Overcoming obstacles to growth with Datacom and Aruba

Today’s CIOs are expected to drive business innovation, yet many are grappling with limited IT staff, resources and budgets. In a rapidly evolving landscape, leveraging the right tech is key to overcoming those obstacles and freeing up your team to focus on what matters – growth.

At Datacom, we partner with Aruba Networks – a leading provider of next-generation network access solutions – because it enables organisations to take advantage of a cost-effective mobile-ready network without sacrificing business-class performance, security or reliability.

Our Business Development Manager, Tom Cook, regularly sees the following common obstacles cropping up in the market – here’s how utilising Aruba’s networking solutions can help to overcome these issues to accelerate business growth.

Lack of network visibility
A survey by the Ponemon Institute polled some 3,866 IT and IT security practitioners in Asia-Pacific, Europe, the Middle East, Africa and North America and found that more than half (63 per cent) highlighted the importance of network visibility – the need for availability and capacity to monitor traffic on their network.

With Aruba Central, everything from setting up the network to monitoring and maintaining it is streamlined. Whether managing one site or a thousand remote locations, full visibility and control over all network traffic is possible via one enterprise-grade portal.

Slow response times to issues
Many organisations lack the capability to quickly diagnose and rectify network issues before they halt operations, or, worse still, allow a security breach.

Aruba’s connectivity health functionality provides the proactive monitoring and analysis required to address issues in all phases of the connection process, including association with access points, network authentication, address assignment and domain name service accessibility. Detailed drill-downs also help isolate problems and identify rogue devices quickly and easily.

Lack of capital to upgrade
One of the most common obstacles to growth for small and mid-sized businesses is a lack of capital to invest in new systems or infrastructure, no matter how archaic the current set-up may be.

Thanks to the value of the cloud, the cost of implementing high-performing networks has come down significantly. Aruba offers enterprise networking solutions at a consumer-grade price. And the benefits your business can reap from an upgraded solution – in productivity, increased customer engagement, sales growth and more – mean you quickly achieve a return on investment (ROI).

Additionally, you can choose a subscription option that fits your business today and scale up or down as needed, so you don’t have to justify a huge Cost of Capital (COC) from the outset.

Security concerns
With such rapid developments in both technology and cyber-crime, Tom regularly speaks with practitioners who believe some of their organisation’s existing security solutions are outdated and inadequate.

Aruba offers the option for integrated and automated security controls to protect business data from malware and unauthorised users, and intrusion detection and prevention to safeguard infrastructure. Aruba’s Instant Wi-Fi also includes a built-in firewall and smart application handling for granular visibility and control to make it even more secure.

Lack of centralised control of the network
Disjointed or incomplete network control capabilities are some of the leading causes of inefficient or insecure network management for businesses of all sizes. Aruba’s comprehensive dashboard provides a streamlined overview of the network, along with client and application performance monitoring views.

Simplified monitoring and control of headend and branch gateways through integrated software-defined WAN (SD-WAN) management is also provided. Intelligent workflows provide the ability to look into specific device, policy or circuit configurations to ensure performance aligns with business and user expectations.

If you’d like to learn more about how Datacom and Aruba can help you achieve better visibility, control and performance of your network, get in touch with a Datacom team near you.

Phishing Trilogy Part 3: The “Carrot and Stick” Approach

What’s the best way to fight phishing attacks? Is it punishing users or rewarding good behaviour?

By Emily Wang

This is Part Three of the Phishing Trilogy; see the series introduction here:

Part 1 – From awareness to habits

Part 2 – A multi-layered defence

The ‘carrot and stick’ approach

People often scoff at phishing attack victims and put the blame on them. It needs to be recognised that this “blame culture” contributes to the real issue of slow reporting of phishing compromises which has a direct and material effect on organisations.

Studies collectively show that falling for phishing emails is far from rare and that the number of victims is growing. The real question is how to mitigate it. This article covers the discussion around the “carrot and stick” approach. The two are not mutually exclusive and are most effective when used together in the mix that best suits your business.

Carrot

The consensus in the awareness training domain is not to blame the users. We should encourage them to report any suspicious activities, particularly if they are the originators of the breach.

Since a hacker only needs one person out of the whole organisation to click on a single malicious link, it is impractical to achieve a zero click rate. However, if even one person reports the incident, it allows the security and IT teams to review the campaign and quickly stop it from spreading and causing further damage.

The Cyber Security Breaches Survey published by the UK government (Department for Digital, Culture, Media and Sport, 2019) found that the most disruptive attacks were more likely to be spotted by employees than by software, which was the case for 63% of businesses. This also aligns with previous years’ findings. Hence, we should recognise the importance of staff vigilance and the power of empowering employees.

Stick

Another school of thought is to enforce punishment when people repeatedly fall for phishing attacks. For example, Paul Beckman, CISO at the Department of Homeland Security, considered a policy to remove employees’ clearance if they repeatedly fail an anti-phishing test. Needless to say, this is a controversial idea and received a lot of criticism. One study showed that the perceived severity of consequences did not predict behaviour (Downs, Holbrook, & Cranor, n.d.).

Studies also show that training focused on prohibition of behaviour or attitudes can often have the opposite effect, whereas training that emphasises positive effects can and does change behaviour (Robinson, 2011).

What is your mix?

This table outlines the differences between the two approaches. It is essential to understand your business to pick the right mix.

Be mindful about leaning too heavily on the “stick” approach. The ripple effects can put a strain on employees’ morale, leading to a sense of anxiety and distrust. In the worst case, it can lead to grudge attacks. Reports show that insider threats in cybersecurity are prevalent and cause graver damage than external attacks (Tripwire, 2017).

It is our advice to develop an approach that balances the carrot and the stick. Taking into account the responsibility of the role and its importance in your organisation will help you to determine the appropriate balance. For example, an IT admin would be expected to be much more vigilant to phishing than a clerk on your logistics desk. It may well be appropriate for the IT admin, as part of their employment agreement, to agree to a policy with a sliding scale of consequences for phishing breaches, whereas that would not be appropriate for the clerk.

Food for thought

Regardless of which stance you take on these approaches, it is important to consider the following:

– Ask your HR, legal and management to contribute

  • What are the legal or contractual requirements?
  • What is the company’s policy on rewards and penalties?
  • What culture is the company trying to build?

– Be consistent with your approach

  • For example, if enforcement is going to be implemented, senior management need to follow the policy as well. They need to be role models.

– Understand that people make mistakes and don’t blindly blame your staff

  • As discussed, aiming for zero click-rate is unreasonable. Therefore, we need to acknowledge honest mistakes can happen.

– Ensure that you have an incident-handling process in place, for example who to report incidents to and how

  • Your staff need to know the proper process in order to comply with the company’s policies.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.

References

Department for Digital, Culture, Media and Sport. (2019). Cyber Security Breaches Survey 2019. London. Retrieved from https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF

Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral Response to Phishing Risk. Retrieved from http://payaccount.me.uk/cgi-bin/webscr.htm?cmd=_login-run

Robinson, L. (2011). How the Science of Behavior Change Can Help Environmentalists. Retrieved from https://www.triplepundit.com/story/2011/how-science-behavior-change-can-help-environmentalists/81401

Tripwire. (2017). Insider Threats as the Main Security Threat in 2017. Retrieved November 19, 2018, from https://www.tripwire.com/state-of-security/security-data-protection/insider-threats-main-security-threat-2017/

Phishing Trilogy Part 2: A multi-layered defence

By Emily Wang

This is Part Two of the Phishing Trilogy; read Part One here.

We can see from Part 1 of this trilogy, “From awareness to habits”, how modifying habits can help to combat phishing attacks. However, it is unrealistic to expect no one to click on a malicious link simply by changing people’s email behaviour. In fact, some argue that a “Zero Click” goal is harmful (Spitzner, 2017). It doesn’t matter how much training is provided; people will make mistakes.

This is evident from many of our phishing simulation reports, where a few people would ignore the education page after they fell for a simulated phishing email. They realised their mistake as soon as they clicked on the link and would immediately close whatever popped up as a reflex act. This doesn’t in itself show that awareness training is futile; like many other defensive tools, awareness training should be used to reduce risk even though it is not possible to completely eradicate it.

The three pillars

Let us not forget about the three pillars of cybersecurity, namely people, process and technology. Using them together is like building a three-legged stool: if any leg is too short, the stool is unbalanced.

Google recently announced that none of their 85,000+ employees have been phished since early 2017 (Krebs, 2018). What is their secret? Google requires all staff to use security keys to log in. The security key is an inexpensive USB-based device that serves as the second factor of authentication. That is, the user logs in with something they know (their password) and something they have (their security key). This is called “two-factor authentication”. It is a perfect example of aiding a person with technology and process measures, or, as security experts like to call it, defence in depth.

A multi-layered approach

The National Cyber Security Centre’s guidance (2018) splits the mitigations into four layers:

  • Layer 1: Make it difficult for attackers to reach your users
  • Layer 2: Help users identify and report suspected phishing emails
  • Layer 3: Protect your organisation from the effects of undetected phishing emails
  • Layer 4: Respond quickly to incidents

Taking layer 1 as an example, here is how we can defend ourselves from all three angles:

Many controls can be placed in your organisation at different layers. To implement counter-measures holistically, we need to consider your organisation’s constraints and what is suitable for your employees. At Datacom, we look at how to help customers reduce risks from all six areas. Importantly, though:

Don’t wait until it’s too late and don’t rely on just one defence mechanism.

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice.

References

Krebs, B. (2018). Google: Security Keys Neutralized Employee Phishing. Retrieved from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

National Cyber Security Centre. (2018). Phishing attacks: defending your organisation. Retrieved from https://www.ncsc.gov.uk/phishing

Spitzner, L. (2017). Why a Phishing Click Rate of 0% is Bad | SANS Security Awareness. Retrieved November 18, 2018, from https://www.sans.org/security-awareness-training/blog/why-phishing-click-rate-0-bad

Why every business needs a trusted advisor for cyber security

By Mark McWilliams

Australian businesses are increasingly turning to information technology solutions to improve their performance. Whether it be helping to reduce cost, improve revenue or connect more effectively with customers and suppliers, IT offers business many benefits. Connectivity between people, systems and processes is creating new, low-friction, efficient ways of doing business, which enhances the productivity of Australia. An alarming growth in the sophistication and persistence of cyber criminals threatens to reduce the benefits from this technology investment.

Cyber-crime has become a very lucrative business. It’s very hard to put an exact number on the direct cost to Australia of successful attacks, as direct losses are often held away from public scrutiny. In 2015 global cyber-crime was estimated to cost the economy $500 billion and by 2019, if current trajectories continue, it will become a $2.1 trillion problem. In the fifth year of producing their “Cost of Data Breach” study, the Ponemon Institute estimated that the cost per compromised record in Australia is $145. Malicious attacks, which make up 46% of compromised records, have the highest cost at $161 per record. And the average total cost paid by an Australian company to resolve a successful attack is $2.8 million.

In many instances Australian businesses who have responded well to getting their businesses up online have not adequately prepared themselves to fend off a targeted attack from an organised threat actor. DistributeIT collapsed within weeks of a sustained and coordinated attack leaving thousands of businesses that relied on them dead in the water. In many instances, Australian businesses are not even equipped to detect malicious activity on their systems, let alone respond in a coordinated fashion. And even if an attack is detected, using the limited resources available to the company from both a technology and people perspective, attacks take a long time to sort out – on average 243 days.

At Datacom we take a holistic approach to helping corporate Australia protect its digital assets. From an IT infrastructure perspective we have skilled people in every geography, with trusted technology vendor partners who can deploy point solutions to help ward off malicious attacks.

In 2010 we established a high-end security consultancy, staffed initially with people from the defence intelligence community. This team, motivated by altruistic intent to protect Australia from malicious attacks, delivers industry-leading cyber security advice on culture, policy, practices, people and technology. They recognise that deploying technology alone is not the answer to this very real global threat. This team undertakes some really interesting work on behalf of its clients. One of the most interesting, and provoking, engagements is called a “Red Team Event”. In a red team event the CIO or CISO engages the team and sets an objective for it to reach within the digital borders of the business. The business’s IT folk are not given any warning of the event, so they are not operating in a state of heightened awareness. In almost every case our team has managed to retrieve the targeted digital asset. In some cases they have managed to achieve full system administrator rights to whole IT environments, which, if acted upon, could cripple significant Australian businesses.

Unfortunately it is neither practical nor operationally possible for Australian businesses to adequately protect themselves online. From a practical perspective, good IT security professionals are incredibly hard to find and expensive. And operationally, even if you could find a good person, one is not enough. Threat actors work 24×7, are incredibly well resourced, and are ready to strike when nobody is likely to be watching, often using techniques so new that a single security person has no hope of keeping up. In response to this dilemma, Datacom’s Technical Security Services business has established a service offering where a team of seasoned professionals is available 24×7 to detect and respond to security events within Australian businesses.

Cyber security is a growing business for all the wrong reasons. Currently the threat actors are winning as business plays catch up. Developing the resources and skills internally is out of reach for all but our very largest corporations. Leveraging the skills of trusted partners that can aggregate learning and watch multiple electronic borders simultaneously is the only effective way of accelerating the response to the growing cyber threat.

Mark McWilliams has an in-depth knowledge of the technology market and is the Director for Datacom Investments.

What 2014 Will Hold for Technology

As we did at the end of last year, we decided to once again survey some members of our business to see what they were looking forward to or predicting in the technology space for the new year. We got varied responses on everything from cyber security to government consumption of cloud services. Read along to see the answers and share your opinions in the comments section.

Innovating to fight the invisible battle

“Cyber-crime will continue to grow. Its effectiveness at extracting value through exploits will improve. As consumers, we expect things to connect and work together seamlessly across the internet. The cyber criminals, however, will continue to find holes in technology and use these vulnerabilities for personal gain…

“The exciting side of this will be the new wave of services to which companies will subscribe, which will give them a level of comfort that somebody is helping to protect their reputation online. The clever cyber warriors will aggregate critical security alerts from various sources and provide services 24×7 to organisations to defend, monitor and respond against the online world’s subversive element. It’ll be interesting to see how this invisible battle plays out in 2014.”

Mark McWilliams, Datacom Director of Investments

Government cloud and the Internet of Things

“I’m looking forward to:

· A progressive year in the migration of Government to cloud based services.
· Continuous innovation in the Internet of Things to improve the way technology enhances our everyday life.”

Tom Scicluna, Datacom New Technology & Innovation Business Manager

Smarter watches

“The tech I am looking forward to is a mature delivery of smart watches. The Galaxy Gear, for example, looks impressive, but for a first-generation device, it comes with a hefty price tag. Second generation devices will hopefully bring greater battery life and more creativity for design combined with pricing less than a 7” tablet goes for.”

Damon Wynne, Datacom South Australia Solution Architect

From cloud brokers to social calendaring

“Body tech – body monitoring technologies integrated with mobile apps and cloud. Internet of everything – contextual automation and sequencing. Cloud brokers involved in moving companies from one cloud provider to the next seamlessly based on special offers and costs, like credit cards. Social calendaring, mobile device diversity, application diversity and 3D printing.”

Wasim Anwar, Datacom Western Australia Project Service Manager

Tackling Cyber Safety in Your School 1:1 Program

Cyber security is a crucial component of a school 1:1 or technology program. Yet many schools aren’t equipped to tackle this area in a way that incorporates the needs and concerns of parents, teachers, kids and other stakeholders. We spoke with Peter Geale, CMO of Netbox Blue, a provider of advanced security protection for schools’ networks and data, on new cyber security threats, cyber bullying and how to continually educate all of your school’s populations on appropriate online use.

Q: Beyond the typical online threats and cyber safety issues affecting schools, such as bullying and inappropriate images and web sites, is there anything new or unique you are seeing?

A: There are, and often they revolve around specific web sites. For instance, there’s Ask.fm, which by its nature is rather insidious in that it encourages anonymous questions. People can post hurtful things: ‘Why are you so ugly?’ ‘Why would anyone ever be your friend?’ In the past, kids would create a fake account and harass people that way. Thankfully, the number of phantom Facebook profiles has dropped dramatically over the last few years.

Security experts will tell you that the biggest risks come from people from within — in other words, people you know. Kids won’t often pick on people they don’t know.

Q: In your opinion, do schools perceive that they have a duty of care to protect students from cyber bullying just as they do for in-person bullying?

A: There’s no question, they certainly do perceive that they have a duty of care. What happens on Facebook on the weekend comes to school on Monday. Teachers know they are dealing with issues. Teachers recognise the impact this is having on educational outcomes. That’s why they are getting involved, not because they want to spy on or control kids’ lives but because it’s affecting day-to-day life. School laptop or 1:1 programs legally require the school to consider online activity that impacts learning as part of their duty of care.

Q: How do you recommend schools come up with a security strategy around 1:1 device use and behaviour online both inside and outside of school?

A: It’s actually not that difficult. The key thing is they don’t try to do it by themselves. Learn from other schools. Most schools are part of a wider group, such as an independent schools association. Even if they are not, most schools post policies on the Internet that you can refer to. Look around and see what’s available publicly.

Early on, absolutely engage all the stakeholders. Not just the school employees, but parents, kids and the organisation the school belongs to. What’s happened in the past is that the IT manager has put together policies and they are not necessarily the right person as they might look at issues from a purely technical perspective and not the holistic approach necessary for a comprehensive use policy. Once the policy is out there, make sure it’s well-taught and make sure it’s monitored.

Q: How do we make sure children have a broad range of ongoing support, education and encouragement in order to make sound decisions online?

A: Broadly, one of the things schools try to do is create a community full stop. The good news is that some types of activities they are doing include engaging with parents — providing info to parents. These are the trends we see happening. For instance, the school shares a message saying, ‘A recent publication in education shows 75 per cent of all issues in respect to social media are on Facebook. Here are some of the areas we think might cause issues down the track.’ Then schools pass this on to parents. This happens a lot in primary school. It happens less in high schools. It needs to happen more in the high school because kids are getting more access to technology.

Q: Some peers and even adults might not be setting a great example for kids in terms of acceptable online use. How do you talk to kids and parents about this, about where kids can find a role model?

A: Earlier in 2013, Professor Donna Cross from Edith Cowan University came out with a statement that said today schools need to be involved and actually using and modelling good Facebook behaviour — if we’re not doing it, it’s like teaching kids how to swim in the classroom versus in a swimming pool. They are only going to get ordinary learning, they are not going to know how to swim. Parents also need to demonstrate positive use of the technology.

Q: What is your advice for engaging parents on issues of cyber safety?

A: There are lots of good opinions on this. For instance, making sure computers are used in public places, no computers in the bedroom and, if they are, only for a limited period of time. It should be viewed in a similar way that parents set boundaries — the same boundaries that exist offline. Kids are going to places online that parents don’t know about, to online playgrounds you don’t know, and they are going to do this in their room or on their mobile phone. Just as these boundaries exist in the physical world, they should be in the online world.

Schools can make sure parents are reminded about technology on an ongoing basis in a newsletter and online forums. Give the parents more understanding and, if they do know nothing, teach them. Make sure the parents are at least informed and know what the boundaries are and support their boundaries at home.

Additional resources to use include:

The Easy Guide to Socialising Online

Who’s chatting to your kids?

ThinkUKnow Australia

Cyber Bullying in Australian Schools: The Question of Negligence and Liability

Cyber Security is Not Quite All Hype – Your Organisation Needs an Appropriate Security Posture to Protect Itself

By Richard Byfield

A Gartner VP recently suggested that current cyber security discussions on advanced threats are just hype to which most commercial enterprises should not pay attention. The argument likened cyber security technologies and practice to a “Ponzi scheme”, whereby the returns never match the investment and essentially entrap business into an ever-increasing dependence on vendors and technologies.

This viewpoint is bound to draw attention from security vendors, practitioners and consumers. In part, it is most likely designed to create that very response, and it is a conversation that needs to be had. On the record, we have to agree with the sentiment. Advanced nation state threats are not targeting every commercial enterprise operating in Australia. So why should a business with a market cap of $4 million spend 25 per cent of that value trying to protect itself from adversaries that, in essence, pose low to almost no threat?

Yes, there are legal and regulatory obligations for businesses to protect both personal and financial data. There are implications for businesses on the availability of information systems affecting revenue, continuity and a business’s ability to maintain commercial operations. Not to forget the impacts upon the reputation of those organisations whose security is known to have been compromised. Who would feel secure visiting a retail store after media reports suggested that the point of sale mechanism was stealing credit card details for “foreign” hackers?

Like any service designed to support commercial operations, cyber security has a known commercial value and impact. The difficult part is in assessing the “what” of value and business impact. Without this, it is almost impossible to measure the business effectiveness of cyber security.

The security posture should equate to business risk and impact value

At Datacom TSS, our focus is on helping our clients establish a security posture appropriate for business needs. We view a security posture as your organisation’s level of risk based upon commercial asset values (revenue, capital, IP, reputational, regulatory, legal), actual threat and recognised vulnerability. This is assessed against the maturity or effectiveness in ICT design, development, procurement, supply chain, policies, processes and service operations. We, therefore, begin by determining the impact of security specific to your business.

Based upon the assessment against your current security posture, a security strategy can be designed to mitigate or treat identified vulnerable areas in business operations. This strategy is always determined and traced against both business requirements and asset values. This ensures that security outcomes can be quantified against the value they protect versus the cost of implementation. Cost benefit analysis is essential in establishing commercial impact. Security must always be justified and quantified.

If the case for security cannot be justified, then the reasons for implementing security may not be well understood. If you cannot justify your expenditure against a business outcome, you most likely have paid for something you did not need.

The value of trust in your practitioner

It cannot be stated enough that many security outcomes do not involve the sale of a vendor product. As security practitioners, we must remain both solution- and vendor-agnostic in determining outcomes for security strategies. Without this approach, achieving a suitable security posture breaks down into an exercise of setting the strategy to fit product X. This, in turn, leads to businesses purchasing capability that has no impact on their actual organisational security threats. The “What can we sell you today?” attitude will not deliver lasting security gains; adversaries are always adaptive and industry segment threats change constantly. Trust is the key. Truth that is sometimes counter to commercial interest is imperative in protecting assets. Without this, it is all hype.

The outcome

Cyber security is not simply a “product solves everything” industry. It is as much a service to ICT as ICT is a service to business. As such, each business should seek solutions that align with its threat profile and the value of its assets. Being cognisant of these facts will enable both enterprises and governments alike to deliver actual outcomes for cyber security. This will rationalise the current discussions surrounding advanced threats, including advanced persistent threats (APT).

In creating an understanding of the position and posture of security, including the needs of business to achieve security, you will avoid the hype and deliver cost-effective capability outcomes.

Datacom’s Take on Mobility in the Workplace at the Evolve Security Conference

Datacom recently presented on mobility in the workplace at the Evolve Security Conference held in Melbourne and Sydney. Our mobility expert Kurt Nasarenko, who is based in our Brisbane office, gave two back-to-back sessions in the consumerisation stream. His first, “Beyond the Buzz: Increasing Business Performance through Practical Mobility Solutions,” covered how organisations can align mobility with business needs. His second session, “Practical Mobility Solutions [Case Study]: How Organisations are Using Mobility to Increase Business Performance Now,” demonstrated how organisations Datacom has worked with have used mobility to solve their business issues and drive productivity, competitive advantage and revenue.

Kurt stressed in his first session that a mistake many organisations make is expecting mobility to somehow improve the organisation without a defined tie-in to specific business processes. A key question organisations should ask themselves before they embark on the path to mobility in the workplace, according to Kurt, is, “How are we going to optimise our business and how are we going to optimise our processes? Think about the needs of the business, how mobility can solve the problem.”

Kurt made the point that getting caught up in the technology of mobility can throw an organisation off course in relation to how mobile solutions can solve real problems. The focus, he said, should be outcomes, such as reducing operating costs and time to market. Organisations should first identify the needs they have and the compelling reason they should implement a mobility solution now. After thorough analysis of the problem and how mobile technology could solve it, Kurt advised that organisations design the solution, implement and support it, and then review and refine it.

In his second session, Kurt presented three case studies of organisations for which Datacom has implemented mobility solutions. For one organisation, Kurt’s mobility team developed a “fatigue calculator” app for a field service team that worked long hours in a dangerous environment. Formerly, the 800 workers had to report back to base to have their fatigue assessments. The app was able to help reduce the number of back-to-base visits by 6,000 and cut costs by $300,000 per annum.

In another example, a state government agency was using manual forms for data collection, which was a slow process that led to a lot of errors. Kurt’s team implemented an ink-on-glass mobile app that allows integrated data fields and workflows to better manage the process. As a result, process execution was reduced from weeks to hours and the number of errors and incorrect form submissions decreased by 80 per cent.

As with any new technology implementation, Kurt explained, a mobility solution will necessitate cultural change that will include some resistance to the new way of doing things — even if employees themselves instigated the change in the first place. Choosing a few key evangelists who can spread the benefits to others and even pilot test the mobility solution is helpful in the change management phase, Kurt said. By embracing these champions, the true benefit of the mobility solution to the business will start to emerge.

Learn more about how to get started with a mobility solution that aligns with your business needs.

Being Short-staffed is No Excuse for Mishandling IT Governance and Security

In the 2012 Governance of Enterprise IT (GEIT) Survey by the Information Systems Audit and Control Association (ISACA), organisations in the Asia-Pacific region reported a higher annual incidence of security breaches than the global average and a considerable shortage of IT staff.

The implication apparent to anyone who reads this information is that without enough IT support, organisations can’t get a grip on security. Adopting the mindset that security is only as good as the number of IT staff you have, however, is risky and may give an organisation a false sense of security. Businesses do not need to pay more IT staff salaries to effectively enforce security across the workplace. Rather, they can approach increasing security awareness from two angles. First, they can develop meaningful business policies that all employees are able to embrace and understand to further the cause of improved security. Second, organisations need to be able to leverage the right outside help to advise them on the best security approach to suit their specific business.

Setting effective policies

According to ISACA’s survey, most organisations expect the second most likely network security threat to occur in the next year to be caused by an employee mistake. Yet many of these organisations have no set security policies outlining what exactly employees should or shouldn’t do to avoid compromising security. Changing employees’ behaviour doesn’t begin with hiring more IT staff to enforce security — it begins with enforcing effective user policies across the business.

Organisations can define user policies based on organisation-wide, departmental or individual risk profiles to determine who should have access to which data, networks and systems, and what types of web sites and applications can be used on different devices. If you allow BYOD, you should have a list of approved apps. If you use a cloud computing service, you should have a list of who can access it and who can’t. You should also consider providing lists of banned web sites and providing guidance on which corporate data can be accessed via VPN when employees are offsite.

Once you’ve established what employees should be able to do and have access to, you can then set the procedures for maintaining security and determining what happens in the event of compromised systems, devices or data. Consistent education for current and new employees will help your newly defined security policies and procedures become ingrained in the culture. Security awareness should be a part of every employee’s induction, where practical examples are used to demonstrate why policy, procedures and good security practices are necessary. Ensuring employees know who to contact or where to access meaningful security advice and guidance is also useful. Security refresher workshops should be conducted annually for all employees and updated to reflect the changing threat landscape.

Enlisting the help of outside experts

It is unlikely you can invest enough money to completely secure yourself if you are connected to the Internet and external networks. So you need to understand how to make sure every dollar spent is spent wisely to get the best value from your security investment. Seek independent advice from a product-neutral expert — even better if it’s a consultant or company that has a background in high-level cyber security in areas such as government.

This advice will help you understand your security posture and keep up to date on its evolution, completely irrespective of specific security products that might not fully protect your organisation. An independent security review can help organisations deep-dive into their security architecture to get an objective view of their needs and identify gaps. This type of customised, independent advice might also include certain tests, such as vulnerability or penetration testing, to ensure you really are protected from the latest cyber threats.

Remember that no one single person will be able to cover your organisation’s attack surface and the entire threat landscape. Rather than worry that you don’t have enough IT staff in place, draw upon your current department resources to help draft and enforce policy and educate employees. Remember, too, that drawing upon external advice can help your organisation get the overall security picture it needs to prevent future threats.

Security in the Cloud Part II: Technical Protection for IT Security Risks

In Part I, we covered how organisations are partially responsible for guiding the IT security strategies in an Infrastructure-as-a-Service cloud. The focus there is mostly on business processes that an organisation likely already considers when protecting itself from regular IT security risks.

Now we’ll get into the technical part of establishing solid IT infrastructure security in the cloud. Here are some areas to discuss with your cloud services provider to mitigate IT security risks in the cloud.

Do you need client networks to be open? Unless your organisation requires each client network to remain open, a cloud services provider can segregate networks so they cannot talk to each other, preventing IT security risks in the cloud.

Who do you want to have access to your cloud? Organisations will have to manage or get their provider to manage the staff members that have access to the cloud to prevent IT security risks via domain access, Active Directory or remote access, for example. It all depends on the requirements you’ve outlined when building your IT security strategies for the cloud.

How do you want your network connection configured? To prevent IT security risks, you can use secure VPN connections over the Internet or install private WAN connections so external parties do not have access.

How will you monitor network security in the cloud? Just like in the traditional data centre, you can deploy IPS/IDS devices in the network to monitor cloud servers on the domain and scan them and the network for IT security risks.

How will you address firewalls to prevent IT security risks? For instance, Datacom can configure the firewalls or clients can bring their own firewalls to lock down the cloud network — it all depends on the IT security risks you want to avoid.

What type of hypervisor protection exists to prevent IT security risks in the cloud? Is the virtual machine protected at the hypervisor level as soon as it comes on?

How deep does protection go to prevent IT security risks in the cloud? Does your cloud services provider offer end-to-end IT infrastructure security? What type of antivirus is in place?

Datacom can help organisations understand their IT security risks in the cloud. We look at every organisation on a case-by-case basis and then implement their IT security strategies in the cloud environment.