In a previous post, I looked at the considerations a business owner has to make when adopting a digital tool into the business. The tricky issues that must be overcome are not unique to small or medium businesses, however.
Earlier this year, I had a meeting with a bank to explore the possibilities of a strategic partnership. At reception, I was asked to sign in on an iPad, a common process in London but definitely not in Lagos. The usual form-like questions were asked - first name, last name, company name. And then came the request for my laptop serial number.
“Wait, what? Oh hell no” I thought.
I asked the receptionist why my laptop serial number was needed.
“That is our sign in process madam”, she declared.
“But that's not what I asked. Why do you need my serial number?”
All external visitors with a laptop were expected to enter their serial number into the system. I knew this was going to be one of those frustrating conversations that go nowhere. So, I asked: in the event that the bank's system was hacked, data stolen and my laptop compromised, would the bank accept liability? I got that “What is dis nonsense you are talking” stare.
A man emerges from the barriers.
“Madam, what is de problem?”
Again, I asked him why my laptop serial number was needed. He parroted what the receptionist said about all external visitors having to do this. I asked him the same question about the bank's liability in the event their system is hacked. Unlike the receptionist, he knew exactly what I was asking. You could visibly see he was totally offended by my suggestion that such a thing could happen.
“This is [unnamed] bank”, he said in disgust, “our systems do not get hacked.”
Well, that was enough to send me into a short “WTF are you talking about” rant.
“If the likes of Sony PlayStation has been hacked multiple times, and Facebook and the NHS have been compromised, what makes you think [unnamed] bank has a robust enough infrastructure to prevent it being hacked?”
I'm sure if he could have backhanded me at that immediate moment, he would have. I asked if I could leave my laptop behind reception whilst I attended the meeting. I was told no, because there was nowhere to put it.
“Er, I can leave it just there”, I said, pointing to a space on the desk.
They could not be held responsible if the laptop went missing. We were at an impasse. There was no way I was entering my serial number into the iPad and there was no way they were letting me in the building.
I waited in the seating area for another 15 minutes before my host came to reception. I explained what was happening. The man who was unimpressed by my audacity to question their IT security eventually suggested my host talk to the Head of IT. He arrived about 5 minutes later. My host relayed the situation. The Head of IT asked if I was going to be with him the entire time I was in the building. My host assured him this would be the case. And that was it: I could sign in without entering my laptop serial number into the sign-in system on the iPad.
I finally entered the barriers 40 minutes after I arrived. Luckily, I had arrived 10 minutes early, but I'd lost 30 valuable minutes of this meeting, which had various people in the department attending. Needless to say, they were in the middle of doing other things when I finally made it to the meeting room.
Let me explain my stubbornness here. It is no secret that Nigerian banks outsource much of their technological development work to India (many banks around the world do this). Even if they have an in-house team, work may be outsourced in the early stages of development prior to building a team, or outsourced when a team has overstretched capacity. One of the key things that is often overlooked in this development process, however, is where the data collected by these systems, platforms, websites or apps sits. More often than not, it doesn't sit anywhere in Nigeria or on a server that belongs to the bank. It lives on the outsourced developer's server of choice. It's all too easy to say yes when they offer to take care of everything. The issue of IP and data ownership is totally overlooked. A form for a building entry system is not going to be considered the most important data in any organisation. The security architecture around that data will be basic at best. It's just to keep track of who entered and left the building on a given day, after all. And in the event of an emergency, all the people in the building can be quickly accounted for in a roll call. So, why the need for a laptop serial number?
A laptop serial number is like a password or bank card PIN number: it's a unique identifier for any machine. With that seemingly random set of numbers and letters, anyone with ill intent can access your laptop and the information on it.
Three points I'd like to pick up on in the digitisation conversation here:
1 - When deciding on processes, there must be a sound reason behind what you do. "Because that's how we do it" is not a reason. It certainly isn't a defensible position when you are demanding information as sensitive as laptop serial numbers, or after you've been hacked. So, always ask yourself why: why do we need to do that? Alternatively, get someone who's objective (not in the IT department or development team), who's not afraid to question things and will take a forensic look over processes.
2 - The bank's security is imperative, yes. However, a non-staff visitor taking their laptop into the building does not compromise the bank in any way. Not unless they were accessing the servers or connecting to a staff member's machine via Bluetooth, and the latter requires that staff member to pair their machine with the visitor's laptop. WiFi access is what visitors normally request (a guest network is usually available; it should not be the same one used internally). I didn't even need that.
3 - Everyone involved in executing these processes should know how to resolve, or have enough knowledge to deal with, any issues that arise. It should not have taken the Head of IT to come and ask such a basic question for me to be let into the building. The receptionist should have known to ask my host this question.
No matter how big or small the organisation, the process of digitising areas of the business has to be well thought out. Every minute detail needs to be considered, no matter how pedantic it may seem. The biggest questions to address begin with ‘why’ and ‘what if’. Without addressing these, the business, its customers and partners are potentially at risk. Any investor looking at a business would immediately recognise the issue above and suggest closing this gap. If such a vulnerability were to be exploited, it would prove costly. A cost no investor wants to bear.