U got bare Twitter skillz #respect

Posted by Audit Advisory on 17/03/2014 at 1:41 PM in Risk, Security, Social Media

Tapping into digital channels to advertise, market, sell and provide customer care is far from new terrain for many companies.

I’m sure you couldn’t have missed the latest viral buzz around Argos’ truly unique response to a customer query over Twitter. The well-known retailer showed it was ‘down with the kids’ with its innovative reply, and its tweets went viral in a matter of hours.

This simple but effective method of customer interaction is a clear example of how organisations benefit from tailoring their service to each individual customer. Receiving a personalised experience is highly valued by customers; it gives a sense of exclusivity and can be a huge driver of brand loyalty.

Click here to view this story on the Huffington Post.

Are you sitting on a pile of money?

Posted by Audit Advisory on 24/02/2014 at 12:10 PM in Finance Transformation, Financial Services

For businesses both large and small, access to short- and long-term working capital can often be a challenge. Our recent study showed that UK companies were sitting on £69 billion of excess working capital in financial year 2012, equivalent to a free cash injection worth 5% of the total income of the firms analysed.

Typically, excess working capital is tied up in inefficient financial and operational processes. The effective management of working capital can easily be overlooked, especially when the organisation’s focus is on generating new growth. However, this could be a good opportunity to focus on managing basic processes and perhaps free up some cash for investment. Last year’s increase in working capital is partly due to a shortening of supplier payment periods, as well as being a by-product of growth. Our study found that unlocking the excess working capital would be the cheapest source of finance to protect or grow shareholder value, cheaper than a bank loan or raising debt or equity.

Companies in the UK are becoming less efficient in the cash conversion cycle*, with small businesses (annual turnover of less than £300m) deteriorating at the fastest rate. The report highlights that 68% of cash is held by the top 11% of UK companies, a group able to negotiate terms in their favour with smaller suppliers.

There are a range of process efficiencies, financial instruments or ways of outsourcing available to address this problem, without damaging relationships with suppliers. By using demand forecasting and effective planning techniques, it is possible for cash to be freed to use elsewhere. Streamlining excess working capital will enable UK businesses to take advantage of the economic recovery.

*Cash conversion cycle refers to the number of days that it takes from disbursing cash to collecting cash

David Lock

David is a Senior Manager in Deloitte’s Finance Transformation practice. He has over 20 years’ experience of working with senior management teams to achieve the sustainable release of cash from working capital.

Social Business: do you have the operational capability to back it up?

Posted by Audit Advisory on 3/02/2014 at 2:19 PM in Digital Governance, Risk, Social Media


In an increasingly digital era many organisations face a daunting challenge – how to compete in a socially powered world. When used effectively, social media can provide businesses with a great opportunity to engage with a large audience, build client relationships and drive brand affinity. Whilst many organisations may have been slow to embrace this phenomenon, the pace is definitely accelerating.

One of our recent surveys shows that only 33% of respondents say social business is important to their organisation today – a clear sign that UK plc is still testing the social media waters. However, 74% of organisations believe that social business will be more important in 2016. This is a more encouraging figure, but it also highlights that some organisations still doubt the value it can provide.

When organisations are faced with the task of implementing a social business strategy they can often encounter several barriers to widespread adoption – a key barrier being lack of operational capability.

What are some of the key operational challenges that are being faced today?

1. Tracking your social media: Understanding your social presence is important, not only from an operational standpoint but also from a legal and regulatory standpoint. Building a single view of your social activity requires the implementation of the right processes and supporting technology from the outset.

2. Managing multiple accounts: As organisations expand their social media landscape, especially with the emergence of new platforms, there is increasing complexity in managing multiple accounts used internally by employees and externally by third-party agencies.

3. Keeping records: Content posted on social media sites can legitimately be presented and used in a court of law. It is important that organisations build mechanisms to archive their content and make it easily accessible when needed; this may even include user-generated content.

4. Multiple layers of approval: A number of organisations impose various internal approval stages before any content can be shared on a social platform. These approvals are normally perceived as barriers to achieving the desired outcome, but despite this there is a need to develop a risk-based model. The right process can not only reduce the cost of compliance, but can also augment the overall engagement strategy by allowing appropriate and timely activity.

5. Consistent application of policy: The diverse and dynamic nature of the social media landscape adds complexity to the management of various platforms. Applying a single set of rules to all of these platforms is not practical and could lead to non-compliance or even failure in some cases.

Key questions to ask within your organisation:

Are you able to fully define your social presence? How many stakeholders have access to your social media accounts? Does your current governance policy support or impede the use of social media?

Gagan Arora

Gagan is a Senior Manager specialising in governance and risk management in IT, business and digital transformations. He specialises in the implementation of governance structures over internet based channels including Social Media and Mobile Applications.

From Sparta to Cyber Space

Posted by Audit Advisory on 14/11/2013 at 1:29 PM in Big Data, Controls, Cyber, Data, Data Protection, Privacy, Risk, Security, Social Media

Asymmetric warfare isn't new. It has a long history, from when 300 Spartans held Xerxes' Persian army of more than 100,000 in 480 BC, right through to the modern day. You might even argue that Odysseus and the Trojan horse in the 12th century BC qualifies as the earliest example. All very interesting - but what is the relevance to modern business?

Cyber attacks - the similarities are striking. Often small groups of highly focused and motivated attackers, with little in the way of hierarchy or command and control, take full advantage of the anonymity, flexibility, agility and rapid response offered by modern technology. Cyber attacks also share the latest trait of asymmetric warfare: they are global, both in origin and in effect.

Looking back through history can provide two insights for businesses faced with cyber attacks.

The first is that brute force, throwing masses of resources and technology at the problem, has only a limited effect on its own. As you increase your cost and effort, the return diminishes, ultimately becoming counter-productive and sapping vital resources. Instead, a careful, considered and proportional deployment acts both as a deterrent and as a sustainable first line of defence. Back in ancient Greece the Spartans made the best possible use of their forces: with only 300 men they had to fight a defensive battle rather than a decisive one. This plan worked to their advantage, as they were able to move quickly, defend multiple constricted passages and tactically block the narrow passes.

The second is that intelligence-led operations prove to be among the most effective methods of detecting and nullifying the enemy. Although they had a small army, the Spartans had greater knowledge of the battlefield; they knew their enemies' weaknesses and were able to exploit them. In network defence terms, this is the logging, monitoring and threat surveillance that comes from capturing and analysing the traffic on your network. Just like intelligence work in the world of spies, it is painstaking, methodical and frequently boring, but it requires a highly skilled human touch. You need the relevant tools tuned to your business and skilled operators to run them. While it may appear expensive in cash terms, it is one of the few means of taking a proactive stance against cyber attackers. The reactive and often more expensive alternative is a phone call in the early hours telling you "we have a problem".

The analogy between cyber attacks and warfare is not perfect; there is a crucial difference: the adversary is vulnerable too. Not all cyber attackers have access to large resources and sophisticated technology; many rely only on weaknesses in organisations. There are known defences which, if applied carefully and rigorously, will deter, detect or defeat the vast majority of common attacks. The SANS Top 20 Critical Security Controls is one such collection of proven practices: developed globally, published freely and applicable across all industries.

The situation might appear overwhelming, but there are tactics and strategies which can help you turn the tables, and can even the odds. From Xerxes to the World Wars, the massed hordes have been held back by the few. Asymmetry works both ways if you choose your battle carefully. 

Gary McCloskey

Gary is a manager in Deloitte’s Security practice. He works with clients to understand the threats they face, and to reduce them through proportionate effective changes in culture and practice. Gary also works with multi-disciplinary teams to investigate, control, and help clients return to business as usual following cyber incidents, data breaches and attacks.


Bring in the good guys...Penetration testers

Posted by Audit Advisory on 18/10/2013 at 4:03 PM in Cyber, Data Protection, Privacy, Risk, Security

Companies spend plenty of time, effort and money protecting their networks from hackers. Firewalls, Intrusion Detection and Prevention Systems (IDPS) or security gateways are commonly used to protect the connection points between internal networks and the internet.

However, despite all these protections, networks can still be breached. In April 2011, Sony revealed that its network had been hacked, exposing the personal details of 77 million PlayStation Network users, including names, dates of birth, e-mail addresses, passwords and credit card numbers.

Unpatched server software played a part, as did a custom firmware release (Rebug) that effectively turned the PS3 console into a developer kit, activating a number of features users could not normally access. Most importantly, the firmware gave trusted access to Sony’s internal developer network. Hackers exploited this to access and pull information from the customer details database – 77 million customer accounts compromised.

With one of the biggest data breaches in history, how do companies ensure these attacks do not happen to them and they are safe from the bad guys? I suppose they could call on the good guys pretending to be the bad guys…penetration testers (aka “white hats” or ethical hackers).

Penetration testing is normally conducted as a service to clients by mimicking the types of attack performed by malicious hackers, using the same tools and techniques. The aim isn't simply to break through an organisation's defences, but to identify the depth and breadth of its vulnerabilities.

Network infrastructure penetration testing focuses on performing attack simulations or exploitation against clients’ networks and systems in order to find those vulnerabilities. Testing also requires explicit, written authorisation from the owner of the target systems, with the scope agreed in advance; without it, exactly the same activity is simply illegal hacking.

With network breaches on the rise, many companies have realised the importance of security, and have incorporated penetration testing activities as part of their information security strategy. The results from these tests and guidance will help companies to better protect their networks (or sensitive data) and prevent them from falling into the wrong hands.

Yeo Bon Wan

Yeo Bon is a Consultant in Deloitte’s Security & Testing practice working within the Cyber Intelligence Centre. Yeo Bon specialises in ethical hacking, focusing on network infrastructure and web application penetration testing.

Wireless: The coffee shop corporate LAN

Posted by Audit Advisory on 30/07/2013 at 10:41 AM in Cyber, Enterprise Risk Services, Risk, Security

Wireless networks are growing more and more numerous, and the corporate landscape is no exception. The convenience offered by a laptop or mobile device together with WiFi connectivity to the corporate infrastructure allows employees more flexibility around the office than ever before.

However, the pervasive nature of a wireless signal means it can be available in places you would never dream of rolling-out your wired network. From an attacker's point of view that's one of the most appealing things about WiFi.

The hurdle of gaining physical access is removed, replaced by the far more alluring prospect of attempting a breach from the comfort of the coffee shop next door. If network traffic is permitted between the wireless segment and the corporate LAN, the attacker may even consider getting a loyalty card.

One of the latest methods of attempting to breach wireless networks (even those operating strong encryption protocols with long passphrases) comes via the WiFi Protected Setup (WPS) functionality offered by newer access points. WPS is designed to make associating wireless devices with routers more consumer friendly. WPS supports a number of association models, but the one of most interest to an attacker is the PIN-only method. The WPS PIN is 8 digits long, and entering it correctly leads to an association being established between the device and the router, with the router then transmitting the network credentials (the WPA/WPA2 passphrase) required for successful authentication.

In late 2011, it was revealed that the WPS implementation was flawed, dramatically reducing its resistance to what’s known as a brute force attack. This attack attempts all possible combinations of the PIN, eventually guessing the correct one. It was shown that wireless routers typically split the validation of the PIN into two steps, rejecting a request as soon as the first 4 digits are found to be incorrect, and the response the router sends tells the attacker which half failed (in protocol terms, a failure after message M4 means the first half was wrong; a failure after M6 means the second half was). This lets an attacker work on the first 4 digits alone and, once those are confirmed, on the remaining 4. Further to this, the last digit of the WPS PIN is a checksum – a validation digit designed to catch mistyped PINs. This reduces the unknown part of the second half to only 3 digits, as the checksum digit can be calculated by the attacker for each candidate.

As a result, the attacker needs at most 11,000 attempts (10^4 followed by 10^3) to recover the whole PIN. Given that the attacker has to wait for a success or failure message from the router after each attempt (around 1.3 seconds each), it would take over 4 years to complete the attack had the 8-digit PIN been validated as a whole (10^8, or 100,000,000 combinations). At 11,000 attempts the worst case is less than 4 hours, and on average about half that. Some access points rate-limit or temporarily lock WPS after a run of failures, which slows the attack down but does not remove the underlying weakness.
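The search-space reduction described above, as an added worked example in Python that is not code from the original post: it simulates an access point that validates the PIN in two halves, computes the WPS check digit for any 7-digit prefix, and counts how many submissions the split attack needs against a PIN of the reader's choosing. The `Registrar` class, the `NACK_M4`/`NACK_M6`/`OK` labels for the attacker-visible outcomes and the 1.3-second-per-attempt figure are assumptions modelled on the post's description; nothing here touches a radio.

```python
"""Worked example of the WPS PIN search-space collapse (10^8 -> 10^4 + 10^3).

Added illustration only. Registrar is a stand-in for an access point with the
flawed two-stage validation; no real WPS traffic is generated.
"""

# Attacker-distinguishable outcomes of one PIN submission (assumed labels):
# a NACK after M4 means the first four digits were wrong, a NACK after M6
# means the last four were wrong, OK means the whole PIN was accepted.
NACK_M4, NACK_M6, OK = "NACK_M4", "NACK_M6", "OK"
SECONDS_PER_ATTEMPT = 1.3  # round-trip figure quoted in the post


def wps_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit WPS PIN prefix.

    Digits are weighted 3,1,3,1,... counting from the right, and the check
    digit brings the weighted sum to a multiple of 10.
    """
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class Registrar:
    """Simulated access point that checks the PIN one half at a time."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("not a well-formed WPS PIN")
        self._pin = pin
        self.attempts = 0  # how many submissions the attacker has made

    def submit(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return NACK_M4  # fails early: leaks that the first half is wrong
        if pin[4:] != self._pin[4:]:
            return NACK_M6  # first half confirmed, second half wrong
        return OK


def split_brute_force(ap: Registrar) -> str:
    """Recover the PIN via the M4/M6 oracle in at most 10^4 + 10^3 submissions."""
    first = None
    for a in range(10_000):
        guess = f"{a:04d}0000"  # second half is irrelevant until M4 passes
        if ap.submit(guess) != NACK_M4:
            first = f"{a:04d}"
            break
    if first is None:
        raise RuntimeError("no first half accepted")
    for b in range(1_000):
        seven = int(first + f"{b:03d}")
        guess = f"{seven:07d}{wps_checksum(seven)}"  # derive the 8th digit
        if ap.submit(guess) == OK:
            return guess
    raise RuntimeError("no second half accepted")


def worst_case_seconds(split_validation: bool) -> float:
    """Attack time ceiling for the flawed (split) vs. whole-PIN validation."""
    attempts = 10**4 + 10**3 if split_validation else 10**8
    return attempts * SECONDS_PER_ATTEMPT


if __name__ == "__main__":
    ap = Registrar("12345670")  # arbitrary well-formed PIN, chosen for the demo
    print("recovered", split_brute_force(ap), "in", ap.attempts, "attempts")
    print("whole-PIN worst case:", worst_case_seconds(False) / (365.25 * 86400), "years")
    print("split worst case:", worst_case_seconds(True) / 3600, "hours")
```

Choosing "99999995" as the target PIN exercises the true worst case, exactly 11,000 submissions; any other PIN finishes sooner because each phase stops as soon as its half is confirmed.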

The recommendation from suppliers is to disable WPS or upgrade to a firmware version that addresses this issue. That said, even after plugging this hole and using strong encryption and passphrases, nothing stops an attacker from setting up rogue access points for unsuspecting users to connect to, or from sending de-authentication packets to devices they wish to knock off a given network. These attacks can be used to gather information such as login credentials, useful for attacks against individuals directly or against companies, by posing as legitimate users.

It is clear that while wireless networks have grown in popularity, their accessibility requires appropriate segregation to be in place. The protective measures surrounding wireless networks need to be as strong as, if not stronger than, those of their Ethernet cousins. Once the physical walls are stripped away, a strong configuration is all that is left.

Stuart Gleave
Stuart is a Consultant within Audit Advisory, specialising in ethical hacking. Stuart is experienced in both remote and onsite penetration tests, and has a keen interest in the vulnerabilities affecting wireless communications.

How can CFOs balance the risk-return equation?

Posted by Audit Advisory on 3/07/2013 at 4:54 PM in Finance Transformation, Risk

CFOs can use risk-adjusted forecasting and planning to protect and enhance value, boost confidence, and manage risk.

Financial forecasts and plans carry a lot of weight in the business world. But how much confidence do companies and CFOs really have in their forward-looking numbers, especially in a business environment that is increasingly complex, uncertain and risky?

Are you in a world of best guesses?

Click here to keep reading.

Nick Pope
Director, Strategic Risk, Risk Advisory Services
Nick has over 10 years of consulting experience, with extensive expertise in the development and implementation of risk management frameworks at enterprise, risk type and programme level for companies across a number of industries.


Analytics in Sports #4 – No such thing as a bad idea

Posted by Audit Advisory on 18/06/2013 at 3:30 PM in Big Data, Data, Data Analytics

An inevitable consequence of opening up access to insight for all will be the generation of many more ideas. With greater understanding of the facts and strong evidence will come a greater resolve to take action that drives change. For some, this could be seen as a managerial nightmare, the opening of a Pandora’s box of feisty, bee-in-the-bonnet employees looking to do something different.

But this wasn’t the case for Peter King when he was running British Cycling. For him, a broad funnel of ideas was the starting point for finding that extra 1% which could be the difference in winning another gold medal. “We’ve tried all sorts of random and bizarre ideas because we are not sure what’s going to happen until you’ve analysed it properly. It’s a continuous process, we probably shelve as many ideas as we actually use, and sometimes you have no guarantee that what you are doing is making a difference.”

This tells us something about the management style required to foster this success: trusting, supportive, and open to ideas from others. Evidence has a way of making this trust easier to give (where the facts are indisputable), but the leap of faith that some organisations might be required to take should not be underestimated. And it is a leap of faith that will no doubt have its detractors.

Peter King: “Our secret squirrel department, the team that now sits under the Director of Marginal Gains, had the job of coming up with lots of potential ways to improve and testing them.  I think at the start of this approach, a huge number of people thought we didn’t know what we were doing and the old ways would eventually prove to be the best way. We stuck with it, we evolved a plan for Sydney 2000 and because we started to see success, people started to accept the approach.”

Peter King also points to the culture of constantly striving for success that underpinned this empowerment and the desire to investigate lots of seemingly bizarre ideas. In many ways, he is saying that a business can’t afford not to investigate a broad funnel of ideas: “What happens in business is people do not spend enough time asking why they do things a certain way. However successful we might be, we never stopped looking for the next opportunity to improve. The reason we could repeat our 2008 Beijing Olympic success in London 2012 was because we didn’t stand still. We knew people would catch up with us so we had to move on. We had to analyse everything we did in Beijing and work out how it could be improved”.

David Blackwell
David is a Partner in Deloitte’s Enterprise Risk Services practice specialising in data analytics, data management and cyber security. David has worked with many of the UK and Europe’s leading Telecoms organisations, and has deep expertise in helping them secure, manage and derive insight from their data.

ECO – Too good to be true?

Posted by Audit Advisory on 29/05/2013 at 3:47 PM in Data, Data Analytics, Enterprise Risk Services, Risk

The Energy Company Obligation (ECO), launched in January, is the latest UK Government initiative (alongside the Green Deal) through which the Government requires energy utilities to promote actions that will drive reductions in carbon emissions and energy consumption. It is hoped it will help deliver enhanced security of supply and combat fuel poverty for more vulnerable consumers.

ECO is made up of three separate measures, all of which are assessed through the following outcomes:

  • Carbon Emissions Reduction Obligation targeting carbon savings
  • Carbon Savings Community Obligation also targeting carbon savings
  • Home Heating Cost Reduction Obligation which targets reductions in heating costs.

The government estimates that implementing the scheme will cost suppliers £1.3bn/year – this is one of the government environment schemes referred to by many utilities when explaining key drivers for price rises.

Although the scheme is arguably more complex than the previous CERT/CESP schemes, and the specific measures that will be taken differ, CERT/CESP nonetheless provide some useful context. Fundamentally, both schemes boil down to the utility companies identifying and persuading suitable customers to install energy-saving measures on a partly or fully subsidised basis.

ECO is focused primarily on deprived customers and areas, and on those measures that don’t meet the Green Deal ‘Golden Rule’, so suppliers need to work out how to promote ECO in a way that increases take-up. They can take many learning points from suppliers to the CERT programme.

During CERT, the Department of Energy and Climate Change published research into its delivery and take-up. It identified one ideal element of a successful delivery route as “active promotion of an offer within a small geographical area”. This, of course, poses the question of how to identify such areas. I think there are three key considerations:

  • Customer – at the most basic level the customer needs to qualify under the ECO requirements. Attracting people to use the scheme is not necessarily dependent on suppliers targeting their own eligible customers; however, these are obviously the most easily identifiable targets.
  • Property – another important element is the information available on the different property characteristics of an area. There are 27 separate measures available, but not all will be valid for a given property – a simple example being solid wall insulation, which of course requires solid wall construction! Some housing stock data is directly available (e.g. the percentage of solid-wall houses) and further insights can be inferred from other data; for example, property age can be used to estimate the potential for boiler replacement based on typical boiler working lives.
  • Impact – using information on energy consumption, either from the utility company’s own customer data or from publicly available statistics, an estimate can be made of the potential benefit of different measures when combined with the customer and property data above.

Making some assumptions about typical installation costs, limits on installable measures due to workforce constraints, and the required obligations themselves, the savvy utility company can then use optimisation techniques to identify how many measures, and which, to target at individual areas. This provides a clear, data-driven plan to achieve the obligations, with good visibility of both how stretching that plan is and the likely associated costs.

Fundamentally the question utilities should be asking is not whether they can deliver ECO, but how can it be done efficiently?  I would argue that the answer lies, at least in part, in the power of analytics.  More on that next time.

Andrew Waghorn
Andrew is a Director in Deloitte’s Enterprise Risk Services Practice, focusing on the Energy and Resources sector within the Analytics team. Andrew has over 11 years’ professional experience working within the utilities sector to analyse and drive value from data across the value chain, including billing-to-settlement reconciliation and resolution, unbilled revenue, payment scheme calculation and management, investigation of billing system performance, meter read management and utilisation, and pricing and tariffs.


Analytics in Sports #3 – Getting your data in one place

Posted by Audit Advisory on 24/05/2013 at 12:51 PM in Big Data, Data, Data Analytics, Enterprise Risk Services

Sam Allardyce recounted a humorous tale which reinforced how important it is to have the right facts and figures at your disposal, and the importance of controls in establishing a trustworthy dataset.

During pre-season training Allardyce allowed a certain player who was not living near the club to perform some training sessions at home, saving him a lengthy commute and (theoretically at least) improving his wellbeing. To ensure that he was indeed training and to allow progress to be monitored, the player was provided with a GPS and heart rate monitor to track his movement and the intensity of his efforts (a foundation for data-driven analysis).

When the player returned for training sessions at the club, his statistics didn’t come close to matching the very impressive readings from his GPS and heart rate monitors. Whilst initially this was put down to a glitch, it was a pattern that continued throughout the pre-season. When Allardyce confronted the player to find out what was going on with his home-based training regime, it turned out that the player had (somewhat creatively) strapped the monitors to his dog and sent him out for a run around the local park.

This highlights the challenge of maintaining data integrity where humans are involved. We make mistakes, we cut corners; like water, we find the path of least resistance to the outcome on which we are measured. If that means creating a new customer called Mr. Mickey Mouse (rather than searching an antiquated database to find his real name and address) in order to get a sales commission, or indeed strapping a GPS monitor to a dog, then chances are we will do it. The control lesson is that a measurement you cannot verify independently is only as trustworthy as the person being measured.

Another significant challenge for many organisations when trying to become more data driven is the need to get data into one place so that it can be analysed.  There are two parts to this problem:

• Firstly, ensuring that analysis is conducted with the whole picture in mind. To a certain extent this mirrors the point made in the previous blog, namely that organisations need a model to explain what they are trying to understand and improve, and it is the model which dictates which data need to be integrated.
• But even with a model in place, all the component parts need to come together. It is of little use if, having decomposed a problem into measurable components, you do not re-integrate the findings from those components to paint the whole picture.

As Peter King explains of British Cycling: “A while ago we adopted an approach picked up from NHS. Our equivalent of their patient-centric care is being athlete-centric in our analysis. Anyone with input to an athlete’s success would regularly meet and talk through their needs and ideas. They would all put together their best view of what would be best for that particular athlete”.

Through this athlete-centric approach, which integrated all analysis, cycling was able to make significant changes that would not have been spotted had divisions remained discrete. A good example: making sure that the cyclist and the bike are assessed as a single entity. Seemingly obvious, but it had not always been the case: “For a long time it was considered that narrowing the bike was the best way to streamline it. We spent a lot of time in wind tunnels over the years and probably do it better than most. But before the London 2012 Olympic Games we looked completely differently at how the front forks work with the wind. We realised that if you made them much wider they would actually create an airflow over the legs and body parts of the cyclists which makes the whole more aerodynamically efficient. Designed not to be efficient in their own right, but work perfectly when combined.”

As such, cycling avoided the silos of analysis that curse so many businesses, creating a focus on the end goal which brought all components together.

But Dr. Marco Cardinale points out that not all coaches or clubs have managed to overcome this challenge: “[Data integration] is still a big challenge in the world of sport. Lots of people collect data in different places. In a typical football club, a sport scientist will have data generated by different data capture systems and formats and the medical team and performance analysts will be using separate systems and not integrating. The data is not in the same place and cannot be interrogated properly”.

David Blackwell
David is a Partner in Deloitte’s Enterprise Risk Services practice specialising in data analytics, data management and cyber security. David has worked with many of the UK and Europe’s leading Telecoms organisations, and has deep expertise in helping them secure, manage and derive insight from their data.