Published on the 05/04/2013 | Written by Paul Matthews
IT security and project stuff-ups are certainly nothing new in our field. But things seem to be getting worse and sadly, most of these issues are preventable…
Two thousand and twelve certainly saw its share of high-profile IT gaffs. The year seemed to lurch from scandal to scandal, with the two most prominent security stuff-ups being the calamitous launch of TradeMe competitor Wheedle, taken down after just a few days amidst what had become a fever pitch of complaints about gaping security holes; and the revelation that up to 736 publicly-accessible kiosks in WINZ offices throughout New Zealand weren’t properly locked down, allowing access to sensitive documents including details of abused children.
Add to that the long-running and far from resolved Novopay fiasco and 2012 certainly wasn’t a good year for the reputation of our profession.
In fact New Zealand’s Privacy Commissioner Marie Shroff has gone as far as labeling it the “year of the data breach” and, given the above issues and others such as the ACC Pullar affair, it would certainly be difficult to argue that she’s wrong.
So what really happened and what do the issues of the past year have in common? Wheedle was a well-intentioned and, by all accounts, well-resourced company that promised to finally take on incumbent behemoth TradeMe in the online auction game. Backed by the founder of Mainfreight, its battle cry included claims of good technology, 40 servers on standby and millions in advertising.
But despite all of this, the founders seriously let themselves down on the IT front. For example, they allegedly didn’t even bother encrypting passwords sufficiently and left gaps in their website that allowed members to change other members’ auction details (including reserve and buy-now prices) leaving the site open to serious abuse. In fact they made a litany of fairly entry-level coding errors and simply got the basics wrong.
It was later revealed that the website development had been outsourced to developers in India, presumably to save costs.
The WINZ kiosk situation should never have happened either. In this case, the Ministry of Social Development built hundreds of self-help kiosks to enable the unemployed to edit their CVs and search for jobs. A great idea, and for the most part they did everything right. However there were two fundamental – and basic – flaws to their execution.
The first was technical; the kiosks were connected smack-bang in the middle of the Ministry’s network with no separation, physical or logical. This meant that a somewhat minor oversight when locking the kiosks down (the ability to access network locations through Microsoft Word’s ‘Open’ dialog box) became a major issue, especially when it was combined with access to sensitive files such as phone logs, invoices and other information, including that of abused children.
While somewhat unforgivable, this wasn’t even the biggest oversight. It emerged later that the Ministry had been made aware of these issues. In fact they’d hired an external security company to audit the kiosks, then simply ignored four out of the six security issues identified, including the major lack-of-separation issue that caused the breach.
Interestingly, a request for funds to do the separation properly had been made. It was apparently ignored and the project pushed ahead without it, probably to save costs. It’s worth noting that the cost of the two recent Deloitte reports into what went wrong is an astonishingly high $450,000 so far – and that’s before the fix has even started.
So again, ignoring the basics caused potentially catastrophic results.
Then there’s Novopay, the New Zealand Ministry of Education’s payroll solution built on Australia’s Talent2 system. Those that have worked in IT for any length of time will know there are often teething problems in the implementation of any new system, especially one as complex as a payroll system for upwards of 90,000 people in hundreds of schools across a country. Teething problems are more or less a given, which is why they are factored into the rollout plans for major new systems.
Already two years overdue and undoubtedly millions over budget, did the powers that be push ahead with the Novopay launch knowing there were still issues, amidst political and financial pressure to get it done? It appears the pre-launch testing showed the system wasn’t ready; only 37 percent of trial users thought it was ready to go. Yet on 20 August 2012 they kicked it off anyway, flicking the switch on all schools and all teachers in one fell swoop.
The promised ministerial inquiry into the resulting mess will hopefully shed light on why they didn’t roll it out to a small group of schools first to identify and resolve most issues before they became totally overloaded by a backlog of thousands of problems. Kicking things off in 50 schools would have identified most of the problems that have subsequently appeared, but in a way that meant they could actually deal to them quickly and without affecting too many people. Not only is that best practice, it’s also common sense.
As you can probably see, a pattern is emerging here, one that we see constantly repeated in IT. It is a pattern of standard good practice being ignored, budgets being cut and cost or political pressure leading to cutting corners with disastrous effect.
In short, it demonstrates a naively held view that cutting costs in the implementation of IT projects won’t have the dire consequences that we see time and time again.
Isn’t it about time we stopped being so foolish? So, how do you prevent your company being the next 6 o’clock news item on privacy, security or IT failing? It’s simple really: just resource and do the job properly. Play by the rules, don’t cut corners, follow established good practice and don’t be fooled into false economy and believing that saving a few bucks now won’t cost you a bunch down the line.
The price of doing it right is seldom more than the cost of cutting corners when all is said and done. And as Wheedle, MSD, Novopay and many others have discovered, getting it wrong in IT can come at huge expense to your wallet… and your reputation.
Paul Matthews is chief executive of the Institute of IT Professionals New Zealand
www.iitp.org.nz