I have said for a long time that our ideas around outsourcing and partnership with expert companies need to change. Most of the time when commentators talk about IT outsourcing there remains this idea of the powerful client and weak supplier, hoping to get a contract at any price.
This dated view has largely been modified by two changes in the way that companies consume IT services:
- Complexity; many services today are so complex that only experts can perform them well. For example, it’s not possible to internally manage the technology needed to create a great customer service platform for most organisations. So suppliers have become more important because they are the experts with the answers across all areas of business.
- Software As A Service; the way companies purchase their IT has dramatically changed thanks to the cloud and app store concepts. Now managers may buy software solutions without even asking the CIO because they are just buying a subscription to a service that sits on the cloud. Security is guaranteed and all they need is a connection to the Internet.
It’s noticeable that many trade associations and journals have been changing their names recently. There is a strong move to dissociate themselves from outsourcing as a business strategy as this environment has become more complex – the new emphasis is just on sourcing. But nothing stands still; even the use of cloud-based systems is evolving. A recent report in ZDNet advises three areas to watch in 2018 for those with an interest in the development of the cloud:
- The Cloud Backlash; many companies will make mistakes when moving services to the cloud. Issues of control or compliance may cause a backlash so look for examples of companies who are further down the road when seeking case studies and examples of success.
- The Hybrid Cloud; you don’t need all your infrastructure to be in the cloud. Explore what might be essential to keep close and what can be moved; for example, important data might be safer if stored internally.
- The CyberSecurity Impact; cloud services are generally more secure than in-house systems, but if you have a chain of different partners then this can be a source of weakness – is your system secure at all points?
I strongly agree with this analysis. It’s clear that buying IT services from cloud-based systems is the future (at least for now) but there is still plenty of scope for companies to get it wrong.
Companies across all industries face a wave of almost constant change as digital technologies redefine old industries and create new services we never even knew we needed. Think of any industry and it’s clear that digital transformation is creating a period of industrial flux that has no end in sight.
This does not help to create a secure business environment. Ideally your data and systems would be locked down and controlled, but as the recent global WannaCry attack proved, many systems are much more vulnerable than expected. In addition, many security experts are now advising that this type of chaotic information attack is something we should get used to.
So if your industry is chaotic and hackers are adopting chaotic methods of constantly attacking system vulnerabilities then how can you make sense of the chaos so your data can be protected?
This blog suggests several steps for executives worried about the threat chaos can bring to their business, but the main focus is on automating your network management and accepting that manually managing a network leaves it open to attack. Just one open port is enough for WannaCry – or similar – to get in and cause havoc inside your company.
Automated network segmentation is a reaction to the complexity of today’s enterprise networks. With many different platforms, systems, contractors, and a mix of a physical network and cloud, the challenge of managing modern networks is huge. Add the potential for human error and the fast pace of change and the threat is obvious.
Automating segmentation allows the system to look after itself. The network breaks into several different secure zones limiting the exposure any hacker would have. Even if a hacker gets into your business, by automatically creating these secure zones you can limit any damage.
Automation is often talked about in terms of productivity – allowing more to be done in less time, but when it comes to information security only automation of network security can really provide protection in a chaotic business environment.
Creating a secure environment for your information requires investment in technology and processes, but no matter how much you spend on systems it is your people that are the weakest link. Planning a secure information security strategy needs to include measures that fight social engineering and other methods used to steal data.
The most basic problem that occurs in every company is password security. According to research published in Inc magazine, each valid email address has around 130 password-protected services associated with it. That’s a huge problem if each one of us has to remember hundreds of different passwords.
The biggest problems are that people don’t change their password frequently and they often use the same password for many systems. The danger is obvious, but what should be done to make systems more secure when the real problem here is just user behaviour?
Inc has five recommendations for better password security:
1. Update passwords regularly; apply operating system settings that force your team to regularly change passwords and also enforce a change if you suspect that a system has been breached.
2. Never reuse passwords; it’s a common mistake, but this practice creates system vulnerabilities.
3. Use passphrases; long phrases are much more secure than a short password and often are easier to remember – use a favourite line from a book or movie for example.
4. Multifactor security; for sensitive systems don’t rely on a single password – use a system that creates a temporary password or uses biometrics to add a second level of security.
5. Never store passwords in plain text; files can be copied and unencrypted files full of passwords are easy to spot. Use a secure password storage system if you really cannot remember every password you need to use.
This is good solid advice, but the reality is that if each person has hundreds of passwords then they will almost certainly repeat them across systems. To really enforce information security inside a real company without ‘perfect’ people requires planning. I would advise the use of an enterprise-wide secure password management system so everyone is encouraged to use different passwords, but with the system to support them.
In addition, biometric systems are not expensive and are now very common – look at how the Apple iPhone allows a user to unlock the phone using their fingerprint. Consider protecting your most important systems, those using customer data for example, with multiple layers of security and not just a password.
A good password policy sounds simple, but enforcing good behaviour on users can be difficult. Use pragmatism and support your team so they can work securely.
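An added example, not part of the original post or the Inc article: a short Python audit that checks password vault entries against recommendations 1 to 4 above (rotation, reuse, passphrase length, multifactor on sensitive systems). The entry fields, the 90-day and 16-character thresholds, the service names and the audit key are assumptions made for this example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Assumed policy values; the article gives no numbers.
MAX_AGE_DAYS = 90
MIN_PASSPHRASE_LEN = 16


def fingerprint(secret: str, audit_key: bytes) -> str:
    """Keyed digest: equal passwords match, but no plaintext enters the report."""
    return hmac.new(audit_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def audit(entries, audit_key: bytes, today: date) -> dict:
    """Return {service: sorted findings} for vault entries decrypted in memory."""
    findings = defaultdict(set)
    services_by_fp = defaultdict(list)
    for e in entries:
        services_by_fp[fingerprint(e["secret"], audit_key)].append(e["service"])
        if (today - e["changed"]).days > MAX_AGE_DAYS:
            findings[e["service"]].add("stale")      # recommendation 1
        if len(e["secret"]) < MIN_PASSPHRASE_LEN:
            findings[e["service"]].add("short")      # recommendation 3
        if e["sensitive"] and not e["mfa"]:
            findings[e["service"]].add("no-mfa")     # recommendation 4
    for services in services_by_fp.values():
        if len(services) > 1:                        # recommendation 2
            for s in services:
                findings[s].add("reused")
    return {s: sorted(f) for s, f in findings.items()}


# Constructed sample entries (hypothetical services, not real credentials).
SAMPLE = [
    {"service": "crm", "secret": "Summer2017", "changed": date(2017, 1, 10),
     "sensitive": True, "mfa": False},
    {"service": "webmail", "secret": "Summer2017", "changed": date(2017, 6, 1),
     "sensitive": False, "mfa": False},
    {"service": "payroll", "secret": "it was the best of times",
     "changed": date(2017, 6, 15), "sensitive": True, "mfa": True},
]


def run_sample() -> dict:
    """Audit the constructed sample with a fixed key and date."""
    return audit(SAMPLE, b"constructed-audit-key", date(2017, 7, 1))


if __name__ == "__main__":
    for service, issues in run_sample().items():
        print(f"{service}: {', '.join(issues)}")
```

Only services with at least one finding appear in the result, so a clean entry such as the sample payroll account produces no line.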
Last year the Ponemon Institute published research analysing the cost of information security breaches – the result of a business being hacked or attacked by ransomware or even just incompetence leading to data being exposed. The average figure for a data breach was found to be over $4m – that’s right, four million dollars. Some other estimates suggest an average of over $7m. Each customer record that you lose or expose costs around $158 to clean up according to this research.
That’s serious money and therefore this is clearly now a major issue. For small businesses a multi-million dollar clean-up operation could close the business. For larger businesses the expense may in fact be far higher than this average. Information security is now essential in an environment where ransomware and hacking attacks by criminals (and even state actors) are becoming more common.
But there are still several myths around information security that cause executives to invest poorly in protecting their business. It’s an issue that affects everyone in the business and needs to be treated just as seriously as the physical security of your office premises. These are the most common issues and mistakes companies make:
1. Not dealing with human error; human error causes 33% of data breaches and 36% are just because people don’t understand the need for information security. Everyone in the company needs to understand information security, why it matters, and what protocols must be followed. This is not just an IT problem.
2. Ignorance; ignoring your legal need to follow compliance regulations over the way that data is used will lead to major fines in addition to the lost business you may suffer as a result of the data breach.
3. Trusting brands online; an email with a link may feature the logo of a trusted brand, but if you did not expect to receive contact from this brand, don’t click the link. Criminals are using highly sophisticated phishing techniques to install their software and just one infected computer can give access to your network.
4. Personal devices; allowing employees to use personal devices to access work email or work systems can promote efficiency, but even password-protected phones can be hacked. If a phone is lost or stolen and it was being used to access office systems then unless the device was encrypted you now have a criminal with access to your network.
5. Papers; paper is old fashioned, right? But most offices are still filled with desks covered in printed reports and spreadsheets. Detailed information is left in the open, allowing any contractor with access to your office access to all that information. Even your paper recycling bin can be raided so you should really have a clean-desk and shred-all-trash policy in place – even better, discourage the printing of any documents in the office.
These sound simple, but many organisations still don’t appreciate the need for information security to the extent that they are training every staff member. Data breaches can be extremely expensive so it pays to think about your systems, your people, and your processes. Where is your business vulnerable to attack?
Last month one of the biggest information security conferences in the world took place in London. InfoSec attracted 13,500 information security experts for 3 days focused on the latest security issues, but one topic dominated the conference – WannaCry.
The recent WannaCry ransomware attack hit hundreds of thousands of victims in over 150 countries. Users of infected computers found their systems locked and faced a demand for a ransom payment if they wanted to use their computer again – hence the term ransomware.
WannaCry is possibly the largest simultaneous attack on global computer systems and is a real wake-up call for executives with a focus on information security. Companies are extracting more and more data from their customers defining payments, preferences, and future plans – more detailed information is available for hackers to steal from corporate systems. This month the AA motoring organisation in the UK has been criticised as they accidentally made the personal details of over 100,000 customers visible on their website and when they realised their error they failed to inform customers that their card details may have been made public.
But users of devices in the home are just as vulnerable to ransomware attacks. Homes are now largely wifi-enabled and have many connected devices such as laptops, phones, Kindles, and home control systems like the Amazon Echo or Google Home. Ransom attacks demanding a fee of $1000 to access your home systems again will be paid by many people because losing access to all your personal devices would be even more expensive – not only in replacement value, but because of the data we store on our devices.
The InfoSec conference delegates discussed WannaCry at length and the top tips cited for avoiding these attacks were:
1. Multilayered information security defence; in the office, ensure at least three levels of information security by managing everyday risk, compliance risk, and external risks in a coordinated way, but with different teams able to focus on each area.
2. Stay updated; at home or at work ensure that all software is up to date with automatic patching of updates. Apply a good anti-virus system and ensure it automatically updates itself. Ensure your data is not stored locally or is regularly backed up so you can recover if systems are lost.
3. Staff awareness; train all staff in the risks to the business, not just your IT team. Everyone uses IT in their function today and therefore anyone can be the access point to your business.
Data breaches and ransom attacks are now a serious threat to business and need to be treated as such. Information security no longer means running a virus check once a week; this is a complex environment that can create an existential threat to your business if you become a victim of an attack.
One of the trends for 2016 that is certain to only increase in importance is the use of data analysis across many different types of organisation. Big Data and the real-time analysis of data in general is reshaping many industries, redefining how companies build a relationship with their customers.
The fact that this change is applicable across all industries is the most important aspect of this trend. Almost every company in every industry is exploring how a better use of data can give them the edge in 2016. Three specific areas I see as being really important for the year ahead are:
1. The Internet of Things (IoT); tech commentators like talking about the smart fridge that knows you need more eggs, but this is going to be a much more serious trend. If every electric device you own is networked then some incredible new possibilities are created, from cars that can self-diagnose and fix problems without you even being aware of it to being able to control anything in your home remotely.
2. Machine Learning; many contact centres have been exploring how robots equipped with product knowledge can handle simple customer service enquiries. As they learn more about what customers want they will get far better and eventually even be able to anticipate what the customer needs. This ability to learn and apply knowledge with physical or virtual robots will be really important. It’s 5 years now since the IBM Watson system won the TV game show Jeopardy; now doctors are training Watson in how to recognise and diagnose illnesses.
3. Data Security; the weak spot in all systems that need customer data is that the customers become too scared to share their information – scared of data leaks and hacker attacks. The Ashley Madison attack in 2015 was an example of how hackers can even threaten the existence of a company, just by stealing data.
Big Data, and data analysis in general, will certainly be more important in 2016 because it is now affecting so many companies, but this final point is important. As customers share more data there is the danger of more leaks and more attacks. The only thing that will prevent the benefits of enhanced data analysis becoming a reality is if people become wary of sharing information.
Concerns have been mounting in the Internet of Things (IoT) recently. Equipment manufacturers have been tussling over standards prompting some to believe that a ‘Betamax’ situation may be created where some devices cannot connect to the IoT grid.
If such a situation occurs it could seriously impact the adoption of Big Data projects. Big Data does not depend on the IoT – there are many other types of large database – but the constant flow of IoT data means that most IoT projects will also require a Big Data element.
However there is some good news from the analyst community. New data from IDC suggests that the growth rate for spending on Big Data between 2014 and 2019 will be just under $50bn – that’s compounded growth of 23.1% each year.
The real elephant in the room for the Big Data market is the security of collected data. There have been several damaging data leaks by major organisations in recent months. The danger for companies that are collecting large amounts of data is that leaks of private data will cause brand damage so serious that companies could even face an existential threat.
IDC believe that large companies are aware of this danger and are planning their Big Data infrastructure with security in mind.
“The ability to leverage big data and analytics to develop an integrated view of customer activities and business operations will provide competitive differentiation to companies across industries,” said IDC programme director Jessica Goepfert.
“However, in addition to the huge opportunities, big data presents some significant risks and liabilities to organisations. Line of business and IT executives will need to approach these ongoing challenges with awareness, flexibility, adaptability, and responsibility.”
This is an area of the technology business that is growing by around one quarter every year right now. There will need to be some big mistakes to derail this market, but it is possible. The constant stream of security stories in the media shows that the public are more aware than ever of the dangers ahead. Companies adopting Big Data need to ensure they are always one step ahead of the data thieves.
The industry analyst Gartner Group has issued a list of ten technologies to watch for 2016. These are the trends that the analyst firm believes will be shaping the digital agenda next year.
You can go to the Gartner newsroom where they list all of their predictions, but here I want to comment on what I see as their top three.
Adaptive Security Architecture
If a CEO today is not aware of the importance of security then their board should be asking how they got the job. Major companies are now facing existential threats because technology systems were hacked. Consumer companies with personal data on millions of customers are particularly at risk and one hack can destroy many years of trust in a brand. Making security smarter, tighter, and more able to adapt to changing attack methods will be an enormous trend in 2016.
The Internet of Things (IoT)
Despite recent suggestions the IoT is stalling because there is still no single agreed standard, I believe that there is enough momentum in this trend to start creating a significant amount of work. Naturally this connects to an increased need for expertise in Big Data analysis if IoT is creating enormous amounts of data.
Machine learning is getting smarter. People laughed at Apple Siri when it was first launched, but have you tried it recently? Intelligent agents have improved enormously. The Amazon Echo system replicates Siri in the home, allowing a user to ask questions from anywhere in the home. Similarly machine intelligence is set to revolutionise customer service operations as the most common enquiries are recognised and handled by robots – Robotic Process Automation.
As always, the Gartner predictions are interesting, but after checking the complete list of ten, which would you pick as your top three?