Observing confidentiality in public

The saying ‘Loose lips sink ships’ was displayed prominently on posters during the Second World War to advise military personnel and others to avoid chatter involving information that could be used by the enemy. A key question is to what extent this applies now that mobile technology is everywhere. Undertaking 100% of professional work inside an office is a thing of the past; people work from any location including trains, aeroplanes and more commonly now in coffee shops. External observers can take advantage of the information on laptop screens, handwritten notes and discussions between people.

Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels, and without any real effort to listen or intention to earwig, it was apparent what these men were talking about and that they were concerned that a data breach may have occurred. Initially, the information could have been about any company, anywhere or any system. It could have been about their employer or one of their employer’s client’s systems. The details here have been left intentionally vague, but the conversation didn’t end there:

  • Clients won’t be happy – such a reference indicated that a data breach could have occurred with one of their internal systems involving their customer data, rather than a system belonging to one of their clients.
  • Branded stationery – overhearing a conversation was one thing but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; everything was in my face as I walked past them.
  • Laptop screensaver – companies often give away corporate stationery to clients for marketing and brand awareness. Therefore, it was not a given that these individuals worked for the company whose branded pens were visible, but returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.
  • Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.

How to use this information requires little imagination.

Several years ago, I overheard two people discussing their wills over dinner in a restaurant and how they needed to get them replaced due to changes in circumstances. Shortly after, when a neighbouring couple was ready to leave, the man approached them and said, ‘Sorry, I couldn’t help overhear you mention that you needed new wills. Here is my business card. Give me a call’. This example is innocuous; however, depending on the context, the consequences could be quite severe, such as revealing information that could influence the stock market.

Thoughts include:

  • Avoid discussing sensitive issues in public.
  • Avoid using names of companies in the discussion. Using alternatives such as ‘we’ and ‘the client’ will often be more than sufficient.
  • Use anonymous tagging of corporate laptops so that nothing on the outside identifies ownership if it is lost or stolen. The value of the data on laptop computers will depend on the owner, and effort is less likely to be expended if ownership is unknown.
  • Remove visible branding from the operating system, so if it is lost or stolen, and someone turns on the laptop, it is not possible to identify the owner. This is more challenging than it sounds if the network domain name and the company name are the same.
  • Using BitLocker Device Encryption (Windows Vista through to Windows 10) with a boot-up password will prevent the operating system from loading until you enter the correct password. An unauthorised user won’t be able to identify corporate ownership.
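
An added example, not part of the original post: a PowerShell audit of the last two points, reporting whether the system drive has a BitLocker protector that requires a pre-boot secret and which settings would reveal the owner once the machine is powered on. The function names are hypothetical, and it assumes an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
# Get-BitLockerVolume needs administrator rights.

function Test-PreBootAuthentication {
    param([string]$MountPoint = $env:SystemDrive)
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector types that demand a secret before Windows starts loading.
    # A TPM-only protector unlocks silently and boots to the sign-in screen.
    $preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'Password'
    $types = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        ProtectionStatus = $volume.ProtectionStatus.ToString()
        KeyProtectors    = $types -join ', '
        PreBootSecret    = [bool]($types | Where-Object { $_ -in $preBootTypes })
    }
}

function Get-OwnerIdentifyingSetting {
    # Settings that commonly carry a company name; the legal notice is shown
    # before sign-in, the OEM details after it.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $oem    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation'
    $checks = @(
        @{ Path = $policy; Names = 'legalnoticecaption', 'legalnoticetext' }
        @{ Path = $oem;    Names = 'Manufacturer', 'SupportURL', 'SupportPhone' }
    )
    foreach ($check in $checks) {
        $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        foreach ($name in $check.Names) {
            if ($props.$name) {
                [pscustomobject]@{ Source = "$($check.Path)\$name"; Value = $props.$name }
            }
        }
    }
    # The domain name is often the company name, as the post notes.
    $system = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($system.PartOfDomain) {
        [pscustomobject]@{ Source = 'Win32_ComputerSystem.Domain'; Value = $system.Domain }
    }
    [pscustomobject]@{ Source = 'Computer name'; Value = $env:COMPUTERNAME }
}

Test-PreBootAuthentication | Format-List
Get-OwnerIdentifyingSetting | Format-Table -AutoSize -Wrap
```

A `PreBootSecret` value of `False` with `ProtectionStatus` `On` means the disk is encrypted but the laptop still boots to the sign-in screen, where the settings listed by the second function can be seen.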

Being security conscious in public places is essential. Almost every time I have coffee somewhere, I hear something which someone could use for malicious purposes.

Avoiding Copycat Services

Websites are still offering copycat-services in place of official services provided by government departments and local authorities. The difference is, the copycat-service is more expensive, not always legal, and seldom offers any added value above and beyond the official services available. Authorities have made a significant effort over several years to address this issue, but new services and sites continue to emerge.

These types of copycat-services are different to services delivered through trademark infringement and passing off, as the genuine services are still needed to provide the service required by the customer. E.g. with a passport application, the copycat-service would not make and deliver the physical passport but would act as an expensive intermediary. Instead of the customer paying £50 and applying directly, the copycat service could charge £100 and process the application on behalf of the customer, making a healthy profit from every transaction.

It is also necessary to consider the quantity of personal information required to make such applications. This data is held by the service provider, which has the potential to create a whole world of pain.

Copycat-services should not be confused with added value services such as the post office check and send service, where application forms are reviewed by post office staff before being sent to HM Passport Office for processing. The post office advertised this service as an added extra and applicants can make an informed choice. Visa agents work in this way also by offering similar added value services such as making sure all the paperwork is in order, or by visiting the consulate to process paperwork on behalf of customers. With copycat-services, the service providers manipulate customers into believing they are using a genuine service.

UK Government services have domain names which end with ‘.gov.uk’ and do not use paid advertising with links to the sites. Visit https://www.gov.uk for details of all available services. The following are samples of direct links.

Streamlining to improve security (Part 3 of 3)

Moving on from the example scenario given in part 2 – this instalment looks at developing the streamlining and consolidation mindset that will contribute towards improving security. To recap on some of the conclusions from the previous two parts:

  • The greater the diversity of software, the greater the attack surface. Reducing the number of systems contributes to improving security, reducing the risk of internal and external attacks.
  • Reducing the number of systems has a much broader impact than security alone. It also contributes to reduced costs across the board. Decommissioning a business system also eliminates all associated back-office costs.
  • Reducing IT costs through streamlining releases funds for other security-related projects which might otherwise not be economically viable.

How many people does it take to change a light bulb? If an entire building has precisely the same type of light bulb in every room, the replacement bulbs will all be the same. The storage cupboard might have a minimum stock level of 20 to cover a building with 5000 operational light fittings. I will leave it to your imagination what happens next door in the office with 50 different light bulbs. In a nutshell, having a standard is good, too much diversity is bad. The more exceptions added, the greater the complexity. In this simplistic example, it is more about how long it takes to change a light bulb.

Here are some thoughts to consider:

  • Before committing to the expense of a new system, understand the infrastructure, operating system and database system requirements and ensure they are aligned with the business IT environment. Vendors’ sales representatives might not be aware of the technical details, and if they are, it might not be considered an essential part of their pitch. Also, the buying decision-maker might not know what questions to ask about the operating environment and assume that whatever he buys can be implemented by the technical teams.
  • Lock down desktop permissions so that users are unable to install software themselves; this should also include most of the IT department. Allowing users to install software has much broader implications than just the proliferation of software within the workplace. It has the potential to introduce a wide range of security risks and malware to the business. Even without considering the streamlining of software, this is a recommended action.
  • Implement a centralised approach to purchasing software. With distributed software-purchasing and decision-making across the business, the diversity of software will inevitably increase.

Beyond application consolidation within an organisation, businesses can gain the same benefits from the continuing emergence of cloud-based services that are developed, managed and maintained by a third party and offered to a large number of companies requiring the same system. With this approach, the vendor manages the implementation of security.

Streamlining to improve security (Part 2 of 3)

In part 1, we looked at some of the causes of software proliferation. Here in the 2nd part, we look at an example of two independent systems that perform the same business function. Consider two profiles of software, one being desktop software such as word processing and spreadsheets, and the second being systems that operate from a server environment with implemented infrastructure.

In this example, we will look at a client/server business system. The same principle applies regardless of what the system does, or how we ended up with two systems performing the same purpose. For illustration purposes, we can assume that we have two insurance claims systems, each with a separate set of customers and insurance policies. Although security is the focus here, the example extends to other factors. Increased costs and skillsets have an impact on budgeting requirements if, due to financial constraints, security issues are risk-accepted by leadership teams and ignored until a budget may be available to fund mitigation.

  • Infrastructure – each system will have its own set of hardware infrastructure and running costs, and may also have a separate infrastructure for development and testing purposes; separate infrastructure support contracts; infrastructure in place for disaster recovery. Most notably on the security side, a requirement to maintain physical security for a much higher quantity of hardware, possibly at an increased number of locations.
  • Skillsets – an increased quantity of differing infrastructure and software systems requires an increased set of skills to maintain the systems. With a single system, staff will develop a greater depth of knowledge, reducing the overall cost of training.
  • Access Management – running two systems will require the management of user access to both, along with any development, testing or disaster recovery environments. Reducing the number of systems reduces the overall cost of access management.
  • Licensing – where multiple systems serve the same purpose, it is often the case that a high proportion of staff needs access to both systems and not just a single system. Consolidating will reduce the number of vendors, the overall licence requirement and any associated vendor support costs.
  • Patch Management – reducing the number of business systems will reduce the overall effort required to maintain business systems at the latest vendor release.
  • Vendor Management – increased systems include an increased number of commercial relationships to maintain. Every supplier takes time to manage and deal with changes, sometimes to the point where dedicated members of staff are needed to liaise for a particular piece of software. Reducing the number of vendors reduces the administrative overhead. Also, every vendor will have terms and conditions, and with that comes the requirement to review every contract and every change in terms that may take place. Reducing the number of vendors means less work for the legal team.
  • Other benefits of consolidating two systems include reduced auditing requirements and reduced cost in delivering system changes. On top of this, reduced energy consumption in running the services will help contribute towards carbon neutrality.

Having one system to maintain will always be cheaper than developing changes across multiple business systems. Even in cases where one or all are vendor-supplied, often bespoke software provides aggregated reports using data from various systems.

Software is not the only area where consolidation can deliver tangible benefits in the form of reduced complexity and reduced costs. The points discussed demonstrate that the greater the diversity, the higher the effort and expense of keeping systems operational. Bloated back-office costs can reach a tipping point where businesses cease to be profitable. Financial savings are not always obvious, and, in many cases, implementing change will have high up-front costs with long-term tangible benefits. Consider application consolidation as a long-term strategy and not only as a tactical piece of work to be undertaken this month with expected immediate benefits.

Every case for consolidation is different and will need to be carefully considered based on individual circumstances, and delivering the overall benefits will often depend on getting the right balance. It could also be the case that when looking at one small aspect of cost, consolidation could appear expensive and cause conflict. In contrast, cost reduction is demonstrated with a holistic view.