
Don't Fall Victim to Optimism Bias

Would you bet your company's livelihood on the spin of a roulette wheel?  Of course not. Risk is not a new problem, yet a lot of companies are still playing the probability game.  They’ve fallen into the habit of the “Optimism Bias.”  In an article, Eastern Kentucky University’s Richard Osbaldiston, Ph.D., defines “Optimism Bias” as:

“…the belief that each of us is more likely to experience good outcomes and less likely to experience bad outcomes. The key to optimism bias is that we disregard the reality of an overall situation because we think we are excluded from the potential negative effects.”

A lot of organizations are complacent when it comes to planning for risk – even to the point where the unaddressed issues of yesterday remain the same today. 

Illustrating that point is an article entitled, “10 talking points about cybersecurity and your business”, found at  The ten points are:

  1. You’re never too small to be attacked
  2. Sometimes the big guys get it most wrong
  3. Sometimes, only personal experience trumps complacency
  4. You’re not just responsible for your own network
  5. Consumers play an important role
  6. Companies should plan for the worst
  7. This is about corporate culture, not just technology
  8. Communication is key when a breach happens
  9. Cybersecurity is a bit like road safety…
  10. But risk isn’t always a bad thing
Even though the list was published four years ago, all of the points are still valid.  But with the tendency toward optimism bias, companies still tend to downplay risk.
A better viewpoint is the risk management perspective.  Understanding your risk doesn’t just mean developing plans for failures and incidents in those what-if scenarios.  Rather, it is an opportunity to understand your operational processes, investigate shortcomings within your organization, and improve areas for the sake of efficiency.  These improvements range from improving internal processes to implementing high-availability IT solutions and drafting a comprehensive business continuity plan.  It starts with identifying the risks in your environment, addressing those risks, and getting closer to Operational Excellence:

“A philosophy of the workplace where problem-solving, teamwork, and leadership results in the ongoing improvement in an organization.”

Part of the challenge tends to be how to start.  Here’s how - call us at 651-429-9991 to schedule an assessment of your environment to start the process.   Don’t let “Optimism Bias” be your default means for addressing risk within your organization. 

We can help, after all, our mission is Helping Businesses Stay in Business! 

Rolling out GDPR - Are you ready for May 25th?

First question… What is GDPR? 

It stands for General Data Protection Regulation, and it’s a new standard for the way in which companies manage and maintain their customers’ data within the European Union.  It goes into effect on May 25th.  Second question, as a U.S. based company, do you really care?  

You probably should.   As a starting point, I’d suggest reading the following article:

A quick summary of the article is that any U.S. based company that has a web presence and sells products as the result of web contacts needs to review their data practices and how the GDPR might impact them.

In a recent webinar hosted by BrightTalk, entitled “Getting Ahead of the Compliance Curve”, the presenters stressed that full implementation requires a combination of technical and organizational measures to protect your data.   Part of that could be encryption, but operational processes are also required to ensure complete compliance.  As part of that, two key implementation points are the “right to be forgotten” feature, and the requirement that all data breaches must be reported within 72 hours. 
Once in place, the GDPR is positioned to impose significant fines for non-compliance.  One report indicates that fines can be up to 4% of your annual global revenue.  Another example is that if a company is breached and credit card information is accessed, the fine could be in the neighborhood of $3 per card breached.  Simple arithmetic shows how quickly the fine can go up based on the size of your breach. 

Confused? Concerned?  We can help.  It all starts with understanding current practices within your environment, assessing them against the requirements of GDPR, and determining what needs to happen next.  Call us at 651-429-9991 and we can help.  After all, our mission is Helping Businesses Stay In Business!

2017 is done - what do we do differently in 2018?

With 2017 behind us and a new year just begun, we consider which business practices we want to continue and perhaps which need to be done differently.   As ghoulish as it may seem, part of my planning includes learning more about how many disasters happened during the past year, problem trends, and how well businesses are prepared for recovery.
In a report from FEMA, I found the number of major disasters declared over the past five years:

  Year   Major disasters   % change from previous year
  2017        135                    +32%
  2016        102                    +29%
  2015         79                     -5%
  2014         84                    -12%
  2013         95
These numbers account for such things as weather disasters, floods, terrorist attacks, and those caused by human actions.  Digging a little deeper, I wondered how many cyber/data breaches happened during 2017, or at least those deemed big enough to be reported.  Here’s the list I found:
E-Sports Entertainment Association, Xbox 360 ISO and PSP ISO, InterContinental Hotels Group, Arby’s, River City Media, Verifone, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, America’s JobLink, FAFSA: IRS Data Retrieval Tool, Chipotle, Sabre Hospitality Solutions, Gmail, Bronx Lebanon Hospital Center, Brooks Brothers, DocuSign, OneLogin, Kmart, University of Oklahoma, Washington State University, Deep Root Analytics, Blue Cross Blue Shield/Anthem, California Association of Realtors, Verizon, Online Spambot, TalentPen and TigerSwan, Equifax, US Securities and Exchange Commission, SVR Tracking, Deloitte, Sonic, Whole Foods Market, Disqus, Hyatt Hotels, Forever 21, Maine Foster Care, Uber, Imgur, TIO Networks, eBay, Alteryx
That’s more than 40 companies - not a good trend.   It also leads to the questions, "Is my business vulnerable?" and  "What can I do about this?"  
Here are some quick tips that I gleaned from a recent article from EverBridge:
Question your approach
Justifying the effort to define a recovery strategy for what is arguably a rare occurrence is difficult.  Instead, look at the need from a value-based perspective on being able to recover, such as:
  1. Regulatory compliance
  2. Competitive advantage
  3. Brand and reputation recognition
  4. Knowledge capture
  5. Increased robustness
Find out what others in your industry are doing and from there address the question, “What is right for us?”  Not all companies need sub-second recovery… Some companies really can convert their entire work force to remote workers…   Your solution needs to be tailored to your needs.
Work Out
Simply, plans are worthless if you don’t exercise them on a regular basis.  Leading standards on continuity planning refer to having regular exercises that increase in scope and complexity over time.  Of course, “How often?”  is a key question.  Two exercises a year is thought to be a good benchmark for exercises, with one being a tabletop exercise and the other a more in-depth simulation.
Some food for thought:  As you continue through your planning process, include your business recoverability and resilience as part of the discussion.  Being prepared for “what if” scenarios is critical for long-term success.  
Huber Advisors is here to help with that planning.  We can advise on how to start the process yourself, as well as engage with your organization to facilitate the creation of strategy and recovery plans.  Call us at 651-429-9991 or e-mail us, and we can help you Be Ready for Anything!

Some things simply stay the same.

I came across a report that highlighted four key areas on which to focus your recovery strategies:
  • Virtualization
  • Cloud Computing
  • Mobile Devices in the Workforce
  • Social Networks
Looking at today’s business climate, these are certainly four areas that can still impact your environment. 

What’s interesting is that the list is from a CIO poll from April, 2012.  A lot of the basic elements of your recovery strategy really haven’t changed in the last five years (if not longer).  Nonetheless, they remain important areas for your planning. 

As you work on your recovery strategies, here are some key points for you to consider:

Size does not matter.
Smaller companies are actually easier targets and need to be equally wary of an attack.

The inexperienced are the most complacent.
As soon as business leaders and companies deal with an incident that impacts their business, they are more likely to galvanize the troops to prevent one from making a direct hit.  But the planning needs to be done before the incident, not after.

Educate employees on their roles.
People, whether employees or customers, are often the weakest link in a recovery chain. Training is critical to an organization’s success and resiliency.

Clear communication is critical.
Communicate what you know, when you know it while recovering from an incident that impacts your organization.

Plan for the worst.
When preparing your strategy, definitely discard the rose-colored glasses and plan for the worst-case scenario.

As the title says, some things really stay the same: the key areas to address, the need for recovery, and the goal of ensuring your business continues to provide its products and services.  The biggest thing is to not let complacency be the thing that stays the same.

Starting small works.  Call us now at 651-429-9991 and start with a day’s worth of focus on your recovery strategy.  Remember, our goal is Helping Businesses Stay in Business!