2022 Security Risk Budget Outlook

Moving on up

At the onset of the pandemic, Security Risk budgets decreased as organizations shuttered their doors and employees left the office, and organizations under duress looked for places to cut costs. Many found their savings in the Security budget. But now, the potential to double or triple budgets in 2022 may be a reality.

Our research shows approximately two-thirds of security budgets increased in 2021 from 2020, but still have yet to reach or return to 2019 levels. 2022 has the potential to change that.

As organizations are set to come back to life in 2022, security risk events have not gone away. In fact, the COVID-19 pandemic created new security challenges. The new challenges have yet to be solved, and as schools and businesses reopen / remain open during potential future surges, the security risks of the past return as well. In order to protect themselves from past, current, and future threats, organizations need to reinvest in physical security.

Really watch

Real camera surveillance and real-time monitoring integrated with a properly trained uniformed security guard force may be, for some organizations, the order of the day. High-caliber uniformed security guards and the training necessary to protect against threats to an organization cost more than $15-20 an hour. Challenges will emerge to protect your organization, your information, your IP, your personnel. All of this may lead to an explosion of security requirements, and the budget.

Another factor contributing to budget increases in 2022 is executive protection. According to the Ontic 2021 Mid-Year Outlook: State of Protective Intelligence Report, 58% of CEOs and senior leaders who expressed a stance on political issues received physical threats. Senior Public Officials and local health department leadership who encouraged health measures like vaccination or mask-wearing have also become targets of physical threats. Against the backdrop of this increased threat landscape, executive protection has grown in importance among physical security professionals.

An inner look

These aforementioned types of threats could also come from inside an organization. Leadership will either take a stand, or not take a stand. The personnel of an organization expect their leaders to take a stand, whatever that might be, for or against a particular issue or concern. Unfortunately, pent-up frustration surrounding decisions may not even be pandemic related, and at times still results in leaders being threatened. In many areas of the country, threats against “leadership” are foreign territory for many organizations.

Integration

The threat landscape has always been uncertain and rapidly changing. With many advancements in approach, strategy, and technology, organizations can protect themselves with integrated security risk strategies.

As both physical and cyber threats compound, organizations are tasked with protecting themselves on all sides. With increased and realized threats there is one unfortunate downside: higher security costs as risks to supply chains and cyber and physical security risks increase. During this pandemic many organizations have unfortunately learned that their security profile may not be, or may not have been, at the level they had hoped it to be. New gaps have been found, existing weaknesses have become even weaker and, due to other impacts of the pandemic, organizations may have struggled to get the necessary supplies, purchases and even personnel in the manner to which they were once accustomed.

Plug it

Identify your shortfalls, your gaps and plug the holes. A comprehensive risk assessment will assist in that process. If organizations fail to plug those holes, and as they begin to re-open even more, they unfortunately will remain or fall back into a vulnerable position.

Proactive hard work

Technology enhancements, uniformed security, executive protection, education, and plain old attentiveness and proactive behaviour towards security risks to quickly address existing and newfound challenges brought forth because of the pandemic will require increases in security budgets in 2022.

Now more than ever we need to move beyond reactive, and proactively secure our organizations.

It all simply starts with a plan.

We can Help.

Plan the Work. Work the Plan.

 

Should your Municipality need assistance, contact Michael White Group International today, and we will be happy to answer your questions. Visit michaelwhitegroup.com/contact/

 


Being aware – situationally aware

Our world has always been in a state of perpetual change. Now more than ever, it is perceived to be doing that at an ever-rapid pace.

There are positive changes, such as economic growth and technology advancements, to note a couple. Unfortunately, with the positive comes the negative: a continuous cycle of persons who wish to do harm.

Safety and Security experts inform us that violent events will continue to happen. From the violent extremist motivated and driven by an ideology to the targeting of individuals, places of business and worship, acts of violence permeate every vertical and sector of business and government.

Active safety and security programs are continuously reviewed and modified to face existing challenges and the new challenges of tomorrow.

To make your safety and security programs more effective, the program needs ambassadors, staff.

Ambassadors need to be aware. Situationally aware.

Situational awareness training provides your staff with valuable intelligence & time when facing safety and security situations of potential harm or danger.

Being situationally aware is truly a change in mindset.

It is a way of thinking that will focus a person’s behaviour, their outlook, and their mental attitude. People that are aware are no longer vulnerable but capable.

Capable individuals are always prepared. Capable individuals are not complacent; they use technology to enhance their preparedness and response, and their planning always includes a contingency plan.

Situationally aware staff improve the effectiveness of your safety and security program.

Situationally aware individuals enhance the workplace and enhance their personal safety and security.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance in Situation Awareness training, contact Michael White Group International today, and we will be happy to answer your questions.

Michael White Group International is an Arcuri Group LLC approved Situation Awareness Specialist Certification Training provider.

 


How to Find the Budget for a Municipal Project

Have you ever received an RFP that doesn’t have any budget listed?  It makes it hard to truly understand the scope of the work requested, doesn’t it?

Municipalities have their hearts in the right place, but often they throw more “wants” into an RFP than they have the budget for. When the bids come in way over their budget, they have to start the whole RFP process all over again – wasting everyone’s time.  

Worse yet, those who bid the first time may not bother to submit a bid the second time around and the municipality may receive fewer bids and ultimately higher pricing.

In defense of municipalities, however, I’ve been on both sides of the argument on whether or not to include the budget for a project in an RFP.

As a CAO, I didn’t want to put the budget number in the RFP either, because I was afraid bidders would simply submit bids right up to the budget number. This is still a common misconception.

But now, experience has taught me, when bidders know the budget number, the reality is they more often submit bids lower than the budget, to try to win the work.

From the Bidders’ perspective though, it’s incredibly frustrating not knowing the budget number because you can’t accurately price the work without understanding the municipality’s expectations.

So, to connect the dots, here’s a tip for Bidders to find the budget for a municipal project.

 

In most cases you can, through good sleuthing, find the budget a municipality has set aside for a specific project.

  • Provincial Announcements

Often when Provinces announce funding for municipalities, they will have a press release and a link to find out which municipality received what amount for specific project(s). That’s the easiest way to find the budget for a project.  

  • Agendas & Minutes

If the municipality received funding for the project, Council will most likely have recently passed a resolution to approve the project.  By searching the municipality’s Agendas/ Minutes section of their website, you can usually find the resolution about a month or so before the RFP was issued.

Personally, I start by looking at the Agendas and searching keywords related to whatever the RFP has been issued for (e.g. Service Delivery Review, Parks & Rec Roof Repairs, etc.). The Agenda will help you narrow down the minutes that contain the resolution Council passed, and the resolution will normally have the dollar amount approved for the project.

  • Budget

If the municipality did not receive funding for the project, you may not find a resolution approving it. So, another way you can sometimes find the budget for a project is by finding the municipality’s annual budget on their website.  

This is a bit harder to do if you’re not familiar with how a municipal budget looks, but look at the proposed expenditures for the current year, in the appropriate department and you may see the project noted separately in the annual budget. 

For example, you would most likely find the budget for “Service Delivery Review” in the General Administration part of the budget, or “Roof Repairs” in the Parks & Recreation part of the budget, etc.  

You can also check out the Special Budget Meetings of Council (again in the Agendas/Minutes section of the municipality’s website), and you may see mention of the project and how much Council wants to budget for it. 

It takes time, and it’s not always easy, but in most cases, it is possible to find the budget the municipality has set aside for a project. 

Happy Sleuthing Sherlock! 

Got questions?

Contact Susan Shannon, Founder & Principal, muniSERV.ca

855.477.5095 or [email protected]

 


What type of testing is right for your website – Understanding the difference in website testing

In the last few weeks there has been a rise in reported malware and malicious attacks on small municipalities. Testing of three small municipality websites in recent weeks by our team has resulted in failures on all sites’ basic security parameters. We often hear small organizations saying they don’t need to worry about attacks because they aren’t “big enough”, but anyone can be a target.

Regularly testing your website for known vulnerabilities and emerging threats should become a part of your Cyber Security Road Map. The first step is identifying the type of web testing that is right for your infrastructure. Here are a few key questions to consider:

1) Where is your website hosted – do you host it yourself? Is it hosted by a third-party?
2) Who is responsible for the security of the host system, the operating system?
3) Do you have a web application firewall such as Cloudflare in front of your website?
4) Is your website a static page with content?
5) Do you have a login and if so what type of data is behind the login? Customer, pricing, private personal?
6) Do you have any API interactions with other applications?

When you start down the road of testing your website you want to consider the host operating system and the application. There are two key types of testing available: fully automated scanning and manual testing. Fully automated scanning is used for both host operating systems and web applications. The host operating system scan will scan for all currently known vulnerabilities affecting that operating system. It will report back on the CVE, the risk and usually suggested remediation tips. The same is true for the web application scanning. The fully automated web application scanner will scan your website at a minimum for the OWASP Top 10 vulnerabilities and report back on risks and remediation: https://owasp.org/www-project-top-ten/

Manual testing means that you have an actual person who is using various methods to determine the security of a host or the application and, if the rules of the engagement permit, they will attempt to exploit a vulnerability and gain access, modify content or download information. There are varying degrees of manual testing: the simplest is one tester and one day, and the more extensive is 2 testers and 5 days of testing.

The type of test that is required for your website really depends on two main factors –

 

1. Have the host and application ever been tested before?

2. What is the criticality of the data being processed or stored on this site?

 

For example, if you have a very static page of content that is hosted by a third party, chances are a good OWASP Top 10 scan of your site will be sufficient to let you know if you have any glaring misconfigurations that could lead to a website defacement or potential attack on your site. If your website has a login and you allow users to sign up for accounts and host dynamic content, you would want to make sure you consider a manual test at least for the first test. Once a thorough baseline has been established for the site, testing can become more routine and automated.

We recommend you develop a plan for testing and make sure to include the above considerations. There might be special notifications you have to give in writing to a third party before you test an application, you might have to have a testing IP whitelisted in a web application firewall, you may need special accounts set up in the application for testing.

If you are unsure what type of test is right for your website, reach out to us and we will be glad to discuss options with you.

http://www.mi613.ca


The Importance of Third Party Vendor Assessments

Lessons learned from Cyber Incident Response

We are finding many companies that have experienced a Cyber Incident are not performing even the most basic Third Party Vendor Risk Assessment.

It is absolutely imperative that if you engage with a vendor you understand the associated risks.

5 simple questions can lead you to a better understanding of your Vendor risks and a quicker recovery from an Incident:

 

  1. Is there an identifiable Leadership team?
    • Who is accountable?
    • Would you be able to escalate or contact them?
    • Where are they located?
  2. Do they have an Incident Response plan and Reporting Structure?
    • Do they have a response plan?
    • Are there dedicated phone numbers or emails for reporting incidents?
    • Are ticket numbers assigned and tracked?
  3. Who is responsible for security within their Organization?
    • Is there someone who is responsible for security?
    • Is there a defined role or is it an off the side of the desk of another role?
    • Does the company reside in a country that has Breach Reporting responsibilities?
  4. Do you have a Service Level Agreement for responding to incidents?
    • Do you have a defined Incident/Severity matrix with set response times?
    • How do you escalate an Incident?
    • What is your communication cadence?
  5. Can they demonstrate their current level of Cyber Security Compliance?
    • Can they demonstrate the framework they adhere to? (NIST/CIS)
    • Do they disclose if and when they do vulnerability/penetration testing?
    • Do they have any risk reports (SOC 1, SOC 2, PCI DSS) they can share?
    • Do they have patch management?

It is important to develop a Third Party Cyber Security Screening Assessment before engaging in a new contract. We can walk you through the process and help you to understand your Cyber Risks.

 

Let’s talk Cyber!

http://www.mi613.ca


How have the pandemic adaptations affected your Physical Security?

Well into the COVID19 pandemic, organizations, governments big and small have had to take measures and make changes to their environments to adapt to the needs of their staff, customers, their service delivery model, requirements of health science, government agency regulations and perhaps “new” industry best practices and of course the ever-changing virus.

These measures have evolved into many different things. We’re going to specifically focus on physical security devices.

Two of the pervasive items that have been introduced in many environments are plexiglass and signage.

Organizations have installed plexiglass barriers at intersection points of personnel as they have the potential to interact with other personnel, customers, vendors, etc.

Informative signage itemizing physical distancing rules, self assessment health protocols have been placed all around in both strategic and random locations within the environment to ensure every opportunity for personnel and visitors to be informed.

Funny thing about all of these plexiglass barriers and signage.

In some cases, not all, we have inadvertently defeated the functionality and purpose of some or many of the installed security devices. That is, their ability to monitor, detect and alert (alarm).

  • Motion detectors blocked, unable to provide proper coverage
  • Cameras experiencing sun flare reflection off plexiglass
  • Nuisance alarms due to swinging signage on the increase
  • And other unforeseen effects

There are incidents where there is enough of this added material that areas, although devices are active and functioning as per specifications, are unable to detect properly – leaving areas with no security detection or proper monitoring.

We have the answers.

Let’s go for a (physically distanced) walk and have a conversation.

Your security risk plans are more than just a motion detector or even a strategic camera placement.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance, contact Michael White Group today, and we will be happy to answer your questions or provide quotations.


$31 million Canada Healthy Community Initiative – open for proposals

The Government of Canada announced that the Community Foundations of Canada with the Canadian Urban Institute are open to receive and review your proposal for access to $31 million under the Healthy Communities Initiative.

https://youtu.be/1smdTfZF-zE

 

I attended the Canada Healthy Community Initiative launch webinar February 9 and reviewed the applicant guide which is focused on the increased recognition of social and digital infrastructure that contributes to healthy community outcomes. The applicant guide makes it easy to understand if your organization can apply.

 

The projects eligible for funding need to serve the public or a community disproportionately impacted by Covid19 and fall within three healthy community initiative themes, one of them being community projects that use innovative data and technology solutions to connect people and support healthy communities. Community projects that use digital technologies and solutions to encourage citizen engagement, use open data, online platforms or physical digital devices for public benefit.

All budget items must be project related and expenses occur between April 1 2020 and June 30 2022. Details on how anticipated expenses are outlined in the budget are included in the applicant guide.

You need to demonstrate community engagement. Planned continued engagement with the community to receive feedback on the project may also demonstrate the role of the community in delivering the project. Your team can also elaborate on your equity approach and principles for the project and how it relates to community outreach and feedback.

All projects focusing on the theme of digital solutions and any project that handles public data should demonstrate best practices of digital design and responsible data management. The good news for you and your organization is that Athena Software meets the needs for inclusive design and data management.

 

Athena can provide details on data management considerations including:

Collection – who can collect the data

Access – who can access the data

Use – who can use the data

Openness – what data is attributed to an individual

Compliance – PIPEDA

Minimum funding is $5000. Maximum funding is $250,000

 

All budget items must be project related and incurred April 1 2020 to June 30 2022. The government provided a budget template in excel. We created a proposal for the Canada Healthy Community Initiative and integrated it with the budget template to help give you a head start on filling out the form. Let me know if you are interested in the proposal and excel budget template and we will send you the forms to begin the process.

 

The first round of funding opened February 9 2021 and will close March 9 2021 5 PM PST. Review committees begin making decisions March 10. All applicants will receive results by April 30 2021.

The second round of funding opens May 14 2021 9:00 AM AST and closes June 25 2021 at 5 PM PST. Applicants that did not receive funding in round one can apply for funding in round two. Review committees begin making decisions June 26. All applicants will receive results by August 13 2021.

 

You will need to check which region your project is in before you apply with the link to the map in the application guide. You will also identify the amount you are applying for. Any project over $100,000 will be reviewed at the national level.

 

Your application will be evaluated with many others in each community. Your application must meet the basic eligibility criteria including project rationale, community engagement, outcomes, project implementation and readiness fulfilling all of the following criteria:

 

  • Submitted by an eligible organization, and provides documentation
  • Responds to needs arising from COVID-19
  • Creates or adapts public spaces, or programming or services for public spaces in the public interest
  • Demonstrates consideration of and connections within the community
  • Serves the general public or a community disproportionately impacted by COVID-19
  • Falls within the Healthy Communities Initiative theme(s)
  • Submitted with a complete budget
  • Is requesting between $5,000 and $250,000
  • Incurs expenses between April 1 2020 to June 30 2022

Please join me March 5 at 1 PM EST for a hands-on webinar as we share ideas from communities that use Penelope to assist those most affected by Covid 19 and review proposals for new and current agencies using Penelope. You can find the registration page on our Athena web site. Hope to see you there. If you have questions before then call or email. Until then stay safe. We will see you soon.


Our 2021 Wage Outlook

A Challenging Year Ahead

While Canadian and global stock markets reach new records week after week (at least at the time of this writing!), employment, inflation and interest rates tell a very different story.

Employment insurance claims as of the end of October were up 200% versus the same timeframe last year. Interest rates are negligible, and the Consumer Price Index, while rising modestly in November (+1.0%), was a mere +0.7% in October — a reference point used in many collective agreements and other compensation plans as a benchmark for 2021 wage increases.

Despite overwhelming government stimulus, it appears that some employers will face cost pressures and may have difficulty maintaining their budgets as the economy slowly recovers. Downward revisions to pay increases in the coming months are expected.

In the last quarter, more than 36 per cent of Canadian organizations froze salaries for 2020, compared to a pre-COVID forecast of just 2 per cent, and this trend is likely to hold true for the coming year. In fact, almost half of employers are uncertain about what to do in 2021 and 13% plan to continue salary freezes in 2021, while 6% of employers will be looking to reduce wages.

Not since the 2008 financial crisis have we seen average base salary increases drop below 2%.

Union workforces are being hit particularly hard. Negotiated wages for 2020 came in at 1.7 per cent, compared to 1.9 per cent in 2019. Looking to 2021, negotiated wage increases are expected to fall further to 1.6 per cent or lower.

Alberta, historically a region with the strongest wage growth, will also continue its slide below trendlines at 1.7 per cent, the lowest among Canadian provinces and territories.

Not all employers are freezing salaries. Many sectors are experiencing strong demand, and recruitment in a number of job classifications remains competitive.  Among employers who are considering wage bumps, the average pay increase for non-unionized employees in Canada is projected to be 2.1 per cent next year, according to the Conference Board of Canada.

Other bright spots include those working in waste management and remediation services, where projections are a rosy 3 per cent increase, while those in utilities will see a 2.4 per cent increase. Professionals in finance and insurance, scientific and technical services as well as wholesale trade can expect increases of 2.2 per cent.

By sector, salary projections for 2021 are highest among Crown corporations at 2.5 per cent.

The recovery will be uneven. Industries that lend themselves well to remote work, or that were shut down for only short periods, will recover quickly. Other sectors, such as recreation, accommodation and food services will recover much more slowly, with employment levels not returning to their pre-pandemic levels presumably until vaccine campaigns are more widely available in late 2021.

 

We Are Your HR Department

We look after your Policy Manual, Employment Agreements, government-mandated compliance training and more.  We have you covered – we are your HR Department.  SHRP provides full-service HR support including Job Evaluation and Pay Equity planning in addition to best-in-class Human Resources solutions on a project or ongoing basis with our exclusive HRLive platform.  Contact us today for a free demonstration and start the development of a results-oriented HR strategy for your municipality.

 

Matthew Savino, B.A. LL.B., C.H.R.E.

Managing Partner, SHRP Limited

925-550 Skyway Drive, Peterborough, ON K9J 0E7

[email protected] | www.hrlive.ca | 705-400-7145

————————–

Sources:

-Statistics Canada

-Morneau Shepell “Salary Projection 2021” Survey

-Conference Board of Canada “Compensation Planning Outlook 2021”

-Canadian Payroll Association

-Willis Towers Watson


Physical Security Risk: know how to assess it

 

Many small to medium-sized businesses (and even large enterprise businesses) and governments have limited budgets, let alone budgets that allow spending a lot on risk and security.

Before you do go and spend a lot of capital on risk and security mitigation measures (such as security cameras, access control, bars and locks, lighting, training, fencing, etc.), you need to know what you’re buying for.

That is, you need to know what risks you are addressing.


Having a Risk Assessment completed on your municipality narrows the focus of your spending and aligns your purchasing with the specific types of risk and security mitigation measures you need.

To get a little technical…Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. It involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure and evaluating the cost of such controls.

That is a mouthful. Let us break this down a bit.

If you have a threat, but there is no vulnerability, then there is no risk.

If you have a vulnerability but no threat, no risk.

Perhaps something many can relate to, you went online and purchased some products, and they are set to be delivered to your home. And no, we are not going to discuss online security…a topic for another day perhaps.

The packages are delivered to your home. But because of your daily routine, errands, off to the office, or shop, you are not always home. The shiny object is the packages just delivered. The vulnerability, sometimes referred to as a gap, is that you are not home, and the packages now sit on your front step unattended. The threat is that someone will take those packages right from your front step.

So, going back to the assessment. The key is once you know what your largest threats are (and yes you need to be able to determine that), it is important that you take action (implement risk and security mitigation measures) to lower your vulnerability.

Why not eliminate the vulnerability?

Great question, thanks for asking.

Eliminating the vulnerability may not always be possible.

Some business sectors and industries simply have built-in threats. But, if we focus on lowering the vulnerability, we lower the risk of a loss.

The assessment is complete, and we have identified risks. The next important step is finding the risk and security measures that are going to be the most effective in mitigating the identified risk. These measures come in all different shapes and sizes, video surveillance, locks and safes, lighting, security focused training, etc.

When in doubt, reach out to us or find your trusted Independent Risk and Security consultant.

Yes, we highlighted Independent. That is definitely a topic for another day.

It all starts with a conversation.

We can Help.

Plan the Work. Work the Plan.

Should your Municipality need assistance, contact Michael White Group today, and we will be happy to answer your questions or provide quotations.

 


Getting Ahead of COVID-19 with Data and Analytics – Are You Ready?

Communities across Canada were excited to hear the news that shipments of vaccine arrived and front-line workers and seniors were first in line to receive the vaccinations that will eventually make their way across Canada to every citizen in a very large country. Logistical issues aside, the Canadian Armed Forces will ensure that delivery of this life saving miracle arrives safely in each community.

 

It will take months before everyone is vaccinated. Projections suggest it may take until September 2021 before the largest vaccination program in Canada’s history is complete. Each municipality has a responsibility to care for those most impacted during this time. Our immediate attention turns to the hospital and front-line workers as communities slide into the red zone with lockdowns and governments asking each hospital to have an additional 10-15% surge capacity on standby for the expected increase in Covid-19 cases arriving at emergency centers.

 

The impact of Covid-19 will extend beyond the visible health issues and arrive in your community with an increase in demand at the food bank. Hunger is the canary in the coal mine acting as a lead indicator of social health or social determinants of health (SDoH). Social health will play an active role in who shows up in the medical or justice system in the coming months. You only have to ask your local food bank if demand is increasing and they will describe not only demand but location and demographics of those in need. Families without a job, a place to call home, food, medical assistance, family support, domestic violence, increased substance use and a host of other issues all increase and play a significant role in how whole person care is applied.

 

When social services and medical services work independently, the cost per patient increases and the path to better outcomes is extended. Minister of Diversity and Inclusion and Youth, the Honourable Bardish Chagger, who is a science graduate and a believer in using outcomes to help improve programs, participated in our webinar last week. See the link in this blog. As discussed in the recent webinar, the federal government is looking for ways to help communities do more with less using an evidence-based approach. Data science is one of the keys to delivering better outcomes for less.

 

Data and analytics will help communities across Canada better understand the problem and work together to discover the best approach using the resources at hand. 

 

Infrastructure Canada is offering communities $31 million over the next two years to develop innovative digital platforms that will help those most impacted by Covid-19. Over 200 communities attended last week’s webinar. That is 200 communities ready to create a proposal and submit for approval January 2021.

 

Each community has been somewhat sheltered from the next wave of Covid-19 economic, health and social collateral damage with generous but temporary federal assistance. The economy in many communities has shifted and in some cases permanently to a different business model. 

 

Not everyone will find it easy to pick up where they left off. As Canada begins to build back better, all 3200 communities should be thinking of how they use data to create proactive strategies and shield their constituents from the continuing Covid-19 collateral damage.

 

Let me know if you want to discuss your digital transformation as we build back better with funding using innovative digital solutions. Project submission starts January 2021.    

 

Contact Athena Software for more information!
