w: www.meantime.co.uk
t: 01539 737 766

Sunday, 19 July 2009

Data security

Last week I was at a meeting in London with a project team from a publicly funded organisation and we were discussing how Meantime (the company I work for) would receive some data required for the initial stages of the project. One of the people 'round the table joked that they would give us the data on a flash drive as long as we promised not to leave it on any public transport.

Over the last few years, of course, there have been a number of incidents where this has happened - laptops and external drives left on buses and trains - sometimes with very sensitive data being lost as a result. Worryingly, I think that most people assume that it will happen again, which is dangerous; the acceptance that such incidents can be classed as just 'one of those things' makes people more careless.

I believe that the fundamental issue is that companies are very good at looking after data when it's where it is supposed to be. The database may be behind a firewall and access to that data may be only via an application that requires a valid user name and password from the user. The problems start when the data is extracted or reported out and stored somewhere else.

Earlier this year I had a meeting with a client who was so cautious about his data - which was, admittedly, of enormous commercial value - that he disabled his (password protected) laptop's wireless functionality before he'd open the spreadsheet containing the core data. I asked him where he backed up his data to and he produced an external drive from his laptop case. Quite apart from the fact that someone stealing his laptop bag would also have his backup, the drive was not protected and the spreadsheet, which was not itself password protected, could easily be accessed.

Similarly, data is downloaded to disks and printed out to paper reports, i.e. taken away from its secure environment, which are then being handled by people who under normal circumstances would not have access to that data.

However, there is a solution and it's one that well established, easy to use and free.

True Crypt is available for download from the web and you can read all about it here: www.truecrypt.com. And if you don't want to read all that - it is rather techie - then let me just say that I've been using True Crypt for a couple of years now and I can't sing its praises highly enough. It is simple to install and to use and means that no one can access the data without a valid password.

Another alternative is to use WinZip (www.winzip.com). While many applications will open a ZIP file, allowing the files to be seen (if not their contents) it is still possible to password protect the files.

For me, the biggest advantage is that True Crypt is able to turn a whole device into an encrypted drive meaning that if, for example, you have a flash drive that contains your business data, it cannot be accessed at all without the True Crypt software and, of course, the password required to access it.

It goes without saying that we live in an increasingly data driven society and the boundaries around our personal data are increasingly blurred. Businesses cannot afford to be anything but strict and diligent about their data protection: slip ups will certainly lead to a massive drop in credibility - either within your organisation or with your clients and customers - and may lead to legal action and a loss of business advantage depending on the data that is leaked.

Policies and procedures are essential but the use of tools like WinZip and True Crypt offer a concrete method of ensuring those practices are enforceable.

Wednesday, 1 July 2009

Case Study: Coniston Corporate UK

I decided to choose our work with Coniston Corporate - www.corporate-embroidery.co.uk - as a case study because while the specifics of the projects are, of course, tailored to their business needs, there are some elements of the software that apply to many businesses, especially those that buy in raw materials, add some value and then sell on to other businesses or the general public.

Coniston sell workwear and other clothing, which they embroider for their customers. Driven by a very capable MD, Paul Reilly - from whom I have learnt a thing or two - the company has grown significantly yet maintained its success over the last few years. When I first met Paul, the company had a set of slick paper-based processes in place but as the business grew the overhead of maintaining the paperwork was becoming a serious overhead and also a risk to the business.

Quite apart from the concerns around pieces of paper getting mislaid and related issues around business recovery, there were some other challenges that were not easy to meet with a paper-based system:

- Ensuring that corresponding supplier orders went out to meet the requirements of the customer orders that were being received.
- Ensuring that when supplier orders came in, that the right customer orders were identified and prioritised for production.
- Reporting on margins to make sure that while Coniston offered the best price to their customers, they were making the right profit to sustain and grow their business.
- Keeping on top of their invoicing and statements, especially as customer orders were not always shipped in one delivery.

As is our usual practice, we took the time to listen to Coniston's requirements but also to understand the business context in which those requirements were set. The enabled us not only to devise the most appropriate software solution but also to deliver an application that was designed to develop with their business strategy.

Briefly, the software works like this: when a customer order is received, the items required from a supplier are automatically added to a supplier order (and the system caters for the fact that these items may come from different suppliers.) At the end of each working day, the supplier orders can be printed for faxing or sent by email, depending on the supplier's preference.

When a supplier order is received, the system identifies the customer orders that can now be processed and, when that work is marked as complete, the invoices are generated. The invoices can be printed for posting, sent as a system generated PDF by email or both.

This brings me to an interesting point. When we build systems like this, they naturally and implicitly hold information about the business itself, which is built up through usage. It is very easy for us then to write reports that the client can access whenever they want, such as number of orders this month, total and average values, comparisons with the equivalent period in prior years and so on. This is incredibly valuable business information and it is available easily and on demand without recourse to us.

It is, I think, apparent from the above, that a system that supports a business in this fashion, saves on tiresome - and error prone – administration. Furthermore, the salaries that are saved by not having to employ extra administrative staff can be seen as a method by which the software effectively pays for itself.

Incidentally, once we had the complete working database for Coniston, it also enabled us to build a dedicated site for the workwear - www.coniston-workwear.co.uk - at a relatively low cost, as well as the 'Coniston Shop' function, which gives Paul the facility to set up online shops for his clients: you can see examples here and here. Incidentally, Paul requires no input from us each time he wants to set up a new shop.

Finally, I would just say that even though I picked the above example because it contains elements that apply to many businesses, it is a source of constant interest to me how different companies ask us to implement them in different ways. Over the last five years particularly, it has become obvious to me how few business needs are genuinely met by a package solution.