Casualties Mount as Calif. Fire Continues to Burn

The massive Thomas Fire in Ventura County has claimed another victim. CalFire Engineer Cory Iverson was killed while battling the blaze, which has so far burned 252,500 acres and destroyed about 1,000 homes and businesses, according to the federal InciWeb fire information website. One other death connected to the fire was a woman killed in a car crash while evacuating.

Iverson had been with the agency since 2009 and was assigned to the Thomas Fire as part of a fire-engine strike team from CalFire’s San Diego unit.

“I know I speak for us all in saying our hearts go out to our CalFire colleagues during this difficult time. This is a tragic reminder of the dangerous work that our firefighters do every day,” Teresa Benson, forest supervisor, Los Padres National Forest, said in a statement. “The Thomas Fire has many unprecedented conditions and complexities that challenge the already demanding job of fire suppression.”

The Thomas fire broke out Dec. 4 in Ojai, northwest of Los Angeles. Strong Santa Ana winds helped it to quickly spread to the city of Ventura, according to InciWeb.

Up to 85,000 people were impacted by power outages and surges in the Santa Barbara area, according to the Southern California Edison utility company. Santa Ana winds are expected to continue on Friday and through the weekend, and could reach up to 30 miles per hour in some areas. Ventura County, northwest of Los Angeles, has ordered mandatory evacuation of a portion of the county.

The Thomas fire has also taken a toll on agriculture, which is a $45 billion industry in California employing more than 400,000 people in the state. The wildfire struck the largest avocado- and lemon-producing region in the United States. A 200-acre farm lost 80% of its avocado crop, according to the New York Times. Avocado orchards are more vulnerable because of their location near hillsides in the path of the fire.

Consumers are unlikely to see a surge in the price of avocados from the fire because most avocados bought in the United States are grown in Mexico. A spike in lemon prices is unlikely to occur even though Ventura County produces more than 40% of the national output, because any lost crop can be made up by increasing imports, John Krist, chief executive of the Ventura County Farm Bureau, told the Times.

More About Santa-Related Risks

Earlier this month, we reviewed how the mere mention of Santa Claus can affect business and finance. Tying his name to a stock market rally or business operation could make values jolly or, conversely, could have more of a Freddy Krueger effect. But even if your portfolio and productivity remain unchanged, Santa-related risks can also follow you home and even impact family life.

Anyone who needs more than a mere glimpse of Santa Claus may want to take the fun a step further and attend one of the SantaCons across the country (many of which will be held this weekend). According to SantaCon.info, the best-known repository for SantaCons, at least 397 cities in 52 countries host the events, and some cities have more than one. Whether you want to appear in costume or take your family, dressed in their red, green and white seasonal sweaters, the site has some tips to help you avoid getting jilted out of holiday cheer. The site warns that while SantaCons are typically free, some are ticketed events to help organizers cover excess costs, and many of the Santa-themed events are commercial. Then there are the spoilers. It continues:

Again, this year, websites are popping up making false claims and trying to sell SantaCon tickets. Please be careful not to get scammed and also consider the reputation and safety risks involved. Use this guide:

  • Most SantaCons are completely free to attend (Washington, D.C. is one of these).
  • Many SantaCons request a donation which is completely optional (San Francisco is one of these).
  • Some SantaCons request a donation which gets you some benefits (NYC is one of these).

Visit the site to review the overall criteria for entering and remaining at SantaCon for the event’s duration. The most important guidelines cover dress, safety, and conduct:

  1. You can dress how you like but the theme is red.
  2. Don’t make kids cry.
  3. Don’t mess with security and make people feel unsafe.
  4. Don’t get drunk or high.

(It would seem like disregarding tips 3 and 4 could directly cause #2.)

Additionally, be sure to determine if your SantaCon will be family-friendly or for adults only. Some of these events are fundraisers for charities, while others are just a prelude to a pub crawl—which does contradict the fact that Santa is generally discouraged from drunk and disorderly behavior (see guideline #4 above). Those pub crawls are often limited to the Santas in the crowd, but why shouldn’t everybody be merry?

And although you and your family will see Santa’s foot soldiers, lots of people will wonder which is the real Santa amid all the white beards and red hats.

What has become a pastime on Christmas Eve is the tracking of Santa’s location and progress.

There are several devices and agencies dedicated to keeping tabs on Santa. One of the most popular trackers is run by NORAD (North American Aerospace Defense Command). Its Santa Tracker began in 1955 after a newspaper ad for Sears mistakenly listed a phone number that kids could dial to reach Santa Claus; it was actually a secret line to the red phone at the Continental Air Defense Command, NORAD’s predecessor. One of the outcomes of the ad was to expose the risk of typographical errors in print publications.

Using more than one tracker on Christmas Eve, like the Google Santa Tracker, can call into question Santa’s aerodynamic abilities among children whose vocabularies might not include the word “aerodynamic.” Two trackers may simultaneously show Santa along different routes and indicate different amounts of presents delivered. So once a child is actively following Santa activities on more than one tracker, he or she may then ask: “How can he be in China on the Google tracker when NORAD says he’s in Nebraska?”

Most people actively tracking Santa do not want to comment on the technological and supply chain risks involved, accidentally bringing a “bah humbug” to the holiday. Of course, if you are seeking that information, enjoy reading one of his many risk assessments.

Oroville Dam Repairs Concern Calif. Residents

Construction of a new spillway at the Oroville Dam in northern California—the largest dam in the U.S.—is underway and is expected to be completed sometime in 2018, according to the California Department of Water Resources. The new spillway replaces the previous one, which was damaged by heavy flooding in February.

Problems at the Oroville Dam began when the dam’s main sluice was damaged after a winter season of record rain and snowfall, following five years of drought. Torrential rainfall caused water levels to rise so quickly that large amounts needed to be released to prevent the dam from rupturing and sending a wall of water to the communities below.

The force of the cascading water was so strong that it created a large hole in the main sluice, requiring the use of an emergency spillway. This safety backup, however, also nearly failed because the dirt spillway, which had never been fortified by concrete, began to erode, increasing the risk of damage to the dam. In anticipation of a possible disaster, almost 200,000 residents living below the dam were temporarily evacuated.

The dam’s new construction has proved to be contentious at times, with residents expressing concern about small cracks that have appeared in the freshly laid concrete. Rainy season is just ahead and residents are anxious about the possibility of another flood.

State officials said cracking is normal, however, and federal regulators agreed that no immediate repairs are necessary, but not everyone is convinced.

“We heard that in 2009 when we saw DWR fixing cracks on the spillway, that it was completely normal, that it was no concern,” Oroville resident Genoa Widener told the Associated Press. “And then we were told to run for our lives. So you telling us that it’s normal is not enough.”

So far, about a third of the spillway has been fully rebuilt, while the rest has been fortified for the winter with plans to finish it next year. The project is expected to cost about $500 million.

In preparation for the upcoming winter, Lake Oroville was drained about 80 feet below its normal level, providing extra reservoir storage for incoming water from winter rain and spring snowmelt. On Wednesday, the lake was 200 feet (61 meters) below its maximum capacity, the AP said.

Residents are also upset because state officials have closed a scenic road spanning the top of the dam during the construction. They have deferred a decision about whether it will ever be re-opened due to safety concerns. Several residents said the road closure has cut off their access to recreational areas, the AP reported.

Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.