MetaCompliance

Innovative Policy Management and User Awareness Solutions

Learning technologies opening new horizons for employee awareness

I have heard it said that many of the professionals involved in elearning are really teachers who like technology. However, some of the technology I was able to see at Learning Technologies 2013 was never in any classroom I had ever been in!

The content creation tools and the quality of what is being produced by some of the leading elearning vendors like Kineo, BrightWave and Adobe is amazing. You can really see how modern, graphical and interesting content can make it so much easier for people to learn. This is a far cry from some of the elearning platforms that still adhere to the old format of static pages that look like 1990s PowerPoint, with a next, next, next button to oblivion.

I also detected a maturing of the industry, which is reacting to customer needs for a single area for learning and awareness within the organisation. This allows people to access elearning taken in the past at any time they require the knowledge.

Single Sign On (SSO) is clearly a big issue with organisations recognising the impact of giving the user yet another password and username to remember with each elearning system adopted.

I still love the enthusiasm that the people involved in Learning and Development have for changing their internal environment with new and attractive learning content. This combined with a system that ensures participation, such as MetaCompliance, is the way to go for ultimately changing attitudes and behaviour in the workplace.

Robert O’Brien.

Relate Corporate Data Protection needs to employees’ personal use of technology

I was walking through Gatwick Airport today, when I was magnetically pulled towards the temptation of a gadget shop, which happened to be Dixons. On reflection, this happens almost every time I travel by air. Two things struck me as I perused the aisles of lovely technology. First, the shop was much busier than any other retail outlet in the mall. Second, there were, at that point, more female customers in the shop than male.

The attraction of these stores stems, I think, from the fascination of “what’s new”; certainly for myself, I am currently giving a great deal of thought to buying a Bluetooth keyboard for my iPad. A gadget shop is the modern adult equivalent of the toy shop. However, the popularity of new technology among both men and women goes a long way to validating a view that I harbour: that people invest far more, in relative terms, in personal technology than most organisations do for their corporate users.

I had come straight from a meeting with an FT 100 company, where we discussed automating their awareness projects and implementing our Policy Management Software. Yes, that’s what I do for a day job, people! One of the major constraints for this company in their desire to mitigate the risk of a data loss incident with automation technology is their legacy systems. In many companies the complexity of these systems acts like a dead hand on progress and business change programmes. As I walked across their beautiful central London office, I was also struck by the prevalence of CRT monitors. This is a typical example of technology at work being inferior to what users have at home. No wonder employees get frustrated and attempt to circumvent IT Security controls.

I believe that the popularity of technology amongst all ages and genders represents an opportunity for organisations to approach employees on the subject of IT security in a more robust manner. Users are already aware of technology and the problems associated with it. From malware through online bullying to identity theft, users have had exposure to these concepts already. Organisations should accept this and build on this foundation of awareness.

No one wants to get into trouble at work by inadvertently transgressing a security policy. However, this happens all the time because the human factor has been neglected, due to both legacy-system-induced paralysis and corporate inertia. Compliance is often seen as someone else’s problem.

Organisations should take a leaf from the engaging way that government sponsored programmes, such as www.getsafeonline.org in the UK and www.staysafeonline.org in the USA, reach out to users. Here is a top tip, readers: get a link to one of these websites placed on your corporate intranet and relate personal IT Security at home to the workplace.

This week is Get Safe Online week in the UK and CyberSecurity Awareness month in the USA, if you needed a reason.

Robert O’Brien.

ICO Fines: Can the NHS afford to take the risk?

This is a question frequently asked by NHS Chief Executives, particularly since the £325,000 fine handed out to Brighton & Sussex University Hospitals. For public sector organisations that continue to see drastic cuts, it is an unfortunate situation, as these fines frequently affect critical services. However, in accordance with the Data Protection Act, the ICO believes they are justified. One would assume that, as the NHS deals with such sensitive information, it would exercise a higher duty of care towards our personal data. Unfortunately, this is not the case. It is evident from the number of fines issued by the ICO in the past year that its current approach towards compliance and user awareness is simply not working.

Information Commissioner Christopher Graham explained: “The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it”. Fortunately, best-practice solutions are available which can put local authorities back in charge, allowing them to monitor, detect and prevent sensitive data breaches.

A policy management solution such as MetaCompliance solves this key compliance issue and enables organisations to automate and manage the key tasks associated with user awareness and engagement for information assurance. However, even with such robust technology, a number of public sector organisations still turn a blind eye to this issue and live in hope that regulators never come knocking on their door.

What do you think: Are the ICO’s actions justified?

Sakib Rashid.

Cloud-based GRC Software MyCompliance Double Finalist in UK IT Industry Awards.

Metacompliance is very proud to announce that its new cloud-based GRC solution MyCompliance has been chosen as a finalist in two categories of the 2012 UK IT Industry Awards, which are voted for by the British Computer Society:

Organisational Excellence Section – Best use of Cloud Services

Technology Excellence Section – Security Innovation of the Year

Winners of this year’s prestigious awards will be announced on Wednesday 14th November during the awards ceremony in the Battersea Park Events Arena in London. With over 1,300 guests in attendance, the awards bring together the industry’s leading players for the biggest night of the year.

For more information on the awards click here. To read more about our award nominated GRC solution MyCompliance click here.

Lynn Jennings.

Ensuring Compliance in times of growth.

When organisations go through a process of growth, whichever industry they operate in, one of the biggest challenges they are faced with is being able to ensure consistency in their business practices. Whether it is their systems, rules and regulations, or simply maintaining standards, the implementation and overall management of these functions can prove to be very difficult.

“The bank underestimated some of the challenges presented by its numerous acquisitions, and despite efforts to meet these challenges, we were not always able to keep up.”

These were the words of David Bagley as he stood down from his post as Head of Group Compliance at HSBC Holdings, after it emerged that the British bank had exposed the US to billions of dollars’ worth of money laundering, drug trafficking and terrorist financing.

As demonstrated in the case of HSBC, whose growth accelerated rapidly through acquisitions, the problems began because the operations of some of those new acquisitions fell far short of HSBC’s own compliance standards and expectations.

The implementation of a system, such as MetaCompliance Policy Management Software, would allow organisations to adopt a unified approach towards compliance and help them to maintain the standards which they are judged against.

The risk to an organisation from breaches and non-compliance extends beyond monetary sanctions to reputational damage, which can prove to be more costly than any financial loss. Public perception of bankers is already at its lowest ebb, therefore evidence of a lax attitude towards a subject as important as compliance does little to restore the faith.

At a time where organisations are having their Governance, Risk and Compliance standards scrutinised more than ever, can growth be used as a defence for sub-standard or diminishing GRC practices?

Bhupinder Dhillon.

Is hindsight better than foresight? How taking a reactive approach to GRC is not always the best.

Hindsight is a wonderful thing as it allows us to reflect on past events, analyse what went wrong and realise what could have been done better. However, any organisation that has ever been fined by the Information Commissioner’s Office (ICO) would surely ask the question “is foresight not better?” Particularly when hindsight has such a big price tag attached to it.

Policy and procedures form the heart of governance and compliance in every organisation. To safeguard information and satisfy regulators, businesses must increase participation; they must ensure that users read and sign up to corporate policy and procedure and, more importantly, that they understand it. Current methods, such as emails and intranet systems, are clearly not working, as 88% of all data breaches can be traced back to user negligence, clear proof that the user presents the most significant threat to the security of data.

As a new MetaCompliance employee and newcomer to the world of Governance, Risk and Compliance (GRC), one thing that has surprised me is that a large number of organisations are complacent regarding compliance awareness, and take a reactive rather than a proactive approach. We all know the factors behind this: budgetary matters, time constraints etc. However, as the fines get bigger (just look at Barclays’ £290,000,000 fine), along with the significant reputational damage that comes with it, it is becoming less credible for organisations to take such a laissez-faire attitude to user participation and awareness.

A best-practice GRC solution, such as MetaCompliance Policy Management Software, will assist companies in solving these critical compliance issues. It is important for organisations to realise that employee awareness of Information Governance is a continual process, and it is crucial to make every endeavour to keep this at the forefront of users’ minds.

Hindsight has driven many businesses to invest in user awareness of GRC after they have fallen foul of regulators.

Does your organisation have the foresight to invest in a proactive approach?

Sheetal Sewsanker.

Compliance Project Branding – A key asset for delivering user awareness of Information Security and Privacy campaigns.

Compliance by its very nature is a “dry bread” issue. It’s very important, but fairly boring. At its core are things like Policy Management, Procedure Manuals and Risk Registers. No wonder getting the attention of staff for these initiatives is so challenging. However, from politics to television shows, people’s attention can be obtained if there is a relevant theme or topic. Having a recognisable image or word association makes it easier for us humans to make a cognitive connection and possibly reach the Holy Grail of being interested.

Getting the attention of employees for compliance campaigns, such as introducing policy management software, is one thing; getting them interested is quite another. Again, that’s where branding or theming comes into play. Should the theme change or become innovative, then people become aware of a possible lifecycle for the campaign. Hence the development of interest.

The Birth of a Compliance Icon

My team and I are really interested in the whole area of awareness and how compliance can be made easier for staff and the organisation. We speak regularly on this topic with our customers, who are also interested in evolving this issue.

So we set a challenge for our Training Team to work with our Design Team to come up with a sort of mascot for compliance learning. The result was an Owl persona that reflected wisdom, vigilance and a kind of all-seeing capability.

So far so good. However, during the course of project development our esteemed mascot managed to obtain the nickname Budgie! For some reason that name has stuck and, if we are honest, has come to represent a sense of fun that is ideal for assisting people in learning activities.

We have great plans for Budgie boy. Not only are we going to use him to illustrate the ways by which compliance awareness can be positively promoted, he is also going to feature in the overall journey of our company.

Our first project is to originate a competition to see if we can find the most exotic or relevant place that Budgie can be found. Expect Budgie to be found in the travel luggage of our staff and customers as they jet off on holidays.

As Budgie tours the world putting compliance on the map, the Metacompliance Media Team will keep you posted.

Robert O’Brien

The two major determinants of a successful Governance, Risk and Compliance (GRC) Project.

The GRC Market has noticeably matured in the past 2 years. The UK’s leading User Awareness, Risk and Policy Management Software solutions provider Metacompliance was recently ranked in first place in The Hypatia Research report on the Global GRC Market, “Best Practices & Drill Down GRC Q1 2012: Data Access & Security”. The report looked at 48 global GRC vendors and 440 companies that plan to include GRC in their future business strategies, if they are not already doing so.

The report concluded that vendors and customers alike agree that government and industry regulation show no signs of abating. If anything, the recent fallout from lack of regulation in the Financial Services sector has added to general acceptance that compliance needs to become a “business as usual” issue. The FSA lists a staggering £66 million in fines handed out to financial organisations in 2011, a sure sign that regulation continues to become more stringent.

For me, two of the major determinants of success for an organisation’s Governance, Risk and Compliance (GRC) Strategy are organisational culture, and people. By the latter I do not mean all of the people in an organisation (these are indeed important but not at the strategic level of GRC planning), but rather that particular group of people that are required to be in place for a successful GRC strategy to be possible. These people must have seniority within the organisation, and have the relevant expertise, experience, personal standing and persistence that is required to drive organisational change and strategic success.

The Information Assurance Maturity Model (IAMM) is an excellent method of determining where an organisation sits in relation to its compliance obligations. The model allows an organisation to get an idea of what should be in place by way of process, policy, technology and people, and provides a solid baseline for a GRC strategy. However, this brings me back to the people and culture issue. In order to develop and embed a successful GRC programme, the organisation needs to have executives and management who recognise, firstly, that compliance is a business imperative and, secondly, have a realistic understanding of where their organisation sits on the IAMM. The question for them is: how close are we to making governance, risk and compliance part of our business norms?

The greatest challenge for this team of people will be to look at the core issue of honestly determining their company’s culture of compliance and security. Unlike other business functions, such as sales for example, compliance and risk have no natural origin within most companies, meaning that those norms have to be created, nurtured, developed and managed for the long term. Other industries have had to undertake similar evolutions, for example the requirement for safety within the oil and gas industry. It took a number of decades for safety to become part of their culture, to become embedded in the “organisational DNA”, and it will take time for GRC to become business as usual. I feel that success means beginning the process now.

In their report, Hypatia researched the top reasons for organisations to invest in GRC Software and Consulting Services. “When asked for the top three reasons organisations invested in GRC tools, survey results spanned a wide range of motivations. The highest percentage of respondents (43.5%) cited “industry regulations require it”, while 28.7% said “Our CEO insisted upon it” and 23.1% said “Our lawyers insisted on it”.”

Sometimes the CEO has to be the executive sponsor of the team of people who are tasked with changing the company’s culture. Often, nothing short of this type of emphasis is required to cut through the interdepartmental politics that get in the way of necessary change. For a GRC Project to be successful there has to be an alignment of the irrefutable driver of regulation, the resourcefulness of a capable management team and the backing of a “C” Level Executive. Would you agree?

Robert O’Brien

User Awareness and Policy Management key to dealing with proposed changes to EU Data Protection Law.

How can Policy Management Software help you deal with proposed changes to EU Data protection law?

The proposed changes to EU Data Protection laws have caused much media attention since the live EU debate on Wednesday. At Metacompliance, we agree with the Justice Commissioner Viviane Reding’s argument that the changes will “help build trust in online services because people will be better informed about their rights and more in control of their information.” One thing is certain: you cannot afford to ignore the debated changes if you hold electronic customer records. Companies that are found in breach of the proposed new regulation face a fine of up to 2% of annual turnover.

So, what key changes to the 1995 Data Protection laws is the Commission proposing?

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  • Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.
  • In cases where consent is required, organisations must explicitly ask for permission to process data, rather than assume it.
  • Companies with 250 or more employees will have to appoint a data protection officer.

This is just the natural evolution of the rules associated with data usage and its safeguarding.

What has user awareness and policy management got to do with this?

It’s the people issue!

There are still too many organisations treating data protection as “someone else’s problem”. Data Governance should have the same standing in the organisation as Financial Governance. However, it took at least a few decades for Financial Governance to reach the priority within an organisation that it now enjoys. It will be the same with Data Protection and Governance.

Ultimately your organisational Data Protection culture needs to match existing and proposed responsibilities. These proposed changes to EU Data Protection Law provide the incentive to ensure the organisational journey and culture change commences and stays on course.

The culture of best practice Data Protection begins with user awareness. Should there be a Compliance incident, then your IT Security policies become the baseline for any discussions. A combination of User Awareness and IT Security policy management needs to be at the centre of an organisation’s response to this increased regulatory environment. Obviously, at Metacompliance we would recommend the use of Policy Management Software to automate these repetitive Compliance processes. Do you agree?

Lynn Jennings

“Solicitor, you should know better!” – Policy Management and Data Protection awareness in the professional services industry.

Once again, all eyes are on the public sector on the issues of data protection and privacy, with the latest (record) fine from the ICO reflecting the sensitivity of the information involved.

However, these problems extend further, into those private sector businesses that also provide our services and hold our information: businesses such as Solicitors and Barristers, Estate Agents, Pension Firms and Accountancy Practices; businesses who hold as much of our sensitive information as our local council, if not more. This is an area in which the Metacompliance partner community can add real value in improving organisational awareness of Data Protection issues.

Many of these organisations have no concept of the behavioural responsibility they have for data protection. They view privacy and information security as an IT problem, which amounts to securing the firewall, updating the anti-virus, essentially keeping the bad guys out. They would never think that an inadvertent conversation with a colleague, or, in the case below, a diligent report back to the office, can be a serious breach of privacy and data protection laws.

Case in point: a telephone conversation I overheard on a train out of London this week. I’ve spared you the full extent of my “rant,” but here is a snapshot of the information I, and 30-odd other people, are now aware of:

  • The names of the defendants in a mortgage arrears case
  • The address of their property
  • The name of their estate agents
  • The amount outstanding on their mortgage, and how much arrears they owe
  • The amount the house is valued for
  • The mother’s occupation and monthly net earnings, including how much child support she receives for her two daughters, aged 10 and 14
  • The fact that the father is out of work, has mental health issues, however refuses to claim benefits as he won’t admit to his health issues
  • The mother has a restraining order out against the father
  • The outcome of the case, i.e. how much longer the judge has granted that this desperate family can remain in the house before paying the arrears or selling

The regulators are aware that this is a problem. Representatives of the ICO have, in recent times, been very vocal in their desire to push for an extension of their powers to the private sector to combat lax attitudes to data protection.

But it’s not the fines that are the issue for the private sector, it’s the reputational damage. A fine is a one-off cost. Incident investigation costs, whilst extensive, are finite. Even legal costs can be quantified and belts tightened to absorb these. However, the loss of revenues due to a breach of privacy and data protection laws is open-ended, can extend far into the future, and could very easily shut an SME down.

The MetaCompliance partner community has evolved the skill sets needed to help professional services companies change attitudes to data security issues. With Policy Management Software such as MetaCompliance, our partners can review and update key policies, can recommend methods for distributing them to employees and can even carry out ad hoc, face-to-face training on information protection, privacy and data protection.

Any company, public or private, will be found seriously wanting if a lack of user awareness has resulted in a data breach involving sensitive information. The only way to combat a lack of user awareness is through ongoing education and communication. Most organisations have a natural inertia that restricts the type of change necessary to avoid the risks of compliance failure.

By using an outside organisation to act as a catalyst, management can enable the implementation of the continual awareness communication programme that is necessary to change employee behaviours towards privacy and data protection. Third party specialists can provide the expertise and knowledge to analyse the information generated by the Policy Management and Risk software and remediate against it to maintain a culture of privacy and data protection for their customer.

All our MetaCompliance partners have seen a significant increase in the levels of interest in compliance management from their customer base. Professional services organisations looking to start the process of culture change in relation to data protection and computer use policies can link up with our partner community by contacting me on thutton@metacompliance.com.

Tara Hutton.
