Management and strategic issues for IT leaders, by Computing Business editor Mark Samuels

Tuesday, 15 July 2008

Cloud computing increases need for IT security

Gartner is just loving cloud computing at the moment. The analyst has released quite a bit of information about the potential for cloud-based services during the last couple of weeks.

Today's slab of research from Gartner suggests security applications delivered through the cloud will have a 'dramatic impact' on the industry:

  • In messaging security controls, such as malware and spam detection/exclusion for e-mail and instant messaging, cloud-based services account for 20 per cent of revenue in 2008
  • By 2013, cloud-based services in messaging security controls will account for 60 per cent of revenue

The increased use of cloud-based services, such as salesforce.com or Google Apps, means users will be accessing data without traversing the corporate network - and will increase the need for security controls between users and the cloud, says Gartner principal analyst Kelly Kavanagh:

"It also will allow security technologies and techniques that are cost-effective to be used only with cloud-style computing. The massively scalable resources provided through the cloud also will be available to people who develop attacks that require intense processing, pursue cloud providers, or both."

Want to contact the writer? Email Mark Samuels

Monday, 30 June 2008

Outsourcing makes you vulnerable to hackers

More than 60 per cent of IT professionals believe outsourcing code increases the likelihood of hacking. In fact, 55 per cent believe it is far safer to write programs internally, according to a survey from Fortify Software.

Which is fine - but you can only write code internally if you haven't already outsourced most of your IT department. And with increasing amounts of grunt work - such as development and testing - being outsourced, IT professionals can only do so much internal work.

In fact, the survey suggests as many as a quarter of companies outsource application development, but do not specify security processes or technologies to ensure the security of outsourced applications.

So, the firms are probably asking for trouble - especially as the survey also suggests as many as 81 per cent of companies believe their systems are vulnerable to hacking.

Thursday, 12 June 2008

Take a risk on innovation and you might just win

How do you feel about risk? Is it something you embrace or something you try to mitigate? Chances are you fall into the second category. If you do, you are not alone: it would be fair to say a large majority of UK professionals are risk-averse.

Economic conditions certainly do not help. The continuing credit crunch has made individuals and businesses think twice before investing. But there is more to risk aversion than the prevailing fiscal situation. In short, people are scared to fail.

I recently overheard two IT executives chatting outside an office in central London and one businessman said to his associate: “Thanks for taking a non risk-averse approach.”

I guess he was pleased his partner had decided to back his initiative. In fact, what he really meant was: “Thanks for taking a risk.”

The desire to win at all costs - or rather, to avoid coming second - means UK professionals increasingly take the safe approach. Such an approach would be understandable if risk was well defined. But many struggle to comprehend what risk actually means.

Computing’s monthly supplement Computing Business recently hosted a chief information officer roundtable that examined the challenges of risk management.

There was a lot of best practice advice for controlling risk, such as improving training, increasing board awareness and taking responsibility at work.

But while implementing the right processes was seen as a given, participants were also concerned that individuals often fail to quantify risk. And as one concluded, it is impossible to manage risk if you do not understand which areas you should be prioritising.

So what is risk? And when is taking a risk appropriate? Those at the roundtable seemed to think it was crucial to create a careful balance between ground-breaking IT and business costs.

More specifically, it was seen as crucial to not add too much control for fear of stifling innovation. Risk is all about proceeding with care. But it is certainly not about avoiding danger at all costs.

Because being prepared to risk coming second might actually result in you winning the race.

Wednesday, 11 June 2008

Lack of retail security is a touch thoughtless

I went to a high street retailer at lunch time. Not for work, for pleasure - if buying socks for your daughter can be described as pleasure.

Off the side of the stair well on the first floor of the shop is an office (apologies if this sounds like a hackneyed plot to an adventure story). The office is closed to the public, but a window to the outside world shows all-comers the contents of the room.

And in the room is a whiteboard that describes in detail how much money the shop made from sales last week. Nice lack of security, I thought - and certainly an interesting read. But why the openness? Here are some possibilities:

  1. The retailer wants its customers to know how much they are spending/wasting
  2. The retailer is attempting to regularly remind employees about how much they should be making
  3. The retailer is trying to boast to rivals about how much money it is making
  4. The retailer is thoughtless

Monday, 09 June 2008

Social networking spam relies on email

Potentially good news for email users - spammers are now concentrating on a range of other communication channels, too. The bad news is that spammers are combining those channels with the old one - email - to increase spam on social networks.

Research from messaging specialist Cloudmark and researcher Harris Interactive suggests spam is now clogging social networks and creating a potential barrier to further growth.

More than four in five social networking site users (83 per cent) have received spam “friend” invitations, messages or postings on their account during the past twelve months.

The problem is apparently severe enough for two-thirds (66 per cent) of users to say they would be somewhat likely to switch to another social network.

The research suggests the qualities that make social networks successful – the wide variety of communication channels, the openness of the networks and the size of the audience – are powerful lures for spammers and hackers. The survey also suggests that:

  • The majority (80 per cent) of social network users are at least somewhat concerned about spam, phishing and virus attacks on their social or professional network account
  • Many users (37 per cent) have noticed an increase in the number of unwanted messages they have received in the last six months
  • Nearly one in five users (17 per cent) say the increase has been significant
  • On average, users have reported receiving 64 spam “friend” invitations, messages or postings in the last 12 months

Tuesday, 13 May 2008

Growing risk of litigation threatens IT innovation

The growing pressure associated with regulatory compliance is one thing - the increasing risk of litigation is another issue altogether. And insurance specialist Lloyd's suggests businesses could be facing a future liability crisis if they do not face up to growing litigation issues.

One significant impact of the growing threat of liability is that many firms are becoming increasingly risk-averse. Such risk aversion is likely to stifle innovation - the last thing the IT director needs as he or she attempts to find project funding during the credit crunch.

The research from Lloyd's reveals there is a growing concern among business leaders about the rise of a US-style compensation culture in Europe. IT directors should note that advances in technology and the increasing requirements of corporate governance are particular concerns for the business:

"Shareholder activism is on the rise and a complex operating environment and new legislation serves to increase risks further. An increase in litigation and the fear of potential liability issues is impacting customers through a rise in the cost of products and services and also stifling risk-taking amongst boards who are missing out on new opportunities," says chairman of Lloyd’s Lord Levene, in response to the research findings.

Key findings from the Lloyd's survey include:

  • Two thirds of European business leaders expect to spend more time on litigation-related issues over the next three years
  • Thirty-nine per cent expect the growing risk of litigation to increase the cost of their products and services, and stifle risk-taking during the next three years
  • Over half of all business leaders believe a US-style compensation culture is spreading in Europe and Asia
  • Two in three business leaders believe the scale of liability claims arising from the credit crunch will exceed claims arising from the dot com crash
  • Boards particularly fear future liability issues arising from advances in technology, environmental damage and corporate governance

Further information on the Lloyd's report can be found here: Directors in the Dock - is business facing a liability crisis?

Tuesday, 06 May 2008

How can you make money from social networking?

Everyone is doing it, but no-one is allowed to do it at work. What are we talking about? Social networking, the addictive habit of the UK masses. Researcher Datamonitor says Britain has the highest membership of social networking sites in Europe.

Continent-wide, usage is predicted to more than double from 41.7 million to 107.4 million. But at the same time, companies remain sceptical about the benefits of social software, with 32 per cent of firms now choosing to block social networking sites, according to ScanSafe.

Time to wake up, says analyst Gartner, which suggests retailers, in particular, need to be more open to social networking - possibly by creating a social community to gather feedback, or a marketing presence on large social networks.

The analyst has compiled ten tips for retailers considering a social network, summarised below (for the full list, visit Gartner).

  1. There are Social Sites, and Then There are Social Platforms - Social sites can include features such as discussion forums and consumer reviews. A social platform is a large public site that enables users to do the same things as on a social site, but also creates a platform that encourages and eases the development of applications, widgets and mashups.
  2. Social Network Sites Go Way Beyond MySpace and Facebook But Reconsolidation Has Started - Gartner estimates that an individual is able to participate in one to three social networks in any meaningful way. Because there are only so many social networks to participate in, consumers are starting to shift to the large centres of gravity (for example, MySpace and Facebook in North America). Analysts believe that the social network market has not yet settled, so retailers should be cautious with their investments on any one social network.
  3. Social Networks Are Rich in Word-of-Mouth Discussions About Retailers and Products - Retailers should view social networks as a lead-generation channel just as they would search engines, review sites, and price comparison sites. Lead-generation vehicles range from banners, to search term bidding, to application programming interfaces (APIs) that enable social networks to access the retailers’ consumers.
  4. Social Graphs Make Word-of-Mouth Relationships Known and Usable - Social graphs describe how friends are formally linked to each other on a social network. Word of mouth is effectively amplified by making social graphs usable by friends and business entities on a social network.
  5. Viral Propagation is Boosted in Social Networking - Viral marketing is the most obvious route to take with viral propagation but must be closely monitored and managed. Communication between friends about something as simple as a pricing or promotion mistake on a Web site can propagate very quickly in social networks.
  6. Applications for Social Networks are Easier to Build - The latest push in the social network world has been the focus on creating a platform that allows individuals and companies alike to build applications (sometimes called widgets) that are designed to run on the social network. Social platforms, especially Facebook, have been providing a platform and technical guidelines to make building these applications easier.
  7. Social Networks Are a Huge Source of Consumer Data, but Retailers Cannot Easily Access It - Already some people are regretting having made so much information available on social networks, and access to this information will decrease further over time. However, access to some of this data can be gained by building applications that require members to agree to share some of their data in exchange for using the application.
  8. Communities, Groups and Networks Can Be Created By Anyone and Are Impossible to Control - If a social network provides corporations too many capabilities in interacting with members (for example, advertising and selling), there is a risk that members will leave the network. Gartner advises retailers to build their social network presence on content produced by members and create applications that engage members in providing feedback in areas such as product design.
  9. Social Networks Are Not Capable of Commerce, Yet - Gartner advises retailers against becoming an early adopter of commerce capabilities on social networks. This lessens the chances of being part of a movement that may drive away social network participants because of the perceived commercialisation of the social network.
  10. Social Networks Are Merging Into the Real-Time World - For now this remains an emerging consumer practice, but the ability to access social networks from mobile phones is being promoted by the wireless carriers.

Gartner's tips range from the obvious (social networking is more than just Facebook and MySpace), to the more interesting (social networks are not yet capable of supporting commerce).

The analyst says retailers should stay away from commerce-based social networking - a rule of thumb that might apply to all sectors. I guess the follow-up question might be: "How can you commercialise a successful social network?" After all, the security issues are so significant that most individuals are not keen to give away valuable personal information.

The continuing consolidation - which Gartner refers to as reconsolidation (has there been a previous consolidation stage, then?) - of social networking sites might help provide some clarity. As individuals find useful platforms and begin to trust the methods of operation, more firms should be able to create commercial operations.

Well, that's the theory anyway. If not, expect to be drowned by more and more social networking "opportunities" - most of which offer few benefits and little in the way of commercial viability.

Thursday, 24 April 2008

The buck stops with the boss on IT security

“The risk of going to jail usually pushes information security up the boardroom agenda,” conclude Jon Fell and John Skelton in their feature on e-crime. Fair enough, I guess - the integrity of customer data has to be a crucial business priority. But who should really call the shots when it comes to security, the IT department or the business?

A recent survey by Websense suggested 95 per cent of security professionals believe the chief executive should be held accountable for a breach, with a quarter of respondents believing the boss should go to jail in the event of a consumer data incident.

Tough talking from the IT professionals - and the survey also found just five per cent of security experts believe ultimate responsibility for a breach lies with the IT department, a huge drop from 21 per cent in 2007.

Are such hard-hitting opinions reasonable or are we looking at a case of IT professionals attempting to pass the buck?

Chief security officers (CSOs) certainly think so, with conference specialist Infosecurity Europe suggesting many are very concerned about the integrity of their application code.

As many as 75 per cent of European businesses think their applications contain security holes that can be exploited by criminals, according to Infosecurity Europe - and CSOs say they would welcome an initiative to raise awareness of security among the developer community.

IT leaders, then, blame the followers. But let’s be honest, no one would blame security professionals for playing their “get out of jail free” card, especially with the media hype surrounding customer data loss.

Such incidents have placed increased pressure on firms to ensure their systems and policies are up to date and in line with current regulatory demands.

Take the recently enforced Companies Act, which gives enhanced rights to auditors to obtain information. The Act states directors must disclose accurate information to auditors.

Board members who include false information run the risk of eating porridge at Her Majesty’s pleasure.

Security chiefs take note. While some IT leaders may be keen to apportion blame for e-crime on security professionals, real responsibility will always rest with the boss.

Thursday, 17 April 2008

Reducing the risks of information management

Information is the lifeblood of any organisation and chief information officers (CIOs) need to create a strategy that ensures crucial business information stays protected. It can be a difficult challenge. Forrester Research says information resides across the modern organisation in different shapes and forms.

Successful IT leaders will identify sensitive knowledge and ensure that data disclosure is prevented, says the analyst firm.

But how should the CIO move towards an all-encompassing protection and prevention approach?

The question is answered in this month's Computing Business, where IT decision-makers outline some of the challenges they face on a daily basis.

Such challenges mean now, more than ever before, technology leaders need to focus on risk management - a holistic strategy that helps provide protection across a range of key security areas, such as technological threats, human errors and corporate governance.

Top-level risk management will rely on close alignment between the IT organisation and line-of-business managers.

But working relationships between many technology and business leaders are characterised by complexity.

Jay Heiser, research vice president at analyst Gartner, says CIOs commonly ask him how much they should spend on security.

His standard response: “Go back to the business and find how much confidentiality, integrity and availability it needs.”

While clarity on broader risk requirements will help CIOs define a strong risk strategy, our cover story shows practical thinking is crucial.

Rather than seeing corporate governance as an impediment, use discipline-imposing standards - such as the IT Infrastructure Library (ITIL) - to help you create a secure set of risk processes.

Also develop a change advisory board, which will help you ensure new systems are tested and back-up plans created.

Finally, do not allow risk management to become risk aversion: rather than just concentrating on preventing problems, concentrate on proactive control.

This month, Computing Business is hosting a CIO roundtable to discuss the challenges of risk management - we will feed back those CIO opinions next month.

Take the right steps now and you could prevent information leakages that could result in lost business and an impact on your bottom line.

Friday, 11 April 2008

Data leak prevention is just security best practice

Cast a wary (or should that be weary?) eye on the latest security trends. So says ICI global information security director Paul Simmonds, speaking to Lisa Kelly in this week's definitive guide to security:

“Data leakage prevention (DLP) is being hyped and everyone is trying to flog it. Established vendors are tweaking existing products to DLP, while there are a whole bunch of start ups selling it. But vendors are always telling you that you have a big problem and they will solve it for you."

Simmonds has certainly got solution-obsessed vendors down to a tee. But what's all this about DLP? “We have always done DLP at ICI," says Simmonds - breaking the unwritten rule of no more than one TLA (three letter acronym) in a seven word sentence. That's 'unwritten' as in 'made up just now by me', by the way.

With regards to DLP, Simmonds says his company uses the classic 80/20 rule - 80 per cent of security is about people, processes and procedures, and only 20 per cent is about technology.

It sounds like a winning strategy. Especially as in next week's definitive guide, Freeform Dynamics analyst Jon Collins says:

"IT leaders need to consider risks caused by their own employees, be they through malice or stupidity. Internal workers have always posed the biggest threat to computer systems - even before product categories, such as DLP, were posited."

Apparently, some vendors also refer to DLP - stay with me, here - as information leak prevention (ILP) and extrusion prevention (EP). Basically it's about putting the right security processes and systems in place. So, for DLP (or ILP and EP) read best practice through a bunch of tools and policies.

Simmonds is right to be wary about the so-called latest security trends - but weary seems an even more appropriate sentiment, I think.

Tuesday, 01 April 2008

McAfee spam project smells like marketing guff

A free laptop, you say? There must be a catch. And there is. Fifty participants from around the world have signed up to a project where they have been provided with a clean laptop without spam protection and a new email address.

Worse still, the participants will be expected to surf the web, make online purchases and register for promotions.

Sounds crazy. But Christopher Bolin, chief technology officer for project sponsor McAfee, says it's becoming more difficult for internet users to detect spam and it's vital individuals understand the risks of leaving computers unprotected (which, of course, is McAfee's specialism).

Thanks be to good old McAfee, then. But hang on a minute, what's this? Dave DeWalt, chief executive officer for McAfee, seems to be suggesting we already know the answers to the research project:

"This experiment will raise awareness of the problem by showing that a 30-day diet of spam is bad for your online health."

Oh. If we already know that, why is the project taking place? Mmmmm... Rather than canned meat, I can smell the not-so-subtle whiff of marketing guff...

Anyway, if you're interested in the results, check the participants' online diary here: http://www.mcafee.com/spamexperiment

Friday, 28 March 2008

Time to focus on the good in databases

It can take a great deal of effort to make the national press interested in technology.

Million-pound system implementations that are bread and butter for a specialist magazine such as Computing are unlikely to be big news for the wider media.

Sometimes, however, organisational processes help push the role of technology. But such promotion is not necessarily a reflection of industry best practice.

Research from the BCS, for example, says UK citizens have expressed an “alarming loss of trust” in the institutions that are expected to safeguard their personal data.

The results are not surprising - stories of CD-ROMs filled with personal data lost in the post are hardly likely to inspire confidence.

A cascade of similar stories means the media has homed in on data collection, with the word "database" fast becoming a catchword for potential security threats.

“Fury over kids DNA database,” yelled the Daily Mirror recently, in response to a call from the Association of Chief Police Officers’ Gary Pugh for a debate on the measures required to identify future offenders. Such headlines form part of a broad media trend: want to spike citizen fears over technology bad practice? Mention a database or two and watch public indignation rise.

The result is an increased awareness from the proverbial man on the street about information practice and malpractice, with the BCS suggesting 90 per cent of adults are now aware of the Data Protection Act (DPA).

I guess people are aware of the principles of the DPA, rather than the fine details of the act - which Dino Wilkinson illustrates in this week’s Computing is a complex regulation.

But the result is the same: increased fear and loathing about the way public and private sector organisations collect, store and use personal information.

Yet technology can provide a helpful hand, rather than be a hindrance. Good IT management can ensure information is protected.

Manchester Airport’s project to use biometric technology, for example, helps restrict staff access and shows how information collection can provide best practice.

Such projects highlight how it is time to accentuate the positives of the database, rather than hate the connotations of a catchword.

Friday, 14 March 2008

Check the fine print of the Data Protection Act

There have been increasing numbers of data loss or data theft incidents reported in sections of the media over recent months - but when it comes to information protection law, research from the British Computer Society (BCS) suggests UK adults are informed and demanding.

"A remarkably IT astute Britain - 90 per cent of adults are now aware of the Data Protection Act (DPA) - has expressed an alarming loss of trust in established institutions, including government departments, to safeguard their personal data," states the BCS press release for its Data Guardianship Survey 2008.

UK citizens are remarkably astute? Amazingly astute, I would suggest. I guess people are aware of the principles of the DPA, rather than the fine details of the Act. What I am trying to get at is that the Act is often used as a sort of catch-all phrase for information protection.

So, when you speak to a financial organisation about your banking details, you might hear the response: "I'm afraid we can't give you that information because of the DPA." Or a consumer might say to a friend about a retailer: "Well, if they asked for that information, they're breaking the DPA."

In short, organisations and individuals basically use the DPA as a cliche; a way of saying: "That's our information". But what's the truth?

Despite a high awareness of the DPA, the BCS research suggests only 4 per cent of British adults have been the subject of access requests under the Act.

And according to next week's features section in Computing (out 27 March), Dino Wilkinson - senior associate in the communications, media and technology team at Norton Rose - says:

Under English law, any person who either alone - or jointly, in common with other persons - determines the purposes for which, and the manner in which, any personal data are, or are to be, processed is a 'data controller' for the purposes of the Data Protection Act 1998.

All data controllers must comply with the eight data protection principles set out in Schedule 1 of the Act. In particular, the seventh data protection principle requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

So, check out the fine print - especially if you're a 'data controller' that intends to use personal data. Other findings from the research include:

  • As much as 77 per cent of respondents said having the automatic right to personal data - if it is incorrect - is very important
  • And 71 per cent of adults said it is very important to be asked for their consent if other organisations or Government departments want access to data originally collected for another purpose
  • Meanwhile, 57 per cent of individuals said it is very important that the handling of data by Government employees is on a sliding scale of seniority – the more sensitive the information, the more senior employees should be

Wednesday, 09 January 2008

Security technology is not a priority for firms

2007 was a difficult year for IT security chiefs, with the media keen to report how organisations had failed to protect customer data through poor system implementations or slack human process.

Last March, for example, hackers half-inched the payment card details of more than 45 million TK Maxx customers. Later on in the year, misplaced disks at HM Revenue and Customs placed 25 million people at risk of identity theft.

Such problems and dangers - and the inevitable effect that a data leak can have on an organisation's public profile - would surely make IT security a key spending priority? Apparently not, according to consultant Deloitte.

Only 5 per cent of technology, media and telecommunications companies increased their security investment by 15 per cent or more last year. Half of firms allocated less than 3 per cent of their IT budget to security.

Hackers breaking down defences, workers losing information and organisations failing to firm up security - talk about mixed-up priorities, especially as the research also shows just 7 per cent of companies believe they are prepared for future security threats. Other findings from the research include:

  • Only 38 per cent of companies believe their organisation has all the skills and capabilities to respond effectively and efficiently to security challenges
  • A third (36 per cent) of organisations do not track losses of customer data at all
  • Even fewer firms (32 per cent) have performed an inventory of personal information

Maybe firms believe personal data is devalued and the risk of playing fast and loose with customer information is overplayed?

Security specialist Symantec recently found there is a global underworld of criminal organisations selling stolen information. UK-based credit cards are available from as little as £1.03, and full identities – US bank account, credit card, date of birth and government-issued identification number – can be bought for just £7.22.

As Paul B. commented on this blog: "Is the information so abundant that the criminals don't need to charge higher prices? Scary." Indeed it is - but two simple facts should help re-set the balance:

  • Last July, it was revealed that the Information Commissioner’s Office (ICO) received almost 24,000 enquiries and complaints concerning personal information during the previous twelve months
  • Identity theft, meanwhile, costs the UK economy more than £1.7bn per year, according to the UK’s fraud prevention service Cifas

Such figures help illustrate that investing in security has never seemed more worthwhile, despite the apparent low spending priority the business gives it.

Tuesday, 30 October 2007

Flexible working creates a security nightmare

Given the increasingly mobile nature of business information, it will not come as a surprise to many of you to discover that slack technology leaders are not doing enough to create tight security policies for flexible workers.

More than a third (35 per cent) of employees say responsibility for IT security is left up to the individual worker when they are outside the office, according to research from YouGov and Dimension Data.

In addition, 5 per cent of respondents say no-one is responsible for IT security when they are away from the workplace. Personally, I find it surprising that just 5 per cent - or one in twenty employees - recognise that serious gaps in security policies exist outside the office context.

As the research confirms, an increasing number of workers now engage in flexible working practices; just over half of respondents (51 per cent) access company information from home and 33 per cent do the same from public places.

Creating information security policies for such flexible workers is a nightmare - relying on some sort of client or portal, so staff can log in to email and enterprise applications. And many of these workers operate on their own computing equipment, using their own security settings. Thinking of policing flexible working? Good luck.

Wednesday, 10 October 2007

The future of technology, according to Gartner

Good news - possibly. Analyst Gartner has unveiled what it believes will be the top 10 strategic technologies for 2008. It's good news, I guess, in that chief information officers should have a heads-up about the technologies that - to quote the analyst - will have a "significant impact on the enterprise in the next three years".

Which is always helpful, especially if you're planning on spending a big wedge of the finance chief's cash. Gartner suggests proactively planning in the following areas:

  1. Green IT: Which is common sense, really - both from a strategic and public relations perspective.
  2. Unified communications: Gartner suggests 80 per cent of companies are already involved in trials and refers to unified communications as the first major change in voice communications since the digital PBX.
  3. Business process modelling: Service-oriented architecture is tough - BPM helps executives make the most of software resources.
  4. Metadata management: Firms keep creating and pumping out increasing amounts of content. Metadata management helps chief information officers make the most of their information, creating consistency and integrity.
  5. Virtualisation 2.0: Just when you're getting used to the concept of storage emulation, along comes virtualisation 2.0 - stronger, fitter and altogether sleeker. Includes a whole lot more resiliency and real-time automation.
  6. Mash up and composite apps: Gartner says mash up technologies will evolve significantly during the next five years - get wise and formulate an enterprise strategy.
  7. Web platform and web-oriented architecture: Basically, the web is going to become the standard service delivery model. Prepare for that development, too.
  8. Computing fabric: The future of servers - a move beyond blades to create a larger, single system that is the sum of its components.
  9. Real world web: Informal term, referring to places where information from the web is applied to the particular location, activity or context in the real world. It is intended to augment the reality that a user faces, not to replace it as in virtual worlds. Gartner says businesses now need to seek out new applications and revenue streams from the web in a real-world situation.
  10. Social software: Web 2.0 will experience considerable flux, with continued product innovation and new start-ups. Expect significant consolidation.

Tuesday, 02 October 2007

Stop buying illegal software, or face the risks...

The Business Software Alliance (BSA) has announced it prevented more than 36,000 illegal software products from being sold on a select number of online auction sites in the first six months of 2007. The BSA's figures also revealed that the value of the software being offered illegally via these sites during the period totalled over $8m.

“And this is the tip of the iceberg”, said John Wolfe, the excitingly titled director of internet enforcement at the BSA, who warns that counterfeit copies can pose a significant data protection risk.

The BSA release quotes a study from researcher IDC that states the chances of buying legal software that hasn’t had viruses, trojans or spyware embedded into the code on an auction site are less than 1 in 2 (which was a mistake in the press release, by the way - it is actually meant to say 'illegal'). Now that would have been a story: 'Fifty per cent of commercial software is embedded with viruses, Trojans or spyware'...

Monday, 10 September 2007

Happy birthday mobile phone - now for the users

Twenty-odd years of mobility - and still the pressures for chief information officers (CIOs) mount.

The BBC reports how on 7 September 1987, 15 phone firms signed an agreement to build mobile networks based on the Global System for Mobile (GSM) Communications (see end of post for link).

Progress has been swift - according to the GSM Association there are more than 2.5 billion accounts that use this mobile phone technology. But while the mobile phone might seem ubiquitous, challenges for business remain - as identified by this week's special feature on mobility in Computing (see end of post for link).

The feature - which is the first of four reports on the future of mobility in the enterprise - identifies how integrating mobile devices and making them work with company applications is still a big barrier to wide scale adoption and use.

Despite massive usage of mobile devices, the transformations heralded by such technologies have only just begun.

The report suggests users will face a range of challenges during the next three years or so, and Leif-Olof Wallin, research vice president at analyst Gartner, says CIOs should concentrate on five areas:

Don’t treat everybody the same
Most companies will be able to segment the user base into at least three profiles based on business requirements, job function, work style and locations.

Make IT responsible for mobility
Such an initiative will ensure that the organisation benefits from the same predictability of costs and project delivery times, while achieving the agreed service levels for all its enterprise mobility projects.

Create a mobile centre of excellence
Have three or four key staff that pull in virtual members as required to look at issues such as compliance, security, procurement, contract negotiation and local policies for use.

Implement a single unified mobility policy
Rather than rely on separate policies that have grown up piecemeal for mobile phone and laptop use, firms need to create one end-to-end policy that addresses all the issues of mobility, including security and interconnection standards.

Balance people, process and technology
While policies and processes are required for success, overly focusing on such aspects will delay time-to-business benefits while large amounts of documentation are produced. Find the balance between good enough technology, skilled people and sufficient policy – and processes for a successful implementation.

BBC report on the history of the mobile phone - Mobile phone technology turns 20

Computing special report on mobility - Mobile momentum

Friday, 07 September 2007

Top 10 questions for CIOs

How long is a piece of string? More importantly, what on earth is service-oriented architecture?

Such questions can be answered by mobile text question and answer service AQA (Any Question Answered), which Metro reports recently answered its 8 millionth question.

The newspaper provides a list of the top ten most popular questions (which includes 'How long is a piece of string?').

IT-based questions are notable by their absence in the top 10. Which got me thinking - what would a chief information officer (CIO) ask AQA? Here's my stab at the top 10 most popular questions for CIOs:

  1. Why can't I get on the board?
  2. Why won't the financial director let me spend any money on IT?
  3. How can I adopt a service-oriented architecture-based approach?
  4. What is service-oriented architecture, anyway?
  5. How does opening up 20 new data centres square up with our green computing strategy?
  6. What on earth has love got to do with it?
  7. How can I outsource the entire IT department and still look like I'm responsible for something?
  8. How can I tell the chief executive to get stuffed?
  9. Why does everyone hate me so much?
  10. How long is a piece of string?

Friday, 31 August 2007

Single sign-on is route to IT security success

Brunel University has become the hundredth member of the UK Access Management Federation. The Federation is based on Shibboleth technology and provides a route to single sign-on for multiple resources in numerous departments, giving universities, colleges and service providers secure access to electronic resources.

The Federation is operated by government-funded computer network Janet, on behalf of higher education advisory organisation Jisc and the government's IT development specialist Becta.

Jisc spokesman Philip Pothen told me reaching three figures in membership numbers was 'excellent news'. Which, of course, it is.

It is important, however, to keep an eye on the bigger picture - namely roll-out of the federated system across more of the public sector. Back in March 2006, Nicole Harris, programme manager at Jisc, told me that the eGovernment Unit (eGU) and NHS were keen to investigate the potential of federated access.

And last December, Jisc service director John Robinson told me Becta was making steady progress in its attempts to encourage the UK's 30,000-plus schools to join the Federation, alongside further and higher education institutions. 'There is potential that the whole sector will have access to the federated system by the middle of next year,' he said.

Robinson confirmed that the NHS remained interested, with the organisation keen to investigate the potential of using federated access to allow employees to work securely with education institutions. 'There is potential there - and there's potential for local government too,' he said.

With 100 organisations - including universities, local authorities and Regional Broadband Consortia - already signing up to the Federation, it is to be hoped that other public sector bodies will continue to recognise the security of strength in numbers.

Friday, 20 July 2007

Better to be safe than sorry

Computing features editor Chris Slinn recently received an envelope of informative literature about litter bins, bollards and gritters.

This was strange, seeing as I, and not the mysterious Chris Slinn, am features editor of Computing.

While company expenses might stretch to a taxi fare or a meal with a contact, it’s unlikely they’ll stretch to buying me my own grit spreader.

The double mix-up – the wrong person being sent irrelevant information – suggests that someone, somewhere had a lax moment with a couple of databases.

Such negligence is a widespread and unacceptable side-effect of the knowledge economy, where businesses have to deal with an ever-increasing range of customer records.

At the launch of his annual report last week, Information Commissioner Richard Thomas called on all UK chief executives to take the safekeeping of personal information more seriously.

Thomas referred to the inexcusable security lapses of the past 12 months that have seen laptops holding personal details stolen and credit card statements found in waste bags.

The annual report highlights how the Information Commissioner’s Office (ICO) has received almost 24,000 enquiries and complaints concerning personal information.

Such grievances are not hard to find. A mix-up between two banks meant that my friend recently received another woman’s personal banking information.

The bank offered £35 compensation, which is pretty measly when you consider they will sting you with a £30 bill for going just £10 overdrawn.

Which offence is worse – letting your account slip into the red, or giving personal banking details for free to a total stranger?

Perhaps part of the explanation for a lax attitude to personal information is the cheap availability of data.

Security specialist Symantec recently found there is a global underworld of criminal organisations selling stolen information.

UK-based credit cards are available from as little as £1.03, and full identities – US bank account, credit card, date of birth and government-issued identification number – can be bought for just £7.22.

With personal data devalued to such an extent, is it any wonder companies are playing fast and loose with customer information?

So what if a user downloads personal data to a USB stick, and leaves it on the seat of a bus in Birmingham? You should care. First, identity theft costs the UK economy more than £1.7bn per year, according to the UK’s fraud prevention service Cifas.

Second, the technology leader will be responsible for ensuring security systems do not allow costly information leaks to take place.

But such activities are difficult to prevent, especially with IT managers finding it hard to deal with the downward trend in security spending.

Analyst Forrester Research found European and US chief information officers spent 7.75 per cent of their IT budgets on security last year, compared with 8.92 per cent in 2005.

However, Forrester also found that a drop in spending is not an indication of security’s declining significance, with 63 per cent of technology leaders suggesting security upgrades are a business priority.

It will be your job to convince the board that spending more on information security is worthwhile.

Wednesday, 04 July 2007

How to cope with rogue IT

Dealing with errant behaviour is an unremitting and intractable challenge for IT managers. Users install illegal software, muck around with macros and access databases without authority - and that's just for starters.

The answer to such rogue behaviour, according to a survey from integration specialist Blue Prism, is a strong governance model between IT and business, rather than a strong arm from the technology department.

Three quarters (75 per cent) of IT respondents suggest strategic controls, such as monitoring, need to be put in place to help the technology department cope with rascals in the business.

Still, IT managers don't blame users for their errant activities, with almost seven out of 10 (67 per cent) respondents suggesting that rogue behaviour comes as a result of IT department budget and resource constraints.

Just goes to show, then, that you technology leaders are a patient lot, really.

What do you consider to be rogue IT (as a percentage of the respondents)?

  1. Vendor application installed without IT department's knowledge - 100
  2. Installing personal software - 83
  3. Locally written scripts in VB or other language - 56
  4. Local Access databases - 50
  5. Complex Excel spreadsheets - 39
  6. Using SaaS solutions like salesforce.com/Google apps - 39
  7. Macros in Word/Excel - 28
  8. Terminal emulator software - 28
  9. Other - 11

Source: Blue Prism

Monday, 30 April 2007

Watch out for mobile viruses

So, how can security specialists, such as Kaspersky Lab, help chief information officers (CIOs) crack online crime? Head of antivirus research and development Eugene Kaspersky told The Knowledge that the Lab is continually exchanging information and samples with blue-chip firms. 'We communicate and co-operate,' he said.

When it comes to product development, Kaspersky said the firm is more guarded to ensure intellectual property rights are maintained. But he did say that the Lab will be concentrating on a number of core areas during the next three-to-five years.

And as smartphone penetration increases in response to decreasing cost, Kaspersky expected more and more viruses to appear on mobile devices. He anticipated the problem becoming significant when China, Latin America and Eastern Europe begin to launch smartphone services, allowing criminals in these areas to become aware of the potential for a new type of fraud.

More and more companies are putting essential services on mobile devices, many of which offer a link back to corporate databases. With smartphone viruses likely to increase, it is essential that CIOs think carefully before they introduce mobile services.

Tuesday, 24 April 2007

Cracking online crime

Eugene Kaspersky, head of antivirus research and development with Kaspersky Lab, visited Computing's office on Monday. He told me the three main security threats facing chief information officers (CIOs) are related to the benefits of committing online fraud from a criminal perspective: ease, profit and risk.

  • Criminal business on the internet is easy. Kaspersky said criminals don't feel guilty because they don't have to see the effect on their victims.
  • Internet crime is very profitable. Online fraud sometimes involves an individual and sometimes a group, yet Kaspersky said he is never surprised when millions of pounds are involved. And internet criminals never have to pay tax on their profits.
  • Online crime is a low-risk business. The victim and the attacker are almost always based in different countries - and Kaspersky said monitoring such diverse geographies is a challenge, particularly when the police often find it difficult to communicate information within national boundaries.

In short, the biggest security threat to the CIO is the convenience of internet crime. And making such crime inconvenient will be an intractable challenge for technology leaders.