Original article from http://www.industryweek.com
By Travis Hessman
With industrial attacks on the rise, manufacturers are learning that high-tech defense depends on one vital nontechnical tool: education.
The sky is falling.
In April, the entire Internet – all 3.7 billion connected computers and devices in factories, pockets and offices around the world – was pinged by a single operator. Just for kicks.
That ping painted a global map of the Internet riddled with cyber-security holes and easy targets, highlighting about 310 million IPs open for attack.
In that map, there are about 114,000 vulnerable manufacturing control systems, about 13,000 of which can be accessed without inputting a single password.
The industrial world, it appears, is wide open for a cyber massacre.
Which may actually already be under way.
“We are engaged in actual digital combat,” explains Brad Hegrat, principal security advisor and manager of business risk at Rockwell Automation (IW 500/174), which manufactures the kind of control systems being targeted by these industrial hackers.
“It’s no longer a matter of if you’re going to be penetrated by some sort of advanced threat; it’s more a matter of when,” he says. “If a threat actor decides to focus on your environment, you will be penetrated. It’s simply a fact.”
Such attacks, Doug Wylie, Rockwell’s director of product security risk management, highlights, hold some serious damage potential.
“Unlike some of the traditional IT-based systems that are focused more on protecting the communication and financial sides, there are some further reaching consequences that come with industrial control,” he explains. “We’re dealing with systems that are facilitating controls of critical infrastructures, oil and gas, water, food and beverage.”
These applications, he says, demand a higher level of attention than normal system security.
The focus of that attention, however, doesn’t necessarily mean building the impenetrable high-tech fortress one would expect.
Rather, it seems to come down to a combination of robust technical protection measures with equally robust non-technical elements – that is, a well-trained, security-conscious workforce.
“There is a huge push for tech. We like new equipment and new software; it makes us feel safe,” Hegrat explains. “But one of the most important things that a customer can do is to make sure that they have the new technical elements up and running.”
“Believe it or not,” he adds, “you can get more done with sound policy and procedure than with technology acquisitions alone.”
Making that happen, however, requires a cultural shift in the industry, says Wylie.
“It comes down to education; education is the number one thing you can do,” he says. “You can’t solve everything with technology.”
“In World War II, they had this saying, ‘Loose lips sink ships,’” Hegrat adds. “Today, it’s, ‘Loose clicks sink enterprises.’ You get that sort of mindset back and you’re going to do far greater good than any technology can do.”
Original article towerswatson.com
Flash survey reveals little consensus on effectiveness
NEW YORK, May 23, 2013 — Despite the explosion of social media in the personal lives of many people, a new survey by global professional services company Towers Watson (NYSE, NASDAQ: TW) shows that just over half of employers are using social media tools to communicate and build community with employees. Further, among those employers that have embraced social media technology, there is little consensus as to which ones are most effective.
The 2013 Towers Watson Change and Communication ROI Survey found that 56% of the employers surveyed currently use various social media tools as part of their internal communication initiatives to build community — creating a sense that employees and leaders are in it together, and sharing both the challenges and rewards of work. However, when asked how they would rate the effectiveness of social media tools, only 30% to 40% of respondents rated most of the tools as highly effective. And only four in 10 (40%) rated the use of social media technology as cost effective.
[Table: social media tools surveyed, with columns “% that use” and “% of those that use and find it effective.” Rows: streaming audio or video; HR or other function journal or blog; enhanced online employee profiles; employee journals or blogs; leadership journal or blog; apps or other mobile approaches. Figures not included.]
“We believe that social media can be a great tool for communicating with employees in the workplace,” said Kathryn Yates, global leader of communication consulting at Towers Watson. “By its nature, social media is designed to build community and could help engage employees on key topics such as performance, collaboration, culture and values. As the need for global collaboration increases, we expect more companies will join those already leveraging social media to creatively communicate those messages.”
The Towers Watson survey also found that while four in 10 employers (41%) say they are effective at building a shared experience with their employees as a whole, the percentage drops by roughly half (to 23%) when it comes to building community with remote workers.
“As today’s workforce evolves, we know from our research that the growing number of remote workers are looking for clear communication, to be treated with integrity, and want coaching and support from afar. For employers to effectively engage and retain remote workers, they will need to connect them with their leaders, managers and colleagues. We think social media tools can be a real help in making this connection,” said Yates.
The 2013 Towers Watson Change and Communication ROI Survey was conducted in April 2013. A total of 290 large and midsize organizations from across North America, Europe and Asia participated in the survey.
Get your family and home ready for a tornado with the official Tornado App from the American Red Cross. The Tornado app puts everything you need to know to prepare for a tornado – and all that comes with it – in the palm of your hand. Download it directly from the iTunes or Google Play app stores.
Monitor conditions in your area or throughout the storm track, prepare your family and home, find help and let others know you are safe even if the power is out – a must have for anyone who lives in an area where a hurricane may strike or has loved ones who do.
The Red Cross Shelter Finder is available in the iTunes store and works on iOS devices. The Shelter Finder displays open Red Cross shelters and their current population on an easy to use map interface.
The official American Red Cross First Aid app puts expert advice for everyday emergencies in your hand. Available for iPhone and Android devices, the official American Red Cross First Aid app offers videos, interactive quizzes and simple step-by-step advice; it’s never been easier to know first aid.
Be ready for an earthquake with Earthquake by American Red Cross. Get notified when an earthquake occurs, prepare your family and home, find help and let others know you are safe even if the power is out – a must have for anyone who lives in an earthquake-prone area or has loved ones who do.
Be ready for wildfires with the official Red Cross wildfire app. “Blaze Warnings” lets you see where NOAA has issued wildfire warnings, “Blaze Alerts” notify you when a new wildfire occurs and the “Blaze Path Tracker” gives you a current view of the wildfire’s track and perimeter. You can also let loved ones know that you are safe even if the power is out and learn what steps you should take to prepare your family, home and pets – all from the palm of your hand.
Original article from http://safetydailyadvisor.blr.com
Virtual training is an effective new way to train … as long as learners are ready to engage with the new training environment. Today’s Advisor presents part one of a two-part series in which we hear from one expert on virtual learning.
When making the move to virtual training, “we, as trainers, often get caught up with what we need to do to prepare,” says Cindy Huggett, training consultant and author of Virtual Training Basics (www.cindyhuggett.com).
However, it is important to keep in mind that while virtual training is a new way for trainers to train, it is “a new way for learners to learn as well.” As a result, trainers need to prepare learners to thrive in a virtual training environment.
In an article for our sister publication, Training Forum, Huggett offers three suggestions to help ensure that virtual training will be effective.
“I’m a big fan of having a kickoff session,” that is, a 20- to 30-minute prerequisite session to be completed before training actually begins, Huggett says. “That helps familiarize learners with the content and the technology (e.g., learning how to submit questions, respond to poll questions). If they are new to the technology, they will experience what it is like to be in an online class.”
She also suggests giving learners tips in advance to minimize disruptions during training, such as going to a reserved conference room alone to participate in the training. A checklist can be an effective tool, as well; and that can be as simple as instructing learners to set their phone to “do not disturb,” turn their daily to-do list face down on their desk, and hang a “do not disturb” sign on their office door and ask them to enforce it, she says.
WRIN.tv spoke with Rick Betterley, author of the Betterley Report, to get his thoughts on cyber insurance coverage. He concurs with the findings in a recent benchmark report published by Marsh that said more corporate customers are purchasing cyber insurance, and those that have it are buying more. As a relatively new product, many insureds do not have cyber insurance yet, but more and more companies are purchasing coverage.
Risks that are not covered effectively or currently covered under policy:
Rick discusses new trends in coverage toward a highly protected risk approach to cyber exposures, including loss prevention and mitigation.
Cloud computing is growing in popularity within corporate IT departments. It can provide rapid access to technology, support better customer service, and accelerate the introduction of new products.
Risk managers are trying to keep up with the Cloud Computing revolution to assess and properly manage the risks. Here to walk us through the issues surrounding Cloud Computing is Rick Betterley. He is author of The Betterley Report, which publishes research on technology and cyber risk.
In this discussion Rick talks about:
Rick Betterley’s Interview with WRIN.tv.
By Garry Kranz
Social learning may not yet be a mainstay of corporate training departments, although it’s more than a trend inside larger enterprises.
A Jan. 22 report from Bersin by Deloitte, an Oakland, California-based research firm formerly known as Bersin & Associates, says large employers are fueling increased adoption of social-learning tools, such as internal employee blogs, wikis and online expert communities. Enterprises with at least 10,000 employees spent an average of $46,000 on social tools in 2012, three times the average two years ago.
The uptick contributed to an overall spending jump of 12 percent on employee training last year, according to The Corporate Learning Factbook 2013: Benchmarks, Trends, and Analysis of the U.S. Training Market. The study is based on research involving 300 organizations of various sizes and industries.
Most U.S.-based employers use some type of social tool to facilitate greater employee learning, including internal blogs, wikis, subject-matter directories and “communities of practice,” in which employees develop and share their expertise, says Karen O’Leonard, a Bersin by Deloitte analyst who authored the report.
“The big challenge for learning and development professionals is to create a new mind-set of continuous learning, not thinking of social tools as one component within a specific program,” O’Leonard says.
Organizations using social tools face another near-term hurdle: how to seamlessly organize the increasing volume of user-generated content. “We expect content management will become a growing issue. The research shows that the most effective learning organizations have created a strategy for content management and knowledge sharing,” O’Leonard says.
This year’s report uses Bersin’s proprietary “maturity model,” which lets an organization benchmark its learning function based on four levels of effectiveness and business impact.
Most companies are not at the highest rung of maturity, but there is a marked difference between those that are highly mature and those that are still getting there, O’Leonard says. The most effective learning functions are less involved with program management and play an active role in developing long-range strategies.
“High-impact learning organizations have L&D professionals who are very adept at performance consulting and building the capabilities the organization will need in the future,” O’Leonard says, referring to learning and development. “They’re outsourcing noncore competencies and getting away from the business of delivering ad hoc training.”
Also, the manner in which companies spent their training dollars reflects the varying level of effectiveness and maturity. U.S. companies spent about 16 percent of their training budgets on outside learning services, products and consultants in 2012, up from 12 percent in 2009. In general, organizations spent less money on expensive customized training and opted instead to purchase commodity-priced vendor products, the report finds.
At organizations deemed highly mature, the inverse is true: they invested money in instructor-led custom content and assessment programs, with off-the-shelf training products a lower spending priority.
Other notable findings:
The 12 percent rise in training expenditures equates to about $706 per employee. However, companies at the top end of the maturity scale spent $867 per employee—34 percent higher than spending by companies at the lower maturity level.
Many companies beefed up their learning and development staff last year, but the gains were offset by faster growth in the number of employees receiving learning. That dynamic has led to a decline in the trainer-to-learner ratio at many companies and is “one sign of the changing role of the L&D function” from clearinghouse to facilitator.
Training spending increased the most in the technology and manufacturing sectors, which each posted year-over-year increases of 20 percentage points.
The 12 percent spending surge shows companies are reinvesting in skills development after a long period of financial instability, O’Leonard says.
BY VINCENT SYRACUSE, PAUL SARKOZI, MATTHEW MARON, GEORGE DU PONT
Facebook, LinkedIn, Twitter. At times these social media outlets are purely personal communications. Other times, they are part and parcel of how a company does business. How does a company identify which social media data it must retain as part of its overall policies for preserving electronically stored information (“ESI”)? In large part, the answer may be found by examining the degree to which the social media communication is truly a company-related communication. If the company permits or authorizes social media communications on its behalf, it likely will need to take steps to preserve and review such data even if it is made by an employee on a personal, password-protected account on a home computer.
That is not to say a company must always be its employees’ keeper. When company employees create social media accounts for purely personal communications (e.g., a personal Facebook account), a company typically will not have any obligation to preserve such data, particularly where such accounts are accessible by a username and password known only by the individual employee and not the company. Companies can help insulate themselves from ESI obligations with respect to such accounts by enacting policies that prohibit any use of such private personal social media accounts for work-related communications on behalf of the company.
In some instances, however, companies will want to encourage or permit employees to use personal social media accounts for work-related communications. For example, recruiters at personnel staffing companies routinely use personal LinkedIn accounts to reach potential candidates. In such circumstances, even though the companies may not have the passwords or usernames for these accounts, the company may have a duty to preserve the social media communications they contain.
While a body of case law has not yet developed, there is no reason to believe that principles developed concerning other forms of “personal” ESI will not be applied to Facebook, Twitter and their social media cousins. See e.g. Equal Emp’t Opportunity Comm’n v. Simply Storage Mgmt, LLC, (applying traditional discovery principles to compel production of social network site data). For example, courts have required companies to produce relevant ESI that their employees stored in internet-based personal email accounts. See e.g. Helmert v. Butterball, LLC. Courts may well treat personal LinkedIn accounts the same way.
To ensure that companies will not face the extra costs of disputes with their employees to obtain access to the ESI they are required to produce, companies that rely on employee use of social media should establish clear policies governing the use of workplace computers and other electronic devices that access company systems (e.g., smartphones, tablets and other portable electronic devices) with a particular focus on regulating social media usage on company systems and the duties that may be triggered to preserve data generated from such usage. Companies should instruct employees to engage in work-related communications on behalf of the company only from accounts to which the company has access.
In addition, because social media can be accessed anywhere there is an Internet connection, companies should alert employees that even when they are outside of the office, certain work-related ESI generated on their personal social media accounts can be subject to the company’s preservation obligations, and that in the event litigation is reasonably anticipated or when faced with a subpoena, the company may instruct its employees to preserve social media content from their own personal accounts, which may contain relevant information.
Taking these steps may help ensure that companies will be able to access social media used by their employees on behalf of the company. However, companies that rely on their employees’ social media use also need to make sure that they can preserve such data to avoid spoliation claims. The Sedona Conference’s Primer on Social Media (available at thesedonaconference.org) notes that tools for preserving social media are constantly evolving, and some of the suggested methods currently used for preserving relevant social media data include capturing and preserving static images of relevant social media data or using site monitoring software.
In making these recommendations, we offer an important caveat: Prior to requesting access to an employee’s personal social media account, a company should check with employment counsel to ensure the company does not run afoul of laws that prohibit asking employees for personal social media account passwords.
While advances in technology can spawn increased productivity and lower costs for a company, security concerns about the use of mobile devices and social media remain a hot-button issue for employers and HR professionals.
A recent poll by My Sammy and Holos Research found that security concerns rank as the top reason that employers block employee access to social media sites in the office, according to a report by Human Resource Executive Online. Of the respondents whose companies blocked access, 77 percent cited security as the primary reason, followed by productivity concerns at 67 percent.
Facebook and Twitter aren’t the only tech trends that keep HR leaders up at night. The hardware that employees use to access these and other Internet sites can open the door to serious security breaches, as well, a report by the Society of Human Resource Management (SHRM) noted.
As the sophistication of mobile devices has advanced in the last few years, so have malware, viruses and other threats that specifically target these devices. “The bad guys are getting better at making their apps look legitimate,” Bob Hansmann, senior product marketing manager for Websense Security Labs, said in the SHRM report.
Bad apps can steal passwords and credit card numbers and can track website visits and text messages, said Robert Siciliano of antivirus software firm McAfee.
The problem is compounded when employees use their personal tablets and phones for work purposes.
Employers need to keep their policies and technologies sharp to avoid these security threats, experts say. For instance, employers can limit the amount and types of information that employees can access on these devices, Hansmann suggests.
Siciliano recommends that employees be educated about the risks and be encouraged to be vigilant when shopping for mobile apps — whether they be for personal or professional use. The company, however, should always take the lead when enforcing security policies, he said.
“Lock, locate and wipe is fundamental to any bring-your-own-device policy,” Siciliano said in the SHRM report. “Not having some control over that device . . . is irresponsible today.”