Friday, January 23, 2015

OTA: over 90% of data breaches in the first half of 2014 “could have been avoided”


January 22, 2015 by Neil Ford  

The Online Trust Alliance (OTA), the global non-profit organisation “with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet”, released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides yesterday.

According to its analysis of “nearly 500 breaches reported in the first half of 2014”, more than “90% could have been avoided had simple controls and security best practices been implemented.”

OTA recommends the following best practices:
- Enforce effective password management policies.
- Employ least privilege user access (LUA) to provide protection against malicious network behaviour and system faults.
- Deploy multi-layered firewall protection; use up-to-date antivirus software; enable patch management for operating systems, apps and add-ons; disable auto-running of removable media; and employ whole-disk encryption.
- Conduct regular penetration tests and vulnerability scans.
- Require email authentication on all inbound and outbound mail streams to detect phishing and spoofed emails.
- Implement a mobile device management programme.
- Continuously monitor the organisation’s infrastructure security.
- Deploy web application firewalls to mitigate common threats, as identified by OWASP.
- Only permit authorised devices to connect wirelessly to the network and encrypt communications with wireless devices.
- Implement Always On Secure Sockets Layer (AOSSL) for all servers requiring login authentication and data collection to prevent data sniffing.
- Review server certificates for vulnerabilities and risks of domain hijacking.
- Develop, test, and continually refine a data breach response plan.

Organisations that are concerned about information security and want to implement OTA’s recommendations will be pleased to learn that there is a single best-practice solution that can be employed to address all of the points listed above.

ISO 27001, the international information security standard, sets out the requirements of an enterprise-wide information security management system (ISMS) that encompasses people, processes and technology.

IT Governance ISO 27001 packaged solutions – Get A Little Help

IT Governance’s recently relaunched ISO 27001 packaged solutions provide ISMS implementation resources for all organisations concerned about information security. The ISO 27001 Get A Little Help Package contains three international standards, two training course places, two essential implementation guides, a comprehensive documentation toolkit, the ISO 27001-compliant risk assessment software tool vsRisk, and two hours’ Live Online consultancy support.

It is aimed at organisations that already have some management system expertise and an initial understanding of information security management, as well as the necessary available internal resources and a corporate culture of using best-in-class tools and skills to accelerate learning and implementation while still essentially following a do-it-yourself approach to project management.


Monday, January 12, 2015

Take charge

By , Contributor



Gavin Hill, director: communications and networking (MEA), Dimension Data.
The real cost of telecommunications services in SA is increasing, bucking international trends. This is according to Jiaqi Sun, senior research analyst for IDC. Sun, who opened this month's roundtable discussion, believes profitability is driving this trend, with mobile operators a case in point. Sun's question to the panel was: "Is it possible to manage telecoms costs?"
Peter Walsh, director at CommsCloud, suggests that while the likes of MTN and Vodacom are making piles of money, they're not investing in their customers.
"Nobody's going to the customer and getting to understand their pain points," he says, adding he has yet to find someone from any of the local mobile networks trying to understand how to drive customers' costs down. "That's because those people (mobile operator salespeople) are incentivised on a commission basis. So you'd be asking them to cannibalise their income and their market," says Walsh.

Nebula's COO Jacques van Zyl agrees. He says mobile operators see no benefit in helping customers understand where they are and where they need to go.
Tyron Sharnock, sales manager at AspiviaUnison, believes things are changing. "Previously, (vendors) just needed to deliver an invoice and you would pay it, possibly with a discount. Now there's more visibility and pressure from the client… to say, I want this, I want that, I want more, I need more, I need better information."

Walsh believes enterprises need to take charge. "That's why we have telecoms cost management; I imagine that, in the enterprise, it's very low in South Africa. I remember going to a telecoms expense management conference in Amsterdam in 2010, and their stats on South Africa was 12% or 15% take-up. So you need to take ownership of your costs."
Stanley Louw, network transformation lead for Accenture SA, believes the issue is one of managing telecoms costs properly within an organisation.
Gavin Hill, director: communications and networking (MEA) at Dimension Data, says telecoms costs remain high in SA because enterprises don't necessarily pressure the carriers on pricing.
"Pressure from the enterprise is brought to bear when they take a holistic or more strategic approach to how they consume services, who they choose as their carriers, the pricing models they demand and start to dictate, as opposed to being dictated to by the carriers, which has happened for far too long in this country," he elaborates.
But why is this the customer's fault?
"In many instances, it is. We haven't pushed back hard enough... on the carriers to demand the services we want and the prices we want to pay," says Hill.
Jacques van Zyl, COO, Nebula.
Reshaad Sha, chief strategy officer of Dark Fibre Africa, trots out the economies of scale argument, essentially suggesting if SA used more data or voice minutes, the cost would come down. While acknowledging this is somewhat of a Catch-22 scenario, he suggests consumers are not quite as vigilant as they could be.
"If somebody gets a local phone bill with a voice side that's exceeding R2 000 a month, then it's an education issue, because he doesn't understand. He should never have to pay more than R2 000, simply because there are many packages that allow unlimited calls for a fixed fee (of about that)," he insists.
Hill suggests the reason voice minutes are down is partly due to cost and partly due to increased use of social media. "Voice minutes are never going to grow beyond a certain volume, because the next generation doesn't use them," he says.
Sha agrees: "That's why you're seeing the growth in data far outstripping that of voice. That's why you're seeing the cost per megabyte coming down so significantly as opposed to the cost per minute of voice. It's largely driven by that usage," he suggests.
Van Zyl wonders which came first, the chicken or the egg: "Isn't part of why consumers use WhatsApp, Internet Messaging and Skype because telecoms costs are high?"
However, he notes this is not just restricted to the consumer market. Some companies, he reports, are actively promoting the use of WhatsApp and other messaging apps, instead of picking up the telephone.
Louw doesn't necessarily believe lower cost is the motivation for using messaging apps instead of voice calls. "The behaviour of a lot of users is changing and the methods people collaborate with each other are changing too," he says.
Van Zyl retorts that at least some of it has to do with a generation gap. "Kids these days, they're more vested in this; it's part of how they've grown up."
Jiaqi Sun, senior research analyst, IDC.
Sharnock finds it interesting that, in a discussion about telecoms cost management, the first thing is to criticise the mobile service providers for charging too much. "But we can't blame them for their business. Their business is to up-sell, to make profit," he asserts.
That said, he appears to concur with the consensus that enterprise customers are not putting enough pricing pressure on their telco providers. However, Sharnock wonders how these companies could do it, given that few have a central telecoms cost management strategy.
According to his experience, responsibilities are all over the place. For example, while fixed-line data costs typically fall within the ICT budget, fixed-line voice is usually the province of operations, while both 3G data and voice are often the responsibility of HR.
Louw agrees: "It comes down to how you manage it and how you centralise these things and automate the processes around them."
Hill raises another pertinent point: "Many organisations, especially smaller enterprises in this country, think that telecoms expense management is call accounting. They think it's checking how many times Mavis in marketing phones her grandmother."
And although he concedes that call accounting should be part of the mix, Hill insists it is far from the be-all and end-all of managing and controlling communications costs. To really get on top of telecoms cost management, he says it's necessary to consider the entire life cycle of each telecoms service from procurement to termination at the end of the contract.
Sha believes for the typical medium-sized business, voice costs are negligible in relation to data connectivity. However, the challenge for such businesses is that their priority is not telecoms management; their priority is doing whatever business they do.
The solution, he says, at least for medium-sized businesses, is to outsource telecoms management to an external non-traditional service provider empowered to change service providers in order to cut costs, while maintaining constant connectivity and high service levels.
Walsh concurs and cites an example from a few years back. "We did a big mobility clean-up where a client was spending R3 000 000 a month on 3G cards. Some R1 750 000 of that was tied up in 3G cards lying in desks and in cabinets all over the country," he says.
Reshaad Sha, chief strategy officer, Dark Fibre Africa.
Sharnock suggests many enterprises simply don't care about reducing costs because those costs are all recovered through enterprise-based cost accounting. "What they do is a claims-based mobile voice thing or a top-up 3G package or here's your allowance. Whatever is over the limit, we're going to take back from HR," he says.
This brings Sharnock back to the lack of central strategy, which, he believes, ultimately results in the enterprise making this the consumer's problem.
Louw agrees, but takes it a step further than centralisation. "There's all this data sitting inside the organisation, but there's very little analytics being done on it (to rationalise costs). If you drive the analytics, you can influence behaviour (and begin to select) the right packages," he says.
Hill notes it is one thing to have the information, but unless you're actually taking action to influence the high costs, the savings are never going to be realised. Coming back to Sha's point, he also suggests enterprises give a third party specialist organisation the mandate to take remedial action on their behalf.
Van Zyl agrees and suggests the level of savings that could be realised by such action. "If all enterprises take control, you will wipe out 20% of telecoms costs just like that," he says. "And that's without taking on the service providers."
Walsh reiterates his point that the enterprise and service provider need to work together. "Business and service providers need to work as partners. That's what telecoms cost management is all about," he says.
"You have to get engaged internally, you have to sit down and communicate, put a strategy together, and if you don't have the skills to do that, and to play a role in industry, then you need to outsource that to somebody else," insists Walsh.
Tyron Sharnock, sales manager, AspiviaUnison.
Partially echoing Walsh, Louw says it comes down to two things for him: business relevance and partnerships. In the first instance, he says advanced technologies must be used to enable business. Secondly, he notes the old days of adversarial relationships between client and supplier have gone and things are very much more about partnerships these days.
Hill echoes the partnership view, but adds a caveat that not all service providers have embraced the new ethos. "The next generation of service providers can be potentially more agile because they don't have a legacy anchoring them down," he says.
Hill also points to a growing trend to adopt utility models of telecoms and ICT consumption as another way to manage the telecoms cost equation. "You don't tie yourself into long-term fixed contracts and become more agile, because you consume these services on a far more granular scale," he elucidates.
Van Zyl believes the partnership model is the best solution for unlocking the value to be found in effective telecoms cost management.
Sharnock reiterates Louw's earlier point about the value of using analytics technology to take control of telecoms cost management. "What gets measured gets managed," he says, "and unless enterprises actually do something, those costs are going to continue to increase."

Demand to deliver – IT infrastructure

August 6th, 2014, Published in Articles: EngineerIT
Service providers and vendors are touting voice, video and cloud-based applications and storage facilities as the Holy Grail.
The internal customer in an organisation’s various business divisions wants more of everything. Demand for 24x7x365 access for all role players, differentiation in the market place, along with hunger for information, and the ability to analyse and use it, is putting pressure on the enterprise’s virtual private network and stretching the IT department to its limits.
Facebook, YouTube, Instagram, iTunes, streaming media and other social media networks, along with cloud-based storage, are consuming bandwidth faster than the enterprise can roll it out. The bring your own device revolution is disrupting business in ways we are only starting to fully understand. Most businesses are merely playing catch-up. Mobility by way of tablets, smartphones and laptops, together with social media networks that enable conversations with brands, has disrupted the manner in which customers and service providers interact with companies, and has enabled customers to be far more educated and engaged than ever before.
When I go shopping, for example, I understand what I am buying, what it costs at ten different stores and I have a good understanding of all the specifications long before I arrive at the retail store. I am often better informed than the sales person I am buying from. So whilst the sales person is telling me that their offering is the cheapest in town with the best service levels and the best products, I’ve already done a price comparison online, read customer complaints and compliments, and weighed up the benefits of making the purchase from them or their competitors.
This is true from white goods, through to food, clothes, vehicles, electronics and almost anything you could think of. As a result, the sales person, support agent, receptionist, manager or driver involved in the transaction needs to be empowered to deal with a significantly more knowledgeable and empowered shopper.
In order to empower its employees to deal with these new demands, the enterprise needs to train and up-skill people, retain and distribute institutional knowledge, and collect and analyse the data it needs to ensure better decision-making and to evolve the business on an ongoing basis.
To complicate matters, whilst the cost of bandwidth is coming down, both the consumption of and demand for bandwidth from the end user, along with the expectation of 24x7x365 access, are pushing IT departments and their budgets into uncharted territory. Any savings from bandwidth cost reductions are inevitably lost to an apparently insatiable demand for throughput.
This is the cause of some frustration in CEOs and CFOs who do not understand why IT costs are going up when bandwidth costs are dropping. The viewpoint is often that employees want a BMW when they can drive a Golf. This indicates a lack of understanding of IT’s role as a business enabler.
Technology is now involved in every aspect of business. All stakeholders in the enterprise are looking to IT to provide the connectivity, the access, the storage, the applications, the collaborative tools and the communication tools that will deliver on this vision – when they need it and where they need it. And the CEO who is not intimately involved in IT decision-making, and who doesn’t understand the competitive edge it offers his business, is missing a significant opportunity to gain an edge on his competitors.
Nowadays the astute CEO is more likely than ever to be involved in IT. The CIO no longer frets alone about IT. The message is getting through to the executive that to ignore the benefits derived from IT as a business enabler is to become uncompetitive, irrelevant or, even worse, to go out of business.
The problem with all of this is that IT is expected to deliver next year’s technology vision on last year’s budget, with the same resources it has always had.
Sharing IT’s budget with an enterprise’s divisions and/or branches has always been a tough sell. In today’s evolving landscape, finding ways to apportion costs, measure and manage those costs and report thereon has just got that much more difficult. Increase costs and you can expect serious pushback. Don’t deliver and you will get serious complaints.
How do the CEO, CIO and their IT manager manage this demand and the associated challenges and cost of delivery? The days when the IT department carried the cost and then apportioned those costs to each user in each department and carried the can for over-spending, are gone. The IT department can no longer hold up the budget for the business on its own.
Whether you are reading McKinsey or IBM whitepapers, or just using good old common sense, you cannot get away from the fact that if IT is to be an effective enabler it needs to work in partnership with the people driving the demand.
Where to start?
  • Include all stakeholders in planning, budgeting and implementation.
  • Understand the company’s growth drivers and business priorities and gain a thorough understanding of the demand for and consumption of IT services.
  • Listen to the company’s divisions and their business need, offer tiered options at different costs and partner with them.
  • Build flexible, scalable and cost effective networks, ready to deliver on the business’ needs.
  • If you don’t measure it, you will never manage it. Measuring the consumption accurately along with regular reporting to the units on progress, costs, and challenges, will ensure business units buy into the timeframes, solutions and/or services as well as the associated costs.
  • Shift the responsibility for managing costs onto the end user. The sub-text being that if you want to consume large amounts of data and have all the bells and whistles, you are going to need to pay for it.
  • Ensure that buy-in to a solution includes both a clear mandate to source solutions and/or services and explicitly specifies that the end user is willing to budget and pay for said solution.
  • Use the fact that everyone is carrying the IT budget to resource and up-skill the IT department, ensuring that the IT department delivers a great service at a good price.
If you wish your business units to be fully onboard, supportive and willing to pay for what they use, bringing the role players into the design, costing, procurement and implementation phases of solutions/services procurement will stand you in good stead and ensure buy-in, careful use, budget to pay for it and, most importantly, that the solution is relevant to the business need.
When supply equals demand, and all the business units are paying their fair share, the IT department’s role in business will have evolved to the place it needs to be.

Thursday, June 12, 2014

Converging its networks cuts CMH’s telecoms costs

May 19, 2014


Retail motor Group CMH has cut its telecoms costs and increased its network capacity fourfold by migrating to a converged MPLS VPN network.
Like most local companies, CMH was running separate voice and data networks. Telkom line infrastructure was in place for voice, and costs were being managed by utilising cell phone-based least-cost routing.
The Group was running point-to-point diginet links into its car dealerships and car rental offices countrywide, something that was proving both expensive and inefficient. There was also limited redundancy. If a line went down the dealership or office concerned was offline until someone could get a physical 3G dongle to the location or the line was repaired.
In October 2011, Group IT manager Roelof Minnaar met with Peter Walsh of CommsCloud, a specialist telecommunications consultancy. Whilst initially the discussions were about gaining clarity on an array of VoIP proposals from multiple service providers (aimed at driving down costs), in the end Minnaar engaged CommsCloud to assist with analysing the Group’s telecommunications usage and costs, document its business need, and put together a Request for Proposal (RFP) for a tailor-made converged network.
It soon became clear to all the role players that converging the disparate voice and data networks would aggregate costs, increase savings, reduce operational impact and deliver significant benefits to the business.
Says Minnaar: “We drafted an RFP for a fully converged network servicing 54 dealerships and about 42 car rental depots, and distributed the RFP to the major players in the market. Thereafter we started a lengthy process of interacting with the respondents and working through the thick piles of RFPs they’d come back to us with.”
Minnaar says CommsCloud created a massive comparison matrix, analysing and plotting all the information in each RFP response – from last mile redundancy to technical details, hardware and costs.
The service provider list was then trimmed down to three potential providers, with CMH conducting two site visits to the short-listed service providers’ support centres, gaining a better understanding of how CMH would be looked after post implementation.
Assessments concluded, CMH went with Vox Telecom because it felt it would get dedicated attention. A three-year deal was signed and planning was done. Each site was analysed to establish what connections it had and what it needed.
“The whole purpose was to ensure redundancy, increase throughput for the end-user and have a much better, more stable network. By converging the voice and data network we could ultimately afford a far better network,” Minnaar comments.
The decision to converge its network saved CMH almost R20m over the three-year contract period, of which half was reinvested back into last mile connectivity at its sites. The main links were sized based on specific needs and segregated to carry voice, video and data traffic. In addition, the secondary links were set up to be used by CMH IT to manage its own network, leaving the primary links for mission critical business applications.
CMH has also removed its least cost routers and significantly reduced the cost of calls. Voice traffic (VoIP) now runs over the converged network, at a lower cost, with inter-branch calls being routed at a negligible rate.
With careful planning, CommsCloud’s analysis and input and the willingness of its service provider to go the extra mile, CMH has been able to optimise its telecoms infrastructure, which has contributed significantly to ongoing savings.
One spin-off of the move has been to enable Minnaar to centralise the Group’s IT systems in its service provider’s datacentre. This not only ensures mission critical applications reside in a secured, controlled environment with generators and a replicated site allowing for immediate failover, but also ensures there is no single point of failure in accessing CMH’s business applications.
“CMH has almost completed its rollout,” says Minnaar. “And whilst it was not all smooth sailing, redundancy is now in place, throughput to the desktop has improved and the ongoing demand from dealerships for more bandwidth is manageable”.
CMH’s network now services 78 sites housing 110 branches countrywide. It is scalable, provides alternative routing, and enables the Group to leverage technology for its business requirements. CMH is now free to focus on improving the customer experience and increasing productivity.

Convergence a challenge for organisations

May 15, 2014

Peter Walsh, CommsCloud director
For mid-sized organisations without a large IT budget, convergence and the move to IP-telephony is posing a serious challenge. Disruptive technologies like cloud computing are here to stay. The ‘bring your own device’ trend has set in and more and more things (from fridges to phones) are being connected daily. According to Intel, the number of networked devices will be double the world’s population by 2015. For IT managers trying to cope with current needs, like managing the BYOD explosion, while planning for future network and bandwidth requirements, things are not going to get easier any time soon.
While IT managers (and CIOs) have traditionally faced the challenge of being in a continuous upgrade cycle, falling behind now could have disastrous consequences for organisations.
Managing telecommunications infrastructure is both complicated and technically difficult.
Upgrading and keeping pace with change is resource intensive, requires a strong understanding of costs and business needs, and is further complicated by the current legislative and regulatory environment.
Chasing price when managing telecommunications infrastructure is the wrong way to do it – as evidenced by the price cuts the corporate world has obtained from operators like MTN and Vodacom over the years without great service to show for them. IT managers need to understand their costs, and their business need, better than their service providers do. They need to benchmark costs by product and solution (to measure and monitor progress); this will show where inefficiencies lie and where there is opportunity for improvement, as well as what needs to be prioritised. IT managers should also document their business need so that they can clearly communicate this to the service providers they engage with.
Most businesses will not be able to conduct this process internally. Telecommunications expense management is a relatively new discipline in South Africa and not yet well understood or well used. Local TEM expertise does exist in specialist consultancies, however, and IT managers would be well-served to get one on board to conduct this assessment.
Once the assessment is complete, price your needs on the open market via an RFP/RFI or tender process. Bandwidth costs are coming down and if you’ve not renegotiated pricing in the last 24 months then chances are you are paying too much.
Use your documented business need along with clearly defined deliverables, and ensure responding service providers have all the information they need to propose a viable solution. Request an SLA and get a legal mind involved in the signing of commercial agreements.
If you have to change networks bear in mind that it is a challenging project that requires detailed planning, strong communications and change management skills, good project management and will involve some degree of disruption.
Get the process right and you can upgrade the network to one that is scalable, resilient and redundant while fulfilling the business’ strategic IT requirements and driving down costs. You will also be able to future proof your business and embrace an evolving IT landscape.

Sunday, April 6, 2014

Convergence is a must, not a nice-to-have

Local telecommunications consultancy CommsCloud says local companies stand to realise a lot more value from converging their voice and data networks into one, IP-enabled converged network than they actually realise.
Next generation converged networks are designed to manage diverse traffic, expedite and prioritise solutions and deliver value to the business, its customers and its stakeholders. IT is now a strong enabler in business and companies that do not leverage this opportunity will struggle to compete.
“If your employees are hamstrung by IT where your competition enables its employees, your business will have a distinct disadvantage in the marketplace,” says CommsCloud director Peter Walsh.
Convergence will reduce total cost of ownership, enable a company to better manage network traffic, and keep employees actively involved in servicing the customer – no matter where they are.
Although many companies have migrated to IP-based solutions intended to effect cost savings for voice traffic, they still tend to maintain dual voice and data networks. Consequently, resultant savings from VoIP-enabled calls are often eroded by the costs of running two separate networks rather than a single converged network.
The sheer complexity of a convergence project often puts companies off before they’ve even started, and stories abound of companies that have tried and either failed or gone through huge pain doing so. For most organisations, and particularly the people making the telecommunications decisions, the number and variety of telecommunications options available is complex.
It’s difficult to determine which solution will meet the company’s requirements and support its business strategy, particularly where newer technology concepts like convergence are considered. Companies should also consider how motivated their incumbent service provider is to help them reduce their overall spend.
Says Walsh: “You cannot manage what you can’t measure. Doing a comprehensive audit and analysis of a company’s telecommunications fixed and variable costs (both voice and data) and establishing a TCO, is a must do starting point.”
This analysis provides insights into how a company’s networks are used, what the actual costs are and how the network (and products/solutions running on the network(s)) can be optimised or improved to better meet the company’s business need.
Based on the audit and business needs analysis, the business can approach the market in a formal manner and ensure that input on fulfilling a specific business need is requested from multiple service providers. In CommsCloud’s experience this is best achieved by way of a formal Request for Proposal (RFP), says Walsh.
Implementing a converged network is a massive undertaking, requires keen project and change management skills, requires strong commercial agreements with service providers and is definitely not for the faint-hearted, comments Walsh. That said, real value can be gained from getting rid of unused infrastructure and replacing it with a converged network solution, that enables the business, rather than inhibits it, he notes.
Moving to a converged network is not just about costs, says Walsh, but results in a substantially better end-user and customer experience. Requirements for bandwidth and access to the internet of all things are not going to decrease; they will only rise, so IT heads need to plan and prepare their networks accordingly.