The most recent articles from Best Practice

Technology: understanding the geek jargon

Peter Mitteregger — 2008-09-18T12:47:00.000Z

Peter Mitteregger, Best Practice, Thursday 18 September 2008 at 12:47:00

Data loss is a threat for any business but understanding technical Jargon, let alone the problem, can cause headaches. Peter Mitteregger explains geek speak

Ever wondered what your IT guys are actually saying? Most of the time they speak in acronyms that don’t mean much to anyone except themselves. And with threats to networks and mobile computing growing, the barriers to mutual understanding clearly need to come down. So here’s a guide to help you speak their language and put in place technology that is needed to protect you against the most recent threats.

Common threats

First, what are the things we are trying to avoid? Here are some of the most common threats out there at present.

War driving: Locating and exploiting security-exposed wireless LANs. LANs are Local Area Networks, a small physically linked set of computers. Unless adequately protected, a WiFi network can accessed by unauthorised users who use it as a free internet connection.

Spyware: Any technology that aids in gathering information about a person or organisation without their knowledge.

BotNet: A number of internet computers that have been set up to forward transmissions (including spam or viruses) to other computers on the internet, without their owners being aware of it.

Keylogging: process that records every key pressed on the computer keyboard to get at sensitive data, such as passwords.

PodSlurping: The unauthorised downloading of data from a computer to a storage device, such as a flash drive or an mp3 player.

Protect yourself

So, how do you protect against an increasingly ingenious array of attacks?

Firewall: A set of programs that protects the resources of a private network from users from other networks. (The term also implies the security policy that is used with the programs.) An enterprise with an intranet that allows its workers access to the internet installs a firewall to prevent outsiders from accessing its own private data and for controlling what outside resources its own users can access.

Authentication: The process of determining whether someone or something is who or what they are declared to be.

Encryption: The conversion of data into a form that cannot be easily understood by unauthorised people. Decryption is the process of converting encrypted data back into its original form. Encryption is important in wireless communications.

Full disk encryption: A process that encrypts everything on the hard disk.

Full data encryption: Similar to FDE, but it only encrypts the data not the media it is saved to. Encryption can take place whether data is on a desktop, laptop, PDA or USB stick and it is ‘granular’, so administrators can determine what data is protected.

Intrusion detection systems: Quite simply, detecting potential intrusions.

Intrusion prevention systems A pre-emptive approach to network security used to identify potential threats and respond to them swiftly. Like an IDS, it monitors network traffic. They can also take immediate action based on rules established by the network administrator.

Virtual private network: A network that uses a public telecommunication infrastructure to provide remote offices or individuals with secure access to their organisation’s network.

Network access control: A method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.

Data loss prevention: Security products that focus on keeping sensitive enterprise data in.

Public key infrastructure: Enables users of an unsecure public network, such as the internet, to securely exchange data and money through using a public and a private cryptographic key pair obtained through a trusted authority.

The threat is real and you need to arm yourself against it. Don’t let a language barrier come between you and the team.

Peter Mitteregger is European vice president at CREDANT Technologies.

Technology: web security - caught in the web?

Alan Calder — 2008-09-18T12:10:00.000Z

Alan Calder, Best Practice, Thursday 18 September 2008 at 12:10:00

Think you and your clients understand web security issues? Think again

The internet threat landscape has changed significantly in the past ten years. Over 90% of web traffic in 1998 came from email, http and ftp activity. In 2008, internet traffic is additionally made up of file sharing, social networking sites, blogs, voice over internet protocol (VoIP) traffic, videostreaming, webconferencing and instant messaging (IM). Software as a service has also developed, with web-based email and data hosting now ubiquitous.

This complex scenario, described as web 2.0 and highlighted in the February 2008 issue of Best Practice, is one in which the outbound threats of data and information leakage and the inbound ones from malware, security vulnerabilities and phishing are both different and more complex than ever before.

Outbound threats

Apart from their high bandwidth requirements, applications such as webmail, internet messaging and blogs make it far easier to share confidential information. The porous security perimeter, which originally described the corporate security vulnerabilities resulting from the proliferation of notebook computers, PDAs and mobile phones, has become even more porous. Any type of data and any form of content can pass out of an organisation through any one of today’s web 2.0 applications. It is possible, for instance, to download or export files using IM without leaving any trace or record of having done so. Such leakage of company data can have a very damaging effect on an organisation.

Inbound threats

Web 2.0 applications are no less susceptible to malware than earlier technologies. Blogs, social networks, wikis and mashups are all open to attack.

Web 2.0 tools, for instance, enable users to upload files and documents. This increases the risk of malware being spread. For example, there are now more than 25,000 applications available for users of popular social networking site Facebook to share. Many of these applications are written by users and are made freely available in an open source manner. It is not always possible to know whether files which are downloaded from friends within social networking sites, or from applications within these sites, are malware and spyware free and, unless access from corporate environments to social networking sites is blocked, they could find their way onto corporate networks.

There are also ‘blended attacks’ that specifically target web 2.0 technologies.

Blended attacks are those in which mass-mailing virus-delivery mechanisms are used to insert trojans into target systems, which hackers can then use to bypass firewalls and other defences. For example, in December 2006, the JS. Qspace worm was discovered by Symantec on MySpace. This worm injects code which directs the user to a phishing page. The phishing page attempts to steal MySpace credentials by asking users for email addresses and passwords. Another example of a blended attack is the Monster.com resume thefts of August 2007. Typically, this sort of software is designed to intercept and pass on the details of financial transactions.

Security vulnerabilities

Insecure web 2.0 applications can create security vulnerabilities in a user’s operating system or other application. When the original security weakness is patched, the derived vulnerabilities are not necessarily also fixed and web 2.0 companies do not necessarily communicate sufficiently with users who may have compromised systems.

For example, security vulnerabilities in Gmail have caused emails to be transferred and stolen, with consequent potential data disclosure. Although Google patched the vulnerability, users of Gmail were not necessarily made aware of the need to repair the derived vulnerability in their own systems. The fact that web 2.0 companies apparently prefer to downplay such issues might lead to them becoming a preferred attack target for hackers and malware.

Ajax security

In contrast to typical web 1.0 applications, Ajax applications (which are an increasingly widespread web 2.0 technology) send a greater number of smaller requests to the server. This increased number of requests to the server, sometimes called Ajax endpoints, provides a greater number of opportunities for that traffic to be attacked. Ajax bridges also create a security risk. These enable connections between Ajax and third-party websites. An attack can occur through malicious requests from one site to another through an Ajax bridge. In addition, the traffic from one site to another may not be checked because it is thought to be trusted.

Another security issue is that of cross-site scripting, which has been defined as ‘the injection of code (such as JavaScript or VBScript) into a page that is returned to the browser’. The code is then executed by the browser, exposing the user to threats such as cookie theft, session hijacking, information leakage, keystroke logging, screen scraping and denial of service.

Privacy and information security

The personal and sensitive information that is provided on social networking sites enables people to created targeted phishing attacks. The inclusion of such personal and sensitive data creates a level of plausibility, which means that the attacks are far more likely to be successful. This highly targeted attack is called ‘spear phishing’. In addition, fake profiles are used to create false friendships for misuse at a later stage.

Some phishers are emailing invitations to associates, creating login screens that falsely represent the social site registration page and using this opportunity to acquire genuine usernames and passwords.

Many people use just one password for all of their online activity and will repeat it on the false social networking site. Acquiring knowledge of this password can be incredibly valuable to an attacker.

Information and data contained within web 2.0 sites, particularly social networking sites, are likely to be subject to privacy legislation, but the whole area is extremely complex.

Privacy is a difficult concept to define. It is also a concept about which it is difficult to identify an international legal consensus. In the UK, there is no doubt that information held by social networking sites is personal data as defined by the Data Protection Act 1998.

However, as social networking sites have been created in many jurisdictions, and as users of those sites are drawn from anywhere in the world, it is not clear what privacy laws should apply in each case. What is clear is that few social networking sites are taking significant steps to deal with the issues and this is consequently an area of new legislation - initially for the protection of children.

The understanding of web 2.0 threats is still in its infancy, but organisations are going to have a significant challenge finding a balance between deriving the real benefits that can be gained from deployment of web 2.0 technologies and ensuring that all the related threats are identified and effectively dealt with.

Techie terminology

Ajax A set of technologies that enables greater processing to be carried out on the client computer, rather than on the server. In the traditional web application, the user clicked and then waited a while for the server to respond and refresh the page. In contrast, Ajax-enabled web pages are far more reactive, giving the user the impression that pages are updating instantly.
Ajax endpoints In contrast to typical web 1.0 applications, Ajax applications send a greater number of smaller requests to the server which create many more points of input. The inputs are also referred to as Ajax endpoints, which provide a greater number of opportunities for that traffic to be attacked.
Cookie A small data file that a website stores on a surfer’s computer and which contains information about the user.Cookie theft This occurs when an a ttacker uses an injection of code to obtain data held in cookies without the user’s knowledge.
FTP A method of transferring files over the internet.
Gmail Google Mail, or Gmail, is a free, searchbased webmail service available from Google.
Instant messaging A communication method that is analogous to a private chat room, enabling you to communicate over the internet in real time.
Javascript Programming language used for web applications.
Keystroke logging Where hackers record keystrokes on a computer keyboard using special software.
Malware Software designed for a malicious purpose.
Mashup Multiple sources of information combined to create a single application.
Phishing Sending emails that falsely claim to come from a legitimate company in an attempt to scam users.
Screen scraping Where a computer program extracts data from the display output of another program.
Trojan Hostile code concealed within bona fide code. Designed to be executed stealthily and inadvertently.
VoIP/VOB A technology that enables voice communication across the internet.
Wiki Web pages that enable users to collectively add and edit content. Wikipedia describes a wiki as ‘software that allows registered users or anyone to collaboratively create, edit, link and organise the content of a website’.
XSS Cross-site scripting, which involves the injection of code such as JavaScript or VBScript onto a web page which is returned from a server to a user’s browser.

Croak and Dagger

Users of social networking sites appear to have a very weak understanding of their potential exposures. Sophos, an IT security and control company, conducted research in which it created a fake profile for ‘Freddi Staur’, a small green plastic frog who divulged minimal information about himself. Sophos then sent out 200 friend requests to observe how people would respond and how much personal information would be revealed.

The findings were as follows:

87 of the 200 Facebook users contacted responded to Freddi, 82 (41% of those approached) provided personal information.
72% of respondents divulged one or more email address.
84% of respondents listed their full date of birth.
87% of respondents gave details about their education or workplace.
78% of respondents listed their current address or location.
23% of respondents listed their current phone number.
26% of respondents provided their Instant Messaging screen name.

Any of this information can be used as part of a targeted identity theft, or to carry out social engineering attacks on corporate IT networks and information assets.

Alan Calder is chief executive of IT Governance Limited and author of IT Governance Best Practice Report, Web 2.0: Trends, Benefits & Risks

www.itgovernance.co.uk

Financial softwares: thinking outside the box

Tim Phillips — 2008-08-15T12:05:00.000Z

Tim Phillips, Best Practice, Friday 15 August 2008 at 12:05:00

There’s no need to buy expensive office suites and boxed applications. You can get the financial software you need over a broadband connection

At 4pm on 19 September 2006, an acetylene gas cylinder crashed through the boardroom of the Erith Group in East London. It had been launched from across the road, where the neighbouring firm had been doing some welding without observing fire regulations, and caused a small explosion. In the inferno that followed, Erith experienced every company’s nightmare: fire destroyed not just the boardroom, but the entire premises, including the server room.

On 20 September the boardroom might have been history, but board members were back at work in a marquee in the back garden of Paul Driscoll, Erith’s IT manager. ‘We were working at 60% of capacity the next morning. I had 18 of them using my wi-fi,’ he says. ‘With a disaster like that, even with the backups we had, statistically we should have been out of business by now.’

It was Erith’s good fortune that Driscoll’s passion at that time was for Google Docs, a nascent set of office applications (at that time, email, word processor and spreadsheet) that Google had developed as speculative projects. The apps, and your data, sit in one of Google’s data centres. You call up your documents and work on them by logging in from any browser. By September 2006, Driscoll had bullied a quarter of his 205 staff into trialling the system instead of their traditional Microsoft desktop applications. When the servers that held the Microsoft applications were turned into heaps of twisted metal, they were glad he did.

Google Docs is just one example of the industry’s latest fad: SaaS, (say ‘sass’) or software-as-a-service. The industry’s heavyweights (see box) are investing billions in providing applications that we don’t need to store on servers in our offices. Instead we will rent our applications by the month and access them from a browser. The providers will store all our data and our settings in a secure, available environment somewhere in the world.

When SaaS works small businesses can make dramatic savings. Driscoll has now moved Erith Group, which handles remediation, asbestos removal and other tasks for the building industry, completely to Google Docs. He believes that he can save £25,000 to £30,000 a year. ‘I don’t have to worry about spam or the anti-virus running out or all those jobs that I have been scurrying about doing. I need one less member of staff. I have had 1.5 hours of downtime in the last two years, and as an IT manager, I wouldn’t be able to guarantee that level of availability to my board,’ he says.

For SaaS subscribers their future laptops and desktops will need smaller hard disks and maybe less processing power. Sometimes they don’t need any hardware at all: ‘One of our managers accesses his applications at lunchtime from McDonald’s on his iPod,’ Driscoll adds.

Lifting the clouds

This is what Google calls ‘cloud computing’. Dave Armstrong, the head of marketing for Google Apps EMEA, foresees a time when most documents will live somewhere on the web, rather than on servers. Google Apps, which business can rent for £25 per user per year, (the price includes support plus the APIs that mean you can do things like embed Google search and location-finding tools in your web pages) is the first step towards this.

‘Cloud computing means that your applications and your data can be looked after by companies that have the capability and the flexibility to do it,’ he says, ‘Already 500,000 businesses worldwide and 10 million users run Google Apps. If I wanted to write letters on paper, then I’d write one on my PC. But we’re moving to a world that uses living, breathing documents that live online and can have more than one author. There’s one version, you don’t have to send it to everyone.’

Critics of cloud computing point out that it was tried during the dot-com boom, when SaaS was called ASP (application server provider) technology. The vendors built it, but no one came.

Armstrong lived through that boom-and-bust. ‘It’s only over the last 18 months that applications have functioned in a reliable way over the internet,’ he admits.

With billions invested in data centres globally and broadband and wi-fi almost ubiquitous, SaaS providers have a better chance of success, but do the applications work? Google Docs still has rough edges. ‘The applications need honing. If I were to produce an intensive graphic document to print out for a customer, the applications aren’t there yet. If you want to make a document pretty, you need Word,’ Driscoll says, ‘and Outlook has a grip like no other program, and it was hard to prise some of our staff out of their comfort zone.’

Got it SaaSed?

The solution for some SMEs will be to look for SaaS providers who are delivering the applications they recognise through the browser. At AIM-listed Nasstar, chief executive Charles Black has created technology that delivers your Microsoft applications through a browser wherever you are. When you log on, you get your recognisable desktop, your settings and documents, and for a fee he will also host your other applications.

His users include Easy Group and Pinnacle Staffing, which he has calculated that even paying £75 per user per month (for Outlook plus Microsoft Office Professional) for the service it is 40% cheaper than the capital cost of buying and maintaining their own infrastructure.

‘It replaces traditional capex with a per-month cost, and there are other benefits: your laptop has no data on it, so if it is stolen, you’re secure.’ Black says.

Other application providers are rushing to offer the option of SaaS. David Turner, group marketing director at CODA, offers his financial applications as a service called CODA2go, and has teamed up with Salesforce.com one of the SaaS pioneers to offer an integrated accountancy-plus-customer-service suite.

He thinks Saas will capture only 15% to 20% of the market in the next five years so CODA will continue to offer boxed software. ‘If I was starting a business today I wouldn’t be going out to buy servers. I’d be renting my apps. Broadband is not the issue, but there is a problem with mindset. There will be a significant proportion of users who will move to this model, but not the majority,’ he says.

One sticking point, he adds, is worries about data security. Yet this is far greater at a data centre than even the most diligent small business. ‘Go to our data centre and the security is unbelievable. The number of people with access to anywhere even close to your data is tightly controlled, and the data is replicated globally.’

Alan Moody, the UK managing director of business software supplier Mamut, is not surprised that take up of SaaS set ups has been low. ‘It’s an over-simplification to say that SaaS is always better. More complex applications might not be best delivered this way. And if you go into a lift and lose your connection, you lose your applications.’

His view is that SMEs should commit to companies that offer the same, or compatible, applications both as a service and as boxed software, which is Mamut’s strategy. One problem with the rush of new SaaS providers, he says, is that many might not survive, or might not be able to provide the availability and security they promise. By moving all your data to their servers, you might be taking a significant unknown risk. ‘It’s a lot more complicated. I’m trusting you with my business. Are you secure? Are you compliant? If you change your mind tomorrow, and want to replace your SaaS with traditional software, that’s fine with us.’

Back at the Erith Group, Driscoll isn’t about to go back to his Microsoft applications.

Using web-based applications is the future, he says, because it’s doesn’t involve emailing attachments, printing, and server proliferation. Two people can simultaneously work on a spreadsheet while chatting over instant messaging, for example. And it means Erith could survive another explosion.

‘If that happened again I know 100% of our staff would get their email in the morning,’ he says. ‘As an IT manager, that’s reassuring.’

Delivery issues

To get online applications, we need broadband. But in order to deliver online applications, vendors need thousands of servers at a location near you.

The company providing your applications (and guarding your data) could theoretically store everything in one location that it leases from a big telecommunications company. But that makes it vulnerable to natural disasters and power cuts. If the supplier goes bust, then what happens to your data?

Also, if your data or application comes from one location and travels over the public internet, then when you’re half way round the world it might be unusably slow. Ultimately, this might be the deciding factor in which supplier wins the battle to deliver our desktop applications; today’s data centres cost around $500m (£250m) each, and there aren’t many software providers out there that can make that sort of capital investment.

Big players

Not surprisingly, two that do have the resources are Google and Microsoft. Google is extremely secretive about how, why and where it makes its investments. Its spending plan has included secretly buying its own telecommunications networks and joining a consortium to lay a cable under the Pacific.

Microsoft is spending billions of dollars developing what it calls ‘Live Mesh’, which mixes SaaS with desktop applications. It is building a 51,000 square meter data centre just outside Dublin to deliver this in EMEA costing the same as the entire development budget of Windows 95, and many other similar facilities worldwide.

‘The size and scale of the development is beyond anything in the industry,’ says Arne Josefsberg, the general manager for infrastructure services for global foundation services at Microsoft, ‘with the possible exception of Google.’

Tim Phillips is a freelance business and technology journalist.

For more click here

Technology: optimise your website

Peter Wailes — 2008-03-20T00:00:00.000Z

Peter Wailes, Best Practice, Thursday 20 March 2008 at 00:00:00

There is little point in having an all-singing all-dancing website if no one can find it. Optimising your site will bring potential customers to you ahead of your rivals

Given that around 71% of people use the internet to research goods and services, website optimisation has become an essential online marketing toolkit. Without it, your website has little chance of being picked up by a random search. And while your site might still be doing a good job of reinforcing your brand to existing customers, it will be providing little help in the search for new customers.

To ensure that the site is well positioned in the results of the top search engines for keywords and phrases relevant to your company and industry you trade in, the site should be optimised according to best practice. Greater visibility and highly targeted visitors improve sales, which, in turn, improves the bottom-line.

One of the most important disciplines in this type of marketing is search engine optimisation (SEO)

Maximum visibility

SEO is the process of refining a website’s architecture, content, coding and link popularity to secure maximum search engine visibility in search engines like Google, Yahoo and MSN.

Unlike many forms of online promotion, SEO is not done through paid-for advertising on websites. Instead, what you pay for is the expertise of the people who do it and for them to maintain your position in the top search engines.

In simple terms, optimisers analyse your website to see how ‘search engine-friendly’ it is. They then streamline and enhance it so that key terms related to your services get picked up by search engines, thereby sending a website towards the top of relevant search results. So, for example, if your website offered reviews of holidays and vacations, they would look to optimise for key terms such as ‘travel reviews’, ‘holiday reviews’, ‘hotel reviews’ and so on. Simply put, optimisation makes your website accessible to a wider group of people, whom may not know the company name.

What you get from good SEO is fairly simple and impressive: measurable return on investment, brand promotion and an increase in relevant, targeted traffic to your website. Around 42% of all searchers click on the first result of the first page in the search results. The numbers then tail off fairly sharply from there, resulting in 75% of people not even going to the second page of search results.

Take London car supermarket Cargiant as an example. Cargiant’s website ranked poorly for key service related terms before it was optimised, but moved up to number three in a Google search under the term ‘car supermarket’ once its pages and code had been optimised. That’s third out of almost 700,000 other competing websites.

In internet search terms, getting onto the first page of search results is the ‘Holy Grail’. Due to a general lack of understanding as to how search engines work, people assume that sites that appear towards the top of a list of search results are highly authoritative. As such they will trust their content more, stay on them longer and be more likely to return again.

According to e-Consultancy, an online marketing best practice site, around 36% of search engine users believe that the companies whose websites are returned at the top of the search results are the top brands in their field.

Multiple media

The modern SEO expert or ‘search marketer’ must be able to write compelling copy, have a strong coding ability, understand site architecture, have a sound working knowledge of psychology and be able to work across multiple media, including audio, video and text.

SEO professionals should understand how you can attract links to your site through the use of social sites like Digg, Reddit, Facebook and StumbleUpon.

Search engine optimisation can be one of the most cost effective forms of marketing around, but if you’re going to use the services of a SEO specialist you will need to make sure that you are getting the right results. Always set out benchmarks to measure marketing successes.

Make sure that your SEO provider gives you detailed reports each month, and not just summaries of how your website ranks in the search engines, but an analysis of where the traffic is coming from. Web analytics is becoming recognised as a key tool in terms of measuring the success of marketing techniques used both online and offline, with particular reference to search engine marketing, if set up correctly.

This is the process of analytics, and it is a vital measurement tool. Reports should include a breakdown of traffic levels, including numbers sent from each source, such as search engines, other websites, direct traffic and so on. You should also expect to get return on investment and key performance indicators, such as the number of leads generated by each source, recommendations for how to boost traffic and suggestions for improving conversion rates, from a good agency.

If your site isn’t optimised, potential clients will visit competitors’ websites before visiting yours. So, making sure your website ranks well in the search engines is equivalent to ensuring your sales team does its job and brings in business for your company.

On the other hand…

'Organic' search engine optimisation will provide the perfect foundation for achieving top visibility for your website within the natural search engine results. However, 'pay-per-click' will open up opportunities to run targeted advertisements and campaigns for specific product or service pushes, with its extreme flexibility.

PPC enables your website to appear in the sponsored listings in the search results of the top engines such as Google, MSN and Yahoo by bidding on keywords chosen to drive targeted visitors to your site, via targeted landing pages. The best part of pay-per-click marketing has to be that you pay nothing until someone actually clicks on your sponsored advertisement. If set up correctly, you can track this user's path through the website as its level of measurability is virtually transparent.

Case Study - Novotel London West

Company details Novotel London West (NLW), the UK flagship hotel of the Accor Group, provides the international business community with conference, exhibition, banqueting and hospitality facilities. It boasts 5,500 square metres of space, a choice of 32 meeting rooms and 630 bedrooms, and has won 16 awards for excellence in the past four years.

Search marketing objectiveTo achieve maximum visibility across the top search engines for Novotel London West. In particular, to appear on page one of Google search results for their conference and meeting room facilities.

Strategy

Adams Creative optimised NLW's website to make it as search engine-friendly as possible. Through continuous monitoring of its search engine rankings and web analytics data, the agency was able to evaluate the impact of the increased search engine visibility on traffic to the website.

Results Adams Creative significantly increased the visibility of Novotel London West's website across the top five search engines (Google, Yahoo, MSN, Ask and AOL).

The following results were achieved in the first three months:

• 836% increase in top 10 search engine rankings for key service related terms.

• Page one rankings on Google including 'conference venue West London'.

• 21% increase in traffic to the website.

• 114% increase in traffic from searches on service related phrases from the top search engines.

Key search terms

Link building - The process of acquiring new links for the purposes of increasing traffic from other related industry sites and rankings for key phrases to pull users from search engines.

Analytics - Software used to analyse website traffic, for the purpose of better understanding how visitors interact with the site, where these visitors are coming from and the measurement of ROI and KPIs.

Keywords - The words and phrases chosen to be the main focus of the optimisation techniques applied, based partly on the number of searches per month and the level of relevance to the site and its content on each page.

Linkbait - Content designed to be incredibly viral within a niche, to drive traffic, raise brand awareness and increase the number of links to a given website

Social media - Sites such as Facebook, Reddit and StumbleUpon, which can be used to market to online communities, with the aim of increasing brand awareness, loyalty and word of mouth

Rankings/listings - Where a site can be seen in a search engine result page for a given keyword, notated either by page and depth, or simply overall depth. Very high levels of optimisation can produce indented or lists of rankings, which will produce vastly greater levels of traffic.

Peter Wailes is the search marketing specialist at Adams Creative

www.adamscreative.co.uk

Business intelligence: information overload

Catherine Everett — 2008-02-14T00:00:00.000Z

Catherine Everett, Best Practice, Thursday 14 February 2008 at 00:00:00

How many businesses have information readily available? Data must be centralised and business intelligence tools applied

To support the making of pertinent business decisions, what organisations need most is to have the right information in the right place at the right time.

But while this notion of having information at your fingertips is appealing, it is easier said than done. Often, information is scattered between spreadsheets and databases, so data gleaned from one part of the business may not correspond with that obtained from another. This can lead to inaccuracies as it can be difficult to establish a single version of the ‘truth’.

Centralising data

Many large enterprises have traditionally tackled this thorny issue by centralising key data into expensive bespoke data warehouses and adding business intelligence (BI) tools to enable them to analyse the information and generate reports from it.

But because relational database vendors, such as Microsoft, are now embedding BI-style capabilities into their products, it is no longer necessary to set up separate systems. As the corporate market has become more saturated, traditional front-end presentation and analysis tool providers such as Business Objects and Cognos have spread their nets more widely.

These events, along with the advent of new technologies and services, has led to such offerings starting to become more affordable and analysts expect adoption in the SME community to jump over the next few years as prices continue to fall. This is likely to be particularly true of companies with between 1,000 to 5,000 staff in the financial and professional services, retail, manufacturing and media sectors.

One organisation that has already adopted a BI approach is financial services firm, Partnership. It employs 160 personnel and provides products such as annuities to people with health conditions. Partnerships went through an internal transformation in October 2005 when it de-mutualised and undertook a management buy-out from the Pension Annuity Friendly Society.

Partnership’s management team wanted to expand beyond the company’s traditional niche markets and introduce a programme to generate sustained, but rapid growth. ‘Without fast, timely, accurate BI, you’re at risk of making the wrong decision about how to grow,’ says finance director Chris Rhodes.

Decision time

As a result, after evaluating a range of products on the market, the firm decided that it made sense to exploit existing technology and skill sets. It implemented two Microsoft SQL Server 2005 databases one to handle real-time financial-based management information and the other to provide high volume statistical sales data as well as SQL 2005 integration services to import information from third-party sources such as Excel spreadsheets and the HR database. It also introduced SQL 2005 reporting services to enable users to access information using a browser and Dundas Software’s data visualisation tools to enable them to view and analyse it graphically.

Historically, the company had relied on information being rolled down to staff from management briefings, ‘Now everyone has access to performance metrics using their browser. This means that they know how they should be performing and they’re making decisions based on fact,’ he says.

There are certain considerations to bear in mind when implementing software of this type. The first is to have a clear idea of what the organisation wants to achieve and to focus on each area using a step-by-step approach because, says Daniel Gwalter, head of IT at Partnership, ‘the scope for mission-creep is massive’.

The key issue is one of culture rather than technology change. As the way that staff and managers work alters, it is necessary to communicate openly and frequently with all concerned from the outset, what will be provided and how it will affect them, particularly in terms of benefits.

‘You’re moving from a situation where managers were managing based on anecdote to doing it based on hard fact. So the staff being managed need to understand that and be aware of the metrics that they’re being measured on,’ says Rhodes.

Catherine Everett is a freelance technology journalist

www.accountancyage.com/technology

Technology: world wise web design

Jerome Nadel — 2008-02-14T00:00:00.000Z

Jerome Nadel, Best Practice, Thursday 14 February 2008 at 00:00:00

The right website can help drive new customers to your business, but only if you apply the new rules of web design

The web 2.0 - you've probably heard the phrase, but what does it mean? Ultimately, it's about giving internet users far more control over the types of interactions that they want with websites. The hype surrounding 2.0, however, has tended to focus on the technology, but it is essentially about engaging with people.

The pace of change is so rapid that organisations need to develop a digital strategy to create appropriate and compelling online experiences for both clients and employees. For accounting and financial services, this means bringing practitioners and clients closer together. Where large accountancy firms, for example, have local teams working collaboratively for global clients, the framework allows virtual practitioners to collaborate as if working physically side by side.

From a business perspective, an effective user experience is one that meets an organisation's objectives by influencing a user to behave in a certain way. This is valid for both internal and public-facing websites, where online conversion takes place when a user makes a positive decision to interact. The ideal model should be an overarching platform that allows for the smooth transition from an initial anonymous visit to the site to registering and engaging as an authenticated user.

Collaboration needed

Unfortunately, most intranet portals remain hierarchical and fail to foster collaboration. To fully embrace Enterprise 2.0 (the term for web 2.0 tools and social collaboration tools within an organisation), intranets must enhance the experience by including more two-way interactive capabilities like contextual discussion groups, blogs and personalised RSS feeds.

Although organisations are exploring ways of incorporating 2.0 concepts into their websites, most are not approaching this holistically. Some are taking an IT-centric approach to the technology, while others are looking at the potential business benefits through improved communication and collaboration. Simply adding individual, technical elements like wikis and blogs, though, misses the point because it fails to embrace the whole user experience.

Until now, companies have controlled how their products, services and brands are portrayed online through their websites. Creating and updating content has always been one of the most time-consuming aspects of maintaining a website.

With the shift to self-service, users are contributing their own content, reacting to others and creating their own experiences. Rather than 'content-to-people', it is becoming more about 'people-to-people'. Managing content will still be relevant, but the decision as to whether or not to moderate new content contributed by users will be a growing issue for many organisations.

Content design

Interactive capabilities are also affecting overall design. Although sites will have web pages for the foreseeable future, the focus will be on content design. Users are already able to subscribe to content via RSS feeds and even imbed pieces of content directly into other web pages. As a result, it is becoming less certain that they will even visit your site so content will need to stand on its own and in different contexts.

Navigation will continue to be important, using information architecture to organise and label information so that it is easy to find. Users increasingly rely on more socially-derived viral cues such as recommendations. This is also influencing search, with users tagging content and telling other users what content is popular, related or important.

The essence of 2.0 is the web's evolution into a social-user experience. Whatever a site's conversion goal, it is now about people rather than products and services. This requires a new take on usability, which has until now focused on evaluating the rational, behavioural aspects of user experience - for example, whether people can learn to navigate the site or access information easily.

While these issues are still relevant, website design must be persuasive, as well as elicit emotion and trust to trigger the decision-making process. Website usability must now address the much broader concept of user experience, one that encompasses people acting on variables they are not consciously aware of. The difference now is whether users will want to do something as opposed to simply being able to do it.

The emergence of web 2.0 means that it is no longer adequate for organisations to reflect their organisational structure through a separate .com, intranet and extranet. Changes in strategy are required so that digital communication channels engage users in a meaningful way beyond the traditional, one-way, firewall legacy. A digital strategy is not a luxury for an organisation. It should be an intrinsic part of its business plan and reinforced by an understanding of its market segments.

Design guidelines:

• Avoid static, brochure-like websites ¬ web pages are not brochures

• Keep it simple ¬ the majority of people view technology as a means to accomplish something, not as an end in itself

• Design must be user-centred to meet people’s needs and expectations

• Understand users’ motivations and mindsets and design accordingly

• Understand that content is no longer a one-way process with an organisation as the sole conduit

• Avoid incorporating design features unless they serve a purpose

• Incorporate principles of persuasion, emotion and trust into the design to improve users’ experiences

• Make it easy and intuitive for users to be contributors

• Humanise the online experience by encouraging users to rate/score/review information and services provided

• Include a clear privacy policy that can be easily found and understood

• Remember, usable means easy to learn, hard to forget and easy to explain=

Jerome Nadel is chief experience officer of Human Factors International

www.humanfactors.com

Market research: access all areas

Tim Phillips — 2008-01-10T00:00:00.000Z

Tim Phillips, Best Practice, Thursday 10 January 2008 at 00:00:00

Market research has long been hindered by hard-to-find groups. now blogs and social networking sites are opening locked doors

When Philips Lighting wanted an opinion survey of Europe's hospital workers who worked in rooms without a window, it turned to an innovative market research company called Brainjuicer. When Brainjuicer wants to find groups of consumers that normally can't be found, it turns to the internet.

'Nowadays, 64% of the population is online and every slice of the population is represented in that 64%,' says John Kearon, CEO of market research company, Brainjuicer.

The juice that Kearon squeezes from the online population is cheap, effective, highly-targeted market research. Ten years ago, market research on the internet was in its infancy. Today, it accounts for about 25% of the global industry, according to market research consultancy GMI. Nine out of 10 large companies and six out of 10 small companies will do online research in 2007, a global market worth around ££2bn.

Reaching out

At its best, online research is popular because it gives researchers cut-price access to hard-to-find groups: not just hospital workers without daylight, but special interest groups or niches that don't tend to respond to traditional methods of research. Teenagers and young adults, for example, are tomorrow's customers, but are resistant to normal methods of market research. They won't fill in questionnaires or hang around on the phone answering questions about their lifestyle. On the other hand, they will give their opinions in internet discussion groups and social networking sites. They generally don't respond to advertising and marketing concepts in focus groups, but they will rate video clips. 'It wasn't possible to study these groups properly before,' says Kearon. 'Now, the research can be more interactive and creative. You can play a video, or design questions that help them express what they think and feel in a much smarter way.'

Internet-based market research is also useful because, instead of a once-a-year blockbuster research project, companies can tap into customer opinions regularly, or do a simple survey to help steer their decision-making at a very early stage of product design. Kearon says the internet is ideal as a way to dip a toe, to test ideas when you don't need in-depth research. 'For instance,' he says, 'we help start-ups find out if their idea is any good.'

But the internet has created plenty of shoddy market research. Anyone who uses the internet today is bombarded with opportunities to participate in surveys or even to join online consumer panels and be paid to answer questions from companies that care less about who you are, or the quality of the opinion expressed, and more about getting the number of replies that their client has asked for. Charles Pearson at Research Now, explains how he registered for a rival company's paid panel on the internet: 'They don't even say you need to live in a particular place or be a certain age to participate. I was offered five opportunities to participate immediately.' The incentive to make up answers or simply to fill in random responses on this type of panel has created many 'professional respondents' - consumers who will say anything in an online survey, as long as they get paid.

Acceptable standards

Good agencies that care about their reputation are trying to weed out the professional respondents, but not all of them. Eric Salama, the chief executive of Kantar, the market research division of WPP, admits that standards of internet research have often been unacceptable. 'A lot of internet research today has standards that we shouldn't be proud of. These are standards that we wouldn't apply in other fieldwork areas.' The problem when you're buying research is that you simply get statistics and conclusions - misleading research looks exactly the same as good research, until you put it into practice.

The Market Research Society, the UK's industry watchdog, advises companies buying research to use only its members. It's also wise not to rely exclusively on the internet, or to assume it will solve every problem. For example, when Rachel Lopata, research director at Opinion Leader Research, was surveying chief executives online, she eventually discovered that many of the surveys were filled in by their PAs. 'Although online research can be useful,' she says, 'it's not always the answer.'

Tim Phillips is a freelance technology journalist