IT WEEK • 6 SEPTEMBER 2004
36 ANALYSIS Councils gain guidance on implementing CRM
systems to support online services and improve efficiency
MANAGEMENTWEEK
WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett
IT chiefs plan for audit law
Madeline Bennett

Experts are warning IT managers that proposed UK auditing legislation, along with new US accounting rules, will put extra demands on their departments as firms struggle to comply.

The Companies Bill, proposed to protect the UK against accounting scandals like those that have rocked the US and Europe in recent years, will have its second reading in Parliament on 7 September.

The bill proposes new rules to ensure the integrity of financial reporting and the independence of auditors, and could have a huge impact on IT departments, according to analyst firm Butler Group.

Last week it warned that if the bill becomes law, many firms will only be able to meet the requirements by investing in better IT systems. These would include business process management systems, to ensure tasks are transparently assigned to appropriate people; email management systems, to make sure message content is managed at a corporate level; and policy management technology, especially governing data storage.

Disaster recovery, identity and access management, and records management were also cited as important areas for IT departments to consider when addressing their company’s compliance requirements.

Tim Jennings, research director at Butler Group, said the foundations of compliance would be good systems for business processes and data integrity. “Under the rules, firms require one version of the truth and you need to prove that employees are working with the same set of numbers across departments and IT apps,” he said.

But Jennings advised firms not to rush out to buy reporting systems or business process management tools. “Buying the technology and then working out how to use it is the wrong way. It’s better to carry out a business process review and invest based on the outcome,” he said.

Although the bill is only due for its second reading and could be amended, Jennings said the need to reassure investors meant a law along these lines is inevitable.

Firms could face further compliance headaches following the introduction of a new element of the US Sarbanes-Oxley (Sox) Act last month, requiring firms that are listed in the US to abide by specific disclosure and reporting rules.

According to analyst firm Gartner, companies tend to focus their IT compliance efforts on section 404 of the act, which covers internal controls. However, the recently introduced section 409 imposes additional reporting requirements and sets timeframes for disclosure, putting additional pressures on technology systems.

[Photo caption: Jennings: plan before investing]

NEW PRESSURES FOR COMPLIANCE
• The Companies Bill is likely to impose more stringent rules for company auditing and reporting.
• When the bill becomes law, many firms are likely to need better IT systems for process management.
• Firms listed in the US will also need to comply with the Sox Act.

Insecurity harms shares
Madeline Bennett

Investors say IT security breaches can greatly affect firms’ share prices, according to a report published today. Despite this, many companies still fail to view information security as a board-level issue.

Of 100 equity fund managers questioned by IT services company LogicaCMG, 83 percent said that a security breach would undermine a firm’s share price. They added that security breaches are a top consideration when they decide where to invest, and only the misrepresentation of financial results or the sudden departure of a key senior member of staff were likely to have a more harmful impact.

Investors said companies should make security a high priority. Eighty-seven percent said the board should be aware of and actively review vulnerabilities, and 57 percent expected reports on information risk strategy.

But businesses themselves view breaches less seriously, the research found. Almost half of FTSE 350 companies said they did not have formal information security policies, and 53 percent relied on the IT department to enforce security management rather than making it a board-level issue.

The study highlights a difference in the importance placed on IT security by companies and their investors, said Dave Martin, UK principal security expert at LogicaCMG. “UK firms have a misplaced conception that higher spending on IT security alone will mitigate information security violations. Information security governance needs to be embraced as a practice throughout the organisation.”

Martin added that investors’ apparent interest in IT security demonstrated that share value, as well as corporate brands, could be damaged by breaches. “This realisation should prompt business leaders to take a more holistic approach to information security governance,” he added.

Andrew Braunberg, of research firm Current Analysis, was surprised that so many firms lacked formal security policies. “All large organisations should have information security policies in place,” he said. However, he disagreed with investors who wanted firms to publish security risk reports. “There is no reason to potentially point out weak spots to hackers.”

Braunberg said the imminence of more stringent regulations would force firms to improve their approach to IT security.

INVESTORS RATE SECURITY
How important is IT security for investment decisions?
Very important: 31%
Fairly important: 37%
Not very important: 24%
Not important: 2%
No opinion: 6%
Source: LogicaCMG

The threat from within, p36
www.logicacmg.com/uk/security
itweek.co.uk

CONTENTS
36 COMMENT Insider scams and cases of government staff viewing porn at work show why organisations need to enforce strict usage controls, writes Madeline Bennett
37 ANALYSIS New initiatives could help local authorities to implement CRM systems, put services online, and overcome problems of integration and resistance to change

Better tools for content management
Brian Fonseca

A trio of vendors recently announced moves to help firms better manage electronic content and aggregate data from multiple sources.

FileNet released its Records Manager product last month. The enterprise content management suite is designed to improve record processing by automating file management processes, said the company. It can also ensure that all records related to a business process or project are programmatically declared, classified and retained. This reduces the possibility of user errors, said FileNet.

Veritas last week announced it had agreed to acquire KVault Software (KVS), a maker of policy-based email archiving software. The acquisition could make it easier for Veritas users to manage the growth of email content. The KVS tools can archive and index data held in platforms such as Microsoft Exchange, Microsoft SharePoint and Microsoft Office, along with unstructured data held in other file systems.

Meanwhile, EMC has released its Documentum Enterprise Content Integration (ECI) Services software, to help firms manage records and aggregate content across the enterprise.

ECI, a rebranded version of the AskOnce content management technology the company acquired from Xerox earlier this year, can discover, access and assimilate structured and unstructured content via a single query. This can include content from repositories outside of the Documentum Enterprise Content Management platform.

The latest version offers new cross-lingual search capabilities and content extraction features.

www.filenet.com www.veritas.com www.emc.com www.eweek.com
© eWeek USA 2004

The threat from within
Recent cases of computer misuse in Whitehall and a new report into IT-based offences in the finance sector highlight the need for strict usage controls, says Madeline Bennett

Firms are not doing well when it comes to managing their employees’ computer habits. The news that the government fired some of its own staff for accessing internet porn at work is likely to cause a few red faces in Whitehall. The Department of Work and Pensions (DWP) has apparently sacked around 20 staff and disciplined a further 200 for internet abuses carried out since early last year.

The DWP says it takes the misuse of its IT systems very seriously – a shame this attitude does not seem to be reflected among its staff. You’d think that those working for the government would make a fair attempt to comply with its policies. Not so – according to one report, DWP employees managed to access two million pages of internet porn, with one employee allegedly viewing over 100,000 images.

But before employers sack anyone for viewing online porn or otherwise taking liberties, they need to ensure they have the law on their side, and this generally means that they should establish ground rules. A proper usage policy should be in place, and employees should be fully informed of its content and required to sign up to its rules – to avoid unfair dismissal cases.

Many DWP employees originally under investigation said they had accidentally accessed inappropriate content through spam emails. I’m sure it won’t be long before UK staff follow their US counterparts in trying to sue employers for failing to protect their inboxes and innocent eyes from offensive material.

Meanwhile, a new report from the US Secret Service and US security advisory body Cert shows that firms have another reason to be scared of their staff, thanks to the threat of insider crime.

The Insider Threat Study analysed and interviewed the perpetrators of various computer-based insider offences. It revealed that most offenders were from admin or service backgrounds, and used technically unsophisticated techniques.

I’m not sure I agree with analyst firm Gartner’s response to the study. It is urging all financial services firms to carry out an in-depth risk analysis of all “stakeholders” to determine whether these parties could possess the technical ability and the means to damage company systems or misuse information. But as the study showed, there is no standard profile of offenders and frequently no technical knowledge is required to commit the crime – often a username and password are enough – which means all stakeholders could potentially be included in a risk list.

Gartner said firms could eliminate the threat from stakeholders by “taking steps such as changing passwords and access rights immediately when an insider’s status changes (for example, when an employee leaves, relationships with auditors or suppliers change or consultants complete a project)”. But this is likely to do little to reduce the problem, given the conclusion of the US report that almost any worker could have the means and desire to carry out a crime.

And surely when an employee leaves, it goes without saying that their access rights should be amended – preferably to bar entry to all corporate systems.

Most insider offences analysed in the report required little or no technical expertise and were spotted by basic measures such as manual account audits. So companies might do better to focus on improving their procedures, checks, access controls and logging.

CRM lifts council efficiency
CRM tools can help councils streamline their services, but cultural and technical obstacles must be surmounted first
E-GOVERNMENT ANALYSIS BY MADELINE BENNETT

Much is being done to encourage local authorities to deploy customer relationship management (CRM) systems, to help them meet the 2005 deadline to put all central and local government services online. These initiatives highlight a number of obstacles to CRM that could affect companies as well as government bodies, while also indicating the possible rewards of successful CRM projects.

The London Borough of Newham has recently launched a project to show how CRM technology can help authorities e-enable their services. And Onyx Software set up a CRM implementation centre last month, which is designed to let local authorities simulate CRM rollouts.

But recent research from integration software vendor NDL found many authorities were reluctant to install CRM technology. Of 247 local authorities questioned, over half had yet to install a CRM system. Difficulties of integration and cultural change were cited as the main barriers to successful CRM projects.

NDL managing director Declan Grogan said that e-services is a new topic for many councils. “Cultural change is a big barrier,” he said. “Departments have to learn to let go of transactions, but this is very hard for them to accept.”

Departments’ existing disparate proprietary IT systems will create integration headaches for new CRM deployments, Grogan warned. But the effort could be rewarded if the resulting joined-up transaction processes create cost savings.

One benefit could be a big reduction in the time taken to process queries. “The CRM system is not the first stop, but one stop. It can answer queries, and not just take them,” said Grogan. “It’s about 80 percent of transactions getting sorted by 20 percent of the people for 20 percent of the cost.”

However, Angus Dunlop, business manager for the public sector division at software and outsourcing specialist Northgate Information Solutions, said the culture of local authorities could be an obstacle to implementing CRM. “Benefits practitioners will insist nobody else can do their job,” he said. “But a piece of rules-based software will enable anybody to take claim details and make an initial assessment. It prevents a specialist from spending time over a claim that will eventually be rejected.”

To assess the requirement for CRM systems, managers should first investigate organisational processes to identify where improvements could be made through online systems to save resources. Dunlop cited the example of the hall-booking process of one authority, which required a £30 deposit. “When they investigated how many times the deposit had been [permanently] retained it was never, so that whole process – and associated costs – was done away with.”

Halton council is one local authority that has implemented a fully-functional CRM system. “We wanted a product that would allow our customer service advisers to have single log-in and deliver all services,” said Roy Wainwright, head of customer services at Halton. The council deployed a system based on Amdocs’ ClarifyCRM product, with a front-end system developed by Northgate.

For Halton, integrating its existing systems was the difficult part of the transition. “You need the suppliers of legacy systems to give you doors into it, via XML or APIs,” said Wainwright.

The council’s new CRM system allows advisers to handle queries about all Halton’s services. “The system has increased efficiency all round as we can stop repeat visits, save time and money, and be more proactive,” Wainwright said.

[Photo caption: Grogan: cut admin costs]

SUMMARY
• CRM systems could help local authorities meet the 2005 deadline for getting services online, and speed up services in many cases.
• However, about half of authorities have yet to implement CRM tools.
• Problems of integration and cultural change are cited as the main barriers to CRM implementation.

www.ndl.co.uk www.northgate-is.com