Friday, January 23, 2015

OTA: over 90% of data breaches in the first half of 2014 “could have been avoided”


January 22, 2015 by Neil Ford  

The Online Trust Alliance (OTA), the global non-profit organisation “with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet”, released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides yesterday.

According to its analysis of “nearly 500 breaches reported in the first half of 2014”, more than “90% could have been avoided had simple controls and security best practices been implemented.”

OTA recommends the following best practices:
- Enforce effective password management policies.
- Employ least privilege user access (LUA) to provide protection against malicious network behaviour and system faults.
- Deploy multi-layered firewall protection; use up-to-date antivirus software; enable patch management for operating systems, apps and add-ons; disable auto-running of removable media; and employ whole-disk encryption.
- Conduct regular penetration tests and vulnerability scans.
- Require email authentication on all inbound and outbound mail streams to detect phishing and spoofed emails.
- Implement a mobile device management programme.
- Continuously monitor the organisation’s infrastructure security.
- Deploy web application firewalls to mitigate common threats, as identified by OWASP.
- Only permit authorised devices to connect wirelessly to the network and encrypt communications with wireless devices.
- Implement Always On Secure Sockets Layer (AOSSL) for all servers requiring login authentication and data collection to prevent data sniffing.
- Review server certificates for vulnerabilities and risks of domain hijacking.
- Develop, test, and continually refine a data breach response plan.

Organisations that are concerned about information security and want to implement OTA’s recommendations will be pleased to learn that there is a single best-practice solution that can be employed to address all of the points listed above.

ISO 27001, the international information security standard, sets out the requirements of an enterprise-wide information security management system (ISMS) that encompasses people, processes and technology.

IT Governance ISO 27001 packaged solutions – Get A Little Help

IT Governance’s recently relaunched ISO 27001 packaged solutions provide ISMS implementation resources for all organisations concerned about information security. The ISO 27001 Get A Little Help Package contains three international standards, two training course places, two essential implementation guides, a comprehensive documentation toolkit, the ISO 27001-compliant risk assessment software tool vsRisk, and two hours’ Live Online consultancy support.

It is aimed at organisations that already have some management system expertise and an initial understanding of information security management, together with the necessary internal resources. It suits a corporate culture that uses best-in-class tools and skills to accelerate learning and implementation while still following an essentially do-it-yourself approach to project management.


Monday, January 12, 2015

Take charge

By , Contributor



Gavin Hill, director: communications and networking (MEA), Dimension Data.
The real cost of telecommunications services in SA is increasing, bucking international trends. This is according to Jiaqi Sun, senior research analyst for IDC. Sun, who opened this month's roundtable discussion, believes profitability is driving this trend, with mobile operators a case in point. Sun's question to the panel was: "Is it possible to manage telecoms costs?"
Peter Walsh, director at CommsCloud, suggests that while the likes of MTN and Vodacom are making piles of money, they're not investing in their customers.
"Nobody's going to the customer and getting to understand their pain points," he says, adding he has yet to find someone from any of the local mobile networks trying to understand how to drive customers' costs down. "That's because those people (mobile operator salespeople) are incentivised on a commission basis. So you'd be asking them to cannibalise their income and their market," says Walsh.

Nebula's COO Jacques van Zyl agrees. He says mobile operators see no benefit in helping customers understand where they are and where they need to go.
Tyron Sharnock, sales manager at AspiviaUnison, believes things are changing. "Previously, (vendors) just needed to deliver an invoice and you would pay it, possibly with a discount. Now there's more visibility and pressure from the client… to say, I want this, I want that, I want more, I need more, I need better information."

Walsh believes enterprises need to take charge. "That's why we have telecoms cost management; I imagine that, in the enterprise, it's very low in South Africa. I remember going to a telecoms expense management conference in Amsterdam in 2010, and their stats on South Africa were 12% or 15% take-up. So you need to take ownership of your costs."
Stanley Louw, network transformation lead for Accenture SA, believes the issue is one of managing telecoms costs properly within an organisation.
Gavin Hill, director: communications and networking (MEA) at Dimension Data, says telecoms costs remain high in SA because enterprises don't necessarily pressure the carriers on pricing.
"Pressure from the enterprise is brought to bear when they take a holistic or more strategic approach to how they consume services, who they choose as their carriers, the pricing models they demand and start to dictate, as opposed to being dictated to by the carriers, which has happened for far too long in this country," he elaborates.
But why is this the customer's fault?
"In many instances, it is. We haven't pushed back hard enough... on the carriers to demand the services we want and the prices we want to pay," says Hill.
Jacques van Zyl, COO, Nebula.
Reshaad Sha, chief strategy officer of Dark Fibre Africa, trots out the economies of scale argument, essentially suggesting if SA used more data or voice minutes, the cost would come down. While acknowledging this is somewhat of a Catch-22 scenario, he suggests consumers are not quite as vigilant as they could be.
"If somebody gets a local phone bill with a voice side that's exceeding R2 000 a month, then it's an education issue, because he doesn't understand. He should never have to pay more than R2 000, simply because there are many packages that allow unlimited calls for a fixed fee (of about that)," he insists.
Hill suggests the reason voice minutes are down is partly due to cost and partly due to increased use of social media. "Voice minutes are never going to grow beyond a certain volume, because the next generation doesn't use them," he says.
Sha agrees: "That's why you're seeing the growth in data far outstripping that of voice. That's why you're seeing the cost per megabyte coming down so significantly as opposed to the cost per minute of voice. It's largely driven by that usage," he suggests.
Van Zyl wonders which came first, the chicken or the egg: "Isn't part of why consumers use WhatsApp, Internet Messaging and Skype because telecoms costs are high?"
However, he notes this is not just restricted to the consumer market. Some companies, he reports, are actively promoting the use of WhatsApp and other messaging apps, instead of picking up the telephone.
Louw doesn't necessarily believe lower cost is the motivation for using messaging apps instead of voice calls. "The behaviour of a lot of users is changing and the methods people collaborate with each other are changing too," he says.
Van Zyl retorts that at least some of it has to do with a generation gap. "Kids these days, they're more vested in this; it's part of how they've grown up."
Jiaqi Sun, senior research analyst, IDC.
Sharnock finds it interesting that, in a discussion about telecoms cost management, the first thing is to criticise the mobile service providers for charging too much. "But we can't blame them for their business. Their business is to up-sell, to make profit," he asserts.
That said, he appears to concur with the consensus that enterprise customers are not putting enough pricing pressure on their telco providers. However, Sharnock wonders how these companies could do it, given that few have a central telecoms cost management strategy.
According to his experience, responsibilities are all over the place. For example, while fixed-line data costs typically fall within the ICT budget, fixed-line voice is usually the province of operations, while both 3G data and voice are often the responsibility of HR.
Louw agrees: "It comes down to how you manage it and how you centralise these things and automate the processes around them."
Hill raises another pertinent point: "Many organisations, especially smaller enterprises in this country, think that telecoms expense management is call accounting. They think it's checking how many times Mavis in marketing phones her grandmother."
And although he concedes that call accounting should be part of the mix, Hill insists it is far from the be-all and end-all of managing and controlling communications costs. To really get on top of telecoms cost management, he says it's necessary to consider the entire life cycle of each telecoms service from procurement to termination at the end of the contract.
Sha believes for the typical medium-sized business, voice costs are negligible in relation to data connectivity. However, the challenge for such businesses is that their priority is not telecoms management; their priority is doing whatever business they do.
The solution, he says, at least for medium-sized businesses, is to outsource telecoms management to an external non-traditional service provider empowered to change service providers in order to cut costs, while maintaining constant connectivity and high service levels.
Walsh concurs and cites an example from a few years back. "We did a big mobility clean-up where a client was spending R3 000 000 a month on 3G cards. Some R1 750 000 of that was tied up in 3G cards lying in desks and in cabinets all over the country," he says.
Reshaad Sha, chief strategy officer, Dark Fibre Africa.
Sharnock suggests many enterprises simply don't care about reducing costs because those costs are all recovered through enterprise-based cost accounting. "What they do is a claims-based mobile voice thing or a top-up 3G package or here's your allowance. Whatever is over the limit, we're going to take back from HR," he says.
This brings Sharnock back to the lack of central strategy, which, he believes, ultimately results in the enterprise making this the consumer's problem.
Louw agrees, but takes it a step further than centralisation. "There's all this data sitting inside the organisation, but there's very little analytics being done on it (to rationalise costs). If you drive the analytics, you can influence behaviour (and begin to select) the right packages," he says.
Hill notes it is one thing to have the information, but unless you're actually taking action to influence the high costs, the savings are never going to be realised. Coming back to Sha's point, he also suggests enterprises give a third party specialist organisation the mandate to take remedial action on their behalf.
Van Zyl agrees and suggests the level of savings that could be realised by such action. "If all enterprises take control, you will wipe out 20% of telecoms costs just like that," he says. "And that's without taking on the service providers."
Walsh reiterates his point that the enterprise and service provider need to work together. "Business and service providers need to work as partners. That's what telecoms cost management is all about," he says.
"You have to get engaged internally, you have to sit down and communicate, put a strategy together, and if you don't have the skills to do that, and to play a role in industry, then you need to outsource that to somebody else," insists Walsh.
Tyron Sharnock, sales manager, AspiviaUnison.
Partially echoing Walsh, Louw says it comes down to two things for him: business relevance and partnerships. In the first instance, he says advanced technologies must be used to enable business. Secondly, he notes the old days of adversarial relationships between client and supplier have gone and things are very much more about partnerships these days.
Hill echoes the partnership view, but adds a caveat that not all service providers have embraced the new ethos. "The next generation of service providers can be potentially more agile because they don't have a legacy anchoring them down," he says.
Hill also points to a growing trend to adopt utility models of telecoms and ICT consumption as another way to manage the telecoms cost equation. "You don't tie yourself into long-term fixed contracts and become more agile, because you consume these services on a far more granular scale," he elucidates.
Van Zyl believes the partnership model is the best solution for unlocking the value to be found in effective telecoms cost management.
Sharnock reiterates Louw's earlier point about the value of using analytics technology to take control of telecoms cost management. "What gets measured gets managed," he says, "and unless enterprises actually do something, those costs are going to continue to increase."

Demand to deliver – IT infrastructure

August 6th, 2014, Published in Articles: EngineerIT
Service providers and vendors are touting voice, video and cloud-based applications and storage facilities as the Holy Grail.
The internal customer in an organisation’s various business divisions wants more of everything. Demand for 24x7x365 access for all role players, differentiation in the marketplace, a hunger for information, and the ability to analyse and use it, are putting pressure on the enterprise’s virtual private network and stretching the IT department to its limits.
Facebook, YouTube, Instagram, iTunes, streaming media and other social media networks, along with cloud-based storage, are consuming bandwidth faster than the enterprise can roll it out. The bring your own device revolution is disrupting business in ways we are only starting to fully understand. Most businesses are merely playing catch-up. Mobility by way of tablets, smartphones and laptops and social media networks that enable conversations with brands has disrupted the manner in which customers and service providers interact with companies, and enable customers to be far more educated and engaged than ever before.
When I go shopping, for example, I understand what I am buying, what it costs at ten different stores and I have a good understanding of all the specifications long before I arrive at the retail store. I am often better informed than the sales person I am buying from. So whilst the sales person is telling me that their offering is the cheapest in town with the best service levels and the best products, I’ve already done a price comparison online, read customer complaints and compliments, and weighed up the benefits of making the purchase from them or their competitors.
This is true from white goods, through to food, clothes, vehicles, electronics and almost anything you could think of. As a result, the sales person, support agent, receptionist, manager or driver involved in the transaction needs to be empowered to deal with a significantly more knowledgeable and empowered shopper.
In order to empower its employees to deal with these new demands, the enterprise needs to train and up-skill people, retain and distribute institutional knowledge, and collect and analyse the data it needs to ensure better decision-making and to evolve the business on an ongoing basis.
To complicate matters, whilst the cost of bandwidth is coming down, both the consumption of and demand for bandwidth from the end user, along with the expectation of 24x7x365 access is pushing IT departments and their budgets into uncharted territory. Any savings from bandwidth cost reductions are inevitably lost to an apparently insatiable demand for throughput.
This is the cause of some frustration among CEOs and CFOs who do not understand why IT costs are going up when bandwidth costs are dropping. The viewpoint is often that employees want a BMW when they could drive a Golf. This indicates a lack of understanding of IT’s role as a business enabler.
Technology is now involved in every aspect of business. All stakeholders in the enterprise are looking to IT to provide the connectivity, the access, the storage, the applications, the collaborative tools and the communication tools that will deliver on this vision – when they need it and where they need it. And the CEO who is not intimately involved in IT decision-making, and who doesn’t understand the competitive edge it offers his business, is missing a significant opportunity to gain an edge on his competitors.
Nowadays the astute CEO is more likely than ever to be involved in IT. The CIO no longer frets alone about IT. The message is getting through to the executive that to ignore the benefits derived from IT as a business enabler is to become uncompetitive, irrelevant or, even worse, to go out of business.
The problem with all of this is that IT is expected to deliver next year’s technology vision on last year’s budget, with the same resources it has always had.
Sharing IT’s budget with an enterprise’s divisions and/or branches has always been a tough sell. In today’s evolving landscape, finding ways to apportion costs, to measure and manage those costs, and to report on them has just become that much more difficult. Increase costs and you can expect serious pushback. Don’t deliver and you will get serious complaints.
How do the CEO, CIO and their IT manager manage this demand and the associated challenges and cost of delivery? The days when the IT department carried the cost and then apportioned those costs to each user in each department and carried the can for over-spending, are gone. The IT department can no longer hold up the budget for the business on its own.
Whether you are reading McKinsey or IBM whitepapers, or just using good old common sense, you cannot get away from the fact that if IT is to be an effective enabler it needs to work in partnership with the people driving the demand.
Where to start?
  • Include all stakeholders in planning, budgeting and implementation.
  • Understand the company’s growth drivers and business priorities and gain a thorough understanding of the demand for and consumption of IT services.
  • Listen to the company’s divisions and their business need, offer tiered options at different costs and partner with them.
  • Build flexible, scalable and cost effective networks, ready to deliver on the business’ needs.
  • If you don’t measure it, you will never manage it. Measuring the consumption accurately along with regular reporting to the units on progress, costs, and challenges, will ensure business units buy into the timeframes, solutions and/or services as well as the associated costs.
  • Shift the responsibility for managing costs onto the end user. The sub-text being that if you want to consume large amounts of data and have all the bells and whistles, you are going to need to pay for it.
  • Ensure that buy-in to a solution includes both a clear mandate to source solutions and/or services and explicitly specifies that the end user is willing to budget and pay for said solution.
  • Use the fact that everyone is carrying the IT budget to resource and up-skill the IT department, ensuring that the IT department delivers a great service at a good price.
If you wish your business units to be fully onboard, supportive and willing to pay for what they use, bringing the role players into the design, costing, procurement and implementation phases of solutions/services procurement will stand you in good stead and ensure buy-in, careful use, budget to pay for it and, most importantly, that the solution is relevant to the business need.
When supply equals demand, and all the business units are paying their fair share, the IT department’s role in business will have evolved to the place it needs to be.