
Public sector, private data – is outsourcing the Service Desk too risky?

June 3, 2010

As the Treasury announces cuts amounting to £6.25bn, £95m of which derives from a reduction in IT spending, attention is once more directed towards outsourcing as a means of reducing IT expenditure. But Information Technology stores and processes large amounts of personal, sensitive and confidential data, and in the public sector that data can be highly sensitive, so a great deal of trust is placed in the personnel who have access to it. It is already difficult to place confidence in in-house staff, given the high number of data breaches that statistics show are perpetrated by internal staff, but the option of off-shore outsourcing elevates the threat level from code yellow to code red.

Widespread use of Cloud computing is unlikely to become a reality in the foreseeable future: strict regulations relating to the Data Protection Act, which the public sector in particular follows religiously, make it virtually impossible to obtain assurances that data stored outside the organisation’s premises is adequately controlled and kept secure. However, remote access provided to support staff based at another location, whether in the same or another country, still presents a risk, because information can be collected and recorded by those staff.

With the government CIO, John Suffolk, encouraging the use of outsourcing to countries offering cheaper labour as a cost-cutting strategy, it is time to understand to what extent this can be done and if the public sector can really benefit from off-shoring the Service Desk after all.

Organisations in the public sector are essentially different from private companies: although it seems obvious, it is important to bear in mind that they are funded by British taxpayers, and therefore work for them. Providing access to personal and sensitive data to companies thousands of miles away and outside the European Union, with a different culture, ethics and laws, might put the safety of those taxpayers’ personal details at risk. For instance, information such as identity, financial and health records can fall into the wrong hands and be used for malicious ends. Not long ago, ITV found that British medical and financial records held abroad could be bought for just a few dollars. No matter how ‘rare’ this event might be, it is not a risk Britons would be prepared to take, if the decision were up to them.

It is certainly difficult for organisations in the public sector to carry out a satisfactory level of service when their budgets are being reduced, but it is important to think about the consequences of outsourcing the IT department: a move initially intended to save money can end up making the organisation lose money as a result of large fines and court cases, and most importantly, it can lead to a loss of credibility and reputation.

Recognising a ‘safe’ provider is not easy, especially as identification of a risky supplier often only happens once a breach has been committed, when it might be too late for an organisation to escape liability and to save face. However, it is possible to assess a provider’s trustworthiness before a breach occurs: they should follow Best Practice and have a mature Information Security Management System in line with the ISO 27001 standard, assessed through an independent security review, risk assessment and gap analysis.

There are also better alternatives to extreme or risky versions of outsourcing. For example, the IT department can be kept internal, for better control, but be managed by a third party that is aware of the stringent safety measures necessary for working in this particular sector. That said, most information security breaches stem from threats inside an organisation and are in many cases not a malicious act but a consequence of ignorance, frustration or lack of risk awareness. Well-trained and appropriately skilled Support staff can reduce these security incidents to a minimum, as would implementing organisation-wide information security awareness sessions.

Management commitment within the industry is especially important to convey the significance of protecting personal and sensitive data and the seriousness of breaching the Data Protection Act, which concerns far more than just IT staff. Extensive training is necessary to raise awareness across the entire organisation – whenever there is a data breach it is never the provider that suffers the worst consequences, but the organisation’s reputation.


David Cowan, Head of Infrastructure and Security

This opinion piece appears in this week’s Dispatch Box on Public Technology: http://www.publictechnology.net/sector/public-sector-private-data-outsourcing-service-desk-too-risky

Doing more with less: an opportunity to learn

May 7, 2010

Budget reduction teaches organisations to prioritise – a lesson to be learnt not only by the public sector.

The recently announced budget has not been kind to public sector IT, just as expected. Large cuts mean that most technology projects will have to be shelved, but this does not put the level of performance the sector craves out of reach – on the contrary, budget reduction is the kind of incentive that drives organisations to prioritise and to seek efficiencies, focusing more on operational rather than capital expenditure. This does not apply exclusively to the public sector, of course: many private companies are struggling with similarly tight purse strings, so there is a lesson to be learnt for them as well from such challenging circumstances.

Quick-fix plans which consist of simply reducing the number of personnel and only purchasing tools to replace the most obsolete assets are unlikely to represent the best way to preserve, let alone increase, efficiency. With most operations nowadays recognising that IT forms the backbone of the organisation, it is clear that a wiser roadmap must be designed. Clear-sighted organisations, then, will have a strategy which sees them realigning roles and improving skills within their IT department, implementing relevant Best Practice processes and adopting tools and technologies that can help reduce overall operating costs while improving efficiency, such as virtualised servers and automated service desk management software. Scoping and planning are vital in order to design a strategic solution that is bespoke, fit for purpose and scalable, hence fit not only for present conditions but for the medium term as well, and to demonstrate clearly what cost efficiencies a well-balanced mix of people, process and technology can achieve.

In terms of staffing, it seems that many IT Service Desks lack the skills and tools to deal with most of the calls at first-line level, and therefore become overburdened with an unnecessary (not to mention costly) number of second-line engineers, who are also, because of their more ‘flexible’ nature, often slower in dealing with incidents. Up-skilling first-line support, in conjunction with Best Practice procedures and the adoption of automated software which can deal with simple and repetitive incidents such as password resets, may take the level of first-time fix from as little as 20-30 per cent to 60-70 per cent. This means that a smaller total number of support personnel are needed, especially at second line, and that the business will be remarkably improved, with incidents taking less time to resolve, resulting in a more efficient service for users.

Best Practice implementation is a key component in this cost-effective innovation project. The adoption of procedures based on a discipline such as ITIL (Information Technology Infrastructure Library) will help any organisation function in the best possible way. The processes described by ITIL deal, among others, with the management of incidents, risks and change. The latter is of particular relevance: to deal with any alteration to the system, be it small or large, without causing inefficiencies, disruptions and consequently business or client loss it is important to have a mature level of Change Management already in place.

Because of the difficulty of accepting change and truly understanding this new way of working, ITIL-based experiential learning sessions are an important aid in delivering the discipline so that change can effectively happen, and to guarantee active participation of all staff taking part in the training. This should not only be limited to people that are directly affected, but extend to management who equally need to embrace the importance of best practice.

Another smart innovation that takes the idea of ‘doing more with less’ in its most literal form is that of virtualisation. Through virtualising both the desktop and server environment cost savings from a reduction in user downtime and further improvements in levels of remote (and therefore first line) fixing can be substantial, not to mention further benefits seen in terms of reduced server maintenance costs (from personnel to energy consumption).

The steps to take may appear quite clear and straightforward, but current in-house skills, resources and experience might not be enough to deal with such innovation and, as a result, many organisations will need the expertise of a service provider. With regard to the public sector, the cheapest outsourcing option, commonly seen as offshoring, may be automatically ruled out due to information security issues. However, security concerns private organisations as well, especially those which hold extremely sensitive information, such as law firms and banks. These particular companies cannot risk the loss of reputation, not to mention the hefty fine that can follow a breach of the Data Protection Act by an improperly trained employee or an insecure service provider.

There is a solution, though, where cost-efficiency can be achieved at the same, or a lower, price than an in-house solution. As predicted by analysts in the sector, it is probable that many organisations will be increasingly driven towards adopting a managed service solution in the next couple of years. With Managed Services, Service Desk management is taken care of by a third party, often on the office premises, and while personnel and procedures are left in the hands of the provider, the organisation still retains ownership of assets and control over data, which is particularly important when information held within the system is sensitive and cannot risk leakage or loss.

It is not uncommon to achieve cost savings of 15 per cent or more when compared to a similar, in-house option, saving organisations money and improving the overall functioning of operations, in turn creating more business opportunities and enhancing the users’ ability to maximise productivity.

When it comes to innovation and change, and especially when that may involve reductions of any kind, it might be true that a view from the inside is not likely to be the most objective. With that in mind, working with a specialist partner would seem to be the most logical conclusion; however, doing more with less is far more likely to be attainable in the long term if management visibility and control is retained internally to ensure IT is kept close to the heart of the organisation at all times. Balance, it seems, is key to success.


Jerry Cave, Director

This article features on the BCS website and in the BCS Service Management e-newsletter: http://www.bcs.org/server.php?show=conWebDoc.35420

Is information safe enough at NHS trusts?

April 1, 2010

It looks like NHS trusts are starting to realise that Information Security is not just a matter of using complex passwords, locking drawers at the end of the day and installing the latest firewall and antivirus solutions. The Information Commissioner has been particularly critical of the NHS in the past due to a high proportion of security breaches as a result of inadequate Information Security controls and staff awareness programmes.

The result has been an NHS-wide initiative to ensure all removable media, including laptops and USB drives, are encrypted. However, this may not be enough. As reported by the BBC recently, a remarkable number of non-medical personnel at UK trusts have access to patient records including recent medical history – at least 100,000, including porters, hospital domestics and IT staff, according to a Big Brother Watch survey.

It seems that the risk comes not only from staff at off-shore service providers collecting and selling British data to make a few extra pounds, as reported on ITV not long ago. It also comes from internal personnel who have the potential to access extremely sensitive data without the appropriate authority or preventative controls.

This is not surprising: data collected in the BIS Information Security Breaches Survey 2009 showed that 60 per cent of all companies suffered a security breach in the previous two years and of these, 50 per cent were perpetrated by staff, often premeditated or malicious but in many cases simply a matter of a stolen laptop or a lost removable media device.

There is an obvious need for greater awareness of information security regulations across the entire organisation, and measures must be taken to protect personal and sensitive data. Management in particular need to be involved in order to avoid resentment, complacency and to ensure everyone takes the matter seriously.

In the case of the NHS, information at risk is highly sensitive and breaches can have very serious outcomes. Consequences of Data Protection Act breaches are not confined to costly fines and a few employees being fired – it is the organisation’s reputation that suffers the most.

This risk can be mitigated by conducting an independent gap analysis and security review, which would assess compliance with Information Security best practice, i.e. ISO 27001 and IG Toolkit v7, and certify that information held within an organisation is secure, reducing the risk of incidents and the cost to the business.

Equally important are staff awareness sessions in which the participation not only of general staff but also of executives is required; this is vital in creating a culture where Information Security is part of the organisation’s DNA.


David Cowan, Head of Infrastructure and Security