This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas have published Fraudscape, their annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors. With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat as cyber criminals turn their attention to using other people’s identities or creating new false identities, because increased vigilance by business and consumers has begun to reduce the number of accounts being hacked or taken over. It is estimated that there are 758 frauds occurring every day at a rate of 31 per hour in the UK (Cifas members alone), and the Department of Health estimates there were an eye-watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46.
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:  https://www.cifas.org.uk/fraudscape_latest

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale, “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”.  Cifas acknowledge that the stats may be the tip of the iceberg as this is only what has been reported by their members and is on public record.

The true extent is expected to be far greater: the UK statistics that form the starting point for data gathering are understandably hard to compile, and much goes unreported. The Department for Business, Innovation and Skills records the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud. Collating reports from across 5.4 million organisations and identifying how many out of 60 million people have suffered fraud therefore requires some degree of estimation (and the figures do not include SMEs in the private sector, which according to the Federation of Small Businesses account for over 99% of all private sector businesses in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013.   The Cifas fraud cases route to the City of London Police. But few of Cifas’ members know the point at which an ID has been compromised which would help target prevention efforts.

WHAT TO DO?  Any organisation which has not taken steps to increase resilience by improving its firewalls, beefing up ID authentication and encryption, and having sound antivirus and anti-malware software in place could be placing itself and its customers at unnecessary risk. Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work more closely together. Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.


Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice (ECJ), will shortly be reviewing how Europeans’ data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the lawyer’s complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system) are ignoring privacy practices, and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect Europeans’ data.

The Safe Harbour agreement (in place since 2000) allows US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security are upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom are reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If upheld, the decision would have severe repercussions for any US firm dealing with Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo. Twitter commented they would be forced to build datacentres in Europe to hold separated data. Facebook has not responded formally, although the BBC has quoted that the social media behemoth would welcome an update of the Safe Harbour rules post Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the issue is likely to drive them to preserve and protect their customers’ data by keeping it only in UK datacentres, avoiding the risk of losing control of the data at any time and of having to deal with local regulators and data laws.


Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Their current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business. Over 100 million people now use Lync to communicate at work. This week Microsoft announced that Skype for Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, TAT Communications, Telstra, Verizon and Vodafone) will be working together with Microsoft to deliver secure and direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365. Azure ExpressRoute leverages partners’ networks to provide a private, dedicated and high-bandwidth connection that bypasses the internet, essentially making Office 365 an extension of your on-premises environment whether you’re on site or not.

Skype for Business can handle all of an organisation’s communications, and with Azure ExpressRoute and their partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing itself in the carrier business.

This will offer businesses a one-stop-shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle this technology could be used on a commercial device. The user, instead of buying a phone, minutes and texts from a high-street carrier, could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype direct from Microsoft.

Whether or not Microsoft ties these devices and services together in such an offering, its potential does highlight the importance of Microsoft’s strategic partnerships, which benefit all parties going forward, not just Microsoft.


Troublesome domains

When browsing the internet, or even securing your own website, you will likely only worry about a few TLDs (top level domains), the most common being .com, .net and .org. In recent years there has been an explosion of new TLDs, with the number now available rising to over 650.

One of the most recent TLDs, “.sucks”, has been stirring up trouble. It’s easy to see how this new domain could be a serious nuisance: all it takes is for someone to take your company’s name and register the “.sucks” domain, and they have the perfect virtual home in an ideal location to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple: buy the domain before anyone else can and cause trouble. But this is where it gets ugly. The group who purchased the rights to sell “.sucks”, called Momentous, is charging astronomical fees of $2,500 for “.sucks” domains. To a major organisation this could be small change and amount to no more than regular IT admin housekeeping, but for SMEs or professional individuals the cost is extortionate, and every business will need to weigh the risk of a third party taking over this domain against the potential cost of damage to its brand.

ICANN, the international body that supervises all things internet, including the creation and approval of new TLDs, clearly decided that “.sucks” was fit for purpose. Whether ICANN is fit for purpose itself in thinking that such a domain name could be positive in any way for business is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes. Hopefully a sharp backlash from disapproving businesses will make ICANN recognise its folly, and in future only permit the release of sensible domain names that add value to the internet.


This week’s technology news – 20th March 2015

The Windows 10 launch party welcomes all including pirates

Microsoft has announced that Windows 10 will be launching this summer in 190 countries. A new feature of the system called Windows Hello was also demonstrated for the first time; it lets users log in via fingerprint, face recognition or iris recognition.

To get ready for Windows 10’s big launch party, Microsoft has been teaming up with app service providers worldwide including Chinese internet giant Tencent who will bring their hugely popular (over 32 million active players) online game ‘League of Legends’ onto the Windows 10 store and their QQ social app which has over 800 million active users.

Microsoft sees China as a huge opportunity for Windows 10, and getting companies on board to provide relevant and highly successful apps, games and services to the Windows 10 store will go a long way towards persuading Chinese users to upgrade to Windows 10 this summer.

The biggest challenge has always been getting users to adopt genuine Windows instead of pirated versions. Currently two-thirds of all PCs in China run pirated versions, not purchased from Microsoft.

In an unprecedented move, Microsoft will be allowing these ‘non-genuine’ versions of Windows to also be upgraded to Windows 10 for free. Those who upgrade in this fashion will still have non-genuine, non-supported systems, but will have access to the new features of Windows 10, most importantly for Microsoft the new Windows 10 store, where Microsoft takes 30% of all profits made.

Microsoft continues to be very aggressive in its push of the upcoming Windows 10. Its strategy of allowing pirated system upgrades, and free upgrades in general, is tactically cunning, showing that its first goal is to get as many people as possible using the new system sooner rather than later and gain maximum market share.


Amicus ITS explores a trio of cyber security stories in this week’s roundup of technology news:

US healthcare provider Premera not so premier following cyber attack

The FBI were recently called in by Premera Blue Cross, a US non-profit health insurance company which posted revenues in 2013 of $7.6 billion, to investigate a cyber attack on their IT systems which went undetected for eight months from May 2014. It is not yet clear how the attackers broke in, and the company has not said how the breach was discovered. However, 1.8 million records were illegally accessed, with medical records, personal data and employee data exposed, as well as data on any company which did business with Premera Blue Cross. The data accessed included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information (though no customer credit card information was held).

This comes on top of another huge cyber attack on Blue Cross Shield insurance giant Anthem, which recently had 78.8 million customer records illegally accessed.

The correct professional PR stance of both Premera and Anthem has been to publish a direct response on the front pages of their websites to try and assuage customer concerns by advising of their remedial steps with their security partners, including offering 24 months of free credit monitoring and ID protection services.

Whether either company will fully regain the trust of their clientele only time will tell, but at least the right reactive steps were taken to tackle the issue head on with their customers.


Get me insured – I’m under attack!

The US Department of Homeland Security (US DHS) has started a wholesale review of cybersecurity insurance, as it has emerged that security issues have been marginalised and are not forming a core part of an organisation’s enterprise risk management framework.

Cyber insurance is a relatively new aspect of the financial markets and, given the rise in cyber attacks and major data breaches worldwide in recent months, it seeks to offer an olive branch against the financial toll companies can face from the fallout of an attack. However, delivering the insurance is another matter, as data to evaluate the threat landscape is thin on the ground.

Senior Cybersecurity Strategist at the US DHS Tom Finan comments: “Perhaps unsurprisingly, companies are not publicly disclosing their own damages from cyber incidents they’re experiencing… big data about cyber incidents could be a potential treasure trove that would aid their efforts (to get insured) immensely.”

Meanwhile in the UK, HM Government in its November 2014 summit between Government departments, leading UK insurers, trade and industry representatives and GCHQ, agreed a joint statement to commit industry and government to closer working to develop the UK’s cyber insurance market. They also recognised the role insurers can play in driving improvements in cyber security risk management.  The cyber insurance market report will be supplied to the Cabinet Office in April 2015.  In the meantime, practical measures for businesses to undertake include:

• Detailed insurance gap analysis
• Network security survey
• Security policy review and development
• Cyber risk identification and quantification exercise
• Risk financing optimisation.

Plus, evaluation by experts on internet and network exposures, including:

• Liability: privacy and confidentiality
• Copyright, trademark, defamation
• Malicious code and viruses
• Business interruption: network outages, computer failures
• Attacks, unauthorised access, theft, website defacement and cyber extortion
• Technology errors and omissions
• Intellectual property infringement.

Clearly, Finan adds, “CISOs need to be a central part of any business risk management discussion going forwards. And until they do so, businesses will miss out on otherwise more extensive cybersecurity insurance offerings than would otherwise be available to them.”


World Economic Forum publishes cyber threat risk framework

The World Economic Forum (WEF) launched a new framework in collaboration with Deloitte recently based on resiliency, to help companies calculate the risk of cyberattacks. The risk calculation involves three components:

• An assessment of a company’s vulnerabilities and defences
• The potential cost of data breaches and
• A profile of the attacker

Understanding the risk vs cost is still very difficult even amongst expert voices.  However, it should force Boards globally to sit up and work through the problem, identifying risk areas within their organisation as they try to get inside the mind of a potential attacker.

The lack of historical data required to estimate the probability of attacks from particular types of attackers in particular industry sectors is a stumbling block. However, if, as the WEF has proposed, businesses globally start to openly share information about cyber threats instead of burying their shame, all businesses will gain. Mass learning will ensure companies start to deploy better strategies, policies and more resilient tactics, including education, training and staff awareness, which can only be a good thing.

Amicus ITS is part of the new Government led UK IT Cyber Security Forum.  Any enterprise seeking advice about major infrastructure security concerns is invited to contact JP Norman or one of the Sales team on 02380 429429.

Samsung and Blackberry team up for new secure tablet

Blackberry has announced a new tablet called SecuTABLET for public sector and government use.

The SecuTABLET differs greatly from the company’s only previous tablet, the ‘Playbook’, which launched in early 2011. Unlike the Playbook which ran on Blackberry’s own OS and hardware, this new tablet runs on Android for the OS and the hardware is being provided by Samsung.

Samsung is also providing part of the security with its KNOX security layer which helps separate personal and professional apps and data, by having two distinct modes that the user can switch between.

The now Blackberry-owned ‘Secusmart’ is providing encryption, including an in-house built secured microSD card equipped with a range of encryption features.

Finally, IBM is providing a software wrapper for secure apps to keep the data of each app separated and protected from other apps and services.

Altogether the SecuTABLET comes with an impressive list of security features, built on top of a reliable Samsung tablet foundation, but these do come at a cost. The tablet won’t be available for general consumer purchase, and the reported retail price will be $2,380! This incredibly high price point makes the SecuTABLET very hard to recommend.

Although the number of security features is impressive, the three core security components seem to overlap in actual usage. Blackberry is going to have an uphill battle convincing organisations to go with one of its new tablets instead of, for the same price, three Samsung tablets with KNOX, or even a Microsoft Surface 3.


The week’s technology news – 13th March 2015

‘Expectations vs Experience in migrating to Cloud Services’

One of the US Labor Department’s top execs, Dawn Leaf, CIO of the United States Department of Labor, was a keynote speaker at CloudExpo2015 this week. The following is a precis of her key reflections for our UK audience regarding Cloud and her experiences from the US government’s adoption of Cloud:

• AWS turnover at $1.67 Bn.  Now shows as its own revenue stream.
• 92% of UK enterprise expected to extend their data investment. Cloud is a data reality.

US Government move to Cloud
• Started 2011-12.
• Trigger:  DoL IT spend was $82bn p/a, with 80% of that cost on infrastructure and 80% of that spend being on maintenance and ops – had to change.  Galvanised move to consolidate data centres and migrate to Cloud.
• Size of challenge:  DoL alone has 28 agencies and its ‘mission’ affects 25m workers.
• IT services for 19,000 staff moved across 500 locations to Cloud services.
• 9 different infrastructures, none of which were standardised.
• Expectations:  expectations coming out of cloud service were to create on demand self service, broad network access and elasticity.
• Challenges identified by NIST Cloud Computing Technical Roundup.
• Had to review security and compliance in preparation beforehand and review firewalls before any department could connect to Cloud.
• Recommendation that any organisation should include an Operational Readiness Test Phase in their SLAs, as a safeguard, to prove that they could get to cloud.
• Part of prep, DoL had to upgrade bandwidth and assure desktop readiness.  They still had 10,000 people working on Windows XP.
• Dawn created standards and definitions for NIST (used across Government departments).

Roadmap created
• Need clearly defined roles and responsibilities for interoperability.
• If an issue needs resolving, all sides engage, no silo mentality. Frequently a third party is blamed and it is hard to move forward in good time. Gov had issues with Microsoft, but MS put their hand up; also issues with Blackberry.
• Had to review cost challenges
• Needed to estimate mailbox cost per individual vs legacy – worked out the same @ $15 p/mailbox pp.
• Had to sell change to workers to avoid unlimited archive space for staff – housekeeping.
• Issue of Sharepoint which needed to be migrated – taken step at a time:  dealt with first legacy of MS Outlook – moving mail only first.
• Systems reviewed illustrated challenges – Sharepoint alone had 100 instances of legacy to map.  New policy drafted around Sharepoint for new form as primary need in new structure.
• Issue of datacentre consolidation would meet two objectives in US:
• DoL managed to reduce the number of datacentres by x40 in 2015. Datacentres are now located outside Washington, DC.
• Cost reductions came by checking that datacentres were ‘ready’ to be migrated.
• Changes created significant energy cost savings
• Consolidation also created significant reduction in operating costs.
• Bottom line:  two security operations in two silos supported by two people were costing $200k p/a.  Savings made by moving to one model.
a) Consolidation and standardisation
b) Migration needed redesigning in line with Government Digital Platform.

Reflections
• DoL now have 400 x more storage than before.
• Generally lots of legacy and services to migrate – cannot move lock stock.
• Serious challenge as affected lives so had to take it step by step.
• As a Gov organisation they faced legal requirements which were non negotiable.
• Had to adhere to FISA, with additional requirements around security inputs:
o High (sensitive referenced data) – lots of these for Gov – assessed that Cloud not less secure, but the costs jumped so greatly that on cost effective basis, better to have private Cloud or private federated Cloud approach in this band to protect national impacts.
o Medium (PII falls into this category) = there were 200 – all below national levels
• Used federated map risk programme to scrutinise.
• Gov assessed that with Medium risk data – Cloud did not create an increased threat to servicing.
• The main threat to any organisation is from within: its staff. Cyber espionage, whether criminal or run of the mill, occurs with thousands of threats/hacks on a daily/weekly basis in US gov departments.
• Recommendation – need sound security practices
• Can take 2 years from selection of cloud partner to implementation.
• Budget and procurement cycles.
• Gov has to have back up plan to keep services going if all falls down
• Gov now has Cloud first policy – strategic decision in outsourcing.
• Closing vision piece – need more science and technology women coming through in sector. Headcount in room 5 out of 100 in theatre.


Overground underground wandering free?

Travelling to London for this week’s CloudExpo2015 at Excel, it was fascinating to do a quick spot check on the variety of devices used by commuters on the train and then the tube.

Around our section of 8 separate travellers sitting across two tables journeying on South West Trains into London Waterloo, there was a lot of technology on show. Accompanying our little sample were two MacBook Airs, three iPads, one HP laptop, one Lenovo ThinkPad and one Windows phone; one person read the paper and one person slept. One commuter (working for the Financial Conduct Authority according to the asset label on their laptop) juggled three devices during the journey. And then, somewhat alarmingly, the gentleman sitting directly opposite worked away on his laptop oblivious to the fact that his laptop screen displayed a Post-it note confirming his antivirus, VPN setting and login. Truly, further education is needed about keeping a device secure, especially if it is not your own.

A short while later on the underground, there was no less by way of volume of devices.  The tube carriage with 14 seats facing each other, had 10 people variously using smartphones and iPhones whilst the size of luggage carried indicated tablets, iPads and laptops were being taken along for the ride. The remaining four read the freebie Metro newspaper.

Clearly society is very comfortable today with technology, certainly more comfortable having it as a barrier to avoid engaging with a neighbour en route.  The difference on show was that everything went decidedly smaller as we went underground to suit the environment and the sense of enclosed space.  This reliance on technology will only increase in future as our desire to have technology whilst on the move and to stay connected ramps up.  In contrast, the technology will get smaller, lighter and faster as devices and technology are completely interwoven into every part of our lives both during and outside work.


Week’s technology news – 6th March 2015

Let’s get it on!  Top collaboration trends

A recent survey of over 500 organisations by an American industry analyst showed that whilst many companies have adopted collaboration tools, the difficulty for companies of all sizes is to find toolsets that meet ALL of their organisational needs.

1. 87% confirmed they used ‘distributed collaboration’ (where people can work with distance of time and space, collectively, often using complex information for a set goal or purpose) for some of their work.

2. 78% reported they were working on between two – seven projects simultaneously and most people are now part of three to five teams at work (with the larger the organisation and level of role, the greater the pull to collaborate on projects).

3. 40% advised they spent half their working time in non-decision making meetings, mainly around brainstorming or planning, with a high percentage involved in problem solving and project status meetings.

4. Top five meeting problems were:
a. No clear agenda communicated in advance
b. Stakeholders not prepared or didn’t attend
c. People bringing personal agendas to meeting
d. People re-hashing old topics and decisions + late arrivals
e. Straying from the agenda

5. No ‘behavioural metrics’ which could improve meeting value – here are the most requested metrics:
a. value for interpersonal interactions
b. number of decisions arising from meeting
c. percentage of time spent in the meeting

6. Collaboration leverage – using “the right technology for the right process at the right time with the right people”. The top three processes to secure this were:

a. new product/service development
b. crisis management and decision support
c. effective sales /marketing.

7. The impact of these collaboration leverage processes sought to create the ‘ability to make better and faster decisions’ and to increase ‘the number and quality of decisions coming from meetings’.  Tools that support better, faster decision making to help meeting productivity include: Powernoodle, ThinkTank and Facilitate.com. Other tools like Clarizen, that focus on collaboration and project management, enable those in meetings to track the outcomes of their decisions and give feedback to the meeting participants.

8. 52% not happy with their collaboration tools as they failed to support physically distributed teams and project work.

9. Larger companies use more collaboration tools but need to review with users which work best for their workforce:

a. 86% of those surveyed use email (still most popular though decreasing with Apps)
b. 72% now using desktop video conferencing over room-based video conferencing (49%), revealing that mobile technology is an increasing driver.
c. 72% use Chat/IM/Texting

Businesses can use all manner of collaboration tools.  There is no single panacea but if tools can improve teamwork interactions and communications between teams, organisations need to think about what will work best for their business in practice.  Review your collaboration techniques and technologies.  And for staff, seek to be more productive: go into meetings prepared, communicate properly, contribute meaningfully and succinctly – and finally don’t arrange a meeting if you don’t have to!


The evolution of unified authentication

Online authentication has evolved greatly since its original implementation through internet sites and services. On a basic level, each account you hold with a particular site would be isolated with your username, password and other details sitting in their database.

As the needs and expectations of online services have grown, so has the need for a more unified attempt at tying online authentication together and this prompted the definition of ‘Identity 1.0’ (also called digital identity, a set of methods for identity verification on the internet using emerging user-centric technologies).

Microsoft’s initial attempt to streamline login was a system called ‘Passport’, debuting in 1999. Passport worked as a middleman: it provided established identities to users, which sites could call upon to authenticate access, eliminating the need to register additional accounts for sites which supported the Passport authentication method. This also meant the user’s password was not stored in each site’s database, but held instead by a single, hopefully more trusted source, Microsoft.

Like many of Microsoft’s best plans the idea was solid but ultimately failed. This was partly due to several rebrands of the service confusing consumers, as Passport changed to .NET in 2001, which eventually morphed into Windows LIVE ID in 2006 (and today is simply a Microsoft account). The other reason for the lack of success was a lack of incentive for third parties to invest in the system: the user would get the benefit of one less login, but the service provider would lose the benefit of building its own direct consumer database.

The next evolution of digital authentication, called ‘Identity 2.0’, was based on the web 2.0 view of the World Wide Web’s transition. An example of this in action is the Facebook login, a popular service where you can log in to other sites or applications using your Facebook name and password. This implementation went far beyond Microsoft’s Passport. Not only does it save users from having to remember yet another password, but the services are able to request information such as a user’s profile picture, address or contacts after user consent and display this natively on another site. It also works the other way around, where tasks done on the associated site can relay information back to Facebook, such as ‘liking’ a page, posting a comment on your profile, or, potentially most importantly, sending information to your friends’ Facebook pages.

‘Identity 3.0’ was defined last year by the Global Identity Foundation and hopes to address the current concerns around digital authentication.  The new principles change it so that only one identity (which is unique and private) is needed, thus eliminating the need for a body to issue or record multiple identities. The identity of one entity to another remains cryptographically unique; negating the need for user-names or passwords and minimising the risk of too much personal information being aggregated.  Also the biometrics of the individual remain within their sole control, so biometric information will not be used, exchanged or stored outside the person’s control.
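To make the contrast concrete, here is an added illustration (not code from the original post, and not the implementation of Passport, Facebook login or the Global Identity Foundation’s principles) of the two account models described above: a site that keeps its own salted password hashes, beside an identity provider that checks the password once and hands each site a short-lived signed assertion. It also shows one of the Identity 3.0 ideas, a per-site (pairwise) identifier so two sites cannot correlate the same person. The site names ‘shop.example’ and ‘forum.example’, the HMAC-signed assertion format and all user data are assumptions constructed for this example.

```python
"""Two account models side by side: a site that keeps its own password hashes,
and an identity provider (IdP) that authenticates once and issues a signed
assertion which a relying party (RP) verifies without ever seeing the password.
Constructed example; 'shop.example' and 'forum.example' are placeholder RP ids."""
import hashlib
import hmac
import json
import os
import time


def _hash_password(password, salt):
    """Salted, slow hash so a leaked store does not hand out cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IsolatedSite:
    """Model 1: every site holds its own credential store (the isolated account)."""

    def __init__(self):
        self._users = {}  # username -> (salt, hash)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)


class IdentityProvider(IsolatedSite):
    """Model 2: one credential store in the middle. The IdP checks the password and
    gives the RP a short-lived assertion signed with a key shared with that RP.
    The subject id is pairwise (derived per RP), so two RPs cannot correlate users."""

    ASSERTION_TTL = 300  # seconds an assertion stays valid

    def __init__(self):
        super().__init__()
        self._rp_keys = {}  # rp_id -> HMAC key shared with that RP at onboarding
        self._pairwise_secret = os.urandom(32)

    def register_relying_party(self, rp_id):
        key = os.urandom(32)
        self._rp_keys[rp_id] = key
        return key  # handed to the RP out of band

    def pairwise_subject(self, username, rp_id):
        # Stable for one (user, RP) pair; a different RP sees a different identifier.
        msg = f"{username}|{rp_id}".encode()
        return hmac.new(self._pairwise_secret, msg, "sha256").hexdigest()[:16]

    def authenticate(self, username, password, rp_id, now=None):
        if rp_id not in self._rp_keys or not self.login(username, password):
            return None
        now = time.time() if now is None else now
        payload = {"sub": self.pairwise_subject(username, rp_id), "aud": rp_id,
                   "iat": now, "exp": now + self.ASSERTION_TTL}
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._rp_keys[rp_id], body, "sha256").hexdigest()
        return body.hex() + "." + tag


class RelyingParty:
    """Stores no passwords at all, only the key shared with the IdP."""

    def __init__(self, rp_id, shared_key):
        self.rp_id = rp_id
        self._key = shared_key

    def verify(self, assertion, now=None):
        """Return the pairwise subject if the assertion is genuine, unexpired and
        addressed to this RP; otherwise None."""
        try:
            body_hex, tag = assertion.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None  # malformed
        expected = hmac.new(self._key, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered
        payload = json.loads(body)
        now = time.time() if now is None else now
        if payload.get("aud") != self.rp_id:
            return None  # minted for a different site
        if not payload["iat"] <= now < payload["exp"]:
            return None  # replayed after expiry
        return payload["sub"]


def demo(now=1_000_000.0):
    """Walk through both models and return the observations so they can be checked."""
    pw = "correct horse battery staple"  # constructed sample credential
    site = IsolatedSite()
    site.register("alice", pw)
    idp = IdentityProvider()
    idp.register("alice", pw)
    shop = RelyingParty("shop.example", idp.register_relying_party("shop.example"))
    forum = RelyingParty("forum.example", idp.register_relying_party("forum.example"))
    for_shop = idp.authenticate("alice", pw, "shop.example", now)
    for_forum = idp.authenticate("alice", pw, "forum.example", now)
    return {
        "isolated_login_ok": site.login("alice", pw),
        "isolated_login_bad": site.login("alice", "wrong"),
        "shop_accepts_own": shop.verify(for_shop, now),
        "forum_rejects_shop_token": forum.verify(for_shop, now),
        "pairwise_differ": shop.verify(for_shop, now) != forum.verify(for_forum, now),
        "expired_rejected": shop.verify(for_shop, now + 301),
        "wrong_password": idp.authenticate("alice", "wrong", "shop.example", now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The relying party in the second model never handles a password and holds nothing worth stealing beyond the shared key, which is the property Passport promised. Real deployments express the same exchange with standards such as SAML or OpenID Connect rather than this home-grown token, and use public-key signatures so the relying party cannot mint assertions itself.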

The principles outlined in Identity 3.0 show similarities to Apple’s approach to authentication with ‘Touch ID’ on the latest iPhones and iPads. Users are able to authenticate purchases direct from Apple with a fingerprint. Most importantly, third-party software developers are also able to take advantage of this without compromising the biometric data. Developers can write apps that use the individual’s fingerprint for authentication, be it for a purchase or as a key to decrypt emails, without the fingerprint data leaving the device and without the user needing to enter a traditional password. Many such new devices linking user authentication with security access at work and crossing over into personal lifestyle were reviewed in our blog dated 6th February.

With newly announced devices like this week’s Samsung Galaxy S6 sporting a speedy fingerprint sensor similar to Apple’s Touch ID, it may not be long until most people have access to an alternative login like a fingerprint and can avoid entering passwords altogether.

Authentication has evolved significantly over the years, but your own experience will vary considerably depending on the devices and services you use and the number of accounts you actively use. In theory this will only improve in the years to come, but the next big challenge in unified authentication could come from getting device and platform manufacturers to play nicely with each other. Just as some apps are available only on the most popular platforms like iOS and Android, the same could turn out to be true for login options. The market, as always, will ultimately go for the simplest and most intuitive experience for the user.


New digital technology to stop blaggers unlawfully securing jobs
Who doesn’t want to appear better on paper? Unfortunately, according to Cifas, the UK’s fraud prevention service, 63% of all confirmed employment fraud in 2014, including CV fraud, related to people lying about their education, employment or qualifications. So recruiting an honest, qualified employee may not be as easy as we thought.

The remedies in education are dealt with by universities subscribing to the Higher Education Degree Datacheck system. This logs the detail of degrees, diplomas etc. by subject and level achieved. It also picks up bogus establishment names.

For businesses, though, it is far more difficult, time consuming and costly, and a considerable administrative task, involving checks on search engines and social networks. As a result, many organisations do their due diligence AFTER appointing someone, because doing so beforehand would make the recruitment process grind to a halt, as most qualifications are not readily digitised (i.e. they exist as mounted certificates). The problems get particularly acute when dealing with jobs in fields such as finance and law that have a well-defined scheme of professional qualifications. Inevitably, though, with tough competition for jobs the final choice can rest on who has the best qualifications ‘on paper’.

Where technology steps in
Pearson have come up with a new digital solution called ‘Acclaim’. Prospects get digital badges when they complete a particular course or project. Neatly, the badge links back to the awarding body, which can verify that the person actually achieved that qualification. Additionally, metadata embedded in the badge offers employers further insight into the qualification. The scheme started in 2014, and Pearson hope to issue 1 million digital badges in 2015.

The scheme has the buy-in of a number of professional organisations as well as trusted career sites such as LinkedIn. With signatories including Adobe, Microsoft’s Sales Academy and IT consultancy Citrix, plus schools and colleges, it should start to level the playing field and create the necessary transparency, especially in the IT and technology field. Happily for the IT industry, where a lot is achieved through experience rather than academic qualifications, the new Pearson system embraces this and career skills can be included in the new digital certificates.

Cifas report that the number of people being prosecuted for CV and qualification fraud is on the rise. It is a crime, and people have been jailed for falsifying their education history. It doesn’t seem worth it, but some small lies have led to very large cover-ups.

Examples of CV Fraudsters ‘MOST WANTED’

• In 2012, former Yahoo boss Scott Thompson falsely claimed to have a computer science degree and had to step down once the truth was uncovered.
• Upping the ante even further was Marilee Jones, former dean of admissions at MIT, who claimed to have three university qualifications (two degrees and a doctorate) that she had not earned. It took 28 years for the falsehoods to be unearthed. Ms Jones resigned soon after.
• Alison Ryan, would-be PR manager for Manchester United, claimed to have a first class degree from Cambridge. In fact, she got a second and had been banned from practising law. She was sacked from the £125,000 a year job at the football club in 2000.


Are Sony on solid ground?
Interviewed at this week’s Mobile World Congress, Kazuo Hirai, CEO of Sony Pictures, was in an upbeat, honest mood despite being challenged on several fronts about Sony’s recent output. When asked about the lack of impact of its Android phone, Hirai confessed Sony would keep a close eye on the profitability of its mobile phone arm, as the market was very volatile and carries many inherent risks. If the ROI was no longer there, Hirai commented, there were no guarantees of anything in the future; it was just the nature of the electronics business.

Neither has Sony stolen a march in the wearable technology field. Its smart ‘EyeGlass’ is clunky in comparison to its slicker rival, Google Glass. Sony’s smartwatch and intelligent fitness bands are out there, but in a kind of ‘so what’ manner. Hirai acknowledged that the market itself hadn’t yet decided which product most resonated with customers, and that this was a challenge to all suppliers in this space, with everyone searching for the right feature and functionality set, form factor, convenience AND good battery life.

His reflections on the damage to Sony Pictures from the January cyber attack were robust but contemplative as he put the attack in context: “The Government… FBI’s enquiries told us that for 90% of companies, had they been attacked the way Sony Pictures were, they would also have been vulnerable, as it was not a run of the mill attack”. Hirai added that cyber security and network security were a very high priority for them and had been for a long time, since the PlayStation attack several years ago.


This week’s technology news – 20th February 2015


Microsoft enjoys gold in Europe

Microsoft’s VP of Legal & Corporate Affairs, Brad Smith, announced on 16th February 2015 that Microsoft had become the first major cloud provider to adopt an international standard for cloud privacy, which is also the world’s first such standard.

This follows the EU data protection authority’s endorsement of Microsoft’s gold standard for cloud privacy back in 2014 (see our blog of 17th April 2014). The new ISO standard creates a uniform, international approach to protecting privacy for personal data stored in the cloud.

Smith is clearly pleased:  “The British Standards Institute (BSI) has independently verified that in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud”.

Standards shape business assurance and safeguards across industry, and this new ISO standard is important commercially: ISO 27018 assures enterprise customers that their privacy is protected, and the standard promises that their data will not be used for advertising.

According to Smith, Microsoft can only process identifiable data that the customers provide, and is obliged to notify customers where their data is and who else is using it (in case third parties need their data). Additionally, the company offering cloud services must notify the client if a government requests disclosure of PII data.


Google’s CIE says “Don’t get lost in the digital Dark Age”

Chief Internet Evangelist for Google, Vint Cerf, a “father of the internet” and holder of the highest civilian honour, the U.S. National Medal of Technology, addressed the American Association for the Advancement of Science (AAAS) annual conference in San Jose last week. His talk aired concerns that all the images and documents we have been saving on computers will eventually be lost, and that future generations will have little or no record of the 21st century as we enter what he describes as a “digital Dark Age”.

This would occur as hardware and software become obsolete (backward compatibility is not always guaranteed) and old formats of documents, presentations or images may no longer be readable by the latest version of the software or retrievable from external hard drives.

“The key here is when you move those bits from one place to another, that you still know how to unpack them to correctly interpret the different parts. That is all achievable – if we standardise the descriptions… We have various formats for digital photographs and movies, and those formats need software to correctly render those objects. Sometimes the standards we use to produce them fade away and are replaced by other alternatives and then software that is supposed to render images can’t render older formats so the images are no longer visible”.

“Over time, we accumulate vast archives of digital content, but may not actually know what it is.” As it is unclear what will prove to be the most important data of our generation, it is important to preserve as much as possible.

“The solution is to take an X-ray snapshot of the content and the application and the operating system together, with a description of the machine that it runs on, and preserve that for long periods of time. And that digital snapshot will recreate the past in the future.” Cerf calls this digital form ‘Digital Vellum’, to be held on servers in the cloud and accessible as required because the descriptions have been standardised.

Whilst there is no guarantee of Google being around in 3000, the notion is that the X-ray snapshot captured is transportable from one place to another. So it could move from, say, Google’s cloud to another cloud, or back onto a personal machine.


See video: http://emp.bbc.co.uk/emp/embed/smpEmbed.html?playlist=http%3A%2F%2Fplaylists.bbc.co.uk%2Fnews%2Fscience-environment-31458902A%2Fplaylist.sxml&title=Net%20pioneer%20warns%20of%20digital%20’Dark%20Age’&product=news

When just one drop IS enough

An American company, Nanobiosym, has shown off its latest mobile diagnostic device, ‘Gene Radar’, which can perform real-time testing on a drop of blood, saliva or other bodily fluid to detect disease.

Using a nanochip in a mobile device, they claim it provides a gold standard at DNA/RNA level, replacing the mountainous PCR processing that went before it in medical profiling with more efficient scientific solutions for viral scanning. A mobile scanner that can detect whether a person has Ebola, HIV or the flu virus in less than one hour has great significance. The technology can be deployed in wearables, smartphones and notebooks, and apps for self-diagnosis are also being developed apace.

Nanobiosym is one of several US companies chasing healthcare business in this sphere, including Corgenix (a Microsoft Gold Service Partner) and Nanomix. Nanobiosym’s CEO, Dr Anita Goel, is passionate about the opportunity for this new technology to truly democratise healthcare and take it to the people, especially in third world countries which lack the industrialised history and infrastructure investment in healthcare.

The personalisation and mobility of this healthcare offering is very exciting. It brings together physics, biomedicine and nanotechnology to diagnose conditions and is viewed by Goel as having the potential to cut the costs of some conditions by up to 99%, surely of interest to healthcare boards around the globe, where budgets are forever being squeezed.

The development is eye-catching when, in the West, traditional HIV screening would cost $200 with results taking two weeks, and six months in Africa. The outbreak and spread of Ebola dominated world headlines in 2014 and its impact is still being felt. The new technology being developed by these companies can detect the disease at very low levels, before a patient is even showing symptoms. In practical terms, scanning for this and other diseases at airports, say, could help contain, advise and start pro-active steps for treatment, even affecting future generations.

The company is waiting for approval from the US Food and Drug Administration (FDA) before offering the device for sale. With diseases like Ebola, it would be a straightforward tick for border agencies keen to control migration of those affected. However, the ramification of detecting other genetic diseases like Parkinson’s or Alzheimer’s through apps carries with it the health warning that the patient’s very knowledge of the disease could alter and affect their life, decisions and outlook if it were detected pre-symptomatically whilst there was still no cure.


See video:  http://goo.gl/FcBXoD

This week’s technology news – 13th February 2015

HP’s doomsday cyber forecast

HP’s CTO Andrzej Kawalec, speaking at the European Information Security Summit in London on 10th February, has predicted a ‘catastrophic cyber attack’ in the next five years. Before people settle back comfortably and think it is ‘just another cyber attack on a brand’, think again. Kawalec foresees something far more serious: “We expect an attack that will cause significant and lasting damage to a major world economy through physical and economic impacts”.

Kawalec acknowledges the enormous challenges around creating a resilient single digital online identity. Much of the blame he attributes to a lack of common standards amongst social media platforms, the cloud and devices connecting to the Internet of Things (IoT).

Kawalec identifies a tricky balance to be struck between managing regulatory and privacy concerns and the potential impact on cross-border trade, or exposing industry to financial risk, which must be avoided.

HP have therefore identified three areas of cyber security in 2015 that they will urgently focus on:
• Spending more time and effort understanding our adversaries and how to disrupt them at every step.
• Understanding and identifying risk to ourselves, to ascertain how best to protect, as well as enable, information assets.
• The need for businesses to collaborate more and share information with each other, to get a unified view of the threats and extend cyber security capabilities beyond one organisation (as our adversaries have stolen a march on this: THEY collaborate faster and more efficiently, without being weighed down by any legislation).

On a technical note, Kawalec noted the need to improve management of open-source software within organisations. He also flagged the need to address security vulnerabilities within supply chains (referring to the December 2013 attack on retailer Target, the second largest in the US, which hit 40m payment card users and was the result of a compromise via their air-conditioning supplier). This highlights the need to change the way organisations deal with their suppliers. Finally, Kawalec impressed on the audience the need to improve the securing of the end user and the data.

Ultimately, he sees alternatives to password-based authentication evolving, with greater focus on protecting data. This, he said, was all part of “understanding our information environments better, see how they work and find better ways of making them secure”.

Amicus ITS has joined the UK Cyber Security Forum, echoing these sentiments that shared knowledge of enterprise security specialists will help create greater strength and unity in 2015.  To find out more click on http://ukcybersecurityforum.com/

IoT revenue opportunity vs business cost
The latest report by technology research company Beecham Research has identified IoT security as a revenue opportunity: security and data management for the Internet of Things (IoT) is a big value-add revenue opportunity for service providers, rather than a business cost.

With the growth and complexity of the myriad applications of IoT and emerging smart lifestyles, Beecham Forrester see this being accompanied by an urgent need to manage connecting devices which use short-range wireless and fixed-line technologies.

Principal analyst and report author, Saverio Romeo anticipates, “Companies will increasingly rely on outsourcing and we expect that revenues from device authentication, device management, data management, billing and security will exceed $3bn by 2020. Out of these, we see security and data management services generating some $1.8bn alone”.

Data management for IoT currently remains a small market; however, Beecham Research believes it has the most potential for high gross margins, with IoT security the most strategic across the network, device and services domains. Romeo commented: “…we see IoT security providers offering high-value, end-to-end security to service and application providers”.

This follows their last report five months ago urging industry to take decisive action to secure IoT devices, which should be managed over their entire lifecycle (with resets an option, to enable remote remediation to rebuild and extend security capabilities over time).

As with the cyber security story above, this report has highlighted the need for industry players to unite and enable the securing of IoT devices end to end (from silicon semiconductor manufacturers to network operators and systems integrators), with particular attention to the identification, authentication and authorisation of devices and people in IoT systems.

A strong pattern is thus emerging for 2015 in the technology industry, with security themes dominating. Where the core value of security is shared by organisations, there is surely a compelling argument for the different businesses to come together, share knowledge and give end users assurance that they are safe using such devices. This can surely have only one result: greater take-up in the long term and profitability for all involved.


Value of IT outsourcing review

Figures released by business process outsourcing (BPO) analysts Nelson Hall put UK spend in 2014 on outsourcing and IT at £6.65bn, with IT outsourcing accounting for £3.44bn.

New business deals accounted for 55.5% of those signed, up from 33% in 2013. 66% of those deals were delivered fully onshore by UK suppliers, with the remainder having an offshore element and 8% delivered exclusively from offshore locations.

The drive by organisations to digitise through Cloud and software development (DevOps) saw a substantial rise in private and hybrid cloud transformation. However, the scale of the transformation many businesses wanted for their IT infrastructure, and the costs involved, meant that many could not fully migrate, and so a transactional and usage-based pricing model in contracts emerged.

• Private enterprise accounted for 63% of the spending.
• Local government saw a 15% increase in average contract values, rising to £30.3m.
• The financial services industry spend was £1.1bn in 2014.
• Energy and utilities companies were the fastest growing, with 187% growth in IT spending, reaching £1.07bn.

MSPs which can offer a comprehensive array of IT services and, on top of this, can apply a flexible approach to their customers with fully secured Cloud solutions and 24×7 support will be the beneficiaries of this increasing trend as 2015 gets underway.


Keeping your keys out of the Box

Cloud storage provider Box has announced a new service that could be a first in the file storage arena. The new service is currently in beta and allows organisations to hold their own encryption keys for their data. This differs from the traditional approach, where the service provider tightly guards everyone’s encryption keys.

This new service called Enterprise Key Management (EKM) will appeal to highly regulated industries such as healthcare, finance, government and the legal sector. EKM will also appeal to those worried about hackers, government requests for data and Cloud providers’ own employees having access to their data.

EKM essentially gives you control over the one master key for your data. But it also gives you FULL responsibility. You may no longer need to worry about hackers getting to your data through your service provider, but this should only alleviate concerns if you believe your own security is sturdier.

If you do consider EKM, the most important consideration will be the storage of the encryption key itself. Of course it will need to be resilient enough to survive hardware or site failure, but the strategy for backing it up, specifically regarding who has access to the key and its backups, will need careful consideration. Whilst EKM does solve many of the issues some have with Cloud storage solutions today, it also comes with its own set of new, unique challenges and should only be chosen after great consideration.
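The envelope-encryption pattern the paragraphs above describe, as an added illustration in Go using only the standard library (this is not Box’s code and does not describe how Box implements EKM): the provider stores only ciphertext plus a per-object data key wrapped under the customer-held master key, so the provider can never read the content and a lost or wrong master key leaves the data unrecoverable. All names, the object ID and the sample content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the (hypothetical) provider keeps for one file. The master key is
// absent, so the wrapped data key is opaque to the provider, its staff, or a thief of its disks.
type StoredObject struct {
	WrappedDEK []byte // per-object data key, sealed under the customer's master key
	Ciphertext []byte // file content, sealed under the data key
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewMasterKey makes the single customer-held AES-256 key; in a real EKM deployment it
// would live in the customer's own HSM or KMS and never be sent to the provider.
func NewMasterKey() ([]byte, error) { return randomBytes(32) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext under AES-GCM; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, or any change to nonce, ciphertext or aad, fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// UploadObject runs on the customer side: a fresh data key per object, then that key
// wrapped under the master key. objectID is authenticated in both layers so a wrapped
// key cannot be swapped between objects.
func UploadObject(masterKey, plaintext []byte, objectID string) (obj StoredObject, err error) {
	aad := []byte(objectID)
	dek, err := randomBytes(32)
	if err == nil {
		obj.Ciphertext, err = seal(dek, plaintext, aad)
	}
	if err == nil {
		obj.WrappedDEK, err = seal(masterKey, dek, aad)
	}
	return obj, err
}

// DownloadObject must unwrap the data key with the master key before the content can be
// opened: a lost or wrong master key fails at this first step (the "full responsibility").
func DownloadObject(masterKey []byte, obj StoredObject, objectID string) ([]byte, error) {
	dek, err := open(masterKey, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	master, _ := NewMasterKey()
	obj, _ := UploadObject(master, []byte("constructed sample: board minutes"), "doc-42")
	pt, err := DownloadObject(master, obj, "doc-42")
	fmt.Printf("with master key: %q (err=%v)\n", pt, err)
	lost, _ := NewMasterKey() // stands in for a master key that was lost and regenerated
	_, err = DownloadObject(lost, obj, "doc-42")
	fmt.Println("without the original master key:", err)
}
```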

Ever Greener Apple

Apple is no stranger to being green. Not only does the company promote its own products with an environmental checklist at launch, the iPhone producer also uses renewable energy such as solar to power its services.

Apple has detailed plans to spend $850 million on a new solar farm in California. This deal marks the largest ever supply of ‘clean power’ to a commercial user. The farm itself will cover 2,900 acres and will generate the equivalent of the power used by 60,000 Californian homes. The output of the new farm will be split, with 130 megawatts going to Apple to power buildings such as its future campus, while the remaining 150 megawatts is being sold to the Pacific Gas & Energy grid.

This huge spend continues Apple’s commitment to using 100% clean energy, and if successful could be used as the blueprint for many other clean-energy-driven enterprises going forward.


This week’s technology news – 6th February 2015

US ‘human firewall’ initiative to ward off cyber threats
American safety science company UL has developed a behaviour-focused education programme for its staff to help thwart the high proportion of cyber penetration that originates in phishing attacks exploiting employee mistakes.

At its core, the programme trains employees to recognise phishing emails and report them to their IT security department. The heightened awareness and resulting engagement from this behaviour-modelling programme creates a healthy attitude towards understanding the importance of IT security within a company. The dynamic ‘human firewall’ was found to be able to spot threats often within minutes, enabling IT security teams to take the necessary action and communicate back promptly to the organisation.

The first step at UL was to educate employees on what a phishing attack looked like; a quarterly ‘planted’ phishing message was then sent to every employee, from the CEO down, which they were challenged to detect. Employees were notified that there was to be a test, so as not to make it a “gotcha” moment. If an employee fell for the scam, they were routed to a one-page lessons-learned note offering two or three pointers on what to look for next time.

The second step was to get employees to report suspect emails. With personal responses to each individual reported attack, the initiative took off quickly and staff were recognised for saving colleagues and customers from attack. It created a different conversation and an improved relationship between departments. Robert Jamieson, UL’s IT Security Officer, believes the personal connection made all the difference. “Because there was no process or reason for people to think to report incidents or queries to us it used to take days or weeks to sort, whereas now the direct response is within 24 hours”.

With this programme, incident reports in UL increased from 10 per month to over 1,000, and the company has reported a 19% decrease in virus-related attacks. This human firewall initiative is the final piece alongside the many technology tools that defend companies from cyber attack, and the principles of what UL have achieved should give serious food for thought to all CISOs, whether in a corporate or healthcare environment.

How much bigger can BT grow?
Late in 2014, BT confirmed they were in talks for a giant acquisition to take them back into the mobile operator game, with the purchase of either their former company O2 or EE. The decision is made: BT has just paid £12.5 billion to acquire the UK’s largest mobile provider, EE.

BT now has both the largest mobile telecoms and the largest fixed-line market share in the UK, in addition to Openreach, BT’s infrastructure division, through which any rival telecom operator must go to do business. This makes BT’s control and reach in the UK colossal.

The decision to move back into the mobile provider market isn’t surprising. Increasingly, home users admit to having a landline only because they have to in order to get internet access. Even at home, the majority of calls are now made on mobiles instead of the landline. The deal more than trebles BT’s retail customers, adding EE’s 24.5 million direct mobile subscribers to the 10 million BT already had.

The inclusion of mobile will also let BT provide “quad play”, selling mobile, fixed-line, broadband and TV as a bundle of services.

UK competition authorities will be paying very close attention to this move, but may need to take a different look than usual. Normally, mobile and fixed-line markets are analysed separately. Looked at that way, EE is no larger after this acquisition than before; however, if the competition authorities look at this alongside BT’s numerous non-mobile communications services, the strength BT could potentially apply in overlapping markets would give it a significant advantage.

The EE buyout is expected to be finalised by March 2016, subject to shareholder approval and competition authority agreement. Meanwhile, rumours are that mobile operator Three is in talks to buy O2. That gossip, along with Vodafone being rumoured to buy Virgin Mobile, ensures that the telecoms world will be a very busy and potentially contentious commercial space in 2015.
