Making it harder to steal your data - but will the auditors trust it?

Customers want their data to be secure, firms don't want to be liable for the financial and brand damage due to lost client data, and governments are pushing in new regulations to tighten privacy and security policies in businesses. For once, the standards bodies seem to be keeping up, more or less, with the needs of the industry, helping to clarify once and for all the use of more advanced security technologies and their legal aspects. For example, if a firm encrypts data making it hard to get at by unauthorized people, how are the auditors, who are used to unrestricted access to everything going to respond?

The new set of standards from the Payment Card Industry Data Security Standards (PCI DSS) is expected to be released in October 2010 by the PCI Security Standards Council. A Thales press release discusses some related research on the impact of the changes, in a survey sponsored by them.

The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available in this newly released report, sponsored by Thales entitled: PCI DSS Tends 2010: QSA Business Report. The report can be downloaded at www.thalesgroup.com/iss

"Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity," says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.

Encryption and electronic signatures are technologies that are well within the reach of companies handling client data, payment transactions, sensitive information and the need to prove non-repudiation of agreements and contracts. The approaches to implement the technology still need a little wiring to get them to work, though we are seeing solutions from companies like Thales, and the vendors we expect to see at Finovate on May 11th, that are making this easier.

Now it just needs clear, unambiguous judgments on the use of these technologies at the level of compliance, audit and legal to say once and for all that a well implemented system of a certain design, with appropriate management, will satisfy the courts and the regulators the way paper, a signature and a locked safe once would. The new PCI standards help, but there is still a long way to go.

A post from the Improving It blog

Your browser preference won't keep you safe

The Zeus Trojan, a nasty piece of malware has been rewritten to target users of the Firefox browser. With an estimated 30% market share, Firefox was the natural next step for the trojan writers to target, after getting such 'great' results attacking Internet Explorer. The fraudulent financial success for the trojan has been its ability to perform online banking transactions within the user's browser directly through the real website, rather than having to try and compromise banking security in some other way.

So one of the options for protecting yourself from this nasty piece of software has been removed. Previously, your easiest option was to avoid using Internet Explorer for online banking, instead using one of the major competitors out there: Firefox, Chrome, Safari or Opera (yes, I know there are other browsers, though most regular computer users are probably not going to use them).

As I discussed in Protecting online bank accounts - is there an app for that?, another option may be the use of a browser that resets itself to its initial installation after each use - a common implementation of this being delivered as a virtual machine appliance that saves no data or changes, running a whole operating system and browser within your PC to simulate a fresh, new install every time. For a while VMWare was pushing an appliance to do this, although I don't see it now. The advantage of this is obvious: even if a trojan does make it to your browser VM, the next time you run the machine will have reset itself to 'pre-trojan' state, so your risk of anything bad happening is much reduced.

What other options are there? As suggested by some, a completely separate, secure hardware device may be an option. A cut down netbook style PC that is limited to only your online banking account, though I see this being less cost effective and only equivalent in security to a virtual machine.

Another alternative is an application written for the native operating system, making it easier to lock down and harder to subvert than a browser, which by design has to be open to developer 'hacks'. Or, we could all jump in bed with Apple and their highly restrictive software practices, to use only online banking applications on the iPhone or iPad.

Wherever we go with online banking security, the current approach to blaming Microsoft for our woes is not going to continue to work. The writers of trojans that perform fraudulent transactions for criminal money-making do not have a care which businesses or organizations they damage along the way, so open-source and Microsoft are equally fair game if the opportunities are there to extract cash out of unsuspecting consumers.

A post from the Improving It blog

FinovateSpring 2010

I'm started to get excited for the Finovate Spring 2010 event in San Francisco. As the organizers put it:

On Tuesday May 11 in San Francisco, FinovateSpring 2010 will again showcase the most cutting-edge financial and banking technology innovations to Silicon Valley and the world.

With Finovate's signature mix of short, fast-paced onstage demos (no slides allowed) from handpicked companies and intimate networking time with their executives, this conference packs a ton of unique value into a single day.

The format of these type of events provides for a great energy. Great presenters, overstuffed on Red Bull and product hype put on a show that tries to appeal to the crowd and their specific target audience. And the audience gets a great opportunity to see what is hot in the financial services technology space.

The companies presenting are already putting a lot of time and effort into building the most compelling demonstrations, tuning their messages, and making sure that this investment in time converts to getting investors, customers and the press interested in their products.

For me, it is the range of products is what makes this event the most interesting. There are a bunch of electronic payment solutions, consumer focused sites for 'financial planning', and even some of the back-office systems providers. I am hoping to get the chance to chat to many of the presenters, while I attempt to blog live from the event (only if my brain and fingers decide to cooperate). So if you would like to catch up with me while I'm there, drop me a note.

If you are interested, the companies presenting are:

Backbase bill.com Billeo Bobber Check Point Continuity Control Controlabill Cortera Cross Commerce Media DebtGoal eRollover Expensify

Fiserv FTRANS The Garland Group Ideon Jemstep Kabbage Liqpay.com MoneyAisle MPOWER Ventures oFlows Pageonce Point of Wealth Systems

SafetyPay Segmint Silver Tail Systems SmartCredit.com TransUnion Interactive TSYS UBank Visa Wikinvest WorkLight

A post from the Improving It blog

I am not a number - unless I trade $20M a day

As the SEC proposes a new trading system that requires individuals or firms to register and receive a trader identification number if they plan to trade more than $20 million or 2 million shares per day. The aim is to allow better tracking of the activities of individuals and firms. In doing so, the SEC is reinforcing the concept that an client's activities are reflected by their overall actions, not just the transactions in a single account. This is not always the way securities firms view, or have viewed their clients.

Of course, at a fundamental level the transactions within an account are what are of most interest to a firm. The account defines what a client can do, what their limits are, and what stock they hold. But from a compliance and risk level, surely it is the health and overall activity of a client that makes more sense. If a client is close to bankruptcy, it may only be the aggregate of all accounts that indicates this, rather than any one item. If there is a risk of insider dealing, perhaps it is only the spread of transactions across accounts that would give this away. Clients with seriously nefarious intentions are unlikely to be dumb enough to not try and obscure what they are doing, and spreading activity across accounts in firms that don't pay close attention may allow them to do this.

Even at a day to day level, having a single view of a client is better than a per-account view. It allows simplified compliance around proof of identity, it allows better opportunities to advise the client well and holistically, and it shows that you really know your customer, not just the stove-piped accounts they hold.

Will the SEC's proposal really help them identify dodgy-dealing? Maybe, or maybe not. But if the SEC can have a single view of a trader, perhaps it is time for the firms executing their instructions for trading to do the same.

A post from the Improving It blog

Reporting processes - scary stuff

My excuse for my recent blogging hiatus is that I was kicking off a project (or three) with a new client - a securities firm in Vancouver. Rather than spend time expelling ideas, it was time for me to sit, listen and learn. It seems that deluge of incoming information in one direction stopped too much coming back out in the form of this blog. So now that we are all refreshed, its time for me to restart the outpourings - with a thought or two on 'reports'. Hmm, interesting stuff, all those numbers printed on pages of paper - I can't wait to hear (you might be saying to yourself with a forced smile). Hold on though...

In previous lives I have worked directly with electronic reports management tools, either selling, implementing or defining a strategy for the product. Although essential in an ECM vendor's stack, the tools rarely got much attention despite the obvious benefits they could offer customers:

1. Reduce costs printing and storing paper reports
2. Simplify the distribution of reports to consumers of the information
3. Secure notes and reviews of the reports, with a far more effective audit trail

These are just three of the many advantages that can be seen from diverting the flow of reports from real printers to a virtual printing environment that generates an on-screen representation of the original data. There are many other clever features of electronic reports management that allow the reports to be split up automatically based on text on certain pages, and indexed so that a quick database search could pull a specific piece of information (such as a customer statement) from the thousand upon thousands of pages collected each print run over the years (you've seen this with the pretty PDFs of your credit card statement online). But what happens when the report is just that - a report?

As I have been seeing on my travels, the reports generated for back office operations are often not a print-stream from a mainframe that really represents documents such as statements going to customers. They actually live up to their name and are just what they claim to be - reports: a point in time snapshot of data. Examples are: the commissions owed to your agents; the trades made in the previous 24 hours; the status of credit on customer accounts for the last week. From an audit or regulatory standpoint, these snapshots show you are paying attention to your business in a way that a dynamic query of your database can not (things change in databases, therefore generating a realistic point-in-time snapshot is often hard, ineffective or inaccurate).

Storing these reports is easy enough. Replicating what some of them are used for in the business is harder. As I have seen, it takes a real technical accountant to review a securities trading report, ensuring that there are not exceptions or compliance issues. The markups these professionals make in the review process are hieroglyphics to the untrained eye, and essential evidence to the regulators. This is something that traditional reports management software would struggle to handle - allowing someone to rapidly and naturally mark up a report in 5 hours over the course of a day.

Why do I tell you this? Because the obvious technology approaches do not fit every requirement once you really take a look at the issues. Reports management tools will not solve all the issues with real reports. I don't have an answer today. One proposal is to implement more automated solutions for spotting exceptions and helping the technical accountants work more on those exceptions than the 99.9% of things that aren't issues. But that's a challenge for somebody else. For the next week or two, those reports are going to get printed, marked up and stored with paper-cuts included.

My excuse for a blogging hiatus is over. The one way valve is broken, and information is ready to flow both ways again. Watch out!

A post from the Improving It blog

Improving processes as companies merge

Mergers and acquisitions can lead to chaos at the best of times, with inconsistent processes and un-integrated teams. Can business process management (BPM) or general workflow automation help in M&A related organizational integrations, or is it just money being thrown into an inferno of change?

BPM marketing often uses words like 'agility' when describing how your processes can be adapted to respond to change. Agility implies an ability to dodge new requirements and keep ahead of the chasing threats, all requiring constant attention from Management to work. I prefer a process improvement solution that is 'flexible' and can absorb the impact of unexpected actions and requirements, automatically taking on the new shape required by a rapidly changing organization.

In a chaotic organization, there is the temptation to avoid process improvement, since it is too much to handle and things are changing too fast. Despite this, bringing structure to the processes that enable a company to operate is essential, whether there is chaos surrounding them or not. With a strong starting point, a department can not only run its own operations better, it can start to influence the organizations with which it interacts. In an M&A scenario, having a solid base of process can make it more appealing to retain that backbone of operations in the new organization, rather than defaulting to the typical political decisions for what stays and what goes.

The problem is that traditional BPM takes a significant time and investment to implement, which is rarely a possibility when approaching M&A. A better approach may be instead to consider a 'quick and dirty' fix to the key processes that will be interacting with the new organization, in the knowledge that everything will change anyway. To be successful, the 'quick and dirty' approach needs to also be flexible (that word again), to adapt to the constant change around it, rather than just collapsing by being too brittle.

Picking the right technical products to build your solution is one part of it. Collaborative technologies, like wikis are great for sharing information in a loose team with minimal effort, but they don't help reinforce processes that require repeatable operations and decisions. Business rules management may be better for processes that rely on complex decisions that must evolve over time, where the end-to-end process is limited in length. BPM is fine where there is rigidity and constant repeatability required and you have time to put it together. Software as a Service (SaaS) or prebuilt solutions running in the cloud can help to get things up and running faster.

I think that companies need a combination of all of these, even when they are not in the chaos of M&A. And rapidly built solutions using flexible blended applications may not be a bad approach to follow.

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com

Electronic Health Records - pick your regulator

How can I grow my sphere of influence, and therefore my budget? Is that what some government agencies are thinking when it comes to electronic health records (sometimes referred to as EHR) in the US? I agree that it is important that there is oversight to ensure that individual health information is protected -- without it, we could end up in a free-for-all of litigation and hurried legislation. Though as an over-simplification, its not like the storage of a person's health data is not already electronic in major hospitals, or that they can't share information between them, electronic or otherwise. The e-health records debate seems to think it is blazing new ground, when really it seems there is a large foundation to start with.

Anthony Guerra on InformationWeek Healthcare discusses some of the issues and the challenges around bringing in an agency such as the FDA. I should avoid the politics, and instead focus at the key issues that need to be covered:

• Setting standards for privacy and security of health information
• Providing a control framework around the different transactions and business processes related to health data
• Setting standards for availability of data (including disaster recovery, business continuity and even escrow scenarios), to ensure 100,000 health records don't just go 'offline'
• Identifying and enforcing the quality of information, and highlighting substandard information for future clean-up, or at least careful scrutiny at the time of use
• Providing a way to identify the experience and expertise of doctors adding information to a file, to enable the validity of data to be easily identified
• Developing a framework for better sharing of only relevant information with different consumers
• Enabling anonymous data mining by researchers
• Setting boundaries for insurer access to information, especially in organizations where insurance and delivery of health services fall under a single corporate umbrella
• Managing the certification of systems
• Handling issues and failures in controls and security

The reality of the situation is that there is much more to electronic health records than just privacy and security. Once records are available, the many transactions and processes associated with them, some old (create a new patient, add an event to the history) and some new (handle a request for access to information, transfer custody of records to another organization), will start to fall under the same banner. It is a times like this that the FDA, with its history of managing the processes and controls of drug approvals, can offer some good background. There are times when other organizations are more used to working in the actual environment of health care providers.

There are challenges around formalizing the new 21st century approach to health records, but I wonder how long we should see the Office of the National Coordinator for Health IT (ONC), FDA Centers for Medicare and Medicaid Services (CMS) and others getting dragged in and out of the frame for being the 'regulator'. What is needed is someone who can coordinate the formulation of best practices from inside and outside the industry into a meaningful and less than 600 page definition that can be followed by software vendors, systems integrators and health information consumers alike. Then we can decide who should police it.

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com

Once upon a time we called it 'collaboration'

There has been a big rise by the business process management (BPM) software vendors to get in on the 'social' game. As people become more comfortable with using Twitter and Facebook than they do Word and Excel, a new tag has appeared: Social BPM. My argument is that, once upon a time this was called 'collaboration' and the big software vendors (Documentum/EMC, Vignette, etc) did it.

Collaboration software was about helping teams of people, typically on projects or with a need to share information to get a job done, to set up 'collaboration spaces' or 'team rooms'. There was not a lot of process enforcement, because the workflow capabilities of the products were limited and the aim was to focus on ad-hoc collaboration of people, rather than strict process flows.

This lack of process management was probably a shortcoming, since companies grew able to share information online easily, but still struggled to put some structure around the work that was done. And maybe collaboration's demise was due to the name 'collaboration'. A guy I worked with at Vignette, Casey Conner wrote a book with Christine Lambden called the Consulting Stance. It contains many thoughts about how consultants communicate, and if I have remembered well, there is a story about how a consultant failed for a day to communicate with a team in Europe about the value of collaboration - a 'collaborator' still carries negative connotations for many Europeans brought up around the time of the World War II.

Even if collaboration software just died because its marketing showed limiting insight, and its technology missed the mark a little on what businesses really needed to improve the way they work. Social BPM is a land-grab by BPM vendors to help them reclaim some flexibility in their otherwise fixed, rigid product sets. Companies wanting to improve should also search for solutions offering other capabilities such as workflow management, and rapid process improvement when going out to look for solutions on Google. Social BPM has appeared on my website, but its not there to try and charge companies enterprise software prices for common 'social' software capabilities.

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com

Banks - win a credit card dispute and lose brand integrity

Many of my discussions are about how financial institutions can improve their processes to serve customers better, improve their brand and reduce costs. It seems that during tough times, and when customers are at their lowest, banks are playing tough, and forgetting that all the improvements in processes are worthless if you kick a customer when he is down. Fraud cases, and unexplained transactions on credit or debit cards are one of these areas when a customer feels exposes and the actions of a bank can make a huge difference in whether the customer stays or goes. I talked about how business account holders in the US are suffering this at the moment. It seems that personal account holders in the UK are seeing nasty dispute resolution tactics being employed as well.

The Light Blue Touchpaper blog by Ross Anderson of Security Research, University of Cambridge, describes how his recent experiences show banks are pushing customers to the courts to resolve issues (a summary of the post is on the Finextra blog). In Ross's experience, the process used by banks to try and resolve dispute cases appears to be designed not from the point of view of efficiency or speed of processing, but in fact to put as many hurdles in the way of the customer as possible. The hope appears to be that the customer will eventually just back off, pay the charge, and the bank can save some money. As I've discussed in the past, one in five cases of customers suffering identity theft switches banks. I bet that significantly higher percentages switch banks when they feel their bank is trying to avoid its obligations to handle disputed transactions.

Ross walks us through his experiences with dispute resolution at NatWest bank in the UK, when several months in, the bank shows its true colors - effectively saying, 'we delayed you so long by only responding to one piece of correspondence per month, now you are out of time':

The following month they wrote back saying that “we are governed by MasterCard International, who are the governing body for credit card transactions” and had to abide by their rules, under which our complaint was now out of time. This is nonsense on stilts; my contract is with the bank, who may not debit my account without my mandate, and if the bank enters into a contract with MasterCard that prevents it from discharging its obligations to me then that’s the bank’s problem, not mine. The bank suggested i get legal advice, or go to the Citizens’ Advice Bureau, Local Trading Standards or the Financial Ombudsman Service. Now I documented the failings of the Ombudsman in an earlier post, so I decided to go straight to the heart of the matter and sue the bank in the small claims court.

The bank settled at once.

From the bank's perspective, they probably find that the majority of customers just roll over at this point. The processes, designed to be as efficiently ineffective as possible, just lead people to give in. As Ross goes on to say:

This may be entirely rational behaviour on the bank’s part. If it can fob off most complainants with tiresome call-centre procedures, or tell them they’re out of time, or pass them off on Citizen’s Advice, then it will only have to refund the minority who ignore this flummery and go to court. Even then, the bank only has to pay an extra £25 for the court fee.

I have experience similar delay tactics, admittedly several years ago, from a bank reporting an odd Visa transaction. Their handling of the situation was not much better, although eventually they had no option but to pay the fee since the receipt they produced did not have my signature, or (since this was while I was in a country that insisted you write ID or passport numbers on credit card slips) a passport number that even matched my nationality. It would have taken someone in the back-office less than two minutes to resolve the issue without ever getting me involved for months. They failed, and thoroughly annoyed me.

If you are brought in to look at the metrics for dispute resolution, I wonder if you just count the amount of cash paid out as a key performance indicator, or the number of customers that switch banks and subsequently flame your brand online due to their experience. And which costs more? For the financial institutions I have worked with, they claim the cost of customer acquisition is hundreds of dollars or pounds, so it is hard to see why you would work so hard to avoid paying a small disputed transaction. I would love to see evidence where a very different approach that tried to resolve issues effectively and rapidly could leave a customer that is happy with the professionalism, customer service and integrity of the bank. Anyone wish to share their positive experiences?

A well organized department of a bank will do what is necessary to raise their game to meet whatever targets they are set. If those targets incorrectly (in my opinion) exclusively aim to reduce dispute payments, rather than balancing that with customer service and brand integrity, it is no surprise that we will see more use of legal threats to get issues resolved. I am looking forward to seeing the UK newspapers (please save them for this reason alone) picking the worst corporate offenders to strip down in public, as they tend to do so well. Profits do not come from saved disputes -- they come from happy, profitable customers.

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com

Reputation? What reputation?

In an online world, your reputation is based on feedback from many sources. A positive recommendation from a named contact on LinkedIn can be wiped out by a scathing attack by an anonymous commenter on a blog or Yelp, even though there is no way to substantiate the truth behind the words. The question from Michael Arrington on TechCrunch is whether we need to evolve to ignore the bad comments that we can do nothing about, since these anonymous sources of bitterness vented on the Web are only likely to become more common and pervasive.

As the article says, most normal people have skeletons in their closet (whether one person considers something a skeleton when another doesn't is part of the issue here), so if everybody's dirty laundry is aired online our common acceptance of being human and therefore imperfect is lowered to a level of reality and acceptance, rather than a more typical 'nose in the air' hypocrisy

So what will matter? Hard proof of being a bad person. Criminal records. Non-anonymous and clear statements of wrong doing that need to be addressed. Perhaps a picture of you actually committing a violent felony. That kind of thing.

But the nonsense we’re all worried about today? I just don’t think it will carry the same weight in a few years. Because if there are pictures of the person hiring you smoking pot in college online, and there are pictures of every other candidate smoking pot in college online, it just won’t be a big deal any more.

It sounds like its going to be a painful ride for anyone trying to defend a personal or corporate reputation. Your reputation needs to become more weighted towards your current actions and successes, than what you were doing half your life ago in college. We might even see political elections start to focus on candidate's abilities, rather than mudslinging around the realities of life. Although it has to be said that European politics and media has always been more forgiving of the occasional fling by a politician than the US system, especially if the story is more interesting than reality TV for a moment or two.

It seems that with the planned release of a new Yelp for people, that there may be no option but for us to accept that our reputations are going to be trashed and there is no point in fighting it:

And it’s about to get a lot worse. Next week a startup is launching that’s effectively Yelp for people (look for our coverage in a few days). If someone has something good or bad to say about you, they’ll be able to do it anonymously and with very little potential legal or social fallout.

But something tells me this new service, or some other one, might succeed where the others have failed. We’re primed and ready now and have lots of experience publishing all those random opinions about people and things on Twitter, Yelp and Facebook already. It’s time for a centralized, well organized place for anonymous mass defamation on the Internet. Scary? Yes. But it’s coming nonetheless.

The best defense? Offense! People and companies will need to leverage the power of social networks to ensure that they have built up enough good karma online, and keep it fresh and recent, to push the anonymous rants to the bottom of the Google searches. It won't go away, but keeping the bad stuff seemingly irrelevant in a mass of glowing, or even largely dull feedback, will become really important. And the good karma won't continue to come from paying PR agencies to generate more meaningless words about you: people and companies will need to actually do some good stuff for their communities and the world at large.

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com