Top 10 Technology Disasters

Posted on : 30-04-2014 | By : jo.rose | In : Cyber Security



Back in 2012 we wrote about Black Swans as related to IT projects (particularly those designated with the grand moniker of “Global”). The term was coined by the author and scholar Nassim Nicholas Taleb to:

“…describe high-impact events that are rare and unpredictable but in retrospect seem not so improbable.”

The report today on the events leading to the Co-operative Bank’s capital shortfall from Sir Christopher Kelly certainly makes for interesting, and cautionary reading.

Whilst much of the report delves into deficiencies in Governance, Risk, the Britannia Merger, relationship with the regulator, PPI mis-selling and the like, there is also a significant section dedicated to a botched IT Replatforming which, over a period of around 7 years, left a £300m write-off. Black Swan? Perhaps.

Either way, before the project was eventually canned the costs had ballooned to a potential £950m (£663m as re-scoped before the CBG Board eventually lost patience).

Kelly concluded with:

“It is critical for an organisation to understand the extent to which it is capable of managing large-scale change programmes. It is important to be realistic about the scale of projects undertaken, and the burden this places on the organisation. It is necessary to understand what good looks like, using best practices and experience from outside. It is essential to heed warnings and act upon them.”

The full report can be downloaded here, so you can make up your own view. Definitely recommended reading.

So, what about other IT project disasters? Well, the landscape is littered with similar examples, but we’ve selected our Top 10 (that we can safely talk about…we think… ;-).

  1. Obamacare – one of the most recent. The website was a shambles when launched in October, with US citizens resorting to phone lines and post.
  2. The Child Support Agency (EDS) – costs said to have been in the region of £1bn for a system that managed to overpay almost 2 million people and underpay 700k, ultimately assisting in the demise of the CSA.
  3. Passport System 1999 (Siemens) – an insufficiently tested and under-resourced system, run by poorly trained staff, left half a million Brits without passports and many missing holidays.
  4. FoxMeyer Corp – a bungled ERP system implementation in 1996 actually helped take FoxMeyer into bankruptcy (with $1bn in lawsuits issued against SAP and Andersen Consulting).
  5. Sainsbury’s Warehouse Automation – installed in 2003 the barcode based fulfilment system was supposed to streamline its operations for pretty much the whole of London and the Southeast. However, it immediately ran into technical issues and was eventually scrapped (but after 4 years!…)
  6. US Airforce ERP (CSC) – now, imagine spending $1bn on an ERP system and getting nothing? Well, that’s the outcome of the project started in 1995 and hit with software, contractual and infrastructure issues throughout.
  7. NHS patient record system (CSC) – the abandoned IT system, originally estimated at £6.4bn, stands at somewhere around £10bn. Described as “the biggest IT failure ever seen”.
  8. Hershey SAP – back in 1999 Hershey’s stock dropped 8% after problems implementing a combination of SAP ERP, Siebel CRM and supply chain software firm Manugistics caused it to miss key product delivery deadlines for Halloween.
  9. Canada’s Gun Registration System (EDS/SHL) – back in 1997 a relatively modest IT project at $199m started but by 2001 was running at $688m, including $300m for support (admittedly, not helped by political changes).
  10. RBS integration of Natwest – whilst we have concentrated on projects, the recent IT debacles and the fact that what was largely a systems led integration was described by the Harvard Business Review in 2003 with the line “…The acquisition is remarkable for how successful it was” means it had to make it in.




Big Data – Can it win Big Games?

Posted on : 30-04-2014 | By : richard.gale | In : Data



Malcolm Lewis is in the news with his new book on high frequency trading. He also wrote a book, Moneyball, on sports data back in 2003, on how the Oakland A’s baseball club made extensive use of data research to outgun much higher spending rivals and get to the play-offs two years in a row.

Now with Liverpool Football Club riding high at the top of the league, much credit should be given to its manager, Brendan Rodgers, but there is a vast backroom team sifting through terabytes of data which is assisting him. English Premier League football is big business and the spoils of winning are worth tens of millions. Anything which can give an edge in team selection or insight into the opposition is worth its weight in silverware. A new breed of technology companies track every pass, movement and save to gain insight and work out the best way to win.

There are millions to be won or lost in the Premier League. A massive television audience makes it the world’s richest league, expected to make £3.5 billion in revenues this season. But although Premier League clubs make a lot, they spend most of it too. Buying the top talent is pricey – players’ salaries drain more than 70% of an average club’s takings, and for some that figure is 90% plus. Failing to buy the best talent and so getting relegated is very expensive and costs a club tens of millions. Getting back up can be a struggle and teams are left with huge wage bills and not enough income to cover the costs. Relegation can result in bankruptcy. Fielding the right team is essential and clubs employ spotters that travel the globe looking for the right talent at a good price. These researchers use their experience and knowledge to pick the next-generation talent, often using instinct over data. But now companies such as Opta and Prozone collect reams of helpful data, selling it to the clubs and media for a fee. Pitch-side analysts log every tackle, pass and goal, typically collecting information on 2,000 events per match. Above the stadium, arrays of cameras track players’ movements, logging their distance, speed and acceleration.

The capturing and analysis of data can offer new insight into players’ value. Gareth Bale, one of the finest players in the world, is seen as a strong, fast goal scorer with amazing power and accuracy from a distance. Analysing the data shows that he also makes an important defensive contribution to his club, something that may not be obvious from the play. That helped his previous club Spurs as much as his goals did.

If clubs use the same criteria to crunch the data on players in the lower leagues they may be able to purchase ‘Bale’ quality skills at a lower price. Chelsea have carried out a lot of research in this space with data on all players in fifteen leagues around the globe.

American sports show that this approach can work. As mentioned at the top of the article, at the turn of the century the Oakland Athletics, a poor, badly resourced team, were playing badly. Then they started to analyse the huge data sets available in baseball to spot underpriced players, getting them at budget prices. It worked: in 2002 the Athletics enjoyed a record-breaking 20-game winning streak. With reams of new data available, Premier League clubs are taking notice. Last year Liverpool recruited a data scientist with a PhD in biological physics.

Still, computers are not going to make traditional scouting redundant just yet. Human analysis can take into account the context of play including quality of support a player has which can change his behaviour – such as booting up a long ball if he thinks his midfielders are of low quality and will lose the ball…


Cybercrime: The 9 basic threat patterns for data breaches

Posted on : 29-04-2014 | By : john.vincent | In : Cyber Security



This week is a big one for the security industry, with the annual European Infosecurity Conference (Infosec) kicking off for 3 days in London. Anyone with an interest in Information Security will descend on Earls Court, keen to find out the latest in process, technology and organisational techniques to try and keep up with the cyber criminals’ methods of operation.

Indeed, the community of interest is growing. Where once it would only be the “traditional” IT Security experts that went along (and, some outsiders would have considered them a bit “geeky”), now the spectrum of attendees is vast and varied. Indeed, in 2013 the visitors travelled from 71 different countries, with 10% at corporate board level within their organisation and 24% at or above senior executive level.

Countering cyber crime, data breaches and related security threats is now firmly on the executive agenda as well as that of sovereign states. In March this year the UK government launched its UK Computer Emergency Response Team (CERT-UK) as part of its strategy in the fight against cyber crime. Launched by Chris Gibson, director of CERT-UK, the unit is considered to be one of the most important parts of the government’s £650m cyber security strategy.

In general, like most of information technology, it comes down to data…in this case, breaches of it. So, what are the main sources of data security breaches?

Well, Verizon have just released their 2014 Data Breach Investigations Report. As always, it gives some really useful insight into the security landscape over the last year, taking data from over 50 global organisations in 95 countries and over 63,000 confirmed incidents!

The report analyses these in some detail, but there are a couple of areas we thought we’d just highlight.

The first is some analysis over 10 years regarding the threat actions leading to data breaches (below):

Whilst the sample set has grown over the 10 year period, what it does illustrate well is the explosion in Hacking and Malware exploits from 2009 and the increase in Social tactics from around the same time.

The other area we’d like to explore is the fact that even with tens of thousands of breach incidents over the period of the report, they can effectively be described by nine basic patterns.

  1. Point-of-Sale (POS) Intrusions: Not surprisingly most prevalent in Accommodation, Food Services and Retail although trending down recently. “RAM Scrapers” collect and exfiltrate payment card information.
  2. Web App Attacks: Exploiting application weaknesses, often through inadequate input validation or impersonation through stolen credentials.
  3. Insider and Privilege Misuse: Crimes that, for the most part, have been perpetrated for individual financial gain. The last year saw an increase in insider espionage targeting data and trade secrets. Interestingly, whilst staff and end users were still the most prominent perpetrators of internal breaches, there was an increase in managers perpetrating them (including some in the C-suite).
  4. Physical Theft and Data Loss: Pretty much as described. The key industries here are Healthcare, Public and Mining with most losses/thefts actually being reported as a result of mandatory disclosure regulations, rather than fraud.
  5. Miscellaneous Errors: People mess up…fact. Misdelivery of documents (physical and email) and publishing errors account for two thirds of this category. Indeed, we’ve all seen press reports of sensitive data leaked unintentionally. Organisations that are not addressing Data Loss Prevention (DLP) need to as a priority.
  6. Crimeware: The goal is to gain control of platforms to use for stealing credentials, DDoS attacks, spamming etc. Web drive-by and Web download are the most common vectors for malware actions within this category.
  7. Payment Card Skimmers: Predominant in Finance and Retail, with criminal groups installing skimmers on ATMs and other card reading devices (indeed, ATMs accounted for 87% of incidents).
  8. Cyber-Espionage: The report from Verizon showed this as having tripled in number from the previous year, which was already up. The US still represents over half of the victims but the targets are diversifying, with State-Affiliated at 87% and Organised Crime accounting for 11%. In terms of the former, Eastern Asia still accounts for nearly half the location for command centres seeking to gather sensitive data.
  9. Denial of Service Attacks: Although a little out of place in terms of data breach, there were a significant number of attacks in the last year, specifically against the Financial Services industry. Often used as a “smokescreen” for other illicit activity.
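Two of the patterns above (POS RAM scrapers harvesting card data, and misdelivered email caught by DLP) come down to the same defensive check: spotting payment card numbers where they should not be. As an added example, not from the post or the Verizon report, here is a small DLP-style scanner that finds Luhn-valid card numbers in a text buffer and masks them for reporting; the sample text and card numbers are constructed test values.

```python
import re

# Constructed sample: the kind of text a DLP filter scans, e.g. an outbound
# email body or a dump of POS process memory. The card numbers are published
# test numbers, not real accounts; the 16-digit invoice ref is a decoy.
SAMPLE_TEXT = """Order 48213 confirmed for customer.
Card on file: 4111 1111 1111 1111 exp 09/26
Invoice ref 1234567890123456 (internal ID, not a card)
Phone 5500-0000-0000-0004 mistaken entry
Track data: 5555555555554444=2609101...
"""

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate primary account numbers (digits only) that pass Luhn.

    The Luhn step is what keeps ordinary 16-digit identifiers (invoice or
    order numbers) from flooding the DLP alert queue with false positives.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Mask all but the first six and last four digits for safe reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def dlp_report(text: str) -> list:
    """Masked list of card numbers found, suitable for an alert or audit log."""
    return [mask(p) for p in find_pans(text)]
```

In a real deployment the same check would run on mail gateways and on memory or file artefacts from POS hosts, with the masked output feeding the incident record rather than the raw PAN.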

The report goes into a lot of data including recommended controls (you can download a copy here).

We will be continuing to strengthen the Broadgate Security Service throughout this year. If you’d like to explore further, please contact

Or, of course, see you at Infosec!