In my interview for Arrk, I was asked what I wanted to get out of this job. If I remember rightly my response was something like: “I’d like to learn all about the computer systems that are increasingly pervading every aspect of modern life.” I am now in my 8^th month.

When I started there was no predefined role for me. I am a physics masters graduate with interests in what sometimes feels like too many things. At the interview I was asked “What area would you like to specialise in?”

I replied: “Anything really – I’d probably be more competent at backend programming due to the scientific nature of it. Data science is something I would find my feet in with some speed, can I learn about machine learning? Hang on, I’m also really interested in Human-Computer-Interaction and information design so maybe I’d like to try my hand at UX (I was a little concerned that this would show me up as being jack-of-all-master-of-nothing – Maybe I should show them the bajillion and one ideas in my notebook?)”

In my first week, another new employee, Jake (a BA from IBM) and I were given a project: design and build a tool to assist with the “alignment and propagation of goals throughout Arrk”.  We spent the next four months working with a team across Mumbai and Manchester, researching, designing and building. The whole team was open and supportive, which as a newcomer was really reassuring.

Along the way I tried my hand at the following…

 

Design Thinking

The first few weeks of the project was all about research and design. We conducted some internal Design Thinking sessions. Design Thinking is a creative strategy for solving problems. It takes you from discovery and specification of a problem, through design, iteration and then a proposal of prioritised work ready to be designed. It was also a great way to get to know other employees – interesting to see how other staff members reacted to how a newcomer might go about such a task. It did feel as if my mistakes were valuable. I even feel like we made a ‘mArrk’ on their methodologies.

UX Design

With guidance from an experienced designer, Jake and I designed the interface for the first release of our product. We crafted paper prototypes, tested and improved them. We then built digital simulations, conducted user tests and iterated. My main lesson from this has been ‘build for the user, not the machine’.

Programming

Studying for a physics masters taught me computing methods for solving equations, data analysis, lab work, microcontroller programming and more. After four years of scientific computing, I thought I understood programming. How wrong I was! Building software with a distributed team is very different. New areas for me included front-end development, databases and working with frameworks.

 

It feels quite unique to be working in an organisation with such a flat structure and open culture where failing (fast) is encouraged and ideas are never shot down. To see a project through from its inception in your first week of a new job, through development and into delivery is an extremely valuable experience to have. When an exciting customer facing project came along next, we were now ready to jump straight in!

 

Do you have what it takes to join our rapidly expanding team? Visit our careers page to see some of the exciting and extremely rewarding vacancies we have to offer.

For over twenty years it’s been possible to protect interaction with websites using encryption. The majority services we interact with daily such as online banking, major online retailers and social media giants such as Facebook, Google, Twitter etc use this technology by default. Website developers and infrastructure engineers have long known the value of web site encryption, but the message had not been given significance to the public.

Now Google, and other browser vendors, are taking steps to explicitly inform users sites are not secure. Organisations need to respond to this challenge by ensuring that their websites are appropriately protected.

HTTP

Hypertext Transfer Protocol, the mechanism that is used to send content to and from web sites.

HTTPS

HTTP extended with TLS to encrypt communication between browsers and web sites.

SSL

Secure Sockets Layer, deprecated technology to implement website encryption.

TLS

Transport Layer Security, replacement for SSL. Confusingly, some use SSL to mean both TLS and SSL.

Certificate

During a browser connection to a website it offers a certificate that guarantees the website is authentic. The data associated with a certificate is used as the basis for TLS encryption.

What are encrypted websites?

There are two ways to give access to a website. HTTP – where data is sent unencrypted between the browser and the web site, and HTTPS – where that data is encrypted using TLS.

With unencrypted HTTP sites, anyone can see the interaction “in transit” between the browser and the web server. For example, if you log in to a site anyone on the same network can, in principle, view your password with simple tools. Likewise, an ISP or other entity could intercept and record everything you do.

With encrypted HTTPS, this interception is far costlier and time consuming, the mathematics behind HTTPS ensures that while it is very “cheap” for browsers and web servers to secure the network traffic sent to and from a site, it requires a practically unreasonable investment in time, money, expertise and equipment to break this encryption.

An additional advantage of HTTPS encrypted sites is a guarantee (using a certificate) that you are looking at the real site, and not a copy designed to collect your data, such as passwords for online banking.

Why aren’t all websites encrypted?

Historically there was a non-trivial investment required to enable HTTPS on a site – in terms of cost, expertise and computing power.

Today HTTPS can be obtained at a very low cost (sometimes for free), tools and automation simplify deployment, and as computing power increases, it’s estimated that the overhead of HTTPS accounts for less than 1% of processing power for a typical website.

In short, unless you have overriding reasons to do so, your website traffic should be protected with HTTPS, and insecure HTTP should not be used.

What is Google doing and why?

Google is leading the way on encouraging adoption of HTTPS:Google is leading the way on encouraging adoption of HTTPS:

• In successive releases, they have slowly changed the behaviour of the Chrome browser to display an explicit warning when people browse to a HTTP website.
• Prioritising results for secure sites in search results.

In the October 2017 release of Chrome, non-HTTPS pages where a user can enter data will be very clearly marked as not secure:

Google has stated that in future its plans to show the ‘not secure’ message for all websites that are HTTP and not HTTPS, even if data isn’t being entered:

Websites that use HTTPS will continue to be marked as secure.

Even if a site uses HTTPS it doesn’t mean it is fully secure. Ensuring that your site is HTTPS-only is an essential step in making your site secure, but that’s only part of the security picture. Your application may still have insecure behaviours that can afford leaking of user credentials and data, and other attacks. Reviewing the list at https://www.owasp.org/index.php/Top_10_2013 is a good starting point.

What you need to do?

You need a plan to ensure that HTTPS is the only way to access your site(s). However, before we take the plunge, we must be aware that:

• All non-sensitive pages should be automatically redirected to the HTTPS site. This ensures that results from Search engines (such as Google) and entries in user bookmarks and history continue to work.
• Some level of testing is required, not only to ensure the website works, but to ensure that some sensitive functions such as login pages, can’t be accessed indirectly via HTTP. Note that significant rework of a site for HTTPS is a potential indicator of poor software architecture or quality of implementation.
• You may need to inform your users of the change as they may need to change their bookmarks.
• Certificates associated with HTTPS are designed to expire, typically after a year or two, and if they are not renewed, you will be in the potentially embarrassing situation of a site being marked “not secure” due to the expiry. Therefore, ownership of certificate renewal must be clearly defined.
• Web services and APIs require different considerations, for security reasons we should generally avoid redirection of HTTP to HTTPS for APIs, so the migration requires careful planning and clear communication to API consumers.
• Ensure that other detailed technical concerns are considered, e.g. ensuring that your user session cookies are set to “secure”, the use of HSTS and that the site security configuration follows industry guidelines e.g. https://wiki.mozilla.org/Security/Server_Side_TLS.

Managing the migration on modern Cloud infrastructure

All modern cloud platforms offer tools and services to simplify HTTPS configuration. For example, both Google Cloud and AWS have low, or zero, cost “certificate” services and load-balancing infrastructure that essentially abstracts configuration away from your site.

Managing the migration of legacy websites

In older/more traditional architectures, you may need more careful planning and testing around configuration of applications, web servers and other infrastructure. In principle this is straightforward, but in practice an experienced infrastructure architect may be required to ensure HTTPS is implemented correctly and securely. Tools such as https://letsencrypt.org/ help, but are not a substitute for planning, testing and understanding.

Lessons for leaders

• All new sites must be HTTPS-only
• All existing sites should be reviewed
• Making a site HTTPS-only isn’t a silver bullet for security – your application could still have insecure behaviours
• If a site is migrated we must take care that testing is done, including checking that existing links still work
• Web services/APIs migration requires careful planning and communication
• Modern cloud infrastructure makes migration easier
• Legacy sites require more detailed and skilled work

How Arrk can help

Google is taking steps to notify users when they access insecure HTTP websites using the Chrome browser, we need to respond to this challenge by ensuring that our sites are encrypted using HTTPS.

Arrk has a wide range of skills in bespoke software development, infrastructure and application security, cloud management, testing services, HTTPS migration strategies and low-level HTTPS build and configuration, to offer these related services:

• HTTPS Migration
• Cloud management
• Infrastructure optimisation
• Full-Stack Security Review
• TechmArrk™ Software Architecture Review
• Software Testing
• API Design
• Architecture modernisation

A new-starter, a young graduate just out of university, is sat in a meeting attended by some senior managers who are discussing an important business initiative. The graduate notices a glaring error in the financial statement on the screen that the room is discussing. Feeling unfamiliar of the people in the room, recalling comments about one particular manager’s tendencies, and not being 100% sure of herself, she decides not to say anything.

What the graduate is doing is called impression management. This is an attempt to influence the perception that others in the room have about her and, whether it is conscious or subconscious, her environment is causing her to do it. Don’t want to look ignorant? Don’t ask questions. Don’t want to seem incompetent? Don’t admit weakness. Don’t want to be intrusive? Don’t offer ideas. Don’t want to be negative? Don’t critique the status quo. The answers are obvious, and unfortunately for employers, they’re effective too.

But why does this matter? Amy Edmondson, Professor of Leadership and Management at Harvard Business School points out that every time we avoid taking these interpersonal risks, we deprive our colleagues and ourselves opportunities to learn, improve and innovate. Some groups have built a culture where these risks are reduced and people are more than willing to speak up and be themselves.

Where the need for impression management is greatly reduced, the team benefit as a result. Edmondson coined the term ‘psychological safety’ to describe this group dynamic. She goes on to define psychological safety as: “a shared belief held by members of a team that the team is safe for interpersonal risk-taking…a sense of confidence that the team will not embarrass, reject or punish someone for speaking up…it describes a team climate characterised by interpersonal trust and mutual respect in which people are comfortable being themselves”.

Edmondson stumbled upon this phenomenon during a study in which she set out to find whether better hospital teams make fewer medication errors. She used a survey and a team effectiveness measure to assess several groups from different hospitals.

Meanwhile the rest of the team collected data on adverse drug errors, i.e. how many times the teams had made out incorrect prescriptions. When Edmondson analysed the data, she found exactly the opposite of what she had expected; the best teams were making the most mistakes. So, she put forward a counter hypothesis; the best team were not making more mistakes than the others, they were just owning up to more of them.

She then sent an unbiased researcher, with no prior knowledge of her study or hypothesis, to investigate. What he found was that the amount of errors correlated positively with the rating of the openness of the climate within the team (later termed psychological safety by Edmondson).

These teams were encouraged to openly report and get to the bottom of errors and they felt comfortable doing this with their colleagues. The table below shows the hospital teams and their number of reported error, sorted by psychological safety rating.

 

In 2012 a study by Google, called Project Aristotle was conducted to understand what made their top teams so good. Researchers scrutinised approximately 50 years’ worth of academic papers on how teams worked together and started to analyse Google teams based on the most popular theories; how often did they socialise? Were they all a certain personality type? Did gender play a role? Were their educational backgrounds similar? No matter how they viewed the data, they could not distinguish any patterns which suggested it was the ‘who’ of the team that determined the effectiveness.

Researchers began examining group norms, sometimes referred to as ‘unwritten rules’ or ‘team culture’. Amongst others, they identified two group norms in particular that were virtually ever-present in the high performing teams: ‘‘conversational turn-taking’’ and ‘‘average social sensitivity’’. Conversational turn taking is the inclination of a group’s members to speak for roughly the same amount of time during an interaction. Average social sensitivity is how good members of a team are at knowing how their teammates are feeling based on tone of voice, facial expressions and other non-verbal cues. Conversational turn-taking and average social sensitivity are key indicators of a psychologically safe work environment. This finding led the Project Aristotle researchers to name psychological safety as by far the most important trait of a high performing team.

This is good news for organisations because the idea that you need to hire the best-of-the-best in order to build a high performing team is partially dispelled. Rather, team effectiveness is significantly boosted by focusing on fostering a culture where people are comfortable to be themselves and take risks with one another. The next question is “how can we create such a culture in our teams?”. Sometimes these cultures emerge naturally as a result of good leadership or favourable group dynamics but, usually, we need to actively foster these group norms in order to reap the benefits.

The next article in this short series will look at how the best managers lead by example by being securely vulnerable.

Voice search is on its way towards disrupting the search engine industry and how we discover content online. It’s posing challenges for search engine marketers as the nature of search changes from text-based to voice.

What is voice search?

Voice search uses voice recognition technology to enable users to search for content online.

For example, instead of navigating to the default search engine installed on your mobile, and typing in something you want to know, you might say “OK Google. Where is the nearest coffee shop to me with free wifi?” Hopefully, your mobile (or personal assistant) will tell you the answer.

At the moment, voice search is most popular with teenagers. ComScore confidently estimates that, by 2020, 50% of all searches will be made using voice. We are now interacting with machines in a much more human-like way, talking to them as you would a friend, and relying on this technology to accomplish goals.

Voice search appears to herald moving away from screens. Gartner predicts that by 2020, 30% of web browsing will be screenless. This medium is non-visual and poses challenges for businesses that rely heavily on design to communicate their brand, or have a name that is hard to pronounce.

Benefits of search

Voice search integrates more naturally with the demands of the physical world.

Using voice search is much easier than typing when a user’s hands or vision is occupied. For example, when driving, or walking down the street, and it’s important to be looking ahead.

It’s more accessible for users who have a physical disability, and typing on a screen would be too difficult for them, or even impossible.

Using natural speech is easier than trying to search in the language of search engines. In many situations, voice search also generates faster results.

How businesses can adapt to voice search

With no visual cues due to the absence of a screen, businesses have to optimise separately for voice search to stay ahead of the curve and ensure they can be successfully found. Natural language, and a question and answer format, is the key to optimising for voice search.

A company’s website navigation and structure has to make sense with users jumping around using voice commands, perhaps disrupting the typical task flow expected when designing a site.

Viewing users as action-oriented rather than search-oriented will transform the nature of connective technologies. This means developing a greater sensitivity to the context in which technology is being used. Instead of imagining a user sat at a desk typing queries into the search box, imagine them walking down the street or driving a car.

It requires knowing the needs and mindset of customers inside out, understanding how they are moving through their environment, and the kind of tasks they might use voice search for. For example, finding their nearest vegan restaurant, or ordering a taxi.

Voice search is also disrupting current advertising opportunities and organic search results. Instead of being able to serve an advert in the search results, businesses will have to find alternative ways to reach their customers.

The future of search

Accuracy is key to the future of voice search. In order to increase the rate of adoption, it has to be easier and more successful than the traditional way of searching online by typing keywords.

Voice search technologies are fuelled behind the scenes by ‘skills’ (like apps) that provide the relevant information or data to answer user queries. The number of these available skills is growing to accommodate more diverse and complex queries.

The online world is going to become increasingly defined by what delivery agents like Google or Amazon define as legitimate or expected activity. There is a huge question mark over the potential that this technology has to shape the way we interact with the world.

If we already had privacy concerns about our identities and data online, then the potential for one of these companies to be recording our speech or even whole conversations has serious implications.

Relationship to Smart Homes

It’s less about killing traditional search and more about mobile technologies permeating even more areas of our lives. Instead of there being a hard line between the virtual and the physical world, personal assistant products help us control our environment digitally.  

The personal assistant market is one way of capitalising on voice search technology, and currently includes products like Amazon Echo and Google Home devices. Users can talk to their devices and use them in the same way they would a traditional browser.

As more products become ‘smart’, including televisions, thermostats and fridges, they can be linked to your personal assistant, and the possibilities for using voice to manage the home are increasing rapidly.

By developing a smart home ecosystem, businesses are increasing their revenue potential in a new market.

Final remarks

Voice search underlines how digital technologies are evolving towards being increasingly user-focused. Understanding your customer is truly key to succeeding in the future of search.

Recordings of natural speech are becoming a more common data format that platforms will need to make sense of. At the moment, Google Analytics does not make voice search queries available, but Google has hinted that this functionality is coming soon.

As with any new technological development, the industry may panic about “the death existing technology”. The reality is, change is much slower than that, and voice search will grow to complement existing search technologies.

Businesses should embrace the change that is coming, and anticipate that, while creating content is still important, the ultimate consumer of that content might eventually be a virtual assistant mining for data.

Ever heard of European Union General Data Protection Regulation (EU GDPR)? It may be quite the mouthful, but it’s one that will soon be rolling off the tongue – because you have less than two years to ensure you’re compliant with it.

Wait… what is EU GDPR?

In short, GDPR is regulation being introduced by the EC, European Commission, with the intention of strengthening data protection in relation to people who are part of the European Union while also addressing the export of data outside the EU. When it is introduced, it will take the place of the existing data protection directive of 1995.

This new regulation was officially adopted on April 27, 2016 with a two-year transition period. It will officially enter into application on May 25, 2018.

So what does EU GDPR change?

EU GDPR includes a host of changes to existing regulation. The main changes are:

Consent

The legislation insists that valid consent must be collected and that it must be explicit. In the case of children under the age of 13, consent must be given by a parent or valid custodian.

Data Protection Officer

When processing is carried out by a public authority, or in private sector situations where regular monitoring of data subjects is necessary, a person with expert knowledge should be in place to process the regulation. This data protection officer is different from a compliance officer in that they would also need to be proficient in the handling of data security, such as dealing with potential cyber attacks; be able to address critical continuity issues; and manage IT processes.

Data breaches

It would be necessary for the data protection officer to inform a supervisory authority immediately if a data breach takes place with individuals also needing to be notified if there was a risk of an adverse impact.

Responsibility

Notice requirements have been expanded and now include retention time for contact information and personal data. Some of the features include article 22, which outlines that profiling must be contestable with citizens having the right to question decisions that affect them; while article 25 insists that data protection automatically be part of services and products.

Scope

All of the regulation takes effect if the organisation or the person him/herself is based within the EU but, unlike existing regulation, will also apply to organisations based beyond the EU’s borders if they are processing any data relating to EU residents. Personal information can include anything from names to email addresses, photos, bank details, medical information, social networks and more.

Single set of rules

There will now be a single set of rules throughout the member states of the European Union rather than different rules in different areas. Each state will establish an independent supervisory authority that will be responsible for investigating complaints and sanctioning offences. If a business has several establishments across the EU then it will need to have a single “lead authority” based on the place where the bulk of its processing activities take place – this will then supervise all processing activities throughout the area.

What happens if you don’t comply?

There are, of course, consequences for those who fail to comply with EU GDPR. The first step would be a warning in writing; following by regular audits; fines potentially as high as two per cent of annual worldwide turnover or 10,000,000 euros in the case of an enterprise; and a fine of up to 20,000,000 euros or up to four per cent of worldwide annual turnover in other cases.

Hold on… what about Brexit?

If you’re thinking that these rules needn’t apply to you because the likelihood is that the UK will exit the European Union by exercising Article 50 following the Brexit vote before May 2018, then think again.

The UK is widely predicted to exercise Article 50 “at some point” during 2017. At that point, a two-year process to complete an exit from the European Union would begin – taking until well into 2019. As such, the EU GDPR rules will certainly apply upon their enforcement in May 2018 – and possibly much longer if the UK decides to retain these rules as part of its exit negotiations. Preparations for EU GDPR can’t wait – meeting the budgetary and governance implications will take time and there is no guarantee that they will be diminished even when the exit is complete.

What impact will this have on companies?

Speaking to The Register, Gavin Siggers, of data storage firm Iron Mountain, outlined that companies will struggle to keep up with the new legislation outlining the obstacles of “knowing what data they hold, why they hold it, where it’s kept and how long it should be kept for.” However, he does believe that over time it should help to reduce risk exposure.

Companies now have an obligation to protect personal information no matter how it is processed. This will mean a complete re-examination of the way they store data – including focusing on any cloud apps that may be used across an organisation. With GDPR there are specific provisions for unstructured data and organisations will need to manage how their employees interact with the cloud to ensure they remain compliant. In addition, companies must look beyond simple data residence and consider the paths data travels.

What’s clear is that there is no time like the present. There is no excuse to wait for the implication of Article 50 – EU GDPR will affect businesses even if only for a short period, by which time so much money and time will have been spent on the transition that it only makes sense to maintain its structure. As such, it is vital companies take measures now to complete what will be a difficult and comprehensive transition.

There is a new term that has entered the vocabulary of not just information technology specialists but also those within the financial services industry, in the form of “fintech”. Referring to the plateau of technology emerging in the financial sector in the 21st Century, fintech has become much more than a term for technophiles – instead it is, depending on who you speak to, seen as a disruptor to the industry that can either take it to new heights or threaten the sector in its existing form with fears that new fintech concepts such as robo-advisors could soon displace their human alternatives.

So what exactly is going on with the fintech industry today? Here we take a look at some of the common trends and features.

Customers want it even if financial services don’t

The general idea behind the influx of fintech is that it has the potential to boost customer profitability. Many believe the push is being driven by millennials but in fact it may be broader than that. A tech-savvy generation is known to reject apps and other products that do not easily integrate into their lives – however, with financial services being an essential part of our lifestyles, an increasing volume of people are looking for fast and easy methods to carry out transactions, access their accounts, read policy details and more.

So what are customers demanding?

Step one | Chat applications

One of the common features of the emerging fintech sector has been the introduction of chat applications for banking with TD Bank the first to integrate a messenger platform into its customer service offering.

Step two | Biometrics

With the development of new technology comes a host of new concerns about privacy and security, especially relating to personal data. In an article entitled Biometrics Continues Its Move Into Financial Services, Paul Schaus outlines that around 50 financial institutions around the world are currently looking to implement biometric authentication at contact centres – with the idea being that further organisations are likely to adopt the technology over time.

Step three | Voice recognition

Much like the development of biometrics, voice recognition is also playing an increasing role in financial services. In March this year, Capital One gave its clients the possibility to access their finances using their voice alone with those who activate the service able to get into their accounts and pay bills just by speaking into their devices. Financial companies are looking to capitalise on the significant investments being made into voice-driven tools by major web and software players including the likes of the Amazon Alexa Channel, Facebook M, Google Now and Microsoft Cortana.

Step four | Internet of Things

Of course every industry is exploring the Internet of Things and finance is no exception. One of the most obvious examples relates to wearable devices – Fitbit, for example, has recently taken over the start-up company Coin with the devices currently being used to pay for purchases. However, in the future it is likely that their uses will extend far beyond this and include alerts for things such as how close you are to slipping into an overdraft; sales linked to your location; and more.

Rapid development | blockchain and insurance

While some aspects of fintech are being directly demanded by consumers, others just make sense for the financial services industry. One such example is the growing interest in blockchain among the insurance sector.

According to a McKinsey report, there are three broad ways in which blockchain can potentially facilitate growth among insurers – namely to enable customer engagement; to help them produce cost-efficient offerings; and to enable the development of products linked to the Internet of Things.

For example, blockchain could assist life and health insurers in accessing personal data as while the data will need to be verified it will not need to be stored on the blockchain, boosting trust and privacy. In addition, it could improve customer engagement by offering a greater degree of transparency and fairness in relation to claims handling and premiums. Smart contracts were used by start-up company InsureETH to show how a peer-to-peer flight insurance policy could initiate payouts for insured flight tickets as soon as flight delays or cancellations are verified from data sources. Indeed it is believed that smart contracts could offer a host of benefits, particularly in relation to reliable and transparent payouts; while also increasing fraud detection and reducing administrative costs – all of which should benefit the insurance customer in the form of reduced premiums.

The pros and cons of fintech

How successful fintech will ultimately be is largely dependent on its ability to convince consumers that its benefits outweigh any perceived negatives.

One example of this is in relation to big data. In October 2016, the Financial Conduct Authority (FCA) issued a feedback statement on big data, dropping its plans for a full-scale investigation probing how insurers use data on customer behaviour to calculate premiums. Its conclusion was that customers are seeing benefits from big data use – such as telematics in vehicles and lifestyle-related life and health policies – but that there are also some potential risks to consumer outcomes and that insurers must comply with data protection and privacy rules when using big data to calculate premiums.

Some see this decision as opening doors for insurers to use sources such as social media to gather information on consumers; while others are worried that it could create an underclass of people who are being priced out of insurance.

This example is just one of many. While millennials may predominantly be open to fintech opportunities, it seems there is a reluctance among older generations – and indeed among some younger generations too – to trust new technologies, especially with something as personal and important as financial data. As such, while the innovations may keep coming, it’s now up to the fintech companies to prove that the pros outweigh the cons and earn the trust of more than just the tech-savvy few.

Today’s criminals are, on the surface, quite a lazy bunch – after all, now they commit their crimes without even leaving their own homes. Sadly however, for anyone who has fallen victim to cyber-crime you’ll be well-aware of just how smart and technologically sophisticated this new generation of criminals has become.

Individuals may believe that preventing cyber-crime is as simple as choosing a cryptic password and being careful not to share your personal data. However, if you’re running a business you have a lot at stake – not only your livelihood but potentially vital data about your clients or customers too. So what can you do to protect yourself against this constantly evolving threat?

The scale of the problem

Think cyber-crime won’t happen to you? Sadly, it seems a lot of UK businesses don’t consider it a particularly large threat with a study by broking giant Aon revealing in August 2016 that just seven per cent of small and medium enterprises (SMEs) have cyber insurance.

Putting your head in the sand, however, can be a costly mistake. According to the Office of National Statistics there were more than five million cyber-crime incidents detected in the UK alone during 2015. Indeed cyber-crime now makes up 44 per cent of Britain’s total crime. From this eye-catching total, 72 per cent of cyber-attacks come from organised gangs within the UK.

If you think that the bulk of criminals probably target large organisations, then think again. A Government Security Breaches survey revealed that 74 per cent of small organisations reported a security breach during 2015 – it actually seems that SMEs are being specifically targeted, perhaps because they lack the sophisticated security systems that are often in place at larger organisations.

So how can you protect your organisation?

The reality is that every day there are new cyber threats emerging and there is no fool-proof approach to protection. However, there are a number of measures to implement that can greatly reduce the level of the risk you face – that can help to protect you, or, at the very least, minimise the impact of an attack.

• Boundary firewalls and internet gateways: One or more firewalls should be installed on the boundary to your internal network. This should ensure that each service able to go beyond the firewall first meets with the authorised computer’s approval.
• Secure configuration: There are a host of basic technical steps you can introduce to minimise the chance of an attack, including the removal of unnecessary accounts and software; regularly changing passwords; and personal firewalls.
• User access control: The idea here is that user accounts should only be accessible to those with special privileges, i.e. authorised individuals. Special access privileges should be restricted to a limited number of trusted parties.
• Malware protection: Malware, including viruses and spyware, is written with the purpose of performing unauthorised actions. Malware protection software should be installed and kept up to date with regular scans.
• Patch management: Software running on a computer should be kept up to date. Make sure you are using licensed software that ensures security patches for known vulnerabilities are made available. This should include regular updates to software.

More sophisticated protection

The examples above are just a starting point – a basis and good practice to follow. However, if you’re really serious about security then there are further steps you can take.

Step one – Full encryption

It’s a straightforward first step, but make sure all of the data on your hard drive is encrypted as chances are it contains a treasure chest full of information – from email messages to chat logs to download history. Full disk encryption technology such as Microsoft Bitlocker or FileVault for Mac users are a good starting point to ensure that data is scrambled.

Step two – Encrypted file volumes

While full encryption is a good starting point, and an effective baseline of encryption, if you hold particularly sensitive data then you may wish to create a separate encrypted file volume for ultra-sensitive files. VeraCrypt and Ciphershed are two of the most well-established programs in this area. If you combine these programs with full encryption then your system is going to be as hard to crack as any.

Step three – Encrypt USB drives

Careless handling of USB drives can lead to data leakage. You can encrypt USB drives just as you would with your hard drive but this can cause problems if you wish to transfer data between platforms. As such look for hardware-based encrypted USB flash drives which will encrypt data as it is being copied on to the drive.

Step four – Trust in the RIGHT cloud

Cloud storage is designed to give you a fall-back in case anything goes wrong with your data and most firms go to great lengths to protect you. However, public clouds still carry risks so you may wish to rely on a private cloud on a network attached storage device or consider peer-to-peer private synchronisation where data is replicated automatically among privately owned devices.

Step five – Manage passwords

It seems like the most basic step in security, but passwords hold the key to your data. Password managers can help you avoid using the same mediocre passwords across multiple devices.

Of course, following these steps is not going to guarantee that nothing will ever go wrong and that you won’t be subject to an attack. However, they will greatly limit the risk of a breach taking place and help ensure you suffer only minimum consequences if the worst does happen.

Consider investing in cyber insurance too, as an added fall back and to limit the potential financial consequences if a breach does take place. Good luck and stay safe.

Project discovery workshops, most reading this article will be familiar with the term and what generally takes place during them and therefore why they are so critically important to the success (or failure) of a software development project.

The way we go about them at Arrk follows our defined and flexible EmbArrk methodology, which means we usually spend a two or three week period at the customer’s location (the gemba) where our team collaborates with all customer stakeholders to envision and elaborate, even if at a high level, the solution for the customer enunciated and (Arrk) elicited business needs/problems that the customer is facing.

The moot question that this article looks to answer is what value the tester brings during discovery workshops and why we need their participation. The EmbArrk crew, at most times, comprises a Business Analyst, a Technical leader, a UX/UI champion and a Test leader. As much as the Business Analyst drives these discovery workshops, the technical and testing member play much-needed complementary roles (i.e. 3 Amigos).

The tester’s contribution to the discovery process can be better understood if her role is clarified.

The Case for Curiosity

Testing happens better on the basis of understanding of what the domain is; be it the business, its mechanics, or the application in use. Testers, by nature, possess the needed inquisitiveness and more to probe deeper through questions, observations and hypothesis.

This curiosity complements that of Business Analyst and helps the domain knowledge to unfold broader and deeper benefiting the entire group. The tester by virtue of the customer provided overview sessions, understands first-hand what the business drivers are, what it expects to gain from the solution, what the quantifiable measures linked with the objectives are, the product roadmap and so forth.

The knowledge and her interaction with the business stakeholders facilitates the drawing of system boundaries, components within which interact and how, the workflow, who uses them etc. She even mentally or physically creates user personas to focus her tests and impersonate these stakeholders when testing.

The Case for Testability

The user story development benefits as the tester influences the story details, the acceptance criteria, questioning the likely implementation and so on. A key element that will be at play when the stories get discussed is that of ‘testability’ and the tester is the (Wo)Man Friday that the team desperately needs. Testability at its simplest refers to ‘how we test’. But testing is never truly simple and testability as such is greatly influenced by:

How much is known about the application?

”The difference between what we know and what we need to know is why we test in the first place” – James Bach

It follows then that more the information about the application, its users, testing can get better.

Documentation available (including test cases)?

This aids the application working knowledge thereby helping test better.

Application complexity?

Simply put, the higher the complexity, the harder it is to test. Example; a mission-critical product requires deeper careful testing than a shopping cart application.

Application size?

Example: a multi-module application interfaced with 3rd party apps requires more elaborate testing… more the code, more the bugs that can be expected so tests need to travel far and deep.

User interaction with the application?

When this is learned through observation, usability tests, etc. testers can mindfully work the application like the ‘user’ would.

What technology is used for the application?

Example: an iOS app has different standards to meet requiring a specific testing approach than an Android app. The tester may have knowledge specific to the language, tool and technology which she will utilise to ease the testing effort and efficiency.

What tools can be used to test better?

Example; certain application protocols used may necessitate specific plug-ins to be used when using LoadRunner tool which the tester is best aware of.

Competence of tester?

A more competent tester tests better and faster and highlights issues to ensure a faster feedback loop:

• Technical skills | A more ‘technical’ tester can have richer conversations with the developers so as to target areas to test.
• Soft skills | A tester having more skills on communication, collaboration, negotiation, assertiveness, initiative front is likely to more positively contribute to testing.

Past experience of the tester?

Example; prior exposure to data-warehouse product based testing will make future testing experiences in the same area more effective

Time available for testing?

The more time made available for testing the more stringent the testing will be and conversely, less time allocated for testing can have a negative impact on the effectiveness of testing.

Therefore it should now be apparent the benefit of having a tester present during project discovery workshops. Who can better speak for and determine testability than the tester who has spent her life in testing, day and night, thinking and doing, dreamt tests, laid awake at night thinking data combinations to provoke a defect or many, etc. As much as testing may be done by anybody, it requires great perseverance, thought, creativity and an exploratory problem-solving mindset to transform testing into an art and a craft form. Such testers provide fantastic value to a team tasked to tango together for a discovery workshop.

The Case for Testing Thought Leadership

Based on the above, a high-level strategy or a mind-map representing the thought-process of the tester in how she will test the application, types of tests, tools that will be employed, data, risks and so forth is created as one of the outcomes of the workshop.

Based on understanding through first-hand information, observation, discussions, clarifications, mental models – the strategy is expected to be well-designed and rich in content that will go a long way to begin testing on the right note. Along the way, the smart tester will likely make a point or two in letting the customer know that the application-whenever-under-test is in safe hands.  The assurance so provided to the customer is worth its weight in gold which may or may not be verbalised.

To conclude…

As much as the benefits of having the tester in discovery workshops / EmbArrk should be understood by now, let me express explicitly which puts a lid on this article as well:

• Assist in collective knowledge acquisition.
• Apply unique mindset that thinks functional, non-functional, testability, user-centric, business-centric, destructively and constructively to question, challenge and clarify the knowledge build-up
• Assist in solutioning aspects from story development to estimates to a release plan
• Ensure customer expectations of the application quality are understood so as to be taken care of through strategy formulation and testing carry-out.
• Ensure incorrect assumptions about testing are nipped in the bud
• Build rapport, provide assurance and demonstrate capability to test

Most if not all companies believe themselves to be customer-centric, but there is often a disparity between the self-perception and the reality. It is easy to hang pithy slogans on the office walls – delivering on these values is a much greater challenge.

Customer-Centricity is a Mindset First

It is important to understand the difference between being merely customer-focused or friendly, and actively customer-centric. Customer-friendliness is a part of customer-centricity, but it is not the whole thing. A customer-centric strategy means putting the customer at the core of everything you do, and fostering that culture from the top down. The customer’s requirements must be at the forefront of your thinking throughout each of your processes, whether developing new products, planning marketing campaigns, at the point of sale or post-sale.

Prioritise Your Best Customers

For a customer-centric strategy to be effective, the customer has to be viewed as your most valuable long-term investment – beginning with an acceptance that there is no such thing as the average customer. Customers each demonstrate different habits and preferences, meaning a one-size-fits-all approach to marketing is a non-starter. It is incumbent upon an organisation to be able to identify, using customer data analytics, the segments of customers who are most valuable, rather than targeting the mean. Without that intrinsic ability to understand your customers at a granular level – and defining their value in terms of projected lifetime, not past, profitability – you simply cannot be customer-centric.

Similarly, there is no one-size-fits-all definition of a customer-centric organisation, but some of the leaders in customer satisfaction and loyalty share certain characteristics and principles. So what are they?

Anticipating What Your Customers May Need Tomorrow

Most fundamentally, it is imperative your business develops a holistic view of individual customers’ interactions and experiences throughout their relationship with your organisation. There must be a recognition that customers’ needs change over time and that your organisation must respond as or even before they arise. One of the best examples of this is Amazon, whose customer-centricity is unambiguously targeted at four primary customer sets: consumers, sellers, enterprises and content creators. Over the years it has developed a profound understanding of its customers, empowering it to deliver what consumers expect today and – perhaps even more crucially – anticipate what they may expect tomorrow.

Operating 24/7 worldwide, Amazon boasts the most diverse customer-base but it recognised one core priority for all of its markets – to fulfil the customer’s need for the immersive, personalised and ‘always-on’ experience. It was this vision that drove the strategy behind the hugely successful Kindle eReader.

Amazon’s desire to innovate never wanes, and it sought to simplify the Kindle user experience – to allow their customers to sample, buy, download and read purchased, digitised content from a device even when on the move. For this to succeed, the device would require connectivity. Amazon’s ensuing partnership with Vodafone – another customer-centric business – saw to that, and in 2011 the first Kindle with 3G connectivity launched globally.

The Amazon / Vodafone collaboration exemplifies perfectly the idea that by focusing on the customer, anticipating their requirements and driving your strategy and product-creation around those needs, your organisation will go from strength to strength.

Customer Retention is King

Other core principles shared by prosperous customer-centric groups include:

• Using customer data analysis to measure, better understand and segment your customers base
• Identifying your most valuable customers
• Focusing on products and services for those customers with the highest lifetime value
• Demonstrating an across-the-board, top-down commitment to customer-centricity, across all channels
• Engaging with customers from the outset
• Designing and implementing processes and strategies from the customer’s point of view

Research across a variety of industries found increasing customer retention rates by a mere 5% increases profits by anywhere between 25% – 95%, while customer-centric organisations are around 60% more profitable than companies which eschew customer-centricity.

One way to figure out if a customer is high-quality – and therefore worthy of an investment targeting retention – is to calculate their customer lifetime value (CLV), which predicts the net profit a business will accumulate from its lifetime relationship with a customer.

Customer Lifetime Value (CLV)

Segmentation through customer data analysis enables you to customise your marketing campaigns across all channels to specific customer segments – investing more in the higher value customers. Instead of sending the same message to all of your customers, you can send tailored messages to customers who previously bought relevant products.

Customer lifetime value (CLV) is a part of the segmentation process – a means of measuring the profit your business makes from any given customer. It represents each customer’s value in monetary terms, and in turn informs an organisation how much its marketing department should be willing to invest in that customer.

There are numerous ways of calculating CLV however the most straightforward way of calculating Customer Lifetime Value uses the following formula:

CLV = (Average Order Value) x (Number of Repeat Sales) x (Average Retention Time)

The higher the value, the better the customer.

Becoming Customer-Centric

Making and delivering on the commitment to becoming a truly customer-centric organisation can be both protracted and complex, but it is an investment worth making. Becoming actively customer-centric, as opposed to merely paying it lip service, is the Holy Grail in terms of maximising customer value. Customer-centricity not only allows you to increase profits from your best customers, it enables you to avoid over-investing in the rest.