Swine Flu: U.S. Declares “Emergency of Preparedness”
On Sunday, Secretary Napolitano declared an Emergency of Preparedness, stating, ‘…we’re preparing in an environment where we really don’t know ultimately what the size or seriousness of this outbreak is going to be.’
I agree that this declaration is needed because most organizations are not well prepared for a pandemic flu outbreak. Studies show that organizations need pandemic plans that address workforce absenteeism rates of 40 percent or higher.
What if 40% of your employees were staying home because:
1) They are home sick
2) Family Members are sick
3) Schools are closed
4) Employees fear becoming sick
What if your vendors are unavailable due to travel restrictions/sick employees?
What if your partners are unavailable due to travel restrictions/sick employees?
What if your employees are unable to travel and make sales calls due to quarantines/border restrictions?
If your organization allows employees to work remotely, how do you know if people are receiving communications?
How can you ensure that all appropriate personnel have access to pandemic flu plans and procedures and understand their roles and responsibilities?
Gaps in communications and coordination efforts must be addressed sooner rather than later. Has your organization reviewed or updated its pandemic flu plan recently? Are you prepared?
Swine Flu Preparedness…White House Megaphone vs. Twitter Megaphones
This past Sunday I was watching and listening to DHS and HHS officials talk about the Swine Flu Alert. During the announcement I found it interesting that Secretary Napolitano made a special point to clarify the declaration of emergency by saying she wished they could call it a declaration of emergency preparedness, because that is really what it is in this context.
I agree with Secretary Napolitano that a declaration of emergency preparedness is needed because most organizations are not well prepared for a pandemic flu outbreak... but that is another topic for another day.
Then I came across a headline on CNN about Twitter causing controversy: some of the Twitter micro-blogging is propagating fear, unnecessary hype and misinformation about the outbreak, while others comment that the Twitter buzz is a good sign that people are talking about the issue.
No matter what you think about Twitter, everyone using Twitter has a megaphone to use however they want.
So, are there any Lessons Learned involving megaphones? Remember what happened when Orson Welles went on the radio in October 1938 and presented a series of simulated news bulletins that suggested an actual Martian invasion was in progress? The radio show created panic and widespread outrage with some calling the event cruelly deceptive.
So, what happens if an ‘Orson Welles’ or terrorists decide to use Twitter to create panic or spread hype and misinformation about the outbreak? Is your organization prepared to address rumors, hype and misinformation from Twitter and other megaphones?
What happens if your employees stay home from work because of misinformation?
What happens if ‘bad guys’ or ‘competition’ use Twitter to create panic with your customers and your partners?
Does your organization have a way to securely communicate accurate and sensitive information with your employees? With your partners?
Can your organization ensure integrity and accountability for information at the individual level?
Lessons learned clearly show that megaphones can create complex problems, and managing them is becoming an expensive and time-consuming burden for organizations of all sizes.
In today’s world of megaphones, organizations need tools that can deliver the right information to the right people in the right place at the right time with accountability and auditability.
Heartland Payment Processor on PCI “Probation”…Compliance is not a Once a Year Thing
In one of the largest data breaches to date, the breach at Heartland Payment Company compromised the cards of over 100 million people, almost 1/3 of the U.S. population.
In addition to dealing with a damaged reputation, expensive notifications and fallout, and continued lawsuits from affected banks and credit unions, the latest hit to Heartland came from Visa. Visa recently took action by suspending Heartland, the data breach victim, and removing it from Visa’s online list of PCI-DSS compliant providers.
Heartland was last certified as PCI-DSS compliant in April 2008, but in a presentation given earlier this month by two Visa executives, Visa was quoted as saying, “As of today, no compromised entity has been found to be compliant at the time of the breach”.
Of course they weren’t! How can an organization that exposes 100 million credit card accounts be considered PCI compliant? And... compliance on April 1 does not equal security on April 1.
Heartland is yet another lesson in how critical it is for organizations not only to focus on getting past the upcoming compliance examination, but to truly and proactively maintain a secure organization throughout the year. A comprehensive approach to security includes ongoing assessments, updates, testing and training. Employees must be continuously informed of new risks, threats and best practices. Once-a-year training is not enough. Once-a-year compliance is also not enough.
How many more data breaches will we see before organizational leaders realize the importance of implementing lessons learned?