Software licensing: Gone are the easy days of counting servers and user numbers

Posted by Audit Advisory on 28/05/2014 at 1:56 PM in Audit Advisory, Contract Risk & Compliance

Too often software licensing gets put on the back burner, falling to the bottom of the to-do list, or delegated for someone else to do. 

However, many CIOs and IT managers wish they’d paid more attention when faced with a software licence audit or the risk of non-compliance.  

Gone are the days of counting servers and user numbers, when metrics were easy to understand and servers came in great pieces of metal. Now it’s a minefield of virtualised and non-virtualised estate, user accesses and different user types. It’s no wonder then that the licensees can be quickly found to be non-compliant.

It’s estimated that an average organisation can drive potential savings of 30% over the software lifecycle, in addition to reducing risk and non-compliance. Just imagine how much you could save in time, resource and budget if you really invested up front in its effective management.

Good knowledge of software licensing, the pitfalls and the opportunities should be front and centre. 

So what needs to be addressed as priority? You need to know what software you own, what software is deployed and most importantly what software you are using. Establishing these key facts can be far more complex to answer than you first think…

Taking a proactive approach to managing your Software Asset Management process puts you on the front foot. Think process, tool and team.

  1. Process – establish a robust process to manage your software licences.
  2. Tool – acquire the best tool to provide the deployment and usage data that you need and to capture your licence entitlement.
  3. Team – employ highly-qualified and motivated people who understand the process and its benefits to the business.

Think about how you can optimise your software investments.

Kristian Park, Partner - Extended Enterprise Risk Management
Kristian leads our Extended Enterprise Risk Management team in the UK and Switzerland. Kristian has over 14 years' experience advising clients in the area of third party risk, including advising them on how to structure their contracts with third parties, supporting them in the creation of third party governance frameworks and assisting them in performing contract compliance projects to assess third party adherence to contractual terms and conditions. Kristian has provided services to clients in the Financial Services, Consumer Business, Technology, Media, Oil and Gas, Energy and Life Sciences industries as well as the Public Sector.

Can you unlock the value of Big Data?

Posted by Audit Advisory on 1/05/2014 at 9:42 AM in Analytics, Audit Advisory, Data, Data Analytics, Risk, Security

Big Data is a hot topic throughout many organisations. We have seen innovative organisations use data in new ways to achieve a significant competitive advantage, in some cases acting as a disruptive force to the traditional business models. Those who don’t keep up may be at a significant disadvantage in the future. Although some organisations are drawing up new strategies to take advantage of the available data and drive business value, many are failing to receive a return on their investment.

Data governance is used to help organisations manage their data, enabling them to extract value through efficiency and insight. In a world of Big Data, the need to implement robust data governance as an essential component is crucial to overcome common failings and leverage the potential of Big Data. There are a number of elements which should be considered as part of this:

Business vision and aligned strategy

True value from Big Data is only achieved by embedding the extracted insight into everyday business decision making. Defining a business vision allows an organisation to focus on identifying its Big Data objectives and the capabilities required to extract insight from its data in support of the business. Making the vision and objectives clear to everyone is critical; without this vision in place, many projects fail to deliver long-term value to the business.

Policies and standards to enforce data quality and security

With insight comes great responsibility. Big Data requires the use of new, detailed data sources that could also be used to identify specific individuals, and this creates a significant data management challenge. The new data sources may also be unstructured and are likely to have data quality issues. Defining policies, standards and processes is essential to ensure that data sets can be accessed, that they are of sufficient quality and that the correct security and privacy controls are in place. The availability and variety of data is only going to increase with the surge of digitisation and the growing number of connected devices, increasing the opportunity but compounding these challenges.

Outline ownership and accountability through roles and responsibilities

Getting the most from these new technologies also means investing in the right skillsets, either through recruitment or training. Too often organisations have focussed on technology without considering the skills needed to extract insight, and have missed the opportunity as a result. Data governance should also set out who is accountable for keeping the projects on track, overcoming obstacles and providing visibility of the value being delivered through reporting.

Setting out the correct Big Data governance will allow an organisation to have a clear vision of what they want to achieve, the required controls in place and the right people and capabilities to help unlock the value of data to stay competitive in this new data age.

Shamil Shah
Shamil is a Manager in our Data Analytics Team, focusing primarily on TMT and Big Data. He has 9 years’ experience working on data projects, including architecting solutions that process large volumes of data to provide business insight. His areas of expertise include copyright infringement, rights and royalties and analysing network data.


U got bare Twitter skillz #respect

Posted by Audit Advisory on 17/03/2014 at 1:41 PM in Risk, Security, Social Media

Tapping into digital channels to advertise, market, sell and provide customer care is far from new terrain for many companies.

I’m sure you couldn’t have missed the latest viral buzz around Argos’ truly unique response to a customer query over Twitter. The well-known retail organisation showed it was ‘down with the kids’ with its innovative response, with their tweets going viral in a matter of hours.

This simple but effective method of customer interaction is a clear example of how organisations benefit from tailoring their service to each individual customer. Receiving a personalised experience is highly valued by customers; it gives a sense of exclusivity and can be a huge driver of brand loyalty.

Click here to view this story on the Huffington Post.

Are you sitting on a pile of money?

Posted by Audit Advisory on 24/02/2014 at 12:10 PM in Audit Advisory, Finance Transformation

For businesses both large and small, access to short and long-term working capital can often be a challenge. Our recent study showed that UK companies were sitting on £69 billion of excess working capital for financial year 2012. This is equivalent to a free cash injection worth 5% of the total income of the firms analysed.

Typically, excess working capital is tied up in inefficient financial and operational processes. The effective management of working capital can easily be overlooked, especially when the organisation's focus is on generating new growth. However, this could be a good opportunity to focus on managing basic processes and perhaps to free up some cash for investment. Last year’s increase in working capital is partly due to a shortening of supplier payment periods, as well as being a by-product of growth. Our study found that unlocking the excess working capital would be the cheapest source of finance to protect or grow shareholder value, cheaper than a bank loan or equity bonds.

Companies in the UK are becoming less efficient in the cash conversion cycle*, with small businesses (annual turnover of less than £300m) deteriorating at the fastest rate. The report highlights that 68% of cash is held by the top 11% of UK companies, a group able to negotiate terms in their favour with smaller suppliers.

There are a range of process efficiencies, financial instruments or ways of outsourcing available to address this problem, without damaging relationships with suppliers. By using demand forecasting and effective planning techniques, it is possible for cash to be freed to use elsewhere. Streamlining excess working capital will enable UK businesses to take advantage of the economic recovery.

*Cash conversion cycle refers to the number of days that it takes from disbursing cash to collecting cash

David Lock

David is a Senior Manager in Deloitte’s Finance Transformation practice. He has over 20 years’ experience of working with senior management teams to achieve the sustainable release of cash from working capital.

Social Business: do you have the operational capability to back it up?

Posted by Audit Advisory on 3/02/2014 at 2:19 PM in Audit Advisory, Digital Risk, Risk, Social Media


In an increasingly digital era many organisations face a daunting challenge – how to compete in a socially powered world. When used effectively, social media can provide businesses with a great opportunity to engage with a large audience, build client relationships and drive brand affinity. Whilst many organisations may have been slow to embrace this phenomenon, the pace is definitely accelerating.

One of our recent surveys shows that only 33% of respondents say social business is important to their organisation today – a conclusive demonstration that UK plc is still testing the social media waters. However, 74% of organisations believe that social business will be more important in 2016. This is a more encouraging figure, but it also highlights that some organisations still doubt the value it can provide.

When organisations are faced with the task of implementing a social business strategy they can often encounter several barriers to widespread adoption – a key barrier being lack of operational capability.

What are some of the key operational challenges that are being faced today?

1. Tracking your social media: Understanding your social presence is important, not only from an operational standpoint but also from a legal and regulatory standpoint. Building a single view of your social activity requires the implementation of the right processes and supporting technology from the outset.

2. Managing multiple accounts: As organisations expand their social media landscape, especially with the emergence of new platforms, there is increasing complexity in managing multiple accounts used internally by employees and externally by third-party agencies.

3. Keeping records: Content posted on social media sites can be legitimately presented and used in a court of law. It is important that organisations build mechanisms to archive their content and make it easily accessible when needed; this may even include user-generated content.

4. Multiple layers of approval: A number of organisations impose various internal approval stages before any content can be shared on a social platform. These approvals are normally perceived as barriers to achieving the desired outcome, but despite this there is a need to develop a risk-based model. The right process can not only reduce the cost of compliance, but can also augment the overall engagement strategy by allowing appropriate and timely activity.

5. Consistent application of policy: The diverse and dynamic nature of the social media landscape adds complexity to the management of the various platforms. Applying a single set of rules to all of them is not practical and could lead to non-compliance or even failure in some cases.

 Key questions to ask within your organisation:

Are you able to fully define your social presence? How many stakeholders have access to your social media accounts? Does your current governance policy support or impede the use of social media? 

Gagan Arora

Gagan is a Senior Manager specialising in governance and risk management in IT, business and digital transformations. He specialises in the implementation of governance structures over internet based channels including Social Media and Mobile Applications.

From Sparta to Cyber Space

Posted by Audit Advisory on 14/11/2013 at 1:29 PM in Controls, Data, Data Protection, Privacy, Resilience, Risk, Security, Social Media

Asymmetric warfare isn't new. It has a long history, from when 300 Spartans held Xerxes' Persian army of more than 100,000 in 480 BC, right through to the modern day. You might even argue that Odysseus and the Trojan horse in the 12th century BC qualify as the earliest example. All very interesting - but what is the relevance to modern business?

Cyber attacks - the similarities are striking. Often small groups of highly-focused and motivated attackers with little in the way of hierarchy or command and control take full advantage of the anonymity, flexibility, agility and rapid response offered by the use of modern technology. Cyber attacks also share the latest trait of asymmetric warfare; they are global, both in origin and effect. 

Looking back through history can provide two insights for businesses faced with cyber attacks.

The first is that brute force, throwing masses of resources and technology at the problem, has a limited effect on its own. As you increase your cost and effort, the effect diminishes, ultimately becoming counter-productive and sapping vital resources. Instead, a careful, considered and proportional deployment acts both as a deterrent and as a sustainable first line of defence. Back in ancient Greece the Spartans made the best possible use of their forces: with only 300 men they had to fight a defensive battle rather than a decisive one. This strategic plan worked to their advantage, as they were able to move quickly, defend multiple constricted passages and tactically block the narrow passes.

The second is that intelligence-led operations prove among the most effective methods to detect and nullify the enemy. Although they had a small army, the Spartans had a greater knowledge of the battlefield; they knew their enemy's weaknesses and were able to exploit them to their advantage. In network defence terms, this is logging, monitoring and threat surveillance: capturing and analysing the traffic on your network. Just like the intelligence work in the world of spies, it is painstaking, methodical and frequently boring, but it requires a highly skilled human touch. You need the relevant tools tuned to your business and skilled operators to protect it. While it may appear expensive in cash terms, it is one of the few means of taking a proactive stance against cyber attackers. The reactive and often more expensive alternative is a phone call in the early hours telling you "we have a problem".

The analogy between cyber attacks and warfare is not perfect; there is a crucial difference, and it is the vulnerability of the adversary. Most cyber attackers do not have access to large resources or sophisticated technology; they rely on weaknesses in organisations. There are known defences which, if applied carefully and rigorously, will deter, detect or defeat the vast majority of common attacks. The SANS Top 20 Critical Security Controls are one such collection of proven defences. They are developed globally, published freely and applicable across all industries.

The situation might appear overwhelming, but there are tactics and strategies which can help you turn the tables, and can even the odds. From Xerxes to the World Wars, the massed hordes have been held back by the few. Asymmetry works both ways if you choose your battle carefully. 

Gary McCloskey

Gary is a manager in Deloitte’s Security practice. He works with clients to understand the threats they face, and to reduce them through proportionate effective changes in culture and practice. Gary also works with multi-disciplinary teams to investigate, control, and help clients return to business as usual following cyber incidents, data breaches and attacks.


Bring in the good guys...Penetration testers

Posted by Audit Advisory on 18/10/2013 at 4:03 PM in Data Protection, Privacy, Resilience, Risk, Security

Companies spend plenty of time, effort and money protecting their networks from hackers. Firewalls, Intrusion Detection and Prevention Systems (IDPS) and security gateways are commonly used to protect the connection points between internal networks and the internet.

However, despite all these protections, networks can still be breached. In April 2011, Sony revealed that its network had been hacked, exposing the personal details of 77 million PlayStation Network users, which included names, dates of birth, e-mail addresses, passwords and credit card numbers.

Unpatched server software, together with a custom firmware release (Rebug), effectively turned the PS3 console into a developer kit, activating a number of features users could not normally access. Most importantly, the firmware gave trusted access to Sony’s internal developer network. Hackers exploited this to access and pull information from the customer details database – 77 million customer accounts compromised.

With one of the biggest data breaches in history, how do companies ensure these attacks do not happen to them and they are safe from the bad guys? I suppose they could call on the good guys pretending to be the bad guys…penetration testers (aka “white hats” or ethical hackers).

Penetration Testing is normally conducted as a service to clients by mimicking the types of attacks performed by malicious hackers using the same tools and techniques. The aim isn't simply to break through an organisation's defences, but to identify the depth and breadth of vulnerabilities.

Network infrastructure penetration testing focuses on performing attack simulations or exploitation against clients’ computer networks and systems in order to determine these vulnerabilities. Testing also requires explicit permission from the owner of the target systems; without that authorisation, exactly the same activity is illegal hacking.

With network breaches on the rise, many companies have realised the importance of security, and have incorporated penetration testing activities as part of their information security strategy. The results from these tests and guidance will help companies to better protect their networks (or sensitive data) and prevent them from falling into the wrong hands.

Yeo Bon Wan

Yeo Bon is a Consultant in Deloitte’s Security & Testing practice working within the Cyber Intelligence Centre. Yeo Bon specialises in ethical hacking, focusing on network infrastructure and web application penetration testing.

Wireless: The coffee shop corporate LAN

Posted by Audit Advisory on 30/07/2013 at 10:41 AM in Audit Advisory, Data Protection, Digital Risk, Privacy, Risk, Security, Social Media

Wireless networks are growing more and more numerous, and the corporate landscape is no exception. The convenience offered by a laptop or mobile device together with WiFi connectivity to the corporate infrastructure allows employees more flexibility around the office than ever before.

However, the pervasive nature of a wireless signal means it can be available in places you would never dream of rolling-out your wired network. From an attacker's point of view that's one of the most appealing things about WiFi.

The hurdle of gaining physical access is removed, replaced by the far more alluring prospect of attempting a breach from the comfort of the coffee shop next door. If network traffic is permitted between the wireless segment and the corporate LAN, the attacker may even consider getting a loyalty card.

One of the latest methods of attempting to breach wireless networks (even those operating strong encryption protocols with long passphrases) comes via the Wi-Fi Protected Setup (WPS) functionality offered by newer access points. WPS is designed to make associating wireless devices with routers more consumer friendly. WPS supports a number of association models, but the one of most interest to an attacker is the PIN-only method. The WPS PIN is 8 digits long, and entering it correctly leads to an association being established between the device and the router, with the router then transmitting the passphrase required for successful authentication.

In late 2011, it was revealed that the design of the WPS PIN exchange was flawed, dramatically reducing its effectiveness against what’s known as a brute force attack. This attack attempts all possible combinations of the PIN, eventually guessing the correct one. It was shown that wireless routers validate the PIN in two steps, sending a failure message as soon as the first 4 digits are found to be incorrect, before the second half has even been checked. This lets an attacker focus on the first 4 digits and, once those are verified, on the remaining 4. Further to this, the last digit of the WPS PIN is a checksum – a check digit, computed from the other seven, designed to ensure the PIN has been entered accurately. This reduces the second half to only 3 unknown digits, as the checksum digit can be calculated during the attack.

As a result, the attacker only needs to attempt at most 11,000 combinations (10^4 for the first half, followed by 10^3 for the second) to recover the whole PIN. Given that the attacker has to wait for a success or failure message from the router after each attempt (around 1.3 seconds), it would take over 4 years to exhaust the search had the 8-digit PIN been validated as a whole (10^8, or 100,000,000, combinations). With 11,000 combinations the same attack completes in under 4 hours.
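The arithmetic above is easier to trust once you have watched it play out. The following is an added example, not code from the original post or from any real attack tool: it implements the published WPS check-digit rule, stands in for the access point with a small Python class (hypothetical names `SplitValidatingAP`, `recover_pin`) that answers each PIN attempt at the same point the real M4/M6 exchange would fail, and runs the two-stage guess against it. No radio frames are sent; the 1.3-second figure is simply the post's own number used for the time estimate.

```python
"""WPS PIN split-validation brute force, modelled entirely offline.

Added example. The access point below is a pure-Python stand-in for the
registrar behaviour described in the text (a NACK after M4 when the first
half of the PIN is wrong, a NACK after M6 when the second half is wrong);
nothing here talks to a real network.
"""

SECONDS_PER_ATTEMPT = 1.3  # round-trip per attempt, as quoted in the post


def wps_checksum(first7: str) -> int:
    """Check digit completing a 7-digit WPS PIN prefix.

    Wi-Fi Simple Configuration weighting: the 1st, 3rd, 5th and 7th digits
    are weighted 3, the others 1; the check digit makes the total a
    multiple of 10.
    """
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected 7 decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class SplitValidatingAP:
    """Simulated registrar (hypothetical) that leaks which half of the PIN failed."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("AP must be configured with a valid WPS PIN")
        self._pin = pin
        self.attempts = 0  # how many PIN exchanges the attacker has started

    def try_pin(self, pin: str) -> str:
        """'NACK_M4' if first half wrong, 'NACK_M6' if second half wrong,
        'M7' on success (M7 is where the real AP hands over the passphrase)."""
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK_M4"
        if pin[4:] != self._pin[4:]:
            return "NACK_M6"
        return "M7"


def recover_pin(ap: SplitValidatingAP) -> str:
    """Exploit the split validation: fix the first half, then the second."""
    # Stage 1: up to 10^4 guesses. The second half is a dummy; all we need
    # is to see the failure move from M4 to M6.
    first_half = None
    for i in range(10_000):
        head = f"{i:04d}"
        candidate = head + "000" + str(wps_checksum(head + "000"))
        if ap.try_pin(candidate) != "NACK_M4":
            first_half = head
            break
    if first_half is None:
        raise RuntimeError("AP did not behave as modelled")
    # Stage 2: only 3 unknown digits; the checksum is derived, not guessed.
    for j in range(1_000):
        body = first_half + f"{j:03d}"
        candidate = body + str(wps_checksum(body))
        if ap.try_pin(candidate) == "M7":
            return candidate
    raise RuntimeError("AP did not behave as modelled")


def worst_case_attempts(split_validation: bool, checksum_known: bool = True) -> int:
    """Size of the search space an attacker must be prepared to walk."""
    if split_validation:
        return 10**4 + (10**3 if checksum_known else 10**4)
    return 10**7 if checksum_known else 10**8


def worst_case_hours(attempts: int) -> float:
    """Wall-clock time at the post's 1.3 s per attempt."""
    return attempts * SECONDS_PER_ATTEMPT / 3600


if __name__ == "__main__":
    ap = SplitValidatingAP("99999995")  # worst-case PIN for this search order
    print("recovered", recover_pin(ap), "in", ap.attempts, "attempts")
    print("split search, hours:", round(worst_case_hours(worst_case_attempts(True)), 1))
    print("whole-PIN search, years:",
          round(worst_case_hours(worst_case_attempts(False, False)) / (24 * 365), 1))
```

Two things the code makes visible that the paragraph only states: the check digit is a property of the PIN itself, so an attacker who knows the rule never has to guess it (even a naive whole-PIN search is really 10^7, not 10^8), and the damage comes from the oracle, not the key length. An access point that answered only "accepted" or "rejected" after the full exchange, or that locked out after a handful of failures, would push the attacker back toward the multi-year figure.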

The recommendation from suppliers is to disable WPS or to upgrade to a firmware version which addresses this issue. That said, even plugging this hole and using strong encryption and passphrases doesn’t stop an attacker from setting up rogue access points for unsuspecting users to connect to, or from sending de-authentication packets to devices they wish to knock off a given network. These attacks can be used to gather information such as login credentials, useful for attacks against the individuals directly, or against their companies by posing as legitimate users.

It is clear that while wireless network popularity has grown, their accessibility requires appropriate segregation to be in place. The protective measures surrounding wireless networks need to be as strong, if not stronger than their Ethernet cousin. Once the physical walls are stripped away, a strong configuration is all that is left.

Stuart Gleave
Stuart is a Consultant within Audit Advisory, specialising in ethical hacking.  Stuart is experienced in both remote and onsite penetration tests, and has a keen interest in the vulnerabilities affecting wireless communications.

How can CFOs balance the risk-return equation?

Posted by Audit Advisory on 3/07/2013 at 4:54 PM in Audit Advisory, Finance Transformation, Risk

CFOs can use risk-adjusted forecasting and planning to protect and enhance value, boost confidence, and manage risk.

Financial forecasts and plans carry a lot of weight in the business world. But how much confidence do companies and CFOs really have in their forward-looking numbers? Especially in a business environment that is increasingly complex, uncertain, and risky.

Are you in a world of best guesses?


Nick Pope
Director, Strategic Risk, Risk Advisory Services
Nick has over 10 years of consulting experience, with extensive expertise in the development and implementation of risk management frameworks at enterprise, risk type and programme level for companies across a number of industries.


Analytics in Sports #4 – No such thing as a bad idea

Posted by Audit Advisory on 18/06/2013 at 3:30 PM in Analytics, Data, Data Analytics

An inevitable consequence of opening up access to insight for all will be the generation of many more ideas. With greater understanding of the facts and strong evidence will come a greater resolve to take action that drives change. For some, this could be seen as a managerial nightmare, an opening of a Pandora’s box of feisty bee-in-the-bonnet employees looking to do something different.

But this wasn’t the case for Peter King when he was running British Cycling.  For him, a broad funnel of ideas was the starting point for finding that extra 1% which could be the difference in winning another gold medal.  “We’ve tried all sorts of random and bizarre ideas because we are not sure what’s going to happen until you’ve analysed it properly. It’s a continuous process, we probably shelve as many ideas as we actually use, and sometimes you have no guarantee that what you are doing is making a difference.”

This tells us something about the management style that is required to foster this success: trusting, supportive, and open to ideas from others.  Evidence has a way of making this trust easier to give (where the facts are indisputable), but the leap of faith that some organisations might be required to take should not be underestimated.  And it is a leap of faith that will no doubt have its detractors. 

Peter King: “Our secret squirrel department, the team that now sits under the Director of Marginal Gains, had the job of coming up with lots of potential ways to improve and testing them.  I think at the start of this approach, a huge number of people thought we didn’t know what we were doing and the old ways would eventually prove to be the best way. We stuck with it, we evolved a plan for Sydney 2000 and because we started to see success, people started to accept the approach.”

Peter King also points to the culture of constantly striving for success that underpinned this empowerment and the desire to investigate lots of seemingly bizarre ideas. In many ways, he is saying that a business can’t afford not to investigate a broad funnel of ideas: “What happens in business is people do not spend enough time asking why they do things a certain way. However successful we might be, we never stopped looking for the next opportunity to improve. The reason we could repeat our 2008 Beijing Olympic success in London 2012 was because we didn’t stand still. We knew people would catch up with us so we had to move on. We had to analyse everything we did in Beijing and work out how it could be improved”.

David Blackwell
David is a Partner in Deloitte’s Enterprise Risk Services practice specialising in data analytics, data management and cyber security.  David has worked with many of the UK and Europe’s leading Telecoms organisations, and has deep expertise in helping them secure, manage and derive insight from their data.