Information Assurance and Protection

Cyber, Data and Information Protection

As recent attacks by both would-be hero-geeks and nation states have shown there is no shortage of actors willing to exploit weaknesses in the information technology and systems that businesses of all sizes use as a matter of daily routine.

Are you confident that your business is secure and safe from potential attack? If you are not certain this brief commentary summarises the risks, consequences and potential solutions that exist.

If you are still unsure of your next steps AMDS Consultants Ltd will conduct a two-hour consultation workshop on your behalf to help you build prevention into their operations.

Cyber Security The primary risk to a business is the comprehensive loss of all operations dependent on information technology and systems. The threat is aggravated by a lack of awareness of cyber security within a business and the failure to ensure all IT is current, protected and monitored. The consequences can be severe ranging from simple financial loss through reputational damage to business collapse and prosecution. Key solutions include hardening of systems, a security culture driven from the top, along with constant monitoring and regular auditing

Data Protection In the modern world where data is not held on copperplate ledgers, but on computers or a server farm, either locally or over a distributed network, data loss through accident or intent is a major risk to business operations. Should a business lose its data not only will it have catastrophic financial and operational impacts it also has the potential to put a company and its owners in breach of the GDPR (General Data Protection Regulations replacing the Data Protection Act in April 2018). Prevention of loss should be a business imperative. Data protection techniques include: regular encrypted backups to secure storage, strict control of access to and utilisation of data, organisational awareness of the importance of data and the consequences of a loss as well as physical and digital security.

Information Assurance Failure to meet the principles of the ISO standard for Information Security Management Systems (ISO27001), even if a business does not feel that it needs to be accredited, presents a major risk to continuity, resilience and growth. Assuring customers that their data, personal information and their business systems are safe is increasingly important. Failures in assurance will impact sales, profitability and retention. Further, gaining a reputation for poor information security will significantly damage business reputations. The requirements of ISO27001 are well documented and readily accessible. Managing a business in accord with the standard will mitigate the information assurance risk at a reasonable cost.

The Worst-Case Scenario. The consequences of a cyber-attack or data loss through a lack of information assurance within a business can go well beyond the consequences highlighted. Should a business be found to be at fault for a breach of the GDPR, or fail to meet the standards of credit and debit card transaction protection, the penalties are draconian. Penalties for a breach of the GDPR can rise to a maximum of €20 million or 4% of global annual turnover whichever is the larger sum. A failure to protect a credit or debit card transaction will lead to fines of £100/transaction for every transaction undertaken during the month when the fraud occurred.

Insurance Options Insurance is your “reserve parachute” you really do not want to have to use it!

There are two types of supplier, large well-known companies such as Hiscox, AIG, AXA and Chubb and these are quickly being supplemented by a significant number of small, usually web-based, niche providers. In many respects the cyber, data and information insurance market is following a similar growth pattern to pet insurance where uncertainties in risk lead to high premiums. That said, as I hope we have shown that businesses of all sizes need to make intelligent choices to address this developing threat.

The AMDS Consultants Offer. The way we approach things is not to recommend a particular software solution, suite of protection or data storage provider. Rather we look at the issues from the organisation’s point of view helping them put in place processes, systems and structures that reduce their information assurance risks as well as helping business understand the threats and consequences.

We will travel to your business’ location and discuss your issues and potential options using a workshop format. Any session will be two hours long and will start with an overview briefing before working on solutions with the local team.

Subsequently we can support your acquisition of the right solutions for your identified needs as well as conduct an information security audit of the business against key standards such as ISO27001, PCI DSS (credit and debit cards) and GDPR (General Data Protection Regulations).

© Dr Alan Morpeth July 2017.

Scam Alert!

A friend I have known since my university days recently came dangerously close to falling for a phone scam. Nothing unusual there, you might think. However, this victim was a hard-headed businessman, the last person you would expect to be caught out by scammers. I began to think about the number of people I knew who had been targeted in this way.

Generally, the victims of these scams are NOT poor decision-makers. They may, like my friend, have successful business or professional careers, but something makes them unduly open to persuasion. Modern life is increasingly complicated and the information overload seems to get a greater every day. We navigate through its using all sorts of shortcuts and rules-of-thumb. Scammers take advantage of these processes to catch their targets off-guard. Which means that no one is immune to being scammed. We need to be on our guard: if something sounds like a scam it probably is one.

The subconscious mind can be exploited in different ways. Scammers know about many of the techniques that can help people to take irrational decisions. These include allowing them to visualise future outcomes, motivating them to make over-hasty decisions, among many other methods. Many scams target people who do not have enough technical knowledge to understand how some things work. When a person has less knowledge about something it becomes much easier for a plausible scammer to drag him into their trap.

Wikipedia defines Emotional intelligence (EI) as: “the capability of individuals to recognize their own, and other people’s emotions, to discern between different feelings and label them appropriately, to use emotional information to guide thinking and behaviour, and to manage and/or adjust emotions to adapt environments or achieve one’s goal(s).” Which is a long-winded way of saying that, when dealing with strangers (particularly on the telephone) you need a very strong empathetic sense of what is going on in the current transaction. Scammers also use emotion intelligence to make us comply and to “feel safe”. Perhaps this explains why so many technically-oriented professionals fall into the trap.

Saddest thing of all, it is good people who make the easiest targets. Some people assume that all people are “good”; usually the ones who really are “good” think that way. By believing that everyone out there is like them, they respond to scammers without suspicion. I would put my friend in this category, although he had enough life-experience to smell a rat when his caller told him that he was due a credit from BT Openreach for which they would need bank details.

Forgive me if I am preaching to the converted but I treat all cold calls whether by telephone or email or any other method with deep rooted suspicion, but that might be because I am a tight-fisted Yorkshireman, a cynical bastard, or probably both. Whichever way it might be I have learned to respond to cold calls by telephone either by telling the caller that, when I want the goods or services they are purporting to sell, I will go looking for them myself or, if I am interested, I tell them that I am too busy to talk at the moment and ask them for their telephone number so that I can ring them back when I am free. It is amazing how many callers hang up at this point.

If you are targeted by phone, including texts, or by email or are the victim of any kind of cybercrime, please report it immediately to Action Fraud any time of the day or night using their online fraud reporting tool: www.actionfraud.police.uk/report_fraud, or by calling 0300 123 2040. Your local police might also have their own cybercrime unit. The more information the police receive the more likely they are to put a stop to the scammer.

As an object lesson:

  • This was a BT Openreach scam, masquerading as a cold call about broadband speed.
  • The caller installed Team Viewer on my friend’s PC ostensibly to check broadband speed.
  • He did ask for ID and the credentials offered were very plausible. For example: everything that was shown was branded as “BT Openreach”.
  • The scammer asked my friend to type values into terminal.
  • The calling telephone number was within the UK.

Carefully prepared and expertly executed. Unlike a scam that was visited on a friend in the USA who got an email from “Smith & Weson”! We cannot rely on scammers to make obvious mistakes these days; they have learned.

One lesson we can learn is not to let anybody take control of your computer unless you have contacted them and asked them to – for example – run diagnostics. Otherwise nobody has any legitimate reason to take over control of your computer and you do not have to type in any values if you are uncomfortable doing so.

A suggested immediate action drill on finding yourself in this situation:

  1. Break the Internet connection at once, and I mean physically. Pull out the cable or switch off the router.
  2. Put your virus protection and related security software on a deep scan.
  3. Phone your bank to have them monitor your account(s).
  4. Phone your payment card providers (there is usually an emergency number printed on the back of each card) so that they can block any suspect transactions.
  5. Contact your dealer, tech support number or any other support you have available to you, tell them what has happened and follow their instructions. Most suppliers and manufacturers have a help line. This may involve taking your machine in or calling out an engineer to thoroughly diagnose the extent of the damage done.
  6. Lodge an incident with the police (see above).
  7. When you are back on line send an email to everyone in your contact book to tell them to report any unusual messages they receive from you. Do not be embarrassed to admit that there has been an attempt to scam your account; you are acting decisively to clear up after it.

One last word: I keep the emergency numbers (tech support, BT, police, bank etc.) on a card that goes everywhere with my laptop. I have never had to use it but I am easier in my mind knowing that I have everything in one place if I do fall victim.

Outsourcing IT in the Third Sector

Information security in the 3rd Sector: does outsourcing IT represent a benefit or a risk?

While most of AMDS Consultants Ltd’s clients operate in the defence, security, transport and generic business process transformation markets some of our recent information security work has been with the 3rd Sector. Our 3rd Sector practice includes: charitable endeavours, the arts and civic organisations.

We recently concluded a major information security audit for an arts organisation. The main purpose of which was to assess their position against the PCI DSS framework for the management of debit and credit card transactions. Like many organisations in the 3rd Sector this particular community had chosen to outsource their information technology function to a third party provider and this is a common approach across the entire market segment.

Important elements of such an approach are shown below:

a. Retaining sufficient expertise in-house, to be an intelligent IT service buyer

b. Ensuring that requisite SLAs (Service Level Agreements) are in place

c. Negotiating robust and effective contracts

d. Clearly annunciating the third party’s place in your supply chain, and their responsibilities

e. Most importantly, ensuring that the third party will fully support you in information security

With these elements in place any information security assessment should go smoothly, provide significant benefit and present limited risk.

If, however, the IT provider chooses a different philosophy, as they did in our most recent 3rd Sector contract, then the possibility of a breach of the PCI DSS regulations becomes real as do the concomitant fines. In particular, we found it remarkable that any third party paid to provide comprehensive IT support to an organisation in the 3rd Sector would see an information security audit as an opportunity to make a profit. By refusing to supply responses to questions about their approach to information security without receipt of a fee not only did they raise concerns over the robustness of their information management systems but also placed one of their most high profile customers at increased risk of a breach. If the level of PCI DSS fines being discussed rwee implemented then our client would face financial ruin.

The question that exercises us now is how typical of 3rd Sector IT providers is this behaviour? Does the generic IT service company see this market segment as easy pickings dependent, as it it often is, on a mixture of employed ofIicers, administrative staff and willing volunteers?  Perhaps it is that the IT providers consider the 3rd Sector lacks the commercial nous to properly manage the services these providers supply and so use the 3rd Sector as a highly profitable dupe. Alternatively, we may have merely encountered a “bad” company and the broader base of IT service providers are committed to comprehensive support to 3rd Sector clients.

Whichever scenario represents a true reflection of these relationships, before choosing to follow this route, the 3rd Sector must consider how much of a risk their provider presents.

In an information security context, risk is vested with the owning organisation, i.e. the buyer of the service, not the outsourced IT provider. It is the responsibility of the buyer to ensure that sufIicient precautions are utilised by their IT providers to protect personal data in both storage and transmission. The buyer should also make sure that the supplier adheres to the appropriate information security standards as well as established best practice in their industry.

In the worst case scenario, where there has been a breach in data protection, any investigation would look first at the information security arrangements put in place by the buying organisation. If it is apparent that the buyer has not set appropriate information security standards and targets or has failed in their due diligence of the supplier then they will receive any penalty.

However, if it is clear that the buyer has done everything that is reasonably practical and the failure to protect information lies with their supplier then it will be the IT provider who will incur any fines deemed necessary.

Returning to the question posed at the outset. The ability of the 3rd Sector to successfully outsource IT services, in a world where the fines for information security breaches could cause financial ruin, is no longer just dependent on making a well-founded choice of supplier. Successful supplier selection is not merely a combination of: running a competition, setting generic performance standards, and placing the contract. In an increasingly connected world, where all IT service buyers carry data security responsibilities the following additional essentials must be considered:

a. Buying intelligently

b. Addressing information security and data protection from the outset

c. Setting genuine information security performance targets

d. Clearly delineating responsibilities

e. Creating and managing a robust but collaborative relationship with the IT provider

The absence of any of these factors in the provision of IT supply increaes risk and limits benefits.

What do people want from their leaders and managers?

In my experience, there are four things that people in the workplace – including myself – want from their leaders and managers. Inspiring leaders and good managers all have these four qualities and market-leading organisations actively seek them when recruiting or promoting.

Trustworthiness

You cannot be a good leader or manager if you cannot win the trust of your people and sustain it over time. Trust binds commitment and promotes action. Without it, you cannot win. From the employee’s point of view, if they cannot see signs of your competence then you are not going to gain their confidence. Openness is another aspect of trust and good leaders and managers encourage openness and manage dissent. You will know when you have got it right when you do not have to reprimand staff who transgress; it will be enough that they know that you know.

Optimism

Oddly enough this is linked with trustworthiness. Working as a project and programme manager I have often been told that I am “positive” or “optimistic”. It is always good to hear because there is not a big market for negative and pessimistic project and programme  managers; we  need to be purveyors of hope. Optimism can be pervasive and powerful. However, it has to be built on trust and not on delusions; it cannot be an act. If you get hung up on your mistakes, problems, wrong turns or mishaps (we all make them) and do not treat them as opportunities to learn and change, do not become a leader or manager! Optimism stems from a clear vision of the future, a commitment to get there and determination to bring everyone on their team along for the ride.

Purpose, direction and meaning

Which brings me to determination. I cannot over-emphasise the significance of determination to achieve a goal, together with the conviction, passion and unique point of view that will establish the energy and direction of the leader and manager. If you are a leader then you are helping to define the purpose of the job. Without the sense of alignment behind the purpose there can be no direction. How do you know which way to face? It must also be a purpose that energizes and engages people, that has meaning and resonance. That is why it is easier to do for leading a project than for managing Business As Usual (BAU). However, it belongs to everyone in the organization. The leader and manager must communicate the purpose in such a way that ownership is created on every level of the operation.

Acts and gets results

Ultimately, of course, you are there to deliver results so you must have the capacity to convert purpose and vision into action. Having developed a great vision you have to use it to inspire people. It has to become “real” in some material way to produce results. Most leaders and managers are pragmatic dreamers and practical idealists, which is not an easy balance to maintain.

Can Managers be Leaders?

Businessmen standing in front of a map of the world

We are still meeting people who use the terms “management” and “leadership” as if they were synonymous because they cannot see the difference between the two or distinguish between the function of each type of role. Other people think that “leadership” exists among the people at the top of the organisational hierarchy. The layers below that in the organization are called “management” and then all the rest are the workers who produce goods and provide services.

There is also a misconception that “leaders” are born with a set of personality characteristics, including “charisma” and “vision.” By that definition, few people can provide leadership. Management, on the other hand, is a set of well-known processes. Planning, budgeting, recruitment, performance management, procurement and problem-solving, can all be learned. Management keeps the business running, delivering goods and services day after day, year after year. This can be an enormously difficult task, but you do not have to be a born manager. That division is so wrong in so many ways.

Back in the late eighties/early nineties, the call was to replace management with leadership. That is still common today and, then as now, it did not understand that both are needed because each serves different, but essential, functions. Let me explain with some examples.

When deciding what to do …

Leadership establishes direction by developing a vision of the future and devising strategies to produce the changes that will achieve that vision.

Management establishes the detailed work breakdown, milestones and timetable to achieve the required results then secures the budget and resources to make it happen.

When aligning people to results …

Leadership communicates the direction to everyone who may be involved, directly or peripherally, and influences the creation of teams and groups that understand and support the vision.

Management sets up the structure to achieve the outcomes of the plan, staffs the structure, delegates responsibility and authority to the staff with guidelines, policies and procedures, and defines performance standards.

When making it happen …

Leadership motivates and inspires, empowers people to overcome barriers (including political, bureaucratic and resource) focussing on the needs of the individual.

Management controls activities and solves problems, monitors results against the plan, corrects deviations and modifies the plan as necessary.

When looking at outcomes …

Leadership defines and redefines the outcomes, produces change and realigns the business to adapt to changing times.

Management produces consistency, reliability and order, key results that contribute to the desired outcomes.

Some of the best leaders I have met, and worked for, were ex-servicemen, some of them making a second career having retired from the forces. Generally, they were the best managers, too, because the armed forces long ago realised that leadership and management can both be learned and that they are not mutually exclusive. In my next couple of blogs, I am going to explore that theme.

Office Politics for Contractors 101

Stabbed in the back

When I made the decision to go freelance it was a lifestyle choice, made attractive by the ability to play by my own rules, enjoy the flexibility and have plenty of variety of experience and challenge. Colleagues wished me well and said it must be great to get away from office politics. Strange thing to say: there is no way to avoid office politics and as a contractor you are expected to take them in your stride. How else are you going to get things done, get your ideas accepted, require a deliverable or get two users to agree?

It is difficult to come into an organisation and get respect straight away. There will be people who feel that you are treading on their toes, that they could do a better job, who cannot see why an over-priced contractor had to be brought in from outside. The trick is to be subtle about your  approach when stepping into a new role. Organisationally you are at the bottom of the ladder. You are an unknown quantity and probably a danger to someone’s job.

An extreme example: a few years ago I was engaged to carry out system synchronisation projects after company takeovers. Walking through the office on the first day you feel the fear, resentment and even hate radiating off the staff. It is importance to keep your distance. You are there to do a job and when it is over you will move off elsewhere. Be polite, watch what you say and change the topic of conversation if it is getting awkward. Of course there is a human element to freelance work, but stick to the facts and the tasks at hand rather than the emotions of somebody else.

There are some guidelines that I have found useful:

  • Never talk negatively about someone else in the organisation. The person you are talking to will wonder what you are saying to others about them and views always get back to the target.
  • Avoid getting involved with personal grudges and other people’s personal problems and frustrations. There will be people who relish the opportunity to offload their problems onto an outsider. There will be others who will be happy to fill you in on the gossip. If you get involved it could end up being embarrassing for you and even cast doubt on your professionalism. You do not need a reputation for being a troublemaker or a gossip.
  • Follow the chain of command. You cannot achieve a great deal without the trust of the people you are working with, or for, so never bypass a layer of management and when you go up the chain of command tell the people at the lower levels that you are doing so.
  • Do not keep secrets from anybody. You have to communicate openly. In particular do not try to hide bad news. There are well-tried techniques for delivering bad news (e.g. accompany it with an assessment of the situation, three alternative fixes and a recommendation). They key is never to surprise your client. So, if your plan is not going to work out as you thought it would say so and avoid spinning the result to suit yourself. Use your skills and experience to make things right. That is why they are paying your fees.
  • As a contractor it is important to be honest in everything you do. Your future roles depend on your reputation. People respond better to honesty; being up front will help you to gain the respect of your client’s employees.
  • Do not get into the habit of deal-making. If you stray into horse-trading be ready to be criticised by all parties and to accept sub-standard solutions.
  • If you offend somebody apologise immediately. There is no need for sackcloth and ashes; make a public apology (you may use an email message at a pinch) but do it honestly and at once.

A good deal of my work these days takes place in my office at home, with the occasional meeting, workshop, project meeting or information-gathering session on site.  Even so I have always enjoyed dealing with the politics, bickering, gossip and hostility. Which either means that I am a good contractor or a very strange man …

Cyber-security must be top-down and all-pervading

code-707069_960_720 There is a dawning suspicion among both the private sector and the public that even with the most advanced encryption the internet will never be sufficiently secure for the most sensitive data. The debacle over the San Bernardino shooter’s iPhone has shaken many I have spoken to who thought that technology could make them safe. Leaving aside the legal and ethical considerations (which the legal systems of the world will have to sort out by test cases in coming years) the question comes down to this: will there ever be a technology that cannot be unravelled by an intruder if the incentive is there?  At present the answer seems to be: “No”.

Does this mean that sensitive data will have to be transmitted in other ways? Are we going to see the re-emergence of bank messengers and military despatch riders? Should we be buying shares in paper mills? Where does that leave the UK government’s “Digital by Default”? We have a client who reverted to paper-based operation until he could design and install a closed dedicated messaging system. Will this be the way forward? As banking becomes increasingly a digital business this might be the only way to reassure customers that their details, and their money, are being protected.

It is not too far-fetched to imagine a secure intranet being set up and managed, possibly by the Cyber-Innovation Centre at GCHQ, to allow UK businesses, banks and government to trade with each other in a closed environment outside the internet. However, where does that leave the man-on-the-street? There is an individual judgement to be made here: am I prepared to accept the level of risk involved for the convenience of transacting on-line? Having adequate insurance against losses moves the balance of the argument toward “yes”. We have to get used to the idea that there are no guarantees.

Since I began working on eBusiness in 1995 organisations have generally considered Cyber-security to be an ICT issue – “our IT department does all that” – and it is only within the past five years that it has begun to be recognised as a matter of corporate governance and the responsibility of everyone in the organisation from the C-suite down. Directors and senior managers take the lead, embedding best practice in the corporate standards and strategies and cascading those down to every employee. Cyber-security is now as important at the monthly sales figures for most businesses, even if many do not realise it. Showing customers that the business or other organisation is taking every reasonable measure to minimise the risk to them will help build confidence in the organisation and encourage customers to transact on-line.

I will close with an anecdote: a major City business carried out a redundancy exercise during the recession, eliminating a complete layer of management. One manager in the IT department was allowed to work his notice (generally considered to be a bad idea!) and one evening visited the eighth floor to check an equipment closet. As he passed the CEO’s office he noticed that the CEO‘s password was stuck to the screen on a sticky-note (incidentally the staff handbook listed this as a disciplinary offence). He sat down, logged on and emailed redundancy notices to the entire board, logged off and went home. The point of this story is that even if there were such a thing as wholly secure technology that fallible component called a human being will find ways to compromise it and that is why Cyber-security must be top-down and all-pervading.

Test your disaster plan

TEST YOUR DISASTER PLAN

A couple of years ago a major business operating in the Midlands (no names!) engaged me to audit their disaster recovery plans and to run a live exercise to test their resilience. Their plan was professional and comprehensive. Not surprisingly because they had a first class systems team working on it. Their ICT department and datacentre were housed in their headquarters building and they backed up their data to a warm backup site. They even tested the time it took for the backup site to get online. Real textbook stuff. With one weak point.

The headquarters building was under the flight path of an international airport so the exercise involved an airliner crashing, on and obliterating, the headquarters building. How quickly could their operations get back on line?

On the morning of the test the dialogue with the IT manager (let’s call him “Gerry”) went like this:

ME: “at 0849 this morning an Airbus 320 impacted with this building completely destroying it and killing or incapacitating everyone inside. What is the next step?”
GERRY: “I phone the backup centre and authorise them to activate the suite”
ME: “and how are you going to do that?”
GERRY: “by phone. I will use my mobile. I have them on speed dial”
ME: “what time did you get to the office today?”
GERRY: “Eight-thirty”
ME: “So what does that make you?”
GERRY: “Oh … dead!”

Only one error but it kippered the entire plan and it was discovered because they were thorough and professional and ran an exercise. Most organisations never test their plan …Fireball

Things get better

Project groupI was working in software development in the days when we still thought that Windows 2.01 was a big step forward. In those days developers spoke slightingly about “scope creep”, requirements changing and growing after they had been signed off. The favourite response to this was to “freeze the specification” i.e. no changes at all, “what you signed for is what we will deliver”. Given that there were likely to be changes in management, market forces, legislation, standards, technology, business direction and objectives for the system during the time it took to develop it this was an excellent way to ensure that the users did not get what they needed from the system.

Thank whichever god looks after hapless developers for coming up with Agile. I was working with agile (small “a”) back in 2000 in a project-based organization (construction company). Construction projects are intrinsically “waterfall” (you cannot iterate the requirements for an office block or shopping mall once you have started building it); however, most projects had an IT element and we also worked on the company’s own systems (including contractor management and on-line drawing sharing) so there we were able to work with the users and other stakeholders using what today we call “user stories” (“storyboards” back then). Implementing DSDM helped a lot and even though public sector and PFI projects had to be delivered using PRINCE2 we were able to blend PRINCE2:DSDM in a mix that satisfied the DfT, MoD, NHS and NAO.

In spite of some prominent hold-outs Agile is much easier to implement today, particularly under the Government Digital Agenda. What is less encouraging is the number of organisations that think that they are “agile”:

ME: “In what way are you ‘agile’”?

THEM: “We use SCRUM for software development”

ME: “How about agile succession planning”?

THEM: “Erm …”

I think it will be a few years yet before we have universal understanding (and acceptance) of the Agile Organisation but it is going in the right direction.

Cyber-insurance?

hands-1004271_960_720With the threat of a successful cyber-attack is becoming ever more likely (firewalls bounce back thousands of attempts a day, even for a small company) cyber insurance may become a basic cost of doing business. Awareness is growing because some well-known companies have admitted that they have been attacked, although the great majority of victims do not report an attack because they want to avoid reputational damage and do not want to encourage further attacks. Even so only 20% are protected by cyber-insurance. This is going to change with industry pundits predicting that it will become a ‘must have’ for businesses.

Insurance is not a defence against cyber-attacks and there is a danger that it may encourage complacency; however, IT service companies and cloud providers are tipped to start providing cyber-insurance as a standard part of their offering. Even so reputational damage is a hard thing to quantify yet might have a far greater impact on an organization than any monetary loss. As it cannot be quantified it may not be covered in a policy.

A UK government survey in 2015 reported that attackers had breached 90% of large corporations and 74% of SMEs at an estimated cost of £1.5m-£3m for the larger targets and £75k to £300k for SMEs. To cope with the aftermath of these breaches a single policy cyber-insurance market now offers both first-party and third-party protection. The challenge to insurers is to come up with a policy that provides adequate cover at an affordable price, not easy when it is impossible to predict third-party consequential loss.

If you have home insurance but leave your front door open when you go out for the night your insurer is likely to decline to pay out on the policy when you are burgled. Similarly, insurers expect businesses to take adequate measures to protect themselves against cyber-crime (making all staff cyber-aware, alerting them to scams, implementing basic security practices, providing adequate firewalls, warnings on using public WiFi and so on). Increasingly businesses will need cyber-insurance to reassure their customers and it may become a requirement of doing business with public bodies.

There is scope here for consultants to go into businesses and audit their cyber-awareness and the adequacy of their protection with the incentive of lower rates if audited satisfactorily. Insurers and their brokers may offer this service themselves to get the right cover for their clients at the best price.

Business resilience projects have taken on a new dimension.

Where’s my data?

Moving corporate data off-site to a cloud provider can make good sense; it will have levels of security, resilience and availability that it would not get in a local server room and at a lower cost. However, talking to a colleague yesterday reminded me that I have often spoken to businesses that do not know where their data is held. At least their IT department might know but the C-suite decision makers answer the question with: “It is in the cloud”. Asked to define the cloud many are surprised when they realise that cloud storage just means putting your data on somebody else’s server or servers.

Where those servers are physically sited can be an issue. I remember one CEO who threw a wobbler when he learned that his precious data was sitting in a datacentre in China. That was an extreme reaction but if you are possibly going to have your data stored on multiple sites in different countries and backed up elsewhere then you need to know where those locations are and to satisfy yourself that you are happy with the risk strategies, insurance and legal safeguards in place at these locations.

When working as a systems or solution architect among the questions I ask clients are: “Is your cloud provider reliable and trustworthy?” “Have you looked into their track record, size, stability?” “What insurance have they got in place?” “Has the provider been hacked or otherwise compromised?” (They will provide levels of security and resilience beyond the resources of most local datacentres but they are not invulnerable). “Can they provide 24/7 cover and support?” (If your business operates over the weekend you do not want your operating data stored with an organisation that goes home at five on Fridays).

There is a danger, too, in excessive reliance on a single supplier. Once your data is embedded with the supplier the cost and inconvenience of moving it to another supplier can make it impractical or you might end up running in parallel with two suppliers for a time. Some organisations get round this by having a primary cloud provider and a deep storage supplier.

If we accept that an organisation’s data is its most valuable resource then handing it over to another organisation should only be done after a good deal of due diligence, investigation, visits to the datacentre, talking to other customers of the provider, the entire process. It might also be worth calling in a consultancy to review or design your cloud storage. A little extra up-front cost but a lot of extra peace of mind.

The Weakest Link

Talking to a cybercrime specialist from Barclays yesterday I learned that 72% of their business customers had reported receiving bogus invoices by email. No surprise there; many businesses I have spoken to have received them and there were two in my own inbox when I got in to the office today. What did surprise me was the number of businesses (Most were SMEs, but not all were) that actually paid these invoices!

I am using this to underline the lesson that the weakest part of any system, and the part targeted by cyber-criminals in 90% of attacks, is a human operator. Which goes to show why human interaction with technology needs to be made failsafe and why cybercrime is becoming less a technical issue and largely a human problem.

It seemed incredible that someone would pay an invoice without checking that it was owed until I remembered a scam that happened in New York a few years ago. A likely lad put an ad in the New York Times. It read: “This is the last day to send in your $10. Box xxxxxxx”. Just that. He had pocketed $30,000 before the NYPD caught up with him.

There is an increasing need for education at all levels to help businesses to protect themselves particularly from social engineering attacks (bogus invoices, fake legal fees), staff negligence (password taped to laptop screen, failure to follow secure procedures) or malicious insider attacks. A major element of advice in our resilience and assurance projects is to “educate your staff”.

Value for money

Another ice-breaker I sometimes use works like this …

I put a picture of Apollo 11 on the screen and say: “When NASA set up the Apollo programme they realised that normal ballpoint pens do not work upside down or in zero gravity. So they set up a project to develop a ‘space pen’. And they came up with this …” [produce official NASA space pen] “… which, adjusted to today’s values, cost $1.5bn to perfect. The Soviets used … a pencil” [produce pencil] “My question to you is: is this system to be a space pen or a pencil?” Invariably someone will say: “can we have the space pen for the cost of the pencil?” and you are off on your discussion of a key factor for every  project – value for money.

Discover your client’s main project drivers

When giving a project presentation to a prospective client I sometimes start with an ice-breaker. One favourite method is to put an old joke on the screen:

GOOD!

FAST!

CHEAP!

– choose two …

… which usually gets a chuckle, even if only out of politeness.

Of course you are going to deliver on all three. However, there are two serious purposes behind this joke:

  1. It initiates discussion to discover of the client’s main drivers for the project;
  2. It is an indication of where you are likely to have to deploy most of your skill during the project. Think about it this way:
  • If the client wants the project delivered quickly and cheaply then you are likely to spend a lot of effort on resolving quality issues.
  • If they want a high quality project delivered quickly then financial control is going to be particularly important.
  • If they want a quality project without spending a lot of money then you are going to have to be prepared to use some inventive shortcuts.

Potential Developments in European Test and Evaluation

Potential Developments in European Test and Evaluation – International Consolidation versus National Protection

For many years the ivory towers of the European defence sector have been consolidation and collaboration. The European Defence Agency (EDA) considers these twin peaks one of if not their only “raison d’être”. Further in the NATO alliance much weight is given to commonality and interoperability. Such a position has clear operational and financial benefits but in some quarters it has been suggested instead that it is closer to a cornerstone of the success of the USA’s political, defence, industrial complex. Such assertions are hardly surprising given the size of the American defence budget, the size of their contribution to the alliance, the close relationship of Federal and State Government with “local” defence contractors and the investment in R&D by US original equipment manufacturers. All of which have contributed to the preponderance of American weapons, systems and platforms among the Armed Forces of Europe.

By contrast, the major nations of Europe have continued to separately develop weapons and systems (METEOR and STORMSHADOW two honourable exceptions) despite the total value of the top 5 national defence budgets in Europe equating to approximately one-third of US investment in defence. Where collaborations do occur on major platform programmes such as: Eurofighter Typhoon, Panavia Tornado, CNGF and A400M, national interests and cultural differences lead to significant delays in realising the desired military capabilities. Consequently, how likely are recent bi-lateral agreements such as the Anglo-French defence and security accord or the Franco-German memorandum on defence test and evaluation to succeed and will they lead to a new era of collaboration and consolidation?

Collaboration in Defence Test and Evaluation in Europe has several precedents including:

  • Anglo-French agreement on hydrodynamic testing
  • NAMFI the established NATO Missile Firing Installation in Crete
  • Joint Test and Evaluation Plan for Meteor
  • The Anglo-French accord on missile design, development and manufacture

Yet there remain many advanced capabilities within Europe that are: under-utilised, searching for third-party income and competing with each other on National and International programmes. What drives this choice and what could be a realistic alternative?

A major contributory factor to the future of both collaboration and consolidation within Europe is the national desire to maintain a Defence and Technology Industrial Base. Investing in national programmes is seen as critical to both maintaining an expertise base and realising defence exports, both of these contribute to growth in GDP. A second and equally important factor is the potential impact on local employment of out-sourcing defence capabilities such as test and evaluation where thousands of staff are employed in both the Public and Private Sectors. The final and potentially dominant factor is the proverbial “line in the sand”; every nation has its own list of defence capabilities that must remain in country, which might include:

  • Special Forces
  • Electronic Warfare
  • Nuclear capabilities where established
  • Munitions manufacturing capability
  • C4ISTAR

Against this background those seeking collaboration and consolidation may find their options limited to technologies that do not necessarily provide a battle winning capability. If we acknowledge that every nation in Europe with a defence budget will strive to maintain the level of indigenous capability implied by the list above how can the European nations create a more realistic and better utilised defence test and evaluation base and what would be the benefits?

To consider the question posed above we need to look at the basic dynamics between the European inventory of modern weapons and the availability of expertise, facilities and capabilities to test, evaluate and train in war-like scenarios with them. Across Europe there are perhaps a dozen nations that possess the expertise, infrastructure and test and evaluation ranges capable of exercising modern weapons and smart munitions to their fullest extent whilst there are 30 or more nations who already have or are planning to acquire such military capability. Among the dozen there are some unique capabilities but also a significant number of duplicate facilities. By using, in a more intelligent way, the extensive set of European test and evaluation facilities across national boundaries our defence sector could: increase utilisation, reduce national costs and increase collaboration through familiarity breeding trust and confidence. Consequently Europe creates headroom to compete more effectively with the USA in markets both within Europe and across the world. The challenge is how!

Collaboration and consolidation in Europe does not start with a blank page as I hope I have shown by the observations made above. What we can do however is change the nature of the discussion by moving on from capturing every nations’ facilities to expressing what Europe alone and through NATO needs by way of a Defence Test and Evaluation Base for the future; this could be based on the recently published NATO 2020 recommendations. A start has been made on this by the EDA but unfortunately the starting point was not what Europe needs but how Europe will cut costs by forcing collaboration and consolidation. I would therefore like to suggest an alternative approach to stimulate this essential development.

Step 1. Agree that this is a Europe-wide initiative through the EDA supported by NATO
Step 2. Acknowledge that every nation round the table has their own national capability requirements and agree them based on genuine need and investment not national “chutzpah”
Step 3. Identify and agree unique European test and evaluation capabilities – two examples from the air weapons domain are: The UK Hebrides which is the only METEOR and AMRAAM war-shot capability in Europe, FMV Vidsel in Sweden the largest overland range in Europe by a factor of 10,
Step 4. Identify and agree the pre-eminent national test and evaluation capabilities that support the future needs of the defence sector and request that they lead on the development of a road map for a particular expertise leading to the requisite consolidated Europe-wide capability
Step 5. Support the consolidation with the negotiation of the necessary defence accords to ensure access to the consolidated facilities and security of national data within the specialised Europe-wide capabilities created by implementing step 4
Step 6. Re-direct the funding from consolidated facilities into the R&D essential to a modern, competitive European-wide defence sector that can truly compete with the USA

©MORTAR and PESTLE: Blending the Perfect Opportunity Pursuit Strategy

It is a well-established truism, particularly in the Public Sector world of competitive tendering, that there are only two types of winner in any competition: the company or consortium that actually wins and the teams of bidders who withdraw before sacrificing too much profit! As companies look for higher win probabilities in the tenders they choose to pursue more and more emphasis is being placed on successfully identifying, assessing and planning the opportunities to invest time, money and energy in.

There are many different and well-used opportunity assessment tools and methodologies but nearly all require a thorough understanding of: your market position, the strength of the competition and the potential of alliances. A detailed example can be found at:

Http://www.rti.org/pubs/mr-0003-0802-liao.pdf

The MORTAR and PESTLE approach looks to bring together many of the key aspects of these different methodologies into a simple and memorable form.

PESTLE is the most commonly used assessment framework that looks at the external environment influencing the opportunity. For those unfamiliar with the model PESTLE looks at the:

  • Political
  • Economic
  • Socio-cultural
  • Technological
  • Legal and
  • Environmental

factors at play in the chosen market that will have a direct bearing on the opportunity under assessment and the delivery environment should the competition be won. An excellent summary of PESTLE analysis is presented in Exploring Corporate Strategy 7th Edition pp 65-8 by Johnson, Scholes and Whittington published by Prentice Hall in 2006.

©MORTAR[1], for those with any of: a scientific training, a classical education or a penchant for making their own spice mixes, is the natural partner to PESTLE. In the context of competitive strategy MORTAR is all about the internal factors that can affect the practicality and value of pursuing a particular opportunity. The key questions within the framework are described below.

Market:

Assess the company’s position in the market where the opportunity lies, what is the company’s market share, strength, standing, and reputation?

What are the explicit and implicit customer needs and wants as expressed by the company’s business development discussions, the contract announcements and the actual tender documents?

Who are the competitors, what are their strengths, weaknesses and standing within the market, how does the customer view them?

Organisation:

How will the company approach delivery, does it have acceptable or value-adding methodologies that will stimulate customer support?

If the competition was won how would the product or service be achieved and what can be the growth pattern?

Can the company make money; is the competition worth winning from the perspective of top and bottom line profitability?

Where does the opportunity sit within the company strategy for products and markets (the Ansoff Matrix) or is it a must win contract to protect market position, company relationships or customer confidence?

Requirement:

What are the explicit and implicit requirements (as opposed to wants and needs) identified by the customer?

What are the required levels of delivery performance and quality standards?

Are there any explicit performance metrics that must be addressed?

Has the business development or tender clarification process exposed any hidden requirements that can give the company an edge?

Can the company offer any “Big Improvements For Free”, i.e., opportunities and approaches that can discriminate or differentiate the company’s offer from the competition?

Track record:

Can the company show successful previous delivery if so will their customer recommend or endorse the company’s efforts?

What is the current level of delivery performance on contracts of a similar nature and are the measures sufficiently robust to provide one or more case studies?

Can the company demonstrate in the tender process methodologies, flowcharts and metrics that prove that the work can be done and delivered effectively with efficiency and value?

Alliances:

Is the chance of success greater if the company establishes an alliance, JV or SPV with a potential competitor or a player from an adjacent or similar market segment?

If the possibility of an alliance increases win probability is the company confident enough in its existing relationships or prepared to invest time an money in developing new relationships to create a profitable operational alliance?

Can the company broaden its coverage and increase its competitiveness by entering into an arrangement with one or more organisation and would the customer condone or resist such a move?

How will the business model improve and profitability increase by using an alliance strategy rather than a go-it-alone approach?

Relationships:

Does the company already have a relationship with the customer base and if so how good is that relationship?

Does the company have or can it establish contacts with all the appropriate levels within the customer’s organisation?

Can the company map the customers, stakeholders, buyers and gatekeepers i.e. just how much does the company understand the customer for the opportunity?

Does the company have sufficient insight into the customer’s wider community of advisors, influencers, political connections and community relations? Any or all of which will influence the outcome of the competition

While the MORTAR and PESTLE may not provide the comprehensive coverage sought by some organisations it does provide an accessible, memorable and readily used framework that should help business make the right choices when considering the pursuit of competitive tenders.

Happy Blending,  Alan Morpeth August 2015

[1] Based on an original idea by Alan Morpeth in Winter 2010

Manage people personally, not by policy

Over the past 15 years I have been engaged by a number of commercial organisations, local and central government and SMEs and a recurring theme that seems to run through every sector is the way some managers prefer not to face up to the tricky side of management: correcting the unacceptable behaviour of their staff.  This has been compounded by the loss of the traditional functions of HR departments to automated workflow systems, providing a  temptation to justify their existence by introducing nit-picking rules and policies. It is a seductive mixture but in the interest of maintaining staff morale in difficult times it would be well to resist that temptation. There are a number of ways in which individual infractions, which would be most effectively dealt with face-to-face by managers and supervisors, end up as one-size-fits-all policies that antagonise the best and are ignored by the rest.  If organisations can rethink their moral-shattering policies and remove or alter those that are unnecessary or demoralizing, everyone will have a more productive time at work even if it is at the cost of managers having to manage.

Alan tells me that this is one of my “grumpy old man” blogs (thanks, Alan …) but if you have the stamina come along on the ride.

Websites. There are certain websites that no one should be visiting at work but once you block the  porn-sites and the other obvious stuff, it is a difficult process deciding where to draw the line and many companies draw it arbitrarily in the wrong place. People should be able to kill time on the Internet during breaks. Does anybody object to them reading a book or newspaper? When companies unnecessarily restrict people’s Internet activity, it does more than demoralize those that cannot check Facebook; it can limit people’s ability to do their job. Many companies restrict Internet activity so severely that it makes it difficult for people to do on-line research. When I am bidding for a contract, for example, I might expect the client to check my Facebook profile to get a better feel for the kind of person I am. And some people need specialised access that is cut off by over-zealous Internet rule-makers. When my friend Jenny worked as the unit administrator of a sexually-transmitted diseases clinic in London she was banned from accessing, and came close to being disciplined for trying to access, websites containing reference material for her job because these sites “contained sexually-oriented material”. Really!? Reference works on STD’s contain sexually-oriented material! Gosh …  So public service can be as bad, or even worse, than business.

Timekeeping. Generally you pay your employees for the work they do, not for the specific hours they sit at their desks (unless you are running Dombey & Sons). When companies penalise salaried employees for showing up five minutes late, even though they routinely stay late and work at home over the weekend, they send the message that policies take precedence over performance. If you cannot trust your staff to deliver then you should not be employing them; if you can trust them then why risk losing their “go-the-extra-mile” willingness by introducing nit-picking rules?  Of course there are occasions when you might need employees to be in a certain place at a certain time. If you are running a shift system on a call centre, for example, or for an important meeting, but when companies are unnecessarily strict in requiring documentation for bereavement and medical leave, it leaves a sour taste in the mouths of employees who deserve better. After all, if you have employees who will fake a family death to miss a day’s work, what does that say about your company?

Email. Some companies are getting so restrictive with email use that employees must select from a list of pre-approved topics before the email software will allow them to send a message. Again, it is about trust. If you do not trust your people to use e-mail properly, why did you hire them in the first place? In trying to rein in the bad guys, you make everyone miserable every time they send an email. And guess what? The bad guys are the ones who will find ways to get around any system you put in place. There are legal banana skins to sending emails, particularly in a world where there are those who spend their time relentlessly tracking down every opportunity to be offended, so you do need safeguards, such as filters to trap unacceptable terms, but they should be unobtrusive and preferably invisible.

Toilet breaks. I still find it difficult to believe that there are organisations that restrict their staff’s toilet breaks.  What is that all about? When you limit basic personal freedoms by counting their  trips to the toilet you can expect your staff to start counting their days at the company. If you are going to limit people’s trips to the toilet you might as well come out and tell them that you would prefer to employ robots that have no inconvenient bodily functions to cater for. The day you have to bring in a doctor’s note to prove that you warrant additional trips to the loo is the day you realise that you do not want to be here.

Airmiles. Do you do a lot of flying on business trips?  Work travel is a major sacrifice of time, energy, and sanity, puts a strain on the person and a strain on the family. One little perk that travel-weary employees earn, is their frequent flier mileage. So how about employers who do not let their staff keep their miles for personal use? It is greedy and small-minded (and often a visible sign of a business in financial tail-spin) and staff become more resentful with every flight. Taking employees’ miles sends the message that you do not appreciate their sacrifice and that you will hold on to every last penny at their expense. It says to creditors that it might be time to start calling in their loans.

Political Correctness. Political Correctness is a much disputed topic. Maintaining high standards for how people treat each other in a world that is full of hostility and prejudice is a good thing. As long as employers know where to draw the line. Going on a witch-hunt because someone says “Bless you” to another employee who sneezed (real example) creates an environment of paranoia and stifled self-expression, without improving how people treat each other and can even be counter-productive by building resentment against “favoured” groups.

Performance measures. Some organisations use statistical measures of performance. I read statistics at university and love the old “bell curves”. However, some individual talents follow a natural bell-shaped curve, but job performance does not. When you force employees to fit into a pre-determined ranking system, you do three things: 1) incorrectly evaluate people’s performance, 2) make everyone feel like a number, and 3) create insecurity and dissatisfaction when performing employees fear that they will be fired due to the forced system. Performance management should be a major part of the work of managers and supervisors not a spreadsheet calculation.

Mobile phones. If I ban mobile phones in the office, no one will waste time texting and talking to family and friends, right? As the Duke of Wellington said: “if you believe that you will believe anything …” Organizations need to do the difficult work of hiring people who are trustworthy and who will not take advantage of things. They also need to train managers to deal effectively with employees who underperform or violate expectations (such as spending too much time on their phones). This is hard work, but what are you paying your managers for? The easy, knee-jerk alternative is to ban phones. It will stop people making or taking calls; it will also demoralize good employees who need to check their phones periodically for pressing family or health issues or at an appropriate break from work.

Personal possessions. Many organizations control what people can have at their desks. A life-size poster of a shirtless soccer star? OK, maybe that could be a problem. But some employers dictate how many photographs people can display, whether or not they can use a water bottle and how many items they are allowed to place on their desks. Sadly for them people have personalities and are happiest and most productive when allowed to express their personality. I worked in technical support for a while and nothing was more frustrating than turning up to fix a problem with a PC and having to remove photographs of children, partners and cats, gonks, dried flowers, rubber elephants, birthday stars and a host of other detritus attached with large quantities of blu-tac. If we had banned these personal items we might have saved two or three minutes on each call.  However, these were people, not androids, and the clues their personal items presented about the caller’s personality smoothed our way when dealing with people who just wanted to get on with their work but were being hindered by a blank screen.

Dress codes. Some organisations need dress codes.  They work well in private schools, armed forces and liveried organisations but they are unnecessary at most workplaces. Hire professionals and they will dress professionally. When someone crosses the line, their manager needs to have the skill to address the issue head-on. Otherwise, you are making everyone wish they worked somewhere else because management is too inept to handle touchy subjects effectively.

I think you see the thread running through this blog: choose good staff, trust your staff, deal with shortcomings and poor performance face-to-face and do not ask HR to fashion a rod to beat all the staff with because one or two have crossed the line.

Give bootleg sights a miss

Imagine that you are one of the world’s leading suppliers of optical rifle sights.  An irate customer is standing in front of you brandishing one of your most popular products.  He is so angry that he almost throws it in your face.  He has spent a lot of money buying this sight because he wanted the best and he has not got the best because he has bought a knock-off, outwardly indistinguishable from the real thing, perfect to the last detail but inside, the part that matters, it is a cheap substitute.

QUESTION: which is going to hurt you most?

  • Losing the original sale?
  • Refunding for a sale you never made?
  • The loss of your reputation?
  • Being hit over the head with a knock-off rifle scope?

Bootlegging is not a new problem and China has long been regarded as the “evil empire” of bootlegging.  In March 2006 a leading manufacturer of rifle and pistol optical sights – let’s call them “DeadShot” (no names, no pack drill) testified to the U.S. Senate about the problem of Chinese counterfeit items.  Once cheap copies make their way into the marketplace, they lose their identity and unknowing or unscrupulous sellers can list them as the real thing.  Unsuspecting buyers wound up paying for what they believed to be a top quality item, only to find out that they had a cheap Chinese copy.  In addition to the risk of someone getting cheated on a resale, the manufacturers were concerned that the poorly made optics would damage their own reputations and brand names, which had been established on the perceived quality of products and service.  The copies were not legal and the genuine manufacturers quite correctly wanted them to be neither listed nor purchased by anyone.  At that time DeadShot and several other companies were in legal battles with the Chinese companies in an effort to make them stop making the copies altogether.

Seven years ago there were some obvious ways of spotting knock-offs.  Unreasonably low sales prices (bearing in mind the significant shipping cost if being delivered from China) were a clear indication.  If the seller said that they offered to warranty the sight themselves then it was probably a fake.  Most manufacturers’ warranties are handled by sending the sight to their factory where they are re-tested by computer and verified as a genuine article and most sights are computer tested before being shipped from the U.S. factory.  The packaging could be a giveaway, too.  A nice box printed in exactly the correct colours, soft bag, printed instructions, warranty card, shrink wrap and so on had to be correct and complete and if not then they may not be original, which is a bad sign.

In 2006 DeadShot were alarmed at the number of their top-selling riflescopes – quality products – that were arriving at the firm’s U.S. headquarters for service.  These turned out to be counterfeit products not manufactured by DeadShot and consequently not covered by the DeadShot full lifetime warranty.  They put a raft of precautions in place.  The DeadShot website provides descriptions of their products together with examples of how to determine if a device is authentic or fake, thus offering potential purchasers the opportunity to educate themselves prior to purchasing a DeadShot product over the internet.  DeadShot issue customer alerts to potential purchasers of their products, particularly aimed at those considering making a purchase via the internet, warning them of bogus DeadShot products.  DeadShot also use a serial number tracking based system for all its riflescopes, so if a customer thinks that a scope that is suspect, this can readily be checked for authenticity with the manufacturer.

An example of bogus riflesight that I examined last year had ‘DeadShot’ laser engraved on the bottom of the turret in a silver etch and the black ring on the objective was etched in white and did not include the name ‘DeadShot’.   Authentic DeadShot riflescopes are  always engraved black on black and have the name ‘DeadShot’ engraved on the black ring.  The counterfeit scopes usually did not bear the DeadShot logo, which all genuine new DeadShot scopes carry.

In 2015 the situation has become trickier as the counterfeiters have become more professional and skilful.  These days counterfeits are often marked, branded and marketed just like the real items they imitate (this is less of a problem if the manufacturer admits to producing “replica” or “clone” items, but they are not, particularly when being promoted on-line).   They make exact copies, even down to the serial number and trade mark.  They no longer offer their products at a bargain price but quote the full retail price.  Sub-standard reject and counterfeit sights were sold to U.S. customers through on-line auctions, like eBay through sellers based in Hong Kong and Shanghai China and some other Asian countries.  Some still are but bootleggers now also break in to the supply chain closer to home.

SCENARIO:  a 20 foot container of rifle scopes arrives at a port in southern Asia and is added to a container stack to be trans-shipped in two days.  That night a trailer unit arrives and takes the container away, returning it next morning.  Only now it is full of bootleg rifle scopes.  The supply chain is compromised and the bootleggers have a container-load of genuine sights.  It happened.

Bootlegging sights is no longer a cottage industry run from a garage in Shanghai; it is big business.  Hunting with guns is a sporting activity that requires the right equipment and manufacturers charge a realistic price for their products.  You pay for a quality item and you expect to get what you pay for.  Bootlegging can spoil your sport, damage the manufacturer and, if they find their way into the police and security arenas (as they are), have even more serious consequences.

One way of safeguarding genuine products is to incorporate a chemical substance (called a ‘taggant’) into the coating of the sight, or into the paint highlighting the numbers on the scope’s dials, into the logo or into pretty much any part of the product, which, when exposed to particular types of light, glows a specific colour.  One U.S.-based manufacturer of this type of solution can even tune their product to indicate the date of manufacture.  When a sight is returned as sub-standard that provides a definite way of proving that the customer has got hold of a bootleg item so (as the lawyers say) caveat emptor or “you bought a junk item and it is not our responsibility to replace it for you”.

A wide range of suppliers unique marking systems which they claim will protect products from counterfeiting.  Not all of these claims are genuine.  A worldwide security marking provider, DataTraceDNA/DataDots, has, it is claimed by the Courier Newspaper of Australia, duped Novartis, a global pharmaceutical company, into using its security solution. What is apparent from the investigation is that, far from being unique to the security provider, the security marking product is based on bulk chemicals supplied as phosphors for the lighting industry. The inevitable consequence of this, the newspaper claims, is that the entire stock of Novartis “‘Voltaren” ampoules sold in Australia using the taggant has been compromised.

The counterfeit product market is booming and becoming more dangerous as the focus moves from clothing, shoes and handbags to medicines, pesticides and firearms.  I came across an H&K G3 machine-rifle a few months ago, destined for a prestige customer in the Middle East.  It was perfect in every detail but one: H&K assured me that they do not make gold-plated firearms!  Nope, it was not a Khyber Pass Special (my wife’s uncle owns a Pakistani copy of an S&W K38 that would have been all but perfect if they had spelled ‘Wesson’ with two “esses”) but copied in a properly tooled-up private arms factory.  The International Chamber of Commerce estimates that by the end of 2015 the economic value of counterfeiting will be $1.7 trillion[1] and while many of the products counterfeited are fashion and apparel items an increasing proportion of goods compromised by this form of economic piracy include weapons, ammunition, accessories and military electronics.

If you are a manufacturer, however, small-scale, you need the products of an anti-counterfeiting/security marking company that maintains a stringent control of their suppliers, manufactures their own marking chemicals and designs their own detector systems.  No security marking system is infallible but the professional approach of the better companies in the market, and the stringent control regimes they have in place, will give you security for your products and allow your customers to buy with confidence.

[1] Steve Hargreaves @CNNMoney

Verimaster anti-counterfeiting technology

 

Portable Verimaster Detector Units

Background.

Historically counterfeiting has been seen as an issue for luxury consumer goods manufacturers. However, counterfeiting affects many more technology-based products ranging from components through high value pharmaceuticals onwards to accessories and enhancements to military systems such as optical sights, personal protection weapons and beyond.

Counterfeiting has become such a problem that at least one US accessory supplier has had their distribution network compromised twice in the last five years.

Consequently, within the supply networks of many products, feature goods of inferior quality that cause increased risk to performance, health and profitability

The purpose of this brief post is to introduce Verimaster® a superbly effective yet simple solution to the critical need to protect your supply chain from corruption through counterfeiting.

The Verimaster® Product

Characteristics. The product, developed by an Anglo-American alliance, is based on a blend of high strength ceramic seeded with inorganic oxides. The combination is chemically inert, immune to ageing or leaching and long-lived.

Very importantly, unlike some basic tagging systems it neither impairs performance of the doped product nor can it be counterfeited without criminals incurring significant costs. Verimaster® is also far less complex and much more easily utilised than the advanced DNA tag typing which has recently been used in very high value products.

Operation.

The product works by incorporating the additive into the manufacturing process at a doping level suitable for the chosen application. When stimulated by a non-visible laser or an audio detector the additive produces either a visual signal or an audible warning to indicate that the product being tested is genuine. Each sensor is supplied as a portable, battery-operated unit. Alternatively the audio sensor can be incorporated into a larger portal for warehouse applications.

Doped Plastic Feedstock illuminated by the Verimaster Laser Detector

The Verimaster® security additive can be incorporated into a wide-range of substrates including textiles, plastic feedstock, inks, laminates, coatings, adhesives, varnishes and paints. Consequently it can be added uniquely to particular components, colours or coatings; a choice that’s made by the customer and changed on an as required basis. It also means that the doping could be in the packaging of a component, system or accessory rather than in the physical product.

Applications.

The product is already being used in the following security applications:

  1. Human protection systems
  2. Financial services and systems
  3. High quality branded consumer products
  4. High value leisure services

In all examples the additive has had no affect on the doped product nor has detection performance deteriorated with operation, storage or environmental exposure. The use of Verimaster® to protect products in these applications has led to major cost savings, brand protection and the detection of criminal activity.

Concept of Operations

Example supply chain application of the Verimaster® system include:

  1. A sub-system printed circuit board (PCB)
  2. An pharmaceutical
  3. Emergency Service personnel uniform

PCB. The wide range of substrates that can be doped mean a genuine PCB can be identified by: the board itself, a protective coating, or a printed logo on the board. Equally individual components can be “marked” as genuine

A Pharmaceutical. Depending on the type of drug and level of supply chain control exercised by the manufacturer. The doping material could be used in the box, blister or the drug caplet itself.

Emergency Services. One of Verimaster®’s principal applications is in clothing. The additive has no effect on the structure, colour or wear of the doped textile and can be incorporated emergency services uniform manufacture with confidence. Example applications include: Identity markings, identity cards, insignia, nametags, webbing, and caps/helmets.

Flexible application means genuine uniforms and so genuine people are quickly and simply identified.

Verimaster® therefore presents a major opportunity to protect genuine products without any impairment of performance.

Anticipated Benefits

The primary benefit of utilising security doping is in the protection of genuine products, systems and accessories throughout your supply chain.

Secondary benefits include:

  • Confidence in product replacement
  • Improvements in ARM performance
  • Identification of reliable and untrustworthy suppliers
  • Date/batch marking or system specific identification marking
  • Personnel protection through security marking of individual uniforms, accessories and equipment
    • Criminal investigation and prosecution

Conclusions

Counterfeit goods are a significant threat to safety, security, and product performance. It can lead to the impairment of delivered capability/serviceability with your customers. The Verimaster® additive is a viable, readily used technology to combat these threats. It is inert, long-lived, has no impact on performance and is simple to use. Existing utilisation in a number of complex, high-value or secure services demonstrates transferability to many commercial domains and so presents an excellent opportunity to secure the your supply chain from the impact of counterfeit goods

Do you have to play by Six Sigma’s rules?

Its promoters are evangelists, preaching a creed of process perfectionism.  Its practitioners are passionate, its methodology is inflexible and to suggest a deviation is close to heresy.  I know, because I was once a fan of Six Sigma and its sleek sibling, Lean Six Sigma.  Not a big fan because, although it has some useful techniques, it has never been perfect.  It is dogmatic and process-bound.  It  presupposes that only Six Sigma “black belts” are capable of doing the process analysis and design.  It is only good for incremental improvement and not brilliant for innovative work.  And it did not incorporate information technology. I have a real problem with that as I am an IT man at heart and have used the power of IT as a tool for business, organisational and process improvement for over 20 years.

Cometh the day, cometh the methodology and Six Sigma, Lean or full-fat, has had its day. When corporate planning horizons were three, four, five years ahead an inflexible process-bound methodology was useful, if only as the basis of more agile in-house adaptations.  In times of great uncertainty, with planning horizons six months away, organisations are looking for agility, flexibility, speed of response (provided by a combination of tools and approaches), advanced systems thinking and an innovative, mix-and-match, method for creating breakthrough process improvements.

Six Sigma, with its dogma, priesthood and devotees, was born in times of certainty and flounders in a period of unprecedented economic turbulence and instability where years of consistent economic growth have given way to rising unemployment, increased costs, reduced incomes and a climate of  risk.  The increased uncertainty has affected everyone. Very few businesses, governments, private or public bodies are immune to the effects of uncertainty. To stay on top most organisations now revise their business plans more than once a year.  Any business plan that is over six months old is likely to be based on assumptions that have been overtaken by events and probably needs to revise its revenue figures downwards and costs upwards.   Business change is now a day-to-day process that needs to be realigned towards the changing strategic goals of the organisation and to be able to take the impact of changing assumptions on the chin.