All the rage

August 20, 2012

Bring-Your-Own-Device (BYOD) has become somewhat of a buzzword. With the push generally coming from the top, namely Senior Management and C-executives, there is a lot of pressure on IT to accommodate for the use of smartphones and tablets for work purposes. However, integrating new devices within the business environment is not all easy and straightforward, from an IT point of view.

Before allowing BYOD there needs to be a lot of planning, especially to insure the appropriate level of security. What end users sometimes fail to understand is that with the introduction of personal smartphones and tablets, the security of information which pass through these devices is at risk. These devices can be more easily hacked compared with a company-approved laptop, and they can be stolen or lost. Although there are some measures to wipe data off a device remotely after it has been lost or stolen, there is still the risk that information has already been seen, copied and used for fraudulent activities. Breaching the Data Protection Act will result in hefty fines that can put pressure on the company’s financial position, and it may also damage the most important thing – its reputation.

A BYOD policy will also create new issues for the IT Service Desk. IT engineers who are not familiar with these devices and the operating system they are working on will have to get some training, or more often than not, self-train in order to be able to support them. It takes time to learn new things and create knowledge-based documents for everyone to learn from, and the initial unfamiliarity with the systems might slow down incident resolution rates. Analysts might also get a number of calls regarding things that are out of their remit, such as ‘How do you turn this thing on?’ or ‘I need to download this app…’. All these things will affect the level of service and therefore any metrics, Key Performance Indicators or Service Level Agreements will have to take this into account.

On the bright side, this is also a good opportunity for IT staff to learn and practise new skills, get to know new systems and make their work more varied. It will ultimately increase their expertise and value.

Generally speaking, it is a good idea to introduce BYOD slowly by starting from one feature in particular. For instance, at the company where I am working in a managed service environment, it was only applicable to email on iPhones and iPads. Documents can be read and sent but not saved or modified on the device. Now that this project has been rolled out, gone live and is running smoothly, we are planning to allow document editing on the devices, once we have come to terms with the security concerns.

Companies shouldn’t avoid BYOD policies just because of the technical complexity or security issues involved. The advantages they can enjoy may outweigh those: BYOD creates savings, as less company-approved phones and laptops have to be purchased for employees; increases productivity as professionals are able to easily work on-the-move and while they are away from their office, for instance visiting a client’s site; and gives employees the chance to take on emergency work and answer urgent emails at any time of day and night and from anywhere.

Why is it that certain sectors are so attracted to the prospect of being able to use their own devices for work? In the financial sector in particular, it is not difficult to guess – so many professionals work nearly 24/7, hardly ever switching off. Their personal and professional lives are intertwined and it is a nuisance for them to have to carry around: a personal mobile phone for personal and work-related calls; a work mobile phone to check emails on-the-go; a company-approved laptop to work from a different office or the train; their personal tablet to show clients presentations. If they can have all-in-one on their personal phone or light-weight and easy-to-carry tablet, it makes life much easier for them.

In the future, BYOD is likely to increase, and we might see some environments entirely populated by employee-owned devices, though this is more likely to happen in start-ups and small organisations rather than medium and large-sized companies. There is also an argument that BYOD is driving Cloud services, as the latter represent a more secure way to manage data without taking the risk of saving it onto devices that can be stolen, lost and hacked.

All in all, BYOD can bring many benefits, but needs careful planning and security measures to be adopted correctly. A policy where employees can use their own devices for work purposes should serve as a way to improve productivity. It shouldn’t be an excuse for people to shun secure and approved devices and use expensive and sexy new gadgets just for the sake of being on trend, putting security and efficiency at risk.

Nick Fenton, Team Leader
This article has appeared in the July/August edition of FSTech – Financial Sector Technology:


Identifying priorities in IT security spending

August 20, 2012

Understanding your business’ priorities in terms of security spending is simple.  It starts and ends with protecting your reputation and therefore your customer data. Identifying what those specific priorities are does, however, take a little more time, but not necessarily investment.

Avoiding a situation where hackers post a file that contains passwords of over six million of your customers to the web (LinkedIn in June 2012) could be classed as priority in terms of security spending. You may suffer a virus attack internally, which whilst it might be somewhat annoying, is largely irrelevant as long as your customer’s data is not compromised – unless of course it affects customer service, which will of course also affect your reputation.

Therefore, it is up to anyone with externally facing systems to determine what and how the information they hold about their customers is protected.  The way to do this is to regularly test your defences with external third-party vulnerability testing. This activity cannot be seen as a project but an on-going process. From this, a business can identify its risks and decide how to tackle them based on their impact to reputation and customer data.

In addition, businesses must also conduct their own internal assessment of all risk. There is of course some necessary spend on the hygiene products to ensure a decent perimeter security system, such as anti-virus and anti-spy ware, but after that, to avoid wasting money, risks have to be prioritised according to your business environment. For example, you can invest in some sophisticated security event logging software which is useful when a security event happens, but you’d rather invest in preventing that event from happening in the first place…first.

There is a perception that security breaches take place where clever hackers find some kind of technical weakness in a company’s systems, which means you have to spend lots on even more clever security software, but largely this is not the case. Most breaches are down to people making mistakes internally. This might be mistakes in how a system is configured or simply carelessness in handling data.  Businesses would be far better off spending time, rather than money looking at avoiding these problems.

Adrian Polley, Director

10 tips for managing the human side of IT

August 14, 2012

The success of an IT department does not solely depend on having the best hardware and latest software. In fact, these alone do not guarantee efficiency if the people working in IT Support are not managed appropriately. It is not a simple task: each Support engineer has their own personality, strengths and weaknesses, ambitions and drive. So here are a few tips to get the best out of your IT Support team in order to deliver an efficient and reliable service to the business.

1 – Understand role ‘shelf life’

Most people want to progress in their career, and in IT this process can be found to be somehow accelerated, leading to significant staff turnover. In order to be prepared to deal with this, it is important to understand someone’s longevity in a certain role, as they will only be effective whilst they are engaged. Different roles have varying shelf life – for example, a typical Service Desk role would last around 18 months-2 years while more skilled software development positions can last longer.

2 – Skills set relevance

Understanding skills sets and ensuring they are relevant to the tasks being performed ensures employees feel valued for what they know rather than being undervalued for what they don’t. This keeps staff happier and also allows them to identify areas within their skills set to develop and improve if they want to progress.

3 – Encourage personal development

To retain staff and keep them motivated, a good manager should recognise development opportunities within the scope of their roles and encourage them to improve their skills. Shadowing other roles, when possible, is also a good way for staff to experience other realities and understand where they want to go with their career.

4 – Feedback and reward

Having regular feedback sessions is imperative for all managers. This should include positive as well as negative feedback, but the most important thing is that, overall, it is constructive. Good results must be recognised, praised and rewarded when possible (it doesn’t have to be financially). This can generate healthy competition internally to naturally get the best out of people.

5 – Expectations management

Just like in any other business agreement, don’t make promises that can’t be achieved. Managing expectations is a vital part of a manager’s role and this has to be done for both sides – the business and IT staff.

6 – Equality and consistency

A good manager has to ensure the same techniques and processes are used for all staff and that they all feel that they are being treated equally. Make sure the team knows where they stand and enforce the same discipline and principles across the whole group.

7 – Differences

When there are both in-house and outsourced staff within the IT service desk, it is important that everyone understands the difference between the two. Staff employed directly and staff provided by Managed Service Providers might have different benefits, varying working hours and so on. Make sure it’s recognised and appreciated and that all expectations are managed.

8 – Relationship building

Listen. Staff like to engage with their management team on a personal front. Offer time to listen but understand boundaries and keep it professional.  Just show an interest and don’t make it “all about work”.

9 – Tailor management style

Adapt your management style so that it is fit for the environment in which you’re working. Different approaches work in different environments. Also ensure the environment is appropriate for an individual’s specific requirements.

10 – Empathy

Take time to understand the roles that you are supervising. The best managers are the ones who can understand the pressures of the people they are managing and empathise with them.

Ben Whitehead, Service Delivery Manager

Find the piece on ITSM Portal

Legal and financial firms should follow the ICO’s data security guidelines, too

August 10, 2012

Just two days after the news of a Torquay health trust being fined £175,000 for publishing sensitive data of over 1,000 of their own employees on their website, the Information Commissioner’s Office (ICO) released the top five areas which need improvement in order to keep personal and sensitive information safe within an SME. Although aimed at charities and public sector organisations, these tips are also relevant to the private sector, in particular the financial and legal arena where a vast amount of personal and sensitive information is handled.

The guidelines issued by the ICO include giving employees data protection training, being clear on what use is made of personal information and having an established data retention period, where it is only kept for as long as necessary. It is important to highlight the emphasis on the ‘people’ factor and the role of security awareness training in the protection of information within an organisation. Human error is still the leading cause of data protection breaches across the UK, most of which are not malicious. About a third of all data breaches (36 per cent) are due to negligent employees, according to the latest Symantec/Ponemon Institute ‘UK cost of a Data Breach’ study. It is therefore crucial to give more attention to educating people rather than simply concentrating on purchasing the latest data protection tools and technology.

Organisations have to act in two ways: on one side, they have to train their employees so that they are more aware of data protection regulations, the applicable risks to the organisation and internal policies, as well as the consequences of not following these regulations and policies; on the other side, they need to protect themselves from their own employees, making sure encryption is used on all devices, as well as limiting access to data to only those who are authorised.

If personal and sensitive information is lost, stolen or made public, the organisation responsible for the breach will potentially face a hefty fine – but the consequences of a data breach are not only financial. Especially in the case of financial and legal firms, there will also be reputational damage which may be too difficult to recover from.

It may be the case that for a large multi-national company the money and reputational loss involved does not affect their bottom line or position within the market too much, it is not the same for small and medium-size enterprises. With less money at their disposal and a limited number of loyal clients, a large fine can severely affect their capital and the subsequent reputational loss might lead to business loss and, ultimately, failure.

For this reason, it is increasingly important that SMEs in the legal and financial sector invest time and resources on preventing information security incidents, in order to avoid having to pay for their mistakes at a later date. There is a lot of trust bestowed upon these organisations by their clients, so the least they can do is to make sure that their details are kept safe and secure, ensuring that this trust is well deserved.

David Cowan, Head of Consulting Services

BYOD brings on new issues and chances for IT Support staff

August 10, 2012

With growing pressure on the IT Service Desk to allow the use of tablets and smartphones for work purposes, it is important to understand how this will affect the IT Support function and the metrics used to evaluate its efficiency.

Perhaps surprisingly, demand for Bring-Your-Own-Device (BYOD) tends to come from Senior Management and C-executives rather than from the more tech-savvy ‘Generation-Y’. These types of users are strongly attracted by new devices and find it easier to work directly from their personal equipment rather than carry around a corporate-approved laptop and phone.

But end users are sometimes unaware of the technical and security issues involved in a BYOD policy.  First of all, if their expensive smartphones and devices are stolen, lost or hacked, the information stored on or accessible through them is at risk, which could result in hefty fines and loss of reputation in the case of a Data Security Breach.

Secondly, BYOD can create new issues for the IT Service Desk. There may be an increase in the number of incidents IT staff will have to deal with, as engineers might not be familiar with the devices and could require additional training. Also, analysts might have to deal with a number of calls that aren’t necessarily relevant to their role, but they are still expected to answer, such as how to download an app or change the ringtone.

These issues will potentially slow down incident resolution and increase the volume of incidents, affecting service levels and therefore any Key Performance Indicators or Service Level Agreements that are in place.

Of course there are also advantages to BYOD: IT analysts can enjoy a more varied environment and get the chance to learn something new. The newly acquired skills will add to their experience, making them more valuable as professionals.

Nick Fenton, Team Leader

This piece appeared in the Summer edition of IT PRO Quarterly Report

How to recruit IT staff (when you don’t understand IT yourself)

August 10, 2012

Having recruited more than 1,000 IT professionals over the last 20 years for our managed service teams providing IT support for businesses, I can safely say Plan-Net has learned a thing or two about how to recruit IT staff.

Hopefully this article might help those of you who are less IT-savvy still make wise IT staff recruitment decisions, and avoid costly mistakes along the way.

There is no shortage of IT people in the labour market today, but the real challenge is in finding the good ones – and then, from that much smaller pool, identifying the right one for your business.

Even those of you who don’t have a great understanding of IT will probably have a good feel for what you need IT staff to deliver. Businesses rely on technical tools and systems. We need someone to fix these quickly when they stop working, and we need someone to improve them so we can increase our business productivity and efficiency.

So the first step when recruiting is to articulate the service your business needs from its IT staff or department. The trickier next step is to convert this into an IT job description that thoroughly details all the necessary technical skills and experiences the individual or team would need. If you’re starting to get lost in technical jargon at this point, it might be wise to find an IT friend or contact that can help you do this. Even if it means paying them a small fee, you’ll avoid the first costly mistake, which is the wrong job description.

Recruiting IT staff: finding the good ones

Using a specialist IT recruitment agency is helpful as they will have a wider access to the supply pool than you, so it can expedite your search. However, a note of caution when dealing with agencies is that their interest is in securing the placement as quick as possible so they can take their fee.

So if they find and present you with three candidates, they will want you to choose one of them, even if perhaps none of them are right for your business. It’s worth ensuring agencies offer you at least a 3-month, or even better 6-month, refund or replacement mechanism if things don’t work out. You can also try scouring LinkedIn and asking your existing business network and partners.

Check, check and check again

The risk for any business looking to fill any type of role is taking on the wrong person. Arguably, this risk is greater for a small company, where you are so much more dependent on every individual to perform. It’s even more risky when you’re looking at IT roles. You are entrusting these people with your business data, systems and operations. A mistake could cost your business dearly.

I therefore cannot emphasise strongly enough the importance of a thorough screening process. Interview candidates face-to-face a number of times yourself and enlist your IT contact to help with the interview too.

For IT staff in particular, it’s important to test their technical skills. At Plan-Net, we have developed our own tests in order to be ultra-confident that potential employees have the necessary capabilities. If you’re doing this yourself, you can find a variety of technical tests online. There are free tests available, but my recommendation is that you invest in paid tests. It can act as a false economy not to.

Background checking is also very important. We invest in a specialist service that carries out a number of checks including CRB (Criminal Record Bureau) checks, credit checks and reference checks.

If you decide to do this yourself rather than using a third party, make sure you check every line of the CV. Check the gaps and make sure you verify all references. We’ve found candidates who claimed they have degrees when they dropped out in the first year, some with outstanding debts and unpaid bills and others with completely bogus references. Sadly, in this economic climate, we tend to see a higher proportion of candidates ‘embellishing’ their CVs. When you’re recruiting IT staff, much like in Finance and HR roles, you are recruiting someone who will be a custodian of your critical business systems and your business information.

Almost above anything else, you must be sure you’ve found someone you can trust.

An easy option

Lastly, if anything to do with IT is Double Dutch to you and you just want to avoid the hassle and headache of recruiting IT staff altogether, you can use managed service providers to manage your IT function for you. Finding the right IT staff to adequately deliver this service is then their challenge – not yours.


Richard Forkan, Director

This article was published on London Loves Business:

The Post-ApocOlympic IT scenario: scalability, mobility and security

July 10, 2012

The Post-ApocOlympic IT scenario: scalability, mobility and security

As organisations of all types and sizes prepare themselves for the Olympics as best as they can, there is still a lot of uncertainty with regards to not only what will happen during the summer event, but also what to expect from the aftermath.

Uncertain forecasts

The latest post-Jubilee figures, issued by Visit England, show that the Queen’s diamond jubilee celebrations have brought an estimated £700m boost to the UK economy; this amount being based on four million people who took overnight trips, spending an average of £175 each. With the Olympics expected to attract an even bigger crowd to London for up to two weeks or possibly even more, it is difficult to foresee what effects there will be on UK businesses, let alone how they will be affected afterwards.

The Bank of England believes that the struggling UK economy will receive a boost that could spell the end of the double dip recession, with an expected output of around 0.2% higher in the third quarter than it otherwise would have been. But others are not so optimistic. Citigroup research based on data from ten Olympics held between 1964 and 2008 shows that there is a tendency for growth to rise in the six months before the tournament, but this is then followed by six months of much weaker growth which can start even before the Games begin.

How are companies preparing?

With so much uncertainty, organisations aren’t really sure how to prepare for all eventualities. Their business might increase greatly during the Olympics, creating a need for more staff, a stronger IT infrastructure and greater IT support to deal with the growth in demand; but they also need a level of scalability that enables them to go back to their previous size afterwards, or to accommodate for any long-term changes if their business finds itself deeply changed. A flexible and scalable IT system and IT support service is vital to keep companies working in a cost-efficient way.

This need for scalability and flexibility has also pushed organisations to try new ways of working, such as mobile and home working, allowing individuals to work around the summer events’ issues and reducing the need to travel into potentially congested areas.

The post-Olympics scenario

After trying mobile and home working during the Olympics, forward-thinking UK businesses might decide they want to adopt this as part of their longer-term IT strategy, finding it a cheaper, more efficient solution that allows them to scale up and down more easily. They will embrace desktop virtualisation to allow employees to work from their own PCs and laptops, and design BYOD (Bring Your Own Device) policies to use tablets and smartphones for work purposes.

This might be the start of a revolution. With the upcoming Windows 8 being able to run on tablets, these will become more powerful and users will be able to do more with them, such as access their familiar Office applications, which at the moment is not always possible. These touchscreen devices could replace mice and desktop PCs, and as users move towards using a single device, it might well be that they will only be using tablets in a few years’ time.

However, right now the tablet doesn’t meet most people’s requirements as an everyday work device: its screen is too small, touch keypads are not as accurate as a standard keyboard and it’s not ideal to quickly switch between multiple applications. It will probably be a while before tablets replace desktop PCs, but they are already starting to replace laptops for things such as working on-the-go, sales and giving client presentations.

New issues

With this new way of working, hardware is not a problem anymore – employees can use their own PC, laptop or tablet, or the company might just set a budget and let the employee choose which device to purchase. The problem, in this scenario, is data.

The data saved, transmitted and processed on employees’ devices is part of the organisation’s Intellectual Property and therefore has great value. How do you make sure that it is secure, managed appropriately and stored in a safe place? Even if virtual desktops allow users to work from their home PCs, you cannot be sure that they don’t store data on their machine.  And when cloud services are used, where is the company’s data kept – is it stored in a data centre in another country, where different laws apply with regards to data security and access? People are using cloud because it is cheap and easy, but it is often not secure enough. You need to wrap something around it to make it more secure.

Companies need to adopt appropriate security measures, such as network access control, strong policies for document management, and use of robust encryption technologies, so that even if data is stolen or accessed by non-authorised people, it cannot be read.

A new, post-Olympics culture

Working from home PCs, tablets and smartphones is a big cultural shift for many, and has to be supported by other types of behaviour-related change. All the security tools and policies in the world are useless without the appropriate security training; human error is the first cause of data security breaches, and if people don’t understand why they have to implement a certain security measure that will add time to their work, they will circumvent it.

So, as organisations evolve and adapt to more flexible ways of working, they shouldn’t forget the data. Hardware can be replaced, but can they afford to lose the list of their clients to their competitors? Organisations must make users aware of the responsibility this new-found work freedom allows. They, and not just the IT department, are now custodians of the data and responsible for its security so you have an obligation to make them aware of this.  Data security should be included in everyone’s induction training and the promotion of good practice should be a continuous feature.

With the Olympics and technology innovations pushing companies towards more flexible ways of working, the revolution may be coming sooner than we think. But it is important to understand that everyone needs to be ready, not just the IT department, in order for it to take place without the company incurring a new risk that may outweigh all the benefits.

David Tuck, Principal Consultant 

This article can be found in the July/August edition of London Business Matters (page 40):

IT outsourcing in the banking sector – what’s the big deal?

July 10, 2012

It is no surprise for those who work in the technology and banking sectors: banks often make large use of outsourcing and managed services for their IT. It is a cost-efficient solution that can help them remain competitive within the market with easy access to the best skills, technology and processes available. However, banks tend to be wary of announcing this practice to the world as they fear customers will think their personal and financial information may be put at risk, and won’t trust them with their money.

Since the NatWest/RBS/Ulster IT glitch became public there has been a lot of speculation around the origin of the issue. The banking group has tried to remain vague while focussing on reassuring their customers, while people took to online forums and social networks to make accusations towards the bank’s IT management and sourcing choices.

The banking giant was in fact accused of hiding the fact that the problem was possibly linked to their use of offshoring, as recent job ads for the support of one particular system which was thought to be the cause were found on recruitment websites in India.

But if the glitch had been caused by an in-house team member, would it have caused less of a reaction? What about an in-house IT Service Desk, but managed by an external service provider? Rather than pointing fingers at ‘outsourcing’, the real issue might be ‘bad sourcing’ or ‘bad IT management’. As this example might have shown, offshoring to save money might actually create more costs due to many factors, such as cultural differences, lack of control, different laws related to data security, and so on. A managed service, where IT is retained in-house and simply managed by a trusted third party, can be a much safer option.

Perhaps if there was more information on outsourcing, customer culture could change and they, too, could start to see outsourcing like a good thing, an improvement, a cost-efficient solution rather than a threat.

A recent survey by the National Outsourcing Association (NOA) found that 80 per cent of UK citizens believe ‘outsourcing hinders British businesses’. However, only 27 per cent of UK citizens associated ‘a local computer company providing IT support to small businesses’ with ‘outsourcing’, while 58 per cent thought ‘a bank opening a call centre in India’ was an example. This clearly means that outsourcing is mainly associated with offshoring, which is only one possible way to outsource a service or function. But there are many other, safer solutions that still use UK resources, such as managed services, co-sourcing and shared services – some even allow the organisation to keep staff in the same office.

So on one side, banks should probably be more transparent on their use of IT outsourcing, so that customers can get used to the fact that its use is quite common. It is important for bank customers to know where their data is stored, who has access to it and what the risks are.

On the other, it is important that people are being made aware of what outsourcing is, what types exist and what benefits this practice can bring. Banks should clearly explain what measures are in place to ensure their personal and financial information is not accessed, stolen or lost and why using an outsourced or managed service can be a benefit for them as well, improving their banking experience by maximising the skills and services of outsourcers.


Jon Reeve, Principal Consultant

This article appeared on Director Of Finance Online:

Microsoft Surface – should Apple be worried?

July 2, 2012

It has been known for a long time that the new version of Windows 8 would be making its debut on a tablet later this autumn, but few actually knew Microsoft would be taking a similar route to market as Apple and actually creating its own product to do so.

Traditionally Microsoft has relied on 3rd party manufacturers such as Dell, HP, ASUS, etc. to create devices for its operating system – but not this time. Microsoft has proved it has the muscle to deliver a hardware platform with its X-box gaming console so it should not be a surprise, but this may seriously affect its relationship with its traditional partners who have until now provided the hardware platform. But really, will it? Are they going to switch on-mass to Android or is Apple going to allow them to create tablets for IOS?  I don’t think so. Many of them already create tablets in Android and they will not stop doing so; however, they can also now create a Windows version too.

I think the creation of the Microsoft tablet was driven by two goals. Firstly, to create a test hardware platform for them that they could develop Windows 8 on to make sure it really does work; and secondly, to show the manufactures the standard and quality of the product they expect for their operating system to sit on. They know that this is the final throw of the dice in the tablet war and it has to be right, it has to be “aspirational”. Microsoft has set the standard and the manufactures now have to follow.

By creating two versions, Microsoft has cleverly extended the reach of their Windows 8 operating system. At home sitting on the sofa you can use the Windows RT much like an IPAD browsing the internet, doing online banking, listening to music, etc., but it can do more of the things you do in the office as well. Corporate customers can truly begin to switch from the traditional laptop to a single device for both the office and mobile use with the Windows 8 professional version offering the power to be a true single replacement.

When it comes to specification, it is obvious that Microsoft have been doing their homework. The Windows RT is a 1/10th of a mm thinner than the IPAD and sports a larger 10.6 inch against 9.7 for the IPAD3. This means it can support true 16.9 widescreen which the IPAD can’t, which for the movie aficionado might be important. It does, however, due to this larger screen, weigh in at around 20g more. It has Gorilla glass to prevent scratching and comes with a clip on magnetic cover much like the IPAD.  However, unlike the IPAD it also doubles as a full size keyboard which makes it more “laptop” like when in use. To further extend this view it also has a built in stand so the screen can be tilted at a comfortable 22degrees mush like a laptop.

Microsoft have invested heavily in creating their own alloy for the casing and stand to make it light and strong and they say that in future they could reduce the thickness from the current 9.6mm . Other innovations also include a full-size USB2 port which means you can connect it to traditional accessories such as a mouse, keyboard, external hard drive, etc. and this should further extend its flexibility. In terms of memory it matches the industry standard of 32 and 64GB versions with the option to extend with a micro-SD port.

Although the RT is more like a laptop, Microsoft seems to think that a single device would not meet all demands, so they have brought out a 2nd product. This will run the full version of the Windows 8 professional operating system and use the Intel based chipset, unlike the ARM in the RT, but has an increased thickness and is slightly heavier. It does, however, sport a USB 3 port for added speed and flexibility. It also comes with either 64 or 128 Gb of memory, reflecting its more corporate aim point. Of course, running Windows 8, which will be the new single OS for Microsoft, means that it will run all the same programs as the traditional desk/laptop.

The real question is of course how will Windows 8 as the single OS across phones, tablets and PCs fair. Well, having used the pre-release version, I found it stable at least. The new UI will take a little while to get used to, but having used windows mobile 7.5 extensively, which has a similar look and feel, I found it quite intuitive. I am perhaps not the average user though and I think the start button will be missed, although getting used to using the “windows” button on the tablet and keyboard to return to the UI starts to feel more intuitive after a while. I found that all the programs I had loaded in Windows 7 continued to work under windows 8 and if, as I am sure many will, you can go straight from the UI to a traditional desktop and it feels very similar to windows 7, although you will note the absence of the start button on the bottom left. I am not sure how it will work with the tablet but if it works as intuitively as windows 7.5 on the mobile, it should be a winner.

So the $64000 question – is it better than the IPAD? – well, judgement must be reserved until we see its use in anger. The IPAD has been successful for good reasons. It is a quality device that is aspirational and works very well with lovely presentation and finish and IOS has a wide range of applications available for it. This alone makes it a device which everyone wants. If Microsoft can create this aspiration for their product, then they could be in a position to challenge this dominance. The majority of us are familiar with the Microsoft suite of products and use them on a day to day basis, and the ability to transfer these across to the tablet must give them a fighting chance. The Windows PC is the only platform that has more applications available for it than IOS, so this should level this playing field here, too.

In terms of the corporate user, the CIO has really been waiting for a viable competitor to Apple. The IPAD has sneaked in via the CEO/Senior management route without clear thought to its use and implications: they wanted it, so they used it. Unfortunately for IT, the management of the device has always been an issue; it is designed as a consumer device, not corporate , so does not come with the management tools necessary to make sure it fits in with corporate policies. Here with the wealth of corporate products available in the Windows world, perhaps Microsoft might finally have the advantage.

Putting out a tablet with a new OS is a gamble but is one which they needed to do now while they still retain the dominant position in the PC OS space. If they had left it much longer the erosion of their market may have reached a point of no return.  The creation of two versions could also prove to be a master stroke. It has always been difficult to create a “one fits all” device and so they have decided to try. In creating a corporate and consumer version of the same product, they might have just got it right. Only time will tell, but healthy competition can only be good, both for corporate and consumer. If this does not work, the future certainly looks to belong to the Apple!


David Tuck, Principal Consultant

Too much security may affect business processes

July 2, 2012

A balance is needed between the protection of information and productivity within a business environment.

Policies, training and awareness, technological tools, physical security barriers – the IT security market today offers all sorts of solutions to help you protect your business from potential reputational or financial damage. However, a heavy investment in information security solutions may have a counter-productive impact on the business. It can affect the corporate culture, flow of information and operational processes, leading to inefficiencies and productivity loss. On the other hand, being too permissive can have the same result, with employees able to access, share, lose or damage sensitive data too easily. How can you find the right balance between protection and productivity?

First of all, companies have to decide just what is important to them and identify the Information Assets that need protecting, the possible risks and the scale of security controls to implement. Once you have analysed each business area and decided which parts of your business are critical, it is then possible to evaluate the appropriate means to protect that information – which could include anything from technology controls to HR disciplinary procedures. A blanket approach to security can be damaging or even counter-productive if only 10% of the organisation has been identified as a high-risk area. Heavy security measures are only needed for critical areas or systems – Finance or HR normally need more controls than Admin and Marketing, which deal with less sensitive data.

Many organisations adopt complex passwords and encryption technology because they think they should, but they do not necessarily understand what they are trying to protect and the impact on the Confidentiality, Integrity and Availability of Information. Excessive restrictions can have similar effects to no restrictions at all: frustrated by the time and effort needed to perform the simplest operations, staff may find ways to circumvent controls to make their lives easier, with disastrous consequences. On the other hand, opening up completely and allowing employees to access and share confidential information is of course not advisable – employers need to protect themselves from their employee’s mistakes or malicious behaviour as well.

It’s a battle between security and productivity. Most businesses are ultimately focused on making a profit; however, they are also concerned with working more efficiently, collaborating with the supply chain, partners and so on. Technology and processes adopted should help make life easier for staff and not obstruct the flow of information.  A frustrated employee might take work home because it’s easier to work from there, with fewer restrictions. They might be unable to finish work in the office due to the time spent logging in and out, waiting for approval or phoning up the Service Desk because they forgot a password. Staff won’t be willing to document and collaborate if it is too restrictive and cumbersome to do so. Experience tells us that complex passwords tend to be written down as they are too hard to remember, which defeats the purpose, like hiding your house key under the door mat. At the same time, employers could be sued or unable to claim on insurance if the correct controls weren’t in place.

Think about why you lock your doors and windows when you leave your house unoccupied: it’s the same reason that a business implements Information Security controls.  Firstly, it is to protect what you own and, secondly, you want to ensure that, in the event of a break-in, all the requirements of your insurance cover are met, i.e. Insurance companies won’t pay out if you left your back door wide open. Yet you wouldn’t lock all the internal doors and windows when you are in the house, would you? That is because most people feel that would be unnecessary and too restrictive as the house is occupied. Having adequate controls in place based on the identified risk is the same process in your home as it is in business.

However, some types of businesses require a larger amount of security measures than others. Large corporations or certain types of businesses might want or need greater security across the whole of their organisation; they are able to implement more controls, as they can afford to pay for expensive technology and even accept large fines if this protection failed, without risking immediate bankruptcy. Banks require higher levels of security because they deal with very sensitive personal information and they rely on their clients’ trust to exist. They have to be very secure and comply with all legislation, regulations and best practices. Excessive controls in this case are justifiable because they will reduce the number of security incidents, fines and crimes.

It is small and medium-size businesses that are the most concerned with finding the right balance. They cannot afford to take the risk of not adopting the necessary best practice controls. At the same time, they cannot afford to pay for a large amount of technology that is not essential to them or will cause even more disruptions and possibly lead to a loss of revenue. If a SME is too restrictive, they won’t be able to be productive. Sharing information with partners, peers and other SMEs is vital for their survival. In this environment, restricting the flow of information could hinder their growth.

Information Security is not a one-size-fits all solution – it needs to be tailored to each business depending on their respective risks and business objectives. Organisations have become over-protective because of the pressure applied by clients to protect their information, stricter regulations and larger fines. Nonetheless, it is important to understand that sometimes productivity is much more important to a business. Security measures mustn’t be so restrictive they affect business processes, nor too relaxed that they cause harm. The key is to weigh up all the risks and vulnerabilities, potential consequences and controls and then decide which information assets to protect and which can be accessed and shared openly without major consequences.  Following a risk based approach will lead to business growth and spending the right amount of time and money on the right level of protection in the right areas.

ImageDavid Cowan, Head of Consulting Services

This article was published on Infosecurity Magazine: