This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas have published Fraudscape, their annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors.  With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat: as increased vigilance by business and consumers has begun to reduce the number of accounts being hacked or taken over, cyber criminals are turning their attention to using other people’s identities or creating new false ones.  It is estimated that 758 frauds occur every day in the UK, a rate of 31 per hour (among Cifas members alone), and the Department of Health estimates there were an eye-watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46.
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:  https://www.cifas.org.uk/fraudscape_latest

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale: “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”.  Cifas acknowledge that the stats may be the tip of the iceberg, as they cover only what has been reported by their members and is on public record.

The true extent is expected to be far greater: the UK statistics that form the starting point for data gathering are understandably hard to assemble, and much goes unreported.  The Department for Business, Innovation and Skills records the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud.  Collating reports from across 5.4 million organisations and identifying how many out of 60 million people have suffered fraud therefore requires some degree of estimation (and the figures do not include SMEs in the private sector, which, according to the Federation of Small Businesses, account for over 99% of all private sector businesses in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013.  Cifas fraud cases are routed to the City of London Police, but few of Cifas’ members know the point at which an ID was compromised, which would help target prevention efforts.

WHAT TO DO?  Any organisation which has not taken steps to increase its resilience by improving its firewalls, beefing up ID authentication and encryption, and having sound antivirus and anti-malware software in place could be placing itself and its customers at unnecessary risk.  Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work more closely together.  Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.


Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice (ECJ), will shortly review how Europeans’ data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the lawyer’s complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system) are ignoring privacy practices, and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect Europeans’ data.

The Safe Harbour Agreement (in place since 2000) allows US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security are upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom is reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If upheld, the complaint would have severe repercussions for any US firm handling Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo.  Twitter has commented that it would be forced to build datacentres in Europe to hold the separated data.  Facebook has not responded formally, although the BBC has quoted the social media behemoth as saying it would welcome an update of the Safe Harbour rules post Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the case is likely to drive them to preserve and protect their customers’ data by having it reside only in UK datacentres, avoiding the risk of losing control of the data at any time and of having to deal with overseas regulators and data laws.


Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Its current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business.  Over 100 million people now use Lync to communicate at work. This week Microsoft announced that Skype for Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, Tata Communications, Telstra, Verizon and Vodafone) will work with Microsoft to deliver secure, direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365.  Azure ExpressRoute uses the partners’ networks to provide a private, dedicated, high-bandwidth connection that bypasses the internet, essentially making Office 365 an extension of your on-premises environment whether you are on site or not.

Skype for Business can handle all of an organisation’s communications, and with Azure ExpressRoute and its partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing itself in the carrier business.

This offers businesses a one-stop shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle the same technology could be used on a consumer device: instead of buying a phone, minutes and texts from a high-street carrier, the user could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype, direct from Microsoft.

Whether or not Microsoft ties these devices and services together in such an offering, the potential does highlight the importance of Microsoft’s strategic partnerships, which benefit all parties, not just Microsoft, going forward.


Troublesome domains

When browsing the internet – or even securing your own website, you will likely only worry about a few TLDs (top level domains), with the most common being .com, .net and .org.    In recent years there has been an explosion of new TLDs with the number now available rising to over 650.

One of the newest TLDs, “.sucks”, has been stirring up trouble.  It is easy to see how this domain could be a serious nuisance: all it takes is for someone to take your company’s name and register it under “.sucks”, and they have the perfect virtual home in an ideal location from which to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple: buy the domain before anyone else can and cause trouble. But this is where it gets ugly.  Momentous, the group that purchased the rights to sell “.sucks”, is charging astronomical fees of $2,500 for “.sucks” domains.  To a major organisation this could be small change, amounting to no more than regular IT admin housekeeping, but for SMEs or professional individuals the cost is extortionate – and every business will need to weigh the risk of a third party taking over this domain against the potential damage to its brand.

ICANN, the international body that supervises all things internet, including the creation and approval of new TLDs, clearly decided that “.sucks” was fit for purpose.  Whether ICANN is itself fit for purpose is another matter; thinking that such a domain name could be positive in any way for business is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes.  Hopefully a sharp backlash from disapproving businesses will make ICANN recognise their folly – and in future only permit the release of sensible domain names that add value to the internet.


This week’s technology news – 20th March 2015

The Windows 10 launch party welcomes all including pirates

Microsoft has announced that Windows 10 will launch this summer in 190 countries. A new feature of the system called Windows Hello was also demonstrated for the first time; it lets users log in via fingerprint, face recognition or iris recognition.

To get ready for Windows 10’s big launch party, Microsoft has been teaming up with app service providers worldwide, including Chinese internet giant Tencent, which will bring its hugely popular online game ‘League of Legends’ (over 32 million active players) onto the Windows 10 store, along with its QQ social app, which has over 800 million active users.

Microsoft sees China as a huge opportunity for Windows 10, and getting companies on board to provide relevant and highly successful apps, games and services to the Windows 10 store will go a long way to persuading Chinese users to upgrade to Windows 10 this summer.

The biggest challenge has always been getting users to adopt genuine Windows instead of pirated versions. Currently two-thirds of all PCs in China run pirated versions, not purchased from Microsoft.

In an unprecedented move, Microsoft will be allowing these ‘non-genuine’ versions of Windows to also be upgraded to Windows 10 for free. Those who do upgrade in this fashion will still have non-genuine, non-supported systems, but will have access to the new features of Windows 10 – most importantly for Microsoft, being the new Windows 10 store where Microsoft takes 30% of all profits made.

Microsoft continues to be very aggressive in its push of the upcoming Windows 10.  Its strategy of allowing pirated systems to upgrade, and of free upgrades in general, is tactically cunning, showing that its first goal is to get as many people as possible using the new system sooner rather than later and to gain maximum market share.


Amicus ITS explores a trio of cyber security stories in this week’s roundup of technology news:

US healthcare provider Premera not so premier following cyber attack

The FBI were recently called in by Premera Blue Cross, a US non-profit health insurance company which posted revenues of $7.6 billion in 2013, to investigate a cyber attack on its IT systems which began in May 2014 and went undetected for eight months.  It is not yet clear how the attackers broke in, and the company has not said how the breach was discovered. However, 1.8 million records were illegally accessed, exposing medical records, personal data and employee data, as well as data on any company which did business with Premera Blue Cross.  The exposed data included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information (though no customer credit card information was held).

This comes on top of another huge cyber attack, on Blue Cross Blue Shield insurance giant Anthem, which recently had 78.8 million customer records illegally accessed.

The correct professional PR stance of both Premera and Anthem has been to publish a direct response on the front pages of their websites to try to assuage customer concerns, advising of their remedial steps with their security partners, including offering 24 months of free credit monitoring and ID protection services.

Whether either company will fully regain the trust of its clientele only time will tell, but at least the right reactive steps were taken to tackle the issue head on with their customers.


Get me insured – I’m under attack!

The US Department of Homeland Security (US DHS) has started a wholesale review of cybersecurity insurance, as it has emerged that security issues have been marginalised and are not forming a core part of an organisation’s enterprise risk management framework.

Cyber insurance is a relatively new area for the financial markets and, given the rise in cyber attacks and major data breaches worldwide in recent months, it seeks to soften the financial toll companies can face from the fallout of an attack.  However, delivering the insurance is another matter, as data with which to evaluate the threat landscape is thin on the ground.

Senior Cybersecurity Strategist at the US DHS Tom Finan comments:  “Perhaps unsurprisingly, companies are not publicly disclosing their own damages from cyber incidents they’re experiencing… big data about cyber incidents could be a potential treasure trove that would aid their efforts (to get insured) immensely.”

Meanwhile in the UK, HM Government in its November 2014 summit between Government departments, leading UK insurers, trade and industry representatives and GCHQ, agreed a joint statement to commit industry and government to closer working to develop the UK’s cyber insurance market. They also recognised the role insurers can play in driving improvements in cyber security risk management.  The cyber insurance market report will be supplied to the Cabinet Office in April 2015.  In the meantime, practical measures for businesses to undertake include:

• Detailed insurance gap analysis
• Network security survey
• Security policy review and development
• Cyber risk identification and quantification exercise
• Risk financing optimisation.

Plus, evaluation by experts on internet and network exposures, including:

• Liability: privacy and confidentiality
• Copyright, trademark, defamation
• Malicious code and viruses
• Business interruption: network outages, computer failures
• Attacks, unauthorised access, theft, website defacement and cyber extortion
• Technology errors and omissions
• Intellectual property infringement.

Clearly, Finan adds, “CISOs need to be a central part of any business risk management discussion going forwards. And until they do so, businesses will miss out on otherwise more extensive cybersecurity insurance offerings than would otherwise be available to them.”


World Economic Forum publishes cyber threat risk framework

The World Economic Forum (WEF) launched a new framework in collaboration with Deloitte recently based on resiliency, to help companies calculate the risk of cyberattacks. The risk calculation involves three components:

• An assessment of a company’s vulnerabilities and defences
• The potential cost of data breaches
• A profile of the attacker

Understanding the risk vs cost is still very difficult even amongst expert voices.  However, it should force Boards globally to sit up and work through the problem, identifying risk areas within their organisation as they try to get inside the mind of a potential attacker.

The lack of historical data required to estimate the probability of attacks from particular types of attackers in particular industry sectors is a stumbling block. However, if, as the WEF have proposed, businesses globally start to openly share information about cyberthreats, instead of burying their shame, all businesses will gain.  Mass learning will ensure companies start to deploy better strategies, policies and more resilient tactics including education, training and staff awareness which can only be a good thing.

Amicus ITS is part of the new Government-led UK IT Cyber Security Forum.  Any enterprise seeking advice about major infrastructure security concerns is invited to contact JP Norman or one of the Sales team on 02380 429429.

Samsung and Blackberry team up for new secure tablet

Blackberry has announced a new tablet called SecuTABLET for public sector and government use.

The SecuTABLET differs greatly from the company’s only previous tablet, the ‘Playbook’, which launched in early 2011. Unlike the Playbook which ran on Blackberry’s own OS and hardware, this new tablet runs on Android for the OS and the hardware is being provided by Samsung.

Samsung is also providing part of the security with its KNOX security layer which helps separate personal and professional apps and data, by having two distinct modes that the user can switch between.

Secusmart, now owned by Blackberry, is providing encryption, including an in-house-built secure microSD card equipped with a range of encryption features.

Finally, IBM is providing a software wrapper for secure apps to keep the data of each app separated and protected from other apps and services.

Altogether the SecuTABLET comes with an impressive list of security features, built on top of a reliable Samsung tablet foundation – but these do come at a cost. The tablet won’t be available for general consumer purchase, and the reported retail price will be $2,380!  This incredibly high price point makes the SecuTABLET very hard to recommend.

Although the number of security features is impressive, the three core security components seem to overlap in actual usage. Blackberry is going to have an uphill battle convincing organisations to go with one of its new tablets instead of, for the same price, three Samsung tablets with KNOX – or even a Microsoft Surface 3.


The week’s technology news – 13th March 2015

‘Expectations vs Experience in migrating to Cloud Services’

Dawn Leaf, CIO of the United States Department of Labor and one of the department’s top execs, was a keynote speaker at CloudExpo2015 this week.  The following is a précis of her key reflections, for our UK audience, on Cloud and her part in the US government’s adoption of it:

• AWS turnover at $1.67 Bn.  Now shows as its own revenue stream.
• 92% of UK enterprise expected to extend their data investment. Cloud is a data reality.

US Government move to Cloud
• Started 2011-12.
• Trigger:  DoL IT spend was $82bn p/a, with 80% of that cost on infrastructure and 80% of that spend on maintenance and ops – this had to change.  It galvanised the move to consolidate data centres and migrate to Cloud.
• Size of challenge:  DoL alone has 28 agencies and its ‘mission’ affects 25m workers.
• IT services for 19,000 staff moved across 500 locations to Cloud services.
• 9 different infrastructures, none of which were standardised.
• Expectations:  the expectations of cloud services were on-demand self-service, broad network access and elasticity.
• Challenges identified by NIST Cloud Computing Technical Roundup.
• Had to review security and compliance in preparation beforehand and review firewalls before any department could connect to Cloud.
• Recommendation that any organisation should include an Operational Readiness Test Phase in its SLAs, as a safeguard, to prove that it can get to Cloud.
• Part of prep, DoL had to upgrade bandwidth and assure desktop readiness.  They still had 10,000 people working on Windows XP.
• Dawn created standards and definitions for NIST (used across government departments).

Roadmap created
• Need clearly defined roles and responsibilities for interoperability.
• If an issue needs resolving, all sides engage; no silo mentality.  Frequently a third party is blamed and it is hard to move forward in good time.  The Government had issues with Microsoft, but Microsoft put its hand up; there were also issues with Blackberry.
• Had to review cost challenges
• Needed to estimate mailbox cost per individual vs legacy – worked out the same at $15 per mailbox per person.
• Had to sell change to workers to avoid unlimited archive space for staff – housekeeping.
• Issue of Sharepoint which needed to be migrated – taken step at a time:  dealt with first legacy of MS Outlook – moving mail only first.
• Systems reviewed illustrated challenges – Sharepoint alone had 100 instances of legacy to map.  New policy drafted around Sharepoint for new form as primary need in new structure.
• Issue of datacentre consolidation would meet two objectives in US:
• DoL managed to reduce its number of datacentres by x40 in 2015.  Datacentres are now located outside Washington, DC.
• Cost reductions came by checking that datacentres were ‘ready’ to be migrated.
• Changes created significant energy cost savings
• Consolidation also created significant reduction in operating costs.
• Bottom line:  two security operations in two silos supported by two people were costing $200k p/a.  Savings made by moving to one model.
a) Consolidation and standardisation
b) Migration needed redesigning in line with Government Digital Platform.

Reflections
• DoL now have 400 times more storage than before.
• Generally lots of legacy and services to migrate – cannot move lock stock.
• Serious challenge as affected lives so had to take it step by step.
• As a Gov organisation they faced legal requirements which were non negotiable.
• Had to adhere to FISA, with additional requirements around security inputs:
o High (sensitive referenced data) – lots of these for Gov – assessed that Cloud not less secure, but the costs jumped so greatly that on cost effective basis, better to have private Cloud or private federated Cloud approach in this band to protect national impacts.
o Medium (PII falls into this category) = there were 200 – all below national levels
• Used federated map risk programme to scrutinise.
• Gov assessed that with Medium risk data – Cloud did not create an increased threat to servicing.
• The main threat to any organisation is from within – its staff.  Cyber espionage, whether criminal or run of the mill, occurs with thousands of threats/hacks on a daily/weekly basis in US government departments.
• Recommendation – need sound security practices
• Can take 2 years from selection of cloud partner to implementation.
• Budget and procurement cycles.
• Gov has to have back up plan to keep services going if all falls down
• Gov now has Cloud first policy – strategic decision in outsourcing.
• Closing vision piece – need more science and technology women coming through in the sector. Headcount in the room: 5 out of 100 in the theatre.


Overground underground wandering free?

Travelling to London for this week’s CloudExpo2015 at Excel, it was fascinating to do a quick spot check on the variety of devices used by commuters on the train and then the tube.

Around our section of 8 separate travellers sitting across two tables journeying on South West Trains into London Waterloo, there was a lot of technology on show.  Accompanying our little sample were two MacBook Airs, three iPads, one HP laptop, one Lenovo ThinkPad and one Windows phone; one person read the paper and one person slept.  One commuter (working for the Financial Conduct Authority, according to the asset label on their laptop) juggled three devices during the journey.  And then, somewhat alarmingly, the gentleman sitting directly opposite worked away on his laptop oblivious to the fact that his laptop screen showed a Post-it note confirming his antivirus, VPN setting and login.  Truly, further education is needed about keeping a device secure, especially if it is not your own.

A short while later on the underground, there was no less by way of volume of devices.  The tube carriage with 14 seats facing each other, had 10 people variously using smartphones and iPhones whilst the size of luggage carried indicated tablets, iPads and laptops were being taken along for the ride. The remaining four read the freebie Metro newspaper.

Clearly society is very comfortable today with technology, certainly more comfortable having it as a barrier to avoid engaging with a neighbour en route.  The difference on show was that everything went decidedly smaller as we went underground to suit the environment and the sense of enclosed space.  This reliance on technology will only increase in future as our desire to have technology whilst on the move and to stay connected ramps up.  In contrast, the technology will get smaller, lighter and faster as devices and technology are completely interwoven into every part of our lives both during and outside work.


Week’s technology news – 6th March 2015

Let’s get it on!  Top collaboration trends

A recent survey of over 500 organisations by an American industry analyst showed that whilst many companies have adopted collaboration tools, the difficulty for companies of all sizes is to find toolsets that meet ALL of their organisational needs.

1. 87% confirmed they used ‘distributed collaboration’ (where people can work with distance of time and space, collectively, often using complex information for a set goal or purpose) for some of their work.

2. 78% reported they were working on between two and seven projects simultaneously, and most people are now part of three to five teams at work (the larger the organisation and the more senior the role, the greater the pull to collaborate on projects).

3. 40% advised they spent half their working time in non-decision making meetings, mainly around brainstorming or planning, with a high percentage involved in problem solving and project status meetings.

4. Top five meeting problems were:
a. No clear agenda communicated in advance
b. Stakeholders not prepared or didn’t attend
c. People bringing personal agendas to meeting
d. People re-hashing old topics and decisions, and late arrivals
e. Straying from the agenda

5. No ‘behavioural metrics’ which could improve meeting value – here are the most requested metrics:
a. value for interpersonal interactions
b. number of decisions arising from meeting
c. percentage of time spent in the meeting

6. Collaboration leverage – using “the right technology for the right process at the right time with the right people”. The top three processes to secure this were:

a. new product/service development
b. crisis management and decision support
c. effective sales /marketing.

7. The impact of these collaboration leverage processes sought to create the ‘ability to make better and faster decisions’ and to increase ‘the number and quality of decisions coming from meetings’.  Tools that support better, faster decision making to help meeting productivity include: Powernoodle, ThinkTank and Facilitate.com. Other tools like Clarizen, that focus on collaboration and project management, enable those in meetings to track the outcomes of their decisions and give feedback to the meeting participants.

8. 52% were not happy with their collaboration tools as they failed to support physically distributed teams and project work.

9. Larger companies use more collaboration tools but need to review with users which work best for their workforce:

a. 86% of those surveyed use email (still the most popular, though declining as apps take over)
b. 72% now use desktop video conferencing over room-based video conferencing (49%), revealing that mobile technology is an increasing driver.
c. 72% use Chat/IM/Texting

Businesses can use all manner of collaboration tools.  There is no single panacea but if tools can improve teamwork interactions and communications between teams, organisations need to think about what will work best for their business in practice.  Review your collaboration techniques and technologies.  And for staff, seek to be more productive: go into meetings prepared, communicate properly, contribute meaningfully and succinctly – and finally don’t arrange a meeting if you don’t have to!


The evolution of unified authentication

Online authentication has evolved greatly since its original implementation through internet sites and services. On a basic level, each account you hold with a particular site would be isolated with your username, password and other details sitting in their database.

As the needs and expectations of online services have grown, so has the need for a more unified attempt at tying online authentication together and this prompted the definition of ‘Identity 1.0’ (also called digital identity, a set of methods for identity verification on the internet using emerging user-centric technologies).

Microsoft’s initial attempt to streamline login was a system called ‘Passport’, debuting in 1999.  Passport worked as a middleman, providing established identities to users which sites could call upon to authenticate access, eliminating the need to register for additional accounts on sites which supported the Passport authentication method.  This also avoided the user’s password being stored in each site’s database; instead it sat with a single, hopefully more trusted, source: Microsoft.

Like many of Microsoft’s best plans, the idea was solid but ultimately failed. This was partly due to several rebrands of the service confusing consumers, as Passport changed to .NET in 2001, which eventually morphed into Windows Live ID in 2006 (and today is simply a Microsoft account). The other reason for the lack of success was a lack of incentive for third parties to invest in the system: the user would get the benefit of one less login, but the service provider would lose the benefit of building its own direct consumer database.

The next evolution of digital authentication, called ‘Identity 2.0’, was based on the web 2.0 view of the World Wide Web’s transition. An example of this in action is Facebook login, a popular service where you can log in to other sites or applications using your Facebook name and password. This implementation went far beyond Microsoft’s Passport.  Not only does it save users from having to remember yet another password, but the services are able to request information such as a user’s profile picture, address or contacts (after user consent) and display this natively on another site.  It also works the other way around: tasks done on the associated site can relay information back to Facebook, such as ‘liking’ a page, posting a comment on your profile, or, potentially most importantly, sending information to your friends’ Facebook pages.

‘Identity 3.0’ was defined last year by the Global Identity Foundation and hopes to address the current concerns around digital authentication.  The new principles change it so that only one identity (which is unique and private) is needed, thus eliminating the need for a body to issue or record multiple identities. The identity of one entity to another remains cryptographically unique; negating the need for user-names or passwords and minimising the risk of too much personal information being aggregated.  Also the biometrics of the individual remain within their sole control, so biometric information will not be used, exchanged or stored outside the person’s control.

The principles outlined in Identity 3.0 show similarities to Apple’s approach to authentication with ‘Touch ID’ on the latest iPhones and iPads. Users are able to authenticate purchases direct from Apple with a fingerprint. Most importantly, third-party software developers are also able to take advantage of this without compromising the biometric data.  Developers can write apps that use the individual’s fingerprint for authentication, be it for a purchase or as a key to decrypt emails, without the fingerprint data leaving the device and without the user needing to enter a traditional password. Many such new devices linking user authentication with security access at work and crossing over with personal lifestyle were reviewed in our blog dated 6th February.

With newly announced devices like this week’s Samsung Galaxy S6 sporting a similar, speedy fingerprint sensor to Apple’s Touch ID, it may not be long until most people have access to an alternative login such as a fingerprint and can avoid entering passwords altogether.

Authentication has evolved significantly over the years, but depending on the devices and services you use, your own experience, and the number of accounts you actively use, this will vary considerably. In theory it will only improve in the years to come, but the next big challenge in unified authentication could be getting device and platform manufacturers to play nicely with each other. Just as specific apps are available only on the most popular platforms like iOS and Android, the same could turn out to be true for login options. The market, as always, will ultimately go for the simplest and most intuitive experience for the user.


New digital technology to stop blaggers unlawfully securing jobs
Who doesn’t want to appear better on paper? Unfortunately, according to Cifas, the UK’s fraud prevention service, 63% of all confirmed employment fraud in 2014, including CV fraud, related to people lying about their education, employment or qualifications. So recruiting an honest, qualified employee may not be as easy as we thought.

In education the remedy is for universities to subscribe to the Higher Education Degree Datacheck system. This logs the detail of degrees, diplomas etc., the subjects studied and the levels achieved. It also picks up bogus named establishments.

For businesses, though, it is far more difficult, time consuming and costly, and a considerable administrative task involving checks on search engines and social networks. As a result, many organisations do their due diligence AFTER appointing someone, because doing so beforehand would make the recruitment process literally grind to a halt, as most qualifications are not readily digitised (i.e. mounted certificates). The problems get particularly acute when dealing with jobs in fields such as finance and law that have a well-defined scheme of professional qualifications. Inevitably, though, with tough competition for jobs the final choice can rest on who has the best qualifications ‘on paper’.

Where technology steps in
Pearson have come up with a new digital solution called ‘Acclaim’. Prospects get digital badges when they complete a particular course or project. Neatly, the badge links back to the awarding body, which can verify that the person actually achieved that qualification. Additionally, metadata embedded in the badge offers employers further insight into the qualification. Started in 2014, Pearson hope to issue 1 million digital badges in 2015.

The scheme has buy-in from a number of professional organisations as well as trusted career sites such as LinkedIn. With signatories including Adobe, Microsoft’s Sales Academy and IT consultancy Citrix, plus schools and colleges, it should start to level the playing field and create the necessary transparency, especially in the IT and technology field. Happily for the IT industry, where a lot is achieved based on experience rather than academic qualifications, the new Pearson system embraces this and career skills can be included in the new digital certificates.

Cifas report that the number of people being prosecuted for CV and qualification fraud is on the rise. It is a crime, and people have been jailed for falsifying their education history. It doesn’t seem worth it, but some small lies have led to very large cover-ups.

Examples of CV Fraudsters ‘MOST WANTED’

• In 2012, former Yahoo boss Scott Thompson falsely claimed to have a computer science degree and had to step down once the truth was uncovered.
• Upping the ante even further was Marilee Jones, former dean of admissions at MIT, who claimed to have three university qualifications (two degrees and a doctorate) she had not earned. It took 28 years for the falsehoods to be unearthed. Ms Jones resigned soon after.
• Alison Ryan, would-be PR manager for Manchester United, claimed to have a first class degree from Cambridge. In fact, she got a second and had been banned from practising law. She was sacked from the £125,000 a year job at the football club in 2000.


Are Sony on solid ground?
Interviewed at this week’s Mobile World Congress, Kazuo Hirai, CEO of Sony Pictures, was in an upbeat, honest mood despite being challenged on several fronts about Sony’s recent output. When asked about the lack of impact of its Android phone, Hirai confessed Sony would keep a close eye on the profitability of its mobile phone arm, as the market was very volatile and carries many inherent risks. If the ROI was no longer there, Hirai commented, there were no guarantees of anything in the future; it was just the nature of the electronics business.

Neither has Sony stolen a march in the wearable technology field. Its smart ‘EyeGlass’ is clunky in comparison to its slicker rival, Google Glass. Sony’s smartwatch and intelligent fitness bands are out there, but in a kind of ‘so what’ manner. Hirai acknowledged the market itself hadn’t yet decided which product most resonated with customers and that this was a challenge to all suppliers in this space, with everyone searching for the right feature and functionality set, form factor, convenience AND good battery life.

His reflections on the damage to Sony Pictures from the January cyber attack were robust but contemplative as he put the attack in context: “The Government… FBI’s enquiries told us that for 90% of companies, had they been attacked the way Sony Pictures were, they would also have been vulnerable, as it was not a run of the mill attack”. Hirai added that cyber security and network security were a very high priority for them and had been for a long time, since the PlayStation attack several years ago.


Week’s Technology News – 27th February 2015

Boards acknowledge cyber risk on their 2015 agenda

Back in 2013, following a KPMG report that cyber leaks at FTSE 350 firms were putting the UK’s economic growth and national security at risk, the heads of the UK intelligence agencies MI5 and GCHQ asked leading businesses to take part in a Cyber Governance Health Check. The results were a stark wake-up call.

As we reported in our blog on 19th December, Board engagement is pivotal to the success of any cyber security plan and to thwarting the eye-popping 80% of attacks in 2014 that were preventable.

The 2015 Cyber Governance Health Check has just been published and reveals that 88% of companies are including cyber risk on their Risk Register, with 58%+ anticipating an increased risk over the next 12 months. However, only 21% say their boards get comprehensive information and only 17% regard themselves as having a full understanding of the risks. This is clearly insufficient in the light of the continuing squeeze on data security and compliance measures.

You do not have to be a FTSE 350 company to want continued trust from clients and the comfort of having up-to-date data security measures. So wake up and smell the budding roses of 2015 and do your own health check review now:

  • Re-evaluate what the unique crown jewels of your organisation are (key information and data assets), as they may have changed in the last 12 months.
  • Review risk from any 3rd party suppliers and avoid contractual complacency: get into active compliance.
  • Be pro-active about risk and create a competitive advantage over rivals.
  • Arrange for a ‘pen test’ and get in shape to be security fit for purpose in 2015.


Windows Server 2003 is dying – but Windows Server 2012 will offer an elixir

With the forthcoming end of life for Windows Server 2003 and the cessation of support from Microsoft on 15th July 2015, the effect will be severe for the many businesses still running this server in their data centre, leaving them exposed to cyber attack unless considered steps are taken now to plan for an upgrade.

Microsoft’s own survey recently confirmed that there were 22 million ‘instances’ (database environments) with WS2003 still running.

Organisations clearly need to plan their migration strategy, and quickly, if they are going to protect their infrastructure. End of support means no patches, no safe haven and no compliance. Any company continuing to run WS2003 beyond July will fail regulatory compliance audits, which could result in losing commercial contracts. So delays are not only expensive but highly risky.

The advances in the data centre with Windows Server 2012 R2 offer integrated virtualisation of compute, storage and networking along with enterprise-class scalability and security. The Cloud options of Microsoft Azure and Office 365 will deliver applications faster, increase productivity and flexibility, and take away risk.

Security implications

  • Software and hardware compatibility: if you are running a mixture of physical and virtualised servers, then priority should go to addressing the physical assets, as most WS2003 licences are tied to the physical hardware.
  • Compliance against many industry requirements has moved from a best practice ‘good to have’ to a mandatory requirement, so there is no option.
  • Payment Card Industry Data Security Standard (PCI DSS) v2, v3: an unsupported server cannot provide the assurance levels needed to meet the requirements of PCI, so assessment will fail.
  • UK Government: connecting to the Public Services Network (PSN), whether through an assured connection or via an Inter Provider Encryption Domain (IPED), will be a headache if updates cannot be supported securely.
  • Industry standards such as ISO 27001:2013 and the Cloud Security Alliance all require you to ensure your systems and applications are up to date.
  • Disaster recovery and resilience: how do you restart servers that are no longer supported? If DR is key to your business then migrating is a necessity, and it will be fairly expensive.

Planning to move

  • Integrate your servers and their lifecycle into your strategy and risk management process.
  • Check what the servers do for you and carry out a data mapping, data flow and services exercise.
  • Identify your core assets and check them against confidentiality, integrity, availability and likelihood of compromise to help future design and investment decisions.
  • Create a fit-for-purpose security architecture within your Cloud (i.e. should you need to retain legacy data which is rarely used, create security zones using layered firewalls, ingress and egress controls, file integrity and protective monitoring).
  • Test, lots, and then get a 3rd party certified security professional to conduct an ethical hack.
  • Failure to plan is planning to fail: do not let your business suffer by putting your head in the sand.
