If it can go wrong, it will go wrong

Picture of messy electrical wiresThe recent challenges of the banking sector in the UK have been very public and damaging to the trust that customers place in their bank. If you were lucky enough to be unaffected, then do have some sympathy for TSB customers who recently were unable to make payments using online banking, and also have sympathy for customers making purchases from businesses that used the Lloyds Bank owned Cardnet on 29 August as they may have found themselves being charged twice. The fundamental here is that trust is easily lost and very hard to win back. In the case of the Cardnet failure, that loss of trust may have also affected business customers of Cardnet as from a retail customer’s point of view it would have looked like the business charged them twice rather than being an error in the payment processing.

But how and why did the IT fail so dramatically? Well one possibility is that this is a legacy system issue and reminds us that technical debt, the cost of maintaining legacy systems over time, rises in both cost and risk terms the more time moves on from the original implementation. This is certainly true in the TSB case, where it is well known that TSB has legacy IT issues and has done for some time and this has cost the company hundreds of millions of pounds. These legacy IT issues appear to have really come to the fore when TSB tried to modernise the IT following the merger with the Spanish bank Sabadell after TSB split from Lloyds Bank in 2013. And it is this last fact that possibly points the way to the problem at Cardnet, which is part owned by Lloyds Bank and seems to have suffered similar issues leading to repetitional damage and real financial loos to customers and businesses. It is quite likely that legacy issues were in part, at least, the cause of the Cardnet problem. A quick Google search of “cardnet IT failure” brings up a number of results showing issues going back to 2014 which seems to support this theory.

This issue of technical debt is often a difficult one to get traction on dealing with in a business as resolving it does not generally add to business value, and so persuading the business to sink real money into a problem that has no obvious business benefit is a difficult ask. So how do you get the traction and money you need to reduce your debt? As with many things the answer is to quantify the risk.

Much like ignoring Information Security and GDPR, technical debt can have real world consequences. The Cardnet and TSB issues really help to demonstrate that, but there are also plenty of analyses from organisations like Gartner which can back you up in the argument. You need to find a way to get across your point in a way the board get so that they see paying down the debt as an integral part of risk management as Information Security and GDPR. You may not get everything you want, but you should at least get the issue on a risk list because until the board has sight of it there is very little that will ever be done given all the priorities the organisation will have. But once on the risk list, it can be flagged to governance and that will drive prioritisation and resolution.

Exams, GDPR, and me.

Decorative exam imageMost young adults around the UK will have recently received GCSE and A-level results. The new, tougher, GCSEs come with marks in the scaled 1 to 9, whilst other exams and A-levels retain the alphabetic coding. This can be a stressful time for young people, especially if they are depending on the results in order to go into University, and for some this will be a joyous time of great celebration, for others there may be questions about how the forecast mark was not achieved and why.

One of the questions that often comes up in families where the GCSE or A-level results have not met the grade expected is why that has happened. Obviously a conversation with the school or college is very important and will help to get some insight, but unless you see how the exam script was marked, and the comments of the markers, it can be difficult to get a great insight from meeting with the school. Ultimately it may be that something was missed in the marking, or even in a award appeal, and you may not know.

One way that can help with gaining greater understanding of the exam results is to make use of the new GDPR regulations that came into force in May 2018. GDPR has placed new obligations on organisations about how they handle personal data and in particular how it is managed and made available to data subjects and other parties. For many organisations this has led to changes about what data is kept and how it is retained, and for many individuals it has enabled access to information held by organisations that was previously unknown. For example, GDPR allows you to request all records kept about you and this can include information about your exam performance. This can include your mark, examiner comments, and minutes of examination appeals panels. In Universities these are often made available to students in any case, but this is not always true of GCSE and A-level exams when it may matter just as much, if not more so. This may be an additional burden for schools and exam boards that they may not be prepared for and need to take action on if they are in receipt of such requests as this information must be supplied free of charge. A Subject Access Request (as they are known) must be met within 40 days or there are legal consequences, so it is good practice to be familiar with what to do should one arrive.

So, if you are wanting to find out more about your exam results and the institution does not provided them routinely, you can now request them under GDPR and the institution is required to provide them within 40 days. Helpfully, the Information Commissioners Office has provided a useful guide on obtaining your detailed results and some guidance on how to make an appeal if you believe you have grounds. By using this approach you can gain real insight into the marking regime and also pick up if the examiner made a mistake, procedure was not followed, or even that there has been an unintentional bias introduced. This could make the difference between getting the grade that was expected or not and for some this could turn disappointment into a success!

 

Is critical for business Business Critical?

Those of you going on holiday this week may have found the process a little less straight forward than usual, especially if you were travelling by air from Gatwick Airport on Monday 20th August 2018. Rather unfortunately for many travellers, the flight information screens at Gatwick failed requiring staff to resort to using white boards to keep passengers up to date with flight departures and arrivals.

On the face of it, especially given the twitter frenzy that subsequently broke out, this might seem like a major fail for the airport and the IT infrastructure that supports it. But, really just how critical for business was this issue and was the contingency planning and response appropriate given the public nature of the service?

When looking at services and considering them in the context of the criticality to the business you need to consider the risk, impact, possible mitigation and ultimately the cost of mitigated or unmitigated impact. In this case Gatwick could have quite easily mitigated this failure by having a redundant link to their flight information service provider. Certainly, in the University of Brighton case we have provisioned resilient links to all our sites and always connect to different exchanges to ensure that we are resilient against our downline supplier equipment failing. However, for a university internet connectivity is business critical when the core business is teaching, learning, and research which depends so much on access to information and data. For an airport, this may not be true so long as flight control systems and air traffic management can continue. But does that always apply?

Essentially it all comes down to risk and what value you place on it. When considering how much to spend on mitigation of risk, one must consider the probability of the risk and the impact if it came true and then weigh that against the cost. In the case of Gatwick they appear to have concluded that a suitable mitigation using white boards was cost effective and maintained core business without the need to invest in additional resilient data connections. Whilst travellers may be dissatisfied, departures and arrivals still took place on time and the core business of the airport is largely unaffected. In this case the damage to reputation may have a cost which must also be considered, but this could be short lived providing the mitigation is effective.

So, in conclusion, when looking at business critical services in your IT estate you need to consider the value of the service to the business and also have agreed service levels. Assess the risk and impact of the failure of the services individually, not forgetting any underpinning infrastructure, and devise a mitigation that meets the needs of the business and at a cost appropriate to the level of the risk.

The one final question for Gatwick, and anyone else considering Business Critical services, is do you have a sufficiently good understanding of the risk in the first place? This is not the first public failure of infrastructure at Gatwick, and the last time it happened it disrupted core functions including arrivals and departures in the peak Christmas holiday season.