GDPR – A Never Ending Story

Posted on : 28-06-2018 | By : richard.gale | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR


For most of us, the run up to the implementation of GDPR meant that we were overwhelmed by privacy notices and emails begging us to sign up to mailing lists. A month on, what is the reality of this regulation and what does it mean for businesses and their clients?

There was much agonising by companies who were racing to comply, concerned that they would not meet the deadline and worried what the impact of the new rules would mean for their business.

If we look at the regulation from a simple, practical level, all GDPR has done is to make sure that people are aware of what data they hand over and can control how it’s used. That should not be something new.

Understanding where data is and how it is managed correctly is not only fundamental to regulatory compliance and customer trust, but also to providing the highly personalised and predictive services that customers crave. Therefore, the requirements of regulation are by no means at odds with the strategies of data-driven finance firms, but in fact are perfectly in tune.

Having this knowledge is great for business as clients will experience a more transparent relationship and with this transparency comes trust. Businesses may potentially have a smaller customer base to market to, but this potential customer base will be more willing and engaged which should lead to greater sales conversion.

The businesses that will see a negative impact will be the companies that collect data by tricking people with dubious tactics. The winners will be the companies that collect data in open and honest ways, then use that data to clearly benefit customers. Those companies will deliver good experiences that foster loyalty. Loyalty drives consumers to share more data. Better data allows for an even better, more relevant customer experience.

If we look at the fundamentals of financial services, clients are often handing over their life savings, which they are entrusting to companies to nurture and grow. Regardless of GDPR, businesses shouldn’t rely on regulation to keep their companies in check but instead always have customer trust at the top of their agenda. No trust means no business.

The key consideration is what you can offer that will inspire individuals to want to share their data.

Consumers willingly give their financial data to financial institutions when they become customers. An investment company may want to ask each prospect how much money she is looking to invest, what her investment goal is, what interests she has and what kind of investor she is. If these questions are asked “so we can sell to you better,” it is unlikely that the prospect will answer or engage. But, if these questions are asked “so that we can send you a weekly email that describes an investment option relevant to you and includes a few bullets on the pros and cons of that option,” now the prospect may happily answer the questions because she will get something from the exchange of data.

Another advantage of GDPR is the awareness requirement. All companies must ensure that their staff know about GDPR and understand the importance of data protection. This is a great opportunity to review your policies and procedures and address the company culture around client information and how it should be protected. With around 50% of security breaches being caused by careless employees, the reputational risks and potential damage to customer relationships are significant, as are the fines that can be levied by the ICO for privacy breaches.

Therefore, it is important to address the culture to make sure all staff take responsibility for data security and the part that they play. Whilst disciplinary codes may be tightened up to make individuals more accountable, forward thinking organisations will take this opportunity to positively engage with staff and reinforce a culture of genuine customer care and respect.

A month on, it is important to stress that being GDPR ready is not the same as being done! Data protection is an ongoing challenge requiring regular review and updates in a fast-moving threat environment.

With some work upfront, GDPR is a chance to clean your data and review your processes to make everything more streamlined, benefiting both your business and your clients.

Everyone’s a winner!


kerry.housley@broadgateconsultants.com


GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized


Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018 and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. These can be as much as four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, 3rd-party compliance and assurance is common practice now and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, potential loss of business and fines that come with being non-GDPR compliant, the government survey has found that many organisations aren’t prepared for, or aren’t even aware of, the incoming legislation and how it will impact their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, the finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, and awareness in manufacturing is also poor. According to the report, the overall figure comes in at just under half of businesses – including a third of charities – who have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those who are unsure of your GDPR compliance strategy, areas to consider may include:

  • Creating or improving new cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state, what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve, there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and the on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.

Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way


The implications of blockchain technology are being felt across many industries. In fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defence, Business Services, Logistics and Retail; you name it, the applications are endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzzwords, trends and fads that also undermine them as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit this. In the late 90s data collection began to ramp up with the popularity of the internet, and now the hoarding of our personal and professional data has reached fever pitch. We live in the age of information and information is power. It directly translates to value in the digital world.

However, some organisations both public sector and private sector alike have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, where or how they have it stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types and then uploaded on to cloud storage systems then duplicated in CRM’s (customer relationship management systems) and so on…are you lost yet? Well so is your information.

This negligence doesn’t happen with any malice or negative intent but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates we take the easiest route. Combine this with deadlines needing to be met and a reluctance to delete anything in case we may need it later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, it makes this information nearly impossible to secure.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year, during which cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one; if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The scale of the numbers here makes this hard to comprehend: the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, or even the number of companies who’ve been breached. The numbers are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology


The beauty of a blockchain is that it kills two birds with one stone, controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record; that means once the data is stored it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes), and if an attempted change is made anywhere on the blockchain all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near unbreakable cryptography (perhaps hundreds of times depending on how many other blocks of information were stored after it), then do that on every other node that holds a copy of the blockchain.

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit to using blockchains for data security is that private blockchains are permissioned, so accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.
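To make the chaining and multi-node detection described above concrete, here is an added example (not Gospel’s, Bitcoin’s or any product’s code) of a minimal hash-chained ledger replicated across several node copies. Consensus is simplified to “the tip hash most copies share”; the records, node count and function names are constructed for illustration.

```python
"""Hash-chained ledger with replicated copies (constructed illustration).

Each block's hash covers its index, its data and the previous block's hash,
so editing one block invalidates it and every block after it. Replicating
the chain across nodes means a single edited copy stands out against the
majority. Names and sample records here are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = "0" * 64  # previous-hash value for the very first block


@dataclass
class Block:
    index: int
    data: str
    prev_hash: str
    hash: str = ""


def block_hash(index: int, data: str, prev_hash: str) -> str:
    # Canonical JSON serialisation so every node computes the same digest.
    payload = json.dumps({"i": index, "d": data, "p": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Append each record as a block linked to the one before it."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, rec, prev)
        chain.append(Block(i, rec, prev, h))
        prev = h
    return chain


def first_bad_block(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash or back-link is inconsistent, else None."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or b.hash != block_hash(b.index, b.data, b.prev_hash):
            return b.index
        prev = b.hash
    return None


def rehash_from(chain: List[Block], start: int) -> None:
    """What a tamperer must do after editing block `start`: rebuild every later hash.

    This makes a single copy self-consistent again, which is exactly why the
    replicated copies below are needed to catch it.
    """
    prev = chain[start - 1].hash if start > 0 else GENESIS_PREV
    for b in chain[start:]:
        b.prev_hash = prev
        b.hash = block_hash(b.index, b.data, b.prev_hash)
        prev = b.hash


def majority_tip(copies: List[List[Block]]) -> str:
    """Simplified consensus: the tip hash shared by the most node copies."""
    tips = [c[-1].hash for c in copies]
    return max(set(tips), key=tips.count)


def divergent_nodes(copies: List[List[Block]]) -> List[int]:
    """Node indices whose copy of the chain disagrees with the majority tip."""
    tip = majority_tip(copies)
    return [i for i, c in enumerate(copies) if c[-1].hash != tip]


if __name__ == "__main__":
    # Constructed records: a consent log for a hypothetical customer database.
    records = [
        "customer 1001: consent=marketing",
        "customer 1002: consent=none",
        "customer 1001: consent withdrawn",
    ]
    nodes = [build_chain(records) for _ in range(5)]
    # A quiet edit on one node's copy breaks that copy's own chain ...
    nodes[2][0].data = "customer 1001: consent=all"
    print("first bad block on node 2:", first_bad_block(nodes[2]))   # 0
    # ... and even after rebuilding its hashes, the other nodes still disagree.
    rehash_from(nodes[2], 0)
    print("node 2 self-consistent:", first_bad_block(nodes[2]) is None)  # True
    print("nodes diverging from majority:", divergent_nodes(nodes))     # [2]
```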

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user. The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance for our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security is now something that can’t be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose, and so many threats that trying to stay on top of it without dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there and, with a little effort and guidance and a considered approach to your organisation’s security, you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.
  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.
  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.
  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, SANS 20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber-attack or data breach, and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

Is your small business the next target for hackers?

Posted on : 28-08-2015 | By : kerry.housley | In : Cyber Security


Cyber attacks make great headlines, but behind the headlines are the real stories affecting real businesses. The fact is that small and medium-sized companies are increasingly more likely to be targeted than their larger counterparts. SMEs are now considered the biggest target in the cyber threat landscape.

There are many reasons for this. Smaller companies don’t think that they have anything of interest to hackers: “why would anybody want to attack us, we don’t have anything to steal”. They couldn’t be more wrong; even if they don’t have any information which is of interest in its own right, they may well provide a way into a larger organisation in their supply chain.

Some worrying statistics are emerging which show hackers are specifically targeting smaller companies as they do not have the budget for people or technology to protect themselves. Key risks for smaller firms are:

  • Lack of security policies and controls
  • Low levels of knowledge of potential threats and methods to combat them
  • Small or no budget allocated to cyber protection
  • Outdated technology and update procedures
  • ‘Ostrich’ approach to risk assuming it will happen to someone else

The impact of a cyber attack on an SME can be disproportionate to its size. Larger companies can absorb relatively large losses well and can call on external help to resolve them – Sony’s breach in the end was estimated at £35m, which had negligible impact on a multi-billion dollar organisation. For smaller firms, any loss (whether cyber or other fraud) can put them out of business if it impacts cash-flow, and could result in the loss of major clients if they are part of a larger firm’s supply chain.

It is crucial to understand that information assets are more valuable than you might think. Although larger enterprises now appear to be taking steps to protect their organisations, many do not look to their partners and vendors, so they too are guilty of not understanding the effect on the supply chain. There is no point in pulling out all the stops internally to protect information assets if the companies that you do business with are not doing the same.

Many commentators have described SMEs as the Achilles heel of the business world, which will result in devastating financial consequences if they do not take appropriate action to protect their information assets. The UK Government Information Security Breaches Survey 2015 found that 74% of SMEs had reported that they had suffered an information security breach. They also found that severe attacks can now cost up to £300k+ for a smaller business. This would put many smaller companies out of business as they couldn’t afford to take a hit this big.

In response to this threat the UK government has launched a number of initiatives designed to help SMEs to understand the cyber security issues that they face. 2014 saw the launch of the Cyber Essentials Scheme, which is designed to be a much simpler way for businesses to take steps to limit their risk of a breach. Most recently, in July, a voucher scheme has been set up which will enable SMEs to apply for a maximum of £5000 which can be used to fund specialist advice from information security specialists that they otherwise would not be able to afford. These initiatives are designed to increase the resilience of the UK business community to cyber attack. Ed Vaizey, digital economy minister, has said “We want to protect UK business against cyber attack and make the UK the safest place in the world to do business online.”

It is imperative that all businesses of any size understand the cyber threat and the effect this has on their entire supply chain network. Always know who you are doing business with and take steps to ensure you know how they are protecting your information assets.

In addition to assisting many ‘blue chip’ clients we also provide information risk assurance to smaller organisations. Often this can be quickly assessed with our ASSURITY product. Please do get in contact if you need some advice.

Kerry Housley

Kerry.Housley@broadgateconsultants.com


NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.

ASSURITY is a three step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investments.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.


The security threat: Do you know your real business risk?

Posted on : 31-03-2015 | By : john.vincent | In : Cyber Security


We are asked by our clients increasingly to assist in helping them assess the current threats to their organisation from a security perspective. Indeed, this is now a core part of our services portfolio.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top down lens over these questions and then looks at the various inputs into them. We also consider the threats in real world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  1. Top Down – we start with the board room. As the requirements to understand, act and report on breaches within a company become more robust, it is the board/C’Level executives who need the data on which to make informed decisions.
  2. Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the board room.
  3. Risk Driven – to conduct a proper assessment of an organisation's exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various data angles, including regulatory position, industry vertical, threat trends and of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and development of strategic security roadmaps.
  4. Maturity Based – we map the key security standards and frameworks, such as ISO 27001/2, SANS 20, Cyber Essentials etc. from the top level through to the mechanics of implementation. We then present these in a non-technical, business language so that there is a very clear common understanding of where compromises may exist and also the current state maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  5. Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response. At Broadgate we have spent years looking into what are the best fit technologies to mitigate the threats of a cyber attack or data breach and this experience forms a cornerstone of our methodology.

At Broadgate our mantra is “The Business of Technology”. This applies across all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact myself or kerry.housley@broadgateconsultants.com.

Cyber Insurance – What Every Business Needs To Know

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security

Cyber insurance is a growing market in the UK. Although it has been on the rise in the last few years, it still lags way behind the US, which has a far more advanced cyber insurance market. The main reason for this is legislation. In the US, the law in most states requires a security breach to be publicly disclosed. As we all know, the financial consequences of having to declare a breach publicly are far reaching, so US companies seek to mitigate their losses using dedicated stand-alone cyber insurance.

In the UK it is a rather different story:

  • Only public sector organisations are required to disclose a security breach, and there is no specified time limit for doing so

However, the situation is about to change with the implementation of the new European Directive on Data Protection, expected to come into effect in 2016. This reform will radically alter the security landscape in Europe:

  • It states that all data breaches must be disclosed within a specified time limit of 72 hours
  • Failure to do so will incur a heavy fine of 5% of annual turnover or EUR 100M, whichever is greater

Some see this EU Directive as the silver bullet for the growth of the UK cyber insurance market. It significantly changes the rules of the game, and UK businesses will be looking at ways to deal with the potentially devastating effects of this public admission. The fact is that no company can ever completely protect itself from suffering a breach. What it can do is take measures to limit the chances and mitigate the potentially financially crippling effects.

This is where cyber insurance comes into play.

Many businesses make the mistake of thinking that their current insurance policy will cover them for a cyber incident – in many cases it will not. Companies need a dedicated stand-alone cyber insurance policy that is right for them. However, taking out a cyber insurance policy does not necessarily mean that they are fully covered for all eventualities.

One of the problems with cyber insurance is that the business looking for the insurance does not know what it is that it needs to insure in the first place. Every company must establish its “Crown Jewels” – i.e. know what its most critical information assets are. This is an absolutely essential first step to ensuring the right insurance cover is applied for.

It is critical too, on the other side of the deal, that the insurance company is clear on what it is actually insuring against and understands its liabilities. Insurance companies are not experts in information security or the technology involved. They also have very little statistical data on cyber incidents, which makes it very difficult to build an accurate risk profile.

The question is, how does an insurer find out whether a business is risky in terms of cyber insurance?

In the absence of data on cyber incidents, the onus is therefore on the client to establish how prepared they are to protect their information, how likely they are to suffer a breach in the first place, and what measures they have in place to reduce the financial impact.

  • Robert Hartwig, President of the Insurance Information Institute, described assessing cyber insurance risk as “this is like insuring aircraft in 1915!”

The result of this difficulty, and of the sometimes vague policy language, is disputes in the courtroom when policy holders make a claim.

An information security audit is the key. This way both the insurer and the client can see exactly what it is they need to cover. As a business looking for insurance you must show that you have done everything you can to limit the possibility of a security breach and limit the effects when it happens.

Demonstrating that a company takes information security seriously is all about good governance and best practice. In the absence of any legally binding compliance or regulation, companies must look to the various types of guidance available and adopt an approach which best suits the needs of their business. The UK Government was so concerned about this lack of common guidance that it published its 10 Steps to Cyber Security, an easy-to-follow checklist that any business can adopt to improve its information security.

Subsequently, this has been followed with the launch of its Cyber Essentials Scheme. This is a recognised cyber assurance certificate which the government hopes businesses will use as a baseline standard for their information security. By undertaking and passing the Cyber Essentials Assessment, companies can demonstrate to the insurer that they have adopted an effective good governance strategy and take cyber security seriously (if we adopt a baseline against which insurance companies can assess risk, this will greatly improve the insurance process for both sides).

The cyber security challenge is something that crosses many parties and is firmly on the agenda of world leaders. Recently, President Obama was quoted as saying:

“Just as we’re all connected like never before, we have to work together like never before, both to seize opportunities but also meet the challenges of this information age.”

Of course, cyber insurance alone is not enough to win the information security war. What is needed is a broader strategy that companies must adopt in managing the risk and regularly reviewing the processes, procedures and technologies in place to ensure that they are keeping pace with changing times.

Insurance must sit alongside that strategy, to be there when all else has failed!

Is it the time for Joint Shared Services?

Posted on : 29-11-2013 | By : john.vincent | In : Innovation

Last month we wrote about how the rate of technology change is outpacing the internal IT departments of organisations. It certainly seems that the “squeeze” is on, with cloud and external providers offering more agile compute services at the infrastructure level (now at an on-demand cost which can compete), and the business consumers procuring what they need, when they need it and of course where they need it through Software as a Service (SaaS) providers.

Two years ago the ability for CIOs to raise the virtual “Red Card” at these external forces through risk, compliance, data security, cost and the like still existed, particularly in areas such as financial services (although we constantly heard anecdotes of technology services being bought on credit cards in the front office and expensed back). However, today it is more a case of working out how to protect digital assets and company reputation from the increased decentralisation of technology governance (business/end-user empowerment), whilst continuing to deliver operational services against a backdrop of having to justify value.

So, whilst this move of technology governance to the corporate edges continues, the question is “What approach should organisations take to sourcing their underpinning infrastructure commodity services?”

We have seen decades of ebb and flow for the sourcing of technology services: outsourcing, off shoring, near shoring, right shoring (we may have finally run out of prefixes…), managed services and the like. Internally, organisations have coupled this operating model with shared service functions such as Finance, Human Resources and Operations to deliver further efficiencies. What is less prevalent, however, is collaboration between client organisations.

Large service providers have shown the benefits, through economies of scale, of running client technology platforms. However, whatever your position is on outsourcing technology, many would argue that the clients themselves do not benefit fully from these efficiencies. This is of course natural where there is a fragmented delivery chain and limited client side collaboration. So, is the time right to extend the shared service model and create shared services, or joint ventures, between peer organisations?

If you take the infrastructure layer then we think…YES. As we said in our previous article, where is the business (or more importantly brand) value in having technicians crafting infrastructure services? There are pockets/exceptions, but typically the “compute plumbing” supporting business applications does not drive competitive advantage. However, in today's fast moving landscape it is very easy to erode value through rigid or elongated timescales for service provisioning.

The pace of change is clearly illustrated by the transformed data centre market. Back in 2005/2006, many large corporate CIOs were scrambling to purchase their own data centres as space and power became scarce. Fast forward to today and many of those same organisations are sitting with surplus capacity.

In the space of a few years, driven by the revolution in virtualisation and cloud computing, it would now seem a bad strategy to build and manage your own facility.

The question to ask is how organisations can collaborate to source their compute requirements jointly for mutual benefit. For back office processing there have been “carve outs”, collaborations or joint ventures, such as in the investment management and insurance markets. Leading on from this, there is no reason why peer organisations couldn’t combine to create an SPV/JV for their underlying infrastructure requirements. This has the potential to bring many benefits, including:

  • Increased market leverage for commodity service pricing
  • Reduced fixed overheads and move from Capex to Opex
  • Improved standards and policies in areas such as security and risk management (through collective influence)
  • Increased agility and time to market
  • Enhanced technology innovation
  • Improved focus on core business competencies

There are many others (and no doubt many counter arguments, which we are happy to receive…)

So what stops organisations proceeding? Well, most of all we are talking about a cultural shift which, if driven by the technology organisation itself (the CIO), is unlikely to get much traction. This level of change is not something that can be technology driven. This needs to be a top down, business led discussion.

It also doesn’t apply only to technology. Many years ago (I think late 90s) I attended a conference where the speaker talked about measuring real company value and how organisations would over time “jettison” those operations that didn’t contribute to the customer proposition. What is left in the final end game? In the extreme example it is simply those creating the Strategy and Brand alone, with everything else sourced from the market. When you think about it, it does make sense.

Every year previously we have produced our predictions for the coming 12 months. We don’t see this happening in that timeframe, but at least opening up the discussion should be on the CEO's “to-do” list in 2014…

How should banks target technology innovation?

Posted on : 02-09-2013 | By : john.vincent | In : Finance

We have written a lot about the pressures on financial service companies and how they are responding differently in order to adapt to these challenges (such as are the banks Too Big to Succeed?, how to manage Technical Debt and are they Missing an Opportunity with Bank Accounts). What we see is one common theme emerging – the need for banks, wherever they are, to continue to innovate in order to protect existing markets, build share in emerging ones and service their clients in a new more agile way.

“Innovation” and “Agility” are words too often scattered liberally in corporate life through mission statements and strategic objectives…a strap line or comfort blanket for C-Level communities. Box ticked.

However, do we really consider the practicality of applying these in today’s environment? Do we modify and target based on situation? Important questions. Let’s consider further.

If we look at the mature financial markets there are a number of external pressures which influence and inform our ability to drive technology innovation. Here we see Risk and Regulation forming a large part of the technology discretionary spend, up to 60% some estimate. This naturally has a big impact on the investment portfolio and how much can be targeted for projects in the innovation category. Indeed, the impact is often disproportionate as resources in the compliance area, such as contractors and consultants, are often sourced from the premium end of the market, thus further eroding what remains. This is something that needs to be addressed, quickly.

Another factor affecting the mature markets is the continued pressure on costs and internal resource burden. Even if funding for nurturing innovation exists, the staff that understand the business AND underpinning technology often cannot be freed up from the day to day fight for survival (an example of where this is being addressed is at Aviva with the creation of their “Digital Unit”).

Contrast this with the start-up communities located close to the key financial hubs…here funding exists to focus solely on the new future technology innovations, such as mobile payments, big data analytics and data science.

In response to this, the larger banks are engaging with the start-up community to drive new technology, such as through the Fintech Innovation Lab – a 12 week programme running through to March 2014. Shaygan Kheradpir, CTO at Barclays, said “The increasing role of technology in financial services is accelerating the pace and breadth of innovation and driving the kind of cutting-edge services which our customers and clients demand.”

By engaging in this way banks are more likely to have an agile approach to innovation to combat both their market challenges and not insignificant legacy infrastructure (indeed, only recently Barclays lost their key mobile guru behind PingIt to real-time mobile payments start-up, Zapp).

Switching to emerging markets, a different approach to technology innovation needs to be considered. Here growth is a priority…in South Africa 67% of the population do not have bank accounts. This represents a huge opportunity to both on-board customers and drive innovative solutions in a different way. Indeed, Standard Bank has implemented a system with local stores acting as “access agents” to provide South African clients access to bank accounts for deposits, withdrawals and money transfers. They are currently opening accounts at a rate of 5000 every day.

Again in Africa, it is predicted that countries such as Nigeria, Kenya and Tanzania will be at the forefront of mobile banking and payments. In fact, whilst they have been underdeveloped from a banking infrastructure and telecommunications perspective, this is expected to be a benefit as competition enters the continent and drives mobile platform innovation without the burden of legacy investments.

It is interesting to watch how technology innovation differs from market to market and country to country. Awareness of this, targeting the innovation portfolio and truly understanding agility are key.