Denise Fortner, MBCP

Showing posts with label Risk. Show all posts
Friday, February 20, 2015
2nd biggest US health insurer has insurance to cover revenue lost as a result of customer info being hacked
From Insurance Networking News:
Anthem to tell customers within two weeks if they were hacked
I had never considered that a health insurer would have information to cover their losses if customer info is hacked, although it makes perfect sense, from a business continuity perspective. But as a consumer (of health insurance, not specifically of Anthem's), my first thought was that their insurance doesn't help me if my information is hacked.
Insurance won't cover damage to an organization's reputation, or gain back the trust of all of their customers.
Monday, February 9, 2015
The CEO's knowledge of business continuity
Check out this great article from Continuity Central:
CEO? Here are three key business continuity questions you need to ask
So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding.
Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations.
A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).
Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions?
Check out Continuity Central's article, and I'd love to know what you think.
And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.
A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), and you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery.
There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace it. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!
Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.
Saturday, January 31, 2015
January 29, 2015 CDC press briefing on measles, and the anti-vaccination movement as a public health threat
This is a transcript of Thursday's Center for Disease Control (CDC) tele-briefing for the press on the state of measles in the United States in 2015:
http://www.cdc.gov/media/releases/2015/t0129-measles.html
A few key take-aways from the briefing:
In January (as of January 28), 84 people in 14 states have been reported as having measles. In 2014, there were over 600 cases.
Measles was declared "eliminated" in the United States in 2000. Between 2001 and 2010, the CDC saw a median of 60 cases a year in the US. This was due to the highly effective measles vaccine.
Measles is very contagious, something that may have faded from our collective memory after a decade that saw so few cases. From http://www.cdc.gov/measles/about/transmission.html :
"Measles is a highly contagious virus that lives in the nose and throat mucus of an infected person. It can spread to others through coughing and sneezing. Also, measles virus can live for up to two hours on a surface or in an airspace where the infected person coughed or sneezed. If other people breathe the contaminated air or touch the infected surface, then touch their eyes, noses, or mouths, they can become infected. Measles is so contagious that if one person has it, 90% of the people close to that person who are not immune will also become infected.
"Infected people can spread measles to others from four days before to four days after the rash appears.
"Measles is a disease of humans; measles virus is not spread by any other animal species."
Some people don't realize that the complications of measles are quite serious, as shown in this Alberta Health Services slide:
This UNICEF infographic details the effectiveness of this vaccine and others:
So why are we seeing a resurgence in measles in the United States? Because of a small movement to forgo vaccines by people under a false belief that they're unsafe, despite the overwhelming agreement in the scientific community that parents should vaccinate their children except in a few rare circumstances.
Unfortunately, the decision not to vaccinate affects more than the unvaccinated child. Unvaccinated children pose a risk to expectant mothers, children not yet old enough to be vaccinated, and even people who have been vaccinated: the vaccination is about 93% effective in preventing someone exposed to the measles from getting it.

Measles is a serious topic, one that no one can cover in one blog, and I don't have any medical qualifications to give advice. But I hope if you're unsure what to believe about the measles vaccine, you'll do your own research and make up your own mind. I hope you'll come to the conclusion that I have: the measles vaccine prevents deaths and can effectively eliminate measles.
Afterthought: I wanted to clarify why I chose this subject for a Business Continuity blog. If children are diagnosed with the measles, or their parents are afraid to take them out for fear of exposure, then it affects the workforce: more parents will miss work. If we witness a growing number of people diagnosed with the measles, it will affect a growing number of employees and possibly lead to staffing issues.
Any public health threat can affect an organization negatively, and business continuity professionals have to take that into consideration when considering staffing.
Friday, January 30, 2015
The Old Elevator Speech
Many professionals are familiar with the concept of the elevator speech: a rehearsed, persuasive, short statement that sells you, your company or your products and services, that you can use if you unexpectedly see a contact or potential customer (or employer) and only have a very brief amount of time to talk to them - like the length of time an elevator ride might take.
MindTools.com has developed guidelines for crafting an elevator speech, if you've never created one before:
http://www.mindtools.com/pages/article/elevator-pitch.htm
The elevator speech is a fantastic tool, one you should definitely utilize. But . . . how long has it been since you revisited your elevator speech and updated it?
Is it covered in dust?
Why not take the time this week to make it a priority to revise your elevator speech?
Got your elevator speech updated?
Ready to take it to the next level?
Many business continuity professionals have worked in their current company for years. They know all of the members of upper management, and the members of upper management have at least an average understanding of your company's business continuity program.
But you may have limited face-time with members of upper management: perhaps you see them in a weekly staff meeting where you're expected to very briefly give an update. Unless you schedule time with them, which can be challenging, you don't have a lot of opportunities to:
- sell yourself: your skills, your initiative, your ideas;
- sell your business continuity program: not just update them on the latest development, but tout the progress that has been made in the program in the last year(s) or remind them of challenges that have been overcome; and
- sell your vision:
  - what area(s) do you feel need to be a focal point of the business continuity program this year?
  - what ideas do you have about changing the status quo?
  - what do you need management support to do this year?
The Alec Baldwin movie "Glengarry Glen Ross" utilizes a sales saying: ABC = Always Be Closing. It means everything should ideally be done with one goal in mind: taking you a step closer to making a sale or closing the deal.
Always Be Closing
Be prepared to use even a brief period of time (like an elevator ride) when you have the captive attention of someone in your organization crucial to your success or the success of one of your initiatives. Here's a sample elevator speech crafted to highlight a problem in the organization, what is already being done about the problem, and an idea that requires the buy-in of executive management:
"Did you know that at the last fire drill, it took 45 minutes to clear the building? I spoke with the fire chief and she said a building this size should be able to evacuate in half that time. One of the lunch-and-learns I've scheduled for Business Continuity Awareness Week in March, is for her to come in and stress exactly how quickly a fire can spread through a training video they use. I'm especially concerned that employees who require assistance aren't being evacuated fast enough.
"I'd like to increase the frequency of our fire drills until we improve the evacuation time, of course working around critical business periods. Combined with my awareness initiatives, I know we can do better on employee safety. Can I book some time with you next Monday to discuss the fire drill scheduling?"
Look at the sentence in red: it ends on a positive note that shows confidence.
Note that last sentence asking for a commitment to meet and discuss scheduling on a specific day. Without that sentence, you haven't asked for the "sale", you haven't necessarily made progress to closing the deal. You could go back to your office and hope he considers what you said . . . or you can Always Be Closing and ask for a commitment before he steps out of that elevator.
If those two paragraphs look long, consider this: with no practice (and a little bit of a slow southern drawl) I read it out loud in 47 seconds.
Experiment with developing several elevator speeches for different situations to accomplish different goals. Practice them so you are always ready.
As business continuity professionals, it's what we do: always be ready!
Never get caught not knowing what to say again.
Monday, December 29, 2014
Manage Risk and Deliver Security in a Digital World
Gartner Security & Risk Management Summit
8 – 11 June 2015 | National Harbor, MD (Washington, D.C. area)
http://www.gartner.com/technology/summits/na/security/
Sunday, December 28, 2014
Risky Business
The Information Risk Management group is hosting the 2015 Risky Business conference in London on November 12, 2015. Risky Business 2015 will be held in London, England.
http://www.irmplc.com/event/risky-business-conference/