What’s in our MSP crystal ball for 2019?

Amicus ITS has just completed its annual Technology Strategy Review to look at the trends and demands we have seen from our customers in 2018.  We have also taken the opportunity to look at the wider development of technology solutions affecting our public sector customers and those which we believe are likely to have a significant impact in our industry in 2019.

A recent CRN survey of a group of VARs captured interesting views on the datacentre technology trends they believe are tipped for take-off in 2019. Their key results included:

• AI (Automation) – driven by monitoring and decision making
• Hyperconverged Infrastructures (HCI) – single platform flexibility
• Intelligent Edge (IoT)
• Network Automation (underpinned by software-defined networking (SDN) – Cisco and VMware)
• Data archive + data backup – hyperconverged backup (vendors like Rubrik and Cohesity)
• Cyber security

So what’s our view?

After 30 years, Amicus ITS recognises that our success centres on our core strengths offering 24×365 IT Managed Services.  This gathers together the service desk and other disparate services and software management for each customer.  Customers can buy umpteen individual technology solutions, but it’s helping run the whole service, understanding the customer and being able to spot what adds value that makes an MSP’s role special.  Some customers are in an advanced state of cloud enablement, others are undergoing the journey to cloud through us, and others are preparing to embark.  With so much technology out there, we are transparent enough to acknowledge that we cannot do everything ourselves in-house.  So strategy for us is around consultancy, with regular health checks and the nurturing of our technology partner ecosystem to match what is best in breed and need, so we can tailor what’s right for our customers.

Looking at the drivers for our customers, and based around the conversations that are resonating most strongly, we would identify Hyperconverged Infrastructure (HCI), cyber security and smart working around people-centric technologies as the key go-to strategies for the public sector.

Whatever the diktats may be from Government, the price of an entire shift to cloud is beyond the reach of most councils (and is also too complicated and expensive for many), so HCI continues to form a happy medium.  Citrix Virtual Apps and Desktops Service on Citrix Cloud delivers secure virtual applications and desktops from on-premises resources or from major public cloud providers such as Microsoft Azure.  HCI lends itself well to this strategy, offering the ability to adopt a cloud-first architecture while maintaining complete control over your application and desktop resources.

Added to this, the protection and compliance offerings around cyber security rightly command attention (better on the front foot than reactive), as organisations not only want to protect data, but to interrogate it to analyse behaviours and manage systems better.  Ultimately, whilst local authorities continue to battle with legacy systems, true end-to-end integration will be a challenge to achieving true digital outcomes, and the rollout of 5G networks will underpin many advances.  But the journey has begun, so consultancy around the best routes through cloud and the most effective spend will continue to foster development and progress for us.

What do you think is going to be a focal point for the industry in 2019?  Let us know.

The UK Referendum – Macro and Micro events impacting on your IT environment


The Macro Picture
On 23rd June 2016, all British, Irish and Commonwealth citizens resident in the UK will be able to exercise their democratic right to vote for the UK to remain a member of the European Union, or leave the EU.

As you would expect in a modern democracy, all eligible citizens will be free to vote as heart or mind dictates and it’s no surprise that such an economically seismic event of this nature is leading to much debate and consideration by politicians, pundits, colleagues and friends alike.

However you vote on the day, this event can rightly be classed as a genuine macro event which happens not every 5 years, but potentially once a generation and both outcomes from the vote have the potential to profoundly impact the UK business environment.

As an organisation that provides integral support to businesses both within the UK and across the world, we have been keeping a keen eye on the implications of staying in or exiting, and we know a number of our customers have been doing the same. We are aware that customers across industries have been undertaking discreet assessments of their business footprint, trading parameters and their IT infrastructure so that policies and processes are developed to accommodate both outcomes. Amicus ITS’ regulatory and compliance teams have been very active with a number of customers to ensure the implications of data management and the storage of data offshore from the UK are clearly known and managed.

At Amicus ITS, our position on the need to assess, review and prepare your IT and data management infrastructure to ensure it is ready for any outcome is clear – TAKE ACTION, however discreetly, to provide reassurance to the stakeholders in your business that you can manage and thrive in the unknown environment to come. Depending upon your perspective, macro events can be dealt with as minor bumps in the road or full-on roadblocks. Your position on this should be determined by action and not inaction.

The Micro Picture
So what about micro events? These exist all around us and are multiple within the commercial environment that all companies operate. This is the same whether this is within the UK, EU or across the globe and within Amicus ITS we see the impact of these every day. Invariably, our everyday policies, procedures and good common sense ensure that micro events are managed and dealt with in a clean and efficient manner. However, at such a critical time as a major referendum, macro and micro events are inexorably drawn towards each other and this is something we are already starting to see within the IT managed services support environment.

As 23rd June approaches, we are starting to see a rise in the number of micro cyber security related incidents within our customer base, ranging from CryptoLocker attacks, to targeted DDoS attacks. More worryingly, we are seeing refined and highly complex preparation and targeting of brands and institutions for whom the macro outcome of the election could be doubly impacted by a breach of their security thresholds. A complex and high profile breach of cyber defences at the time of our Referendum could damage both commercial performance and reputation to companies and brands who may need to support a new direction within their chosen business space.

The simple truth is that macro and micro events happen all the time. Focusing on the right sort of preparation and planning, to ensure IT infrastructure and security are kept at the front of your mind alongside doing what you do best, means that you can successfully adapt to any outcome and take some time to embrace it – whichever way things go.

Does your company include “cyber” on the Board agenda every month?

Amicus ITS has long been an exponent of the merit of having an IT expert on a company Board.  Indeed ‘cyber’ has been on Amicus ITS’ own Board’s monthly agenda for the past 18 months.

As we continue to convey this good practice recommendation with our customers, this message is now being endorsed by HM Gov’s Treasury department in a direct appeal to the major UK banks.

As reported in The Sunday Times (24 January 2016), Andrew Tyrie, Treasury committee chairman and Tory MP for Chichester, wrote to the major financial institutions over the weekend demanding that they take urgent steps to thwart hacking and data theft.  “Bank IT systems don’t appear to be up to the job”, he said.  “Every few months we have yet another IT failure at a major bank.  These IT weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress.  Businesses suffer too.  We can’t carry on like this”.

The remedy is no magic potion.  The Treasury MP is advocating hard investment in computer systems and that banks answer to a new group within the financial regulator, the Prudential Regulation Authority.

No banks are immune.  Barclays, HSBC, Lloyds and the UK taxpayer’s own bank, Royal Bank of Scotland (RBS), have all suffered outages.  Most recently, HSBC suffered a two-day failure in its online banking services in January 2016. This follows last August’s dropout, when a glitch prevented salaries being paid ahead of the August Bank Holiday.  Other banking failures have affected mortgage and pension payments. RBS, which has experienced many problems, was fined £56 million in 2015 for an IT glitch in 2012 that left millions of customers unable to access their accounts.

The Deputy Governor of the Bank of England, Andrew Bailey, is expected to head up a new specialist IT unit within the Bank of England’s Prudential Regulation Authority to ‘ensure lenders are investing enough in their systems’.  We wait to see whether this specialist financial regulator post has the teeth and influence to create the necessary change and improvements required – and soon.  If our banking blog of 31st January 2014 is anything to go by, it could be a very long wait.  Could this MP’s plea be one of hope more than expectation?

Irrespective of business sector, it is a timely reminder for companies not to put off updating infrastructures or reinforcing vital firewalls by holding on to unspent, shored up profits post recession.  In our technically challenging world, businesses cannot afford NOT to maintain and future-protect their IT systems, let alone ignore recommendations to invest in protecting against increasingly sophisticated and cynical cyber threats facing every organisation.
• 80% of cyber attacks in 2014 were preventable (source: Ponemon Institute)
• Only 21% of companies say their Board gets comprehensive information about cyber threat*.
• Only 17% of Board members believe they have a full understanding of the risks*.

Action – do a cyber health check review of your company after today:

• Re-evaluate the crown jewels of YOUR organisation (key information and data assets)
• Review risk from 3rd party suppliers (get into active compliance).
• Be pro-active and transparent about risk – your customers will thank you.
• Arrange for a cyber threat ‘pen test’ and get in shape for 2016.

In the constantly evolving world of cyber security, the wise understand that there is no panacea against cyber attack; it is just a matter of when.  However, those best armed against the enemy will be the ones best prepared for an attack, with understanding and a prompt response.

Technology & Governance – the year ahead

There is lots of potential in many directions for cyber security, threat intelligence and risk management in 2016, and I am sure there will be some startling stories.   But the one thing I know for sure is that there will be hyper-growth in online extortion, hacktivism and mobile malware, and a pivot by government agencies and corporations towards a much more offensive strategy for dealing with cyber security threats.

I think that both governments and enterprises of all sizes are beginning to recognise the benefits of cyber security foresight and acceptance that there will be cyber attacks – and that it is likely they will be hacked. We see changes in legislation coming down the line and increasing hiring activity around skilled cyber security analysts and officers within enterprises.

Enterprises are now evaluating their risk as it relates to their assets and their position in their supply chain to assess their vulnerabilities and respond with plans to protect and defend accordingly. Individual users are becoming much more aware of online threats and through training and education, are upping their game translating this heightened visibility into increasingly prudent preventative action.  Malvertising is being forced to morph into more sinister approaches due to an almost 50% increase in the use of ad-blocking software in 2015.

This is good and bad, as the new approaches will have figured out a way around the software and will create new and innovative attack vectors that most users won’t see coming. Hackers are really good at evolving to adapt to new environments and for every defensive measure, there must be 50 ways to work around it.

An increase in the sophistication of psychological and analytical techniques and social engineering innovation will create a large bubble in the online extortion business driving hackers to expose even more incriminating information about their victims. Hopefully, the Ashley Madison breach will act as a lesson-learned deterrent, or at least a cautionary tale to help potential victims think twice before posting such potentially incriminating information.

If there is no basis for extortion, then it will be hard to extort.

So here are some of the things I believe we can expect to see during 2016:

•    Evolving cyber criminals will develop new techniques and attack vectors to personalize hacks, potentially making 2016 the year of online extortion (unless we stop posting hyper-personal data in inappropriate spots).
•    Mobile malware will surge along with the sales of smartphones and new online payment systems (these will create a target rich environment that will be impossible for cyber criminals to resist as these payment systems are particularly vulnerable to attack).
•    There will be a significant increase in government regulations designed to increase protection, detection, arrest and prosecution of cyber criminals, but result instead in increased cost and difficulty related to compliance for all businesses.
•    Significant fines and punishment for failure to comply with existing regulations affecting retail, consumer, healthcare, hospitality, finance and manufacturing industries.
•    In spite of increased intention, most companies will not be able to staff cyber security experts in 2016, as the current unemployment rate for analysts is less than zero.
•    There will be a reduction in malvertising but an increase in socially engineered intrusion and the resulting compromise and capture of administrative credentials will lead to an increase in successful breaches.

Now is the time to take decisive action to get ahead of all this by installing layered-defence technologies, training staff in identifying and detecting cyber attacks, moving to immediate compliance with all regulations affecting our and our customers’ industry sectors, and developing an internal cyber defence capability as well as partnering with external specialist firms to provide it.

What you don’t want is your emails exposed, your internal documents made public, your assets compromised, your position in your supply chain used as a tool to breach a client company or your name in the paper.

If our assets aren’t more valuable than the investment required to get secure, our customers and reputational impact surely are.   Let’s get moving.

UK SMBs fail to tool up on security

US security software specialists Trend Micro have published their latest survey results on 500 UK business owners.  This survey was an interesting mix of factual gathering as well as attitudes.  Trend Micro found that 50% of small to medium-sized businesses (SMBs) are not using any internet security tools to protect themselves from hacking and other threats.

In addition:
• Only 44% confirmed they knew how to check if a computer or mobile device was infected by malware
• Around 66% had no knowledge of the final penalties of an online security breach.
• Only 24% of respondents said they believed online threats are too complex to deal with.

With only 18% believing their data was worth stealing, this may explain their lethargy in taking a more enterprise approach to security risk management.

The difficulty is that cyber criminals have, for the last few years, increasingly targeted SMBs precisely for their more relaxed view of data security.

Now a precision tooling company in Bristol, for example, may not perceive that it is in any way a likely target for cyber crime.  However, let’s drill into the risk a little further.   This company’s Accounts department will necessarily hold valuable data assets. These will include financial details (including bank account numbers and sort codes of customers and suppliers), credit check information on customers, plus private contact details for other organisations that are not in the public domain.  So they alone may provide fruit off the tree to the cyber criminal, but added to this, they will provide an increasingly valuable inroad into other, larger organisations with whom they do business.  So it’s not just them putting themselves at risk, but the whole supply chain and their customer relationships, including trust, which become jeopardised.

No anonymity when you screw around online – notes from the Ashley Madison fallout

Adulterous subscribers and suspicious partners worldwide waited with bated breath for the fallout after the data hackers “Impact Team” mass-dumped the personal data records of 32 million users from the Ashley Madison database on 15th July 2015.  “It’s full account information,” said Robert Graham, CEO of Errata Security, in a blog post. “That includes full names, emails, phone numbers, addresses and passwords”.  Additionally, credit card information and dating information about height, weight, personal details and GPS co-ordinates are included.  Whatever fake accounts some people may have created, there’s so much information leaked that dissecting it and cross-referencing it will enable the identities to be verified.

With a further 14 gigabytes of data with matching encryption keys dumped yesterday, it is little surprise that the first divorce proceedings over suspected infidelities have started to be listed in the English law courts.  Inevitably the primary beneficiaries of all of this will be the divorce lawyers.  As one quipped today, “September will be like Christmas this year”.  Nice.

The list of global offenders some of whom may have signed up with false names or email addresses is reported to include: business leaders, public figures, government employees, senior politicians, members of the military, police officers and diplomats.  In the US, more than 15,000 of the email addresses are allegedly hosted on US government or military servers using the “.gov” and “.mil” top-level domains, with ties to agencies including the State Department, Department of Homeland Security, as well as the House and Senate.  There is real risk for damaged reputations and of course the prospect of future blackmail threats awaiting some – but for those naughty enough to use the website, it may be years before they are targeted by criminals.

A trigger for the hackers was apparently the flaws in the company’s data protection policy, with leavers being charged a £12 fee to have their details removed permanently.  Despite assurances from CEO Noel Biderman, this was not the case: after initial threats from the Impact Team, there were multiple reports of people who had paid this charge whose details still appeared in the exposed data.

Ashley Madison factoids:
• The online dating agency for married people has been running since 2001.
• Subscribers number 37 million members worldwide across 46 countries.
• The organisation states that there are 1.2 million subscribers in the UK alone (representing 2% of the population).
• Ashley Madison’s revenue for 2014 was reported at £77m.
• They are stated to be worth £670 million.

The source code of Ashley Madison is held by its parent company Avid Life, which now faces threats to its other websites and business interests.  The Sword of Damocles now hangs over smug CEO Noel Biderman’s business.  It is highly unlikely it can survive a) the hit to its reputation as a safe place to flirt and b) the cost of the lawsuits which are expected to hit its doormat in the coming months.

From a legal perspective, a breach of privacy may have occurred if personal information has been discovered and published, which could open Ashley Madison to lawsuits.   Mark Watts, Head of Data Protection at London law firm Bristows, noted that if a company had a presence in the UK (e.g. an office or a server) it would be subject to the UK’s Data Protection Act and UK residents would have the right to have their data deleted for free. “You cannot charge for it”, he said.  Our quick check at Companies House shows one Ashley Madison Limited, a private limited company, still reportedly active in status terms today, whose nature of business is “other information technology service activities”. It has a registered office in Milton Keynes.

As Luke Scanlon, technology lawyer at Pinsent Masons commented:  “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach.

“In the case of Ashley Madison… if each were to try to claim for £1000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. Even if claims for distress in this case are modest, the sheer volume of data breached and individuals affected in this attack could have a critical impact on the company”.  A remedy for breach of contract he advises would be complicated, costly, and risk further exposure.  However, this sounds like a Class Act to us.

This is certainly unreasonable behaviour from Ashley Madison, and a salutary reminder to businesses and organisations that it has never been more important to ensure they have up-to-date data security measures in place, accompanied by robust governance policies, to ensure the best possible defence against cyber threats.

Cyber Security – Top Tip Takeaways

Following our Cyber Security Round Table event, chaired by Amicus ITS’ Head of Technology & Governance JP Norman on Wednesday 24th June at IBM, delegates discussed the core issues affecting public and private sector organisations. The key takeaway points for all organisations are detailed below:

Top Tip Takeaways:

1.    The urgent need to raise awareness of the EU Data Directive, its potential impact and its financial penalties of 5% of turnover (TO).
2.    To consider the impact and to plan ahead if we voted to opt out of the EU in the UK Referendum
3.    The need for organisations to educate staff on the issues and impact of cyber security, data and correct device use.
4.    To secure Board engagement on risk from cyber security breaches to recognise the resulting commercial fallout from loss of trust.
5.    Appoint a Data Controller and create core stakeholder engagement across departments.
6.    Organisations to implement and regularly review quality BYOD processes and manage web browsing and software applications.
7.    Organisations need to control data streaming and ensure it stays in the UK to remain compliant.
8.    Match security awareness by staff with maximising their productivity for the business.
9.    Ensure your 3rd party supply chain has the same compliance checks, liabilities and recognised failure penalties to accompany your due diligence processes.
10.   Treat VoIP the same as any other form of data from a cyber security point of view, giving it the same protections and covering it under the same regulations as other data.
11.   Have an up to date digital policy and security measures within HR whatever the nature of the leaver to avoid data breach.
