GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized


Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out by the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018 and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. These can be up to four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, 3rd-party compliance and assurance is common practice now and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, potential loss of business and fines with being non-GDPR compliant, the government survey has found that many organisations aren’t prepared – or aren’t even aware – of the incoming legislation and how it will impact on their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, and awareness in manufacturing is also poor. According to the report, the overall figure comes in at just under half of businesses – including a third of charities – who have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those who are unsure of your GDPR compliance strategy, areas to consider may include:

  • Creating or improving new cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state, what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and the on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.

 

The 2018 Broadgate Predictions

Posted on : 19-12-2017 | By : richard.gale | In : Predictions


Battle of the Chiefs

Chief Information Officer 1 –  Chief Digital Officer 0

Digital has been the interloper into the world of IT – originating from the Marketing Department through the medium of Website morphing into Ecommerce. The result was more budget, and so more power, with the CDiO than the CIO and the two Chiefs have been rubbing along uncomfortably together, neither fully understanding the boundaries between them. 2018 will see the re-emergence of the CIO empire as technology becomes more service based (Cloud, SaaS, Microservices etc) and focus returns to delivering high paced successful transformational change.

 

Battle of the Algorithms

Quantum 2 – Security 1

All the major Tech companies now have virtual Quantum computers available (so the toolkits if not the technology). These allow adventurous techies to experiment with Quantum concepts. Who knows what the capabilities are of Quantum but through its enormous processing power it will have the capability to look at every possible combination of events for a given situation at once. That is great in terms of deciding which share to buy or how people interact on Facebook but it will also have the potential to crack most current encryption mechanisms. Saying that, it will enable another level of secure access too!

 

Battle of the Search Engines

Voice 2 – Screen 0

OK Google, Alexa, Siri…. There’s a great video of Google talking to Alexa on infinite loop. That’s all fun but in 2018 Voice will start to become a dominant force for search and for general utility. Effectively stopping what you are doing and typing in a command or search will start to feel a little strange and old-fashioned. OK in the office we may not all start shouting at our computers (well not more than normal) but around the home, car using our phones it is the obvious way to interact. This trend is already gathering momentum. VR and especially AR will add to this, the main thing holding it back is the fact you look like an idiot with the headset on. Once that is cracked then there will be no stopping it.

 

RoboWars – to be continued…

Robots 1 – People 1

AI and ‘robot process automation’ (RPA) are everywhere. Every services firm worth its salt has process automation plans and the hype around companies such as Blue Prism is phenomenal. This is all very exciting and many doomsayers have been predicting the end of most jobs (and some the end of most people!). Yes. Automation of processes is here. It’s been here for years – that is what most ERP (aka workflow) systems do. It makes absolute sense to automate mundane processes and if you can build in a bit of intelligence to deal with slight differences in the pattern then all the better. Will it result in the loss of millions of jobs… well maybe and probably in the short-term but once again, as every time in the past, technology will replace human endeavour whilst humans will be busy building the next creative, innovative wave.

 

The Lightbulb Moment

Internet 1 – Internet of Things 3

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb – apart from flicking a light-switch. Now IoT connected lightbulbs appear to be everywhere and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush? This is all fine and will enrich our lives in ways we probably haven’t even thought about yet but there is a cost. We are allowing these devices to listen, see, control parts of our lives and the data they gather has value both for good and bad reasons. There is no ‘culture of security’ for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don’t really know what they know and who knows what they know. This may be a subtler change for 2018 – the securing of ‘the Thing’ – well let’s hope so!

 

Welcome to our ESports Day

Call Of Duty 2 – Premiership Football 1

Sport is a big business. From Curling to Swimming to Indy Car racing it has a thousand differing forms, millions of participants and billions of armchair viewers. Top class athletes in a popular sport can earn millions of dollars a year both from performing and through product endorsements.

Video games have been popular for years. They started as single, two player games and now are worldwide multiplayer extravaganzas where you can battle, race or fight against people throughout the world. A number of superstars or EAthletes have emerged, first through winning competitions and then through YouTube etc where their tournaments are recorded and watched again and again. This business has now broken the $1B mark – still way off ‘real’ sport but it’s growing massively and at some point soon will become part of the mainstream.

Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way

 

The implications of Blockchain technology are being felt across many industries, in fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defense, Business Services, Logistics, Retail, you name it the applications are endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzz words, trends and fads that also undermine them as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable and therefore worth stealing and worth protecting and many criminals are working hard to exploit this. In the late 90’s the data collection began to ramp up with the popularity of the internet and now the hoarding of our personal, and professional data has reached fever pitch. We live in the age of information and information is power. It directly translates to value in the digital world.

However, some organisations both public sector and private sector alike have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, where or how they have it stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types and then uploaded on to cloud storage systems then duplicated in CRM’s (customer relationship management systems) and so on…are you lost yet? Well so is your information.

This negligence doesn’t happen with any malice or negative intent but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates we take the easiest route. Combine this with deadlines needing to be met and a reluctance to delete anything in case we may need it later at some point, and we end up with information being continually copied and replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, this makes it nearly impossible to secure this information.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year. During the breach, cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one, if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The sheer scale of numbers here makes this hard to comprehend, the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, or even the numbers of companies who’ve been breached, the numbers are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology

 

The beauty of a blockchain is that it kills two birds with one stone, controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record, which means that once the data is stored it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes); if an attempted change is made anywhere on the blockchain, all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near unbreakable cryptography (perhaps hundreds of times depending on how many other blocks of information were stored after it), then do that on every other node that holds a copy of the blockchain.
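The chaining and multi-node checks described above can be seen in a small hash-chained ledger. This is an added example, not code from the original post, from Gospel Technology or from any blockchain product; the record contents, node names and the simple majority comparison of head hashes (a stand-in for a real consensus protocol) are constructed assumptions.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # stands in for the "previous hash" of the first block


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical encoding of the block's position, link and data."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain, data):
    """Add a record, linking it to the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "data": data,
                  "hash": block_hash(index, prev, data)})


def first_invalid(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(i, prev, block["data"])
        if block["index"] != i or block["prev"] != prev or block["hash"] != expected:
            return i
        prev = block["hash"]
    return None


def recompute_from(chain, index):
    """Re-link and re-hash every block from `index` on, as a local edit would require."""
    for i in range(index, len(chain)):
        prev = chain[i - 1]["hash"] if i else GENESIS
        chain[i]["prev"] = prev
        chain[i]["hash"] = block_hash(i, prev, chain[i]["data"])


def head(chain):
    """Hash of the newest block: a fingerprint of the whole history."""
    return chain[-1]["hash"] if chain else GENESIS


def divergent_nodes(replicas):
    """Names of nodes whose copy is internally broken or disagrees with the majority head."""
    heads = {name: head(chain) for name, chain in replicas.items()}
    majority, votes = Counter(heads.values()).most_common(1)[0]
    if votes * 2 <= len(replicas):
        raise ValueError("no majority head hash; cannot decide which copy is good")
    return sorted(name for name, chain in replicas.items()
                  if first_invalid(chain) is not None or heads[name] != majority)


def demo():
    # Constructed sample records: a data-access log.
    ledger = []
    for user, action in [("alice", "read"), ("bob", "export"),
                         ("carol", "read"), ("alice", "delete")]:
        append_block(ledger, {"user": user, "action": action, "file": "customers.csv"})

    replicas = {name: copy.deepcopy(ledger) for name in ("node-a", "node-b", "node-c")}

    # node-b: one record edited in place; its stored hash no longer matches.
    replicas["node-b"][1]["data"]["action"] = "read"
    naive = first_invalid(replicas["node-b"])

    # node-c: same edit, then every later block re-hashed so the copy is
    # self-consistent; only comparison with the other nodes exposes it.
    replicas["node-c"][1]["data"]["action"] = "read"
    recompute_from(replicas["node-c"], 1)
    consistent = first_invalid(replicas["node-c"])

    return naive, consistent, divergent_nodes(replicas)


if __name__ == "__main__":
    print(demo())
```

The second case is why the number of independent nodes matters: a copy that has been fully re-hashed passes its own verification and is only caught because its head hash differs from the others.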

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit of using blockchains for data security is that because private blockchains are permissioned, accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user.  The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance for our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security is now something that can’t be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose and so many threats, that trying to stay on top of it without a dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the more critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.
  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.
  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.
  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, SANS-20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber-attack or data breach and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services and never more so when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

A few tips to securing data in the cloud

Posted on : 30-11-2016 | By : john.vincent | In : Cloud, Cyber Security, Data, Uncategorized


In our view, we’ve finally reached the point where the move from internally built and managed technology to cloud based applications, platforms and compute services is now the norm. There are a few die hard “remainers” but the public has chosen – the only question now is one of pace.

Cloud platform adoption brings a host of benefits, from agility in deployment, cost efficiency, improved productivity and collaboration amongst others. Of course, the question of security is at the forefront, and quite rightly so. As I write this the rolling data breach news continues, with today being that of potentially compromised accounts at the National Lottery.

We are moving to a world where the governance of cloud based services becomes increasingly complex. For years organisations have sought to find, capture or shut down internal pockets of “shadow IT”, seeing them as a risk to efficiency and increasing risk. In today’s new world however, these shadows are more fragmented, with services and data very much moving towards the end user edge of the corporate domain.

So with more and more data moving to the cloud, how do we protect against malicious activity, breaches, fraud or general internal misuse? Indeed, regarding the last point, the Forrsights Security Survey stated:

“Authorised users inadvertently exposing sensitive information was the most common cause of data breaches in the past 12 months.”

We need to think of the challenge in terms of people, process and technology. Often, we have a tendency to jump straight to an IT solution, so let’s come to that later. Firstly, organisations need to look at a few fundamental pillars of good practice:

  1. Invest in User Training and Awareness – it is important that all users throughout an organisation understand that security is a collective responsibility. The gap between front and back office operations is often too wide, but in the area of security organisations must instil a culture of shared accountability. Understanding and educating users on the risks, in a collaborative way rather than merely enforcing policy, is probably the top priority for many organisations.
  2. Don’t make security a user problem – we need to secure the cloud based data and assets of an organisation in a way that balances protection with the benefits that cloud adoption brings. Often, the tendency can be to raise the bar to a level that constrains both user adoption and productivity. We often hear that IT are leading the positioning of the barrier irrespective of the business processes or outcomes. This tends to lead to an approach of being overly risk averse without the context of disruption to business processes. The result? Either a winding back of the original solution or users taking the path of least resistance, which often increases risks.

On the technology side, there are many approaches to securing data in the cloud.  Broadly, these solutions have been bundled in the category of Cloud Access Security Broker (CASB), which is software or a tool that sits in between the internal on-premise infrastructure and the cloud provider, be that software, platform or other kind of as-a-service. The good thing about these solutions is that they can enforce controls and policies without the need to revert to the old approach of managing shadow IT functions, effectively allowing for a more federated model.

Over recent years, vendors have come to market to address the issue through several approaches. One of the techniques is through implementing gateways that either use encryption or tokenisation to ensure secure communication of data between internal users and cloud based services. However, with these the upfront design and scalability can be a challenge given the changing scope and volume of cloud based applications.

Another solution is to use an API based approach, such as that of Cloudlock (recently purchased by Cisco). This platform uses a programmatic approach to cloud security on the key SaaS platforms such as  to address areas such as Data Loss Prevention, Compliance and Threat Protection with User and Entity Behaviour Analytics (UEBA). The last of these uses machine learning to detect anomalies in cloud activities and access.

Hopefully some food for thought on the challenge of protecting data in the cloud, whichever path you take.

The Ultimate Way to Move Beyond Trading Latency?

Posted on : 30-03-2016 | By : richard.gale | In : Finance, Innovation


A number of power surges and outages have been experienced in the East Grinstead area of the UK in recent months. Utility companies involved have traced the cause to one of three  high capacity feeds to a Global Investment bank’s data centre facility.

The profits created by the same bank’s London based Proprietary Trading group have increased tenfold in the same time.

This bank employs 1% of the world’s best post-doctoral theoretical Physics graduates  to help build its black box trading systems.

Could there be a connection? Wild & unconfirmed rumours have been circulating within the firm that a major breakthrough has been made in removing the problem of latency – the physical limitation of the time it takes a signal to transfer down a wire – ultimately governed by the speed of light.

For years traders have been trying to reduce execution latency to provide competitive advantage in a highly competitive fast moving environment. The focus has moved from seconds to milli and now microsecond savings.

Many Financial Services & technology organisations have attempted to solve this problem through reducing  data hopping, routing, and going as far as placing their hardware physically close to the source of data (such as in an Exchange’s data centre) to minimise latency but no one has solved the issue – yet.

It sounds like this bank may have gone one step further. It is known that at the boundary of the speed of light, physics as we know it changes (Quantum mechanics is an example where the time/space continuum becomes ‘fuzzy’). Conventional physics states that travelling faster than the speed of light to see into the future would require infinite energy and so is not possible.

Investigation with a number of insiders at the firm has resulted in an amazing and almost unbelievable insight. They have managed to build a device which ‘hovers’ over the present and immediate future – little detail is known about it but it is understood to be based on the previously unproven ‘Alcubierre drive’ principle. This allows the trading system to predict (in reality observe) the next direction in the market providing invaluable trading advantage.

The product is still in test mode as the effects of trading ahead of the data they have already traded against is producing outages in the system as it then tries to correct the error in the future data which again changes the data ad infinitum… The prediction model only allows a small glimpse into the immediate future which also limits the window of opportunity for trading.

The power requirements for the equipment are so large that it has had to be moved to the data centre environment where consumption can be more easily hidden (or not as the power outages showed).

If the bank does really crack this problem then they will have the ultimate trading advantage – the ability to see into the future and trade with ‘inside’ knowledge legally. Unless another bank is doing similar in the ‘trading arms race’ then the bank will quickly become dominant and the other banks may go out of business.

The US Congress have apparently discovered some details of this mechanism and are requesting the bank to disclose details of the project. The bank is understandably reluctant to do this as it has spent over $80m developing this and wants to make some return on its investment.

If this system goes into true production mode surely it cannot be long before Financial Regulators outlaw the tool as it will both distort and ultimately destroy the markets.

The project even has a code-name…. Project “Prima Aprilis”

No one from the company was available to comment on the accuracy of the claims.

Broadgate’s Crystal Ball – Our predictions for 2016

Posted on : 18-12-2015 | By : richard.gale | In : General News


During the past few weeks, 2016 trend predictions have flooded our news feeds. After compiling and combining them with our view on the approaching changes, here’s Broadgate’s view on IT in 2016.


Adaptive Security Architecture

In the context of companies’ growing awareness of the importance of security and the need to build it into all business processes, end-to-end, Gartner predicts that the near future will bring more tools to go on the offensive, leveraging predictive modeling, for example, allowing apps to protect themselves (!). Therefore, go on the offensive and build security into every project, product, process and service, instead of treating it as an add-on and an afterthought or having separate “security” projects.

 

IoT and Big Data Science

IoT will gradually overtake every-thing and generate data-rich insights about us. Gartner notes that the rapid growth in the number of sensors embedded in various technologies of both personal and professional use will lead to the generation of tons of intelligence on our daily patterns. The more ‘things’ and areas of our lives IoT takes over, the more data is going to be collected. According to Gartner, by 2020, the number of devices connected to the Internet is expected to reach 25 billion. As each year is moving us much closer to the IoT big data/even bigger insights reality, it will be challenging to find efficient ways of digging through and making sense of the constant generation of streams of data.

As we stated this time last year, talking about the ‘future’ of 2015 –  Loading large amounts of disparate information into a central store is all well and good but it is asking the right questions of it and understanding the outputs is what it’s all about. If you don’t think about what you need the information for then it will not provide value or insight to your business. We welcome the change in thinking from Big Data to Data Science.

 

Connected Devices

Our bodies are going to be increasingly connected to the Internet through smart devices within the next couple of years. This is reality, not Sci-Fi; those who claim that wearables will struggle to find their place in everyday life in 2016 should familiarise themselves with the outcomes of Gartner’s October Symposium/ITxpo. It is predicted that in two years, 2 million employees, primarily those engaged in physically demanding or dangerous work, will be required to wear health & fitness tracking devices as a condition of employment (Gartner). According to a different source, in nine years, 70% of us are going to use wearables (IDC).

 

The Hybrid Cloud

Following our 2015 prediction of cloud becoming the default coming true, towards 2016 the integration of on-premises cloud infrastructure and the public cloud is becoming an operating standard; the demand for the hybrid cloud is growing at a rate of 27% (MarketsandMarkets). Google’s hire of Diane Greene, co-founder of VMware, to head up Google Cloud, shows Google’s commitment to offering services to enterprise cloud customers. A hybrid Kubernetes scheme is said to be part of the deal (Knorr, Infoworld), which will likely have a significant impact on the growth of the hybrid cloud in 2016.

 

The outsourcing of personal data

Barely a week goes by without another retailer or bank losing customer information by getting hacked. This is becoming a serious and expensive problem for firms; each one is having to put complex defense mechanisms in place to protect itself.

We think the outsourcing of responsibility (and sensitive data) to specialist firms will be a growing trend in 2016. These firms can have high levels of security controls and will have the processing ability to support a large number of clients.

Obviously one potential issue is that these organisations will be targeted by the criminals and when one does get breached it will have a much greater impact….

 

We are truly excited to see what 2016 will surprise us with!

5 Minutes With Mark Prior

Posted on : 18-12-2015 | By : Maria Motyka | In : 5 Minutes With


Which recent tech innovations are you the most excited about?

I get most excited about how my business can benefit from technology (whether it’s new or not). It’s my team’s job to understand our business; its processes, strategy and competitor landscape and bring technology to bear to address those challenges.
Smith and Williamson is a very client centric business – there is a great opportunity to leverage even well-established technology like IPT, Workflow and Document management to improve the service we provide to clients. Additionally Cloud based collaboration tools offer new ways to engage with our clients 1-1 and perhaps open up new markets for services.

Like all industries if we can both improve the service to the client through technology and at the same time lower the cost of servicing a client we will be successful.

From a pure technology perspective I’m looking forward to improvements in price and functionality of end user devices – particularly low cost 2in1 Windows devices displacing the desktop or traditional clam laptop as the default end user device. I hope the combination of these devices, Windows 10, Office 365, Wi-Fi and IPT will provide a better mobile platform that’s easier to manage and support and offers a seamless user experience regardless of location and connection type.

Looking ahead I’m also interested in how graphene will impact IT – whether it’s in battery technology or the size and speed of microprocessors, it appears to have the potential to be revolutionary (and it was invented in the UK!!).

 

How do you see business applications in wealth management adopting As-a-Service operating models?

Firms buy solutions that best meet their needs – how those solutions are delivered is often secondary, however vendors that deliver their solution (only) as a service are I feel better placed to rapidly adapt and evolve their offering as it’s a single code set, single port etc. This should keep their costs down and by passing those savings to customers they will drive adoption and create a virtuous circle. It should also mean they can focus development resource on new features rather than maintaining multiple code sets and branches.

 

In your opinion, what are the biggest data security risks that financial organisations are currently facing and how can they be overcome?

I think everyone understands the need for perimeter security, good patch management, access controls etc. But I think an area that is sometimes overlooked is “end users” either inadvertently or deliberately exposing data. We need to ensure we classify our data based on risk, educate our employees and have appropriate audit trails and controls based on data classification (all easier said than done). Services like MS Office 365 and OneDrive mean this has to be driven as much by policy and education as by IT.

 

Why did you choose Broadgate to assist you? What value has working with Broadgate brought to your team?

I’ve known the team for many years and trust them to do a good job for their clients.

Broadgate’s engagement style is collaborative and consultative, unlike other firms where every conversation is viewed as a selling opportunity.

 

Which technology trends do you predict will be a key theme for 2016?

Every year we think it will be cloud – maybe this year it will happen (though personally I’m not sure it will). Financial service firms are still hesitant to put client data into the public cloud and many firms say the cost of cloud is more than the marginal cost of adding capacity to their own facilities.
Hosting strategies are difficult to formulate as the options are many and varied with no clear leaders. I think Google will drive into MS market share (a few years ago I can’t recall anyone seriously considering alternatives to MS Office) which should ensure healthy competition and better options for their customers.

Caveat Emptor: The impact of poor cyber security in mergers & acquisitions

Posted on : 30-09-2015 | By : richard.gale | In : Cyber Security


The Ashley Madison breach is now infamous in the world of cyber security as a stark warning of what can happen when hackers get hold of your data. The fallout from this incident has been far reaching, resulting in a failed IPO attempt to list on the London Stock Exchange and multi-million dollar class action lawsuits. US retailer Target suffered another high profile breach where costs are said to have reached over $160 million and traffic to its site dropped by 23% over the following year. We can see how a breach can have a major impact on company financials in terms of profit and reputational damage. How would you feel if you were a new shareholder in Ashley Madison or your company had recently acquired Target?!

Cyber security should be part of any company risk profile and the M & A sector is no exception. However, more often than not this is not the case.  The prime purpose of a merger or acquisition is for the acquiring company to make a return on investment or add value to the existing company.  As cyber security can have a major financial impact it must be seen as a key risk indicator in the due diligence process.

It wasn’t that long ago that mergers and acquisition deals were conducted in a paper based room secured and locked down to only those with permitted access.  These days the process has moved on and is now mostly online, with the secure virtual data room being the norm. Awareness of cyber security in the information gathering part of the deal making process is well established. It is the awareness and need to look at the cyber security of the target company itself that needs to be addressed.  Technology due diligence is investigated but tends to focus on system compatibility and integration alone.

A study published by law firm Freshfields Bruckhaus Deringer found that 78% of global respondents did not think that cyber security was analysed in great depth as part of the M&A due diligence process, despite the fact that two thirds said that a cyber incident during the deal or discovery of a past breach during due diligence would significantly impact the transaction.

Acquiring deal makers must assess the cyber risk of an organisation in the same way that they would assess overall financial risk. Due diligence is all about establishing the potential liabilities of the company you are taking on. According to the Verizon Data Breach survey it takes an average of 205 days to discover a breach. Often companies are breached without ever knowing. It is therefore crucial to look at the cyber risk not just in terms of whether they have been breached but also what the likelihood and impact of a breach are. An acquisition target company that looks good at the time of closing the deal may not look quite so good a few months later.

The main reason for this lack of importance given to the cyber threat is that M&A teams find it hard to quantify the cyber risk, particularly given the time pressures involved. A cyber risk assessment at the M&A stage is crucial if the acquiring company wants to protect its investment. The ability to carry out this assessment and to quantify the business impact of a likely cyber breach with a monetary value is invaluable to deal makers. Broadgate’s ASSURITY Assessment provides this information in a concise, value specific way using business language to measure risks, likelihood and cost of resolution.

Conclusion

A cyber security assessment should be part of every M&A due diligence process. If you don’t know what you are acquiring in terms of intellectual property and cyber risk, how can you possibly know the true value of what you are acquiring?

It is also crucial for all prospective sellers to demonstrate a serious, proactive, planned approach to cyber security when attempting to achieve the best price for their business.

The Blockchain Revolution

Posted on : 28-08-2015 | By : richard.gale | In : Cyber Security


We’ve been excited by the potential of blockchain and in particular bitcoin technology and possibilities for a while now (Bitcoins: When will they crash? More on Bitcoins.. Is someone mining on my machine?). We even predicted that bitcoins would start to go mainstream in our 2015 predictions. We may be a little ahead of ourselves there, but the possibilities of the blockchain, the underpinning technology of crypto currencies, are starting to gather momentum in the financial services world.

Blockchain technology contains the following elements, which are essential to any financial transaction:

  1. Security – Blockchain data is secure as each part of the chain is linked with the other and many copies of that data are stored among the many thousands of ‘miners’ in an encrypted (currently unhackable) format. Even if a proportion of these miners were corrupt with criminal intent, the voting of the majority will ensure integrity
  2. Full auditability – Every block in the chain has current and historic information relating to that transaction; the chain itself has everything that ever happened to it. The data is stored in multiple places and so there is a very high degree of assurance that the account is full and correct
  3. Transparency – All information is available in a consistent way to anyone with a valid interest in the data
  4. Portability – The information can be available anywhere in the world; apart from certain governments’ legislation there are few or no barriers to trade using blockchain technology
  5. Availability – There are many copies of each blockchain available in virtually every part of the world, so blockchains should always be available for use

The blockchain technology platform is flexible enough to incorporate additional functions and processes without compromising its underlying strengths.
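The linking and many-copies properties in items 1 and 2 can be seen in a small model, added here as an illustration and not taken from the original post or from any real blockchain implementation. It assumes SHA-256 hash linking and a plain strict-majority vote over replica copies (real networks use more involved consensus rules); all function names and sample entries are constructed.

```python
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # constructed placeholder for the first block's parent

def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical encoding of the block's fields."""
    body = json.dumps([index, prev_hash, payload]).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(payloads):
    """Link each block to its predecessor by embedding the predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def first_bad_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev"] != prev:
            return i
        if block_hash(b["index"], b["prev"], b["payload"]) != b["hash"]:
            return i
        prev = b["hash"]
    return None

def majority_tip(replicas):
    """Tip hash held by a strict majority of internally valid replicas, else None."""
    tips = Counter(r[-1]["hash"] for r in replicas if r and first_bad_block(r) is None)
    if not tips:
        return None
    tip, votes = tips.most_common(1)[0]
    return tip if votes * 2 > len(replicas) else None

def demo():
    # Constructed sample ledger entries.
    honest = build_chain(["alice->bob:5", "bob->carol:2", "carol->dave:1"])
    # Edited copy that keeps the old stored hashes: fails the per-block check.
    naive = [dict(b) for b in honest]
    naive[1]["payload"] = "bob->mallory:2"
    # Edited copy with every hash recomputed: valid alone, but only a minority.
    rewritten = build_chain(["alice->bob:5", "bob->mallory:2", "carol->dave:1"])
    replicas = [honest, [dict(b) for b in honest], [dict(b) for b in honest], naive, rewritten]
    return first_bad_block(naive), first_bad_block(rewritten), majority_tip(replicas) == honest[-1]["hash"]
```

The second altered copy passes its own verification, which is why the audit value of the chain depends on comparing independently held copies as well as on the hash links.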

All major banks and a number of innovative startups are looking at ways blockchain can change the way transactions are executed. There are significant opportunities for both scale and efficiency using this technology. Areas being researched include:

  • Financial trading and settlement. Fully auditable, automated chain of events with automated payments, reporting and completion globally and instantly
  • Retail transactions. End to end transactions delivered automatically without the opportunity of loss or fraud
  • Logistics and distribution. Automatically attached to physical and virtual goods with certified load information enabling swift transit across nations
  • Personal data. Passports, medical records and government related information can be stored encrypted but available and trusted

There are still some significant challenges with blockchain technology:

  1. Transactional throughput – limited by banking standards (10’s of transactions per second at present rather than 10,000’s)
  2. Fear and lack of understanding of the technology – this is slowing down thinking and adoption
  3. Lack of skills to design and build – scarce resources in this space and most are snapped up by start-ups
  4. Complexity and lack of transparency – Even though the technology itself is transparent, the leap from the decades-old processes used in banks’ back offices, for example, to a blockchain programme can be a large one. In the case of time critical trading or personal information, security concerns about who can view data come to the fore.
  5. Will there be something else that replaces it – will the potentially large investment in the technology be wasted by the ‘next big thing’?

We think blockchain could have a big future. Some people are even saying it will revolutionize government, cutting spending by huge amounts. If blockchain transactions were used to buy things then sales tax and various amounts to retailers, wholesalers, manufacturers could be paid immediately and automatically. The sales person could have the blockchain credit straightaway too.

Blockchains could remove huge levels of inefficiency and potential for fraud. They could also put a significant number of jobs at risk, as reflected in John Vincent’s article on the future of employment.