Those “private” (sm)e(ar)mails

This isn’t a political blog and anyway there’s been plenty of comment about the invented-smears emails, their origin and their target.

But just one IT point keeps being ignored and it appears to have been perpetuated from the very top in Gordon Brown’s letter. It is the assertion that these emails were somehow “private”. Brown’s letter, as reproduced in full by the BBC, says

“I am assured that no minister and no political adviser other than the person involved had any knowledge of or involvement in these private emails.”

Hang on. We’re also told that they were sent “from an official account”. So absolutely no way are they private. Gordon Brown, his staff, and the media are confusing “private” with “confidential”.

If they were private, they should have been sent from a private email account. Sure, if they’d been sent from dmcbride@googlemail there would still have been a fuss if they’d been uncovered; but it would have been much less of an embarrassment for McBride’s employers.

If they were sent from an official email address, that’s the equivalent of being on 10 Downing Street headed notepaper. If they were confidential, but official, they could have been encrypted. Confidential messages have been sent in code since writing was invented.

This is an object lesson about information risk and information security. Sending personal (= “private”) messages from your business email is very poor practice and highly unprofessional. Not making it clear to your employees that personal mail should be sent personally is equally poor practice and puts both the employee and the employer in jeopardy. And not encrypting information which is truly highly sensitive and business confidential is, quite separately, stupid – although all of us, I suspect, neglect this one most of the time.

As any decent risk management practitioner will tell you!

• Brown’s smear row letters in full, BBC News, 15 Apr 2009
• No 10 official quits over e-mails, BBC News, 11 Apr 2009

UK’s new flexible working entitlements: check the hype

Last week the UK brought into effect a change to the rules regarding statutory eligibility to request flexible working. From some of the discussion, you’d think corporate IT was going to be overwhelmed as ninety percent of the workforce suddenly starts working from home!

Computing, for example, has an article with some good discussion (including comments from Ollie Ross at the Corporate IT Forum) but with two major flaws. First, it mostly assumes that flexible working automatically means being home based (it doesn’t); and second, it anticipates huge IT changes for companies in supporting flexible working staff (there won’t be).

Let’s get it into perspective.

First: the regulations are not new. They apply only to staff who care for young dependents (for the majority it remains, as it always was, entirely a matter of company culture and policy). And they don’t entitle staff with these carer responsibilities to have flexible working. They entitle them to request it, and require the employer to consider it. The request can be turned down, but it must be with reasons and there are appeal lines set out.

And second: the numbers are not huge. The new rules extend eligibility to staff who have dependent children older than six and under 17. There are estimated to be 4.5 million of these; and three cheers for them! But six million parents of six-year-olds and under, or of disabled children under 18, were already covered. So for every four people already on this specific “statutory” subset of flexible working there may potentially be another three.

Some industries do have significant numbers of employees in these categories. But the total UK workforce is about 30 million people and many of the new 4.5 million will be already on flexible working, or not working, or will choose not to make a request. It doesn’t feel like there’s a massive change coming. And in any case not all the people covered by either the previous criteria or the expanded eligibility are likely to be professionals requiring the kind of enterprise IT support discussed in the article.

Flexible working and remote working are not the same thing. It may just be a case of adjusting on-site hours. Flexible working, as the UK Government says, describes “any working pattern adapted to suit your needs. It includes things like part-time working, flexitime and homeworking”.

It would be good if this relatively small change causes a change in culture and a general opening-up in some companies’ attitudes. But it ain’t likely. The extended eligibility isn’t of itself likely to generate enough numbers to require wholesale changes to company services and infrastructure.

Many firms already have staff who regularly have to be supported remotely and/or outside “normal” work hours. Consultants regularly operate from client sites, and managers move between multiple company locations perhaps in different countries. Large sales forces are predominantly home based. And people who work either side of their on-site time can be seen (or, too often, heard!) on any commuter train.

Then there’s the issue of trust. This one surfaces with every new technology. In the 1990s, managers worried that company information would leak away by email, and that employees would spend all their time surfing the then-new Web. The controls that were introduced, including use of the X.400 standard, have melted away and email and the Web have become essential business tools. Now repeat that, but for 1990s substitute 1920s and for email and the Web substitute the telephone. Yes, it’s true.

There have always been ways to spend time not working, and there always will be: but why would a company hire people it believes it can’t trust to work? If staff are meeting their objectives then that should normally be enough.

And, yes, security of proprietary or confidential information is a valid concern. But when I used to commute I would regularly see lawyers heading for a nearby Crown Court reading their briefs on the train. Nary a computer in sight; but their clients’ names, addresses and misdemeanours were well open to public gaze. This isn’t a technology issue either, except in so far as technology makes it possible to lose larger quantities of information much more quickly!

The chance and potential impact of a loss can be estimated. The costs and disbenefits of excessive control can be measured, with a little trouble: slower response, potentially lost business, employee evasion of controls perceived as over-intrusive. That’s to say, a risk assessment needs to be done. The mitigation strategies include employee education (staff don’t learn about these issues from setting up a home network) and appropriate technology solutions (such as DRM and highly secure gateways) to reduce the likelihood of the most significant adverse events.

So there’s some good discussion in the Computing article. But the hype, and the confusion of several issues, makes it less valuable than it could be. “On Monday 6 April, an estimated 4.5 million extra requests for flexible working could, theoretically, swamp UK firms”? I don’t think so.

• How to gear up for a surge in remote working, Computing, 2 Apr 2009
• Flexible working rights extended, UK Directgov newsroom, 3 Apr 2009
• Demographic Trends – The U.K. Workforce…..Brewing Risks Eric Seubert, Talent Readiness, 23 Jun 2008
• Flexibility – Resources for New Ways of Working Flexibility is an online journal which has been covering and advocating flexible working since 1993. It looks like a most useful resource

Is it “OK to stop the project”?

Mike Rasmussen of Corporate Integrity has been busy. He’s in the right business – in the current climate, regulation and compliance are climbing right up the agenda and there will, I’m sure, be many extra demands on IT to provide visibility of data and respond to new regulatory demands.

If you read this in time, Mike is hosting a webinar today (Tuesday 7th) at 5pm UK time. He’s done a lot of work on a new structured analysis of the global regulatory and compliance (GRC) arena to identify the issues, and, he says, to define 13 core technology areas that the organization should build into an enterprise architecture for GRC.

Gartner have released a short note (and right at the moment it’s available for free) advising IT organisations to prepare for three scenarios: flat spending, a 20% reduction, and a small increase. But I haven’t seen anyone suggesting that IT should be prepared to increase spending on GRC, either by a budget increase or by diverting resources from other things. Think on!

You might like to look at George Colony’s take on the mess as well. He proposes three general rules:
• Apply a simple rule: “If it doesn’t make sense, it doesn’t make sense.”
• Risk assessment and management programs (perhaps within Sarbanes) should be placed on alert to identify danger points (by which he means: where computer models fail rule one)
• Never be afraid to say Andy Grove’s favorite business word: “No.”

This last one reminds me of a visit I paid a year or two back to London Heathrow’s Terminal 5, which was then one of the UK’s biggest building projects. The biggest message, plastered all over the site and aimed at everyone from plumbers to executives, was “It’s OK to stop the project”. No-one was going to get hammered for saying something was going wrong, or unsafe, or didn’t make sense. Most building projects, our host said, get built one and a half times. They aimed to avoid that cost, and did.

• GRC 2.0 the GRC EcoSystem Mike Rasmussen, Corporate Integrity, 6 Oct 2008
• Hal destroys Wall Street Counterintuitive: George Colony, Forrester CEO, 3 Oct 2008
• U.S. Congress Rescues Banks but Pressure on IT Budgets Looms Gartner, 6 Oct 2008