Hey, Let’s Be Careful Out There!

Posted on : 10-06-2016 | By : Maria Motyka | In : Cloud, Cyber Security, Data, Innovation, IoT


In the context of accelerated digitisation, especially the adoption of innovations in the areas of cloud computing, IoT and the growth of social networking, as well as with increased mobility of the workforce, organisational security and risk management need to be rethought.

The way we work is constantly changing; according to recent research by Gartner, within the next 1.5 – 2 years, ’25 per cent of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls’. Digital users now spend 30% of all connected time, 2 hours a day, on social media (Global Web Index) – let’s not fool ourselves, some of it (whether it is the seemingly innocent Messenger app or Instagram, the saviour of boring meetings) happens within the office environment. And it’s definitely not just the Millennials who are guilty of the Social Media at work crime! The Bring Your Own Device (BYOD) trend is also becoming more and more popular, even within traditionally conservative work environments (employees who get to work on their own laptops/tablets are said to be happier, and thus more productive, than those constrained to company devices). While (according to Code42’s 2016 Datastrophe study) 87% of CIOs and CISOs claim that their companies have a clearly defined BYOD policy in place, a shocking 67% of knowledge workers (the organisation’s end users) disagree (Infosec Magazine). When things go wrong and the freedom to connect/work anyplace, anytime compromises organisational security, it is the company that takes the hit.

At the same time, organisations often rely primarily on CXOs to deliver enterprise security and manage increasingly sophisticated threats, at a time when companies (and the devices employees use, often both at work and at home) are constantly being compromised. This is not sufficient. All employees, across all functions, are responsible for securing the organisations they are part of. As highlighted by Gartner in the Managing Risk and Security at the Speed of Digital Business report, it is crucial for organisations to apply resilience not only to processes and technology, but also to people. We cannot afford to overlook the ‘human’ element of security. Best practices include regular training and digital security awareness campaigns for everyone, as well as extending protections to the company’s employees within their home environments (Gartner), in response to the blurring of the tech we use for personal and professional purposes and the flexible work trend. Gartner proposes a ‘people-centric security’, which aims for a balance between protecting the company and allowing increased employee agility and the adoption of new, often risky, tech to stay competitive.

For now, it seems like ‘seeking’ a balance and regular employee education is the best companies can do.

Laptops and smartphones get lost or stolen, and will continue to (whether in a club or on the way to work). Data which is stored on or can be accessed through these devices can often be worth a thousand times more than the actual device. This is not an exaggeration; one obvious example being the infamous iPhone which stirred the Apple-FBI encryption dispute. Moreover, the punishment doesn’t seem to fit the crime – charges for stealing a phone or a laptop usually fail to take into account the value of potentially compromised data. This is going to have to change in the future, especially as the devices we carry store more and more data (not only confidential because it is work-related, but also highly intimate, for example health-related).

Striving for the sweet spot between data security and taking advantage of the opportunities offered by new tech/following the new working trends also means being clever about WHAT to protect. Not all data needs to be equally secure. As stressed by Richard Gale during the security panel at ISITC’s General Meeting, companies need to focus on protecting their ‘crown jewels’. Utilising cloud tech and allowing employees the freedom to work flexibly won’t stop you from identifying and investing in protecting crucial data. Detection and response is yet another element which ought not to be overlooked. What would be the worst-case scenario, and what would your organisation do, if the CEO’s mobile phone/laptop went missing? What steps is your company going to take if a Social Media app sends out phishing messages to employees? While it’s impossible to perfectly protect all the data, it’s worth having an action plan for when things go wrong.

Let your employees bring their own devices and go on, embrace the cloud – when doing so however, train, educate, invest more in protecting what’s most valuable and be prepared for when data does get compromised!


Talking about BYOD and training your employees about how to be digitally secure – a few months ago we shared a Cybersecurity Manual with 10 hands-on security tips, which you can read here.

What is the true price of BYOD?

Posted on : 29-10-2013 | By : jo.rose | In : Innovation


“Nature is a mutable cloud which is always and never the same.” – Ralph Waldo Emerson

Our failure to enter into good commercial agreements in the past has hampered our chances of attaining the full value offered by new systems and technologies. The mutable clouds that stream towards us at increasing speeds offer greater potential; yet the commercial challenges are always the same. What are some of these commercial challenges posed by newer technologies? What can you do about them?

Let us consider an example: the trend for CIOs to adopt a Bring Your Own Device [BYOD] policy. Once the concerns about security, data privacy and access have been addressed, a BYOD policy is very attractive to both the user community and the CIO. However, a BYOD policy also starts the timer ticking on a cluster of time bombs: what software suppliers will do about business use of personal software.

Managing software audits properly has always been a difficult task. Many organisations over-deployed software within their environments or allowed software to be used in ways that were not covered by licences or enterprise agreements. How much more difficult does this become where business work is delivered using personal devices? How can the organisation track and report the use of personal devices? Will there be a single personal device used per employee or is business looking at individual instances for desktop, laptop and mobile devices?

One possible approach is for the business to tell the software supplier to pursue staff directly for inappropriately using their home edition software. Staff attitude surveys towards IT might well dip after such an event and the liability will likely return to the business corporation because that is where the benefit lies.

A second solution would be to let the issue drift until the software provider initiates an audit and then cut a deal. Most organisations took this approach to past software compliance liabilities. Given the difficulty of proving the right usage statistics from a BYOD policy, there needs to be plenty of space for a bigger number in the ‘Amount’ box of the settlement cheque.

The best approach is to review software agreements pro-actively. Pay particular attention to applications and data. You may be lucky and find that some of your agreements are based on headcount. Never, ever surrender a headcount clause. Where you do not have a headcount agreement with a software supplier then you can try asking for one, although a new headcount agreement is now likely to be prohibitively expensive with an incumbent supplier.

Assuming you do not have headcount clauses, when you review your software agreements the thought process should be something like this:

  • Can the supplier demonstrate that employees have used personal software to deliver business needs?
  • If the supplier can demonstrate this, we may have a liability.
  • Can we provide accurate statistics for how many instances/devices/employees are involved?
  • If we cannot provide accurate inventory then the liability might end up being a multiple of the number of employees, contractors, consultants and suppliers that work on our behalf.
  • We should be able to reduce the liability if we formulate a commercial stratagem that the supplier will accept.

So is this just scare mongering? US President Obama set up the Office of the Intellectual Property Enforcement Coordinator [IPEC] in 2010 and has significantly expanded enforcement powers in the US. Through negotiations with the European Union, G8 members and G20 members, the US continues to extend its Copyright and Intellectual Property models to the UK and other developed countries as part of a campaign to ‘Fight Worldwide Counterfeiting’, IP Theft and Copyright Infringement. Software suppliers coordinate their common interests through a trade body called the Business Software Alliance [BSA], founded in 1988. Since 2008, software suppliers have seen major reductions in their income because businesses cut back spend on new development projects. Suppliers replaced their lost development income with penalties for non-compliance gathered through more widespread software audits. Most of these are collected in out-of-court settlements that are not widely reported.

There is some good news. The BSA and software suppliers focus much of their energy on countries where they see high levels of piracy and the UK is not one of those. The suppliers themselves are also generally amenable to working with businesses to find solutions where software costs remain reasonable. Once you have spotted a problem, work with your commercial or legal teams to formulate a stratagem and bring this in good faith to the supplier.

Do not take too long. Pressures on software firms’ revenues increase as their old products lose market share to new platforms like Android, new applications like Prezi and new productivity tools. The commercial solutions remain the same but the new clouds roll in faster.


Many thanks to Sean Pepper for contributing to this article – Sean is an interim manager and consultant with experience of leading Vendor Management and Procurement activities at major banks.

For any questions or more information, please contact: jo.rose@broadgateconsultants.com


Broadgate Predicts 2013 – Preview

Posted on : 29-01-2013 | By : john.vincent | In : Innovation


Last month we published our 2013 Technology Predictions and asked our readers to give us their view through a short survey. We have had a great response…so much so that we are keeping it open for 2 more weeks.

However, we thought we would share a few of the findings so far, prior to us producing the final report.

Current Ranking

As we stand, the predictions that generated the most agreement are:

  1. Infrastructure Services Continue to Commoditise
  2. Samsung/Android gain more ground over Apple
  3. Data Centre/Hosting providers continue to grow

Some interesting commentary against these:

Many companies have come to terms with the security/regulatory issues concerning commoditisation and cloud services, although they still choose to build in-house for now. It will take some significant time to see IaaS address the legacy infrastructure burden.

On the Apple debate, respondents agreed enough to place it 2nd, but differed a lot on how this will develop. There is a feeling that Apple is struggling to continue to innovate ahead of the market and that consumers are wiser now, together with a cost pressure that, if it is relieved, will cause users to stay with them.

Regarding Data Centres, the importance of cloud and managed services continues to drive expansion. Within heavily regulated industries such as Financial Services there continues to be a desire to Build vs Buy, but respondents questioned for how long. Having your own DC is not a competitive advantage.

At the other end of the scale, the predictions that respondents disagreed most with were:

  • Instant Returns on Investment required
  • More Rationalisation of IT Organisations (a close second)

Again, a pick of some of the additional comments:

Whilst there still exists demand for long term and large corporate technology initiatives, the stance is starting to change somewhat towards more agile, focused investments. Unfortunately, legacy issues and organisational culture continue to block progress.

Whilst market conditions and technology evolution are facilitating a reduction in workforce, respondents cited other, equal forces in areas such as risk and control, plus offshore operations delivering less value than expected, working to counteract this.

Please continue to send us your thoughts before we close!

Interestingly the largest number of No Comments (40%) came against the prediction that “Crowd-funding services continue to gain market share”…maybe an article for February.