COVID-19 Will Change Forever How We Look at Business Continuity / Crisis Management

The effects of the COVID-19 on businesses are already unprecedented. It’s also going to get worse before it gets better, and I don’t just mean the ridiculous demand for toilet roll. While I am not very good at thinking in ‘futuristic’ terms, even I already know that the businesses that manage to survive will have no choice but to fundamentally change how they do what they do.

Permanently.

Well, those for whom data and electronic communications are the primary keys to their business model that is. Face-to-face stuff (e.g. brick-and-mortar retail) is a whole other ball game and way beyond my ken.

From tele-working, to business travel / commuting, to the communication / collaboration technologies in use, the impact of this global phenomenon will be dissected and analysed for decades. The ‘old ways’ of working; 9-5; bum-on-seat; Mon-Fri could [and I think should] largely disappear if, and ONLY if, the lessons learned are taken on board. Every business is a series of functions, and it should not be of primary importance where the person who performs those functions is, or even who that person is.

This is the mistake most organisations make, and while the impact of something like COVID-19 has never been part of any BCP I’ve ever seen, we could certainly have extrapolated and prepared for events like it. Here in London for example, if TFL goes on strike there is an enormous impact on the daily commute; people take 3 to 4 weeks off in a row on annual leave; long term power outages at critical locations and so on. All of these things, and many more like them, have all pointed to what is now required but almost universally absent.

But while there are literally hundreds of articles on how to DO business continuity in the face of COVID-19, they are ALL too little too late. It’s not the security industry’s fault however, it’s the fault of every senior leadership team who saw the aspects of security from incident response onwards as nothing more than a paperwork exercise. Or worse, chose to remain ignorant of the right way forward.

Ignorance is a choice.

All that said, this blog is not actually about business continuity planning per se, that’s not really my forte, this is more about ‘crisis management’, and how the LACK of it has made the COVID-19 pandemic worse for everyone. Especially those in the medical professions.

At its heart, crisis management (and by extension, business continuity planning) is about four things:

  1. An understanding of the business’s individual functions;
  2. An understanding of how those functions are performed;
  3. An understanding of who performs those functions; and
  4. Appropriate communication

In other words, if what you do:

  1. and how you do it is known and documented; AND
  2. is assigned to the appropriate and accountable resources.

…then all you have to worry about is the ongoing communication. Yes, the implementation of appropriate technology(ies) is relevant, but that should really be a one-off exercise plus ongoing maintenance.

Clearly this is not happening as a matter of course. Very few organisations have been adequately proactive in communicating to their employees what COVID-19 is, what its impact could be, and what to do about it. Almost everything that has happened to date has been reactive, ad hoc, and ineffective.

You think maybe this is a little unfair? That it’s not the employer’s responsibility to keep their workforce both informed and safe in the face of a pandemic? Tell me, who is better placed to do that? The Government? The newspapers? Your doctor?

It is my contention, and the real point of this blog [finally], that it’s the employers who should take the lead in these situations, because even Governments don’t have the level of influence over people that employers do. Of course everyone should follow what the Government and reputable experts say in these scenarios (CDC for example), but it’s the employers who have the most effective access to, and authority over, the lion’s share of the population.

They also have the best chance, by far, of heading off the rampant ignorance that leads to wearing a plastic bag over your head and other irretrievably stupid things that are still going on!

Not convinced? Think about it for a second. In the UK [for example] there are ~66 million people, ~half of whom are gainfully employed by ~2 million employers. If you exclude the public sector and the self-employed, you’re left with ~1 million employers with multiple employees.

I have long maintained that our employers have taken over the role of the communities of old (albeit very poorly):

  • Your and your family’s very livelihood (read Maslow’s Hierarchy of Needs) is largely dependent on them. Even your sense of identity;
  • You spend more than a third of your working life either at work or getting to and from it;
  • A huge chunk of your interpersonal interactions are a result of your place of work (I married an ex-colleague for example (much to her regret)).

Virtually everyone has a laptop/desktop, mobile phone, or both. And whether they are work-supplied or personally-owned makes no difference, your employer has direct and personalised access to you. They also have the ‘power’ to MAKE you listen/read/respond and ACT in accordance with their mandates.

Now imagine if your employer implemented [or had access to] a service that provided not only the most up to date information from all of the reputable and relevant resources, but detailed instructions on what each employee should be doing at any given time? Would these millions of people who are now armed against ignorance not significantly ‘flatten the curve’? Imagine almost one HALF of the population influencing and protecting the other half, even if it’s only against themselves.

Bottom line; I believe organisations not only have a responsibility to keep their employees both informed and safe, they should be held accountable for it (up to and including regulation). It is, after all, in everyone’s best interests including the employers themselves. It just makes sense even if you’re mercenary enough to only see this from a financial perspective.

Eventually I’ll write up more specifics on how every organisation can put something like this in place, but now is not the time. All I ask is that you pay particular attention to how YOU are managing to perform your duties while stuck at home, because if you can’t do it the next time you’ll have failed yourself and your employer equally.

Everyone, please stay safe, informed, and help out where you can, even if it’s by staying in the house.

[If you liked this article, please share! Want more like it, subscribe!]

The Key to PSD2 Adoption? Mobile Phones!

On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.

Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.

From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.

PSD2 itself is supposed to promote 2 things:

  1. Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
  2. Promote innovative mobile and internet payment services. [competition in other words].

The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.

The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?

Innovation is not the problem, FinTech is bursting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly are “innovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?

Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.

That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your bank accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps are one of the greatest potential benefits of PSD2, and one of its scariest.

As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:

  • By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
  • In 2015, 58% of all smartphone owners used banking apps

It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.

The only statistic that does not back this up is adoption of mobile payments. Despite the Apple Pays / Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty points, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.

PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.

Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?

Why Mobility is Good for Security

I should get the Pulitzer for these headlines. It’s only a matter of time until they add blogging to the list of literary/artistic mediums.

What it should say, is that BECAUSE of Mobility/BYOD, the spectre of information security raises its head higher than it usually does (which isn’t saying much), thus getting the attention of the senior management who are either entirely focused on running their business, or busy running it into the ground.

I actually had first-hand experience a while ago of an organisation that is on its way to becoming a BYOD-free zone, and considering what they do, I don’t blame them. At least until they get their security culture and policies sorted out anyway.

Which is kinda the point, as very few things I can think of have put the business side and the IT side into greater confrontation.  Business wants increased productivity AND cost savings, and IT Security want …well …IT security.

I don’t think anyone can deny the inevitable increase in productivity when your work email is sent to the same device you spend vast portions of your life on (usually in order to avoid talking to actual people).  But then you also can’t deny that confidential information on a device that is insecure (currently) is a VERY bad idea.

I know there are BYOD ‘solutions’ out there, but none of them work, and most of them are downright crap.

So where do businesses screw up? Easy: they look IMMEDIATELY to technology to solve a problem that only education and policy can solve (again, currently).

Here’s a scenario:

  1. A salesperson wants to send a classified contract to legal, should they;
    a. Just send it, because it’s to an ‘internal’ department?
    b. Password protect it if they have that ability on their mobile device?
    c. Never try to send it from a mobile device?
    d. Follow the corporate policy?
    e. Wait until the next day to send it securely from a known-good device?

The correct answer is d.

Hang on – you may say before hearing the explanation – why are b., c. and e. wrong?  They are not wrong, they’re just not right given that policy ALWAYS trumps what you think is the right thing to do.  If corporate policy says you can post classified docs to Facebook for feedback, so be it.  Your company will be out of business, and your CEO in jail (hopefully), but that’s a perfect segue to my next point…

Do you think you have the right to question your company’s policies?

The answer is that you absoLUTEly have not only the right, but the obliGAtion to question policies if you consider them in any way discriminatory, incomplete, redundant, inappropriate, unworkable …you name it. Not only that, you have a further obligation to help enforce those policies, it’s your company as well.

Policies are supposed to be the parameters upon which the corporate culture is founded.  They define the CEO’s perspective on everything from community programmes, to acceptable use, to expenses, and if the CEO doesn’t bother to create them (or at least approve them), as well as evangelise them, they will not be followed.

So, back to my favourite phrase; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities.  If the organisation fails to achieve [secure BYOD through policy enforcement], it’s the CEO’s fault, and no-one else’s.”

If you don’t think policy is the way to go on this, let me ask you one question; Would you follow company policy if this was the language in it; ‘All employees are strictly forbidden to send confidential information from their mobile devices.  All confidential data must be deleted immediately, and the matter reported to [department].  Any breach of this policy will result in dismissal, and subsequent legal action if deemed appropriate.’

I would.

Why Is Bring Your Own Device (BYOD) So Hard?

This is not going to be about the legalities, policy, or privacy issues surrounding BYOD, that has been covered many times over in articles like this one; “Why almost everyone gets it wrong about BYOD” by Brian Katz.  I would hope that you are fully aware that regular information security policies do not cover the use of personal devices, and have established appropriate policies accordingly.

What I will be focusing on is a) the risk-based approach, b) some musings on current ‘solutions’, and c) my thoughts on a possible technology solution.

A lot of these so-called BYOD solutions focus on the communication channels, secure browsing, malware protection, and/or Mobile Device Management.  All of them miss the major point, which is the risk to data at rest.  Do you really expect your employees to VPN into some kind of proxy just to browse the Internet?  Or how do you expect people to sign up to having their phone entirely erased if they lose it?

The issue is that not one mobile application, I repeat, not ONE, works at an Operating System (OS) layer that prevents jailbreaking.  Any encryption of either the data channels or the data itself is performed by software running on top of the underlying OS.  Jailbreaks work AT the OS layer, meaning that any functionality of the application is immediately at risk, including any encryption keys.

Charles Henderson says it better than me; “Is Your Mobile App Safe?”

So BYOD is not about keeping your data from being stolen, you can’t, it’s about agreeing on what you are prepared to lose, and what to do if (when) that happens. So instead of throwing ineffective technologies at the problem, you have to go back to basics and look at Role Based Access Control, data classification, retention policies and so on.  You should even question whether or not the cost savings and assumed productivity enhancements associated with it are really worth the effort.

In other words, if you do decide to proceed, assume that whatever your employees are downloading on their phones and tablets is now available to everyone, and implement your BYOD solution accordingly.

I would argue that you are probably better off educating your employees to never put confidential information in emails than you are trying to control how they use / abuse their personal phones.

I believe that there is currently only one way to perform BYOD securely; in a hardware module.  If you accept that you cannot perform authentication / encryption safely at the application layer, and that you will likely never have access to the underlying OS (iOS for example), then you are left with hardware.

The hardware module would perform several functions;

1. Authentication – Once the module is plugged into the mobile device, it establishes a secure channel back to home base to perform whatever form of authentication you choose (LDAP, username/password, certificate, even biometrics).  All encryption keys are kept on the hardware device.

2. Encryption – Seeing as the keys are on the hardware device (some form of mini-HSM perhaps), you can leave the encrypted data on the mobile device when not used for work related applications.

3. Storage – The hardware module could also be used to store all work related data, and the mobile device provides nothing more than  a communications channel.
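As an added illustration of the key-isolation idea behind these three functions (this is example code written for this page, not the post’s own design or any vendor’s product), here is a small Go model of a hardware module that keeps the data key inside itself and exposes only seal/open operations to the phone. The PIN check, the choice of AES-256-GCM, the Device type, the file name and the sample document are all assumptions made for the example; the post names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// HardwareModule stands in for the post's mini-HSM: the data key lives in an
// unexported field and only Seal/Open are exposed, so application code and the
// mobile OS underneath it never handle key material.
// Assumed cipher: AES-256-GCM (the post names none).
type HardwareModule struct {
	key      []byte
	unlocked bool
}

// NewHardwareModule generates a fresh key inside the module at provisioning time.
func NewHardwareModule() (*HardwareModule, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &HardwareModule{key: key}, nil
}

// Authenticate models step 1: the module refuses to work until the user is
// authenticated. The PIN is a constructed placeholder for whatever back-end
// authentication (LDAP, certificate, biometrics) would really be used.
func (m *HardwareModule) Authenticate(pin string) bool {
	m.unlocked = subtle.ConstantTimeCompare([]byte(pin), []byte("constructed-pin")) == 1
	return m.unlocked
}

func (m *HardwareModule) aead() (cipher.AEAD, error) {
	if !m.unlocked {
		return nil, errors.New("module locked: authenticate first")
	}
	block, err := aes.NewCipher(m.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext (step 2); the returned blob is
// nonce||ciphertext||tag and is what gets left on the phone's storage.
func (m *HardwareModule) Seal(plaintext []byte) ([]byte, error) {
	aead, err := m.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a tampered blob, or one sealed by a different module,
// fails the GCM tag check and returns an error rather than garbage.
func (m *HardwareModule) Open(blob []byte) ([]byte, error) {
	aead, err := m.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Device models the phone: it stores and hands back opaque blobs only.
type Device struct{ storage map[string][]byte }

func NewDevice() *Device                       { return &Device{storage: map[string][]byte{}} }
func (d *Device) Store(name string, blob []byte) { d.storage[name] = blob }
func (d *Device) Load(name string) []byte        { return d.storage[name] }

// RoundTrip runs the post's flow end to end: authenticate, seal a work document,
// park the ciphertext on the device, reload it and open it again via the module.
func RoundTrip(module *HardwareModule, device *Device, doc string) (string, error) {
	if !module.Authenticate("constructed-pin") {
		return "", errors.New("authentication failed")
	}
	blob, err := module.Seal([]byte(doc))
	if err != nil {
		return "", err
	}
	device.Store("contract.txt", blob) // phone holds ciphertext only
	plain, err := module.Open(device.Load("contract.txt"))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	module, _ := NewHardwareModule()
	device := NewDevice()
	out, err := RoundTrip(module, device, "Constructed sample: draft contract, internal only")
	fmt.Println(out, err)
	// A lost phone yields the blob but not the key: another module cannot open it.
	other, _ := NewHardwareModule()
	other.Authenticate("constructed-pin")
	_, err = other.Open(device.Load("contract.txt"))
	fmt.Println("open with a different module:", err)
}
```

The point the model makes is where the trust boundary sits: the phone never calls anything that returns the key, and a blob lifted from a lost device is useless without the specific module that sealed it. It also shows the limit the post goes on to raise: the moment Open returns, the plaintext is in application memory on the very OS that a jailbreak controls, so the module narrows the exposure to data at rest and in transit rather than removing it.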

The form factor for the hardware module could be something that is already very common, the phone case / battery charger.  Like this for example;

[image: Screen Shot 2013-07-08 at 16.43.01 – phone case / battery charger form factor]

Or it could be something like this that has many connection types;

[image: Screen Shot 2013-07-08 at 16.46.01 – module with multiple connection types]

There are many things to work through, and perhaps the most significant is that this module would literally have to jailbreak / hijack the mobile device before it could have the kind of control needed to enforce the BYOD policies.  Easy enough on Android/Windows, but I’m fairly sure Apple would have issues, they have already totally screwed the ancillary device market with their Lightning adapter. I know Apple are also working on a secure embedded SIM technology, but I really don’t see how it can perform the above functions in something so small, and they haven’t even seen fit to add Near Field Communications (NFC) chips to their iPhones.

Thinking ahead, this may not be a viable solution for all businesses, you still have to purchase hardware, and the centralised management station would have to perform everything an MDM does, but for the hardware modules, not the mobile device.  However, for government, government contractors, military and so on, perhaps the encryption aspect alone would be of interest?

Who is currently best placed to corner this particular market?  I think POS / terminal manufacturers like Verifone, Ingenico, or Micros would be contenders.  They already have manufacturing capability, HSM technology, small-form storage modules, OS and mobile communications expertise etc.

All they would really need is deep expertise in the specific mobile technologies covering the majority of the smartphone / tablet market; Apple, Android, Samsung, maybe even BlackBerry.  I’m guessing those skill-sets are not too hard to find.

Clearly there is a lot more to it that I have mentioned here, I do want to keep something back for collaboration opportunities 🙂

What are your thoughts?  What have I missed?  Is this viable?