22 October 2015

Businesses over-confident in new Breach Confidence Index

Ilex International’s Breach Confidence Index launches today to monitor the level of confidence businesses have when it comes to security breaches. The result of the latest YouGov survey paints a worrying picture for businesses. Almost a quarter (24 percent) of the IT decision makers surveyed were ‘very confident’ and 59 percent ‘fairly confident’ that their business is protected against a data security breach.
Compared to the figures shared by the Rt Hon Michael Fallon MP of the Ministry of Defence at the 2015 Cyber Symposium, there is a major gap between the perception and the reality of security breaches among businesses. Fallon expects the cost of cyber security breaches to keep growing: it has already tripled over the last year in the UK and now accounts for £20 to £30 billion per year. The Breach Confidence Index survey measures these confidence levels and reveals the primary reasons why businesses have suffered a breach. The full report also sets out best practices to minimise the risk of a security breach.

23 June 2015

Strong authentication in French local communities, a legal obligation

By Thierry Bettini, Ilex International and Hervé Fortin, Aisne department

The implementation of a strong authentication solution in a local community is most of the time treated as a technical issue by the IT department, which too often reduces this type of project to the simple replacement of an obsolete login/password. In a context of budget restrictions within local communities, it is therefore difficult for the IT department to make the case for such a project, which is regarded as too costly and as a low priority.

However, beyond its technical dimension, the implementation of a strong authentication solution guarantees security and traceability of access to the Information System. Thus, local communities can comply with the legislation in force and, notably, with the personal data protection obligations defined by the CNIL (Commission nationale de l’informatique et des libertés – National Commission on Information Technology and civil Liberties).

Legal liability of the CIO/CISO

Many local communities validate the French Information Technology and civil Liberties declaration (“Déclaration Informatique et Libertés”) without having a good understanding of its resulting obligations. Indeed, the French law of 6 January 1978 on Information Technology, Data Files and Civil Liberties (which was modified in August 2004) defines the principles to comply with when collecting, processing and storing information about natural persons. The scope of this law is broad and concerns most of the processing or files used by local communities to manage their numerous services: civil status, electoral lists, school enrolment, social action and other services to the population, etc.

"The creation and processing of personal data (identifier number, name, address, telephone number...) are subject to requirements which aim at protecting individual liberties and the private lives of the people on file", says Thierry Bettini, Sales Director at Ilex International. The requirements vary according to the nature of the file and the purpose of the information collected: standard or simplified declaration, or authorisation request. There are also security, confidentiality and information obligations.

Some data is particularly sensitive depending on the area and is subject to specific authorisations by the CNIL. This is notably the case with information processing in the social area where confidentiality is essential, such as "children at risk" information processing. Only authorised people can access specific information.
With digital transformation, local communities manage more and more personal data but how many of them actually know exactly who has access to what?

Controls performed by the CNIL show that many local communities do not comply with some basic rules of the Information Technology, Data Files and Civil Liberties law. In most cases this is the result of unawareness or carelessness, but the infringements are nonetheless real. "Decision makers and local officials must be aware of this because they are directly impacted in case of non-compliance with the law: they can be held legally liable. In some cases, they can even be subject to penal sanctions (a 5-year imprisonment sentence and a €3,000.000 fine)", says Hervé Fortin, CISO and Information Technology and Liberties correspondent for the Aisne department.

Strong authentication, a guarantee of compliance with the CNIL regulatory framework

To meet these strengthened regulatory constraints, access control and security must remain the priority of local communities.

"Strengthening authentication mechanisms and access control rules for Information System applications helps prevent breaches and fraud", Thierry Bettini explains. It is therefore essential to provide several authentication mechanisms, with n factors ("what I know", "what I have", "what I am"), chosen according to usage (for example, some agents may use smart cards, others USB keys, etc.) and to the criticality level of the applications used. Packaged solutions already offered by integrators and software providers address these issues efficiently.

Once the agent is authenticated, it is possible to control access rights according to various criteria such as the primary authentication level (n factors), timeframe, user profile retrieved in a company directory, etc.

In addition, "authentication, authorisation and delegation operations concerning agents must be traced in order to properly comply with the legislation in force and meet auditing requirements".
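As an added illustration (not Ilex's code or product), the three criteria above can be combined into a single access decision that is traced whether it is granted or refused, with the "children at risk" processing from the previous section as the protected application. The factor mapping, agent names, roles and timeframe are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Authentication means grouped by the three factor categories named in the article.
# The mapping itself is constructed for this example.
FACTOR_KINDS = {"password": "know", "smartcard": "have",
                "usb_key": "have", "fingerprint": "am"}


@dataclass
class Session:
    agent: str
    factors: tuple          # means used at primary authentication
    roles: frozenset        # profile retrieved from the directory

    @property
    def level(self) -> int:
        # n = distinct factor categories: a smart card plus a USB key is still n=1
        return len({FACTOR_KINDS[f] for f in self.factors})


@dataclass
class AppPolicy:
    name: str
    min_level: int          # required number of factor categories
    allowed_roles: frozenset
    window: tuple           # ("HH:MM", "HH:MM") permitted timeframe


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def authorise(session: Session, policy: AppPolicy, now_iso: str, log: AuditLog):
    """Decide access from level, profile and timeframe; trace every decision."""
    now = datetime.fromisoformat(now_iso)
    if session.level < policy.min_level:
        reason = f"authentication level {session.level} below required {policy.min_level}"
    elif not (session.roles & policy.allowed_roles):
        reason = "no authorised profile for this application"
    elif not (policy.window[0] <= now.strftime("%H:%M") <= policy.window[1]):
        reason = "outside permitted timeframe"
    else:
        reason = "ok"
    granted = reason == "ok"
    # Denials are traced too: auditors need refused attempts as well as grants.
    log.entries.append({"ts": now_iso, "agent": session.agent, "app": policy.name,
                        "level": session.level, "granted": granted, "reason": reason})
    return granted, reason
```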

The CIO/CISO of a local community needs to homogenise and strengthen authentication on the applications for which he or she controls and tracks access. He or she will then have no legal penalty to fear regarding the confidentiality of the data processed within the community.

"Whatever their size, all local communities are concerned", Hervé Fortin concludes. However, not all of them realise the commitment they make by declaring that they are compliant with legislation, nor the risks they take in case of a CNIL control. Awareness about legal obligations needs to rise as in other sectors (for example, the banking sector) in order to make access management a real priority.

2 April 2015

Digital transformation in the retail sector, security serving customer relationship

By Fabrice Bérose, Account Manager

In the age of connected objects, social networks, smartphones and new consumer behaviours, no one can ignore the digital transformation which impacts all business sectors, and the retail area in particular.

Consumers are eager for new services, new experiences and innovations. This has an impact on the company's sales strategy, and this new business model cannot be ignored. The Information System Department is thus in the limelight and must be able to support the company's strategic challenges. Solutions meeting both consumer and business expectations must be provided, without ignoring security or the increasing and omnipresent threats.

New consumer behaviours

Connected TVs, tablets and smartphones are no longer restricted to a handful of enthusiasts. New technologies have become more accessible and are now part of our daily lives. The average French household is equipped with 5 to 6 screens, more than 80% of homes have broadband Internet access, and everything moves faster. These new technologies have fostered new consumer behaviours and have deeply changed the customer relationship.

With technology, consumers expect immediate responses to their requests; they want a close dialogue and customised, modern services. Mass marketing is over: consumers assert their individuality and freedom of choice. In a highly competitive sector, customers who do not get answers to their questions are lost customers. Indeed, 32% of buyers who do not find a product in a store buy it on the Internet.

Companies with an image in line with the times, and which make a difference, have already adopted a "Web-to-store... to Web" approach. If customers do their shopping on the Internet, then why not bring the Internet into the store?

The Information System Department at the heart of the digital transformation

In this context, it is easy to understand that digital technology is an unavoidable growth factor. However, using new technologies to generate business is not just a statement, this needs to be built. Although the issues are indeed strategic, the challenge is above all technical.

Take the case of a retailer willing to facilitate the online purchase process. Solutions to simplify online registration exist with no impact on the consumer's information security.

Many stores provide social authentication via Identity Federation mechanisms. The principle is that once consumers are authenticated to a social network, they can directly access these stores' sites and contents, without having to create a new user account. Thus, the "acquisition" process is smoother and the risk of losing the consumers who are reluctant to proceed with another online registration is significantly limited.

Beyond simplifying consumers' lives, relying on social networks (which are great sources of information for marketing departments) helps retailers customise the contents and offerings intended for the customer. Searching for information is not enough: it must be extracted, deeply analysed and sorted. There are so many communication channels that the volume of information explodes. In the age of connected watches, bracelets, clothes and other connected objects, the retailer must be equipped to make the most of this increasing traceability. The customer relationship is thus prioritised, targeted and more efficient.

Digital transformation does not only concern online consumers. Retailers must understand that sales assistant mobility is a strategic business challenge, which optimises personnel efficiency and customer experience.

Why not democratise tablets for sales assistants in order to help customers all along their shopping trip? Sales assistants could pick up a tablet configured in "kiosk mode" at strategic locations in the store and then unlock it by presenting their badge to a secured terminal. They would then automatically and safely access their personal work session and all their business applications, without having to enter their password. Far from being a futuristic scenario, this experience is already possible. A modern store, mobile sales assistants and optimised quality of service: the store of tomorrow has already opened.

These are only examples, but new technologies offer many opportunities to improve the customer relationship and business development. The Information System Department must remain at the heart of the corporate digital transformation in order to support the company securely and as well as possible. In a highly competitive context, companies that take the digital turn with a smart and methodical approach create significant growth levers. In digital transformation, assisting employees, and certain reluctant consumers, through change is critical. In this area, the most successful companies (Décathlon, Boulanger, Leroy Merlin or Darty) are those that have a perfect grasp of increasingly hybrid consumer practices and their impact on the sales business.