Feeling Vulnerable? WannaCry?

“Proactive steps can be carried out to reduce vulnerability, aimed at negating negative business impact”

WannaCry ransomware was first reported on Friday the 12th May 2017. It quickly spread to more than 200,000 computers in over 150 countries and was headline news and continues to be topical in many discussions.

Hackers reportedly used classified information stolen from the National Security Agency to develop WannaCry ransomware that exploited a vulnerability in Microsoft Windows. The impact, both economic and social, is huge; estimates are still being tabulated but could run into the billions of dollars.

An important question raised is about the potential disruption of social and economic activities given the increasing dependency on IT systems for daily operations. Irrespective of whether one’s computer was infected by this ransomware or not, it is imperative to fix the identified vulnerability by applying the software patches available from Microsoft. For computers that were infected, the first step was to stop any further spreading by isolating the impacted computers, followed by restoration processes for the affected computers and data.

A key word that has emerged and should be highlighted is vulnerability. The attack vector in WannaCry was a vulnerability in Microsoft Windows desktop computer software. Software from other providers could be targeted too if there are inherent vulnerabilities in that software or its associated tools.

The question is: “How to minimize or eliminate vulnerabilities to avoid a potential attack and impact on business?”

In the case of WannaCry, the solution would have been to patch Windows software by applying updates from Microsoft before the vulnerability was exploited. Similarly, for any other software, regularly applying patches released by the providers reduces vulnerability.

But if one had not applied the patch, the focus would be on the recovery process. Because of the increased dependency on technology, it is important to have an effective recovery process in place. Again, in the case of WannaCry, those that did not have recovery plans in place may have been forced to pay the ransom.

To minimise “vulnerability”, below are four proactive steps that should be taken by every regular user of information technology:

- Deploy preventative measures: maintain software and use prevention and detection tools such as up-to-date antivirus software
- Build awareness through education and communication
- Continuity planning – for businesses, there has to be continuity planning against the various risks that could impact the business; back-up procedures form a large part of this
- Monitor and check – regularly testing these proactive steps and updating risk registers is key

Depending on the criticality of the use of IT, these proactive steps could be carried out in a way commensurate with the risk, either by internal IT organisations or by outsourced IT service management providers.

The challenge, and an important point for business leaders or business owners, is firstly in determining the level of risk and the proactive measures that can be afforded, and secondly in ensuring that those proactive and preventative measures are being undertaken as planned. Addressing these challenges as part of the overall organisational risk management process is a key step to avoiding surprises.

If you wish to find out more about how Accelerate Evolution can assist your organisation in building and managing effective cyber-defense mechanisms, please contact us on: information.technology@accelerateevolution.ae


Sustained success in an IT enabled business

“Ensuring that your technology enabled business, whether that be a budding start-up or a long established mature business, continues to deliver.”

by Charles Chirchir, 1st February 2017

Technology-enabled business initiatives are a common occurrence in today’s world. Examples include businesses that do all transactions online and use courier companies for fulfilment and, in the extreme, businesses where the entire service is online, such as travel or accommodation reservation and online training services. The setting up of the required technologies for such services is primarily business led, and the project team implementing the IT solution is thus strongly focused on the desired business functionality.

An organisation’s internal processes usually guide such undertakings and, depending on the level of maturity of those internal processes, the journey of bringing a new service into operation and resolving the issues that arise will have varying levels of structure.

In more mature organisations, new services typically transition from a project team to an operations team skilled in running services. Such organisations will have in place structures to categorise work into the various stages of strategy, design, transition and operations.

In start-up ventures, or organisations that are in early phases of maturity, the work is done by small teams, often made up of one or two individuals, who due to pressure may not rigorously categorise work into these stages. Teams involved in such projects are usually made up of deeply integrated entrepreneurial, business management and IT resources working together going through intense periods focussed on customer satisfaction.

During the early life cycle of such a project, the team resolves any arising issues with a laser-like focus on speed and immediate problem solving, whilst simultaneously providing ongoing input and support to non-customer-facing areas of the business.

Business growth in start-ups, when successful, is often exponential, as explained by Rogers’ Diffusion Theory (depicted below), resulting in an increase in demand on IT services:

Figure: Rogers Diffusion Theory

Exponential growth and the addition of features to grow the business offering, operating platform updates and upgrades, technology-related incidents, requests related to daily operations, and the need for better-managed IT to minimise business risk all begin to add up, and scalability becomes key to survival.

To aid a managed and relatively painless transition from start-up mode to full commercialization and a sustainable service offering, it is imperative to pay attention to two aspects of any service: ‘Service Utility’ and ‘Warranty’.

Utility typically refers to the function or feature that the business wishes to perform, for example process an order, or communicate an offering to clientele. Warranty is everything else that needs to be done to make the service usable, secure and responsive.

Warranty processes ensure that the service performs as anticipated and, more importantly, address the questions of additional capacity to meet an oftentimes exponential increase in usage, action to ensure continuity in the event of disruption, availability at the stipulated hours of business, and security. In a start-up, a service may have been dimensioned to meet anticipated demand; as the business grows, both aspects of the service, utility and warranty, will need to scale up to maintain the same quality of service. A disciplined approach to scaling up the IT service, avoiding disruption of business operations that could lead to loss of reputation and subsequently of customers due to poor service, will enable the business to optimise its investment in IT.

For a growing and innovating business, structured management of IT will ensure:

– Service delivery within targeted, required and agreed-to service levels
– Prioritisation of demand
– An IT investment strategy to support growth in line with the business strategy and performance
– Visibility of utilisation and service levels internally but, more importantly, from a customer’s viewpoint

As organisations mature, some of the initial assumptions or strategies may have changed, and organic growth and solutions that served certain business functions could be consolidated or shared. The drivers in such organisations may include:

– Cost avoidance and savings – cash allocated can be saved or reduced
– Higher IT productivity – increased productivity leads to reduced IT costs
– Increased business productivity – resulting from higher-quality IT services

Examples of outcomes of such interventions include:

– Avoidance of the high cost of redundant infrastructure investments
– Reduction of cost through idle capacity identification and re-allocation
– Identifying vendor credits and rebates
– Saving money on IT infrastructure maintenance renewals
– Proactive performance or capacity problem forecasting
– Increased network uptime and its associated increase in user productivity

What is critically important for any business leader is to recognise and apply intervention measures at the right time and maturity of the business, for IT to continue to be a catalyst in creating value either as the business grows or during maturity.


Accelerate Evolution is well-positioned to assist organizations at different levels of maturity, from start-ups through to businesses with established processes and procedures, in that determination.

We offer advisory services identifying appropriate measures to be taken to mitigate IT risk, allowing IT-enabled client organizations to scale up rapidly and respond swiftly and effectively to increased customer demand.

Contact us on information.technology@accelerateevolution.ae to discuss how we can help your technology-enabled business build and maintain a sustainable IT platform that continues to support your growing business.

Governance of Enterprise IT – from the Pain Points to the Business Case

“The practice of good governance provides the direction required to achieve desired outcomes”

From the pain points and triggers identified and their possible damage to or impact upon the organisation, a business case can be built for the implementation of Governance of Enterprise IT.

by Charles Chirchir, 16th November 2016

In today’s highly interconnected and technology-enabled world, organisations are rapidly realizing that their digital presence and their ability to protect critical functions and information are as important to their ability to remain competitive as the products and services they produce.

Further, there are multiple frameworks (security, privacy, compliance, risk, etc.) seeking to address, direct and monitor optimization in support of these bleeding-edge business drivers.

The question is, how do organisations determine the following:

– The extent to which their business goals are dependent on technology?

– That the enterprise’s technology resources are effectively utilised to realise business goals?

– Alternatives that the enterprise could use to make them nimbler, more agile or better equipped to respond to market pressures or customer demand?

– That the technology they have in place is providing value and realising the expected return on investment?

Systematically answering these and other related questions will bring many benefits, among them more effective and efficient use of resources, greater control, and overall better strategic alignment and risk management.

Governance of Enterprise IT (GEIT) is an industry practice that is rapidly gaining adoption to systematically address the above questions. The need for GEIT is usually recognised because of pain points such as:

– Failed initiatives, rising costs of IT and a perception of low business value

– Significant incidents related to IT risk and security, e.g. data loss or project failure

– Service delivery problems by outsourced providers

– Failure to meet regulatory or contractual requirements

– Audit findings for poor IT performance or low service levels

– Hidden and/or rogue IT spending

– Resource waste through duplication and overlap in IT initiatives

– Insufficient IT resources, inadequate skills, or staff burnout or dissatisfaction

– Multiple and complex IT assurance efforts

– Reluctance of board members or senior managers to engage with IT

Trigger events are a second set of factors that signify an improvement opportunity; some examples of trigger events are:

– Merger, acquisition or divestiture

– Shift in the market, economy or competitive position

– Change in the business operating model or sourcing arrangement

– New regulatory or compliance requirement, or a new business strategy

– Significant technology change or paradigm shift

– External audit or consultant assessment

From the pain points and/or triggers identified, and their possible damage to or impact upon the organisation, a business case can be built for the implementation of Governance of Enterprise IT; a business case developed on this basis sets a foundation from which the desired end state can be achieved.

To find out more about how Accelerate Evolution can help your organization to design and implement a successful Enterprise Information Technology Governance structure, contact us.

Partially republished from “A Primer for Implementing Governance of Enterprise IT” (ISACA, 2016)