VOLUME 8 | ISSUE 5 | September - October 2014
Still running Windows XP? Are you saying yes to cyber attacks?
INSIDE VitAL Report The attack of the CyberVors
Contents

NEWS
Google Glass controlled by brainwaves
New domain names spark wave of online threats
Only a third of finance officers claim to work closely with the CIO
New Kitemark for secure digital transactions

VitAL REPORT
The attack of the CyberVors

NEWS FEATURE
Are UK businesses truly ready for a new data world?

IT SERVICE MANAGEMENT
The changing role of ITIL in an outsourced service business
Outsourced IT services organisations have, on the whole, enthusiastically embraced ITIL because of its benefits for the organisation itself and its customers. Prasad Natu reports...

CLOUD COMPUTING
What will drive cloud computing uptake amongst SMEs in the future?
Joseph Blass looks at what will drive cloud computing for SMEs in the future...

COVER STORY
Are you part of the 74%?
With 74% of UK IT decision makers still having systems running on Windows XP, and only 29% of that group having plans to put a new OS in place, according to a recent survey, Christopher Strand explains how to keep your systems secure...

www.vitalmagazine.co.uk | September-October 2014
VITAL SECURITY
For your eyes only: Corporate espionage using social channels
A document, listing a wide variety of GCHQ’s cyber-spy tools and techniques used to find private photos on social networking sites, was recently leaked online. Dr Wieland Alge explains why a LinkedIn or Facebook invitation might not be as friendly as it seems...

Botnets: A public health approach
David Dagon and Brian Foster offer insight on how GameoverZeus and Cryptolocker provided something of a blueprint for managing mass cyber infections...

VITAL PROCESSES
Personal service in the “Age of Interruption”
Rupert Adair discusses why there is still a need for personal service in the “age of interruption”, a term that still resonates with many senior executives working in a world dominated by the constant stream of emails, instant messaging and mobile phone calls...

VitAL MANAGEMENT
The sign of a true partner
Michelle Ayres looks at the importance of choosing a technical solutions partner that has strong vendor relationships...

Managing new IT services, the ITIL and you
Steve Gardner explains why organisations shouldn’t try to introduce all change processes simultaneously, but rather systematically adopt new services one at a time. In addition, Steve looks at key steps to adopting cloud and mobile technologies...

BREAKTHROUGH TECHNOLOGY
From a smile to a frown, TV technology that understands emotions
Sophie-Marie Odum investigates a new facial coding technology, called CrowdEmotion, which is being trialled by the BBC to analyse emotional responses to its TV shows...
Leader
EDITOR Sophie-Marie Odum sophie.odum@31media.co.uk Tel: +44 (0)203 056 4599
ADVERTISING Advertising Executive Sarah Walsh sarah.walsh@31media.co.uk Tel: +44 (0)203 668 6945
DESIGN & PRODUCTION Tina Harris tina.harris@31media.co.uk
EDITORIAL & ADVERTISING ENQUIRIES 31 Media Ltd, 41-42 Daisy Business Park, 19-35 Sylvan Grove, London, SE15 1PD Tel: +44 (0) 870 863 6930 Email: info@31media.co.uk Web: www.vitalmagazine.co.uk
© 2014, 31 Media Limited. All rights reserved. VitAL Magazine is edited, designed, and published by 31 Media Limited. No part of VitAL Magazine may be reproduced, transmitted, stored electronically, distributed, or copied, in whole or part without the prior written consent of the publisher. A reprint service is available. Opinions expressed in this journal do not necessarily reflect those of the editor or VitAL Magazine or its publisher, 31 Media Limited.
ISSN 1755-6465
PUBLISHED BY: THIRTYONE
VitAL Magazine, proud to be the UKCMG’s Official publication. ITIL ® is a Registered Trademark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the US Patent and Trade Mark Office. PRINCE2 ® is the Registered Trade Mark of the Office of Government Commerce. MSP ® is the Registered Trade Mark of the Office of Government Commerce.
Does the public sector risk missing second Windows XP deadline?
Hello, and welcome to the September 2014 issue of VitAL Magazine.
It’s been five months since support for Windows XP ended, but as we report in this issue, 74% of UK IT decision makers still have systems running on Windows XP. Furthermore, new data from 1E suggests that many public sector organisations will fail to migrate away from Windows XP before the end of the first year of Microsoft Extended Support in April 2015, with serious cost implications.
Earlier this year, it was reported that UK public sector bodies failed to meet the original April 2014 deadline for XP migration. Several chose to extend their support contract with Microsoft rather than expose potentially sensitive public data to the risk of exploitation.
According to the 1E research, Windows migration within the public sector takes seven months on average to complete, compared to five months or less in the private sector. This means public sector organisations such as NHS Trusts now only have a matter of weeks to start their migration to meet the April 2015 deadline.
Sumir Karayi, CEO of 1E, said, “At this stage, any public sector organisation that has not set the ball rolling must consider their plans as a matter of urgency and make sure they have the right timescales to act. Many are already paying handsomely for the first year of Extended Support and cannot afford to miss a second deadline.”
The survey of IT decision makers shows that fewer public sector organisations have completed a Windows migration than in any other sector: 56% compared to 61% in financial services and 65% in other commercial sectors. The public sector is also the only sector where any IT decision makers registered they simply “don’t have a migration plan” at all.
It looks like it could be a busy seven months for some organisations! I hope you enjoy this issue!
Sophie-Marie Odum Editor
News
Google Glass controlled by brainwaves
Google Glass has been hacked so that it can be controlled by brainwaves. According to reports, by combining the smart glasses with an electroencephalography (EEG) headset, the software makes it possible to take a picture without moving a muscle. London-based start-up This Place said the tech could be utilised in high-pressure, hands-free situations, such as during surgery. Google has made it clear that it does not support the app, which uses MindRDR software. A spokeswoman told the BBC, “Google Glass cannot read your mind.
“This particular application seems to work through a separate piece of kit which you attach to Glass.
“We have not reviewed, nor approved, the app so it won’t be available in the Glass app store.”
At present, Google Glass is controlled by either voice command, “OK Glass, take a picture”, or by tapping and swiping on the side of the device. But with an EEG headset, within Google Glass’s “screen” - a small window that appears in the corner of the wearer’s right eye - a white horizontal line is shown. As a user concentrates, the white line rises up the screen. Once it reaches the top, a picture is taken using Glass’s inbuilt camera. The headset can be used to measure when certain parts of the brain show a greater level of activity. In this case, the MindRDR software monitors when the wearer engages in high levels of concentration.

Recession has been good for IT sector
A fifth of the UK’s IT and technology professionals feel that change brought on by the economic downturn has had a positive impact on the sector, according to Randstad Technologies, the specialist recruiter. The survey of 2,000 UK staff examining attitudes to change in the workplace revealed that tech staff are some of the most positive in the UK when it comes to the impact of the recession. Only 16% of the wider UK workforce believes change brought on by the economic downturn has had a positive impact compared to 19% of those working in IT.
Mike Beresford, managing director of Randstad Technologies, said, “The recession forced many companies to look at where costs could be saved, processes could be streamlined and teams could be managed more effectively.
“Trimming the fat may have meant increased workloads and targets for those left behind. But these changes have helped staff get used to working within a leaner environment, giving them better experience and a more honed skill set than they might have developed had more staff been around to share the workload. In short, professionals say they have gained more fulfilling careers. Indeed, previous research of ours shows that 47% of professionals say a heavier workload over the course of the recession has benefited their career in some way.
“Now the UK is in recovery mode, businesses are reaping the benefits of those changes.”
The most significant changes being felt within the IT and technology industry over the last six years have been to do with workload and team sizes. Over a third (34%) of IT staff feel that changes to their targets and workload have had the greatest impact over the recession. This is closely followed by the impact of having to work within smaller teams as a result of changes to hiring policy (32%).
However, nearly three fifths of tech professionals (57%) feel that change in the industry could have been implemented more successfully. This is much higher than the wider UK workforce, 48% of whom said change could have been implemented more effectively in their own industry.

Uptake in ITSM software in German market
There has been a 33% increase in the adoption of IT Service Management (ITSM) software in the German market in 2014, with more than 80% of leading German organisations now operating with an ITSM solution in the last three years, according to IDC research, sponsored by Axios Systems. The research highlights the extent of the new challenge for German IT managers / professionals. More than 50% of them state their basic goal for the next 24 months is to improve service delivery whilst 45% of IT decision makers require that cost savings are made in the same period.
Gerald Haberecker, Head of Sales for the DACH area at Axios Systems, said, “Mobility requires a flexible access to the ITSM tool. Through the use of smartphones and tablet PCs, communication and work processes can be handled quickly and efficiently, regardless of location.”
This information was gathered at an Axios Systems briefing forum in Dusseldorf, which saw leading IT professionals focus on how IT managers can meet the challenge of improving service quality whilst simultaneously reducing costs.
New domain names spark wave of online threats
NetNames recently released research from its Internet 2020 report identifying new online risks for internet users and brands. When asked how they expect the launch of thousands of new web address endings, such as .london, .shop and .sport, to change the Internet in the next five years, 40% of consumers believe it will make it a more dangerous place – over double the amount who feel that it will be safer (17%).
These concerns were mirrored by businesses, with 92% of companies surveyed recognising risks with the introduction of new generic Top Level Domains (gTLDs). Almost nine in 10 (87%) of business respondents are worried about keeping their brands and trademarks protected with the introduction of the new gTLDs. The top risk identified by companies was cybersquatters (36%), who will effectively be offered new opportunities for domain-name hijacking, traffic diversion, counterfeiting and other forms of brand abuse.
The research also revealed that over a quarter (29%) of businesses are concerned about exposing their customers to fraud. Companies face serious consequences if they do not protect their customers in this new online environment, with almost eight in 10 (78%) of Internet users stating they would shun a brand if they found themselves on a bogus website purporting to be that brand.
Gary McIlraith, CEO at NetNames, explains the risks facing brands and users in the Internet of the future, “Our research shows that people expect the Internet of 2020 to be quicker and easier to navigate, but they also think it will be a more dangerous place. The launch of thousands of new domain endings is about to reshape the online landscape, effectively opening up another front for cybercriminals to carry out fraudulent activity against businesses and their customers.
“The onus is on brands to ensure that they are protecting their customers from falling into the hands of online fraudsters. Before the Internet evolves further, brands must develop an effective online strategy that protects both their intellectual property and online customers. Only then, will they be able to take advantage of the opportunities that the new gTLDs offer to strengthen customer relationships and grow revenues.”
Internet banking used 7 billion times in just one year
Customers of Britain’s high street banks used Internet banking nearly 7 billion times in 2013, according to industry statistics compiled by the BBA. The figures, published in the BBA’s 2013 Abstract of Banking Statistics, provide further evidence of the seismic change in the way millions of customers manage their finances. In all, there were 6.9 billion customer instructions using personal computers during 2013 – up from 5 billion in 2009. This number includes:
• 316 million bill payments
• 293 million inter account transfers
• 152.6 million direct debit or standing order creations or amendments
• 1.1 billion account queries
• 10.5 million stop payment instructions – an eight-fold increase on the previous year.
Richard Woolhouse, the BBA’s Chief Economist, said, “These figures provide more evidence of the ongoing revolution in the way millions of us spend, move and manage our money.
“There are clear productivity gains for our economy from Internet banking. Many of us are spending less time queuing in branches and can avoid unnecessary fees by keeping a sharper eye on our balances. This is helping customers and providing wider economic benefits.”
The computing ensures firms of all sizes can remain commercially competitive
Investment in IT and adoption of innovative cloud services is critical to staying competitive with new entrants to the market and increasing commercialisation, according to Richard Roebuck, managing director of specialist legal IT provider Accesspoint. A recent report compiled by legal IT specialists Accesspoint and secure cloud service provider Databarracks discusses how firms have begun to adopt business practices more typically seen in limited companies. The report points to the arrival of the Alternative Business Structures (ABS) as the key driver of this change.
“As we’ve seen with the banking sector, deregulation has brought innovation, new methods of service delivery and tapped into markets previously not considered. There is no reason why this wouldn’t also be the case with the commercialisation of the legal sector,” said Roebuck. “In order to stay competitive in the era of ‘Tesco Law’, as major high street and consumer brands enter the legal market, firms will need to adapt to survive.”
Cloud services will play a central role in this transitional period. Roebuck added, “Everyone now has access to the same platforms, software systems and online services, regardless of their size or budget. Firms that adopt cloud services will not be at a disadvantage technology-wise against the huge businesses entering the market.
“In fact, it will be the smaller firms that are more process-light that will be best able to squeeze the most functionality from their chosen IT systems, because they can architect an environment and culture rooted in solid best practice. Law firms are experiencing radical change. For a start, they’re no longer in the legal ‘profession’; they’re in the legal ‘industry’. The adoption of business led practices is an important step to developing more commercially driven relationships with the IT services that firms use.”
Only a third of finance officers claim to work closely with the CIO
96% of C-level and senior decision maker finance officers in the UK agreed that the CIO is capable of driving business growth and enterprise availability, including developing mobile and flexible working (68%), new idea generation (70%) and go-to-market capabilities (70%), according to research, highlighting the importance of closer collaboration between senior finance and IT functions for driving business growth and availability.
However, the research, sponsored by Sungard Availability Services, also revealed that only a third (32%) of finance officers said that they work very closely with the CIO to deliver business growth and availability. 25% stated that they don’t really engage with the department, and only 29% of respondents said that their organisation breeds a culture where interdepartmental collaboration is openly encouraged.
Keith Tilley, EVP EMEA & APAC at Sungard Availability Services, said, “Following Gartner’s prediction that by 2020 all businesses will be technology businesses, the IT department is increasingly the keystone in driving revenue growth. Therefore, it is alarming to see that only a third of finance officers are taking the opportunity to work more closely with the CIO and their team. The most successful CFOs and FDs will be the ones who recognise the potential value of investing in the IT department and the business benefit of encouraging closer collaboration.”

One in nine UK homes to be “smart” by end of 2014
One in nine (11%) UK households will have at least one smart system by the end of this year, rising to over one in four (27%) households in five years, according to global forecasting firm, Strategy Analytics. The number of UK households with some form of smart home system – automated entertainment, energy, appliance, security or healthcare systems typically controlled remotely through internet technology – will increase 43% on last year to 3.1 million in 2014, spending a total of £715 million. This is forecast to double to £1.4bn across 7.7 million UK households in five years (2019).
Bill Ablondi, Strategy Analytics’ director, Smart Home Strategies advisory service and author of the forecast, said, “Whilst telecom brands are leading the drive in Europe, energy companies are dominating the early take-up of smart homes in Britain. British Gas relaunched its smart home thrust in late 2013 under the Hive brand and now has almost 100,000 subscribers. In addition, Google subsidiary Nest struck a deal to offer its stylish thermostat through nPower while E.ON is actively preparing its launch after a trial in Milton Keynes.
“Take-up will be boosted by ‘cool’ companies such as Apple and Samsung becoming players, alongside a steady stream of elegant single-purpose devices from various companies including Belkin, Dropcam, Piper and Tado, enabling it to be increasingly easy and affordable for people to set up smart home devices.”
Entitled 2014 Smart Home Systems and Services Forecast, the study – conducted across the US, China, France, Germany, Italy, Spain and the UK – shows the UK will be well ahead of the global average (5% of households) in smart home adoption this year but considerably behind the US (17%). Worldwide revenues in 2014 will hit £29.3 billion, with the US accounting for around 37% (£10.9 billion).
UK smart homes will spend an average £234 each on the technology, less than half that of their US equivalents (£517).
Role of IT is changing
New statistics have revealed that the role of IT is moving beyond infrastructure administration to become a driver of enterprise services. More than 93% of respondents to a recent survey conducted by KPMG and ServiceNow said the role of IT is changing and nine in 10 respondents agree that many business processes commonly transacted through email could be better run by service automation.
The survey found that IT teams are beginning to deliver automated enterprise-wide services offered through consumerised “self-service” portals that span IT, human resources, facilities and other departments. These services manage business processes, enact changes, address problems or procure information. In addition, nearly 75% of the survey respondents said at least half of their company’s business processes still rely on email instead of service automation.
The survey showed near unanimous agreement (98%) that IT can leverage the familiar service model they work in to help improve the quality and efficiency of other internal service providers such as HR and facilities through automating their service delivery process. More than half (56%) of survey respondents said that HR was the best department outside of IT to start with in the implementation of service management. Facilities (23%) and purchasing (13%) came in second and third respectively as candidates for services management.
Rick Wright, global cloud enablement leader, KPMG LLP, said, “IT teams have an unprecedented opportunity to provide strategic value to the organisation by creating and managing the systems that deliver enterprise-wide services. The advantage is that many IT departments already have implemented a systematic approach to delivering enterprise services with a proven IT service model.”
The report revealed that 56% of respondents planned to implement enterprise service management within 12 months.
“Even though we live our personal lives in a self-service economy, where consumer services are automated and service experience is easy and efficient, many organisations still rely on email to request and receive business services,” added Beth White, chief marketing officer, ServiceNow. “IT professionals see a clear opportunity to deliver greater efficiencies to their organisations by replacing antiquated email-based request process with service automation.”
New Kitemark for secure digital transactions
The BSI Kitemark for Secure Digital Transactions has been launched. It has been developed to help consumers confidently and easily identify websites or apps they can trust with their financial and/or personal details. As the digital transmission of confidential financial and personal information increases, so too does the need for the appropriate security to be in place. However, a recent BSI survey showed 30% of people do not trust apps as a secure way to manage their money, and 42% have concerns about the security of their personal data when shopping online. The BSI Kitemark for Secure Digital Transactions has been developed to help address these concerns.
The first products to be independently assessed against the scheme are Barclays Mobile Banking and Barclays Pingit, the mobile payment service. Although initially piloted in the banking industry, the BSI Kitemark for Secure Digital Transactions is available to all organisations who want to demonstrate they take customer data protection seriously.
The BSI Kitemark requires a website or app to undergo rigorous and independent testing to make sure it has the security controls in place for the financial and/or personal information it is handling. The assessment involves organisations achieving and maintaining certification to the international Information Security Management System Standard (ISO 27001) for the parts of the business that handle confidential data, as well as undergoing rigorous internal and external penetration tests which scan for vulnerabilities and security flaws.
In addition to an organisation’s typical regime of tests and audits, to earn the BSI Kitemark the website or app will be subject to further independent and regular monitoring and assessment, including penetration tests and Kitemark audits. Importantly, if security levels are not maintained the BSI Kitemark will be revoked until any flaws are rectified.
Maureen Sumner Smith, UK managing director at BSI, said, “More and more of us are now sharing confidential information through online shopping, mobile banking, booking flights, gaming, university applications or interacting with local government. These behavioural changes from the physical to the digital demand the need for even more rigorous security measures.
“Many organisations have good information security processes already established, but by having their systems independently tested on a regular basis as part of the BSI Kitemark process, they can clearly demonstrate to customers their commitment to safeguarding information.”
ICT spending amongst Brazilian enterprises is witnessing an upward trend
According to Kable’s survey of 120 enterprises in Brazil, 76% of respondents plan to increase their ICT spending in 2014 compared to 56% in 2013, providing opportunities for ICT vendors targeting the Brazilian enterprise market. With regards to core technologies, hardware, software, and IT services will attract the major proportion (64%) of ICT budgets in 2014. Furthermore, the proportional spending on hardware and software is set to grow to reach 25% and 22% of the average ICT budget respectively.
In terms of future investment priorities, the largest proportion of respondents is planning to invest in green IT and virtualisation solutions to adhere to global carbon footprint regulations and improve operational efficiency. Meanwhile, other advanced technologies such as mobility and cloud computing are also gaining increased traction, as 88% of enterprises are planning to spend on these solutions through to the end of 2015.
The survey reveals that with a penetration rate of 77%, business intelligence is also an important area of investment for Brazilian enterprises. Furthermore, 93% of enterprises are planning to invest in various BI tools in the coming two years to improve their decision-making capabilities and gain a competitive advantage.
Piyush Sharma, a Kable Analyst, said, “Brazilian enterprises are making concerted efforts to adopt various cloud computing solutions as they look to reduce their infrastructure and software license costs and achieve scalability.”
Of the various cloud computing solutions, SaaS and private cloud are receiving significant attention, as at least 67% of enterprises are planning to spend on these domains in the next two years. The survey shows that many Brazilian enterprises are keen to outsource their service support and help desk function to third-party providers in order to focus on their core business functions.

Growth in managed services driven by new market entrants
The managed services and hosting industry is seeing an unprecedented level of change, with consolidation and birth of new businesses running at a very high level, even for the normally fast moving world of IT. New research by IT Europa shows that 2014 has seen many new brands fighting for a place in the market, as existing firms up their game and traditional IT firms look at new delivery models.
Recent research by Gartner supports this view: “The market opportunity arising from broad technology changes is creating a digital business opportunity that is forcing a restructuring in strategy, talent, portfolio and organisation within services providers,” said Susan Tan, research vice president at Gartner.
The impact of these technology changes coupled with increasing demand for Managed Services is revolutionising the IT industry, its channels and supply models, as new players emerge to lead the market. As Gartner says, service providers must also come to terms with the fact that “in a digital world, their existing delivery models will not effectively address new demands”.
“We have reported on many changes as vendors adapt to this,” says John Garratt, editor of MSP Europa. While major hosting companies such as Google and Amazon continue to cut their prices, and those in the second tier complain of “intense cloud infrastructure price competition,” others are looking at where they can carve off a slice of something sustainable. “We have seen many new software companies entering with tools to manage and integrate applications, and new mobile security announcements almost daily.”
VitAL Report
The attack of the CyberVors VitAL Magazine reports on news that a gang recently hacked 1.2 billion usernames and passwords… dubbed CyberVor, has hacked 1.2 billion usernames A andgroup,passwords belonging to more than 500 million email
addresses, according to Hold Security.
Hold Security described the hack as the “largest data breach known to date”. It claimed the stolen information came from more than 420,000 websites, including “many leaders in virtually all industries across the world”. “They didn’t just target large companies; instead, they targeted every site that their victims visited,” Hold Security said in its report. “With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.” Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack. The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market. These databases were then said to be used to attack email providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. The hackers also got access to data from botnets - a network of computers infected with malware to trigger online fraud. Hold Security said the botnets helped the hacking group identify more than 400,000 websites that were vulnerable to cyber attacks. Lawyer and partner, James Mullock at International law firm, Osborne Clarke, commented, “Business with a digital presence will be waiting with baited breath to learn whether their users are affected by this reported attack. It’s a nasty reminder of the cyber risk threat, which organisations face in 2014 and the need for boards to be prepared for attacks such as this. “An interesting feature of the attack having been uncovered
by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations. There is currently little legislative guidance regulating how that process should operate and it appears ripe for review.”
Simon Eappariello, SVP EMIEA, iboss network security, added, “The ‘Attack of the CyberVors’ can be likened to something out of a science fiction film. The scale is unprecedented, equivalent to the size of the EU population in email traffic being hacked.
“The era of companies being held to ransom by a cyber cartel needs to end. Add to this we need to change how we protect networks and confidential data at the very core. The shift in security of our most trusted brands and websites needs to happen on a large scale if we are going to see a shift in the protection of the Internet.
“If the onus is continually on consumers to change their credentials, we will create fatigued Internet users who no longer heed security advice. The key now is in forensic remediation. Under new EU regulation, companies have 72 hours to notify their customers. But how can they fix what they don’t know is broken? Once the fog clears a shake up of accountability must come centre stage. Not pay-as-you-go hacker prevention.”
News Feature
Are UK businesses truly ready for a new data world?
John Culkin, director of information management, Crown Records Management, outlines the biggest challenges facing UK businesses in a new data world, and suggests best practice solutions for companies aiming to stay ahead of the game…
The “right to be forgotten” is a hot topic as both Google and Microsoft rush to remove outdated personal data from Internet searches in response to a European Court of Justice ruling. But are UK businesses truly ready for what lies ahead in a new data world?
The ruling is just the thin end of the wedge in terms of data reform, as citizens begin to demand more control over their personal information. High-level discussions on the new EU General Data Protection Regulation are set to begin again in September and the legislation is predicted to be approved in 2015 and in place by 2017.
The expression “right to be forgotten” may not necessarily be included in the final draft – it is likely to be re-phrased as a “right to erasure”. But, nevertheless, the impact on any business that handles the data of European citizens could be considerable when the Regulation, replacing the current UK Data Protection Act 1988, is adopted.
On a positive note, it will provide a Europe-wide regulation for data controllers and processors, and a one-stop shop to deal with a single Data Protection Authority in each country. There will be new European Data Seals to aid compliance. But there are also hurdles to clear.
Clearing the hurdles
In future, data held will need to be accessible, searchable and editable – a major challenge for some, especially for sectors such as banking, retail and the public sector which store huge amounts of data. It is worth pointing out, too, that the Regulation does not only apply to data stored digitally but also to data held on paper – a completely different challenge.
Additionally, there will be greater rights for customers to ask for their data in a portable format. And the gathering of data in the first place will require explicit consent from a data subject. This could require some major changes to systems.
Below are five key areas in which businesses can prepare early for all eventualities by adopting basic principles of data collection, storage and destruction. These are steps which will not only place companies and organisations in good stead when the new EU Data Protection Regulation finally becomes enshrined in law, but will also have a positive impact on operational health.
Prepare for all eventualities
1. Spring-clean your data and understand its value
Start with an audit to distinguish how much data currently stored actually needs to be kept. Is it “records” or in fact junk or data noise? Destroying unnecessary information can help create a clearer picture for the future, especially data that needs to be searchable and editable. For data that needs to be kept, make sure you know where it is stored; who uses it; how to access it; and how to protect it. The key to good data practice is in understanding its value in the first place; so treat data like an asset. You wouldn’t leave an asset in the street for other people to pick up – and it is no different in a digital environment.
2. Know who is responsible and assign ownership
With fines for non-compliance set at up to 5% of global annual turnover, it is vitally important that someone in the business takes ownership and responsibility for staying up-to-date with new regulations. Make it clear which role in your business has responsibility for each type of data – whether it is the IT manager, CIO, records manager or an outsourced company.
3. Develop processes now to deal with data breaches
It will soon become compulsory for all companies in the EU to have a system in place for dealing with data breaches, including processes for notifying anyone affected by a breach. So why wait? Clear and well-practised procedures should be put in place now – not least to identify who is responsible for reporting.
4. Understand whose data it is
In future, companies will require explicit consent from people to gather their personal data; so get those processes in place early. Any company that stores personal data should consider what the legitimate grounds for its retention are, and how it will communicate this to customers as we move inevitably from implicit consent to explicit consent.
5. Design-in privacy: change your culture
Start to create a company culture where privacy is considered in every process and at every level of the business. Designing-in privacy – and making staff aware of its importance – is the key to good data practice as data protection evolves.
The age of data is changing fast
The bottom line is the age of data is changing fast, for better or for worse and whether we like it or not. So regardless of what ministers in Europe decide over the coming months – and however the final EU Data Protection Regulation takes shape – the digital Stone Age is on the way out.
For those who view it as an operational nightmare, the challenges are multiple. But for those who grasp the nettle and see it as an opportunity to truly value data as an information asset, the positives are equally clear. It could yet prove to be a brave new data world.
IT Service Management
The changing role of ITIL in an outsourced service business
Outsourced IT services organisations have, on the whole, enthusiastically embraced ITIL because of its benefits for the organisation itself and its customers. Prasad Natu, Senior Vice President and Head of Infrastructure Services at ITC Infotech reports…
In theory, ITIL should be all about aligning IT services with the needs of the business. When your business is IT services, it is helping an organisation align the outsourced service with the customer’s needs and requirements. In this environment, ITIL ceases to be an ideal to work towards and becomes a crucial part of the service, delivering value and ensuring a minimum level of competency.
The importance of ITIL
ITIL can almost be seen as the foundation of a managed services business; it has a great role to play. It is highly important within any IT services organisation for the structuring of services, and for creating predictability in how services are provided to customers and in service delivery itself.
All the processes at the heart of service provision that ITIL helps to define and delineate are designed to ensure best practice. ITIL offers a standard by which customers can feel secure that their supplier has attained a minimum competence. But, in addition to this, ITIL offers the framework for service organisations to structure their services and the processes around the customer.
On a day-to-day basis, when you adopt an ITIL framework, it provides a structure where the talents of service desk staff are deployed in the most efficient way. When a ticket comes in to Level 1 support it is acted on or passed to higher levels, according to the ITIL incident management process with clearly defined actions that are very specific to individual applications and business sectors. When an issue is resolved, reports are created and passed back to the user and responded to with the information being fed back into the process. By having these standard processes within the organisation it minimises human errors that may creep into the service management process.
Experienced staff are at the heart of the service desk, and it is vital that all staff within the service organisation should be trained and certified in the ITIL framework as part of their induction process when they are recruited. Obviously, those with more technical and skilled roles, like the process champions who actually define the processes, need to have more advanced training and certification than those working at Level 1, but all should be familiar with the basic aims of ITIL best practice.
Business benefits
Embarking on an ITIL journey is never an easy option; however, the benefits to the service organisation quickly add up. Because all the service processes are well defined in an ITIL organisation, the service offered can be predictable and fit-for-purpose. With an ITIL defined framework and a customer-focussed service catalogue, it is easier to predict workflows and volumes and target resources appropriately, as well as having a more accurate idea of the expected revenues from the services.
Staff attrition is always a problem in service organisations and you need to ensure you always have people available to cover for any staff shortages, but these people need to be able to operate seamlessly in the ITIL framework to ensure a smooth transition. Service delivery using ITIL
best practice enables seamless resource churn without any impact on the service level agreement (SLA) commitments or the quality of service. A high degree of ITIL awareness across the service delivery organisation is therefore of significant importance in assuring service excellence to the customers.
Another big benefit of ITIL adoption comes into play when clients require a dedicated team in the service organisation. They might need this arrangement to address security or compliance requirements. With a standard framework deployed, whether it is a dedicated team or a shared services team, the process framework is repeatable and easy to transfer throughout the organisation.
In a competitive market costs need to be reduced to make your service offering competitive, so the customer gets great service at an attractive price. What ITIL gives you is a framework that can be used by any organisation irrespective of the type of business it is. The same service offering can be rolled out to multiple customers in a range of different sectors with predictable financial rewards for the service operator.
The customer also ultimately benefits from an ITIL-informed approach. If there is a defined service framework and the vendor is certified and delivering services based on ITIL, it is that much easier for the customer to choose their service providers and get value for money.
The developing role of ITIL
Service organisations that want to thrive in future would be well advised to maintain their ITIL status however they see their service catalogue developing. Whatever level of automation they choose to deploy, ITIL will help maintain a structured service framework while the assurances and guarantees it offers will remain every bit as crucial as in the past.
With increasing levels of automation in the service desk, using the ITIL framework will ensure that all the right processes are deployed to underpin the automation and make further implementations integrate more easily. Any organisation that seeks to be a serious contender in the managed services sphere really has to work under the auspices of ITIL; it really is no longer just an option.
Teamwork and collaboration
Matthew Neigh, at Cherwell Software, discusses the difference between teamwork and collaboration, and why businesses should take note…
Companies of all sizes are looking at how they can support their staff working together more efficiently. Gartner estimates that the enterprise social and collaboration market grew by 15.7% in 2014. However, this influx of new collaboration technology does not replace one of the fundamental questions that ITSM teams have to think about: what is the difference between collaboration and teamwork, and how does this affect quality of service?
I’ll illustrate the difference by providing you with an example of when I recently flew back to the UK from America, and there was a crying baby on board. Before the flight took off, the airline provided a great example of teamwork in action. Teamwork involves each person knowing their own specific objectives that contribute to the end result. In this case, each process is documented and delivered as part of getting the flight turn-around completed. There is also the opportunity to measure performance against any pre-agreed service levels put together by the person in charge.
Teamwork is essential to delivering the right result here: the flight came in, and the ground crew unloaded baggage promptly, while refueling was carried out as well. Food for the next set of passengers was loaded on, while the stewarding crew was changed over. This was a great example of teamwork. 30 minutes later, the baby started crying. While the parents attended to the child’s needs, there was a lot of muttering and opinion being shared too. It’s here that you can see the difference between collaboration and teamwork. Collaboration is not defined before the event; it involves bringing together subject experts and service team members to solve a specific problem as it comes up. Compare this to how the passengers on the plane, as well as some of the cabin crew, would have felt about the baby on board. It’s true that there was a single goal in mind for everyone – how to stop the baby from crying – but how to get there was not pre-determined. Similarly, each and every person would have their own opinion on what was wrong, with varying degrees of accuracy. For the parents involved, this is not an ideal
situation – on top of the discomfort that their infant was feeling, they also had to deal with all manner of advice and guidance that may or may not have been useful.
“Collaboration has become a very different approach”
Managing this, and getting to the right result, is one of the most important skills to bear in mind around collaboration. In the wider business world, collaboration is used to bring those with the right skills together around a problem that has to be solved; while someone might be in charge of the overall response, they have to go through a process of gathering input too. This expertise may be part of the final action taken, but it is not possible to forecast each and every requirement and put it into a more formal teamwork structure; that’s why collaboration has become a very different approach, and why companies are discussing and focusing more on this.
For teams that have developed their processes and optimised how they deliver support out to their community of end-users, collaboration may seem like a free-for-all that doesn’t offer additional benefit for the organisation. However, it can provide benefits in terms of responsiveness to service requests, whether these are from internal or external customers.
Teamwork also may not take into account some of the fundamental changes that are taking place around the end user. As more options for support and service come up, from social and chat technologies through to video support calls like the “Mayday” button on Kindle tablets, the structure that service desks have put in place can start to get stretched beyond its traditional roots and management approach.
Similarly, the sheer range of devices that are coming into businesses today makes the job of support potentially more challenging too. While people are becoming more technically proficient, the fact that company data and applications will now potentially be available on tablets and smartphones alongside traditional PCs and laptops leads to more complicated support scenarios and requests coming through.
University IT teams
A further example of this change is visible in the education sector. University IT teams are dealing with a sea change in how support services are consumed by the student populations. According to research by the Service Desk Institute with the University and Colleges Information Systems Association (UCISA), 57% of universities now support Twitter as a way for students to contact the service desk with requests, while 14% also support instant chat functionality.
Students want more access to services in ways that suit them – particularly where they collaborate with the service desk team, rather than request support via an email or phone call and join the back of the queue. This represents a move from the more structured approach that service desks might have had in the past to more collaboration with the person requesting support.
At the same time, students’ perception of the service desk has changed. Service desk managers at 50% of universities listed managing user expectations as a big challenge for them going forward; at the same time, 76% of those surveyed stated that improving what they already had was a top service desk priority for this academic year.
Part of this is the change in attitude students now have about the university they attend; the size of the fees involved to attend university means that students expect much more in general, from the quality of the teaching through to support services like IT. However, it’s also due to the continued growth of confidence that people have around computers too, and the changes in preference for how these individuals choose to contact the service desk.
Why should service managers in other industries care about this? In time, this will affect the experience in delivering support out to users more generally. Ultimately, the experience of service will be more collaborative in approach than it would have been in previous years. As the new generations enter the workforce, they will bring with them their own ideas around IT and how they will be productive. In turn, this will put a different kind of pressure on the service desk.
How will a quality service be achieved?
What does this mean for service desk teams? Well, quality of service is the end goal for all teams to maintain. However, the mix of collaboration and teamwork is going to affect how that is achieved.
Looking forward, service teams will have to adapt their teamwork strategies in order to track how incidents are managed whether they come in via traditional channels or via social media or collaborative methods. Ultimately, the aim has to be how service desks can collaborate with their customers, and use teamwork to provide better service in total. Linking these two concepts together and understanding the difference can help meet this goal.
Cloud Computing
What will drive cloud computing uptake amongst SMEs in the future?
Joseph Blass, CEO, WorkPlaceLive, looks at what will drive cloud computing for SMEs in the future…
At the Cloud World Forum event back in June in London, I took part in a Microsoft debate that looked at which new services will drive the future and uptake of cloud computing, and why cloud computing is particularly suited to small- and medium-sized enterprises. One of the key points discussed was the fact that cloud has always been considered the future of enterprise IT, but how will it benefit small businesses?
What will drive cloud?
We identified the following drivers for the future of cloud:
Technology should enhance a business and not disrupt it. Business people understand their business and they need technology that adapts to their requirements and not the reverse. Business owners do not want to adapt their business to technology, which might require training the entire staff and potentially not turn out to be what the company needs. If they are happy with their familiar Microsoft desktop look and feel – why change it? A cloud-based Hosted Desktop solution can deliver the best of both worlds. It allows business users to access their desktop and all their business applications seamlessly through the cloud, so they can enjoy a familiar user experience in the cloud.
The second point raised was that companies need tailor-made cloud solutions. Every business is different with its own unique requirements, and therefore the IT solution needs to be bespoke. We discussed that, in the future, cloud adoption will involve technology that is completely aligned with individual business requirements.
Another key driver for cloud computing adoption is the flexibility it offers. To be competitive, SMEs need to be able to easily upscale or downscale their IT requirements when required. The IT solution must be cost-effective and give them access to their desktop from any location with Internet access. The ability to add or remove users in line with growth or peaks in demand for services is vital. If a business employs temporary workers or wants its employees to work remotely they need to be able to do this easily and seamlessly. Similarly, accessing systems from anywhere will be vital, as employees not only use files and emails, but databases and applications.
We also discussed the fact that the cloud computing industry commonly uses too much jargon and complex terminology. Cloud computing is often referred to using acronyms such as SaaS, PaaS, IaaS and MBaaS. These terms can be misunderstood by business people and even cause them to “switch off”. The hidden word that repeats itself within all these acronyms is “service” and the one thing that will drive cloud adoption isn’t the infrastructure or the platform, but the service.
Hosted Desktops
One cloud solution that ticks all these boxes is Hosted Desktops. A Hosted Desktop is cost-effective, hassle-free and environmentally-friendly. It provides business users with the freedom to work from any location, using any device and access their Microsoft desktop together with all their business applications.
The key benefit is that a Hosted Desktop solution maintains the customer’s experience, whilst removing the IT administrative burden. The solution is completely bespoke and unique for every customer, and offers flexibility so the business can scale up and down as needed. It is usually provided with services such as the latest software, regular data backups performed by the provider and a help desk service.
Any business thinking about migrating to a hosted desktop or infrastructure-as-a-service model needs to have a clear understanding of how their company data will be stored, managed and protected – and must ensure they do their research thoroughly into the provider they intend to use. It is now a legal requirement for companies to know where their data is being hosted. Last year, the Information Commissioner’s Office stated that companies are responsible for where their data are held, even when using third party vendors. Companies should look for reputable providers and seek references from other customers and look for security accreditations such as ISO 9001, ISO 27001.
Virtualisation
The evolution of virtualisation – is containerisation taking over?
Alex Moore, director of technology and engineering, NTT Europe discusses the flexibility and efficiency that virtualisation brings to enterprises…
Although it’s certainly not new, there continues to be significant hype in the market about the increased potential of virtualisation as the technology continues to develop. IDC forecasted that by 2014, 70% of all servers would be virtualised and it’s not hard to see why there is such demand. You get the ability to scale up or down; guaranteed computational resources; security isolation; and API access for provisioning it all, without any of the overhead of managing physical servers.
The evolution of virtualisation - OVF
However, broader changes are taking place in the virtualisation ecosystem that enable and reinforce the evolution of the technology. For example, the popular Open Virtualisation Format (OVF) has helped businesses transition between hypervisor technologies and become the de facto standard among responsible vendors. Last year saw the release and update to version 2.0, with the specification moving beyond its original virtualised machine (VM) focused remit and adding support for surrounding strategic elements. This includes aspects like network configurations, workload placement policies and more.
In effect, creating virtual environments with a keener strategic focus is easier than ever before. For example, automating the management of files and data ensures that no two VMs are providing the same function on the same underlying physical hardware. By making it easier to define more complex operating environments, pre-configured templates can be quickly deployed with minimum intervention. This improves delivery times, reduces reliance on human input and minimises cost, making virtualisation very attractive to many businesses.
Containerisation
Recently, however, the concept of containerisation has come back onto the agenda with many debating that it’s the future of virtualisation. Containers have been in use for years, but have been re-popularised by the Docker open source project. Docker is an initiative to create lightweight, portable, self-sufficient containers for applications.
Ultimately, containers are a lightweight form of virtualisation, allowing a single operating system (OS) (often a VM these days, although bare metal is also a possibility) to be split into multiple logical sub-containers. Compared to a virtual machine, the overhead of a container is extremely low. They start so fast that many configurations can launch on-demand as requests come in, resulting in zero idle memory and CPU overhead.
Frameworks like Docker are allowing developers to re-examine the meaning of the operating system in relation to the application. For example, a developer can break down a complex application into a number of easy to manage components, define in simple configuration the entire operating environment that each component requires and then connect them together to create complex operating environments – which can then be instantiated at the click of a button, all with embedded change tracking and management.
Because containers can operate within a single OS, they are much more efficient. Because of this and the rich framework for configuration management and control, they are re-emerging as a strong contender to underpin the future of the cloud infrastructure industry in place of VM architecture.
Virtualisation promises to increase efficiency, flexibility and lower costs by decoupling the link between hardware and software, and these have become drivers for the evolution of the technology in recent years. Platforms like Docker are evolving that decoupling, allowing OS configuration and provisioning for applications to be further decoupled, continuing that march of efficiency and flexibility. Whether it is continuing to use the traditional VMs or what Docker poses for the industry, it is certainly exciting times ahead.
Cover Story
Are you part of the 74%?
Although it’s been five months since support for Windows XP stopped, 74% of UK IT decision makers still have systems running on Windows XP, and only 29% of that group have plans to put a new OS in place, according to a recent survey. If you’re in this 74%, Christopher Strand, Bit9 + Carbon Black’s senior director of compliance explains how to keep your systems secure…
Despite multiple warnings, a very real danger lurks in the shadows for many UK businesses. A new study sponsored by security firm, Bit9 + Carbon Black, has found that 74% of UK organisations are still relying on the Windows XP operating system, even though support for the OS reached an end back in April 2014. Make no mistake, these organisations are highly susceptible to cyber attacks and should look to upgrade to a current operating system as soon as possible.
How will this affect businesses?
The consequences of ignoring the Windows XP end of life deadline could be severe:
1. Breach and data compromise: Malware authors can access customers’ credit card / financial data or patient information.
2. Financial penalties: An organisation can be fined for failure to pass compliance audits or for being in a noncompliant state.
3. Loss of privileges: A company can lose the right to process transactions with major credit cards, as well as access to business-critical data needed to conduct business.
4. Damage to corporate brand: An organisation’s public image can suffer if an organisation is breached or fails to operate in a compliant state. This is often the most devastating consequence and can be difficult to remediate.
Following the end of life deadline, organisations that have not upgraded are exposed to a host of possible exploits that could take advantage of the many vulnerabilities associated with the XP machines. 74% is a staggering number considering how vulnerable XP systems are. Failing to upgrade could mean these organisations lose critical infrastructure and essential data.
Migrating to a new operating system
As posted on Microsoft’s website: “There will be no more security updates or technical support for the Windows XP operating system. It is very important that customers and partners migrate to a modern operating system such as Windows 8.1. Customers moving to a modern operating system will benefit from dramatically enhanced security, broad device choice for a mobile workforce, higher user productivity, and a lower total cost of ownership through improved management capabilities.”
Based on that information, and after numerous warnings from Microsoft, the impetus to move to a supported operating system is critical, and thankfully, the study noted, the majority of
24
www.vitalmagazine.co.uk | September-October 2014
Cover Story respondents were trying, but success wasn’t guaranteed. Only 29% of organisations planned to migrate their infrastructure away from XP in the near term. Just over a third (37%) of respondents to the study said they would be able to secure only some of their systems, leaving themselves at least partly vulnerable, while a quarter said that they would apply “compensatory controls”. Also, there are many organisations out there running legacy applications that simply cannot make the upgrade to newer operating systems as their software simply won’t run. For these organisations, the risk of a data breach is very real.
Lack of budget
This delay in upgrading from Windows XP is partly due to budget, the study noted. Almost one in three respondents said that their organisations would not spend any money on upgrading from XP, while more than one in four said that they had no budget to attempt to make their XP systems secure. The funding to secure or upgrade systems that underpin many companies’ IT functionality simply isn’t being allocated, the study noted.
Compliance regulations
Another factor that many companies often fail to take into consideration is that without a full set of patches available for their systems, they could potentially fail to meet their compliance regulations. Many compliance guidelines require that systems be patched with the latest security and OS patches by a specific date. Failure to have patches up-to-date by that deadline would constitute a failure of that particular regulation. This could put companies at risk even further, in that they may face fines and penalties due to the failure of regulatory policy.
According to the study, one in five respondents was running Windows XP on back-office servers, and another 14% on point-of-sale systems. And one in 10 industrial systems apparently now runs on this unsupported OS, too, putting industrial control processes in danger. In an industry fraught with identity theft and cyber crime, it’s essential that companies protect their customers’ credit card data and personal information. This can only be achieved by putting in place a positive security model that will monitor and control all servers, endpoints and critical data.
Protecting against exploits
Here are two specific measures that organisations can take to protect against exploits on their XP systems:
• Reduce the attack surface on machines that can no longer be updated. Steps such as uninstalling features and applications that are no longer required and stopping services that are no longer needed are good ways to gain control of XP systems. However, these steps can sometimes get in the way of necessary business processes, as the critical business functions of the XP machines often depend on these core features and services.
• Replace vulnerable applications whenever possible on XP systems that you must keep in service. Again, as with reducing the attack surface by disabling and removing applications, there is often no choice but to rely on the native or XP application to carry out business functions. Microsoft Internet Explorer versions 6-11 provide a good example of this, in that many XP applications are forced to rely on the potentially vulnerable versions of Internet Explorer and cannot remove the application without disrupting business.
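The first measure and its caveat can be worked through as a dependency check. The sketch below is an added example, not code from the article or from any product it alludes to: given a service inventory, it keeps the services the business function needs (directly or through dependency chains) and lists the rest as candidates to stop. The inventory, the dependency lists and the service name PosTerminalSvc are constructed for illustration.

```python
"""Plan which services on a legacy machine can be stopped without
breaking the business function that keeps the machine in service."""
from collections import deque

# Constructed inventory: service -> (current state, services it depends on).
# Names resemble common XP services; dependency lists are illustrative only.
INVENTORY = {
    "RpcSs": ("RUNNING", []),
    "LanmanWorkstation": ("RUNNING", []),
    "LanmanServer": ("RUNNING", []),
    "Spooler": ("RUNNING", ["RpcSs"]),
    "Browser": ("RUNNING", ["LanmanWorkstation", "LanmanServer"]),
    "Messenger": ("RUNNING", ["LanmanWorkstation", "RpcSs"]),
    "RemoteRegistry": ("RUNNING", ["RpcSs"]),
    "TlntSvr": ("STOPPED", ["RpcSs"]),
    # Hypothetical line-of-business service: the reason the machine exists.
    "PosTerminalSvc": ("RUNNING", ["Spooler", "LanmanWorkstation"]),
}
REQUIRED = {"PosTerminalSvc"}


def required_closure(inventory, required):
    """Return {service: reason} for everything the business function needs,
    following dependency chains so nothing it relies on is switched off."""
    keep = {}
    queue = deque()
    for name in sorted(required):
        if name not in inventory:
            raise KeyError(f"required service not in inventory: {name}")
        keep[name] = "required by business function"
        queue.append(name)
    while queue:
        current = queue.popleft()
        for dep in inventory[current][1]:
            if dep not in inventory:
                raise KeyError(f"{current} depends on unknown service {dep}")
            if dep not in keep:
                keep[dep] = f"dependency of {current}"
                queue.append(dep)
    return keep


def reduction_plan(inventory, required):
    """Split the inventory into services to keep, running services that are
    candidates to stop and disable, and stopped services to disable."""
    keep = required_closure(inventory, required)
    stop_candidates, disable_only = [], []
    for name in sorted(inventory):
        if name in keep:
            continue
        if inventory[name][0] == "RUNNING":
            stop_candidates.append(name)
        else:
            disable_only.append(name)
    return {
        "keep": keep,
        "stop_candidates": stop_candidates,
        "disable_only": disable_only,
    }


if __name__ == "__main__":
    plan = reduction_plan(INVENTORY, REQUIRED)
    for name, reason in sorted(plan["keep"].items()):
        print(f"KEEP     {name:<18} ({reason})")
    for name in plan["stop_candidates"]:
        print(f"STOP     {name}")
    for name in plan["disable_only"]:
        print(f"DISABLE  {name} (already stopped)")
```

Each stop candidate still needs sign-off from the application owner before it is disabled, since an inventory only records declared dependencies.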
Positive security model
With positive security, your organisation is killing two birds with one stone: lowering the cost of compliance and security and getting 100% coverage. Your company stays secure by putting a trust policy in place that controls all your servers and endpoints and identifies the critical events that are important to your business. In this way, you can detect and stop malware and immediately respond to alerts and incidents.
Compliance is addressed with a positive security model because once in place, you know at any given time what’s running on every in-scope system across your organisation. You can determine, on a real-time basis, if you have any vulnerabilities and whether any in-scope systems have fallen out-of-scope. In this way, you maintain complete control and stay focused only on the activities that are important to your business.
Addressing security and compliance
If your organisation has applications that won’t run on a newer version of Windows, does not have the budget to upgrade, or chooses not to pay for out-of-band support, your XP machines can still be protected, with an additional compensating security control provided in place of the regular patching and updates that are no longer available from Microsoft. Systems can be hardened to only the known good functions on that endpoint, thereby extending the security window. An alternate layer of control (compensating control) can also be provided to ensure that your business remains compliant.
About the study
The cyber security study, conducted by Vanson Bourne, covered 250 UK IT decision-makers, working in organisations of at least 250 employees, across an array of industries. Other interesting findings included:
• Nearly two-thirds (64%) of UK IT decision-makers said they expect their organisation to be the target of a cyber attack within the next 12 months.
• Nearly one in three (32%) of those surveyed confirm their business was hit by a cyber attack during the past year.
• Almost half of the organisations surveyed (49%) said they did not even know if they had been compromised.
VitAL Security
For your eyes only: Corporate espionage using social channels
A document, listing a wide variety of GCHQ’s cyber-spy tools and techniques used to find private photos on social networking sites, was recently leaked online. Dr Wieland Alge, VP & General Manager Europe, Middle East and Africa, Barracuda, explains why a LinkedIn or Facebook invitation might not be as friendly as it seems…
Recent revelations concerning the techniques used by the spy agency, GCHQ, to “protect” the UK, highlight some of the shadier methods it deploys for online surveillance or to manipulate and distort online discussion. Many of the techniques deployed by GCHQ bear a disturbing resemblance to those used by cyber criminals for their own commercial gain and in corporate espionage.
For example, GCHQ’s catalogue lists all manner of tools for mainly nefarious purposes, such as “mass delivery of email messaging to support an Information Operations campaign”; “mass delivery of SMS messages to support an Information Operations campaign”; “find private photographs of targets on Facebook”; “a tool that will permanently disable a target’s account on their computer”; and “the ability to spoof any email address and send email under that identity”.
Perhaps it should come as no surprise that GCHQ is emulating techniques that have proved so successful for cyber criminals, but that doesn’t make it any less disturbing. Nevertheless, from a commercial point-of-view, there’s no escaping the fact that these different types of cyber criminal attacks have proved very effective.
Phishing
Today, serious and organised cyber crime is a far cry from a lone hacker sending out anonymous malware from their bedroom. Phishing, for instance, has flourished in recent years. Cyber criminals are using the increasingly sophisticated method of phishing to target businesses, resulting in tarnished reputations and loss of sales.
The number one priority for any business suffering from a phishing attack should be to protect its customers and to never lose its identity. But that’s not as easy as it sounds. The availability of personal information via social media has made it a lot easier for cyber criminals to make phishing messages sound convincing. At the same time, businesses of all sizes are failing to educate their users to be vigilant at all times, especially in their personal online activities.
One service that makes a virtue of interleaving the social and business is LinkedIn. Sadly, it’s also one of the most effective platforms for launching phishing attacks: one of the most successful methods of hitting a company with a targeted attack is to disguise it as a simple LinkedIn email. A recent study reported that click-through rates for malicious attacks disguised as LinkedIn invitations were four times as high as for other social networking sites.
That’s understandable when you consider the nature of the platform itself. LinkedIn users naturally assume that emails or invitations to connect delivered through the site are work-related or businesslike. That assumption extends to the platform itself. This probably explains why a survey conducted by Barracuda found that LinkedIn has the lowest number of users who feel unsafe compared to other social media sites. It also accounts for the fact LinkedIn is the social site that employers are least likely to block or limit access to.
Privacy controls
People tend to trust information received from LinkedIn more than other social media platforms, which accounts for the much higher click-through rates compared to Facebook friend requests or Google+ circle invitations. But users should be aware that their LinkedIn settings don’t block unwanted spam. Several default settings on users’ privacy controls are set to receive LinkedIn marketing emails. Most users never even look at these settings but it’s important for them to take a minute and check their profile, privacy and email settings to make sure they are not sharing data with third parties or publicly displaying too much information.
As for LinkedIn invitation-to-connect emails, the best advice for anyone who receives what they believe might be a bogus invitation is to avoid clicking any links included in the email. Anyone receiving an email claiming to come from LinkedIn, even if they know the person supposedly sending the invitation, should visit the LinkedIn site directly to confirm the request rather than clicking on the link.
The other point worth making about LinkedIn compared to other social networks is that an individual’s connection to a former work colleague is likely to be weaker, less distinct and less-informed than it might be with a friend. As a consequence, it is much easier for cyber criminals to trick victims into connecting to a false “old colleague” than it would be with an old friend. When you combine the natural vagueness of information and recollection that people have around former work colleagues and a platform that they consider the most trustworthy and professional, the potential for malicious attacks is significantly increased.
Businesses may well be aware of their potential vulnerabilities to attacks via the more personal social networking sites but they need to ensure they are not lulled into a false sense of security just because a particular social networking site appears less personal and more professional.
True two-factor authentication
Toyin Adelakun, a VP at Sestus, demystifies the confusion over true two-factor authentication…
Recently the news of security breaches has brought into focus the topic of user authentication for online services. Effective, lasting solutions are sought, and two-factor authentication (2FA) is bubbling to the top of the panacea heap. Inevitably, some misconceptions have been aired along the way. The essential take-away is that 2FA systems use two independent forms of identification to authenticate users. Most 2FA systems use the “authentication factors” of knowledge (based on what the user knows) and possession (based on what the user has). Most importantly, evidence of at least one of each form must be captured for an authentication system to be classed as “two-factor”.
The proliferation of applications on the Internet is being matched by a proliferation of data that is of interest and value. Most of those have a legitimate interest in the data, some do not – but that does not stop them from making increasingly sophisticated attempts to get at the data.
The majority of Internet resources use username-and-password pairs to authenticate users. For this reason, most attempts to hack the systems and access data start with attacks on the authentication schemes in place.
The issue
There’s a whole spectrum of threats that can exploit all manner of vulnerabilities in the handling of passwords. Starting at the opportunistic end, passwords can (still) be found – for instance on Post-It notes or indeed by “shoulder-surfing”. Secondly, attackers can use “social engineering” methods to trick users into divulging passwords. Thirdly, attackers can guess – most often by employing “dictionary attacks” and other password-cracking methods, typically on a large scale. Finally, attackers can get hold of passwords by hacking into inadequately-protected databases, sniffing end-user traffic at public Wi-Fi stations, or using Trojan-horse malware on end-user devices.
The recent billion-password heist would seem to be a sophisticated blending of multiple manual and automated methods. First, it seems, the CyberVor attackers bought a list of compromised email addresses, which then constituted the seed target for the heist. They then sent malware to the compromised computers, as well as other computers whose users’ email addresses appeared in the address books of the compromised computers and accounts. Whenever users of all these compromised computers went on the web, the malware sprang into action, testing the visited sites for vulnerabilities in password management. Upon finding exploitable vulnerabilities, the malware sent to its Russian mothership details of the site. This happened on a large scale, tracking many users across over 420,000 sites over several months. The attackers subsequently used mixed methods to harvest the password databases from the sites. With such a methodical modus operandi, it is almost surprising that only 1.2 billion username-password pairs were extracted.
Even if not all the claims about the CyberVor attack are taken at face value, this is at the very least a wake-up call for organisations and they need to act quickly and effectively. What is evident is that sole reliance upon the humble password for authentication is no longer sustainable.
The implications
Identity is still a comparatively primitive notion on computer systems; we simply demand pieces of information as “evidence” of the identity of a given party. A single such piece of evidence – a password – proved sufficient for decades. But as online resources have become more plentiful and valuable, it has become necessary to protect them from simultaneously growing risks by demanding more than one piece of identification. Multi-factor authentication is one of the conceptual solutions developed in response to this need. A factor in this context is an independent aspect that can be used to validate a person’s identity. The most commonly used factors are knowledge, possession, and inherence (“something only the user is”).
The need
Properly implemented, 2FA systems hold great promise for preventing compromise of systems. 2FA embodies the defend-in-depth security principle at both the micro level – in that the two factors present more than one hurdle for an attacker – and at the macro level – in that 2FA can be used in conjunction with, say, encryption or other defensive measures. The key is that the factors are independent of one another; they have no objective correlation, derivation, implication or redundancy relations with one another.
To implement the knowledge factor, 2FA systems require the user to present, for instance, a username, password, PIN, or other shared secret. To implement the possession factor, they require the user to present something she has, for instance a smartcard, key-fob, or other token. To implement the inherence factor, 2FA systems require the user to present something inherent to her, such as her voice, fingerprint, or eye for a retinal scan, or another physiological item. This is the independence requirement as it defines 2FA systems.
Insight
The most common misconception usually concerns knowledge; some online administrators and service providers believe that demanding two email addresses amounts to 2FA – however, it does not. Similarly, asking for a password and then a PIN doesn’t amount to 2FA – because the two pieces of information both represent knowledge factors. These examples do amount to what is commonly called “strong authentication” – as distinguished from 2FA by the likes of the United States’ FFIEC and FDIC. Unfortunately, the European Central Bank insists on referring to 2FA as “strong customer authentication”, refusing last year to amend its terminology. This has the potential to fuel further confusion. In the operational risk context, dual controls are common but dual controls differ from 2FA, as they ask for two things of the same type; for example two signatures of two individuals.
However, there is good news; the best 2FA is seamless and almost invisible. And yes, it exists – we carry it about in our wallets and handbags: the humble bankcard. When you present yourself to the ATM and demand cash, you identify yourself by presenting something you have, the card, and something you know, the PIN. The mobile phone presents yet another example of 2FA in action. In attempting to gain access to the mobile phone carrier’s network, you present not just the handset and SIM within it, but also a PIN (“something that you know”).
Worse and ironic, though, is the fact that we then use our devices to access services that themselves are not protected with 2FA. That inverts the security principle of defend-in-depth, so it has to be hoped that the recent scandals focus the minds of executives and administrators to the point where true 2FA systems become the norm. In fact the issue goes beyond authentication.
The next aspect of access control is authorisation, which addresses users’ rights and privileges within the system. In real-world terms, just because you can prove you’re you doesn’t mean you can make a phone call (you are out of credit) or withdraw money (you are out of cash). It is vital to get authorisation right, because it underpins not just what kosher users are able to do, but also what hackers are able to do once they breach password or other defences. Properly implemented, 2FA systems hold great promise for preventing compromise of online systems. However, it is essential that multiple factors are indeed used for authentication, before handing users onto the authorisation systems that enforce policy and grant or deny access to valuable resources.
Botnets: A public health approach
David Dagon, co-founder of Damballa, and Brian Foster, CTO at Damballa, which provided intelligence and resources, as part of the global operation aimed at disrupting GameoverZeus and Cryptolocker, offer insight on how this operation has provided something of a blueprint for managing mass cyber infections…
If you’re reading an article on a machine at work, there’s a one in five chance that your machine is talking to a criminal.
That is, it’s part of a botnet. Furthermore, if you work in a big(ish) company, your infected machine, and its peers, will on average be uploading around 10GB of data to the Internet every day, equating to around 150,000 suspicious events popping up on the network every day. That’s 10GB of potential exfiltration that IT can’t even begin to process.
By any measure, that’s a huge threat to business. Small wonder, then, that government is taking the problem increasingly seriously.
June of this year saw the indictment of Evgeniy Bogachev, aka “slavik”, and “lucky1245”. A Volvo driving erstwhile computer repair man, he was, to neighbours in the down-at-heel Black Sea resort of Anapa, quite normal. Yet, he had, since 2011, been under investigation as a botmaster. Apart from the particular dangers presented by his GameOverZeus botnet, what made him different to the indicted botmasters before him was the approach to taking him down. It wasn’t “government” that was after him – it was governments. What had changed?
Worldwide approach
Classically, botnets are taken down by a technique known as “sinkholing”. A sinkhole works by diverting communications meant for a criminal command and control server to a benign server. Your PC, if it’s infected, must get instructions from a criminally-controlled server before it can execute malicious behavior. Botmasters register domains the same way legitimate organisations do – they use Domain Name System (DNS) registrars. Sinkhole operators can work with DNS registrars to seize control of domains intended for criminal use. Once you’ve seized those domains, infected computers that connect to them will no longer be connecting to criminals for orders, but to you, the good guys.
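Sinkholing also gives a network defender something to look for: an internal machine whose lookups resolve to a sinkhole, or repeatedly fail because the domain is blocked, is a candidate for cleanup. The sketch below is an added example, not code from the article or from the takedown operation; the log format, the sinkhole range (documentation addresses), the domain names and the failure threshold are constructed assumptions.

```python
"""Find internal hosts whose DNS lookups show signs of a sinkholed botnet."""
import ipaddress
from collections import defaultdict

# Constructed placeholder: an RFC 5737 documentation range stands in for the
# sinkhole addresses that an advisory or threat feed would supply.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# Top-level domains the article lists for the malware's generated domains.
DGA_TLDS = (".com", ".net", ".biz", ".info", ".co.uk", ".ru")
# Assumed threshold: distinct failed names per client before it is flagged.
NXDOMAIN_THRESHOLD = 3

# Constructed resolver log: time, client, query, response code, answer.
SAMPLE_LOG = """\
2014-06-03T09:14:02Z client=10.0.4.17 query=constructed-a1b2c3.ru rcode=NOERROR answer=192.0.2.10
2014-06-03T09:14:09Z client=10.0.4.17 query=constructed-d4e5f6.co.uk rcode=NOERROR answer=192.0.2.10
2014-06-03T09:15:30Z client=10.0.4.23 query=constructed-g7h8.biz rcode=NXDOMAIN answer=-
2014-06-03T09:15:31Z client=10.0.4.23 query=constructed-i9j0.info rcode=NXDOMAIN answer=-
2014-06-03T09:15:33Z client=10.0.4.23 query=constructed-k1l2.net rcode=NXDOMAIN answer=-
2014-06-03T09:16:00Z client=10.0.4.30 query=www.example.com rcode=NOERROR answer=198.51.100.7
2014-06-03T09:16:40Z client=10.0.4.30 query=typo-constructed.com rcode=NXDOMAIN answer=-
malformed line without fields
"""


def parse_line(line):
    """Turn one log line into a dict, or None if required fields are missing."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"client", "query", "rcode"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    fields["query"] = fields["query"].lower().rstrip(".")
    return fields


def is_sinkholed(answer):
    """True if the answer is an IP address inside a known sinkhole range."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return any(addr in net for net in SINKHOLE_NETS)


def find_suspect_hosts(log_text):
    """Return {client: details} for clients that resolved a name to a sinkhole
    or failed on many distinct names under the listed top-level domains."""
    sinkhole_hits = defaultdict(set)
    failed_names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        client, name = rec["client"], rec["query"]
        if rec["rcode"] == "NOERROR" and is_sinkholed(rec.get("answer", "")):
            sinkhole_hits[client].add(name)
        elif rec["rcode"] == "NXDOMAIN" and name.endswith(DGA_TLDS):
            failed_names[client].add(name)

    report = {}
    for client in sorted(set(sinkhole_hits) | set(failed_names)):
        reasons = []
        if sinkhole_hits[client]:
            reasons.append("sinkhole")
        if len(failed_names[client]) >= NXDOMAIN_THRESHOLD:
            reasons.append("nxdomain-burst")
        if reasons:
            report[client] = {
                "reasons": reasons,
                "sinkholed_names": sorted(sinkhole_hits[client]),
                "failed_lookups": len(failed_names[client]),
            }
    return report


if __name__ == "__main__":
    for host, details in find_suspect_hosts(SAMPLE_LOG).items():
        print(host, details)
```

A sinkhole match is the stronger signal; the failed-lookup count is a heuristic and will need tuning against normal traffic before it drives any cleanup.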
Historically, individual governments and companies have done that. Acting individually they’ve achieved great results. But the trouble with individual caped crusaders is that sometimes they tread on each other’s capes, taking down each others’ sinkholes and intelligence gathering “honeypots”. More importantly, they might only take down part of the botnet in, say, one domain.
On 2nd June 2014, the US Department of Justice announced a global takedown of GameOver Zeus and CryptoLocker. The DoJ had partnered overseas agencies, including the National Crime Agency in the UK and counterparts across Europe and the world. Operation Tovar, a global collaborative takedown, is one of the largest sinkholing operations to date, targeting each top-level domain. This was not, of course, before hundreds of thousands of users were infected and defrauded of hundreds of millions worldwide. Nevertheless, the announcement, mirrored by agencies across the world, gave victims two weeks to clean their infected computers, the time in which it was estimated that the Botmasters would resurface.
Public health
Think of it a little like public health. Rather than prescribing a course of medicine to individual patients, Operation Tovar is a worldwide attempt both to interrupt transmission and provide a window to inoculate and remediate currently infected machines. Like epidemic control, this requires broad global cooperation beyond law enforcement, from domain registrars, security vendors, sinkhole operators and, most importantly, victims – who must largely opt-in.
It’s more than a metaphor, however. Just as with public health, education has been important in achieving opt-in to cyber immunisation. Infected users were asked to remedy infected systems immediately. In the UK, Cyber StreetWise, CERT advisories to industry and the Get Safe Online initiative were available and publicised. Efforts in the US included alerts and a list of resources curated by US-CERT. As with epidemiology, so with cyber public health: user awareness of mass infections is short lived. In this case, cyber malaria nets were provided and publicised from day zero.
Meanwhile, public hygiene is being enforced. Infected devices are, so far, isolated from botmasters, and peer-to-peer components vectors have been addressed. Registries are either blocking or sinkholing the domain-generation algorithm (DGA) elements of these infections in response to a letter by ICANN supporting the policy-based blocking of malicious domain registries. The malware uses seven top-level domains: .com, .net, .biz, .info, .co.uk and .ru. All but the last two are blocked, while domains under .co.uk and .ru now point to sinkholes.
The evolution of cyber public health requires coordinated defences across our community. But just as importantly, these efforts must continue to improve and evolve as our understanding of cyber threats grows.
Prospects for success
Isolation has been largely effective. Ultimately, the success of eradication efforts comes down to the ability of law enforcement to go further, making arrests, isolating the brains behind the malware and eradicating it in the wild. Is this eradication of the reservoirs possible, however? Probably not. Consequently, Cryptolocker and Gameover Zeus remediation is being approached as a mass infection that must be managed over time. Code Red and Conficker are, years later, still endemic, showing that eradicating every last viral installation is virtually impossible. The size and impact of some infections may require perpetual blocking and sinkholing. Botnets must be managed as mass infections, with cleanup as an opt-in experience.
The good news is that it’s working. Surveillance of domain generation reveals no “comeback”, in the strict sense, of the targeted malware. Such activity as there is derives from distinct variants of the original malware. Furthermore, brains are being taken out of circulation, with a slew of indictments and arrests over the past couple of years. In January 2014, for example, Aleksandr Panin, a Russian, was extradited from the Dominican Republic before pleading guilty to a US court in relation to “Kartoha” malware.
However for Bogachev, no arrest is in sight. So long as he remains in Russia, extradition is impossible. The FBI arrest warrant holds out the hope that, as the owner of an apparently modest yacht, he may somehow, some day find himself extradited from a less friendly Black Sea port.
In the meantime, to use the language of epidemiology, elimination is realistic, rather than eradication. The best hope seems to lie with a public health based approach to malware infections. With herd immunity still elusive, with both brains and reservoirs of infection still at large, the prudent organisation is one that endeavours to inoculate itself against the unexpected.
References available on request
Security in the age of the tablet device
Jason Goode, managing director EMEA, Ping Identity, explains how IT managers can overcome the headache of managing multiple devices in the age of flexible working and BYOD…
Whether we like it or not, tablet devices are set to conquer the PC. Gartner predicts that by the end of 2014, laptops are highly likely to outsell PCs altogether. With more mobile devices such as laptops, smartphones and iPads at our disposal, it should come as no surprise that our working environments are adapting to change. The four walls of the office simply no longer exist, with more and more employees taking advantage of new flexible working laws, safe in the knowledge that they have the devices and data needed to carry out their work.
But what does this mean for IT managers and system administrators? How can they effectively monitor what applications their employees may be accessing (without breaching privacy), and protect company data in the event of device loss? It’s all about securing user access and ensuring that the right applications are in place to provide security-conscious IT departments with the ability to centrally manage all applications.
Securing data “on the move”
Historically, mobile device management (MDM) was the industry’s first attempt at addressing the Bring Your Own Device (BYOD) phenomenon and more generally the use of mobile devices in the workplace. As the name suggests, IT’s control with MDM is at the device level. This has implications for the ability of the employee to use it for non-business related applications and thus affects his or her level of privacy. In addition, this approach is not able to secure data “on the move”.
Businesses also need to be mindful of emerging mobile devices such as wearable technology. Smart watches and Google Glass, for example, will present challenges for IT departments striving to fully secure data on the move. How can complete visibility possibly be achieved if an employee can download corporate data on their smartphone, laptop and smart watch?
A win-win application architecture for any mobile or tablet device is built around the identity of the employee. An employee’s device will have a split personality where it will obey the commands of the IT department when it is used for business purposes, while taking orders from the employee during periods of down time. With this in mind, traditional passwords just won’t cut it because only when we clearly define the identities of the users can we set policies that govern their corporate personas and give them the freedom to enjoy their leisure time.
Furthermore, applications that authenticate users to all of their applications through federated or basic Single Sign On (SSO) give IT managers visibility and control over activities that occur beyond the walls of the office. It’s a matter of delivering security and convenience, keeping both IT managers and the workforce content.
A matter of identity
Deploying BYOD or MDM policies that are too restrictive will put many organisations on the back foot. Instead, managing user identity should be the driving force behind securing employee tablet devices in a flexible way.
To fully secure user identity, basic password management just won’t cut it. Passwords alone should not be used as the sole method of authentication because employees may forget these regularly; share them with others; or leave them written on a “post-it” note around the office. Secure two-factor SSO is needed to eliminate this risk. Using a simple swipe on a mobile app now means users can benefit from a strong authentication solution to legacy and cloud applications.
Robust identity management should ensure that the person using the device has the permission to access or do what it’s requesting. Recognising the entity – whether that’s a device or an employee – will be crucial to avoid problems when determining who has access to certain files, for example, and to avoid any security breaches or data loss.
VitAL Processes
Personal service in the “Age of Interruption”
Rupert Adair, product director of Enghouse Interactive, discusses why there is still a need for personal service in the “age of interruption”, a term that still resonates with many senior executives working in a world dominated by the constant stream of emails, instant messaging and mobile phone calls…
It was American author and columnist, Thomas Friedman, who first popularised the phrase, “The Age of Interruption”. It’s a term that still resonates with many senior executives working in a world dominated by digital technology, where doing battle with a continuous stream of emails, instant messages and mobile phone calls has become a daily fact of life.
Indeed, many people today are working in a state of “continuous partial attention,” a condition identified by former Microsoft executive, Linda Stone, as being triggered by an effort not to miss anything and characterised by always-on, anywhere, anytime, anyplace behaviour that involves an artificial sense of constant crisis.
Most office workers today would recognise the symptoms of working in a world where people expect to get hold of you almost 24/7, where workers increasingly sleep next to their smartphones and have instant message on their desktop, pinging messages to them constantly. As a result, many of us are becoming “skimmers”, keeping lots of plates spinning, but not doing any jobs really well.
A human touch
When it comes to customer interaction, what’s been lost is a sense of personal service – a human touch. And this is important. After all, even today, certain customers, executives or senior members of staff need some of that VIP treatment. Many such business people continue to want personal service backed by a focused line of communication that routes them to a person that understands their needs and can answer their queries quickly and efficiently. Such individuals are typically highly valued customers and it is therefore critical that the business cultivates them in a bid to keep them loyal. But how can this be done? Interactions can be triaged, routed and prioritised through an automated mechanism, of course, but for these types of customers this is unlikely to be the right way to go. The existence and indeed critical importance of this kind of customer is one good reason why the role of the attendant console operator has not gone away.
Why technology still matters
This human interaction is key, but it also needs to be supported by the right technological applications. Operator console technology is critical here in helping to provide the optimum caller experience, enabling the customer to have a rich conversation with the person on the other end of the line. Using the latest systems, the office receptionist can draw on real-time presence and calendar information to pinpoint the back office contact best placed to help engage with the caller and answer their queries. Screenpopping caller information can be used to ensure a more personalised service. For larger organisations that may have people spread across the globe in different geographies, business units and departments, the ability to create a global directory and view of who is available and best placed to assist the customer is key. When coupled with quality and performance monitoring tools, comprehensive real-time reporting and coaching can be brought into play to ensure a consistent high quality operator performance and caller experience. Ultimately, this is all a way for the business to enrich that singular form of communication, today typically voice-based but likely, in the future, to also encompass video, and to provide their distracted customer base with a service that is memorable and compels them to keep coming back to the organisation to repeat the rewarding experience they have had. The approach typically generates several other measurable business benefits. Time to answer is reduced as customers are routed to someone who can provide them with the assistance they need with the help of applications like caller prioritisation and skills-based routing and through associated techniques like centralisation, which allows calls to be dealt with efficiently while delivering economies of scale.
For many businesses today, and for at least some of the customers they engage with, the ideal will always be a VIP concierge experience where the customer comes through to a receptionist who knows who they are, understands the problem and routes them through to somebody they either already know or who has the necessary awareness and expertise to deal with their problem there and then.
At the same time in the process of designing an attendant console, you have to create a contact directory across the organisation, which can be kept 100% up-to-date and is also rich with details about people’s availability, presence, and information about everything from the time of their next meeting to how they can be contacted next week. This kind of information helps customers to be routed immediately to the right person.
Also, if such a directory exists it can be propagated out to staff that then have presence information at their fingertips, driving efficiencies and reducing costly internal calls into the bargain.
Ultimately though, in a world that continues to be afflicted by the curse of continuous partial attention, where so much needs to be done but so little is done well, it is that human touch, the ability to provide a focused and a rich customer experience that is and is likely to remain console technology’s greatest legacy.
VitAL Supplier Profile
Taking a creative and innovative approach
VitAL Magazine interviews Doug Mow, head of strategy, Ness Software Engineering Services, about the company’s future plans and asks him to share his thoughts about the current challenges CIOs are facing…

VitAL Magazine: What are the origins of the business?
Doug Mow: We were founded in 1999 as an amalgamation of several very specialised IT service companies. Today, Ness Technologies is a global provider of technology services and end-to-end engineering solutions designed to help clients improve their competitiveness and efficiency through the deployment of new and innovative technologies.

VM: What’s your geographic spread?
DM: We’re truly global with over 6,500 colleagues who we call Nessians and clients drawn from the Fortune 500 and Software 500 in over 20 countries. Ness has invested in service delivery centres close or near to our customers, as well as taking advantage of more offshore locations. So you’ll find our technology engineering experts working for global clients out of centres in the USA, Europe and India.

VM: What do you offer the market?
DM: We offer outsourced technology engineering services that allow our clients to exploit and integrate technology to improve efficiency or seek new markets. Typically, Ness is brought in to inject the skills, knowledge and capabilities that a customer doesn’t have or doesn’t have enough of. We also bring creative and innovative approaches that help our customers design solutions they would not normally consider. Our service and consulting offerings are in: data intelligence that derives value from a customer’s data and helps to inform them to make better decisions; product and platform engineering to create the software that’ll be transformative; and experience engineering that maps a customer’s journey throughout a transaction or experience and understands how it can be best supported across multiple devices. We become a technology engineering services partner of a customer whether it’s helping them boost their research and development; bring a new process or product to market or providing continuous operational improvements. Great examples of what we do are enabling a major airline to design, create and run a mobile ticketing app used by thousands of passengers daily, or enable a retail bank to transform point of service systems in branches, on the web and mobile devices or a mobile service provider to automate previously manual and costly business processes around customer care.

VM: What are your specialisations?
DM: Ness works across many markets, including education, financial services, travel and hospitality, telecommunications, utilities, independent software vendors, life sciences, healthcare and government and defence. While we have gathered strong vertical market knowledge, our clients buy Ness for horizontal end-to-end engineering specialisation. They know their markets better than we do but their obstacle is how to creatively apply technology more effectively or even transform how they engage with customers. So our engagements often start with helping a client define this product and what it needs to do for the client’s customers. We then partner with the client to take the product from design to production and beyond.

VM: Your plans for growth?
DM: Key to our success is how we continue to grow our combination of a global delivery model with local management and shared control with our clients and provide the right mix of R&D, software product engineering and consulting services. Across all industries we see organisations’ revenue focus and channels moving towards productising information, services, applications and their intellectual property through wider adoption of technology. This trend is accelerating in sectors like financial services, media, retail, travel, publishing and education. Ultimately what’s happening is all companies that want to become more digital and find more efficient ways to open up new markets are becoming software companies. This is where they need Ness as an innovation partner.

VM: What are the biggest challenges that your CIO customers are facing?
DM: All CIOs in all industries are grappling with seismic changes linked to mega trends such as the impact of the digital generation entering both their workforces and customer bases, proliferation of mobile technology platforms and pressure to digitise business processes comprehensively. If that was not enough, many CIOs are being drawn into projects that use technology to create new products and services. These projects are driven by new technology budget holders like the CMO or VP, customer care, who are looking for the technology organisation to be hugely innovative and much more responsive in both the design and delivery of products and services. The challenge here is that these solutions depend on new technologies that fall outside of the purview of most CIOs who have cut their teeth on focusing on ERP, CRM, payroll, and claims processing for example. When asked to develop products that leverage mobility or the Internet of Things, CIOs may not have the skills at all or in abundance to deliver for the business. So they need to look for external help urgently.

VM: As a technology services business, how are you responding?
DM: Obviously through investing in the engineering skills and capabilities required. But also by recognising the success factors involved. Our customers are looking for companies who embrace co-innovating. As a software engineering partner, we strive to enable transformation and be as invested in the business as our clients are. This sees us partnering with clients across every aspect of software design, development and operations. Ness creates commercial-grade software products and platforms that help businesses engage users and make insights actionable. We connect the dots, and then apply best practices and leading-edge technologies in exciting new ways. This is where our investment in what we call experience engineering is so crucial for our customers. Last year, we bought a creative agency in London who can design apps that create the right experiences for customers. Such design creativity is absolutely vital for our clients who need technology products and capabilities that are market differentiating. However, for experience engineering to work, it is vital that this new creativity around end user interfaces and mobility is integrated into our product engineering. And this is something that we have now achieved and thus where our response to the pressure on CIOs to adopt new technologies really stands out.

VM: Helping organisations be more responsive to change suggests you are a very agile organisation. But technology outsourcers have a mixed reputation for adaptability. What makes you different?
DM: We recognise our clients’ need for continuous product evolution and differentiate ourselves by our distributed agile execution methodology and accelerator frameworks that deliver results with increased speed, quality and predictability. Being more agile and adaptable to change is enabled by how we combine global delivery with local management. Significantly for our European customers we’re investing in more near-shore European resources, including a newly expanded software product development laboratory in Kosice, Slovakia, as well as growing our local teams in London and elsewhere.

VM: Technology outsourcing is associated with India. How is the outsourcing industry developing in Europe?
DM: India is a key part of our service and consulting offering, represents a third of our global delivery team and is a natural region in which to continue to invest to serve our clients globally and locally. As part of our global delivery model we’ve also been growing our European delivery centres in Central Europe especially in Slovakia and Romania. While these countries’ technology workforces don’t have the equivalent scale of our Indian centres, they more than make up for this in their technical engineering excellence. What’s more as member nations of the European Union, they offer us the economic and political stability that’s essential to how we run our business in partnership with our clients.

VM: What’s next for Ness?
DM: 2014 is a landmark year for us as world economies continue their recovery and companies accelerate their strategies to compete on technology innovation and customer experiences.
VitAL Management
The sign of a true partner
Michelle Ayres, group vendor manager at Hardware.com, looks at the importance of choosing a technical solutions partner that has strong vendor relationships…
It is all too common to hear businesses describe themselves as “strategic partners” – however the reality is many add no more value than a standard supplier. So how can you tell which company will best suit your technological and business requirements?
For a business looking for a technical solutions provider, a partner is one that provides an end-to-end solution – from conception to scope of works, proof of concept, lab testing, installation and continued support. Beyond understanding each customer’s individual needs, they will pre-empt them, often offering solutions before they are even sought. They are proactive, not just reactive. A technical solutions partner will also look at emerging technologies, and assess whether these can add greater value to their original solution. They are continuously striving to improve the service they offer their customers. But how can a business really tell who is truly “partner” material? One of the most crucial (and yet often overlooked) signs is to look for one that has exceptionally strong relationships with their vendors.
Technical solutions require technical people
For even the most experienced among us, it can be easy to be swept away by the persuasive language of a slick, smooth-talking sales representative. But always remember that to actually be effective within an organisation, any technical solutions partner must have a highly technical knowledge base – which translates to a sizeable team of experts and engineers. Of course, the best partners will be able to offer multi-vendor, multi-technology solutions. It therefore follows that their teams should be extremely knowledgeable with regard to a range of different, new technologies – more so even than the IT teams of their customers, so as to truly add value. Working closely with vendors ensures that a technical solutions provider is able to fully understand and provide the latest, most applicable solutions, ones that satisfy the exact business and technological needs of their customers in a fast-moving IT landscape. It also enables technical teams to become thought leaders around a particular technology. This means that a customer can be confident that they are working with experts in their field – a safe pair of hands who are able to help them transition smoothly to best of breed solutions, and provide a service they would be unable to replicate in-house.
A certifiably better service
Similarly, the right technical solutions provider should have the highest levels of vendor certification. This is not only an obvious indicator of a business with strong vendor relationships, but also a key marker of a potential “partner”. High levels of accreditation will indicate that a technical solutions provider has not only invested in their relationship with a vendor, but crucially that they also fulfil a wide range of technical criteria, and have demonstrated a clear and deep understanding of that particular vendor’s product portfolio. Essentially, high certification and accreditation highlights that a technical solutions provider is able to offer an advanced, higher level of service. Of course, it goes without saying that the more vendors a business is certified with, the better – showing that they offer an impartial, multi-vendor service – thus ensuring a customer is more likely to avoid the dreaded vendor lock-in.
Mutually supportive
Finally, it is important to bear in mind that the better a technical services provider’s relationship with their vendors, the better their level of support will be for their customers. As we are all aware, sometimes in order to remain competitive, you need an exceptionally fast turnaround on receiving a certain product or service. Whilst a standard “supplier” may have difficulties achieving a sudden, close deadline, a “partner” understands the business need behind your urgency, and will ultimately provide the necessary solution in the time required. This is where strong vendor relationships really come to the fore. They enable a technical solutions partner to have a greater degree of flexibility if an issue does arise – and thus they will be better positioned to serve your business.
Always offering the best
Working very closely with multiple vendors enables a technical solutions provider to keep ahead of new industry trends and technologies. In turn, they are able to keep their customers informed and always offer the best solution for their business requirements. Without a doubt, the most effective way to differentiate a “partner” from a “supplier” is through testimonials – for example, where customers are willing and happy to testify that a technical solutions provider is a “trusted advisor” or an “extension of our own technical team”. And it should come as no surprise that such glowing reviews are often accompanied by equally strong vendor testimonials.
VitAL Management
Managing new IT services, the ITIL and you
Steve Gardner, UK and Ireland sales director at FrontRange, explains why organisations shouldn’t try to introduce all change processes simultaneously, but rather systematically adopt new services one at a time. In addition, Steve looks at key steps to adopting cloud and mobile technologies…
Few processes are as impactful to business operations as the introduction of new technologies. This is particularly true of current trends that support IT service optimisation, like cloud computing and workforce mobility, which also represent a radical departure from traditional methods of enterprise computing.
To be successful in the introduction of new IT services, organisations must embrace best practices for their adoption, along with unified management solutions that enable simplified, reliable and cost-effective implementations.
The challenges of introducing change
Even though adopting new technologies is essential to business success, enterprises are often challenged to introduce them due to one inescapable fact – people resist change. The need to alter daily practices or learn new processes can seem objectionable, and the greater effect any technology changes will have on a user’s work habits, the more resistance they will offer to its implementation.
Often this reaction is fed by a fear of the unknown. That is, a user’s unfamiliarity with a technology or process may cause them to distrust the solution out of concern it may make their job more difficult. Alternatively, there is also sometimes a fear that a technology introduction will actually work too well, causing some employees to worry they will lose their value to the business.
And, of course, there is usually a more immediate concern that taking the time to learn a new solution will impact job tasks. It is important to realise, then, that any process for introducing new technology into a business environment must include processes for achieving cultural acceptance from the workforce. To be effective, the adoption of new technologies must perform optimally at the time of their introduction and must achieve productivity enhancements for both users and administrators without disrupting production services.
Furthermore, the successful introduction of technological change requires more than just the installation of a new application or service – a synergistic relationship between people, processes and technologies must be established to ensure all impacted elements are brought up to speed simultaneously – they must also be cost-effective, meeting both capital and operational budgets. Where applicable, support personnel must be properly trained to perform new roles, execute new processes, and utilise new management resources.
Effectively managing new technology and services
Introducing changes in order to embrace trending technologies – including IT service optimisation, cloud computing and enterprise mobility – involve such a radical departure from traditional management processes that business disruptions can seem unavoidable. However, with the application of best practices in managing change, business impacts can be minimised or negated entirely. Essential guidance is provided by the Information Technology Infrastructure Library (ITIL) set of recommended IT management process improvements. ITIL advocates the adoption of a continuous set of intermediate goals, rather than focusing on a final objective. In other words, organisations should not try to introduce all change processes simultaneously, but rather systematically adopt new services one at a time.
To begin with, an organisation should prioritise which new services to introduce according to how well they will meet one or both of the following criteria:
• Changes that will address chronic business and IT pain points.
• Changes that will enable business opportunities that could not otherwise be pursued.
For each new process or resource being introduced, ITIL also recommends the development of a Service Implementation Plan (SIP), which is essentially a project plan consisting of four phases:
• Initiation – The introduction of a new technology or a service change begins with setting project goals and identifying the scope of the change process. The “why” and “what” of the project are defined at this stage along with obtaining management commitment for its implementation.
• Planning – At this phase, details are assigned to the activities that will be performed and estimates are made with regards to the time, effort and financial costs involved. Based on this, a project plan is developed, identifying specific roles and support steps for administrative staff, and any new tools essential for project completion are identified and adopted.
• Execution – During the period when the plan is being carried out, all change processes must be monitored to ensure that implementation results are proceeding as expected.
• Closure – An often overlooked phase of IT projects, which is in fact critical to success, is the formal acceptance of the changes introduced to provide validation and justification for their introduction. Additionally, processes for the on-going performance monitoring of new services are put in place at this step to ensure they will continue to be reliable and meet business goals.
Enabling IT flexibility
In addition to the ITIL’s guidance above, the adoption of automated management solutions is essential to implementing effective changes to IT services. Automation ensures consistency in deployments and standardises the execution of administrative processes. Compliance enforcement works in conjunction with automation to continuously identify and report on any performance issues or potential issues that may impact user or business productivity. This reduces administrative efforts and support time by only alerting support staff to issues that require their attention and eliminating any unnecessary distractions. Should a problem be detected, an automated management platform will also provide the intelligence necessary to rapidly identify the root cause of the issue, moving administration processes from reactive “firefighting” to proactive problem prevention. Additionally, a consolidated automated management solution enables holistic visibility into the breadth of the support stack, enabling real-time reporting of business metrics that help executives and managers gauge the effectiveness of both IT and the workforce.
Finally, and perhaps most importantly, always keep in mind that change within the organisation does not come easy in IT – particularly so if it is just deployed without due consideration for its impacts to the business. To embrace new technologies, both users and administrators must accept the value of the improvements. There must be an understanding that they will be more productive, that their tasks will be more rewarding, and that they will achieve greater opportunities to excel in their job role. After all, a primary goal of technology advancement is to simplify work efforts, eliminating time wasted on mundane tasks and redirecting those efforts toward more exciting, business-focused projects. When users spend less time navigating technology, they spend more time productively meeting business objectives.
Similarly, administrators are better able to meet Service Level Agreement (SLA) commitments when they are not performing unnecessarily repetitive tasks and systemic firefighting. IT service improvements allow all members of the workforce to do more in less time and with less effort while enhancing job security and business success.
Breakthrough Technology
From a smile to a frown, TV technology that understands emotions
Sophie-Marie Odum investigates a new facial coding technology, called CrowdEmotion, which is being trialed by the BBC to analyse emotional responses to its TV shows…
The BBC is testing a new facial coding technology, called CrowdEmotion, which investigates how viewers react and behave towards its TV shows. It is said to be the world’s first cloud-based, facial coding technology to measure emotions anytime, anywhere simply using a camera. The pilot study with BBC Worldwide has started with 200 participants in the UK, measuring their happiness, surprise, anger, fear, disgust and sadness. The BBC Worldwide Insight team said it plans to run CrowdEmotion trials on a number of BBC TV shows, including Top Gear and Sherlock – two of the organisation’s most popular and lucrative series.
Daniel Jabry, co-founder of CrowdEmotion, explains the idea behind CrowdEmotion: “Humans are often categorised by physical traits and past behaviours to determine their future actions, yet there is still a massive gap in predicting human behavior.
“The emotional artificial intelligence (AI) technology captures, understands and links emotional signals to behaviours. Emotions are an important contributor, but people cannot articulate them well. By blending machine-learning technology with 20 years of neuropsychology, CrowdEmotion captures and patterns human emotional signals to behaviour. This way, humans can continue acting the way they do, but the technology is now able to observe emotional signals using the devices we already have.
“The software then takes that messy emotional data and cleans it up to enable comparisons with previous behaviour and ultimately enable better decision making.”
David Boyle, Executive Vice President of BBC Worldwide Insight, said that CrowdEmotion’s ability to capture, record and quantify the BBC audience’s emotional attachment and engagement to its TV shows places BBC Worldwide at the forefront of global audience research and ultimately determines what the BBC’s fans love to watch.
Matthew Celuszak, co-founder and chief executive of CrowdEmotion, added that the technology will help quality content “cut through the clutter”, and also help to humanise the BBC Worldwide brand. “With today’s media noisier than ever, we’re here to innovate, bring emotions to life and reshape broadcast media through our findings,” he said.
A second wave of CrowdEmotion trials will take place in Russia and Australia, followed by a third in six other international markets. Further monthly global research studies are also in the pipeline, according to reports.