Posts Tagged ‘IT security’

Identifying priorities in IT security spending

August 20, 2012

Understanding your business’ priorities in terms of security spending is simple. It starts and ends with protecting your reputation and therefore your customer data. Identifying what those specific priorities are does, however, take a little more time, but not necessarily more investment.

Avoiding a situation where hackers post a file containing the passwords of over six million of your customers to the web (LinkedIn in June 2012) could be classed as a priority in terms of security spending. You may suffer a virus attack internally, which, whilst it might be somewhat annoying, is largely irrelevant as long as your customers’ data is not compromised – unless of course it affects customer service, which will also affect your reputation.

Therefore, it is up to anyone with externally facing systems to determine what information they hold about their customers and how it is protected. The way to do this is to regularly test your defences with external third-party vulnerability testing. This activity should not be seen as a one-off project but as an ongoing process. From this, a business can identify its risks and decide how to tackle them based on their impact on reputation and customer data.

In addition, businesses must also conduct their own internal assessment of all risk. There is of course some necessary spend on the hygiene products that ensure a decent perimeter security system, such as anti-virus and anti-spyware, but after that, to avoid wasting money, risks have to be prioritised according to your business environment. For example, you can invest in some sophisticated security event logging software, which is useful when a security event happens, but you would do better to invest first in preventing that event from happening in the first place.

There is a perception that security breaches take place where clever hackers find some kind of technical weakness in a company’s systems, which means you have to spend lots on even more clever security software, but largely this is not the case. Most breaches are down to people making mistakes internally. These might be mistakes in how a system is configured or simply carelessness in handling data. Businesses would be far better off spending time, rather than money, on avoiding these problems.

Adrian Polley, Director

Legal and financial firms should follow the ICO’s data security guidelines, too

August 10, 2012

Just two days after the news of a Torquay health trust being fined £175,000 for publishing sensitive data of over 1,000 of their own employees on their website, the Information Commissioner’s Office (ICO) released the top five areas which need improvement in order to keep personal and sensitive information safe within an SME. Although aimed at charities and public sector organisations, these tips are also relevant to the private sector, in particular the financial and legal arena where a vast amount of personal and sensitive information is handled.

The guidelines issued by the ICO include giving employees data protection training, being clear on what use is made of personal information and having an established data retention period, so that information is kept only for as long as necessary. It is important to highlight the emphasis on the ‘people’ factor and the role of security awareness training in the protection of information within an organisation. Human error is still the leading cause of data protection breaches across the UK, most of which are not malicious. About a third of all data breaches (36 per cent) are due to negligent employees, according to the latest Symantec/Ponemon Institute ‘UK Cost of a Data Breach’ study. It is therefore crucial to give more attention to educating people rather than simply concentrating on purchasing the latest data protection tools and technology.

Organisations have to act in two ways: on one side, they have to train their employees so that they are more aware of data protection regulations, the applicable risks to the organisation and internal policies, as well as the consequences of not following these regulations and policies; on the other side, they need to protect themselves from their own employees, making sure encryption is used on all devices, as well as limiting access to data to only those who are authorised.

If personal and sensitive information is lost, stolen or made public, the organisation responsible for the breach will potentially face a hefty fine – but the consequences of a data breach are not only financial. Especially in the case of financial and legal firms, there will also be reputational damage which may be too difficult to recover from.

While for a large multinational company the financial and reputational loss involved may not affect its bottom line or position within the market too much, it is not the same for small and medium-sized enterprises. With less money at their disposal and a limited number of loyal clients, a large fine can severely affect their capital, and the subsequent reputational loss might lead to business loss and, ultimately, failure.

For this reason, it is increasingly important that SMEs in the legal and financial sector invest time and resources in preventing information security incidents, in order to avoid having to pay for their mistakes at a later date. A lot of trust is bestowed upon these organisations by their clients, so the least they can do is to make sure that their details are kept safe and secure, ensuring that this trust is well deserved.

David Cowan, Head of Consulting Services

The Post-ApocOlympic IT scenario: scalability, mobility and security

July 10, 2012

As organisations of all types and sizes prepare themselves for the Olympics as best they can, there is still a lot of uncertainty with regard to not only what will happen during the summer event, but also what to expect from the aftermath.

Uncertain forecasts

The latest post-Jubilee figures, issued by Visit England, show that the Queen’s diamond jubilee celebrations have brought an estimated £700m boost to the UK economy; this amount being based on four million people who took overnight trips, spending an average of £175 each. With the Olympics expected to attract an even bigger crowd to London for up to two weeks or possibly even more, it is difficult to foresee what effects there will be on UK businesses, let alone how they will be affected afterwards.

The Bank of England believes that the struggling UK economy will receive a boost that could spell the end of the double-dip recession, with output expected to be around 0.2% higher in the third quarter than it otherwise would have been. But others are not so optimistic. Citigroup research based on data from ten Olympics held between 1964 and 2008 shows that there is a tendency for growth to rise in the six months before the Games, but this is then followed by six months of much weaker growth, which can start even before the Games begin.

How are companies preparing?

With so much uncertainty, organisations aren’t really sure how to prepare for all eventualities. Their business might increase greatly during the Olympics, creating a need for more staff, a stronger IT infrastructure and greater IT support to deal with the growth in demand; but they also need a level of scalability that enables them to go back to their previous size afterwards, or to accommodate any long-term changes if their business finds itself deeply changed. A flexible and scalable IT system and IT support service is vital to keep companies working in a cost-efficient way.

This need for scalability and flexibility has also pushed organisations to try new ways of working, such as mobile and home working, allowing individuals to work around the summer events’ issues and reducing the need to travel into potentially congested areas.

The post-Olympics scenario

After trying mobile and home working during the Olympics, forward-thinking UK businesses might decide they want to adopt this as part of their longer-term IT strategy, finding it a cheaper, more efficient solution that allows them to scale up and down more easily. They will embrace desktop virtualisation to allow employees to work from their own PCs and laptops, and design BYOD (Bring Your Own Device) policies to use tablets and smartphones for work purposes.

This might be the start of a revolution. With the upcoming Windows 8 being able to run on tablets, these will become more powerful and users will be able to do more with them, such as access their familiar Office applications, which at the moment is not always possible. These touchscreen devices could replace mice and desktop PCs, and as users move towards using a single device, it might well be that they will only be using tablets in a few years’ time.

However, right now the tablet doesn’t meet most people’s requirements as an everyday work device: its screen is too small, touch keypads are not as accurate as a standard keyboard and it’s not ideal to quickly switch between multiple applications. It will probably be a while before tablets replace desktop PCs, but they are already starting to replace laptops for things such as working on-the-go, sales and giving client presentations.

New issues

With this new way of working, hardware is not a problem anymore – employees can use their own PC, laptop or tablet, or the company might just set a budget and let the employee choose which device to purchase. The problem, in this scenario, is data.

The data saved, transmitted and processed on employees’ devices is part of the organisation’s intellectual property and therefore has great value. How do you make sure that it is secure, managed appropriately and stored in a safe place? Even if virtual desktops allow users to work from their home PCs, you cannot be sure that they don’t store data on their own machine. And when cloud services are used, where is the company’s data kept – is it stored in a data centre in another country, where different laws apply with regard to data security and access? People are using the cloud because it is cheap and easy, but it is often not secure enough. You need to wrap something around it to make it more secure.

Companies need to adopt appropriate security measures, such as network access control, strong policies for document management, and the use of robust encryption technologies, so that even if data is stolen or accessed by unauthorised people, it cannot be read.

A new, post-Olympics culture

Working from home PCs, tablets and smartphones is a big cultural shift for many, and has to be supported by other types of behaviour-related change. All the security tools and policies in the world are useless without the appropriate security training; human error is the leading cause of data security breaches, and if people don’t understand why they have to implement a certain security measure that will add time to their work, they will circumvent it.

So, as organisations evolve and adapt to more flexible ways of working, they shouldn’t forget the data. Hardware can be replaced, but can they afford to lose their client list to their competitors? Organisations must make users aware of the responsibility this new-found work freedom brings. Users, and not just the IT department, are now custodians of the data and responsible for its security, so you have an obligation to make them aware of this. Data security should be included in everyone’s induction training, and the promotion of good practice should be a continuous feature.

With the Olympics and technology innovations pushing companies towards more flexible ways of working, the revolution may be coming sooner than we think. But it is important to understand that everyone needs to be ready, not just the IT department, in order for it to take place without the company incurring a new risk that may outweigh all the benefits.

David Tuck, Principal Consultant

This article can be found in the July/August edition of London Business Matters (page 40):

http://www.londonbusinessmatters.co.uk/archive/2012-07/index.html

Focus on 2012: 5 key areas in Enterprise IT

December 19, 2011

According to industry analysts, experts and professionals, some of the changes and novelties introduced in the last few years are set to become actual trends in 2012. Influenced by the ever-challenging economic climate, a disillusioned yet careful outlook on industry best practices and the need to obtain measurable efficiency from any IT project, these are the five key areas that will acquire growing importance next year:

1) Larger use of non-desktop-based applications

This is due to a growing need for mobility and flexibility. Users need to be able to work while travelling, from any desk or office (for instance, in the case of large/international companies) and from home, as home-working is growing due to the financial benefits involved. It is also a good way to guarantee business continuity in the case of unforeseen circumstances such as natural disasters or strikes which leave workers stranded or unable to reach the office. As well as cloud applications, virtualised desktops are becoming a must-have for many organisations. Companies with older desktops which need updating anyway will find this switch more financially convenient, as will those with a large number of mobile users who need to access applications from their smartphone or laptop while out of their main office. It can also give organisations considering or embracing home-working more control over the desktops, as they will be centralised and managed by the company rather than at user level.

2) Larger use of outsourced management services

The ‘doing more with less’ concept that started to take hold at the beginning of the past recession has translated into practical measures. These include handing part or the whole of the Service Desk to an external service provider which, for a fixed cost, will know how to make the best of what the company has, and provide skilled personnel, up-to-date technology and performance metrics. Managed services, IT outsourcing and cloud services will become even more prominent in 2012 and the following years due to their convenience from a practical and financial point of view. With the right service provider, the outcome is improved efficiency, fewer losses deriving from IT-related incidents and more manageable IT expenditure.

3) Management plans for ‘big data’

There is much talk around the current topic of ‘big data’, which describes the large amount of varied data organisations have to deal with nowadays. There are some practical issues that arise from this – mainly how to store it, share it and use it, all without breaching the Data Protection Act. However, at the moment it is still very difficult to understand how to take the next step: using this data strategically to create business advantage. This is something companies will have to look at in the years to come; as for next year, they might just concentrate on dealing with data safely and efficiently, possibly storing it on a private virtual server or using public cloud services.

4) A more balanced approach to security

This new approach sees the over-adoption of security measures dropped after the realisation that it might affect productivity by causing delays in carrying out business operations; it could also diminish the opportunities found in sharing data within the sector to allow organisations to improve and grow; lastly, it can be counter-productive, with employees bypassing the measures in place in order to make operations quicker. Although being compliant with ongoing regulations is becoming vital, there will be more scoping and tailoring than large-scale technology adoption. Organisations will be analysed to understand which areas are in need of security measures and to what extent. This way, heavy security measures will be applied only to high-risk areas rather than throughout the whole organisation, with less critical areas able to work more freely. In this approach, risks are balanced against efficiency and opportunity, and the end result is a tailored solution rather than a collection of off-the-shelf products.

5) Less budget control

Due to the challenging economic climate, other departments, in particular the finance department and therefore the DOF, will have more control over IT investments. CIOs and IT Managers will have to be able to evaluate whether their IT project is necessary or just a nice-to-have, and how it can bring business advantage. All proposed IT investment will have to be justified financially; therefore, it is important to analyse each project and find a reasonable ROI before presenting it to the finance decision-makers. This implies that IT professionals have to learn ‘business talk’ and manage to translate difficult technical descriptions into business terms.

All in all, developments within IT will not come to a halt next year – investment and changes will continue, but with a more careful outlook and a stronger focus on efficiency, safety and Return on Investment rather than on following trends or adopting the latest technology for the sake of it. Because of this, the difficult economic climate could also be seen as a good thing: organisations make wiser and more far-sighted choices that will create a solid base for any future decision made when times are less tough and spending capacity rises, increasing the efficiency potential of IT for business purposes.

Tony Rice, Service Delivery Manager

Private vs. public sector IT security: more dedicated staff, yet less awareness

March 3, 2011

According to recent data, the private sector lags behind with regards to data protection, while public sector organisations lead the way. David Cowan explains how firms can improve their IT security and avoid losing money, clients and reputation.

A recent survey commissioned by the Information Commissioner’s Office (ICO) revealed that there is a remarkable difference between the public and private sector’s approach to Information Security. The data contained in the research carried out by Social and Market Strategic Research (SMSR) showed that, in fact, the public sector was much more aware of the Data Protection Act principles compared to the private sector.

When asked to identify, unprompted, the main principles contained in the Act, the 7th Principle, ‘Personal information is kept secure’, was mentioned by 60% of public sector organisations, compared to only 48% of private firms. However, a more shocking divide can be found in awareness of the Information Commissioner’s Office’s existence: 42% of private firms had not heard of it at all, a percentage that actually increased from previous years – yet this was not the case for public organisations, where only 3% were not aware of the UK’s independent authority set up to uphold information rights in the public interest.

A lack of awareness, however, does not prevent the majority of private sector firms from having more than 10 members of staff dedicated to information security-related duties, compared to an average of 2 in public sector organisations. Quantity is not directly proportional to quality, it seems.

In reality, the public sector has had more reason to be data protection-savvy due to handling large volumes of personal and sensitive data. The private sector should start following its example. Regulations have become stricter and ICO fines are tougher, with the authority now able to impose a fine of up to £500,000 for a serious breach. It is important, then, that all firms improve their awareness of information security and that they have an efficient system in place for protecting personal and sensitive information and for dealing with any breach in the most appropriate manner.

Private organisations which deal with sensitive and confidential data – such as banks and law firms – should take these results as a wake-up call and an opportunity to learn from the public sector. They are in fact the most at risk of suffering major consequences in case of a breach of the DPA.

Critically, it is important to understand the steps for improving Information Security. First of all, it is vital that organisations are aware of their information assets and the associated risks. They can do this by conducting an assessment of their Information Security Management System, in particular the controls surrounding the information assets of the organisation. This can then be assessed against the international standard for Information Security ISO 27001, to identify any weak points, possible corrective actions and areas of risk.

Once these have been identified, it is possible to plan remedial work which covers policies, procedures and technology, as well as staff education and awareness, implementing it on a continuous cycle. It is important to note that documents and technology alone are not enough to guarantee an improvement; however, they can minimise information security risks.

Staff commitment, from senior management to the most junior employees, is the key to make all the controls and procedures work. If staff are not made aware of policies and procedures introduced, or are not willing to collaborate, perhaps because they do not understand why they should change the way they have always worked, then no amount of technology can keep an organisation in line with the appropriate standards and regulations.

At the same time, management need to take strong ownership and underline the importance of data protection with a clear Information Security statement; their strategy should include disciplinary action for whoever does not adhere to the policies. Investing time and effort in prevention will pay off more than insurance, as the latter may reduce some of the damages but not the most important cost – the organisation’s reputation.

It is undeniable that although data security risks can be minimised, they cannot be completely eliminated – there will always be a human or technical error that results in sensitive data being lost, destroyed or disclosed. This, unfortunately, can happen in both the public and private sector, often even when all the appropriate measures are in place. For that, you can only act according to the associated risks, for instance by allowing data to protect itself not only through encryption, but through the implementation of a data classification system that restricts access to authorised viewers only.

Information Security is not a final destination; instead, it is a never-ending journey where everyone from senior management to service desk engineers commits to an ethos in order to protect personal information from loss, leakage and theft in a manner which is proportional to the identified risks.

David Cowan, Head of Consulting Services

This article is published on Infosecurity UK: http://www.infosecurity-magazine.com/view/16319/comment-public-vs-private-sector-information-security/

Data security: controlling the risks – The EGB Masterclass

February 23, 2011

by Dan Jellinek, E-Government Bulletin

David Cowan

Public sector information security breaches often hit the headlines, but are public bodies really any worse than the private sector in this area? What are the main risks, now and in a future of ‘any time, any place’ access to systems through cloud computing, and how can they best be tackled? We ask David Cowan (pictured), Head of Consulting at IT services provider Plan-Net.

Q: What are the main areas of risk for public bodies in keeping their data secure?

A: Public bodies are subjected to a plethora of regulations, standards and frameworks on data security due to the nature of the information they hold, and the associated risks of handling the sheer volume of personal or sensitive data. The main areas of risk are staff failing to observe the organisation’s information security procedures; malicious activity from both internal and external sources such as staff unlawfully selling or obtaining personal data and external threats from fraud, or from crime syndicates or rogue groups using ‘phishing’ or social engineering; and organisations and staff not being aware of their legal obligations, such as the legal obligation to report an information security breach under the Data Protection Act.

Q: What is the scale of risk faced by public bodies?

A: It is difficult to quantify the scale of the risk, but even with all the controls, standards and regulations in place to reduce risk, it is still not possible to eradicate it altogether. The size and geographical spread of public sector organisations increases the risk of data leakage and malicious activity occurring, as does the reliance on recording personal information within huge databases across the public services.

Q: What are the potential consequences of security breaches?

A: The greatest risk to an organisation is the potential reputational damage which could occur as a result of an information security incident reaching the public domain. The Information Commissioner’s Office is now empowered to hand out large fines of up to £500,000 for serious breaches of the Data Protection Act, and there is the possibility of criminal prosecution depending on the severity and scale of the breach. Public bodies could even lose access to public sector frameworks and IT networks as a result of a perceived systematic breakdown in their processes and procedures. The impact on individuals and society could include a lack of trust in public sector organisations handling their personal information; loss of productivity; and individual distress or harm caused by a breach.

(Read the rest of this interview on E-Government Bulletin issue 329: http://www.headstar.com/egblive/?p=771 )

Are you Off-Sure about your IT Service Desk?

July 15, 2010

No matter the economic climate, or indeed the industry within which they operate, organisations are constantly seeking to lower the cost of IT while also trying to improve performance. The problem is that it can often seem impossible to achieve one without compromising on the other, and in most cases cost cutting will take precedence, leading to a dip in service levels.

When things get tough the popularity of off-shoring inevitably increases, leading many decision-makers to consider sending the IT Service Desk off to India, China or Chile as a convenient solution financially – low-cost labour for high-level skills is how offshore service providers are advertising the service.

In reality, things are not so straightforward. The primary reason for off-shoring is to reduce costs, but according to experts, average cost savings only tend to lie between 10% and 15%; what is more, additional costs can be created – research shows, in fact, that costs can in some cases increase by 25%.

Hidden costs, cultural differences and low customer and user satisfaction are reasons which have made nearly 40% of UK companies surveyed by the NCC Evaluation Centre change their mind and either reverse the move – a phenomenon known as ‘back-shoring’ or ‘reverse off-shoring’ – or think about doing so in the near future. Once an organisation decides to reverse the decision, however, the process is not trouble-free. Of those who have taken services back in-house, 30% say they have found it ‘difficult’ and nearly half, 49%, ‘moderately difficult’. Disruptions and inefficiencies often lead to business loss, loss of client base and, more importantly, a loss of reputation – it is in fact always the client and not the provider which suffers the most damage in this sense.

Data security is another great concern in off-shoring. An ITV news programme recently uncovered a market for data stolen at offshore service providers: bank details and medical information could be easily bought for only a few pounds, often directly from call centre workers. Of course, information security breaches can happen even in-house, caused by internal staff; however, in off-shoring the risk is increased by the distance and by the different culture and laws that apply abroad.

Not a decision to be taken lightly, then. Organisations should realise that the IT Service Desk is a vital business tool and while outsourcing has its advantages, if they do it by off-shoring they are placing the face of their IT system on the other side of the planet, and in the hands of a provider that might not have the same business culture, ethics and regulations as they do.

So before thinking about off-shoring part or all of the IT department, organisations would be wise to take the time to think about why their IT is so expensive and what they could do to improve it, cutting down on costs without affecting quality, efficiency and security – and without even having to move it from its existing location.

Here are some measures organisations could take in order to improve efficiency in the IT Service Desk while at the same time reducing costs:

Best practice implementation

Adoption of Best Practice is designed to make operations faster and more efficient, reducing downtime and preserving business continuity. The most common Best Practice in the UK is ITIL (Information Technology Infrastructure Library) which is divided into different disciplines – Change Management, Risk Management, Incident Management to name but a few.

ITIL processes can be seen as a guide to help organisations plan the most efficient routes when dealing with different types of issues, from everyday standard operations and common incidents up to rarer events and even emergencies.

Whilst incident management seems to be easily recognised as a useful tool, other applications of ITIL are unfairly seen by many as a nice-to-have. But implementing best practice processes to deal with change management, for example, is particularly important: if changes are carried out in a random way they can cause disruptions and inefficiencies, and when a user cannot access resources or has limited use of important tools to carry out their work, business loss can occur – and not without cost.

Every minute of downtime is a minute of unpaid work, but costs can also extend to customer relationships and perhaps loss of client base if the inefficiencies are frequent or very severe.

Realignment of roles within the Service Desk

With Best Practice in place, attention turns to the set-up of resources on the Service Desk. A survey conducted by Plan-Net showed that the average IT Service Desk is composed of 35% first-line analysts, 48% second line and 17% third line. According to Gartner statistics, the average first-line fix costs between £7 and £25, whereas second-line fixes normally vary from £24 to £170. Second- and third-line technicians have more specific skills, therefore their salaries are much higher than those of first-line engineers; however, most incidents do not require such specific skills or even physical presence.

An efficient Service Desk will be able to resolve 70% of its calls remotely at first-line level, reducing the need for face-to-face interventions by second-line engineers. The perception of many within IT is that users prefer a face-to-face approach to a phone call or interaction with a machine, but in reality the culture is starting to change as efficiency acquires more importance within the business. With a second-line fix costing up to 600% more, it is better to invest in a Service Desk that hits a 70% rate of first-time fix: users for the most part will be satisfied that their issues are fixed promptly, and the business will go a long way towards the holy grail of reduced costs and improved performance simultaneously.

From a recent survey carried out by Forrester for TeamQuest Corporation, it appears that 50% of organisations normally use two to five people to resolve a performance issue, and 35% of the participants are not able to resolve up to 75% of their application performance issues within 24 hours. Once you calculate the cost as the number of staff involved multiplied by the number of hours taken to fix the incident, it is not difficult to see where the costly problem lies. An efficient solution will allow IT to do more with fewer people, and faster.

Upskilling and Service Management toolset selection

Statistics show that the wider adoption of Best Practice processes and the arrival of new technologies are causing realignments of roles within the Service Desk. In many cases this also involves changes to the roles themselves, as the increased use of automated tools and virtualised solutions means more complex fixes can be conducted remotely and at the first line. As this happens, first-line engineers will be required to have a broader knowledge base and be able to deal with more issues without passing them on.

With all these advancements leading to a Service Desk that requires less resource (and therefore commands less cost) while driving up fix rates and therefore reducing downtime, it seems less and less sensible for organisations to accept off-shore outsourcing contracts with Service Level Agreements (SLAs) that guarantee a first-time fix rate of as little as 20% or 30% for a diminished price. It seems the popularity of such models lies only in organisations not being aware that quality and efficiency are something they can indeed afford – without the risk of off-shoring.

The adoption of a better toolset and the upskilling of first-line analysts, especially through ITIL-related training, will help cut down on costs and undoubtedly improve service levels. However, while it will also remove the necessity to have a large number of personnel, especially at higher levels, the issues with finding, recruiting and training resource will still involve all the traditional headaches IT Managers have always faced. With this in mind it can often be prudent to engage with a service provider and have a co-sourced or managed desk that remains in-house and under internal management control. Personnel selected by an expert provider will have all the up-to-date skills necessary for the roles required, and only the exact number needed will be provided, while none of the risks associated with wholesale outsourcing, or worse, off-shoring, are taken.

Improving IT infrastructure and enhancing security

Improving efficiencies in IT does not begin and end with the Service Desk, of course. The platform on which your organisation sits, the IT infrastructure itself, is of equal importance in terms of both cost and performance – and crucially, is something that cannot be influenced by off-shoring. For example, investing in server virtualisation can make substantial cost savings in the medium to long term. Primarily this arises from energy saving, but costs can also be cut in relation to space and the building and maintenance of physical servers, not to mention the added green credentials. Increased business continuity is another advantage: virtualisation can minimise disruptions and inefficiencies, therefore reducing downtime – probably the quickest way to make this aspect of IT more efficient in the short, medium and long term.

Alongside the myriad of new technologies aimed squarely at improving efficiency and performance sits the issue of Information Security. With Data Protection laws getting tougher due to the new 2010 regulations, forcing private companies to declare any breaches to the Information Commissioner, who has the right to make them public, and exposing them to fines of up to £500,000, security is becoming even more of an unavoidable cost than ever. Increased awareness is needed across the entire organisation, as data security is not only the concern of the IT department but applicable to all personnel at all levels. The first step in the right direction is a thorough security review and gap analysis in order to assess compliance with the ISO 27001 standard and study any weak points where a breach could occur. Then workshops are needed to train non-IT staff on how to deal with data protection. Management participation is particularly important in order to get the message across that data safety is vital to an organisation.

Taking a holistic view of IT

Whatever the area of IT under scrutiny, the use of external consultancies and service providers to provide assistance is often essential. That said, it is rare to find an occasion where moving IT away from the heart of the business results in improvements. The crucial element to consider then is balance. Many organisations, as predicted by Gartner at the beginning of this year, are investing in operational rather than capital expenditure as they begin to understand that adoption of the latest tools and assets is useless without a holistic view of IT. When taking this methodology and applying it to the Service Desk it soon becomes apparent that simply by applying a Best Practice approach to an internal desk and utilising the new technologies at your disposal, the quick-fix cost benefits of off-shoring soon become untenable.

Pete Canavan, Head of Support Services

This article is featured in the current issue of ServiceTalk