it’s too late.


Filed under Risk UK News

BCI European Awards 2017: Shortlist of finalists announced

The Business Continuity Institute (BCI) is pleased to announce the shortlist for the 2017 BCI European Awards. Some of the most outstanding business continuity and resilience professionals and organisations have made it to the final stage.


Continuity and Resilience Consultant 2017

Alberto Mattia (Panta Ray)
Petra Morrison (Daisy Group)
Werner Verlinden (Musena Consulting)

Most Effective Recovery 2017

BPER Banca
IBM
West Yorkshire Fire & Rescue

Continuity and Resilience Innovation 2017

Barclays Group Resilience
Crises Control
Everbridge

Continuity and Resilience Newcomer 2017

Elodie Huet (Arup)
Linda McAllorum (MUFG Investor Services)
Patrick Teves (Nestle Deutschland AG)
Timothy Dalby-Walsh (Needhams 1834)
Tinne Dewolf (Goffin Consulting)

Continuity and Resilience Professional (Private Sector) 2017

Joseph McClean (Ulster Bank)
Ken Clark (ARM)
Rob van den Eijnden (Philips)
Sarah Armstrong-Smith (Fujitsu)

Continuity and Resilience Professional (Public Sector) 2017

Carl Mayfield (Milton Keynes Council)
Rina Singh (NHS Professionals)
Russ Parramore (South Yorkshire Fire & Rescue)

Continuity and Resilience Provider (Service/Product) 2017

Alert Cascade
Business Continuity Training
ClearView Continuity
Send Word Now
Sungard Availability Services

Continuity and Resilience Team 2017

Aon
BT
Chief Fire Officers Association
Marks & Spencer

Sponsored by Sungard Availability Services, the BCI’s European Awards Gala Dinner and Ceremony takes place at The Principal Hotel in Edinburgh on Thursday 11 May. The awards will be presented by David Thorp, the BCI’s executive director.

Tickets to the event include reception drinks, a three-course meal with fine wines and the awards ceremony. Individual tickets cost £75.00 +VAT. Tables of ten are priced at £675 +VAT.



Filed under Risk UK News, Uncategorized

Organisations “need to do more” to ensure EU GDPR compliance

Organisations need to do more work to ensure compliance with the European Union’s General Data Protection Regulation (GDPR), which is due to come into force in May 2018. While organisations are largely aware of their upcoming obligations, levels of maturity to meet the new standards are low.

Overall, organisations are compliant with less than 40% of the principles laid out in the GDPR. DLA Piper’s Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, compared to the average of around 37%. Healthcare and manufacturing are at the bottom end of the scale with 34% and 35% compliance.

Data breaches are already the second greatest concern for business continuity professionals. That’s according to the latest Horizon Scan Report published by the Business Continuity Institute. Unless organisations become compliant by the time the GDPR comes into force then a breach could become even more disruptive.

Patrick Van Eecke, partner and global co-chair of DLA Piper’s Data Protection practice, said: “The responses show that many organisations still have work to do on their data protection procedures. Any organisations operating in Europe will need to see major improvements in their score by May 2018 if they’re to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”


Van Eecke added: “With more and more organisations placing data centre stage, data protection will become an increasingly prominent issue. It’s vital that organisations invest now in the strategy and processes needed to help them to meet their obligations.”

Jim Halpert, the US co-chair of DLA Piper’s Global Data Protection practice, added: “As privacy requirements such as privacy by design, data portability and extensively documenting a privacy program become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. The time to step up compliance efforts is this year, not next.”

The GDPR will apply to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU.

The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Organisations failing to comply with the GDPR after its implementation in 2018 could face fines as high as 4% of global annual turnover.


Filed under Risk UK News, Uncategorized

“30% of NHS Trusts have experienced a ransomware attack” finds SentinelOne

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – the Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These are the findings of a Freedom of Information (FoI) request submitted by SentinelOne.

The Ransomware Research Data Summary explains that SentinelOne made FoI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware.

Despite installing a McAfee solution, Leeds Teaching Hospital has apparently suffered five attacks in the past year.

No Trusts reported paying a ransom or informed law enforcement of the attacks: all preferred to deal with the attacks internally.

Ransomware which encrypts data and demands a ransom to decrypt it has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.


With the infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it’s clear to see why these types of attack can be a concern for business continuity professionals, with the latest Horizon Scan Report published by the Business Continuity Institute highlighting cyber attacks as the prime concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week in 2017.

“These results are far from surprising,” said Tony Rowan, chief security consultant at SentinelOne. “Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware. A new and more dynamic approach to endpoint protection is needed.”

Rowan continued: “In the past, some NHS Trusts have been singled out by the Information Commissioner’s Office for their poor record on data breaches. With the growth of connected devices like kidney dialysis machines and heart monitors, there’s even a chance that poor security practices could put lives at risk.”

*Note that the data isn’t always recovered even after a ransom has been paid


Filed under Risk UK News, Uncategorized

“Faster response times needed to combat cyber threat” finds BCI survey

Two thirds of respondents to a global survey carried out by the Business Continuity Institute report that they had experienced at least one cyber incident during the previous twelve months, while 15% stated they had experienced at least ten incidents during the same period.

The frequency of these cyber incidents demonstrates exactly why it’s so important for organisations to have plans in place to mitigate them or otherwise lessen their impact.

The Cyber Resilience Report, conducted by the BCI and sponsored by Crises Control, found that there was a wide range of response times for cyber incidents. Almost a third of organisations (31%) stated that they responded within one hour. However, one fifth (19%) take a worrying four hours or more in responding to a cyber event, while almost half (44%) take more than two hours to respond. This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the host organisation.


Even if businesses wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so. The research finds that phishing and social engineering are the top causes of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months and 37% attacked by way of spear phishing.

The BCI has discovered that 45% of companies were hit by a malware attack and 24% by a Distributed Denial of Service episode. All these forms of attack will, in different ways, render an organisation’s own network either contaminated or inoperable. Their website may have been taken down and they may well have to switch off their Internet connection until they can secure themselves from further attack.

A detailed study of 369 business continuity and resilience professionals from across the world, the research also reveals that the costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.

David James-Brown FBCI, chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation. That calls for a greater awareness of cyber crime. As the cyber threat evolves, it’s crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Rickie Sehgal, chairman of Crises Control, added: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one-hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies appear to do, is simply unacceptable.”


Filed under Risk UK News, Uncategorized

Cabinet Office minister Francis Maude visits cyber security specialist Advent IM

The Rt Hon Francis Maude MP has visited West Midlands-based cyber security consultancy Advent IM as part of the MP’s remit as the Minister for Cyber Security.

Maude met with Mike Gillespie and Julia McCarron, the co-founders of Advent IM, to find out more about the cyber security work the company delivers as one of the UK’s leading independent information security consultancies, the company’s history, its ethos and the business challenges faced by the organisation as an SME.

Topics for discussion on the day were both wide and varied. Mike Gillespie explained the principles of a holistic and risk-based approach to security and the MP was particularly interested in how this translates into solid governance in business.

Maude was also keen to find out more about threat convergence, how cyber threats can now impact our physical environments and steps that can be taken to mitigate those threats.

The team expanded on Advent IM’s development of cyber security training courses specifically for the police in the areas of SIRO and IAO responsibilities and accountability, general cyber security awareness training opportunities currently being developed and Advent IM’s mentoring approach to consultancy delivery, ensuring the company is seen by those involved as a business enabler.

The Advent IM team members meet Francis Maude MP


The G-Cloud procurement process

Maude and the team discussed the merits of the G-Cloud procurement process and how there’s room to improve the perception that it’s more for technology purchases than consultancy, and how Government is starting to drive the requirement for Best Practice information security and ISO 27001 (more of which anon) through its outsourced service providers.

Changes to the Government Security Classification Scheme and the lack of understanding around its application were touched upon, as were the issues being confronted by local authorities in connecting to PSN and how the latest changes would impact on those either connecting or acting as a provider.

The Cabinet Office Minister also took the time to discuss areas of work with Advent IM staff from the consultancy, marketing and sales teams and the challenges they face when it comes to implementing and promoting cyber security across the UK.

“We greatly appreciate the time Francis Maude has taken to visit us,” said Advent IM’s operations director Julia McCarron. “As cyber security specialists, a number of us have attended events where Mr Maude has been present but we’ve rarely had the opportunity to discuss with him what’s happening in the market or air our views face-to-face. To be singled out and given the chance to discuss our company, the industry and involve all of our staff in that forum was an honour for the team.”

Advent IM’s Mike Gillespie talks cyber security with Cabinet Office minister Francis Maude

Holistic security management solutions

Advent IM focuses on holistic security management solutions for information, people and physical assets across both the public and private sectors.

Established in 2002, Advent IM is a Centre of Excellence for security services, promoting the benefits of Best Practice guidelines and standards and the ongoing need to address risk management in order to protect against potential threats.

From offices in the Midlands and London, the company’s consultants work on a nationwide basis and are members of the CESG Listed Advisor Scheme, the Institute of Information Security Professionals, The Security Institute, the Business Continuity Institute and the British Computer Society.

Advent IM consultants are also lead auditors for the international standards on Information Security Management (ISO 27001) and Business Continuity Management (ISO 22301), practitioners of PRINCE2 (a recognised project management methodology widely used within the public sector), CISSP-qualified and also Home Office-trained physical security assessors.


Filed under Risk UK News