A salutary lesson in IT Security from the Entertainment Industry

Open standards and transparency in security.

My client rejected this prose from a recent project I undertook. I will let you judge if this is relevant to recent security breaches.

The precedent had been set, but was ignored by the giants in the entertainment industry.
An excellent example of a disastrous security technology breach can be found in the consumer entertainment market with the compromise of DVD and Blu-Ray encryption technology. The resulting losses to the industry are conservatively estimated to be in the tens of billions of dollars. When the initial DVD encryption algorithm was cracked in 1999, the entertainment industry was aghast. The flaw with the Content Scrambling System (CSS) algorithm was that it used a key of only 40 bits. Today’s home computers can break the code in a few seconds with free cracking software readily available from the Internet. You would have thought that the entertainment industry would have taken the lessons of history to heart. To fail to do so would be negligent, almost bordering on incompetent! Think again.

Blu-Ray Encryption Breach – ignore the lessons of history at your peril.
The puzzling thing about the Blu-Ray compromise was the clarity with which the security researchers speculated there would be problems ahead. In 2001, cryptography researcher Keith Irwin released a paper titled “Four Simple Cryptographic Attacks on HDCP”. High-bandwidth Digital Content Protection (HDCP) was broken in October 2010. The author noted in his conclusion that “I would like to take a moment to thank Intel and Digital Content Protection, LLC for releasing this specification to the public so that it can be reviewed by independent researchers”. Highly respected cryptographer, author and information security industry veteran Bruce Schneier stated in 1999 that you should “demand open source code for anything related to security”. Like many industries, the executives in the entertainment industry took a calculated risk, which they lost.
http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
http://www.angelfire.com/realm/keithirwin/HDCPAttacks.html

Why did CSS and HDCP fail? – Hindsight is an excellent tutor.
To date, no disclosure has been made of how the HDCP master key was cracked. Visit any website with bit-torrent files listed and you can appreciate how copyright holders feel about the damage wrought on their intellectual property as a result of the CSS and HDCP breaches. Bruce Schneier succinctly sums up the view of most respected security and cryptography experts: “Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn’t just a business model; it’s smart engineering practice”. The conclusion that must be drawn is that proprietary security protocols fail regularly and spectacularly. The costly hit to the entertainment industry’s bottom line resulting from these breaches surely took its toll, inhibiting growth and reducing profits. The weakness in the Blu-Ray’s HDCP algorithm was revealed in 2001, but the rapid consumer take-up and market acceptance of Blu-Ray as the format of choice was probably the driver for this breach. What’s the point of picking the lock if there’s nothing inside worth stealing?

Mike Ryan – Brass Razoo Group – 0419 648 242

www.brassrazoo.net.au

mike at brassrazoo.net.au

Are you communicating effectively?

Client messaging takes many forms. Are you doing a great job?

Press one for sales, press two for accounts, press…!

Technology improves productivity. The vendor’s brochure says so. It must be true! Why is there a marked disconnect between the expectation and the reality? We empathise with others when feelings of frustration and anger are aroused by communications via Interactive Voice Response (IVR) systems. Can there really be a true correlation between irritation and good business? Do IVR systems improve the client experience?

I wonder if they received my email?

Does your website link to an auto-responder for online forms or emails submitted through the internet? I recently had to email a scanned document to an insurance company. It was a refund so my choices in confirming receipt were either waiting 15-20 minutes to speak with a call centre representative or just hope for the best. Hope is eternal, so I took that option. Why couldn’t the organisation have added an auto-responder to the generic refund email address? Had nobody thought it through? For a better client experience, an auto-responder is mandatory. You can add additional information to the reply email – a note of appreciation for their interest, a call to action or at least an acknowledgement that you received their message. It will markedly improve the customer experience.

Website woes

How many times have you needed an organisation’s telephone number, fired up the browser and typed in their URL? Well-designed sites have contact information or links clearly marked on the landing page. If you don’t prominently display your phone number on your site, you are walking away from business. A prospect picking up the phone on impulse could lead to a brand new client. Make it easy by placing the phone number on as many pages as possible. How’s this for a communication strategy? Put it on every page! Why do website designers feel the need to pay for stock photography to enhance websites? It’s costly and it looks phoney. If you need photography for your site, engage the resident happy snapper on staff to capture stacks of images and use these for all marketing collateral. Real employees with real smiles sell products and services.

Perpetual voicemail

I had a wonderful experience. The person I was attempting to reach on their direct line hadn’t picked up after a few rings and the call was then forwarded to a real person who told me the whereabouts of my contact. This struck me as amazing. It’s been so long since this happened I had forgotten how much better human interaction is when you constantly deal with technology.

Pointless Information

Do you preface your telephone number with the International country code? Do you transact business overseas? If you don’t, it’s just another example of redundant and pointless information that clutters contact information everywhere. Audit all client documentation and assess what is the bare minimum required to provide only relevant and useful information. This will ensure easier communications with your organisation. It’s an old but true cliché. Less is more!

Make it as easy and painless as possible

Try to find ways you can simplify or de-clutter your corporate communications. Make it easy for existing and potential clients to reach those quota-bearing sales representatives. Brutally review each of the steps involved in contacting your business. Make it as easy as possible. Better communication correlates with a healthier bottom line.

Mike Ryan | Brass Razoo Group | mike (at) brassrazoo.net.au | Mobile 0419 648 242

Ouch! Your website is stale

Your website only gets one opportunity to make a first impression.

I reviewed a number of integrators’ and resellers’ websites while prospecting for new clients. The title sums it up: ouch! Part of my qualification process is to review the content of my potential client’s website. After reviewing the web presence of around one hundred integrators and resellers, I have been left with a general impression as to the status of websites and their messaging in our industry. Some are good, some are bad, but most are just average.

Size doesn’t matter.

Some of the Top 10 integrators have the worst websites: hideous to look at, with boring content. Some of the best sites were put together by low-profile integrators who project passion and are proud of their achievements. The stark contrast is in the content and how it’s presented. Compare “this is what we do” with “this is what we have achieved and how we can help you”. The difference can be attributed to the company’s aspirational goals.

Staleness.

If your website hasn’t been refreshed for a few years, what impression is your prospect left with? Tell-tale signs are copyright notices circa 2007 and dated references like newsletter archives that abruptly end in the last century. References to technology a few generations past their “best before” date must fail to instil confidence in the ranks of seasoned industry veterans. How many times have you spoken with a suspect and the question asked “what’s your URL”? Does your sales rep apologise for the state of your website to the prospect? Does their heart sink when the question is asked?

Bad websites are bad for business.

You can’t hide your website. Everyone’s a critic. It’s appraised and judged by suspects, clients, partners and vendors. Content is trawled by search-bots, with a global ranking applied that’s proportional to the freshness of the content. First impressions are the vital ingredient in ensuring a good web experience. Whether it’s being late to a first meeting or failing to prepare for a presentation, there’s no way to make a first impression on the second occasion. The tough question that should be asked is whether your website is encouraging or inhibiting new business opportunities.

Your website is a member of your sales-force.

If a business development manager fails to meet sales targets or is not compliant with agreed KPIs, the door soon opens to a new career path. This discipline must be applied to your website too. A web presence is costly and challenging to maintain. Have you factored in the opportunity cost of not maintaining your online sales representative? If you don’t nurture your site with stimulating content and invest in regular refreshes, you are ultimately short-changing your efforts to grow your business.

So who’s got the best IT Integrator website in Australia?

And the winner is…. drumroll please Mr Krupa …

Kiandra IT – www.kiandrait.com.au

The first impression is bright and exciting. Navigating the site is easy and the links are comprehensive and easy to locate. The lasting impression is that a lot of effort went into the construction and the website is lovingly nurtured and well maintained.

How good is your website?
Would you appreciate a candid review of your web presence?

NB: The author has no commercial arrangement with Kiandra IT.

mike (at) brassrazoo.net.au

0419 648 242
Mike Ryan – Principal
Brass Razoo Group

Marketing needs planning.

Is marketing treated as a poor cousin in your organisation?

Senior management spend vast amounts of time preparing account plans and sales budgets. Unfortunately, marketing usually comes in as a poor cousin. Marketing plans are seldom written or made to face the cold, hard scrutiny of an A4 piece of paper. It’s one of the many paradoxes of the IT industry. We evangelise technology and planning, but fail to practise what we preach. Even worse, marketing initiatives that strive and fail to deliver instant results are deemed a failure. An extremely short-sighted view of marketing objectives.

With a modest amount of planning you can increase the effectiveness of your marketing budget and results delivered. Let’s clarify what marketing means in the context of this article. The purpose of marketing is to generate new leads and opportunities from existing and potential clients.

Step 1 – Your first marketing plan and budget.

Identify your target audience

Identify suspects and prospects worthy of investing 6-12 months of marketing funding and effort. Add these to your list of existing clients.

Frequency

Monthly mailers are easier to resource and manage. Emails to prospects and suspects often produce a negative outcome. Even worse, they can irritate your current clients. If your marketing letter hits the recipient’s rubbish bin unopened, at least the client has sighted your logo. The desired “touch-point” has been achieved.

Cost

If you work on $100.00 per 100 clients this should cover the cost of your monthly mailer.

Content

The cost of preparing the material depends upon how much effort you consider worthwhile. Look to your staff and their families for candidates with skills in desktop publishing and a flair for design. Use Microsoft’s free templates for “Publisher” or “Word”.
ARN sends weekly emails highlighting special deals. So do most distributors. It’s a rich and easy source of content.

Step 2 Follow up.

Give your clients a call and ask if they were interested in any of your offers.
At worst they may say no. Then again, they may say “no, but can you help me with…”
Even better, they may say “I didn’t know you guys did that”. It happens. Bliss!

Step 3 Have faith in your plan.

Remember. Don’t be discouraged if the results don’t flood in. Maintain the touch with existing and potential clients and you will be rewarded with business. Invest in your marketing plan and it will deliver the results.

Tips

• Do not undertake any marketing initiative as a single event.
• Commit both budget and resources to at least 12 months of activity. Start with a mailer, but look for other ways to create interest. Training and knowledge exchanges that reward clients with additional skills or insights can achieve excellent results.
• Set up a user in Exchange called marketing and start filling the calendar with 12 months of recurrent entries. Commit to this and engage with partners and vendors for commitment of resources.
• Ask vendors and distributors to contribute funding to your objectives. With a clearly articulated written plan, the purse strings will open. Remember that you earned those marketing funds. Use them.
• Good ideas with supporting documentation earn credibility points with your business partners. There’s lots of competition out there. Stand out from the crowd.

Mike Ryan is a technical copywriter and communication specialist providing marketing and creative services to the ICT Industry.

mike(at)brassrazoo.net.au

This article was published in Australian Reseller News, Sep 8, 2010

Mike Ryan – presentation to the AISA branch meeting – Jul 14th, 2010

Will a data breach send you broke?

If you listen to the spin doctors who head up IT vendors’ marketing and PR departments, you’d be certain that a data breach would destroy your business.
Bad news sells newspapers. Awful news sells more newspapers.
The same principle applies to data and privacy breaches.
Oh – the end is nigh! The sky is falling in. There’s trouble at mill.

The assertion is not supported by the evidence. Like the millennium Y2K bug, the hype is totally out of proportion to the business risk. The real damage of the Y2K hyperbole was the massive hit to the credibility of IT pundits and professionals.
Those same managers, with lingering memories, are still sceptical about claims made by the IT and security departments.

Enough ancient history. Back to the premise.

I am not advocating that data and privacy breaches will not damage your business. They will and independently researched data bears out this claim. But look for hard evidence about those organisations going broke – it’s not there. Proof to support this assertion is impossible to locate. The same can’t be said for the numerous listings about the nature of data breaches and quantity of records compromised.

As this inaccurate claim continues to be prosecuted, the real damage to the IT security industry will be irrecoverable credibility.
Just like Y2K, it will be déjà vu all over again!

So what information is available to quantify data breaches?

The most authoritative document I could locate was published by the Ponemon Institute under the sponsorship of PGP (an AISA sponsor). This comprehensive April 2010 report covers Australian data breaches and their cost to business during 2009. The findings were based on data loss or theft researched from 16 organisations, with breaches ranging between 3,300 and 65,000 records. It provides considered insights as to what a data breach costs an organisation directly and through collateral damage. A similar report is prepared for other global theatres including the USA, UK and France, so benchmarks and comparisons can be made.

Here are some of the survey findings.

The average cost of data breach to organisations was A$1.97M with individual breached records averaging $123.00. The cost varied by industry with Finance averaging $197 and Government coming in at the lowest cost per breached record.

Kudos to our dedicated and diligent public service!

The most expensive breach among the sample companies surveyed during 2009 was $4M. The two most significant components of this cost were loss of business and the detection and escalation of incidents. As a direct consequence of these data breaches, loss of client trust and the resultant customer churn rates represented the main cost of the compromise. The primary source of these breaches was malicious criminal attack and botnets. These types of attacks were significantly more costly than human error, oversight or omission.

An important finding was that seventy-five percent of breaches were first-time events for organisations. The report makes the assertion that organisations that have experienced a breach are better able to manage the costs of ensuing breaches. It’s more likely that prevention is better than cure. With experience comes wisdom, and data compromise is a very salient learning experience. Armed with a credible business case backed with actuarial tables, the CFO and CEO will be more disposed to allocating additional budget. Without this approach a breach could result in panic remediation, with budgets spent ineffectively. With a breach, the money has to come from somewhere. Other important projects could be delayed, scaled back in scope or, at worst, cancelled.

Or am I being too cynical? For IT Vendors let’s hope their customers don’t think so.
OK – the last two points in the Ponemon report summary.

For those considering or employing cloud computing or outsourcing, the outlook is grim. Just on a third of breaches resulted from third-party mistakes. There is a pot of gold at the end of the rainbow – with 44% of organisations contracting remediation work out to specialist IT Security Practices.

You beauty!

OK– what’s my point?
Hype!

My assertion is that the premise “data breaches will send you broke” is hyperbole.
Actually, completely over-the-top hype.
In previous lives in the IT industry I have witnessed vendors make the most outlandish claims. Expectations were set and never met. This pervaded the industry and is still perpetuated today, although it’s not commonplace. Industry novices visit clients and deliver their presentation, failing to notice seasoned IT professionals looking at their watches and rolling their eyes.

So back to my initial premise – data breaches will not send your business broke.

Occasionally data breaches make the mainstream press. The example I quoted in my article in the AISA newsletter was about an online florist who had a significant credit card breach. I went to their website and they appear to be flourishing. Positively blossoming, in fact. Nothing says I love you like flowers.

I kept looking for anecdotal evidence to support the argument. USA-based examples provided some of the answers.
Heartland Payment Systems’ data breach of 130 million credit and debit cards, disclosed in January 2009, has so far cost it $100M, with another $42M allocated for future contingency payments. Estimates are that it could eventually reach the $250 million that TJX has estimated it will eventually pay for its 2006 breach of 94 million credit cards. In spite of this massive hit to the bottom line, both businesses are trading and investor confidence hasn’t waned.

Changes are afoot and here’s what the future holds.

This is an excerpt reported in iTnews on March 26, 2010.

According to Australian Privacy Commissioner Karen Curtis, the Government has “agreed in principle” with Australian Law Reform Commission (ALRC) recommendations that organisations be penalised for serious privacy breaches.
The Australian Law Reform Commission recommended that the Privacy Commissioner be given the power to seek a civil penalty in a Court for a serious or repeated breach of privacy, and that reporting of serious data breaches become mandatory.

I’ll ask the question:
What’s a serious data breach?
What constitutes a serious privacy breach?

“The Government, in its first stage response to the ALRC report, has already agreed in principle to the application of civil penalties for serious privacy breaches where other compliance orientated enforcement methods are not sufficient,” Curtis told iTnews.

“The Government is still considering the issue of data breach notification.”

To close – my presentation

Hype has damaged the credibility of the information technology industry. The claim that data breaches will send your business broke is not supported by any evidence. One certain change that must occur is compulsory reporting of data breaches. When that occurs, my view will change. My argument is based on reported breaches.
In the future, regulators must be armed with a regulatory stick, a very, very big stick.

Mike Ryan – AISA member 1357

Thanks to Telstra for sponsoring the venue and RSA Security for sponsoring the event!

The IT Department. Are they your organisation’s “Digital Police Force”?

Should the IT department be in the service delivery or digital enforcement role?

An incident at airline Virgin Blue made headlines recently.
The Sydney Morning Herald reported these comments on June 10, 2010.

“Sharing pornography has been commonplace in the offices and staff rooms of Virgin Blue for years” , claims a group of workers sacked by the airline. And they say that, “far from objecting to the practice, airline management openly condoned it.”

Over my career I have worked for organisations without an IT usage policy. Inappropriate material was circulated discreetly and, though not countenanced by all of management, turning a blind eye was accepted. Prior to the days of email and the internet, the photocopier was the distribution point for this type of content. Over the past three decades what was permitted as acceptable behaviour in the workplace has changed drastically, and for the better. Sexist and racist slurs are mostly absent, with bullying the last holdout.
Setting apprentices on fire doesn’t seem that funny today. Did it ever? To some it was considered a “rite of passage”. To most it was thought of as an appalling example of workplace victimisation. It just took too long to reach the point where places of employment are now safe havens from these unfortunate practices.

But back to Virgin Blue.
Either these employees are naive or plain stupid. Five of the staff are appealing the dismissal with government authorities. The rest are “copping it sweet”, and so they should. Companies don’t want stupid or ignorant employees on the payroll. Flagrant disregard for rules enforcing IT usage policies demonstrates that both of these behavioural traits were commonplace at Virgin Blue.
I’ll bet you that problem has gone for good though!

One question remains. Who is responsible for policing the digital infrastructure to ensure content and behaviour not appropriate for the workplace are prohibited? One guess. The team in the IT department. This must change. Networking and security staff are employed to protect and ensure the availability of IT systems. Information technology professionals were lumbered with the de facto role of digital enforcer because technology resides within their domain. This duty is strictly within the realm of the Human Resources department’s responsibility. The sooner HR assume this chore the better. If this responsibility is shirked, it’s up to IT to prosecute the business drivers that deliver the transition.

IT can deliver the service, but it’s up to HR to act as the enforcer.

Mike Ryan – mike(at)brassrazoo.net.au

Learn HTML

I am re-learning HTML. It’s been a long time since I was proficient, preferring WYSIWYG applications. New standards have emerged from the W3C and it’s tough going – well, for me anyway. If you don’t know basic HTML structure, make the effort to learn and practise this skill.

Rest assured, it’s more valuable to a career than Esperanto!

UPDATE: Free tools

These are excellent freebies for web design and management.

Filezilla – excellent free FTP client
KomPozer – WYSIWYG HTML design tool
paint.net – Easy to use graphics editor
GIMP – not so easy graphics editor – think CS5 – it’s free