Why WiFi at Work—Posted on December 28, 2007
You’re probably familiar with WiFi, the wireless networking standard, from the numerous ‘hot spots’ springing up in towns and cities. Today though, the technology is expanding out of the coffee shops and airport lounges and into the office environment. The reasons for this are, as with most things in life, many and varied…
Flexibility and cost are a major factor. A wireless network allows you to provide networking services in places where there is limited access to the fixed network. Instead of densely running cables throughout your building, you can rely on wireless access points covering areas where there is either lower usage or fewer employees. It is also quick to update; rather than having to re-cable a building, base stations are easily installed.
The flexibility of wireless means employees do not have to be tied to their desks. Staff equipped with laptops can move around the office while retaining connectivity, which brings increased flexibility in meetings and the opportunity to ‘hot-desk’.
The use of WiFi at work, though, is not without its problems – not least the issue of security. Any signal which can be received inside your office is likely to be received outside too, and you never know who might be listening in. To combat this, your network should be using WPA encryption rather than the older WEP standard, and have MAC filtering (allowing you to specify which MAC addresses – unique codes embedded in every networking interface – are able to connect to the network). Finally, change the password for your wireless network frequently.
WiFi is rarely a complete replacement for fixed networks. Gigabit Ethernet offers speeds up to four times faster; and like any radio-based system, WiFi can be affected by interference (from atmospheric conditions or from poorly shielded electrical equipment). That said, the flexibility of wireless does make it an ideal complement to a fixed network infrastructure. This, combined with the advantages of offering the chance to implement new ways of working while reducing the need for excessive cabling, means that WiFi is something that every company should be investigating.
Though, you will have to find another excuse to enjoy a visit to the coffee shop.
Dan Cole – Head of Product Management
Fear and Longing for ECommerce?—Posted on September 5, 2007
… following a recent report from the Federation of Small Business that claims that just 18 per cent of SMEs are selling on-line, with less than one per cent of those generating all their sales through the internet. SMEs' main reason for such online reticence is their fear about online fraud and security …
Research asks some pretty dumb questions. Reducing the problem to one of ‘fear’ doesn’t make sense. Fear is about risk and business is inherently risky – making money is about taking some risks. According to IMRG, UK e-retail sales hit four billion pounds a month in July this year, so some risks might be worth taking!
If you ticked the box “Would like to sell online but worried about security and fraud” in the research questionnaire perhaps now is the time to consider how to reduce those fears into something manageable.
The primary tool used by security professionals for thinking about these problems is the risk calculation. In case you’ve not used one of these before it works like this:
Risk = Impact * Likelihood
It’s a tool that lets you think about risk sensibly, address the issues and in some cases, achieve the holy grail of risk management - quantify the risk you’re exposed to.
I’ll use an example, a fictional SME; let’s call them Scared Cat Ltd. Scared Cat have a website that has a phone number but no online e-commerce – remember, research shows it’s too scary! Let’s also assume that there is a ten percent chance of www.scaredcat.com being hacked in a year and that it costs £10,000 to have it rebuilt. The cost to Scared Cat from this risk, averaged over lots of years, is £1,000 a year using the formula (1,000 = 10,000 * 10%).
For this scenario the business impact of £10,000 is probably a relatively easy calculation: add up the developer rebuilding the website, lost business, lost time, and include some figure to cover damage to their reputation. The probability figure is going to be more of a guess, but they can talk to other people in their industry and harass or employ a security professional.
Scared Cat need to decide if the risk is acceptable as it stands, and may want to look at ways of reducing it. Firstly, is it acceptable? Well, if the website brings in £1,000 of profit (not revenue!) a month then a £1,000 a year cost is a pretty good deal.
Can they reduce the figure? If so then the reduction is effectively profit – well really it’s less risk, but it’s very close to the same thing if the calculations are approximately right. In the security professional’s terms, something that reduces risk is known as a control. The trick is to implement the most cost effective control to reduce the risk – and you tend to get diminishing returns as you implement more and more controls.
A good choice of control for a website with custom applications would be some application security testing or penetration testing. Often, because of the custom coding done for web applications, generic security scanning tools are ineffective and real value comes from the manual penetration test. The testing team will do all the things a typical hacker will do with the same tools at their disposal.
Manual tests like these aren’t cheap but can be worthwhile. A test team’s time runs from about £750 a day upwards (you’re paying for all the time they spent prior to your job staying up all night, eating pizza and keeping up to date with the latest techniques). The good news is that you might see a reduction in that 10% ‘likelihood’ figure to around 2% - if it’s done well and often enough.
So, using the risk formula, should they run a penetration test? The risk has gone down from £1,000 a year to £200. The penetration test will cost around £3,000 and will save just £800 a year. So unless the penetration test provides protection for the next four years, it’s not a great deal, and that is unlikely, as few web applications and servers remain untouched that long.
It’s important to readdress the controls whenever the impact or likelihood changes. Frequently people focus on the ‘problems’, such as a new type of virus online, and forget about the increasing impact figure as their business becomes more valuable.
Should Scared Cat decide to tap into their share of this £4 billion a year market online by enabling e-commerce functionality on the site, then the impact figure will increase dramatically, hopefully offset by huge additional profits. Suddenly the penetration test, or some other effective security control, may look like a bargain.
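The Scared Cat calculation as a short Python sketch (an added example, not part of the original post). It goes one step beyond the text by also computing the impact at which the test pays for itself; the one-year validity of a test and the £100,000 e-commerce impact are assumptions made here, not figures from the article.

```python
from dataclasses import dataclass
from decimal import Decimal as D
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    cost: D              # one-off cost of the control, in pounds
    likelihood_after: D  # annual likelihood once the control is in place
    valid_years: D       # how long the reduction is assumed to hold


def annual_risk(impact: D, likelihood: D) -> D:
    """Risk = Impact * Likelihood, as expected loss per year."""
    return impact * likelihood


def annual_saving(impact: D, likelihood: D, control: Control) -> D:
    """Yearly reduction in expected loss bought by the control."""
    return annual_risk(impact, likelihood) - annual_risk(impact, control.likelihood_after)


def break_even_years(impact: D, likelihood: D, control: Control) -> Optional[D]:
    """Years of protection needed before the control has paid for itself."""
    saving = annual_saving(impact, likelihood, control)
    return control.cost / saving if saving > 0 else None


def worth_buying(impact: D, likelihood: D, control: Control) -> bool:
    years = break_even_years(impact, likelihood, control)
    return years is not None and years <= control.valid_years


def break_even_impact(likelihood: D, control: Control) -> Optional[D]:
    """Smallest impact at which the control pays back within valid_years."""
    reduction = likelihood - control.likelihood_after
    return control.cost / (reduction * control.valid_years) if reduction > 0 else None


# Figures from the article: 10,000 impact, 10% likelihood, 3,000 test, 2% after.
BROCHURE_IMPACT, LIKELIHOOD = D("10000"), D("0.10")
# Assumption: a test result stays valid for one year before the site changes.
PEN_TEST = Control("penetration test", D("3000"), D("0.02"), D("1"))
# Constructed value: impact once the site takes orders (not from the article).
ECOMMERCE_IMPACT = D("100000")

if __name__ == "__main__":
    for label, impact in (("brochure site", BROCHURE_IMPACT), ("e-commerce", ECOMMERCE_IMPACT)):
        print(label, "risk/yr:", annual_risk(impact, LIKELIHOOD),
              "break-even yrs:", break_even_years(impact, LIKELIHOOD, PEN_TEST),
              "buy:", worth_buying(impact, LIKELIHOOD, PEN_TEST))
    print("test pays back once impact reaches", break_even_impact(LIKELIHOOD, PEN_TEST))
```

Under these assumptions the same £3,000 test fails the check for the brochure site and passes it once the impact figure grows, which is the shift the paragraph above describes.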
Risk analysis techniques like these, however approximate, are essential for turning fear into a set of rational business decisions.
Jim Credland THUS - Head of Product Security
Carphone Warehouse targets SMBs—Posted on June 27, 2007
The consumer broadband market is fiercely competitive, as providers compete to deliver the low cost broadband service that consumers demand. However important broadband is to a consumer, price is likely to win out over quality of service.
The business market is very different, or it has been until now. For companies, broadband is a business critical service so – whatever the size of the organisation – the service needs to be fast, reliable and secure. SMBs should be clued up about this and not be attracted by a very cheap service without knowing exactly what it would deliver – after all, you get what you pay for.
It is understandable that consumers will be tempted by a “free” broadband service from Carphone Warehouse, even with their patience being tested by delays and poor quality of service. The SMB market is less tolerant – it cannot afford not to be!
So it’s very interesting to see that Carphone Warehouse, still a new player in the broadband market, is taking an aggressive approach to targeting SMBs. It has announced that it is planning for revenue growth of 11%-12% in its business-to-business operations and that it will continue to develop its “broadband and data proposition” for the SME market.
It is no secret that the roll out of “free” broadband to Talk Talk customers has been problematic, to say the least. Of those that did not abandon the offer altogether, many are still waiting for their broadband to be up and running. Meanwhile, Carphone Warehouse continues to make a loss of £5 per Talk Talk customer as they continue to get their phone and broadband via BT Wholesale.
Carphone Warehouse has proved with Talk Talk that it cannot always deliver on the ambitious goals it sets itself and that the service it delivers is often disappointing. SMBs will be thinking twice before entrusting their business-critical network services to a player with a questionable track record in service delivery, and no apparent understanding of the unique communications needs of these types of businesses.
