Business Solutions, Luton

Nokia E61

Diary of a Nokia E61 User

‘Mobile internet - now this is more like it!’

I used to use a 3G Sharp mobile phone that had Vodafone Live! running on it and I thought that was as good as the Internet on a mobile phone had really become. I was hugely disappointed. It was pretty useless really and everything seemed to cost money, which is not what the internet should be about. However, with the Nokia E61, I’ve discovered that the mobile internet can be just as good as the normal internet. I can use our internet banking facility, update our blog, get travel directions, check websites of contacts I’ve just met, etc. There is nothing I haven’t been able to do yet and it’s proved invaluable on a number of occasions. Like the time my sat nav gave out when I was trying to find a prospective customer’s office. This is more reminiscent of the good old days of using a Psion 5mx and browsing the internet, except it’s in colour, quicker, and you can do it wirelessly anywhere.

You don’t get the whole of a website on the screen, of course, but the screen size is pretty good and there is a useful zoom facility. Also, there is a clever page overview that overlays on the screen as you move around and allows you to see where you are on a page.

A number of sites, including Google, have views designed for mobile devices, which can help with the speed of browsing, and there is less moving around the screen.

Along with the notes application, email and diary, this has allowed me to stop using my laptop in a number of mobile situations, many of which weren’t that practical in the first place. It’s so much easier to use the E61 on a train rather than to try and sit with a laptop. Plus, I can save the charge on my laptop for when I get to my destination.

Of course, there is also a web feeds reader application, so I can subscribe to the web feeds I like and keep up to date on the latest posts when I’m on the move. Why would I need a paper? They can be pretty awkward when you’re out and about as well. With the Nokia, I can access news stories all over the world and search for the content that I’m interested in.

I like the feature that I can use a wireless LAN if there is one available rather than the 3G network.  Also, I find that even at home, I reach for the Nokia rather than bother with the laptop, if I want to quickly check the internet for something.

I want to talk about the Email and Diary applications in other articles, and I’ve already written about the creative thinking possibilities with the Notes application, but when you combine the Internet browsing capabilities with these other factors, it’s astonishing how much benefit I am getting from this one tiny device!

Well done Nokia!


IT Solutions, Luton

Derrick Cameron, MD of Eximium Ltd

Choosing the right IT supplier

Assessing and implementing the IT requirements of any business is usually a dreaded headache, which a lot of business owners put off and finally tackle reluctantly. There are a lot of myths and confusing jargon associated with IT, but it really doesn’t need to be as scary or confusing as you might think.

I read a useful article recently by Mark Greatrex, who is product and services director with Lakeview. They are a provider of bespoke software for business management, accounting and manufacturing control. In his article, Mark sets out clear steps you should take to help you choose the right IT supplier.

I totally agree with what Mark is saying and I’m pleased to say that our approach fits well with the points that he raises.

Mark suggests you should check you’re getting the best out of the systems you already have in place.  We often find that our customers believe a system is capable of doing a specific thing for them, only to find that they need an additional module to make it work.  At other times, it is simply that the settings on the system in question are wrong.  You might find that little or no additional spend is necessary and a simple adjustment could be all you need to allow your business to become the streamlined operation you originally envisaged.

He also says that your staff may need some additional training in order to use the system in the most efficient way possible. Some software providers fall by the wayside when it comes to after-sales service, training and customer care. It’s worth researching the possibility of some independent training, as there’s every chance that this gap has been noticed and that training courses are available in that area. For example, our training courses are tailored to business people who want to learn essential IT skills, but are not interested in the technological complexities behind the scenes.

He mentions that budget is always a deciding factor of any new purchase.  Be sure to set out a clear budget from the very beginning. If you do find that you need to purchase additional systems, don’t be tempted to buy new technology for the sake of it.  Only buy what you need.  Excess technology can be a hindrance, as it can make things over complicated.

Mark states that the relationship you have with your IT supplier is key.  They should listen to your requirements and advise when they feel it is necessary.  A responsible supplier will help you to fulfil your requirements in the most efficient and cost effective way for you and not bombard you with jargon or new technology.  This is part of our commitment to our customers.  With us, you are dealing with people who understand your needs, can talk to you about them in plain English, and get your IT delivering what it truly can to make your business more profitable.

For more information about us, or to contact us, please go to www.eximium.net

To read Mark’s full article see http://www.smeweb.com/technology/features/top-tips-on-selecting-an-it-supplier.html.


Business Advice, Luton

Phil Connor, Consultant at Eximium Ltd

The expansion of the DNA database – has it become a data security issue?

Last autumn, while visiting the London HQ of the Forensic Science Service, Tony Blair, who was still Prime Minister at the time, called for the national DNA database to be expanded to include every UK citizen.  Gordon Brown raised the matter again in a speech this week.  In light of continuing high-profile breaches of data and information security in the public sector, and concerns that even the highest profile information systems are not safe, has this debate become a data security issue?

What are the arguments for the database?

So what are the implications of this? The arguments for a DNA database are compelling:
1. Without DNA evidence convictions may not always be secured.
2. Police time can be saved by narrowing down suspects very quickly.
3. Unsolved crimes spanning many years can be solved and the criminals brought to justice.

A case in point centres on Mark Dixie, a pub chef from Surrey, as detailed in this article from The Times Online by Richard Woods and Daniel Foggo earlier this year:

“Dixie was regarded by friends as an ordinary guy who enjoyed a party. He had managed to keep hidden a history of violent sexual assaults and had emigrated to Australia in 1993 before the collection of DNA became routine. He was not on the national database when he returned to Britain.

In September 2005 Dixie was prowling the streets in the early hours when he chanced upon Sally Anne Bowman, an 18-year-old aspiring model, returning home. He pounced in the driveway of her house and stabbed her repeatedly, inflicting wounds that one detective said were “off the scale”. Dixie sexually defiled Bowman’s corpse.
Although police recovered DNA samples of the attacker, the database held no match. For nine months the murder investigation made little progress. The police, believing the killer lived locally, had a list of more than 22,000 suspects.

Then in June 2006, Dixie was arrested after a fight broke out among football fans watching an England match in a pub.

The police were puzzled as to why he burst into tears as he was taken away. Dixie knew what was coming. His DNA was taken and within days was matched to the Bowman murder case. Dixie was sentenced to life.”

And the arguments against?

But what about the arguments against a DNA database?
1. Is the data held accurate? Or can mismatches occur?
2. Is this data secure and safe from malicious interference?
3. How would it be used and can we be sure it won’t be used inappropriately?

Expanding on point two, you have to look at recent and past high-profile breaches in data security, and the government’s record on securing data. Most recently there is the case of a “serious” security breach after a civil servant lost top-secret documents containing the latest intelligence on al-Qaeda!

Then we have the Prime Minister, who used a speech on June 17th to claim the government’s policies of creating a DNA database were protecting civil liberties rather than eroding them. His bid, however, to champion the security agenda was undermined when it emerged that Hazel Blears, the Communities Secretary who has been spearheading a “hearts and minds” campaign to fight extremism, had her laptop stolen from her constituency office in Salford! The computer contained restricted government files on extremism and defence, although aides stressed none of the files were “top secret”!

Conclusion

To conclude I would suggest that the majority of the general public would welcome such a database, but ONLY if they knew that:
• The data held was 100% secure
• That it would not be used or accessed inappropriately

But as history has proven that neither of these points currently has the remotest chance of being met, we have compelling arguments against an idea that should, in reality, stand up on its own!


Business Advice, Hertfordshire

Derrick Cameron, MD of Eximium Ltd

Is there a good time to resign?

With the news that David Davis has joined an ever growing list of people that have resigned on a political matter of principle, it’s hard not to wonder what drives a person to those lengths.  As both a businessman and an IT professional, I can’t help debating when we should simply accept what our employers, customers and colleagues are doing as just the way it is, whether we agree with it or not, and when it’s time to take drastic action and say ‘if you want it like this, you can do it without me’.

Voting with your feet certainly makes a statement, and shows you have strong principles, but couldn’t it also be seen as simply giving up?  If so, when is an issue big enough to warrant this kind of action without creating the wrong sort of whispers once you’ve gone?

In the world of IT and business change, particularly in larger organisations, we all come across some ridiculous things. Timescales are set that can never be achieved, changes are planned that are clearly never going to work, and the approach taken to projects is sometimes quite obviously inappropriate or unethical.  It’s become customary for us to accept the latest crazy scheme as the norm.  But are there some golden rules that we shouldn’t allow to be broken? Are there times when we should be taking a stand and making it clear that we don’t agree with what’s happening by opting out, just as Mr Davis and others like him have done?  And, if we do that, would it be viewed as an honourable gesture or would it create the reputation of someone who doesn’t see things through?

In my view, these are quite complicated questions to answer. Having witnessed several departures of this sort, and been the escapee myself on a few occasions, I think there are a number of factors at play.

It all seems to start with 5 main questions:

1. Is something about this situation going against either my core values or my belief system?
2. How bad is it really going to be for me if I just put up with what’s going on?
3. What are the ramifications for everyone else, and the project in hand, if I go?
4. Does being involved in this cause me more grief than the problems walking away from it could potentially cause me?
5. Is my leaving defensible - could I explain it to future customers or employers and would it sound like I did the right thing?

After these points, there are other things to consider, like peer pressure.  Many of the bad situations I’ve found myself in have been cases where everyone else thinks it’s bad too, but most of them have stayed to see it through. So you feel a certain pressure to stay yourself, and that it can’t be all that bad if they’re all willing to carry on.

I think it’s partly about how comfortable you are with yourself and where your self-esteem comes from.  If your self-esteem is partly based on how others perceive you, which is certainly true in my case, then walking out of any situation is not top of your list - what will people say when you’ve gone?  However, if you’re generally not that concerned with what people think about you, as long as you know you’ve done the right thing, then you’re free to make the decision that suits you best.

There’s also the nature of the engagement to think about. During my time as a freelance IT consultant, I must admit that I was much less inclined to leave a project just because I didn’t like it. I always felt that reputation was everything, and I didn’t want to burn any bridges, so I wouldn’t want to upset my customer or create the wrong impression amongst my colleagues. However, it must be said that, if you don’t truly believe in what you’re doing, what quality of service are you really providing, and what impression is that creating?

With a permanent position, things are a little different. You’re not normally thinking of going back there, and it doesn’t matter so much what people around you are thinking, so you’re a little freer to do what you feel is right.

Another factor is how high profile the role or project is. In the case of Mr Davis’ departure, the profile doesn’t really come much higher!  But, even if it is high, that can work to your advantage. The PR it might generate for you could be invaluable, if you’re in a situation that goes against popular opinion.

With our work taking up such a high percentage of our lives it makes sense to enjoy what we do. If a task becomes too onerous or problematic, is it best to try and stick at it or is the sensible thing to do to give up and go and do something else that you’ll enjoy more? I guess the answer is that the reward needs to be great enough at the end for it to be truly worth putting yourself through something that you’re not really enjoying.

Of course, it’s good to be challenged. It keeps us on our toes, ensures we continue to learn, and makes success that much more fulfilling. But, too much stress is a bad thing. It can reduce your effectiveness, affect your health, and leaves you feeling drained and exhausted during the precious time you spend with family and friends. If a situation is too stressful, you have to know when to draw the line before it makes you ill.

Having the courage to take action is also a key part of the decision - it’s much easier just to carry on.  I met a business owner recently who backed away from his biggest customer because he wasn’t getting the most profitable work from them, and the relationship was time-consuming and difficult. I asked him how he’d got on since then and he said he’s never looked back. He’s happier, the business is making more money, and he has more time to spend on growing his business.

Someone once told me how best to deal with today’s pressing issues. Take a step away and look at the journey you’ve made to date. Consider all the things that have gone before in your life to get you to this point. Think of the obstacles you’ve overcome, the low points, and how they’ve often led to great transformations. Only then think of where you are now and the issues you are currently dealing with. This process helps put perspective on the current problems and it usually makes them seem insignificant.  I think this process also helps enormously when we’re considering whether backing away from a customer, resigning from a permanent job, or terminating a great contract is the right thing to do. It might seem like the biggest decision we’ve ever made at the time, but it probably isn’t if we look back at what’s gone before in our lives.

Mr Davis and others like him, whether you agree with his views in this case or not, are to be commended for taking a stand. We should all learn from their example and try and lead work lives on our terms, that are a better reflection of who we are and where we really want to be.

Derrick Cameron is Managing Director of Eximium Ltd, a business IT solutions provider that specialises in helping business people get more benefit out of their IT systems, by using them to solve their business headaches. He can be contacted on 01582 635 078 or via the website at www.eximium.net.


IT Recruitment, Luton

Paula Wheatcroft, Ops Director of Eximium Ltd

The right recruitment company is the key to finding the right candidate

Recruiting new staff is a headache that all business people have to face at one time or another. This is why recruitment consultants exist – to take the headache out of the situation for you. But do they?

I recently read an article that, whilst aimed at candidates and employers, reinforced everything that we believe about our service. It was great to hear that others share the same views.

Matthew Poyiadgi, Vice President of EMEA at the Computer Technology Industry Association (CompTIA), suggests that the issues that employees and employers face when using recruitment companies, such as submitting inappropriate candidates for jobs, can be combated by ensuring that your recruitment consultant knows exactly what you are looking for.

This is the thinking that underpins our recruitment philosophy: you can only provide employers with the right type of candidate if you firstly understand exactly what the employer is looking for, and secondly, understand what the candidates’ skills are. We do this by providing IT recruitment using recruitment consultants who currently work in the IT industry, so we know what we are talking about – you won’t find us trying to provide specialist plumbers because we don’t know anything about plumbing!

As his article is aimed at candidates and employers, Matthew says that the onus is on them to ensure that their consultant has enough information to find them the right job or candidate. As the recruitment company, we have taken on this responsibility ourselves, as we also believe that it is also up to the consultant to find this information out, otherwise how can they provide an acceptable service? It is easy to just supply CVs for candidates that have keywords somewhere within the text of the CV without understanding what those keywords are, but in order to provide a truly suitable candidate, you need to understand what the keywords mean and what the employer is looking for, whether that is a qualification or some specific business experience.

Whilst many recruitment companies claim to provide a specialist service, very few of their consultants have worked in the sector they are recruiting for, let alone still currently work in that sector. We actually provide these skills so can provide both candidates and employers with a better service. If you would like more information on our recruitment service, please go to www.eximium.net/recruitment.asp

To read Matthew’s full article see www.computing.co.uk/computing/analysis/2217560/perfect-match-4019770


Business Advice, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Why temporary processes can be a bad idea in your business

Working with one of our customers recently, I was reminded why temporary processes can become such a headache for a business.

Our client uses a key report that shows the real profitability of their products by taking product sales and applying various additional costs and revenues to them to produce the true margin applicable to each product. It’s a vital report to the business. But it’s created using a massively convoluted process, with a lot of manual intervention. Information is taken from over 30 different sources and manipulated to make it suit the reporting model. Very few people understand the process and it takes at least 6 months for someone new to learn how to do it. Also, it takes one person 20 days each month to produce the report, so it’s a full-time job. Of course, with so much manual work, it’s also error prone and an area of high risk: what happens if the person who knows how to produce it is ill, for example? We’ve been helping them to understand and document the process, and making some recommendations for improvements, but changing it now is going to be hard for them.

Like many problematic processes I’ve seen in other companies, it started life as a feasibility study, answering questions such as ‘can this be done?’, ‘how can it be achieved?’ and ‘what would the results look like?’ That’s fine, and it’s a good approach to finding out what’s possible, but the trouble is that there’s a tendency for these things to turn into a real process once the underlying questions have been answered. Suddenly, what started out as a feasibility exercise has become a permanent fixture, which isn’t what the approach was designed for in the first place. Then people start to rely on the outcome of it, other processes are built on the back of it and, before you know it, you become trapped doing something in a less than ideal way.

My advice is to find any processes like this in your business and take stock of them. Consider whether they are really necessary and, if you were to design them from scratch now, what you would really want them to do and how you would want them to work. Chances are, you’ll find that they’re not really giving you what you want anyway, and there are much better ways to do the job you really need.

It’s worth spending some time and money to do this sort of thing properly with a real process that’s carefully thought out, using the proper tool for the job. In this case, a huge amount of information is being processed using 23 Excel spreadsheets, with macros and complex formulae, and a lot of elbow grease. The limits of what’s possible with this tool have really been reached, causing a lot of extra headaches.

Quite often, especially with reporting, and certainly in this example, the real problem that needs to be solved is at the point that the information arrives into the system. When people enter transactions onto systems, the requirements of key reporting processes need to be understood, so that the right information is being gathered at that point, to allow later analysis in the right way. In this example, if the revenue and cost transactions were already being posted at the best possible level, it would be so much easier to analyse the eventual effect on profitability, without all the manual effort to translate it.

So, next time you set someone off on a temporary approach to something, I’d recommend you think about where it might all lead. And once the feasibility study results are in, take the time to use what you’ve found out to design a proper process that provides a workable and sustainable solution to the problem.

If you would like some free advice about any processes in your business that are currently causing you concern, please just drop us a line by clicking here.


Business Solutions, Luton

Nokia E61

Diary of a Nokia E61 User

Making Time For Creative Thinking

I’ve had the Nokia E61 smartphone for some time now and I thought it worthwhile to share the ups and downs of using it with you. In this diary, I hope to give some insights into what difference having handheld computing power, with remote access, is making to my business.  This week, I want to talk about creative thinking.

Creative thinking is something we all need time to do. Like any business owner, director or manager, I have to make sure I spend time working on, not just in, my business.  But, how do you do that, given the pressure on your time during the working day?

Once again, this is where I’ve found having the E61 is the ideal solution to at least part of the problem.

The notes application on the E61 is ideal for putting down and organising creative thoughts whenever they come to you.  The thing about the E61 is that it has a very usable full keyboard, otherwise I wouldn’t be able to use it to any great extent.

As a result, I’ve found time to spend time thinking creatively about my business in what were previously situations where I might have just mulled things over in my head, or simply sat and done nothing. For example, while waiting to be collected in a customer’s reception area, during taxi journeys, and when I wake up first thing in the morning.

All of a sudden, these are my most creative moments, and my subconscious mind seems to reserve its most creative thoughts ready to be used at these stolen moments throughout the day. Most of the articles I write for magazines, websites, and our blog (including this very article!) are either sketched out or written completely on the E61, at these times.

Waking up is an especially good example. I often wake up early with thoughts buzzing around my head. By getting these thoughts down into the notes application, it ensures they’re recorded somewhere before they’re forgotten, and it gets them out of my mind so I can think about something else, or go back to sleep.

Then, having got the bones of the idea down, I can flesh it out later on, either by continuing it on the phone or by emailing it to myself from the phone, which is very easy to do. In fact, you can use Bluetooth or simply wait until the next time you synchronise your phone with Outlook, as the notes get automatically copied along with everything else.

I find that, looking back at my notes, I’m often inspired again to write more on the same subject. 

Of course, this doesn’t replace the strategic meetings I have with the team, but often I find I’m bringing notes made on the E61 along with me.  It’s made a huge difference to finding time to be creative about my business - I can’t recommend this approach strongly enough to all those other busy business people out there!


IT Consultancy, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Are you compliant with the PCI standards?

In September 2006, the Payment Card Industry (PCI) Security Standards Council released version 1.1 of a document entitled ‘PCI Data Security Standards’, generally referred to as the ‘PCI DSS’.  The PCI Security Standards Council was formed by the leading payment brands, including Visa and Mastercard, specifically to develop the Data Security Standards. This was in response to rising fraud within the industry, and the standards were designed to ensure organisations adopt consistent security measures to proactively protect customer account data. The standards will be updated in response to new payment security risks, as they are identified.

Adherence to these standards became a mandated requirement in July 2007 for all organisations handling credit and debit card transactions, or providing systems or services that do.  However, many companies are still not compliant and nonconformity could result in hefty fines and possible withdrawal of payment services.  The largest merchants, those handling over 6 million transactions a year, are expected to be compliant first, with the smaller merchants following along later, working towards a deadline of December 2008.  Companies offering systems or services that handle credit and debit card data will also need to comply or face going out of business.

The PCI requirements, like many standards, are just a framework and so by their nature are quite generic. This can make it difficult to pin down exactly how they should apply to your business, your systems and your processes. Anyone who has implemented an ISO standard, such as ISO 9001, will be all too familiar with this problem.

The good news, of course, about a framework such as this is that it’s prescriptive about what needs to be done but not always about how it should be done, so allows you some leeway to implement the approach in a manner that suits your business and the way you like to operate.

So what are these standards really about?

The key information that the standards are interested in is known as ‘cardholder data’.  The PCI define cardholder data as the ‘full magnetic stripe or the PAN (card number) plus any of the following: cardholder name, expiration date and service code (often referred to as the security code on the magnetic strip)’.  In fact, however, many of the requirements deal with general industry best practice in connection with system and data security and have nothing directly to do with card data at all. For example, ensuring that each user of your system has a unique user id and password, and that their password is not one that can be easily guessed.  If your system security policy is already top-notch, then you’ll be a long way there already.  If not, you may have a lot of work to do.

Let’s have a look into the essence of what these standards are really getting at. There are 12 main requirements which are grouped under 6 main headings.  Here are the headings with my simple explanation of the requirements underneath each:

1. “Build and Maintain a Secure Network”
Ensure you have a secure network, including firewall protection and the need for passwords to gain access.

2. “Protect Cardholder Data”
Protect cardholder data wherever it is stored, and even when being transmitted outside your secure network.

3. “Maintain a Vulnerability Management Programme”
Ensure your systems are protected against unauthorised access, including using up-to-date anti-virus software.

4. “Implement Strong Access Control Measures”
Install and maintain strict controls around system access, even access to the physical bits of hardware, ensuring only those people who actually need to see cardholder data have access to it.

5. “Regularly Monitor and Test Networks”
Monitor and track access to systems and, more specifically, cardholder data within systems.  Also, regularly test the security systems that have been put in place.

6. “Maintain an Information Security Policy”
Implement and maintain a policy for the security of information in your business.

A common misconception about the standards is that they only apply to credit or debit card numbers. In fact, whilst only the card numbers themselves need to be protected using encryption (meaning converted into something incomprehensible using a ‘key’, so that only a holder of the matching key can convert it back to its original form), information such as expiry dates, issue numbers, customer names, addresses, etc., all need to be carefully protected according to these standards.

The 12 requirements under these headings are then further broken down into a total of 64 smaller requirements.  I don’t propose to list them all out here - suffice to say that the PCI council have been very thorough in covering a lot of areas that could result in a security breach, leading to card fraud.  Interestingly, as you can see from these 6 headings, only number 2 is actually concerned directly with what state cardholder information is in inside your business.  The others are all to do with stopping any unauthorised or unscrupulous activity that might compromise that information.

Is everyone affected in the same way?

The payment brands have categorised merchants into 4 levels (the thresholds below are Visa’s, which are the most widely quoted), each with their own set of compliance criteria, based on the annual number of credit/debit card transactions that your business handles, as follows:

Level 1 - over 6m transactions, or anyone whose data has previously been compromised. An annual onsite security audit and a quarterly network security scan are necessary.

Level 2 - between 1m and 6m transactions. An annual self-assessment questionnaire and a quarterly network scan are necessary.

Level 3 - 20k to 1m e-commerce transactions.  An annual self-assessment questionnaire and a quarterly network scan are necessary.

Level 4 - everyone else.  An annual self-assessment questionnaire and an annual network scan are necessary (although this is under some debate and may be lessened in the future).

What will happen if I don’t comply?

In theory, each payment brand will take the action that it feels is appropriate (and achievable) to enforce these standards.  At the moment, there isn’t a set fine, and the PCI council doesn’t appear to have any plans to create one.  It’s likely that each brand will want different evidence to show you are compliant and they may opt to withdraw your payment services, in extreme cases.

All the original deadlines that were set for compliance have now passed, so the brands will probably be looking to set a date based on factors such as your level and the importance of your business.  Your acquiring bank is the best place to start to find out what date you need to work to and what penalties you can expect to pay if you’re not compliant on time.

How do I go about implementing these standards into my business?

So, what do you need to do to implement these standards into your business?  And how can you ensure that you are compliant with a standard, if it’s so generic?

Firstly, it’s important to review each of the standards carefully and assess how it applies to you and to your business.  You may already have some of these things covered, so it’s a good idea to find those straight away and tick them off the to-do list.  This should leave you feeling slightly happier and with a more focussed list of work to be done.

A number of the requirements are things which are going to need a business process change rather than a system change. For example, users of a system being forced to regularly change their passwords.  You’ll be able to confirm whether your systems are capable of this, or change them to make it so, but it’s not quite so simple to establish whether your people are actually using the facility.  So, identify the standards that cover a business process in this way and think about how you’ll implement them, and how you’ll confirm that they are being adhered to.

You’ll also need to think carefully about where your credit and debit card data is being captured, stored and sent. Ideally it would be hidden or encrypted at every point, but in practice a system has to decrypt a card number in order to use it.  The aim is to keep the stored copy encrypted, decrypt only at the point and moment of use, and make sure the plaintext copy goes no further: not into logs, temporary files, reports, screen prints or emails.  Find every one of these decrypt-and-use points as early as possible and work out what you are going to do about each of them.

It’s important to remember that any form of recording or transmission is covered by these standards, so emails, forms, and letters are just as much of a security risk as computer systems.  Make sure you know about the use of these other methods in your business and are doing something to control and audit their use.

The standards call for you to protect cardholder data from prying eyes and not to expose it to the risk of being stolen, even by your own support staff. This is harder than it sounds!  Most systems have support tools, or direct database access, that allow support staff to view and even amend data. This won’t be acceptable in the future, in all but the most extreme cases and, even then, use of the facility has to be tightly controlled and audited.

Think carefully about your support processes because these changes could have an impact on your people’s ability to handle certain transactions in your business successfully. For example, are there any regular processes in your business that involve someone either looking at or manipulating card data?  If so, you’ll need to find these and start working out an alternative approach to handling them.

What about processes that rely on the use of people’s card details? For example, do you process credit card chargebacks?  These often start with the need to search a system using the customer’s credit card number. This might not work once card numbers have all been encrypted on your system!  Check these situations out carefully.
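
As an added example (not from the original article, and not the customer system described below), here is one way round the chargeback-search problem: the card number is never used as a search key in the clear. A keyed HMAC of the full card number is stored as a lookup token, alongside a masked copy for display, so a chargeback can be matched against the customer’s card number without decrypting anything. The key, the test card numbers and the in-memory store are all constructed for this example; the separate encrypted vault holding the full number, where one is retained at all, is assumed to exist and is not shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed for this example: a random per-process key. In a real system the
# index key lives in a key-management service or HSM and is a *different* key
# from the one used to encrypt the card number vault.
INDEX_KEY = secrets.token_bytes(32)


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-...' match."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is stored or searched."""
    if not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index_token(pan: str, key: bytes = INDEX_KEY) -> str:
    """Keyed lookup token. A plain SHA-256 of a card number can be reversed by
    hashing every plausible number; the HMAC cannot be, without the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class TransactionStore:
    # token -> transaction ids; transaction id -> masked pan and amount.
    by_token: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def record(self, txn_id: str, pan: str, amount_pence: int) -> str:
        pan = normalise_pan(pan)
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        token = pan_index_token(pan)
        # Only the masked number is stored with the transaction. The full PAN,
        # if it must be kept, goes to an encrypted vault (assumed, not shown).
        self.records[txn_id] = {"masked_pan": mask_pan(pan), "amount_pence": amount_pence}
        self.by_token.setdefault(token, []).append(txn_id)
        return token

    def find_by_pan(self, pan: str) -> list:
        """Chargeback search: re-tokenise the number the customer gives you and
        match exactly. Nothing is decrypted and the full PAN is never logged."""
        pan = normalise_pan(pan)
        if not luhn_valid(pan):
            return []
        ids = self.by_token.get(pan_index_token(pan), [])
        return [{"txn_id": t, **self.records[t]} for t in ids]


def demo():
    """Constructed data: the well-known Visa and MasterCard test numbers."""
    store = TransactionStore()
    store.record("T1001", "4111 1111 1111 1111", 2599)
    store.record("T1002", "4111-1111-1111-1111", 1250)
    store.record("T1003", "5555 5555 5555 4444", 999)
    hits = store.find_by_pan("4111111111111111")   # both T1001 and T1002
    return store, hits


if __name__ == "__main__":
    _, found = demo()
    for h in found:
        print(h["txn_id"], h["masked_pan"], h["amount_pence"])
```

The index key must be protected like an encryption key and held separately from the vault key: anyone who obtains it can confirm whether a given card number is present in your system, even though they cannot recover numbers from the tokens. Index tokens are one of the methods the standard accepts for rendering stored card numbers unreadable, but the whole arrangement is only as strong as the key management around it.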

OK, I’ve started work on this but what will all this change mean?

Let’s have a look at the kind of testing all this change will call for.  At the end of last year we completed a testing project for one of our customers to help them ensure that their system met the requirements of the PCI DSS.

We undertook the work in 4 streams:

1. We needed to prove that the changes to their system achieved what they were supposed to have done.  In essence, were they doing what it said on the tin?

2. Then we had to confirm that the changes had led to the requirements under the PCI DSS being either met or exceeded.

3. Also, it was important for us to confirm that everything else still worked correctly on their system, i.e. that the changes hadn’t broken any of the important processes they already used.

4. Lastly, we had to check that other changes they had had to accept as part of the upgrade were also working correctly.  Their system is essentially a package, so some dependent updates were also provided by the software provider to make the PCI changes work.  This issue may or may not affect you.

After we had completed our testing successfully, we handed everything back to our customer so they could start their own testing, to make sure everything was fit for purpose for their business and their business processes.

I can’t stress strongly enough that all the changes you are going to need to make, whether they are to your business processes or your systems, are going to need to be tested thoroughly.  Don’t just implement them and expect them to work.

Hopefully, that gives you something of a flavour as to how complex testing something like this can be, and what all this change is going to mean to you.  The bigger companies are spending millions of pounds getting this right.

So what do I do next?

The best place to start is to download the standards themselves and the Self-Assessment Questionnaire from the PCI website at www.pcisecuritystandards.org.  You might also want to contact a PCI Qualified Security Assessor (QSA) and get them to come in and assess how much work you’ve got to do; an Approved Scanning Vendor (ASV) is the separate kind of company that carries out the external network scans mentioned above.
Also, if you haven’t already done so, I’d talk to your acquiring bank as soon as possible and confirm with them what level of merchant you are.  Oh, and don’t forget to ask them that all-important question about when you need to be compliant by, and how much it will cost you if you’re not ready by then!

Ultimately, this could be a complicated and costly process.  But, it’s worth remembering that it’s an important investment in risk reduction.  And, according to statistics from Visa Europe released in January this year, 84% of customers want to shop with merchants who are security market leaders and 75% say they would not shop at a store that had suffered a security breach.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches.  For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Consultancy, Bedfordshire

Paula Wheatcroft, Ops Director of Eximium Ltd

System integration is the key to managing your e-commerce business and not just your website

Web sales are key to any retail business, but e-commerce is not just about the shopping basket and the parts of the website that the customer sees. In a recent article, President and CEO of NetSuite, Zach Nelson, raises many valid points.  He says you must ensure that your whole business can support the sales process through the efficient integration of your website, front-office and back-office systems.

Zach’s article advises 2 main things to think about:
1. What information is available at various stages of the process
2. The speed at which information is available

There will always be questions that cannot be answered by your website. You need to ensure that when a customer calls, customer support and administration staff have enough information to be able to respond to the enquiry effectively. Central customer information, such as a customer account, can also show what sort of experience each customer is having, whether good or bad. It can identify your good customers that you want to retain, and warn you about your bad ones!

Your Marketing department also needs enough information about your customers and how they are using your website to be able to understand what your customers want and need, so they can direct your business where it will be most effective.

If you have this sort of information available, how quickly is it being transmitted between systems? Customers expect instant results and are disillusioned when information such as stock levels is incorrect. This can also incur unnecessary costs for your business when you cannot fulfil customer orders. Real-time data can make the difference between an average business and an efficient, streamlined business that customers want to come back to, and effective integration between your systems can help you achieve this.

System Integration is one of the areas we specialise in, as it helps business owners get the most out of their existing IT – and it doesn’t have to cost the earth. We see a lot of cases where 2 or 3 good systems are doing a decent job individually, but where greater benefits could be realised if they simply shared information efficiently between them. If you would like any advice on how to get your systems talking to each other, or would like to arrange a free visit from one of our consultants, please go to www.eximium.net/contactus.asp

To read Zach’s full article see www.inc.com/resources/technology/articles/20070501/nelson.html


IT Consultancy, Luton

Derrick Cameron, MD of Eximium Ltd

What lessons can be learnt by business owners from the events at Terminal 5?

Implementing a major change in your business can be a daunting time, and rightly so.  A lot more than your hopes for the future are pinned on it. The reputation of your business is also often at its mercy.
There are some key steps that you can take, particularly where any kind of technological change is concerned, to stop this kind of disaster occurring:

1. Planning is the glue that will hold everything together. Think carefully about how things are going to work and allow time to make sure everyone’s plans are going to be effective. It’s impossible to think of everything but too much change surfacing later on due to bad planning will cripple your project.

2. Good project management is the key, so find yourself an effective and creative project manager. Someone who will get their hands dirty and work with the team to sort things out when issues come up, not just collate everyone else’s actual effort and report it back to you once a week. And don’t believe them if they tell you they’ve brought every project they’ve done in on time and to budget, because general opinion is that over 95% of all business change projects have gone over on both, so they won’t be telling you the truth, and that’s a bad start to the arrangement. Better to find out what they did when things went wrong, and what strategies they employ to get back on track.

3. In these days of business reliance on computers, don’t forget that most business process changes mean you will need IT system changes, and vice versa. They go hand in hand and you need to ensure that they are dealt with as a concerted effort. If they don’t work together successfully, your project will be doomed to failure.

4. Don’t set dates too aggressively. Most things take longer than we expect them to and your project won’t be any different, so leave yourself some contingency to fix your unexpected issues - somewhere between 20 and 30 percent is normally a good place to start. Equally, costs normally overrun, because all those unexpected things will cost more, so allow plenty of contingency in your budget.

5. Make sure you know the real story about how things are going. People don’t like giving bad news, so no-one will want to tell you if it’s not looking good for your launch date. Often, it becomes exactly like the story of the emperor’s new clothes. You need to find a way to get to the truth, by showing them you really want to know what’s going on, won’t sack them if you hear bad news, and are prepared to do something about it. Also, try and find a key informer in the team, who you trust to give you the scoop, and keep in touch with them.

6. Use your team. Between them, they will have a lot of experience and knowledge, so put it to the best use by listening to what they have to say. If they think something might be wrong, you should pay attention and not ignore it, because they’re probably right.

7. Make sure you have a regular meeting with the key team members to review progress and any major risks and issues. Try and create an atmosphere of straight talk only, because that will help you get to the bottom of what problems might hold you back.

8. Equally, nothing can kill a project quicker than poor communication. Get an effective communications strategy in place early on, so that information can flow around the project team, and to you and your management team and back, with ease. As with everything, if everyone knows what they’re doing and why, you’ll have a greater chance of success.

9. A key part of any change project is controlled and thorough testing.  Changes to your processes and your systems need to be put through their paces at all the various points along the way, and by various people at each stage. Don’t skimp on testing, because it is essential to understanding whether your changes are going to work, and what unanticipated issues are hiding away.  Your business people should be involved in their own phase of testing, called User Acceptance Testing or UAT, where they confirm that the system and business processes are fit for purpose.

To get the maximum benefit, testing must be done in a controlled way (i.e. like a scientific experiment, with controlled inputs and pre-determined outputs). A lot of people say they are testing when they are just ‘trying it out’, which simply can’t prove it will work in all the key scenarios for your business.

Also, you must make sure that, as well as testing parts of your process and system changes in isolation, they are also going to be tested altogether, in an end-to-end way. That’s often when the really important and surprising results come out.

So check the testing strategy carefully to confirm that the testing is going to be controlled and thorough.

10. Once problems have been found in testing, make sure you and your senior business people are involved in making decisions on which ones need to be fixed and which could be ‘lived with’. Research suggests that it can cost up to 20 times more to fix problems after launch than if you fix them during the development process, so you need to think carefully before putting things off.

Equally, having too many workarounds can really hamper a business, and won’t help you sell the benefits of the change to your staff, suppliers or customers.

11. When you get right up against your launch date, have a thorough review of the situation. Get everyone in a room, tell them you want straight talk only, and find out if the project is ready or not. Get to the truth and pay attention to any concerns people have.

If it doesn’t sound like everything is ready, then put it off. But not for a week - nothing can be done in a week. Put it off for at least a month, longer if necessary. If it’s not ready, don’t be tempted to rush it in and ’see what happens’. Headlines are made out of those decisions, when it all comes crashing down, and it won’t be good PR for you. People won’t forget it easily, either, because anything negative sticks in people’s minds.

12. Don’t cut corners and compromise on quality. The best things take time and money to get right. If you skimp, you’ll get what you paid for, and you’ll simply pay the price later on sorting it out.

13. Allow for extra support cover when your project launches, as there will be problems. Anyone who tells you otherwise is lying. Put procedures in place that will help you identify, analyse and fix problems as soon as possible. And don’t be shy about admitting to your customers that you might have some teething problems. They’ll appreciate your honesty and give you some leeway. But, if you keep them in the dark, they’ll be spitting blood if things go bad for them.

14. Contract staff are great - we use them all the time. But don’t rely on them too heavily for your project. They’ll disappear when it’s all over, and the knowledge of what went on and why will disappear with them, so keep a healthy balance of permanent staff on the team - a 60/40 split in favour of your own people is the minimum I would recommend.

Change is always a difficult beast to manage, but if these internal procedures are in place, by the time you come to launch in public you should appear reliable, professional and in control. As BA may discover to their cost, getting it wrong in the outside world is an expensive business.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.


IT Advice, Bedfordshire

Derrick Cameron, MD of Eximium Ltd

Learn your lesson from Revenue and Customs to avoid a security meltdown

There have been shouts of ridicule at the recent security failings of Revenue and Customs (HMRC) which enabled the sensitive details of millions of child benefit recipients to get ‘lost’ somewhere within their postal service. But there is actually an important lesson to be learnt here. It’s easy to point the finger of blame with the benefit of hindsight, but it’s an episode which business owners would do well to view as a warning and learn from. Data is a valuable resource which can be easily lost or stolen if stringent security measures aren’t in place and actively enforced. The responsibility for making sure that this happens starts right at the top of your organisation, with you, explains Derrick Cameron, Managing Director of Eximium.

Businesses across the UK and the world have spent a lot of time and money ensuring that data is well secured within the virtual world of their computer systems with limited access, passwords, encryption etc. Organisations such as HMRC no doubt have rigorous procedures to protect the data while it is inside their computers – but information exists to be used, which automatically puts its security at risk. So what procedures do you have in place to ensure the protection of your data once the information leaves the security of its virtual world?

Protecting data on the move

Start by identifying all the potential ways that sensitive information could find its way out of your systems and your organisation, and make sure you have strict policies and safeguards to address any areas of risk. Ideally, different organisations’ systems should be able to talk to each other, so that passing data between them using an insecure medium such as CDs or flash drives is unnecessary. But for many companies, this is still some way in the future, so if this isn’t possible, at the very least you need to ensure that security procedures for the physical world are at least as stringent as those for the virtual world inside your computers.

When data is transferred between parties it is at its most vulnerable, so look at ways of making the transfer process as safe as it can possibly be. Electronic transmission methods such as SFTP (file transfer over an SSH connection), or a secure site-to-site connection using a leased line or a VPN (Virtual Private Network) over the Internet, are both preferable options: the data is encrypted while in transit, so it cannot be read by anyone who intercepts it. Remember that this only protects the data on the way; once it arrives it needs the same protection at the receiving end as it had at yours.

If you have no choice but to resort to using CDs or other removable media for the transfer of sensitive information, encrypt the contents and pass the key or password to the recipient by a separate route, so that a lost disk on its own is useless to whoever finds it. Don’t choose to use couriers or postal services unless absolutely necessary. It’s far more secure for an employee to hand deliver the media, making sure that it has reached the correct personnel at its destination. You also need to have a policy on what happens to the media once it has been used - ideally it should be returned to the source to be destroyed. Whilst this isn’t a foolproof method, it does enable you to track your data and ensure its safe return.

Don’t let your staff be your Achilles Heel

As appears to be the case with HMRC, many security breaches are committed by the people who work for you – often unwittingly. Equally, hacking and other deliberate attempts to access secure information often begin as an approach from someone trying to get sensitive information from an employee, using a confidence trick – known as social engineering. A social engineer may well pretend to work for your company and get an unsuspecting member of staff to reveal confidential information. For example, by pretending they work for your company’s IT section and asking for your employee’s password to confirm their login details are working. From here, the skilled social engineer may then be able to access your sensitive data however they want to, whenever they like – and all that information is now at risk.
However, there is something you can do to help prevent this happening in your organisation, and it is really quite simple: communication. It is often easy to assume that everyone who works within your company has the same understanding of data security as you do – but this is rarely the case. As the manager, owner or director of an organisation, it is your responsibility to ensure that those who work for you understand the what, why and how of data security.

Making policy practice

Your starting point should be a clear and practical data security policy which everyone is aware of, has read, understood and signed – even the cleaning staff. Put policy into practice and communicate the gravity of data security by making any violation a dismissible offence. Your staff must know which data is sensitive, why, and how to protect it. After all, if this isn’t made clear to your people, how can they be expected to ensure its security?

First and foremost, your staff need to understand why they must never give sensitive information out to anyone unless the proper procedure has been followed – unfortunately employees at HMRC have learnt this the hard way. In addition, if a third party does need access to data, make sure they only receive the information they need, and that any sensitive data is either encrypted, removed or disguised. In this case at Revenue and Customs, the National Audit Office didn’t actually need most of the sensitive information on the disks - like bank details - so this information was exposed to unnecessary risk. Further errors of judgment and common sense were revealed in the subsequent story of KPMG receiving copies of similar disks. In this instance, they requested only a fraction (1500 or so) of 25 million records that they were actually sent!

Keeping control over what people can access is vital: if someone needs to retrieve sensitive information, the safest choice is to give them a user ID and password which enables them to access the system directly. You can then control exactly what information they are able to see and what they can do with it. Similarly, if analysis of data is required, it is better for someone in your organisation to create a report that carries out the analysis, and send this to the third party rather than all the detailed information in the source database. The golden rule is to limit access to data so that people see only the information that they need – never expose sensitive data unless absolutely necessary.
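
As an added example of the ‘send a report, not the database’ principle (not from the original article, and not HMRC’s, the NAO’s or anyone else’s code), the block below builds the aggregate a recipient has asked for from an allow-listed subset of fields, refuses to package anything that still carries a sensitive field, and produces a SHA-256 checksum to be given to the recipient separately. The records, the field names and what the audit is assumed to need are all constructed for the example.

```python
import hashlib
import json

# Constructed sample extract: the shape a full claimant database might have.
# Every name, date and account number here is invented.
SAMPLE_RECORDS = [
    {"claimant_id": 1001, "name": "A. Example", "dob": "1975-03-04", "postcode": "LU1 1AA",
     "sort_code": "12-34-56", "account_no": "12345678", "children": 2, "weekly_pence": 3380},
    {"claimant_id": 1002, "name": "B. Example", "dob": "1981-11-19", "postcode": "LU1 2BB",
     "sort_code": "12-34-56", "account_no": "87654321", "children": 1, "weekly_pence": 1880},
    {"claimant_id": 1003, "name": "C. Example", "dob": "1969-06-30", "postcode": "MK40 3CC",
     "sort_code": "65-43-21", "account_no": "11223344", "children": 3, "weekly_pence": 4880},
]

# Assumed for the example: the auditor needs counts and totals per postcode
# area and nothing else. Bank details, names and dates of birth never leave.
AUDIT_FIELDS = ("claimant_id", "postcode", "children", "weekly_pence")
SENSITIVE_FIELDS = ("name", "dob", "sort_code", "account_no")


def minimise(record, allowed=AUDIT_FIELDS):
    """Allow-list projection. Anything not named is dropped, so a sensitive
    column added to the source later is excluded by default rather than
    leaking until someone remembers to block it."""
    return {k: record[k] for k in allowed if k in record}


def outward_code(postcode):
    """'LU1 1AA' -> 'LU1': coarse enough not to single out a household."""
    return postcode.split()[0]


def aggregate_report(records):
    """The report the recipient asked for, produced in-house, instead of the
    raw extract. Only minimised records are touched."""
    report = {}
    for rec in records:
        m = minimise(rec)
        area = report.setdefault(outward_code(m["postcode"]),
                                 {"claimants": 0, "children": 0, "weekly_pence": 0})
        area["claimants"] += 1
        area["children"] += m["children"]
        area["weekly_pence"] += m["weekly_pence"]
    return report


def sensitive_keys_present(obj, sensitive=SENSITIVE_FIELDS):
    """Release gate: walk the export, however deeply nested, and return any
    sensitive field names found. An empty set means it is safe to package."""
    found = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in sensitive:
                found.add(k)
            found |= sensitive_keys_present(v, sensitive)
    elif isinstance(obj, list):
        for v in obj:
            found |= sensitive_keys_present(v, sensitive)
    return found


def package_for_transfer(export):
    """Serialise deterministically and compute a SHA-256 that is told to the
    recipient out of band (phone, separate message). That lets them prove the
    file arrived intact; it does not hide the contents, so the disk or channel
    still needs encryption on top."""
    leaked = sensitive_keys_present(export)
    if leaked:
        raise ValueError(f"refusing to package export containing {sorted(leaked)}")
    body = json.dumps(export, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return body, hashlib.sha256(body).hexdigest()


def build_audit_package(records=SAMPLE_RECORDS):
    """End to end: minimise, aggregate, gate, package."""
    return package_for_transfer(aggregate_report(records))


if __name__ == "__main__":
    body, digest = build_audit_package()
    print(body.decode("utf-8"))
    print("sha256:", digest)
```

The gate in package_for_transfer is deliberately a second, independent check rather than relying on minimise alone: if someone later wires the raw extract into the packaging step by mistake, the release fails loudly instead of a full database going out the door.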

The faults in security at HMRC were many, and perhaps the most serious security breach was the fact that a junior member of staff was allowed access to extract a complete database of sensitive information, coupled with the fact that they were then allowed to put that unencrypted information in a packet and post it without any need for authorisation from a senior member of staff. Whether it was HMRC policy or practice at fault, or most likely a combination of both, the repercussions of this massive security breach will be felt for a long time to come. So learn from the mistakes of these embarrassed officials and make sure that you address these issues within your own organisation – or you could be next.

Derrick Cameron is Managing Director of Eximium Ltd, who specialise in helping businesses use their IT to solve their business headaches. He has been in the IT industry for 20 years. For further information or advice on the use of IT in your business, please see www.eximium.net or call 01582 635 078.
