We Must Be Ready
Managing Threats in a Dangerous World
April 12
ISACA/INFRAGARD
www.andrewsinternational.com
Creative Solution to the Global Credit Crisis
We Must Be Ready
Swiss Re's Sigma Study
Worldwide economic losses from natural catastrophes and man-made disasters were US$ 218 billion in 2010, triple the 2009 figure of US$ 68 billion
The cost to the global insurance industry was more than US$ 43 billion, over 60% more than the previous year
Approximately 304,000 people perished in these events, the highest number since 1976
The earthquake in Haiti claimed 222,000 lives
56,000 died during the summer heat wave in Russia
Natural disasters cost the global insurance industry about US$ 40 billion
Man-made disasters triggered claims of more than US$ 3 billion
Together, natural catastrophes and man-made disasters cost society US$ 218 billion in 2010
When you are walking through the flames
You should be thinking about: What's Next?
A Crisis of Sorts?
Recent Crisis of Sorts
Man Made & Natural Disasters/Incidents
Black Swans
It is an outlier: it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility
It carries an extreme impact
In spite of its outlier status, human nature makes us concoct explanations for its occurrence AFTER the fact, making it explainable and predictable
Black Swans of the past decade
Sept 11, 2001: attacks on the World Trade Center and Pentagon
2000-02: 78% decline in the Nasdaq
2003: European heat wave (40,000 deaths)
2004: tsunami in Sumatra, Indonesia (230,000 deaths)
2005: earthquake in Kashmir, Pakistan (80,000 deaths)
2005: Hurricane Katrina overwhelms New Orleans
2008: Cyclone Nargis in Burma (140,000 deaths)
2008: earthquake in Sichuan, China (68,000 deaths)
Derivatives roil the world's banking system and financial markets
2008: failure of Lehman Brothers and the sale/liquidation of Bear Stearns
30% drop in US home prices
2010: earthquake in Port-au-Prince, Haiti (220,000 deaths)
2010: Russian heat wave (56,000 deaths)
2010: BP's Gulf of Mexico oil spill
2010: market flash crash (1,000-point one-day drop in the Dow)
2011: surge of unrest in the Middle East
2011: earthquake, tsunami, and nuclear events in Japan
Japan Disasters
Violence Crisis
Oikos University Shooting: At Least 7 People Dead In Incident At Christian University In Oakland, Sources Say (April 2, 2012)
School Violence
Teenager Is Charged in Killing of 3 at Ohio School (March 2012, Chardon, Ohio)
A "Dilbert" View
Can We Plan For Black Swans?
Black Swan Stress Test: a four-step process, performed on a regular basis, to determine the enterprise's resiliency to withstand Black Swans.
An exercise in "what if" to determine how severely certain events could stress the enterprise. Gaming, if you will.
1. Map the footprint: the supply chain, channel partners, customers.
2. Create a list of potential disruptive events: catastrophic environmental, economic, political, societal and technological events. Then rate them by the type of impact they might have on normal business activity.
3. Ask the "what if" questions and determine the impact and consequences. This might result in new structures, reduced exposures, expanded supply chains.
4. Armed with that data, implement new or enhanced contingency plans.
What If?
Hazards: The List Continues to Expand
Natural Hazards: hurricanes, earthquakes, tornadoes, floods
Terrorism: the threat continues to loom large
Workplace Violence: becoming more frequent
Power Outages: blackouts, brownouts, rolling blackouts
Fires, Explosions, Chemical Releases
Security Threats: a new generation of eCrime
New Breed of Damaging Brand Attacks
Classic Phishing: ongoing and never-ending data breaches
Vishing (voice phishing: phishing over the phone, typically via VoIP)
SMiShing (SMS phishing: a text message carrying a link that installs a Trojan)
Malware
Stuxnet
419 Scams (the Nigerian advance-fee letter scam, moved online)
Blended Abuse
Advanced Persistent Threats (APTs)
Anonymous/Occupy Wall Street
Vendetta Symbol
Anonymous: A Crisis of Their Own
Hector Xavier Monsegur ("Sabu"), leader of LulzSec
New Security Threats: Economy Driven
A DuPont scientist stole $400 million in intellectual property from his employer in the form of 16,706 documents and over 25,000 scientific abstracts
An employee working in a Texas physician's office that was contracted to treat FBI agents attempted to sell an agent's health records to drug traffickers for $500
A Federal Emergency Management Agency employee stole the identity information of 200 people and opened $150,000 in credit accounts
21st Century Hacktivism
Microsoft's Irish website defaced
FBI website defaced
Scotland Yard career website defaced
Hackers invade Obama website: users redirected to Clinton campaign website
"Safe" websites that let you embarrass people in high places anonymously
Palin's Yahoo mail hacked, contents published on wikileaks.org
Blackmail and extortion using stolen information
Hackerazzi
Data Breaches: 77 million user accounts may be compromised
Cyber/Information Crisis
Datalossdb.org RSS Feed
2011/11/08: Firm alleges former employee illegally accessed a protected computer and downloaded both proprietary information and shareholder information
2011/11/08: 500,000 e-mail addresses and passwords acquired and dumped by hackers
2011/11/08: 98 usernames, MD5-hashed passwords and e-mail addresses from a marriage-making site dumped by a hacker
Understanding Key Terms
Emergency Management
– An ongoing process to:
• Prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment
Examples
– Medical Emergencies
– Fires or explosions
– Natural hazards
– Hazardous material spills or releases
– Security threats
Terms
Business Continuity
– An ongoing process to successfully:
• Identify the impact of potential losses
• Apply viable recovery strategies and plans
• Maintain continuity of services
Needed when:
– Interruption or loss of:
• Technology: hardware, software, data, connectivity
• Operations: critical facility, building, process, system, equipment
• Transportation: air, land
• Communication
– Essential personnel unavailable
Terms
Crisis Management
– Crisis: a situation that threatens to significantly harm:
• Operations
• Financial Results
• Reputation or Image
• Relations with Key Stakeholders
– Needed when:
• Accident, Natural or Environmental Disaster
• Financial Troubles
• Rumors or Scandals
• Litigation
• Strategic/Business Environment
• Terrorism/Cyber Terrorism
• Media Reports
Developing an Integrated Program
[Diagram: Emergency Management, Business Continuity, Crisis Management]
Integrated Plan
[Diagram: Emergency Management, Crisis Management, Business Continuity]
Lessons Learned from Disruptive Events
Normal life may be impacted
It could be difficult to travel
Assistance might be delayed
You might have to provide your own
Typical Challenges
No electricity
Damaged hardware, equipment
No plans to relocate remaining equipment
No plans to repair/replace/dispose of damaged equipment
Incomplete coverage on service contracts
No employee evacuation, re-assemblage plans
No planned employee communication system
No plans for communicating with key stakeholders
No plans for emergency equipment acquisition
No offsite backup of IT systems
Lessons Learned: Power
No power, or limited power supplies
No time estimates for restoring power
Poor location of generators
Poor location of redundant power supplies
No testing of redundant power supplies
No plan for acquiring generators
Inadequate fuel supply
Inadequate protection for fuels
Things you assume will be there may not be
Lessons Learned: Infrastructure
Located in high risk area
– Did not foresee risk, vulnerabilities of locations
Structural Damage
Security, Accessibility problems
Storage/Location of critical assets
Mold, contaminants
Mobile solution didn’t work in affected areas
No access to vendor contact information for clean-up
Lessons Learned: Insurance
Poor or inadequate coverage
Did not know what disaster scenarios were covered
No documented information for claims adjuster
– Inventory of Assets
– Inventory of Event Activities
Had not assessed risks vs. coverage
Had not insurance-tested various disaster scenarios
Keep an inventory of all assets
No independent review of insurance coverage
Lessons Learned: The Plan Itself
Plans
– Outdated or non-existent
– Not available - were in the damaged facility
– Plans were not linked to change management
– Plans too complex for quick use under stress
– Not tested; lack of regular team drills
No incident command system
IT and business change plans not integrated
Crisis response structure not organization-wide
Teams not set: Incident Command, Crisis, Operational
No pre-set locations, equipment to facilitate teams
Lessons Learned: Travel
Movement takes longer than expected
People did not follow local agency directions
Limited or no gasoline
Limited or no air travel available
No rental vehicles available
Heavy traffic, contra-flow
Limited housing availability
No plan for moving key employees and families
Lessons Learned: Communications
No central number for employees/customers to call
Cell phones may not work
Cordless phones may not work
Internet, Email may not be accessible
No plans to address the media, authorities, others
No communications with public sector agencies
Emergency contact information not easily accessible
No emergency notification system
Not prepared to handle incoming inquiries
Plan to use a range of technologies
Lessons Learned: People
Employees
– Not 100% focused
• Traumatized
• With or concerned about families
– Did not know what to do
– Safety not considered in plans
– Emergency loans not available
Alternate team members not planned
Confusion = slow, inadequate decision-making
Not prepared to inform families
– Incoming family inquiries
– Notify families of injured, deceased employees
Operational Challenges
Scale: Large magnitude, multi-location event/crisis
Infrastructure: Damage or Loss of:
– Voice, data communications systems
– Power/Fuel
– Facilities
Rapidly changing environment = unique support needs
Competing interests = non-productive behavior:
– Individual, bureaucratic and departmental interests
– Stovepipes, silos and measurement issues
Complex coordination between company, authorities
Operational Challenges (Cont'd)
Acquiring Needed Resources:
– Food
– Supplies
– Security
– Transportation
– Personnel
– Funding
– Sanitation
Chaos, trauma, emotional stress, harsh environment
Policies, regulations, practices
Limited staff with crisis, disaster experience
Communications Challenges
"90 percent of a crisis response is communications" – Barbara Reynolds, Centers for Disease Control and Prevention, USA
Responding quickly but accurately
Managing both the company and the crisis
Coordinating crisis operations and communications
Managing rumors
Establishing control of communications
– Media
– Internet
– Employees
– Other stakeholders
Crisis Communications: Be Prepared
Know your vulnerabilities
Have crisis communications plans already in place
– Immediate response plan
– 72-hour response plan
Pre-set teams
– One to manage the company
– One to manage the crisis
Pre-set decision structure (rapid-response)
Pre-set contact lists (frequently updated)
Pre-test with crisis communications drills
At Crisis Time
Activate the teams: minutes count!
Quickly establish:
– Secured crisis location
– Command Center (operations and communications)
– Access to accurate information
– Control of outgoing information
• Media
• Internet
Credibility is your most valuable asset
Some Thoughts on Crisis Management
"In a crisis, don't hide behind anybody or anything. They're going to find you anyway." – Paul "Bear" Bryant, American football coach
"What one decides to do in a crisis depends on one's philosophy of life, and that philosophy cannot be changed by an incident. If one has no philosophy in crisis, others make the decision." – Jeannette Rankin, US House of Representatives
"It takes 20 years to build a reputation and 5 minutes to ruin it." – Warren Buffett
"If it's not important to senior management, it will not be important to middle management or line management at all." – Denny Lynch, Senior VP of Communications, Wendy's
Primary Challenge & Priority
Maintaining communication regardless of the nature of
the event, be it a natural disaster or terrorist incident, is
the primary challenge during a disaster
Integrated Approach to Crisis Management
Operations and communications
Risk Assessment – vulnerability audits
Crisis Prevention – mitigating the risks
Crisis Response Planning – becoming prepared
Crisis Response Training – preparing your people
Responding to the Crisis – minimizing damage
Managing Reputation – before, during, and after
William M. "Bill" Besse
Vice President, Consulting & Investigations
Andrews International
214.254.3978 (office)
972.741.7532 (cell)