I’ve spent a few hours reviewing the Cisco Annual Security Report for 2014 and some of the data contained in it isn’t just interesting, but extraordinary. I’ve excerpted parts of it here with comments (my comments are in italics):

  • Java comprises 91 percent of web exploits; 76 percent of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version – This is a huge problem for organisations, particularly given that many of the Java exploits are due to older versions and updating Java across a computer fleet is difficult and fraught with challenges.

  • Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware – Android devices are becoming more ‘trusted’ in organisations rather than the ‘walled garden’ iOS environment. With the enclosed ecosystem at Apple comes security so I’m not sure why corporations who are security conscious would be considering Android? It’s potentially a cost issue as iOS devices are generally much more expensive, but it’s easy to see this is false economy due to the security risks.

  • There should be an assumption by all users, perhaps, that nothing in the cyber world can or should be trusted – I’m intrigued by what we can do in the industry to get this point across to users. It’s still apparent to me that people who wouldn’t dream of letting someone in their front door without checking all information about them freely invite them into their computer world, where there is arguably more information available about a person (banking, tax etc).

  • Cisco defines the primary security concerns for 2014 as:
  1. Greater Attack Surface – Data is the prize that most attackers are after, either personal data or information about the environment for further attacks. A staggering statistic: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware – do you know what’s going on in your network? If the companies analysed skew towards the Fortune 500, as most Cisco clients do, what chance do SMEs have at securing their networks? The two questions Cisco suggest asking are:

– Where is our critical data?

– How do we create a secure environment to protect that data, particularly when Cloud and Mobility leaves us with little control over it?

2. Proliferation and Sophistication of the attack model – The vectors for attack are numerous and the surface area is huge. The weakest part of your network is where attackers are focusing (usually endpoints), but always with the goal of accessing data residing in datacentres or computing centres. Segregation of networks will become key to securing data in the future.

3. Complexity of threats and solutions – Gone are the days when spam blockers and antivirus software could help guard an easily defined network perimeter from most threats. Today’s networks go beyond traditional boundaries, and constantly evolve and spawn new attack vectors: mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers, home computers, and even vehicles. Point-in-time solutions can’t respond to the myriad technologies and strategies in use by malicious actors – Agree with this point wholeheartedly. In the past all we really needed to worry about was securing our networks from outside at the perimeter level and securing endpoints. The endpoint types have now become myriad and securing them is often impossible; it’s apparent that the majority of security now needs to occur at the network level in order to be effective.


  • Spam volume is down however malicious spam doesn’t appear to be decreasing – Spammers are increasingly using public interest stories (such as the Boston bombing) to drive traffic to malicious websites. Again, how do we stop users from accessing this data given the speed at which spammers can register domains, create fake websites and spam out?


  • Java provides an attack vector too large to ignore, 97 percent of enterprise desktops run Java, as do 89 percent of desktop computers overall in the United States – When will Adobe address the inherent risks of Java? Or when will sysadmins demand that Java just isn’t installed on corporate desktops? We surely mustn’t be far away from this time given the risk and depth of the issue?


  • Today’s security teams are grappling with the “any-to-any problem”: how to secure any user, on any device, located anywhere, accessing any application or resource – MDM is just one part of this problem (although a growing one), how do we secure BYOD at the network level and more importantly accessing corporate applications that are required for people to be productive in their employment? Loss and targeted theft of devices also causes challenges for businesses, particularly ones that haven’t encrypted information on their mobile devices or don’t enforce security on the mobile devices. Given the privacy act amendments I’d suggest that mobile devices will be one of the first ports of call for attackers seeking to compromise corporate networks.


  • Attackers are targeting specific, high value industries via a number of ways to potentially infect – these industries are electronic manufacturing, pharmaceutical and chemical industries. However it’s important to note that other previously low risk industries (such as mining and agriculture) are also rising as those industries’ value increases – I’ve actually heard from customers that no-one would want to see the data they keep, so why should they be concerned about securing it (in a more than cursory fashion)? Anywhere there is money, attackers are interested, so if your business is making money, I’d be worried about security.


  • Hosting partners, DNS Namespace providers and Infrastructure as a Service providers are increasingly becoming the focus of attacks due to the fact that once they are compromised, compromising other customers of this provider or using their services to deliver more malware is simple. One compromised server in a large hosting provider could essentially compromise hundreds or thousands of websites. – How secure is your hosting provider? What tools and protection do they have in place at even the hypervisor level to ensure they won’t be compromised?


  • All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when … and for how long. – This is demonstrated by the fact that 100% of business networks monitored by Cisco have traffic going to malicious websites, it would be naïve to assume that most businesses have not been compromised. Organisations should review what data is going across and out of their networks in order to understand potential compromises.


  • Brute force logins are the number one way websites are compromised – Security logging/alerting, lockout policies and complex password enforcement on any public facing platforms are essential to make brute force attacks difficult to succeed.
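The logging and lockout side of that point, as an added example that is not from the Cisco report or this post: a sliding-window counter over login records that alerts per source address and per account, with the caveat that hard-locking an account hands an attacker a denial of service. The log line format, thresholds and sample log are assumptions.

```python
"""Sliding-window detection of brute-force logins against a public-facing
login endpoint, tracking failures per source address and per account. Added
example, not from the Cisco report or the original post; the log line format,
the thresholds and the sample log are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> login <ok|fail> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


class BruteForceDetector:
    """Counts failed logins inside a sliding window. A source address that
    exceeds `per_ip` failures can be blocked outright; an account that exceeds
    `per_user` failures from any sources is under attack, but hard-locking it
    lets an attacker deny service to the real user, so that alert is better
    routed to a step-up challenge than to a lockout."""

    def __init__(self, window=timedelta(minutes=5), per_ip=10, per_user=5):
        self.window, self.per_ip, self.per_user = window, per_ip, per_user
        self.failures = {"ip": defaultdict(deque), "user": defaultdict(deque)}
        self.alerts = []            # (kind, key, time the threshold was crossed)
        self.locked = {"ip": set(), "user": set()}

    def observe(self, ts, ip, user, result):
        if result != "fail":
            return
        for kind, key, limit in (("ip", ip, self.per_ip), ("user", user, self.per_user)):
            recent = self.failures[kind][key]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:   # drop stale failures
                recent.popleft()
            if len(recent) == limit:        # fire once, as the threshold is crossed
                self.alerts.append((kind, key, ts))
                self.locked[kind].add(key)

    def is_blocked(self, ip, user):
        """Decision for a new attempt: block the source, challenge the account."""
        if ip in self.locked["ip"]:
            return "block"
        if user in self.locked["user"]:
            return "challenge"
        return "allow"


def detect(lines, **kwargs):
    """Run the detector over log lines (oldest first) and return it."""
    detector = BruteForceDetector(**kwargs)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            detector.observe(*parsed)
    return detector


# Constructed sample log: one address trying six accounts twice each, five
# addresses sharing the "admin" account, and one user who mistypes then succeeds.
SPRAY = [f"2014-03-01T10:00:{i * 4:02d} 203.0.113.5 login fail user=user{i % 6}"
         for i in range(12)]
DISTRIBUTED = [f"2014-03-01T10:02:{i * 10:02d} 198.51.100.{i + 1} login fail user=admin"
               for i in range(5)]
LEGIT = ["2014-03-01T10:03:00 192.0.2.9 login fail user=bob",
         "2014-03-01T10:03:20 192.0.2.9 login fail user=bob",
         "2014-03-01T10:03:40 192.0.2.9 login ok user=bob"]
SAMPLE_LOG = SPRAY + DISTRIBUTED + LEGIT

if __name__ == "__main__":
    d = detect(SAMPLE_LOG)
    for kind, key, ts in d.alerts:
        print(f"{ts.isoformat()} {kind} {key} crossed the failure threshold")
    print(d.is_blocked("203.0.113.5", "user0"), d.is_blocked("192.0.2.9", "admin"))
```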


  • DDOS Attacks are increasing in volume and severity – Most businesses that are usually subject to these sorts of attacks have already invested in infrastructure to mitigate them. However, with the growth of the Internet of Everything and the ever increasing bandwidth available, organisations should prepare for longer and stronger attacks which may bring previously adequate protection to its knees. We’ve also seen that industries that traditionally wouldn’t be targets are becoming targets for a variety of reasons, particularly sites that allow users to comment or ‘flame’ each other, which may invite ‘payback’ from people with the means to do so.


  • Ransomware is still a concern and still a major source of revenue for cybercriminals – We’ve actually seen a lot of Ransomware attempts on our customers, which we’ve mitigated through client and server side AV that allows us to ‘undo’ the changes made by this encrypting type of Ransomware (e.g. Cryptolocker). However, this isn’t going away as a challenge to organisations.


  • Security talent gap – Most organisations don’t have the skills and experience to protect themselves from sophisticated cyber-criminals. There appears to be a shortfall of security professionals, particularly those with ‘white-hat’ type skills. Organisations that can’t source appropriate talent, or aren’t big enough to, should partner with organisations who have strong security focus to round out that skill shortage.


  • Cloud is the new perimeter – With the moving of the ‘edge’ to the cloud, organisations are often at the mercy of their cloud provider’s security model, which may not be in step with the internal expectation of security process. What questions are you asking your cloud provider about their security process, disclosure policy and patching policy? Is it backed by the business expectation of security?

The Cisco Annual Security Report is available at: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html?keycode=000350063 and I heartily recommend downloading it and reviewing it for your own purposes, it’s a bit wordy but certainly valuable to all organisations.


Well, I slacked off a bit on the blogging, but I’m hopefully back, re-energised with technology after a great week at Cisco Live!

One of the things that has been bothering me though, isn’t related to Cisco Live but came up during a talk at this event which is availability metrics.

Everyone in the IT industry has heard about them, although very few of our clients have actually worked out what they mean and I’d like to bring some focus to those things today.

First, let’s describe how you come up with availability as a figure (generally represented as the 9s):

Availability = Time of Uptime / (Time of uptime + Time of Downtime)

Let’s start with my favourite myth, 99% availability. It sounds good, right? If you told me my internet service was 99% available I’d likely be rapt with this and not question the outcome, but in real terms 99% availability equals an outage of 1.68 hours in any given week, 7.2 hours in any given month and a total outage time of 3.6 DAYS in any given year. Now, I don’t know about you, but 3.6 full days of outage of a corporate system is pretty large, right? Of course it may not happen all at once, and the outages may happen out of hours so they don’t affect your core business, but they COULD and you’d still be inside what you signed up for.

Even when you scale this up to the even more impressive sounding 99.9% availability, this still equals 8.76 hours per year – so a full business day of outage per year. This might be fine for your internet service, particularly if you have a redundant connection – but if you’re talking about a cloud based ERP service that’s really not satisfactory given you may actually lose a full day of productivity with it being offline.
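To make those numbers concrete, here is an added example (not from the original post) that turns an availability percentage into the outage allowance per period using the formula above, and then checks a month of outages against an SLA while separately counting the hours that fell inside business hours. The period lengths (7-day week, 30-day month, 365-day year), the 08:00 to 18:00 business window and the outage list are assumptions.

```python
"""Downtime budgets implied by an availability percentage, plus a check of a
month's measured outages against an SLA. Added example, not from the original
post; the period lengths (7-day week, 30-day month, 365-day year), the business
hours window and the outage list are constructed assumptions."""
from datetime import datetime

# Hours in each SLA reporting period (assumed period lengths).
HOURS_PER = {"week": 24 * 7, "month": 24 * 30, "year": 24 * 365}


def availability(uptime_hours, downtime_hours):
    """The post's formula: uptime / (uptime + downtime), as a fraction."""
    total = uptime_hours + downtime_hours
    if total <= 0:
        raise ValueError("period must have positive length")
    return uptime_hours / total


def downtime_budget(pct, period):
    """Hours of outage per period that still satisfy an SLA of `pct` percent."""
    return HOURS_PER[period] * (1 - pct / 100)


def budget_table(pcts=(99.0, 99.9, 99.95, 99.99)):
    """Outage allowance per period for each SLA figure, in hours."""
    return {p: {k: round(downtime_budget(p, k), 2) for k in HOURS_PER}
            for p in pcts}


def _business_hours_overlap(start, end, open_hour=8, close_hour=18):
    """Hours of an outage that fall inside the business-hours window.
    Assumes an outage does not span midnight (constructed simplification)."""
    day_open = start.replace(hour=open_hour, minute=0, second=0, microsecond=0)
    day_close = start.replace(hour=close_hour, minute=0, second=0, microsecond=0)
    clipped_start, clipped_end = max(start, day_open), min(end, day_close)
    return max((clipped_end - clipped_start).total_seconds() / 3600, 0.0)


def sla_report(outages, sla_pct, period="month"):
    """Compare measured outages with the SLA and with the business-hours impact,
    since a provider can meet its number while still costing you working days."""
    hours = HOURS_PER[period]
    down = sum((e - s).total_seconds() / 3600 for s, e in outages)
    business_down = sum(_business_hours_overlap(s, e) for s, e in outages)
    achieved = availability(hours - down, down) * 100
    return {
        "downtime_hours": round(down, 2),
        "business_hours_down": round(business_down, 2),
        "availability_pct": round(achieved, 3),
        "budget_hours": round(downtime_budget(sla_pct, period), 2),
        "meets_sla": achieved >= sla_pct,
    }


# Constructed outage windows for one month of a hosted ERP service.
OUTAGES = [
    (datetime(2014, 3, 3, 9, 0), datetime(2014, 3, 3, 13, 30)),    # 4.5 h, mid-morning
    (datetime(2014, 3, 15, 2, 0), datetime(2014, 3, 15, 5, 0)),    # 3.0 h, overnight
    (datetime(2014, 3, 22, 8, 30), datetime(2014, 3, 22, 10, 0)),  # 1.5 h, start of day
]

if __name__ == "__main__":
    for pct, row in budget_table().items():
        print(f"{pct}% availability allows", row)
    print(sla_report(OUTAGES, 99.0))
```

With these outages the service delivers 98.75% for the month, 9 hours down against a 7.2 hour budget, and 6 of those hours land inside business hours.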

A number of pretty large services are only 99.9% available. Office365 (less affectionately known as Office364 by some people) has an SLA of 99.9% availability, although to be fair they’ve actually significantly outperformed this and are closer to 99.95% availability, which you can check in their trust center – http://trustoffice365.com/. Publishing real availability metrics is also an important part of establishing trust and Microsoft has done a great job around this aspect of the Office365 product.

So, what am I trying to say? I think it’s important to say that numbers aren’t everything and understanding the real impact an outage would have prior to signing up to services is important particularly with the marketing cloud providers put around their availability metrics. It’s also important to say that it’s fine to have availability metrics, but are all providers actually reporting back to you on what their availability levels are?


Apologies for the delay in posting, it’s been a long time I know – life has gotten to me with a number of big projects so I haven’t had a chance to post.

In any case, today I’d like to post on the upcoming Privacy Act amendments which have been entered into legislation and take effect in March 2014. Many people are unaware of the changes to the existing Privacy Act and the effect it will have on small businesses (anyone over $3M in revenue is subject to this act).

For companies that are affected by the act, it’s very important to understand what it means to you and your business and the steps that will need to be taken to ensure that you don’t become one of the first companies in Australia to be punished under the act.

At a high level the act comprises a number of mandates about the level of security and protection you need to offer customer data that you keep in your control – including customer data that may be stored not in your facilities (such as in a shared datacentre using DropBox, GoogleApps or Office365).

To take a small reading of the act:

“…an entity must take reasonable steps to protect personal Information it holds from misuse, interference and loss, and from unauthorised access, modification, or disclosure.”

This appears very broad in its wording (and potential application) and it’s likely deliberately that way – it would be very hard to capture all of the necessary protections of consumer data that would potentially exist out there.

Some of the penalties are huge for breaching aspects of the Privacy Act through the loss of customer data – up to $370,000 for individuals and $1.7M for companies. Whilst the reputational issue of losing a customer’s data is significant, this is of particular concern to those smaller companies for whom a fine of this sort of size would effectively push them out of business – a larger company such as one of the big banks could continue on, but a 30 seat accounting business wearing a $1M fine would likely end that organisation for good.

It’s also important to note that onerous fines are not the only remedy available to the government under this act – it would also be possible for the Privacy Commissioner to conduct its own investigations and demand that organisations show the precautions they have in place, along with placing binding undertakings on organisations to remedy failures in process around privacy.

Unfortunately for smaller businesses, they often haven’t invested in security and data loss prevention like bigger organisations have, as they have not seen the need to up until today. This leaves them very susceptible to being compromised, as without appropriate investment in protection it would be very easy for nefarious insiders or external ‘hackers’ to access customer information and thus expose the organisation to remedies under the act.

Some of the technology solutions that may be required include:

  • Appropriate workstation and server anti-malware protection
  • Security patching all assets (both computers and network devices)
  • Disk Encryption for servers and workstations (particularly for travelling laptops/mobile devices)
  • IDS/IPS and Firewall to prevent external threats
  • DLP solutions to analyse the flow of customer information and where it may be compromised
  • Reviewing staff access permissions
  • Securing company database assets in an appropriate fashion (access control, location etc)

But there is also a significant amount of work to be done on governance such as:

  • Education of staff so they understand the ramifications of taking/sharing data (particularly in a social engineering capacity) and their responsibilities under the Act
  • Review of security and access control policies across your organisation
  • Testing of the above policies and technology solutions regularly to assure outcomes are in line with expectations
  • What processes are adhered to when customer data is requested and what process is followed if there is a breach of customer data
  • What happens to retired computer assets to ensure data isn’t contained on them when they are no longer needed
  • How do you handle employees working from home or on the road and the security of their mobile devices/laptops? What policies are attached to this sort of employee and their company assets
  • How do you deal with the influx of BYOD and non-controlled devices coming into the organisation?

The full guide on Information Security compliance is here: http://apo.org.au/sites/default/files/docs/information-security-guide-2013_WEB.pdf

This is a landmine for businesses not expecting further compliance requirements outside of what they are already doing – but I would suggest that nearly 100% of businesses will have to do something to meet their compliance requirements in light of this amended act.

If you have any questions about the above – please feel free to reach out to me to discuss.

Thanks go to McAfee for their take on the above and prompting me to write this blog.

My thoughts on the customer experience are very straightforward.

If you aren’t offering something that someone else isn’t offering (ie you have a monopoly) the only way you can differentiate or compete is by making it easy for customers to do business with you in a repeatable and consistent fashion.

This is exactly where retail have it all wrong and are suffering at the hands of the e-Commerce industry.

I could go into a large department store, fight traffic, get parking, walk through hundreds of people to buy my stuff, then wait for a person who knows nothing about the product to help me, then check out and get home OR I could go online, read other customers reviews and one click order from the comfort of my lounge room in my underpants without any of the above. The only issue is that of delay of fulfilment, but most customers don’t need a new pair of shoes, or a DVD player TODAY, so it’s not really an issue in retail.

One is easy, the other is hard and the way this applies to the IT industry is that we all too often make it too difficult for customers to do business with us both initially and in a repeat fashion.

There are a number of ways we can improve the customer service experience, but I’m going to focus on the issues and on two products which are awesome and I really enjoy working with that improve that customer service experience.

The first issue for mine is non-integrated service portals – I hate these with a passion; a separately maintained username and password onto a portal which is usually not well designed and doesn’t allow customers to do key tasks. I’m looking at you here Connectwise, you know what I’m talking about! But luckily, the solution is already here and it’s called DeskDirector (www.deskdirector.com) – I’ve been doing some testing with this product and it, in one word, is awesome.

It’s basically a replacement for the Connectwise service portal (which you probably already give access to your customers to) that does a number of great things to improve that user experience for customers and make it easier for them to do business with you.

First, it’s AD integrated to the CLIENT’S Active Directory: you just put their domain SID into a portal and then the users automatically authenticate with their own Active Directory username and password. Even better, if the client doesn’t exist as a contact in Connectwise and they try to use the portal, this will actually CREATE them as a contact in Connectwise! That’s actually a really simple thing, but it’s really great because often you won’t have a client’s details for a call back or something like that, plus you can track who logs tickets and for what.

Second, it’s a client side application with an easy installation on clients’ PCs, particularly easy if you use something like Labtech to roll it out. But the reason that clients want to use it is because it includes a raft of user training built into the product, and the ability for you to provide training to customers is what will drive the client side adoption of the product without having the “oh no, not another thing for me to use to interact with my service provider!” discussion. The training is customisable and you can provide your own training material on a global or specific per company basis – the other advantage of this is that if a client can find the answer to the problem before contacting you, then you’ll save costs on servicing that customer. But mostly, the client is happier because they can pull the training and information they need whenever they want it to help themselves.

Third, there’s a raft of features I love which enable the customer to interact in a simple and consistent fashion. These are:

1. A very user friendly wizard driven way of logging a ticket (including adding screenshots etc very easily) which can automatically assign service types into Connectwise or put the ticket onto different Connectwise boards. Also the ability to see all active tickets for a company including timeline and interactions with your organisation
2. The ability for a specific user at a client site, if they are added to a particular group (that you manage in Connectwise) to be able to either have all of their tickets logged as a priority 1 or 2 OR have the ability to ‘fast-track’ particular tickets that might not look important at first glance but actually are (ie a single PC not working might not be important, unless that person is the payroll person and today is pay day!)
3. The ability for clients to see all invoices issued to them from Connectwise (if given the permission) so they can self service their own invoices taking the pressure off your account management/finance team if a client wants to see an old invoice.
4. The ability for clients to see “Recommendations” which are basically Opportunities in Connectwise and flag them for review (or really just say they want to buy them!) along with being able to see the quote if you have Quosal and are using Order Porter.
5. The ability for clients (if they have the permission) to see tickets in the “On Hold – Awaiting Client Approval” status and approve the ticket – no more billing or security problems when a client says they didn’t approve for work to be done
6. If you want to provide the feature of ‘chat’ with your engineers, there is also the ability for clients to chat with engineers and your engineers to see the ticket they’re chatting about and enter the notes from the chat directly into Connectwise from the chat application installed on your engineers PC. In my mind, this would replace the chat agent that Connectwise are selling which is kind of expensive anyway.

Anyway, that’s enough about Desk Director, but take my word for it, it is truly awesome and I can’t wait to get this rolled out to our customers so they can experience the power. It’s not that expensive and well worth a look, the guys will set it up for you and you can test drive the power of it.

The second issue I have is ugly reports. That’s a pretty blunt term, but clients want to know what’s going on with their network and with their service tickets, and they want to do that in an easily understood fashion that can be given to a non technical executive who can see at a glance what’s occurring. I spoke a little in my last blog post about experience scores, which I think is where the industry needs to move to, but while that’s being built out you have to provide some sort of Managed Services Report to the clients you’re working with.

Generally the reports coming out of RMM and PSA tools are disparate, and, well, ugly. I’ve seen a lot of them, used a lot of them, and even as a technical person sometimes the content is not easily understood even if you know what you’re looking at.

The guys at BrightGauge (www.brightgauge.com) have an excellent piece of software that pulls information out of Connectwise, Labtech, Kaseya, Autotask and GFI Max and consolidates it into an online, fully customisable, drill down, gauge driven report that both looks awesome and demonstrates value to your clients for the services you’re delivering. It’s a major differentiator if your competitors are still issuing the tired old reports that have a lot of words but don’t really say anything. It’s also dirt cheap for what it does. If you don’t already have it, seriously – go and sign up now; they have no contracts and when we’ve needed their support they’ve been very forthcoming with it.

For mine, the next iteration should be that the guys from BrightGauge talk to the guys at Desk Director and have Desk Director deliver the reports directly down to the client desktop without requiring another portal. It would be especially cool if a client could run their own reports, on their own timelines, directly from Desk Director. More than one portal... is too many portals – but if you’re reducing 3 portals to 2, then you’re at least going in the right direction!

Both of these products solve a number of difficult problems with giving clients granular, understandable access to the value you deliver for your Managed Services clients and I can highly recommend both of them for streamlining and improving the customer experience.

My major point for this post is that clients are expecting to be able to pull information on their timeline without necessarily needing to interact with you and your staff, or wait for a reporting period to come around so they can see what’s going on with their networks. Anything you can do to give that information in a consistent and concise fashion will add value to the customer experience and make it easier for them to do business with you, which will drive improvements in profitability, customer retention and customer satisfaction for you.

Anittel Unified Communications Video

I was reading an article about LeBron James that I can highly recommend to all:


It’s predominately about how James has continually and ruthlessly improved his performance over the last 4 or so years.

Already a prolific talent, that just isn’t enough for James; he has the drive and discipline to be the best of all time. You could say, referencing my previous blog post, that he’s highly intrinsically motivated. I have a sneaking suspicion that even if he was a ditch digger, he’d be working out better and smarter ways to dig those ditches and be the best at it.

Anyway, there’s a quote in it that I love:

“It’s work,” James says. “It’s a lot of work. It’s being in workouts, and not accomplishing your goal, and paying for it. So, if I get to a spot in a workout and want to make eight out of 10, if I don’t make eight of 10, then I run. I push myself to the point of exhaustion until I make that goal.”

What an impressive mindset for someone already at the absolute top of his game. Surely the greatest current player in the NBA, and likely to be one of the greatest of all time, doesn’t NEED to train this hard, but he wants to – he wants to be the best.

There’s a lot you can learn from this and certainly a lot I’ve learnt over the years from different endeavours in both competitive sport and business – if you want to be the best there’s sacrifice, struggle, time and punishment involved. There is no-one that is the best at something the day they start at it, even if you’re genetically gifted – the very best are defined not by their natural talent but by their drive, will and desire to be better every single day.

Having just taken up playing AFL football at the age of 31, never having touched an AFL football before, my team mates think it’s weird that on the weekends, after I’ve played an exhausting game, I’m out kicking the football trying to get better, trying to pick up skills, wanting to play more, be involved more. But realistically, it’s just not enough for me to be OK at something. It’s one of the reasons why I can only have one sporting obsession at a time; it’s too overwhelming otherwise!

I work every day, almost obsessively on being a better leader, colleague, sportsman and human being because I know I have room to improve in all of those areas. I think companies should work every day on being better corporate citizens, partners with their clients and community leaders.

So how much do you (or your companies) punish yourself to be better at what you do? What do you give up to be great? Do you really want to be great? If so, do you have a cohesive vision of what would make you great?

Interesting questions with interesting answers, I venture...

Rob’s DISC Profile