2010 6 Things u need 2 know in 2010 Whitepaper Final
Six things you need to know in 2010
The insider threat
Social media in the workplace
Security in the cloud
Enterprise cloud use
The BT offer
Security concerns are at the heart of pretty much every aspect of
networked IT services today, but are the real security questions being
addressed? Do CIOs and CEOs suffer from a translation problem when
assessing and developing solutions for the potential threat? And has
the incentive during the recession been to sweep the big issues under
the carpet? This white paper looks at the six things a CEO should be
asking his CIO in 2010, and the answers he should be looking for to
ensure his enterprise capitalises on any easing of the global economic
downturn. It also turns each of the six issues on its head and defines
what the CIO needs to be saying to the CEO to ensure the IT function
performs optimally in the year ahead.
This paper offers practical guidance to both audiences on the security
issues likely to be making headlines in 2010. It should be a vital desk
companion to CEOs and CIOs looking to foster better understanding
of how data and network security affects their organisation.
For all that information security is one of the most critical issues facing
organisations today, be they a financial institution holding customers’
banking details or a government body holding electoral, health,
criminal, employment or immigration data, too often an inability to
translate the issue from a technical to a business one gets in the way.
Vital facts are lost, as it were, in translation.
This paper presents six of the biggest security topics that CIOs, CSOs
and CEOs should be discussing – urgently – in 2010. And it does so in
an attempt to break down this barrier, acting as a straightforward
guide to the problem, the situation as it stands and the solutions
available. BT Global Services has decades of experience helping major
international organisations protect themselves and their customers
from the ever-present threat of information loss or attack. This paper
is aimed at spreading just some of that experience around. We hope
it is useful and that you get in touch if you have any questions at all.
In 2010, three things, at least, are certain.
One: information security will be better than last year, which was better
than the year before, and so on, because the technologies to counter
threats are evolving every day.
Two: conversely, the security of information – corporate, commercial
and personal – will come under more threat than ever before as the
increasing importance of data makes it the battleground over which an
ongoing fight between those who would steal or misuse it and those
who would protect it is becoming ever more fraught. This ‘arms race’
between hackers and IT security professionals can only escalate.
Three: the issue of information security will become more and more
of a mainstream topic, discussed in mainstream newspapers and on
mainstream television channels. Already, Google’s decision to cease its
censorship in China due to suspicious attacks on data held on its servers
has been one of the biggest news stories of the year.
Against this backdrop of increasing complexity and a rising public
profile, CIOs, CSOs and CEOs will meet around the board table to
discuss the security issues facing their organisations: issues that have
never been more important, or more challenging to understand, let
alone to address. Yet they will meet around those tables hampered by
a simple yet very real barrier: language and awareness, or lack of it.
5. Datamonitor research commissioned by
BT: Threatening Skies: Risk in the Global Economy, 2008
And the war is escalating. Why is this? Firstly, the world, and
particularly the business world, is more globalised than ever before.
Secondly, that same world is more networked than ever before. It is
more reliant on technology, partly because so much business is now
conducted over huge distances and partly because so much business
is now data-driven and computer-dependent.
The result is a very modern transmutation of the age-old phenomenon
of “industrial espionage”, which has been around since the dawn of
commerce. Spying on, stealing or sabotaging the data of another
organisation – be it a commercial enterprise or a national government
– gives you anything from competitive advantage to economic and
And there is a worrying acceptance of the problem. More than half of
executives in developing regions themselves admit that the threat of
international cyber-espionage, hacking or web fraud is more likely to
come from a source located in a developing economy such as (but not
limited to) Russia, India, Brazil or China.5
What’s the problem?
Globalisation is leading to a new “cyber cold war”. Google’s decision to
cease its censorship of content in China after attempts to hack into its
servers was just the latest in a series of similar events in recent years.
Issues such as this have long been considered at a serious political
and diplomatic level. As far back as 2002, in fact, the FBI announced
its “number three” priority was protecting the United States “against
cyber-based attacks and high-technology crimes.”1
Since that time,
the problem has grown exponentially. In May 2009, US President
Barack Obama announced he would create a new White House office of
cyber security, with that cyber czar reporting to the National Security
Council as well as to the National Economic Council.
Other countries have been quick to follow suit. According to a policy
paper on national security published in January 2010, the Conservative
Party, widely expected to form the next UK Government, plans to
a Cyber Threat and Assessment Centre to counter online
attacks against the UK. In the same month, Australia opened the
Cyber Security Operations Centre3
following a year in which its defence
computer networks were attacked by about 220 “security incidents”
every month, with another 220 targeting other government systems.
In the Philippines, a new cybercrime Bill has been passed this year4
Together, all this paints a picture of a very modern battlefield, one that
itself exists “in the cloud”, with skirmishes being fought daily over data
carried via the internet and networks.
Brazil China India South Africa
Do you believe that the threat of international cyber-espionage (hacking,
web fraud etc.) is more likely to come from a source located in a developing
economy such as (but not limited to) Russia, India, Brazil or China?
Is cyber crime a real danger
for this organisation? CEO
The very language we use is also a problem. The term, “cyber-crime”,
leads us to forget that the data still starts and ends with a physical
machine, and so the physical threat is frequently overlooked. You can
have the best technology in the world, but it won’t help if your office
cleaners are easily able to smuggle information out of your building on
a data stick.
Ultimately, what is needed is a combination of good corporate policy,
married to effective technology. Far too often, we see one without the
other and, in 2010, this is not good enough.
1. Check physical security. Ensure that your technology, facilities
management and human resources departments, at the very least,
are talking to each other. Any external suppliers with access to your
building should be properly vetted.
2. Ensure you have the appropriate technology in place and that it is
set up correctly: software-based anomaly detection, located in the
network, coupled with solid firewalls at your data centre end.
3. Link this up with effective policy adherence – rigorous testing,
monitoring, recording – such as is demanded by ISO 27001
(BS7799) the Information Security Management System (‘ISMS’)
4. Ensure that policy is in place for follow-through: detecting and
countering an attack is one thing. You need to be able to trace it and
build up the chain of evidence so that, should you ever need to take
someone to court, there is a proper chain of evidence. This means
your IT people need to be trained to log dates and times properly,
and your legal department will need to be involved to ensure your
policies adhere to privacy laws.
Can we protect ourselves?
The question being asked in boardrooms is “can we truly protect
ourselves against the next generation of hacking? Or is damage-
limitation the best we can hope for?” Providing reassurance is a tricky
thing, because companies involved in providing security solutions need
to be transparent and responsible with their claims. So let us be very
clear, here, from the outset: there is no easy panacea to this problem.
There is no single product or service that can be plugged in and means
your data is safe. It means companies need to sit up and take this
problem seriously at a senior level and not relegate it to a nuts-and-
bolts IT services issue.
Yes, but don’t expect technology to solve
the problem on its own
Firstly, it is vital to recognise how the very nature of globalisation has
altered the challenge. Once upon a time, a virus detection programme
could easily check IP addresses linked to a PC or server, spot any
beginning 85.xxx, recognise that this was going to China, for example,
and block the address. Today, of course, most international companies
will be sending and receiving legitimate data packets to and from
China daily – suppliers’ details, product data, order information.
So modern software has to learn what activity is legitimate and what
is not before it begins to run effectively. This is hugely powerful,
but the understanding of the process is not always there. Too many
organisations, erroneously, think they have this activity covered as
soon as they’ve installed the new kit. Just because suspicious activity
has not been detected does not mean that it’s not going on.
It’s a growing threat, and one
we must confront CIO
What’s the problem?
The ‘insider threat’ is, unfortunately, a growing one. According to
research from McAfee, 75% of website defacement is the result of
an internal job and 68% of data theft is internal.6
The threat from
within covers three main areas:
• Genuine mistakes – people leaving a machine unencrypted and
vulnerable (see cyber crime, above), or sending the wrong email,
possibly with sensitive data attached
• Lack of awareness of security policies – people naively allowing
leakage of sensitive data
• Deliberate – someone unhappy with the company, maybe having
been made redundant, and taking revenge: deleting billing records,
for example, or stealing information that can be sold to competitors
or used to gain advantage in his next job.
Can we protect ourselves?
Again, the problem arises less from technology and more from
policy and, often, simple human error and forgetfulness.
Most organisations today simply could not exist without
computerised data and the internet and private networks that
allow it to be shared. Data is everywhere, in digital form, and the
proliferation of easy ways to store and transport it, from laptops
and USB sticks to iPhones, iPods and just sending it via personal
email, makes keeping it within your building a daunting task.
Source: McAfee, ‘The Threat From Within’
The insider threat
Security Softie: European League Table
Do employees let friends/family use their work computer to
access the internet at work or home?
European Average: 21%
Italian employees: 42% Most Lax
French employees: 23%
British employees: 21%
Spanish employees: 16%
Dutch employees: 14%
German employees: 12% Least Lax
Is our information safe in the
hands of our people? CEO
use or plugging personal iPods into computers, for example? If you
manage a call centre, do you have a policy on cameras? People can
just as easily take photos of customer data on screens as download
to a stick.
Policy is nothing if people don’t know about it. You must
communicate with your employees, be transparent about your
rules on the above and why they are there. This means ongoing
training and awareness, so that line managers know how to keep
their teams adhering to policy.
At the heart of that policy should be access rights: who has access
to what data? You need to get the balance right, giving people the
access to the information they need, with enough leeway to be
able to innovate and do their job. But full administration rights to
all data are rarely appropriate for the entire workforce. And, above
all, remember to cancel outgoing employees’ access rights, which
includes their key fobs, passwords remote log in usernames and
Follow this up with change management controls. If a new item
of software, a new database, for example, or a new security patch
is being installed, don’t let any one programmer have the right to
unilaterally change the code or the application. The change should
be verified by two or more people.
Finally, encrypt your data. It is incredible how many organisations
in 2010 do not save sensitive data in an encrypted format. Most
software applications – even mainstream ones, such as Microsoft
Office, support strong encryption.
Simple – remember PEACE: Policy, Education, Access, Change
management and Encryption.
Yes, if you remember PEACE
Accessing all that data can be as simple as logging on to a computer
and browsing a directory or folder structure on the server or as
complex as entering multiple usernames and passwords, some
static and others dynamic, generated in realtime by technologies
that are now part of everyday working life, such as key fobs and
remote login tokens.
Countering the insider threat starts with policy. What is your
organisation’s policy for information security, personal email
Gadget Geek European League Table
What percentage of employees admit to owning at least one
personal gadget to connect to the office PC?
European Average: 51%
French employees: 56% Most Lax
Spanish employees: 54%
British employees: 51%
Italian employees: 49%
Dutch employees: 48%
German employees: 48% Least Lax
What percentage of employees connect devices at least once
a week to the office PC?
European Average: 52%
Italian employees: 56% Most Lax
Spanish employees: 53%
Dutch/French employees: 52%
British employees: 47%
German employees: 46% Least Lax
With the right internal policies
and practices, we can ensure
it is safe CIO
8. http://bit.ly/5F9XGS; http://bit.ly/6o1SFL; http://bit.ly/5URQQ5
Yes, but exit management strategy is key
The solution requires that you implement the steps discussed above,
without delay. If you think your organisation is vulnerable to a sudden
and simultaneous exodus of employees, you must put an immediate
focus on getting your exit management processes up to date – there is
no way of knowing when this dam might burst.
1. Ensure that everyone leaving is individually aware of his or
2. Involve your HR department now, so that they are able to provide
a double check (along with your technology people) that physical
access tokens and key fobs have been returned and deactivated
3. Your tech department should, of course, make sure that all
usernames, logins and passwords to company data are cancelled.
What is it?
Research from a variety of countries and sectors indicates that a
considerable number of employees are waiting for the global recession
to end before moving jobs. In the US, one in five workers plans a switch
when the economy improves, according to a December 2009 survey.7
In the UK, similar surveys predict that anything from one in three to
half of employees will move once the economy stabilises.8
Many people, runs the argument, have stayed in the same position for
the past two years, with no promotion, pay rise or bonus and possibly
with pay cuts or reduced hours. Whatever the true figures, the notion
that there is a dam waiting to burst seems valid.
Can we protect ourselves?
Essentially, this is the same question as the previous one – just on a
bigger, simultaneous scale, and therefore with a sense of urgency that
relates to the current economic environment.
If and when these people begin their exodus en masse, they will pose
a unique form of insider threat (see insider threats, above), potentially
removing commercially sensitive (for you) and useful (for them)
information from your organisation, on an unprecedented scale.
Are we protected when people
leave the organisation? CEO
Exit management is critically
important for information
What’s the problem?
The internet phenomenon that is social networking has been one of
the most talked-about security topics of the past two or three years.
As soon as it became apparent that people were using their work as
well as their personal internet connections to log on to external sites
to share information – and, potentially, data – organisations began
voicing their concerns. The worry was, and still is, that sites such as
Facebook and Twitter might at best reduce people’s productivity and
at worst pose a threat to information integrity.
Of particular concern has been the theory that the incoming generation
of employees, reared on the internet and potentially blasé about
security, will pose a major challenge for management.
Generation Y refers to a specific cohort of individuals born from
1981 to 2000 (according to Harvard Business School), while others
mark the beginning of Generation Y in 1978 or 1981 (Wikipedia).
All sources agree, however, that the majority of Generation Y free
time is spent living an online lifestyle. They are sometimes referred
to as ‘Digital Natives’ (as well as Generation Z or the iGeneration).
Fig 1. Which generation are you?
In a survey of university students in the US by Junco and Mastrodicasa
, still the most up to date study of its scope in this age group:
• 97% own a computer
• 94% own a mobile phone
• 76% use Instant Messaging (15% logged on 24/7)
• 34% use websites as their primary source of news
• 28% author a blog and 44% read blogs
• 49% download music using peer-to-peer file sharing
• 75% of university students have a Facebook account
• 60% own some type of portable music and/or video device such
as an iPod
Social media in
Fig 2. Where does Generation Y spend its time?
Source: Ewan McIntosh (http://edu.blogs.com/)
So, is there a risk?
This stems from a fear of the unknown. Generation Y uses a different
vocabulary, follows a different culture, has different demands,
demonstrates a high speed of learning and has different expectations.
They push the boundaries of older management.
But is this a threat? The pace of change in terms of new media
and social networking tools will frequently continue to outstrip
our ability to check for technical security threats and counter them.
The convergence of external and internal applications will proceed
at pace and, certainly, the risk of data leakage is a very real one as
people (of all generations, but particularly younger employees)
increasingly blur the boundaries between their public/private and
That said, the longer organisations spend debating the threats, the
higher the danger that they will fall behind the curve when it comes
to exploiting opportunities
Maybe, but the benefits outweigh
The social web is a driver of change and change can be scary. There are
challenges – and solutions – for implementing social networking tools
and using them safely in the workplace while demonstrating business
value and creating an environment for young talent to grow and want
to stay with your organisation.
Are organisations being hypocritical? For example, many businesses
exploit Facebook for recruitment and looking at individuals, advertise
on Second Life to sell to the younger generation and use Twitter
to research trends and social patterns to exploit for marketing
The trick is to help people manage the fuzzy boundaries between their
public/private and personal/professional lives. It is a challenge – but
not a threat.
Mobile, SMS, IM
Marches, Meetings, Markets, Events, etc
Livejournal, Blogger, Flickr, Photobucket, etc
Bebo, Facebook, Tagged, etc
Television, Gigs, Theatre, etc
Second Life, World of Warcraft, Home, etc
Should we stop people using
Facebook and Twitter? CEO
Fig 3. Manage the fuzzy boundaries
At their heart, social networking sites are about collaboration and sharing
ideas. Both of these things are the very lifeblood of innovation and
organisations must find a way of embracing rather than banning them.
Properly managed, these new
ways of communicating present
an opportunity CIO
1. Make the tools available. You can’t – or at least will find it
increasingly difficult and counter-productive to – stop people using
tools that they have grown up with, that are so ingrained into their
way of life.
2. Divorce management issues from the equation. For example,
worrying about whether employees will ‘waste time’ chatting
on Facebook is only a modern incarnation of worrying if they’ll
‘waste time’ chatting at the water cooler. Motivating people and
optimising productivity is a management issue, not a security one.
3. It is possible to make any web-based tool secure, with the right
technology, the right training and the right level of awareness
among the workforce. And so, again, education is key:
• Make your security policy on social networking usage relevant
to your Generation Y employees. Listen to them, engage,
• Never say no! They will just go round you.
• Embrace the younger generation’s needs – it will accelerate
• As with any other application, layer up the technology to ensure
that data is encrypted and secure, and that access controls to
sensitive information are appropriate to the user.
10. Gartner Inc. Press Release, “Gartner EXP Worldwide Survey of Nearly 1,600 CIOs
Shows IT Budgets in 2010 to be at 2005 Levels”, 19 January 2010
The delivery of services via the cloud has been one of the most talked-
about subjects in IT circles for the past twelve months, but only in 2010
has it made it onto the boardroom agenda. After a slew of articles
on the cloud in the worldwide business press in 2009, the business
implications of the cloud are beginning to filter through to non-
And CIOs are responding to this growing awareness of the importance
of the cloud. According to the Gartner Executive Programmes’ 2010
, the top three technology priorities cited by CIOs are
virtualisation, cloud computing and web 2.0, while the top business
priorities are business process improvement and reducing enterprise
costs. In the current climate, the ability to deliver better IT services
for less chimes with business leaders’ own objectives. The idea of
upgrading technology without significant capital expenditure is
finding fans both among CIOs, but also CEOs and CFOs.
BT Global Services’ recent Enterprise Intelligence research reveals
an interesting disconnect between CIOs and CEOs, with nearly half
CIOs (44%) saying they believe they deal with information that is too
sensitive for the cloud, but only a third of senior executives saying the
same. The implication is that it could be CEOs urging a move to the
cloud in 2010, with CIOs offering a note of caution.
Do cloud benefits outweigh risks?
Many of the risks associated with cloud services are grounded in who
controls what. The ability, or lack thereof, to transfer control and risk
relating to data to third parties is critical. Recent research by the EU
Network and Information Security Agency (ENISA), to which a crack
team of BT’s security experts contributed, reveals that the biggest
security concerns associated with the cloud are corporate data
confidentiality, privacy and the integrity of services and/or data.
These three issues are major ‘deal-breakers’, and if they cannot be
addressed completely, enterprises will find it difficult to move to
On the other hand, the benefits of moving to cloud architecture
are potentially huge: significantly reduced capital expenditure and
fixed costs; increased agility thanks to the rapid provisioning and
de-provisioning of resource; faster return on investment thanks to
pay-as-you-use commercial models; the availability of services to
a mobile workforce; unlocking business opportunities by removing
previous barriers to entry; theoretically more robust business
continuity (see the next section for a more detailed discussion
of business continuity in the cloud).
Cloud security requires strict policies
Cloud services are extraordinarily diverse, and there can be no one-
size-fits-all approach to security. Just look at the software-as-a-
service offered by major names like Microsoft, Google and Salesforce.
com, and compare them to infrastructure-as-a-service from Amazon,
IBM or BT. These are very different propositions and require different
security policies and controls.
The solutions that are most likely to provide enterprise-level stability,
security and usability will comprise federations of best-in-class
Security in the cloud
Is it safe to move into
the cloud? CEO
500 5 10 15 20 25 30 35 40 45
CIO caution: “Our information is too sensitive for the cloud”
solutions provided via a mixture of in-house ‘private’ clouds and
third-party ‘public’ clouds. Such a ‘hybrid’ approach has the potential
to confer huge benefits on enterprises in 2010, while ensuring the
specific risks are mitigated. Thus, data covered by Sarbanes-Oxley or
other legislation can be retained and delivered to end IT systems users
within private clouds. Similarly, publicly accessible material, such as
marketing material that can be downloaded from websites, can be
stored and delivered at minimal cost via a third-party public software-
as-a-service solution in a public cloud. The best advice is to lock horns
commercially with multiple cloud service providers and ensure your
security policy and requirements are built into their offerings.
1. Research the market. All the providers of cloud services, whether
delivering software, infrastructure or platform solutions offer
different services with different service level agreements and security
features. Selection of the right services is an essential first step.
2. Federated solutions may be more bespoke and robust. Using a
selection of different services – including a self-managed private
cloud – to build a bespoke solution can ensure cloud services are
more aligned with your business needs. Increasingly, federation
will become an essential part of building bespoke cloud services,
meeting security and risk demands, adding transparency and
increasingly providing secure collaboration between trusted parties.
3. Prepare for cloud culture. The automated interface of many cloud
services can feel alien to IT departments used to dealing with people
within supplier organisations. Procurement, legal or commercial
teams can also find the pay-as-you-go contracting model of
cloud services demanding. Take these teams with you if you opt
to strategically source services from the public cloud, otherwise
they may become strategic barriers.
4. Regularly seek independent audits of cloud operators’ offerings,
to ensure they are still the best in class and best fit for your needs.
The cloud can be safe, secure…
and financially attractive CIO
Legislation Covering Data
Data protection legislation often prevents the transfer of
risk from one corporate entity to another. For example, both
Sarbanes-Oxley and the UK’s Data Protection Act require the
company looking after data to remain entirely responsible for it.
Legislation also presents jurisdictional challenges. For example,
cloud providers are typically forced to locate data within a
specific territory, usually the client’s own country, which hinders
the benefits and flexibility of their service offerings. Under
such stringent conditions, the data-owning party would need
so much control over how the data is stored and used, that the
benefits of cloud storage of data or computing resource could
Availability – at the heart of security
A sophisticated service that delivers significant value to its users
remains worthless if it is not consistently available. When considering
the security of cloud services, availability is one of the biggest single
issues. There are multiple challenges here: how does cloud architecture
impact availability levels during periods of normal service; how much
can the cloud help or hinder availability when an organisation needs to
rapidly scale up or down key services; and what impact does the cloud
have on an organisation’s business continuity strategy?
The bottom line for most organisations today is that non-availability
of services costs money through impacted productivity and sales,
lost customers and damaged reputation. The strategic challenge
for cloud providers is how to transfer the risk of downtime from
enterprises seeking to adopt cloud architecture. We have already
shown that some risks cannot be transferred, for legislative reasons
(see the previous section). But it is, theoretically at least, possible to
offset some of the concerns of enterprises by committing to strict
service level agreements.
How can we maintain service levels
in the cloud?
This is where federators of cloud services can add value, not only by
bolting together services to create bespoke solutions, but providing
security wraps and service level guarantees that potentially exceed
those of the third party cloud provider alone. The lessons learned in the
design and deployment of high availability infrastructures is critically
important for cloud providers, and there is evidence that some are not
yet applying sound engineering design. Those with an infrastructure
heritage are leading the way here.
While elasticity of service is one of the core features of cloud
architecture, and scaling up and down does not affect availability,
business continuity – in particular, disaster recovery – offers its own
challenges in the cloud.
Under a traditional business continuity model, all data stored on
dedicated – and probably self-managed – servers is routinely
duplicated and stored on a mirror server at a distinct location, in case
of a disaster. Under cloud architecture, however, the location of servers
is not necessarily a fundamental aspect of service provision, which
makes ensuring data is copied to a remote location a challenge. This
is mitigated by the fact that, increasingly – mainly for reasons of data
protection legislation – cloud providers’ customers stipulate in which
region or territory servers, and therefore data will be physically located.
Enterprise cloud use
Can we guarantee our customers
world-class service in the
1. Understand how resource sharing occurs within your cloud provider
– if you require significant scaling-up of provision at the same time
as other users of the same cloud, it may risk breaching the capacity
of the cloud provider, and therefore affect availability.
2. For infrastructure-as-a-service and platform-as-a-service in
particular, a cloud provider’s patch management policies and
procedures have significant security impact so ensure the patching
policy is documented.
3. The cloud provider’s technology architecture may use new
and unproven methods for failover, so verify what they use
for disaster recovery.
4. Understand how your cloud provider deletes ‘old’ data,
particularly on the cessation of a contract. This is an area
that requires greater transparency.
The cloud can boost business continuity
The cloud architecture should theoretically be more resilient than the
traditional model, because with proper planning, instances of failover –
automatically switching to an alternative network upon failure – should
become more integrated. By intelligently backing-up data, access to a
cloud service can be maintained, even with parts of the infrastructure
out of action. Getting this right – and demonstrating they have done
so – is the challenge for cloud providers.
Accidental data deletion may become a thing of the past if automatic
data retention policies – currently adopted by of some of the major
cloud service providers – become standard. At present, some providers
say they will never erase any data at all, but merely archive it. It will be
interesting to see what recovery techniques are developed over the
years, as the volume of data grows, and maintaining data catalogues
becomes increasingly complex. It is also important that deletion of
data upon cessation of contract remains a major technical challenge
and even more so in the infrastructure re-use model being adopted by
Correctly deployed, we can drive
customer and employee benefits
from the cloud CIO
Managed Vulnerability Scanning, powered by BT Counterpane
BT MSSG offers two levels of Managed Vulnerability Scanning service
to meet customer needs. BT partners with Qualys for service delivery.
• The Full Service option is for companies interested in leveraging BT’s
expertise and experience to manage their scans and tightly integrate
them with BT’s infrastructure. BT’s scans can be scheduled to suit
your needs on a weekly, monthly, or unlimited basis.
• The Self Service option is for companies preferring to self-administer
their scans and wishing to take advantage of additional features
of the service, including asset classification and remediation
Both service options provide flexibility in scheduling scans and defining
internal and external targets including address-specific or address-
range coverage options, and conditional start-stop time boundaries.
All scan reports are correlated across data from vendors as well as data
from BT MSSG’s proprietary correlation engine. Executive summaries
and detailed scan reports are available 24x7 via the BT MSSG Portal.
Managed Log Retention, powered by BT Counterpane
Managed Log Retention frees customers from the log and security
management burden while enabling them to achieve federal and
industry compliance, reduce total cost of ownership, and benefit from
best practice guidance on risk management with swift responses to
security incidents, compliance inquiries, and internal threats.
As the authority on enterprise security, BT’s Managed Security
Solutions assure customers’ business continuity, improved compliance,
and protection from financial loss. Leveraging our experienced
professionals and state-of-the-art security solutions, BT delivers
comprehensive protection and real economies of scale and efficiencies
BT’s Managed Security Solutions Group’s (MSSG) portfolio of
managed security solutions provides customers with the industry’s
most complete, single-source enterprise security solution. Our rich
heritage in Managed Security has earned us the trust of customers.
Our foundation in real-time internal network and host-level protection
is augmented by managed internal and external network protection
Managed Security Monitoring, powered by BT Counterpane
BT’s managed security monitoring service combines a team of
disciplined security experts, a rigorous process for incident detection
and response, and best-of-breed technologies to provide information-
driven organisations with immediate feedback regarding the efficacy
of their network’s security – in real-time. Our security monitoring is
the business solution that empowers enterprises to reduce liability,
improve information safety, and facilitate audits.
Device Management, powered by BT Counterpane
Device management focuses on proactively implementing
configurations in the best interests of the customer so that devices are
always providing maximum protection and surveillance. That’s why BT’s
MSSG SLA offers unlimited changes to devices when they are initiated
by BT. This includes new signatures and updates from the vendor and
configuration changes BT MSSG recommends based on observations
from hundreds of networks and thousands of devices around the world.
The BT offer
BT’s Ethical Hacking services enable customers to protect their
networks, information assets, and corporate reputations by identifying
vulnerabilities before they can be exploited. Our security experts
will identify vulnerabilities, provide recommendations to remediate
identified issues, and help improve their security posture. BT
proprietary testing methodologies and techniques yield high quality
results that will help customers optimise their security infrastructure.
• Application Testing – Reviews the logic structure, code, methods
of access and authentication mechanisms of your web-based
• Network Testing – Provides external and internal vulnerability and
penetration assessments, VPN vulnerability and penetration tests
and an analysis of VoIP within your environment
• Wireless Security – Identifies weaknesses and vulnerabilities specific
to your wireless infrastructure
• System Hardening – Tests for over 1,000 network-level
vulnerabilities within your current network configuration
• War Dialing – Identifies unauthorised modems that provide access
to your network and then attempts to exploit your network through
For more information on BT Managed Security Services and how
they can make your organisation and your customers more secure
and risk-resilient, please visit bt.com/globalservices or contact
Ray Stanton (firstname.lastname@example.org)