Archive for ‘Business Technology’

December 11, 2021

Don’t Wait for Scammers – Inoculate Your People First

At the time of writing we are heading into Christmas, we’ve just started the traffic light system, we are getting our vaccine passports, and there are new variants of Covid spreading. Spammers and scammers take advantage of events like these (and the confusion and anxiety that comes with them) to rip us off. So do something about it before the spam hits!

If you watch the security news like I do, you’ll know that spammers and phishing gangs quickly adapt their messages and techniques to the latest events. Because their whole modus operandi is to take advantage of fear, people’s better impulses and the urgency of disasters, they quickly seize the opportunity when events occur that generate any of these moods in the public. They change what the message is about, they change the appeals (this one is fear, this one is our charitable impulses), but they don’t fundamentally change what they are after: money, identity information, credentials.

In the aftermath of the Christchurch massacre spammers sent emails pretending to be from charities requesting urgent funding. When the US government announced a programme of Covid-19 financial aid, spammers sent emails pretending to be from the government with links to apply for assistance: just provide all your identity details and you’d get your money…oops no you wouldn’t! Every Christmas there are parcel collection scams.

Most organisations I’ve been part of see these messages (usually from diligent staff reporting them) and then issue reactive comms: “We’ve seen spammers sending emails about this: beware!”

But why do they wait? We all know that this will happen after a major event. So be proactive. Use our common sense. Warn our people before they get the first email, before the first person clicks on that link. When we get the message out before the bad guys do, we cut down the chance that someone will be fooled by the first email, and we cut down the chance that our people or our organisation will suffer.

It is easier if you have some things in place that you can quickly turn to when one of these events occurs. Here are some things that I do, and that you might find useful too:

  1. Have an action plan in place. Know what you will do when a major event happens.
  2. Have templated comms ready. Something that you can update for the specific circumstances. A blog post ready to go. An intranet news article, an all staff email. Coordinate this with any messaging or actions that your service desk or frontline staff will need. 
  3. Know which channels you are going to use.
  4. Know who is going to send which messages.
  5. Tailor the advice to the specific event – don’t just send generic advice about spam and phishing.
  6. Remind staff of previous advice and training (what they’ve been told in awareness courses, other campaigns)
  7. Be aware that many of these campaigns will be aimed at staff from a personal perspective (they won’t just be looking to gain enterprise credentials, they may be trying to get personal credentials, or scam money off staff). While this isn’t our accountability, show some compassion, and maybe win some brownie points.

Do some of these things and you might just get ahead of the scammers – at least this time.

September 13, 2020

What is Architecture Exactly?

In the past I’ve seen people present to me a list of technologies and tell me “Here’s the architecture of our solution.” But, in my opinion a solution architecture is no more a list of the technologies used than the architecture of a building is a list of the materials that it is made of.

Once I’ve expressed this opinion, I’m sometimes asked “So, what is an architecture?” Or, “What does an architecture look like?” Or, more pointedly “So, what do you think an architecture is?” My answer to this question has evolved over time (and continues to evolve). Here’s my current answer.

If I think about what we are trying to achieve with IT architecture it is a coherent, consistent and effective approach to the delivery of technology change. So, for me an architecture is the set of deliverables that help us achieve that.

When a building architect is explaining an architecture of a building they talk about the people who will use the building, and what they will use it for, the considerations (functional, structural and aesthetic) that determine or constrain the choice of materials, the arrangement of space. So, by analogy, an IT architecture needs to explicitly describe what the business is trying to achieve from its solution and then how the selected arrangement of technology capabilities (products etc.) delivers on that.

I find the IEC/IEEE standard on architecture (42010) quite helpful. It talks about an architecture including multiple views which describe the system from the viewpoints of different stakeholders – taking into account their different concerns. The view of a system from a user’s perspective is often very different from that of a senior manager, or someone tasked with supporting and maintaining that system. An architecture needs to take that into account and show how it is addressing these different concerns.

So, practically speaking, what do I think architecture documentation should include?

  • It should include a description of the components of a solution and how they interact or integrate together. It needs to specify what each component contributes to the solution in terms of functionality that the solution needs (or, put another way, which requirements the component delivers on).
  • In the case of a solution that uses cloud platforms, it should include a description of which services are used and what those services are used for – the role they play in the solution.
  • For me it is the choice, arrangement and integration of components – not the internals of the components.
  • It should include a description of who interacts with the system – and what they see and interact with.
  • It should describe the trade-offs made between the different stakeholder concerns – where we have compromised on the ease of maintaining the solution to improve the usability for example, or vice versa.
  • I also want to understand how this solution contributes to (or hinders) attempts to increase consistency and coherence of the business and the technology landscape (by analogy think about how the architecture of a building is consistent with the character and planning restrictions of a zone, a district plan, a neighbourhood).

This is different, of course, from the question (and problem and answer) of what an architect does. How do we produce one of these? More on this later…

October 27, 2015

A Presentation on ICT for Lawyers

This post is a summary of a presentation I gave to a group of lawyers on ICT fundamentals. It represents my own opinion, and not that of my employers or anyone else! I apologise for it being so wordy – but a lot of material was covered.

My presentation walked through some fundamental concepts in ICT, some major trends that are shaping ICT, and how ICT organisations are evolving. The aim is to give a plain English summary to allow ICT lawyers to have sensible conversations about ICT to support the work that they do with ICT professionals. In my view ICT may be hard to do, but it is not hard to understand. At the end of each topic I will include my own personal view.


November 5, 2013

NZ Government Announces Desktop as a Service

Exciting news (for me anyway)! Last Friday, November 1 2013, the New Zealand Government Chief Information Officer (Colin MacDonald, Chief Executive of the Department of Internal Affairs) announced that the New Zealand government had negotiated contracts for the supply of Desktop as a Service (DaaS). 


October 23, 2013

What Is the Difference Between Privacy and Security?

When talking with people about privacy and information security I often come across a common misconception – that there is nothing more to privacy than security, or that the two are roughly the same. In particular this often comes up in discussions around the use of cloud services where people seem to think that if they address security issues with cloud services, then there is nothing more to do from a privacy perspective.


October 21, 2013

Big News in Virtual Desktops: VMware Acquires Desktone

The big news, from my point of view, from VMworld in Barcelona was the announcement that VMware has acquired the Desktop-as-a-Service (DaaS) vendor Desktone. VMware is probably the leading vendor for enterprise virtual desktop technology (i.e. virtual desktop infrastructure or VDI – with their Horizon product line) – though Citrix might dispute this. Desktone are the leading provider of DaaS technology for service providers – that is virtual desktops delivered from the cloud on an as-a-Service basis.


October 1, 2013

What Does Cloud Mean For Your Corporate Network?

If you are looking at a significant use of cloud computing, have you considered what this might mean for your network? Corporate networks are an often overlooked factor when thinking about cloud computing. The problem is that cloud computing increases the criticality of your network, because if your network isn’t available then your cloud services aren’t either.


September 26, 2013

Cloud and Consumerisation Have Changed the Desktop Forever

This blog post is sponsored by T-Systems and the Zero Distance community.

Cloud and the consumerisation of IT have irrevocably changed the face of end user computing, and the desktop in particular.


August 21, 2013

Why Do Something Rather Than Nothing?

We are often called on to justify the particular option or path we are taking. We often have good articulate reasons for choosing this option over that one, for why we are taking this particular path, but we are rarely asked to justify why we are doing anything at all. But surely, this is the more important question? Why are we doing something at all? Why are we doing something rather than nothing?


July 4, 2013

What Has Governance Ever Done for Me?

This is basically the question that many project managers ask me when we have a discussion about adhering to governance. They want to know what value their project gets from adhering to governance processes, from generating artefacts for governance gates. The short answer is “none – governance is not something we do for you!”
