We Must Be Ready Managing Threats in a Dangerous World April 12 ISACA/INFRAGARD


Page 1: We Must Be Ready Managing Threats in a Dangerous … Pre - Crisis Management.pdf Can We Plan For Black Swans? Black Swan Stress Test- Four Step Process -Performed on a regular basis

We Must Be Ready

Managing Threats in a Dangerous World

April 12

ISACA/INFRAGARD

Page 2:

www.andrewsinternational.com

Creative Solution to the Global Credit Crisis

Page 3:

We Must Be Ready

Page 4:

Swiss Re’s Sigma Study

Worldwide economic losses from natural catastrophes and man-made disasters were $US 218 billion in 2010, triple the 2009 figure of $US 68 billion

The cost to the global insurance industry was more than $US 43 billion, more than 60% over the previous year

Approximately 304,000 people perished in these events, the highest number since 1976

The earthquake in Haiti claimed 222,000 lives

56,000 died during the summer heat wave in Russia

Natural disasters cost the global insurance industry about $US 40 billion

Man-made disasters triggered claims of more than $US 3 billion

Natural catastrophes and man-made disasters cost the US society $US 218 billion in 2010

Page 5:

When you are walking through the flames

Page 6:

You should be thinking about: What’s Next?

Page 7:

A Crisis of Sorts?

Page 8:

Recent Crisis of Sorts

Page 9:

Man-Made & Natural Disasters/Incidents

Page 10:

Black Swans

It is an outlier: it lies outside the realm of regular expectations because nothing in the past can convincingly point to its possibility

It carries an extreme impact

In spite of its outlier status, human nature makes us concoct explanations for its occurrence AFTER the fact, making it explainable and predictable

Page 11:

Black Swans of the past decade

Sept 11, 2001: attacks on the World Trade Center and Pentagon

2000-02: 78% decline in the Nasdaq

2003: European heat wave (40,000 deaths)

2004: tsunami in Sumatra, Indonesia (230,000 deaths)

2005: earthquake in Kashmir, Pakistan (80,000 deaths)

2005: Hurricane Katrina overwhelms New Orleans

2008: earthquake in Burma (140,000 deaths)

2008: earthquake in Sichuan, China (68,000 deaths)

Derivatives roil world’s banking system and financial markets

2008: failure of Lehman Brothers and the sale/liquidation of Bear Stearns

30% drop in US home prices

2010: earthquake in Port-au-Prince, Haiti (220,000 deaths)

2010: Russian heat wave (56,000 deaths)

2010: BP’s Gulf of Mexico oil spill

2010: market flash crash (1,000 point one-day drop in the Dow)

2011: surge of unrest in the Middle East

2011: earthquake, tsunami, and nuclear events in Japan

Page 13:

Violence Crisis

Oikos University Shooting: At Least 7 People Dead In Incident At Christian University In Oakland, Sources Say (April 2, 2012)

Page 14:

School Violence

Teenager Is Charged in Killing of 3 at Ohio School

March 2012, Chardon, Ohio

Page 15:

A “Dilbert” View

Page 16:

Can We Plan For Black Swans?

Black Swan Stress Test: a four-step process, performed on a regular basis, to determine the enterprise’s resiliency to withstand Black Swans.

An exercise in “What If” to determine how severely certain events could stress the enterprise. Gaming, if you will.

1. Conduct mapping of the footprint, the supply chain, channel partners, customers.

2. Create a list of potential disruptive events: catastrophic environmental, economic, political, societal and technological events. Then rate them by the type of impact they might have on normal business activity.

3. Ask the “what if” questions and determine the impact and consequences. This might result in new structures, reduced exposures, expanded supply chains.

4. Armed with that data, implement new or enhanced contingency plans.

Page 17:

What If?

Page 18:

Hazards: The List Continues to Expand

Natural Hazards – hurricanes, earthquakes, tornadoes, floods

Terrorism – the threat continues to loom large

Workplace Violence – becoming more frequent

Power Outages – blackouts, brownouts, rolling blackouts

Fires, Explosions, Chemical Releases

Security Threats- new generation of eCrime

Page 19:

New Breed of Damaging Brand Attacks

Classic Phishing: ongoing and never-ending data breaches

Vishing (aka VoIP phishing using phones)

SMiShing (text message with a link that installs a Trojan)

Malware

Stuxnet

419 Scams (morphed Nigerian letter scam gone cyber)

Blended Abuse

Advanced Persistent Threats (APTs)

Page 20:

Anonymous/Occupy Wall Street

Page 21:

Vendetta Symbol

Page 22:

Anonymous

A Crisis of Their Own

“Hector Xavier Monsegur” (Sabu), leader of LulzSec

Page 23:

New Security Threats

Economy Driven

A DuPont scientist stole $400 million in intellectual property from his employer in the form of 16,706 documents and over 25,000 scientific abstracts

An employee working in a Texas physician’s office that was contracted to treat FBI agents attempted to sell an agent’s health records to drug traffickers for $500.

A Federal Emergency Management Agency employee stole the identity information of 200 people and opened $150,000 in credit accounts.

Page 24:

21st Century Hacktivism

Microsoft’s Irish website defaced

FBI website defaced

Scotland Yard career website defaced

Hackers invade Obama website: users redirected to Clinton campaign website

Safe website lets you embarrass people in high places: anonymize

Palin’s Yahoo mail hacked- published on wikileaks.org

Blackmail and Extortion using stolen information

Page 25:

Hackerazzi

Page 26:

Data Breaches: 77 million user accounts may be compromised

Page 27:

Cyber/Information Crisis

Datalossdb.org RSS Feed

Firm alleges former employee illegally accessed a protected computer and downloaded both proprietary information and shareholder information (2011/11/08)

500,000 e-mail addresses and passwords acquired and dumped by hackers (2011/11/08)

98 usernames, MD5 hashed passwords and e-mail addresses from marriage-making site dumped by hacker (2011/11/08)

Page 28:

Understanding Key Terms

Emergency Management

– An ongoing process to:

• Prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment

Examples

– Medical Emergencies

– Fires or explosions

– Natural hazards

– Hazardous material spills or releases

– Security threats

Page 29:

Terms

Business Continuity

– An ongoing process to successfully:

• Identify the impact of potential losses

• Apply viable recovery strategies and plans

• Maintain continuity of services

Needed When . . .

– Interruption or loss of:

• Technology: hardware, software, data, connectivity

• Operations: critical facility, building, process, system, equipment

• Transportation: air, land

• Communication

– Essential personnel unavailable

Page 30:

Terms

Crisis Management

– Crisis: situation threatens to significantly harm:

• Operations

• Financial Results

• Reputation or Image

• Relations with Key Stakeholders

– Needed When . . .

• Accident, Natural or Environmental Disaster

• Financial Troubles

• Rumors or Scandals

• Litigation

• Strategic/Business Environment

• Terrorism/Cyber Terrorism

• Media Reports

Page 31:

Developing an Integrated Program

Emergency Management

Business Continuity

Crisis Management

Page 32:

Integrated Plan

Emergency Management

Crisis Management

Business Continuity

Page 33:

Lessons Learned from Disruptive Events

Page 34:

Normal life may be impacted

Page 35:

It could be difficult to travel

Page 36:

Assistance might be delayed

Page 37:

You might have to provide your own

Page 38:

Typical Challenges

No electricity

Damaged hardware, equipment

No plans to relocate remaining equipment

No plans to repair/replace/dispose of damaged equipment

Incomplete coverage on service contracts

No employee evacuation, re-assemblage plans

No planned employee communication system

No plans for communicating with key stakeholders

No plans for emergency equipment acquisition

No offsite backup of IT systems

Page 39:

Lessons Learned:

Power

No power, or limited power supplies

No time estimates for restoring power

Poor location of generators

Poor location of redundant power supplies

No testing of redundant power supplies

No plan for acquiring generators

Inadequate fuel supply

Inadequate protection for fuels

Page 40:

Things you assume will be there may not be

Page 41:

Lessons Learned:

Infrastructure

Located in high risk area

– Did not foresee risk, vulnerabilities of locations

Structural Damage

Security, Accessibility problems

Storage/Location of critical assets

Mold, contaminants

Mobile solution didn’t work in affected areas

No access to vendor contact information for clean-up

Page 42:

Lessons Learned:

Insurance

Poor or inadequate coverage

Did not know what disaster scenarios were covered

No documented information for claims adjuster

– Inventory of Assets

– Inventory of Event Activities

Had not assessed risks vs. coverage

Had not insurance-tested various disaster scenarios

Keep an inventory of all assets

No independent review of insurance coverage

Page 43:

Lessons Learned:

The Plan Itself

Plans

– Outdated or non-existent

– Not available - were in the damaged facility

– Plans were not linked to change management

– Plans too complex for quick use under stress

– Not tested; lack of regular team drills

No incident command system

IT and business change plans not integrated

Crisis response structure not organization-wide

Teams not set: Incident Command, Crisis, Operational

No pre-set locations, equipment to facilitate teams

Page 44:

Lessons Learned:

Travel

Movement takes longer than expected

People did not follow local agency directions

Limited or no gasoline

Limited or no air travel available

No rental vehicles available

Heavy traffic, contra-flow

Limited housing availability

No plan for moving key employees and families

Page 45:

Lessons Learned:

Communications

No central number for employees/customers to call

Cell phones may not work

Cordless phones may not work

Internet, Email may not be accessible

No plans to address the media, authorities, others

No communications with public sector agencies

Emergency contact information not easily accessible

No emergency notification system

Not prepared to handle incoming inquiries

Page 46:

Plan to use a range of technologies

Page 47:

Lessons Learned:

People

Employees

– Not 100% focused

• Traumatized

• With or concerned about families

– Did not know what to do

– Safety not considered in plans

– Emergency loans not available

Alternate team members not planned

Confusion = slow, inadequate decision-making

Not prepared to inform families

– Incoming family inquiries

– Notify families of injured, deceased employees

Page 48:

Operational Challenges

Scale: Large magnitude, multi-location event/crisis

Infrastructure: Damage or Loss of:

– Voice, data communications systems

– Power/Fuel

– Facilities

Rapidly changing environment = unique support needs

Competing interests = non-productive behavior:

– Individual, bureaucratic and departmental interests

– Stovepipes, silos and measurement issues

Complex coordination between company, authorities

Page 49:

Operational Challenges (Cont’d)

Acquiring Needed Resources:

– Food

– Supplies

– Security

– Transportation

– Personnel

– Funding

– Sanitation

Chaos, trauma, emotional stress, harsh environment

Policies, regulations, practices

Limited staff with crisis, disaster experience

Page 50:

Communications Challenges

“90 percent of a crisis response is communications” – Barbara Reynolds, Centers for Disease Control, USA

Responding quickly but accurately

Managing both the company and the crisis

Coordinating crisis operations and communications

Managing rumors

Establishing control of communications

– Media

– Internet

– Employees

– Other stakeholders

Page 51:

Crisis Communications: Be Prepared

Know your vulnerabilities

Have crisis communications plans already in place

– Immediate response plan

– 72-hour response plan

Pre-set teams

– One to manage the company

– One to manage the crisis

Pre-set decision structure (rapid-response)

Pre-set contact lists (frequently updated)

Pre-test with crisis communications drills

Page 52:

At Crisis Time

Activate the teams – minutes count!

Quickly establish:

– Secured crisis location

– Command Center (operations and communications)

– Access to accurate information

– Control of outgoing information

• Media

• Internet

Credibility is your most valuable asset

Page 53:

Some Thoughts on Crisis Management

“In a crisis, don’t hide behind anybody or anything. They’re going to find you anyway.” – Paul “Bear” Bryant, American football coach

“What one decides to do in a crisis depends on one’s philosophy of life, and that philosophy cannot be changed by an incident. If one has no philosophy in crisis, others make the decision.” – Jeannette Rankin, US House of Representatives

“It takes 20 years to build a reputation and 5 minutes to ruin it” – Warren Buffett

“If it’s not important to senior management, it will not be important to middle management or line management at all” – Denny Lynch, Senior VP of Communications, Wendy’s

Page 54:

Primary Challenge & Priority

Maintaining communication regardless of the nature of the event, be it a natural disaster or terrorist incident, is the primary challenge during a disaster

Page 55:

Integrated Approach to Crisis Management

Operations and communications

Risk Assessment – vulnerability audits

Crisis Prevention – mitigating the risks

Crisis Response Planning – becoming prepared

Crisis Response Training – preparing your people

Responding to the Crisis – minimizing damage

Managing Reputation – before, during, and after

Page 57:

William M. “Bill” Besse

Vice President, Consulting & Investigations

Andrews International

214.254.3978 (office)

972.741.7532 (cell)

[email protected]