In our field, the terms business continuity and crisis management are thrown around a lot. What we've noticed recently, though, is that many are under the mistaken impression that the two have the same meaning.

Crisis Management

While it is true that they are closely related, they are not one and the same. In his Managing Outcomes newsletter, crisis management pro Tony Jaques gave an excellent explanation on the aspects of crisis management: 

Crisis Management is a strategic management process which begins long before the triggering event and continues after the triggering event has been brought under control.  It embraces:

• Identifying and proactively managing potential crisis issues before they happen
• Getting ready for when a crisis does happen
• Responding effectively to the event
• Restoring business as usual
• Responding to the highly damaging risks which often arise when the dust has settled (sometimes called the crisis after the crisis) and finally,
• Learning from what happened and incorporating it into future planning.

You see, doing crisis management right means taking a holistic approach, which is part of ensuring business continuity – keeping your operations up and running while the crisis is being managed.

Business Continuity

The prep, training for, and actual act of maintaining or restoring business to usual is what business continuity actually entails, although such a brief description does little service to the massive scope of work required when encountering a serious interruption.

In fact, business continuity entails just about any activity performed by an organization to ensure that critical business functions will be available to its stakeholders, including customers, suppliers, regulators and other entities. For example, the efforts behind re-linking broken supply chains and overcoming disaster situations would all fall under the description of business continuity, as would training employees how to handle operations when the computers are down, or power is out.

Just as with crisis management, business continuity is an ongoing process that should be a part of your day-to-day operations, rather than a separate process that you only turn to in times of trouble. Train well, run practice simulations, and have your skills at the ready when the time comes.

Crisis management and business continuity go hand in hand, but they aren't the same thing. Know the difference, and your organization will be stronger for it.

MissionMode's simple-to-use crisis management, emergency notification and mobile communication software enables organizations to take control of crises and reduce the time and cost of the response.

Social media hacks are making the news on a weekly basis. Hackers have taken command of the social media accounts of numerous high-profile companies such as the Associated Press, Wall Street Journal and Jeep. Don’t you think it’s about time you protected yourself?

Staying secure

In a PR News article, Peter Lamotte shared a wealth of advice, including tips for security, like these:

Diverse passwords Too many organizations use the same passwords to access and manage all of their social media properties. Instead, organizations should diversify their passwords by creating uniformed segments within the password specific to the company, the user and the platform.

Taking care with your passwords is the absolute best way to improve online security. One new trend is to use full phrases as passwords, making them lengthy and complex, yet simple to remember. Don’t leave passwords the same for extended periods either, changing them regularly up makes things harder for those looking to gain access.

Passwords are not enough

Two-factor authentication For the more cautious brands, factor authentication represents the most intense level of password security available. When seeking access to social media properties account managers enter login information and then are sent a random password to an email address or mobile device. They then enter that password for total access.

Two-factor authentication is the best way to ensure that only the people you’ve OK’d can access your accounts. Facebook, Google and Microsoft have all rolled out two-factor authentication in response to user demand, and Twitter recently added that option for users. However, in each case, two-factor authentication remains an option that must be enabled.

What to do if you’re hacked

The article also offered steps to be taken for crisis management the moment you realize you’ve been a victim, including this essential first move:

Contact Twitter or Facebook to pull the page down The moment a hack is detected, suspend the account until passwords can be reset and security can be reestablished.

How do you do this? Twitter has a full page explaining, step by step, what you should do when your account’s been compromised and you do still have access, as well as when you don’t have access.

Aside from Twitter, Facebook is the most likely place you’ll be hit. If you find yourself locked out, head over to the Account Compromise Reporting Page and follow the step-by-step instructions.

Another bit of advice, unless it’s part of your regular method of operation, don’t start sharing personal viewpoints on your business account. A sudden change in behavior can spark false alarms, scaring viewers away.

There is no question that hackers are going to continue to target social media accounts, both for kicks and as a result of financial motivation. Because their methods will only continue to grow more sophisticated and effective, it’s critical that every organization become educated and remain aware of the latest preventive measures.

MissionMode's streamlined incident management and mass notification software enables organizations to take control of fast-moving crises and reduce the time and cost of the response.

The more accepting your organization is of the need for business continuity management, the easier it is to implement plans, and the more successful you will be when it comes time to enact those plans. The problem is, everyone in your organization is busy with their own tasks, and business continuity often gets left with the short end of the stick when it comes to spare time and energy from other departments.

Making business continuity mean more

How can you help make business continuity mean more to members of your organization? A Continuity Insights article by Ken Simpson explains the many dimensions of culture and relates them to BCM. At the end of the article, Ken has an exercise, part of which is below.

Consider these questions relating to your BCM program and your organization. Use it as a Gap Analysis—what are the current answers, what should they be to improve/align the culture of BCM?

Organizational Structure

How formal/informal are the management structures that apply to BCM in your organization?

Would the culture, or acceptance, of BCM be better if they were more/less formal?

Control Systems

What is most closely monitored and controlled in your BCM program?

Should you put the focus on some other aspect/artifact?

Rituals and Routines

What core beliefs do these established protocols reflect about BCM?

What do they reflect as important about BCM? (e.g. Are exercises about succeeding or dealing with issues?)

Power Structures

What are the core assumptions and beliefs of Executives about BCM?

As you can see, taking in mind the way your organization (and the individuals within) think and operate will help lead you down the most effective path towards creating a BCM-friendly culture.

Perspective matters

Along with increasing acceptance of business continuity plans, it helps immensely to know who is best suited for each role, and what the organization as a whole is willing to accept. The following quote, from Ken Simpson’s “Considering…” blog, should help explain:

No one cultural perspective is either right or wrong, we need to learn how to apply the appropriate perspective to the task at hand.

• Get the appropriate actions/responsibilities assigned where they best fit
• The culture of the rugged individual may not be appropriate for Emergency Management (especially for a role of Fire Warden and Evacuation Marshals) – “every man for himself” is not the best philosophy here!
• Agility is an important attribute of a resilient entity – but do not expect this to be built, or embraced, by a Hierarchist/Bureaucrat culture.

Adapt for success

The name of the game is adaptation. Whether adapting your plans themselves, or the way you approach the subject of business continuity, it takes flexibility and a willingness to communicate in several different styles in order to promote a BCM-friendly culture to the fullest.

Organizations around the globe trust MissionMode's incident management and emergency notification applications for communications and coordination of the response to all types of crises. Contact MissionMode for more information.

Here is an interesting infographic about how to avert a social media crisis. The author refers to "climbing the Social Media Hierarchy of Needs". Learn how to advance from the foundation to the pinnacle of enlightenment with 15 principles of social media crisis planning and response.

Click the image to view at full size

Source: Patricia Redsicker

Organizations around the globe trust MissionMode emergency notification and incident management applications for communications and coordination of the response in all types of crisis. Contact MissionMode for more information.

We hear a lot of talk about the importance of business continuity. In short, it involves anything that helps ensure that your business can continue on, regardless of the hurdles thrown in its path. That means crisis plans, supply stockpiles, communication chains, disaster training, data backups and more must all be a part of your business continuity planning.

Where do You Start?

With such a wide range to cover, where do you start? According to a recent post on the Stoneroad Business Continuity blog, it pays to start with your worst-case scenario:

Start With the Worst. Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst-case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.

Why is it good to start with the worst-case scenario? Because working through plans for a devastating situation is likely to make you pull together much of the information, and prepare many of the strategies, that will then be put to use in planning for lower-impact issues.

The creation of your worst-case plan may result in a list of contacts being formed, information on alternate supply chains being gathered, evacuation plans implemented, and other information. When you go to put together a continuity plan to cope with a smaller issue, say, a local power outage, you’ll have all of the essential information already at your fingertips and the plan can come together quickly.

Plan, then Practice More

Of course, you can’t stop with planning. Business continuity plans are often created with a great deal of effort, and then left to gather dust on a shelf somewhere where they’re good for nothing except balancing out wobbly tables. You have to put these plans into practice as much as possible, through tabletop exercises and, preferably, at least one full-fledged simulation each year.

Fail to prepare, and even a minor crisis can leave you reeling. Put in the time and effort, though, and watch your organization conquer difficult situations like a well-oiled crisis-fighting machine.

Organizations around the globe trust MissionMode's incident management and emergency notification applications for communications and coordination of the response in all types of crisis. Contact MissionMode for more information.

It’s difficult for many to understand that the way that you communicate during a crisis is just as, if not more, important than what you’re actually saying. When you speak like a genuine person, then your audience will typically be receptive to your messaging, whereas if your communication sounds shady, even a full admission of fault will be viewed with suspicion.

In a recent blog post, crisis and reputation management pro Chris Syme discussed three messaging styles that should be avoided at all costs in a crisis, including one that epitomizes the cringe-inducing term, “spin doctor:”

The PR Machine. This persona speaks corporate-speak, talks of the events in third person language, and can make any negative, no matter how horrifying, into a positive. Even though every storm cloud has a silver lining, sometimes we just need to acknowledge it is raining and leave it at that. Personable, straight forward language in the first person is the best way to communicate. Remind your audience that you are committed to resolution and to taking care of any people affected by the event. If you put people—both internal and external—above the organization in your messaging, you will lay the groundwork to engage more advocates in your crisis.

It all comes down to this – you have to be honest. Not just honest as in, “I didn’t exactly lie because I left some words out and twisted a few words around a bit.” Rather, honest as in, “I made it as clear as humanly possible exactly what happened, even if it means admitting responsibility for some mistakes.”

In today’s business climate, both the public and the media are keen to spot someone looking like they’ve got something to hide, you absolutely cannot play spin doctor with your crisis messaging. Get out there, tell it like it is, and explain exactly what you’re going to do to set things right. Is it painful initially? You bet. Will it help save, and even possibly bolster, your reputation as a caring, responsible organization in the long run? Absolutely.

MissionMode's simple-to-use crisis communications, emergency notification and mobile communication software enables organizations to take control of crises and reduce the time and cost of the response.

An excellent article in the International Airport Review details how Birmingham Airport’s new control facility is strengthening the airport’s operational effectiveness. The 3 million dollar Airport Control Centre (ACC) merges the facility’s previous five control centers into one state-of-the-art facility. It plays a multi-functional role to manage the apron, terminal, engineering and security control functions at the airport and to create better communication and processes using the latest technology.

The ACC is a 24-hour operation, overseen daily by an Airport Manager and a team of Airport Controllers. The team are responsible for monitoring and controlling the entire airport’s operations. During normal operations, they are focused on improving operational performance in every area of the airport, ensuring that Birmingham is delivering the best possible service to its partners and customers.

The article provides a fascinating behind-the-scenes look at a complex 24x7 operation.

Read the Article

MissionMode's streamlined incident management and mass notification software enables organizations to take control of fast-moving crises and reduce the time and cost of the response.

If you've been watching the headlines for the past several months, you've had a series of major reminders about the importance of cyber security. From the Twitter hackings of Burger King and Jeep, to the NY Times' announcement that hackers gained and held access to its systems for several months, to the big one—a report from computer security firm Mandiant. The report details the actions of an aggressive group of hackers that appear to be connected to a foreign government that's been stealing data and infiltrating systems across the U.S. for years.

Besides obvious steps like running up-to-date anti-malware programs and maintaining a skilled IT staff, what can corporations do to avoid becoming the next victim? The answer lies in a combination of education, policies and better security.

Educate Employees

Many corporate intrusions these days are led by a spear-phishing attack. These are similar to the phishing emails we're used to seeing that target a huge number of emails in an attempt to get people to hand over bank info, etc., except that these are specifically crafted to dupe a single target, or a small group of people, into opening infected files or giving out private information.

Teach everyone in your organization the proper security procedures not only for use at work, but on their home systems as well. With how connected we are these days it’s just as easy for hackers to target someone’s laptop or even home PC and then jump from that to their work network.

Employees need to know how to recognize a potentially suspicious message, even if the sender is familiar. They should be careful when opening attachments such as zip files or executables that could contain malicious code.

Weak passwords are one of the easiest ways for hackers to break into a system. Employees need to use different passwords for different services and they need to use strong passwords with a combination of characters, symbols and numbers. Force employees to change their password for internal systems every few months.

Every year, SplashData releases its list of the most common passwords used on the Internet and posted by hackers. Five of the most common passwords are qwerty, password, 111111, baseball and sunshine. Employees should never be able to select weak passwords like these.

Create and Enforce Policies

Don’t just tell people what they need to do to stay secure, make Internet security an integral part of your policies. Require those strong passwords, and make sure that they are reset every few months. Schedule mandatory malware scans and system checkups on a regular basis, and institute procedures that allow for instant reporting and investigation of suspicious activity. Make it easy for your staff to report suspicious activity.

Conduct regular training sessions for all employees, not just your IT staff. Reinforce the important of the policies.

The integrity of your network and the data within is more important than simply getting work done as quickly as possible, and everyone should be aware of the steps to be taken when encountering any suspicious web-related activity.

Strengthen Security

You need to have good anti-malware on every computer in your organization. With the rise in BYOD (bring your own device), personal computers often do not have proper protection. Mandate that even personal devices have software that you have approved.

If you’re using enterprise anti-malware, make sure the signatures are updated regularly, daily if possible. Because of its complexity, enterprise software can sometimes fail to update itself, which leaves computers more vulnerable.

If your help desk can reset passwords for employees, make sure they have a stringent set of criteria for doing so. So-called social engineering is a common way to steal passwords. A knowledgeable hacker could pose as an employee and have their password reset, bypassing all your security precautions. Ask more than just personal questions. The answers to those types of questions can often be found by searching on the Internet, particularly if someone is active on social media.

To strengthen security for mission-critical systems, you can require physical authentication using password key fobs, such as SecurID.

An ongoing battle

Cyber threats are not going to go away. Whether it’s a modern smash ‘n’ grab aimed at stealing credit card numbers or extensive corporate espionage that gives competitors full access to your data, financials, blueprints and negotiating strategies, these are the crimes of the future, and they’re only going to get more sophisticated.

The virtual arms race between hackers and “white hat” computer programmers is a close one, but as we know it’s often those from the dark side that set the pace in terms of finding new methods to get past whatever walls we put up. Stay informed, aware and vigilant. It’s your best defense.

Organizations take control of crises and reduce the time and cost of the the response with MissionMode's simple-to-use incident management, emergency notification and mobile communication software. Contact MissionMode for more information.

Photo credit: Reuters/Brian Snyder

The Boston Marathon bombing last week was a grim reminder for many that terrorism can strike within our borders. Should we live in fear? Certainly not. Should we be prepared? Absolutely.

"Any public event of that magnitude is very difficult to secure," said Lou Marciani, director of the National Center for Spectator Sports Safety and Security at the University of Southern Mississippi in Hattiesburg, Miss. "There's no perimeter control, there's no access control, there's nothing."

You simply can't guarantee that you'll spot every attack before it happens. Whether in the midst of a large event or at your own workplace, unless you're working in a military facility there any number of gaps a committed party can slip through for long enough to create a crisis.

Domestic terrorism encompasses more than just major destructive acts such as bombings. For instance, radical environmental groups have attacked facilities and disrupted operations. And most of us are familiar with instances of disgruntled employees attacking people at their workplace.

While you can't stop every incident, there are steps that can be taken to minimize the impact and risk of domestic terrorism on both your business and human life:

1. Include domestic terrorism in your business continuity planning.

Although it's not something anyone expects to be a regular occurrence, even a single act of terrorism can have significant impact. Just as many organizations have incorporated active shooter scenarios, it pays to consider adding terrorism scenarios.

Think of the businesses in the area around the Boston bombings. Imagine the effort required to make it safe to enter, much less make things as they were again. Who's in charge? How do they notify staff?  You don't want to be figuring out the answers to questions like that in the chaos after an attack, that's why it's critical to have a plan.

2. Terrorism can strike more than just your physical operations.

Domestic terrorism doesn't have directly hit your place of business to throw you into crisis. Would your organization be prepared to run tomorrow if your traveling execs were kidnapped? How are you going to react when an attack puts your key supplier out of commission? What will you do when your supply chain is disrupted by an attack? Create backup plans for critical assets, along with solid procedures for key man succession.

3. Be prepared for false alarms.

Bomb scares are becoming more common, and will likely remain that way as hyper-vigilance sometimes results in misidentifying innocent packages such as backpacks. Have a way to pull back your crisis plan as it unfolds, should it be necessary. The most common way now is to use text messages or phone calls to quickly notify everyone that the coast is clear and it's time to return to business as usual. Using emergency notification or incident management software can make this a simple process that takes virtually no manpower.

4. Beef up security.

This one seems obvious, but is often neglected due to an "it can't happen here" attitude. A person off the street shouldn't be able to walk through your offices unchecked. Consider adding video surveillance in areas accessible to the public, such as entrances.

At public events, especially those surrounding anniversaries of previous attacks, the more eyes—both human and electronic—that are on an area, the more it deters potential attacks, as well as improving the chance of catching culprits.

Increasing your physical security also has the benefit of reducing the risk of corporate espionage and workplace violence.

5. Clear the (e-)airwaves.

If you aren't impacted by an attack, it's still important for you to clear your online marketing schedule, at least for the moment. Immediately following the Boston bombings, we spotted quite a few organizations who had clearly not wiped their social media posting queues and were spamming away with self-promotional messages, as well as some advertising emails that used spectacularly poorly timed terms like "explosive". If you're not sharing relevant info or helping emergency responders spread their messages, just stay quiet.

6. Become CERT certified

FEMA’s CERT (Community Emergency Response Team) program educates people about disaster preparedness, and trains them in basic skills like fire safety, light search and rescue, team organization and disaster medical operations. These classes are offered free or at low cost in most communities, and having even one or two CERT trained people on staff can really make a difference.

Domestic terrorism is an unfortunate reality, but being prepared we eliminate the need for constant concern. Put these steps into action and then go on with business, confident that you're prepared to cope with the worst should it occur.

Organizations around the globe trust MissionMode's incident management and emergency notification applications for communications and coordination of the response in all types of crises. Contact MissionMode for more information.