IBM and Ponemon Institute count the true cost of data breaches

IBM, in conjunction with the US independent data protection and security organisation the Ponemon Institute, has published figures showing that the per-record cost of a data breach reached $154 in 2015, up 12% from $145 in 2014. Aggregated, this amounted to an average total cost of $3.79 million for a single data breach. The survey reviewed 350 companies across 11 countries, each of which had suffered a breach.

Prior to this, technology and communications giant Verizon had estimated the per-record cost to be a scant 54 cents. However, Ponemon Institute Chairman Larry Ponemon noted that this figure was based on a small sample of 191 cyber insurance claims, represented only around 10% of the insurance coverage for the cost of the breach, and ignored indirect costs and the resulting loss of business.

Target’s latest breach was estimated to cost the company over $1 billion, but it was only insured for $100 million. Ponemon added: “Companies generally buy enough insurance to cover 50% of the value of their fixed assets, but only 12% of the value of their digital assets”.

Loss of business is a growing part of the total cost of a data breach: increased customer churn, together with damage to reputation and goodwill, now adds up to $1.57 million per company (up from $1.33 million the previous year).

Caleb Barlow, VP at IBM Security, commented: “At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring”.

Data breach costs reportedly varied substantially between industries and geographies. Healthcare had the highest costs, at an average of $363 per record, because of the long shelf life of its records. By country, the US had the highest per-record cost at $217, followed by Germany at $211, with India the lowest at $56 per record.

Healthcare records are especially valuable because of the volume of personal information they hold, including Social Security numbers and insurance details, which can be used to build fraudulent credit records or to commit identity fraud even 10-15 years later.

Cyber breach cost reductions:
• Companies with incident response teams reduced the cost per record by $12.60 because of their ability to respond swiftly.
• Using encryption reduced costs by $12.
• Employee training reduced costs by $8.
• If business continuity management personnel were part of the incident response team, costs fell by $7.10.
• CISO leadership lowered costs by $5.60.
• Board involvement lowered costs by $5.50.
• Cyber insurance lowered costs by $4.40.

Having an assured and well-prepared management response has a definite impact on the bottom-line cost of any cyber security breach. As Caleb Barlow darkly warned: “You don’t have days to respond. You don’t even have hours. You have minutes to get your act together.”

Cyber breach cost increases:
• Bringing in outside consultants added $4.50 per record.
• Lost or stolen devices added $9 per record on average.
• Third party involvement as the cause of a breach increased the average per-record breach cost by $16 (from $154 to $170).

The time taken to detect and contain a breach also had a significant effect on the final cost:
• Respondents took 256 days on average to spot a breach caused by a malicious attacker – and 82 days to contain it.
• Breaches caused by system glitches took 173 days to spot – and 60 days to contain.
• Human error breaches took an average of 158 days to notice – and 57 days to contain.

With cyber security a major thorn in the side of business, and an increasingly sophisticated route to damaging trust and reputation, no organisation of any size can afford (a) not to have reviewed the security of its estate, and (b) not to have taken steps to develop relevant, up-to-date policies and measures to safeguard its digital assets, sharing these regularly with the Board.

Additionally and crucially, as our Head of Technology & Governance, JP Norman, reminds us: “The reputational and financial losses quoted are without the EU Data Directive changes on the way, which will enable fines of up to 5% of global turnover. CIOs need to ensure their boards are aware of the potential financial risks that are likely to be in place by late 2016”.


Legal sector encryption failure gifts large payout to cyber criminals

A recent account published in the Telegraph newspaper reported the alarming story of a London couple who inadvertently became the victims of a cruel cyber attack. The completion funds from the sale of their property were intercepted by cyber criminals and the couple lost all of the proceeds, totalling £333,000.

The law firm handling the conveyancing, Perry Hay & Co in Surrey, had emailed the owner, Paul Lupton, requesting his bank account details so that the proceeds of sale could be paid in upon completion. Mr Lupton duly replied, giving both his account number and sort code. The fraudsters, using so-called ‘xray’ technology that identifies data patterns associated with financial information, intercepted this email and replied to the law firm, requesting that the previous email be ignored and the funds be transferred to a different account: their own.

On discovering that the money had not arrived, the owner alerted the bank (Barclays) and the police. The account was frozen and £271,000 was returned.

With conveyancing a lucrative target for cyber criminals, law firms have to take responsibility for their clients’ money and use password-protected, encrypted email for confidential or financially sensitive information.

For email users, account numbers, sort codes, passwords and PINs should never be transmitted by email or written down. Online passwords should be strong (mixing letters, numbers and symbols) and changed regularly. Devices should also be protected with security software that is kept regularly updated, to help defend accounts.

This is little comfort for the Luptons, who are currently still out of pocket to the tune of £62,000 after Perry Hay & Co (and Barclays) rejected responsibility, despite the legal watchdog, the Solicitors Regulation Authority (SRA), asserting that member firms are responsible for safeguarding client funds and must replace any monies “improperly withheld or withdrawn from a client account”.


Beware of the local cloud


A new wearable device called the ReVault is currently being crowdfunded. On the face of it, it looks like a fairly standard smartwatch, but its secret weapon is invisible: your own local cloud.

The ReVault watch comes in 32GB and 128GB variants and can connect to your phone, tablet or even PC as a wireless hard drive. The pitch is that you keep one copy of your data on your watch and can then access it across all your devices, without needing to sync each of them to a PC or a cloud in advance. Because it connects locally via Bluetooth or WiFi, you can access this data even without an internet connection, so the local cloud works in places where you cannot reach your regular cloud services.

The idea of separating physical storage from your device is not a new one, although it has faded in recent years as cloud storage offerings have grown and manufacturers have been able to charge more for high-capacity flash storage models. Some still see a memory card in your phone as an advantage: you get additional storage (often far exceeding the manufacturer’s options, for a lot less money), plus the flexibility to move your content to your next device, again without paying for a pricier high-capacity model.

Portable wireless storage could be the replacement for memory cards, as it has distinct advantages and does not require device manufacturers to build in physical compatibility, something they have little incentive to do.

A real concern arises when these devices, personally owned by employees, are taken into the workplace. Many companies block the use of USB storage and block public cloud services; however, as the ReVault relies on neither a physical connection nor the internet, such devices are unlikely to be blocked by a standard company security policy.

The ReVault will probably be a niche product, and the chances of copycat devices or functionality remain uncertain at this point. However, the strength of this crowdfunding campaign could play a vital role in its success if personal clouds become relevant to a larger market. One thing is certain: new devices will always test your security practices, and you will need to be vigilant to safeguard your corporate data from the ever-evolving and unmonitored consumer device and services market.


Europe aims to close the door on encryption flaw risk

There has been a lot of talk recently about whether Government entities should be allowed direct, back door access to encrypted messaging systems such as Apple’s iMessage and Facebook-owned WhatsApp.

In the US, the FBI has asked Congress to make encryption back doors in mobile devices mandatory to help combat crime. Apple, Google and other major tech companies are currently urging Barack Obama to reject the proposals for back doors in smartphones.

This conversation has mostly taken place in America, where government bodies have argued that without back door access to these systems they have no clear avenue for investigating terrorism claims. There are two main arguments against allowing this. The first is users’ right to keep their information private. The second is technical: any back door makes a once-secure system less secure and introduces a new front through which the system can be breached.

European Commission Vice President Andrus Ansip has stated that there are no plans to require back doors in communications encryption in Europe: “We don’t want to destroy people’s trust by creating some back doors.”

It is reassuring that back doors to the secure, encrypted services users trust are not on the cards for Europe, but if America does get its way then these services, and our own mobiles, could in fact have back doors, whether or not Europe chooses them. With such security flaws in place, how long would it take a resourceful hacker to use them for their own ends? Hopefully, in a post-back-door world, countries that do not enforce such a policy will keep their own data unreachable from those that do. If not, we could see a new market for European-only encrypted services that promise no back doors for anyone.

Can digital technology enhance our work/life balance?

Striking a good work/life balance while embracing the rapid developments of technology has been a challenge for employees, as well as employers, for a number of years now, especially for a business like Amicus ITS where we operate and support clients 24×7. The rapid deployment and acceptance in the workplace of mobile devices (BYOD and corporate mobiles, plus increased procurement of laptops) has created flexibility for many workers to answer emails, work on projects or just keep track of their workload out of hours or off site.

The question is: does this extra work, or working in a different environment, create greater productivity and effectiveness, or does it allow the individual to be swamped, creating a guilt culture about completing work or a ‘see, I’m working now’ badge?

Phil Libin, CEO of Evernote, speaking ahead of the ‘Silicon Valley Comes to Oxford 2015’ conference this week, commented: “The challenge today is that we are a first generation digital society and still figuring out how to make it help us. We now have mobile devices with email and most people think they should respond to the traffic all the time. People need to manage their time right and access to work, to be in the right environment to be most productive. The point of the devices is to enable you to choose when you should engage with work. To do this successfully, we need a new culture to support this”.

As part of the management team at Amicus ITS, with overall line management responsibility for our HR function, I believe that the flexibility of a mobile workforce is a valuable tool, delivering productivity for the business and flexibility for the workforce. However, we have to acknowledge that this needs a mature management culture overseeing it and individual discipline from those involved. With the right enablement and security activated, it can also make business continuity plans quicker to exercise. We have to get smarter about setting work expectations and move away from micro-managing employees towards thinking about how we can engage better with staff. We should provide this balance when staff are out of the office, both supporting them to switch off and enjoy their downtime, and facilitating those who want to use some of this time for ‘clearing the decks’ or innovative thinking, by giving them anywhere access to systems and data.

This is a thought echoed by Dave Goplin, Head of Envisioning at Microsoft UK, whose view is that “It would be wrong to stifle innovation or good work if it suits the individual”.

The 2009 MacLeod Report for the UK Government, “Engaging for Success”, showed that disengaged employees cost the UK economy about £60 billion per year. Technology is moving swiftly, but corporates are still slow to react and are missing the boat on engagement. As Dave Goplin said: “If we can fix the challenge of engagement and enthuse the workforce by integrating technology with flexibility, employees will increasingly reconsider the importance of their work and the organisation they are working for”.

Behind all of this, as a Managed Service Provider, there is the corporate challenge of ‘Shadow IT’. Full governance, controls and management of which applications are allowed on a device, as well as keeping the data secure at all times, have to be in place before any of this vision can be realised. But it is a good idea that progressive companies should position themselves to embrace and consider, and it could make the difference in becoming the ‘go-to’ employer of choice in the next decade.


Data centres cool down and radiators go green in the Netherlands!

We all know the adage that there is no such thing as a free lunch. But could there really be a company out there offering us free heating?

The answer is a surprising, and sustainable, yes! Netherlands-based Nerdalize has joined forces with Dutch energy supplier Eneco to create a clever solution called the Eneco eRadiator, aimed at the costly cooling problem faced by data centres worldwide.

Instead of paying the high overhead costs of the large air conditioning units needed to cool servers in a data centre, this solution spreads the servers across different homes, with none of the excess heat problems or overheads of a data centre. Nerdalize covers the cost of the electricity, the heat is generated by the computations, and the home or building is heated for free.

It may not yet be a permanent heating solution, but that could be just a matter of time. It is this sort of lateral thinking that makes technology solutions exciting and makes the guilt and expense of server farm by-products acceptable. In the trial, the amount of electricity used was monitored and the home owners were reimbursed for the running costs.

Naturally, data security and backup issues spring to mind, not to mention the maintenance questions raised by multiple geographic locations. If the data is decentralised and stays resident in the same country, the model could start to see wider take-up, but it would not be a comfortable model for enterprise-level data, no matter how green you are trying to be.


Windows as a Service as Windows 10 becomes the last launch for Microsoft

At last week’s Ignite conference, Microsoft’s developer staff were freely talking about some pretty substantial changes in the future direction of Windows. It is likely that Windows 10 will be the last version of Windows to be released as a new product, as Microsoft moves firmly towards “Windows as a Service” fulfilment.

With the engineering and delivery of Windows changed for Windows 10, instead of new releases there will be regular improvements and updates to 10. To make this work (a sizeable task), Microsoft will split operating system components such as the Start Menu and the built-in apps into separate parts. These can then be updated independently of the core Windows operating system. This gives highly desirable flexibility to span multiple devices and to provide smoother background monthly updates instead of new version launches every 2-3 years.

The apps and services that power Windows 10 are nearing launch and the new version of Windows 10 is currently being trialled by a number of test participants.

All of this bodes well for Managed Service Providers as our embrace of “as a Service” packages makes moving to the Cloud increasingly convenient, smoother and more flexible for tailoring the end user experience.


IBM in the race for the fastest data transfer

IBM has developed a new silicon photonic technology that will significantly speed up data transfers. In tests, the technology produced speeds of 100Gbps using pulses of light over a distance of 2km. The silicon photonics technology has been in development for a decade, utilises four different colour channels over a single fibre, and is aimed at data centres.

With greatly increased data transfer speeds between servers, processor-intensive tasks such as big data analytics and machine learning will be able to be performed much more quickly and efficiently.

The speed of silicon photonics could also be the key to splitting up a server’s core components: processor, memory and storage. Processors could then be handled much as storage is today, bringing extra flexibility, i.e. drawing on additional available processors when needed. Decoupling each component could also reduce costs, since fans and power supplies could be shared across pooled components rather than duplicated in every server.

IBM is not alone in the race for superfast super servers. Intel also has its own silicon photonic chip, but recently delayed shipment until 2016. IBM’s chip is supposedly more manufacturable, with a simple integrated silicon structure, and will be cheaper to produce.

IBM has yet to confirm when its silicon photonics chips will reach the market, so the race is on! However, the money is on IBM. More importantly, once both are deployed in real-world data centres we can review which is truly the fastest and most reliable technology. Either way, the Cloud will soon be a lot smarter than it is today.

As smartphones continue to grow, which is right for your business?


It’s no secret that smartphones are getting bigger and bigger. Apple was last to the party with the 5.5” screen ‘iPhone 6 Plus’ last September, but extra-large phones had been available for both Android and Windows Phone before that. There has been a substantial increase in consumption of this size of phone: extra-large phones now make up 20% of the market in 2015, up from just 6% at the beginning of 2014. This number is likely to increase even further as more phone manufacturers decide to make these ‘larger than life’ phones their flagship devices, instead of an interesting niche side offering.

With both consumers and business users doing ever more with their larger smartphones, the need for small to medium-sized tablets has also decreased. Why carry around a 7” tablet when you have a 5.5” phone in your pocket? As applications, services and support become more universal across the competing mobile platforms, almost any modern smartphone could be used for business. So, with all the competing platforms and devices, which makes most sense for your business?

The primary consideration for business will be to strike a good balance of cost, functionality and administration effort required.

• Price is the most obvious point, and multiplying it by the size of your workforce is critical. What seems a reasonable price difference between handsets at face value will balloon in size if that handset becomes the new company standard when you do your rollout.
• Functionality between different devices used to vary far more than it does today, but it is still a very important consideration. How good does the camera need to be? Will wireless charging be used? How big is ‘big enough’ for a screen to view ever-increasing application content and support workflow on the move? And the perpetual question: how long will the battery last in ‘real world’ use?
• Administration effort may not come up much in conversations about picking the perfect phone, but it is potentially the biggest pain area if not considered thoroughly. Some smartphones are very much consumer-focused and can make great business phones, but only after deleting bloatware, changing settings, disabling features, downloading essential tools and applying compliance procedures. Many of these tasks can be assisted with MDM, but even with an MDM layer some phones are simply quicker, and thus preferable, to select and set up than others.

If your office runs Microsoft software then the often-overlooked Windows Phones could be perfect for you. The system is quick and battery-efficient and comes with Microsoft Office pre-installed, which saves downloading the de facto tool every time you roll out a new device. They are also very price-competitive: for example, the new 5” Lumia 640 can be picked up for £129, which makes it cheaper than the 5” Motorola G at £149 and a staggering difference from the 4.7” iPhone 6, starting at £539 unlocked.

There is no perfect phone for all businesses, so your choice will be tailored to your own business needs, the support lifespan offered by the manufacturers, and new technical innovations that could help improve your workers’ business performance.

What made you decide which phone your business chose this year, or which it is planning to purchase? Let us know which you think is right for your business and what the deciding factor was.
Kind regards and thanks


Skype really sounds like Sky….Really? No!

Microsoft have lost their second legal battle in the European courts against UK pay TV broadcaster Sky, part of the BSkyB group, over trademarking the brand name Skype. According to BSkyB’s lawyers, the brand name Skype sounded just too close to Sky, their premium pay TV channel, and any trademark containing even an ethereal reference to the word ‘sky’ trod on their till-like toes. Sky holds a European trademark covering audiovisual goods, telephony and software-related services.

Skype’s call and video conference platform launched in 2003 and was bought by eBay in 2005 for $2.65 billion, then by Microsoft in 2011 for $8.5 billion. Skype has been a hit from the start. As a mostly free service (excluding calls to landlines or mobiles), the telecommunications application provides much-welcomed free video chat and very wide access via the Internet from desktops, laptops, tablets or smartphones. Popular for sending instant messages and exchanging files and video messages nationally and internationally, its impact in the corporate collaboration technology space has broadened substantially following Microsoft’s purchase (it is now branded ‘Skype for Business’).

In its news release the EU General Court stated: “Conceptually, the figurative element conveys no concept, except perhaps that of a cloud, which would further increase the likelihood of the element ‘sky’ being recognized within the word element ‘skype’, for clouds are to be found ‘in the sky’ and thus may readily be associated with the word ‘sky’”. For real? Back in 2013, Microsoft had to back down and rebrand its ‘SkyDrive’ service as ‘OneDrive’ after an ‘undisclosed’ out-of-court settlement with BSkyB.

BSkyB has successfully seen off several trademark challenges from Skype since 2004/5, so the moral of the tale for any aspiring business brand is to register your brand and any trademarks early, and to think broadly about your description and services. That way, whatever happens in the marketplace as technology and media formats change, you can still come out fighting from your corner and see off big competition in an increasingly crowded brand space.

Is this ruling reasonable? Microsoft intends to appeal, though based on its history success is doubtful here. Tell us what you think.
