Tuesday, 23 August 2016

The Gartner Hype Curve 2016






The latest iteration of the Gartner Hype Curve has been released for 2016. The hype cycle is a branded graphical presentation developed and used by American information technology research and advisory firm Gartner for representing the maturity, adoption and social application of specific technologies. The hype cycle provides a graphical and conceptual presentation of the maturity emerging technologies through five phases.

The latest Gartner Hype Cycle for Emerging Technologies illustrates how quickly technology innovations have the potential to redefine buyer, supplier and customer relationships for any business. Gartner added 16 new technologies to the Hype Cycle this year, including block chain, machine learning, general purpose machine intelligence, smart workspace in addition to many others.

The yearly update to the diagram often presents a reminder to the tech world how focused and consumed the sector is why hype. Many technologies are quoted as life changing years or a decade before they actually are usable and in the mainstream. An example are drones. Amazon are creating the idea that they can do drone deliveries but the curve shows drones as not even at the Peak of Inflated Expectations. Drones won’t be delivering your Amazon order any time soon.




There are some key information within the 2016 diagram:
  • Sixteen new technologies included for the first time this year. 4D Printing, Blockchain, General-Purpose Machine Intelligence, 802.11ax, Context Brokering, Neuromorphic Hardware, Data Broker PaaS (dbrPaaS), Personal Analytics, Smart Workspace, Smart Data Discovery, Commercial UAVs (Drones), Connected Home, Machine Learning, Nanotube Electronics, Software-Defined Anything (SDx), and Enterprise Taxonomy and Ontology Management.

The most interesting addition is the Enterprise Taxonomy and Ontology Management – essentially the categorisation of things. With content search being the issue it is when dealing with big data this potentially has the most B2B impact.

  • Immersive experiences will become more intelligent and contextually aware, enabling greater productivity and Technologies enabling transparently immersive experiences include 4D Printing, Brain-Computer Interface, Human Augmentation, Volumetric Displays, Affective Computing, Connected Home, Nanotube Electronics, Augmented Reality, Virtual Reality and Gesture Control Devices.

There is a lot of media attention around the AR scene with the success of Pokemon GO and the new VR headsets such as the Vibe and Oculus Rift. The odd one on the list is Affective Computing – encompassing speech and facial recognition (old tech right?) but now adding emotion into the mix.

  • Smart machine technologies will transform manufacturing and its related industries: Smart Dust, Machine Learning, Virtual Personal Assistants, Cognitive Expert Advisors, Smart Data Discovery, Smart Workspace, Conversational User Interfaces, Smart Robots, Commercial UAVs (Drones), Autonomous Vehicles, Natural-Language Question Answering, Personal Analytics, Enterprise Taxonomy and Ontology Management, Data Broker PaaS (dbrPaaS), and Context Brokering.

Driverless cars and drone deliveries are in the news already – although both are suffering to grab the mainstream. Robotics is probably the next transformational technology group to change human existence, the last being the internet. Watch out for the term SmartDust. As a collective term for many new and emerging technologies it hasn’t really had its moment in the sunshine, but it’s only a matter of time.

  • Emerging technologies are enabling entirely new business models, driving a Platform Revolution. Platform-enabling technologies making new business models possible include Neuromorphic Hardware, Quantum Computing, Blockchain, IoT Platform, Software-Defined Security and Software-Defined Anything (SDx).

The Blockchain technology is undoubtedly about to change the financial world. The hyper-secure method of managing and tracking financial transactions should go a long way toward negating financial fraud within the banking and public sector.

  • Fourteen technologies were removed from previous years’ diagrams: Hybrid Cloud Computing, Consumer 3D Printing, and Enterprise 3D Printing, Bioprinting Systems for Organ Transplant, Advanced Analytics with Self-Service Delivery, Bioacoustic Sensing, Citizen Data Science, Digital Dexterity, Digital Security, Internet of Things, Neurobusiness, People-Literate Technology, Speech-to-Speech Translation and Wearables.

Many of these removals are a reflection of some expected trends and technologies just not emerging or becoming consolidated within other tech terms and categories. Wearables is the interesting one, now not seen as new, exciting or having the kind of impact it was imagined a few years ago.


The conclusion we can draw is clear. The tech industry will continue to thrive on hype and the promise of change on the largest magnitude. The man in the street will continue to struggle and identify those technologies that really do have the power to improve their lives. Investors will continue to chase the unicorn start-ups – hoping that it will survive the full Gartner curve and become big exit for them. Next year’s Gartner diagram will arrive and the whole technology debate will begin another cycle.

Friday, 19 August 2016

Net Neutrality - do you care?








Summary


Net neutrality is a term many are not familiar with and those that claim they are can struggle to explain it if asked. The most common question then becomes "How relevant it is to you and what you do online?"

Those that propose the notion would argue 
that the debate about how networks operate is fundamentally one about the future of the internet for everyone around the world.

To put the issue into easier terms, lets consider trains and the difference between standard and first class.  First-class carriages on a crowded commuter train represent special treatment for those that can pay - standard ticket passengers are crammed against each other's armpits because of their unwillingness or inability to pay. Herein we have a good example of net neutrality.

On the net neutrality train, all passengers (ie data) would be treated equally, with no special carriages for those able to pay.

The principle that all traffic on the internet should be treated the same relates to the emergence of the internet and for many encapsulates the whole principle of an open for all internet, free from government governance or corporate control.

So what are the two sides of this argument?


Those in favor
: Net neutralists argue that any public internet service provided by Internet Service Providers ("ISPs"), providing the pipes for content,  should only run the networks and have no say over how and what content flows to users, as long as it is legal.

Those against: But ISPs argue that if the internet could run on multi-layered basis with some channels slower but free and others are faster and paid for - the revenue it would generate would benefit everyone and raise minimum standards. Providers prepared to pay can go in an internet "fast lane" - is inevitable in today's data-hungry net world is the common argument.

USA versus Europe versus South America


The current debate was really kick-started by a ruling in a case in the US in January 2014, ISP Verizon successfully challenged the US Federal Communications Commission ("FCC") over its net neutrality policy - known formally as the Open Internet rules.

The Court of Appeals negated two of the three open internet rules, opening the way for ISPs to start charging fees to carry bandwidth-hungry data on its networks. In March of 2014, Netflix agreed to pay a fee to Comcast to improve the speed at which its service reached consumers' homes.

The part of the rule change that has sent the industry into uproar is a proposal for so-called fast lanes, allowing ISPs to charge content providers as long as the terms were "commercially reasonable".


Fundamentally, Europe doesn't agree with the US.


In April 2014, the European Parliament ("EU") voted to restrict ISPs from charging services for faster network access.  It also judged that mobile and broadband network providers should not be able to block services that competed with their own.

Slovenia and the Netherlands have already incorporated the principle in their national law.

Brazil ,by way of comparison, has a new law that telecom companies cannot change prices based on the amount of content accessed by users. It also states that ISPs cannot interfere with how consumers use the internet.  Meanwhile, neighboring Chile was the first country to pass net neutrality legislation, back in 2010.



Why should you care?


Depending on the outcome of all this wrangling, it could either hit your wallet or change your watching habits.

If net neutrality is upheld, ISPs could pass on the cost of delivering bandwidth-hungry; upping the cost of services to pay for delivering faster bandwidth - and raise the monthly fee they charge for internet access.  Users may get a charge that reflects their usage, with those using video-on-demand services being charged more.

On the other hand, if ISPs are able to start charging fees for prioritised access to content then users may find that those websites not in the fast lane are slower to load.  There are fears that ISPs might block access to rival services or slow them down so much as to be unusable.

Consumers could also be charged more by the content providers forced to pay more to get their services to them in quality.

Anyone thinking this is a US-only issue should note that, following its agreement to pay a fee to Comcast and Verizon, Netflix put up the price for its monthly streaming service in Europe as well as America.


What can you do?

Like with most causes there is a petition. You can join the fight against the corporates by signing it here.

If you would like to understand more then check out these current links:


Tuesday, 16 August 2016

Brexit and Data Protection – What Happens Now?




The unexpected decision for the UK to Brexit the EU recently will require all businesses to adjust their approach to Data Protection.

The fundamental issue for most business will become how data protection will be governed in the UK going forward and over the next five to ten years.

Prior to the Brexit vote, most of European Businesses were gearing up to adopt the EU Data Protection Act (DPA) that is scheduled to replace the existing legislation on the 25th of May 2018. This was designed as an overhaul of the existing laws that have become weaker than the regulators would like. The new laws introduce much stronger data governance and management requirements and lead to clearer data protection responsibilities, more opportunities for personal claims for damage following a data loss, more stringent requirements for organisations, such as IT cloud providers, tighter rules on transferring data outside the EU and greater penalties for data breaches.

The UK Brexit vote and the unknown timescales and process (which could take years) will have significant implications for UK businesses that use data on a day to day basis.

There has to be the prospect that the UK does not adopt the DPA along with the rest of Europe. This could cause significant issues for businesses that need to transfer data between the UK and EU destinations. Red tape looms along with higher costs and lower operational efficiency.

These issues and changes may leave the market with a difference of opinion over the commercial viability of working with UK companies operating outside of the DPA than those within the EU operating within it. That could form the basis of a competitive advantage for EU based companies.

What is important is that companies, especially those transferring data across jurisdictions, consider how the data protection legislation will affect them. Data governance and security is a part of a business strategy and risk mitigation is a crucial aspect to protecting your business.


Thursday, 11 August 2016

Technical Due Diligence - The Basics






Opening Summary


If you’re staring down the barrel of a technical due diligence investigation for the first time, the prospect can be daunting. The VC has brought in a specialist to dig down to the core of your business and you’re quite rightly feeling vulnerable and nervous. The following article is aimed at helping you understand what is happening and how to deal with it calmly and objectively.


Technical Due Diligence


From the beginning there is a temptation to treat the assessor as hostile. It’s quite often the case that the assessor is seen as being someone who can sink the deal. It’s simply not the case. The assessor is not looking for reasons to kill the deal, they are looking for reasons to say yes to the investor.

It’s common for the assessor to have been in the entrepreneur’s position and therefore understand the level of anxiety that the investigation will be generating around the company. That understanding and the first-hand experience of the challenges and realities of running a start-up will ensure both empathy and realistic point of view that nothing will be perfect under scrutiny.

Ultimately the assessor works for the VC and must report honestly and accurately about any deficiencies or concerns made visible during the investigation. Not to do so would put the assessor at risk of a lawsuit for being negligent in the event the deal is completed and something that should have been highlighted wasn’t and subsequently causes a loss to the investor.

Whereas being able to answer questions in detail about your business and how it works is critical, there is also a secondary set of factors about how you engage with those questions, think quickly and how well you deal with the overall process. These give insight into the human behind the business opposed to just seeing the business as a series of process based interactions.

The primary purpose of the assessment is to evaluate four key aspects of the business from a technical standpoint. Vision, Scalability, Maintainability and Continuity. 

vision



The company was (probably) founded by someone with a vision. A future for the tech and for the company. The first question then should be does that vision still exist, how is it described, is it road-mapped and what does that future look like.

  • Sometimes the ownership of the technical vision has been transferred and the responsibility is with someone other than the founder.
  • Does the company’s management share the same vision of the where the tech is taking them?
  • Does the vision make commercial sense and can it be correlated with other parts of the tech spectrum?

The quality of the leadership within the company is critical. Every successful tech company has someone at the head of the organisation with a real vision for the technology. The assessment needs to show and understand how well (or not) that leadership is working.

Diversity is another key indicator. If the entire leadership of the company comes from essentially the same personality types, then the company will become one dimensional. Business leaders, technology types and others must combine to give a complete outlook on delivering the companies vision.

Sample questions around the company’s technical vision might include:
  • Do you have a clear road map for where you want the product to be in one month, six months?
  • What is your recruitment ratio for technical staff? How many interviews does it take to find a new recruit?
  • What is the employee turnover for the company on a yearly basis and what factors do you attribute that turnover to?
  • Do you look to recruit people you know from previous jobs? If not, why not?
  • Are you using Cohort Analysis or some other methodology for user feedback and testing?
  • What is the product tempo? How many releases or update every month/quarter/ year?
  • What are the number 1, 2 and 3 concerns over the current product or service?
  • What is the recruitment process in detail (How many stages? Code tests?)


scale


This would seem obvious at first glance but getting a tech business to scale effectively can be more difficult than just adding more servers or connectivity. There is some science, some methodology and even some philosophy that needs to come together to make a business scale in a frictionless way.

Sample questions on scaling might include:

  • Would/Could you scale/change to accommodate x10, x100, x1000 times more users?
  • Would/Could would you have to scale/change to accommodate a million users?
  • What aspects do you monitor and at what level of detail?
  • What metrics would tell you that you are not scaled appropriately?
  • What aspects of the system do suspect might not scale well?
  • What is your hosting solution, how is it backed up and what is the security approach?
  • Do you use any third party services, and what is your redundancy against 3rd party failures?
  • Can you show me a network diagram?
  • What single points of failure exist?
  • What are your top 3 concerns around the current systems?


maintain


There are a number of concerns that an investor will have over any tech acquisition when it comes to the existing tech. 

  • Will the existing staff depart once the company has changed hands, meaning that all the experience is leaving the business?
  • Will new staff joining the company just find a mess of spaghetti code that takes months or even years to understand?
  • Has any documentation been created in a meaningful way that will support the continued development process?

One of the common issues is that these questions are answered differently by the business types running the company versus the technical types involved in the tech creation process. The assessment must clarify the issues around the existing code base and what will happen when the team attempts to write new code by new team members.

These sample questions seem like common sense but they still do form the basis of an investigators basic train of thought:

  • Do you use any form of source/version control and if so, which one and why?
  • Do you build/check-in on a formal timetable - daily, weekly, whenever?
  • Do you insist comments on check-in?
  • Do you use Continuous Integration or create unit tests?
  • Do you have formal code reviews?
  • What development methodology do you use and why?
  • Can you deploy a build to staging or production with a single click?
  • Do you have dedicated and qualified testers?
  • When do you deploy?
  • Does the software automatically notify you of errors?
  • Do you have a bug tracking system?
  • Could you walk me through some code if required?
  • How many defects did you close last month?
  • How many open defects are there?

continuity


Continuity is essentially about disaster recovery, back up plans and contingencies. If we assume that everything runs as we would like and does so forever, then we’re setting ourselves up for a fall.
There are digital failures to assess. What happens if your data centre goes off line, if a server fails or if connectivity is lost?
There are physical disasters to understand. What happens if the building floods, the power to the building fails or the building burns down overnight?


Disaster recovery planning within most tech businesses is weak and is frequently cited as a concern in technical due diligence reports.

Typical questions around continuity are:

  • Do you have a documented and tested Disaster Recovery plan?
  • Do you have a documented and tested Business Continuity Plan?
  • Is there any part of the product or system that is understood by only a single person?
  • Is your Version Control system backed up, where, how often?
  • If the Database Server exploded how much client data would be unrecoverable?
  • If there was a fire at the Data Centre how much client data would be unrecoverable?
  • Do your staff have laptops and if so how is data and applications secured on them?


Closing Summary


An experienced assessor will start each new assessment with a framework of points or questions and then use their experience to start to focus down on key areas dependent on what responses they are getting. The best ones will be able to think on their feet and drive the investigation on a case by case basis.

Hopefully this article will give you a starting point to think about how you can prepare for the due diligence process before being face to face with an assessor and feeling under pressure.

If you have specific questions or would like to speak to one of the team directly then please get in contact.



Email: dave.sharp@technicalduedil.com
Phone: 0845 862 0726

9 Top Programming Languages







There are many different programming languages that a new coder can learn. Here is a review of the top 9 according to the needs of commercial software developers. The list is in no particular order of importance, but merely serves a reference list.

1.    SQL (pronounced ‘sequel’)

SQL nearly always tops the list, it has become ubiquitous and can be found in various guises. As a suite of database technologies (MySQL, PostgreSQL and Microsoft SQL), it can be used to power servers for big businesses, small businesses, hospitals, banks and academic establishments.  Virtually every online service, web application or mobile app eventually touches something SQL.  Mobile devices and tablets have access to a SQL database called SQLite and many mobile apps and web based services use it as a direct technology component.

2.    Java

Java is now one of the most persistent technologies in the digital era, having been launched nearly 20 years ago, its longevity is unprecedented.  Due to its long life, java is one of the most widely adopted programming languages, used by some 9 million developers and running on 7 billion devices worldwide. When Android hit the market as a technology, it’s programming language of choice was Java, and is used for all native Android apps. The language is regarded as simple and readable by most developers and that has been its core strength. Its highly compatible with older systems and this ensures that code requires less maintenance and upkeep over long periods. A lot of high profile online applications are built in Java, such as LinkedIn and Amazon.


3.    JavaScript

JavaScript is a scripting language (not compiled) used on web pages to inject interactivity. This should not be confused with java which is a compiled programming language. JavaScript is used to create many of the web page effects we have become used to seeing, pop-up boxes, web forms and even simple video games.  JavaScript is now a fundamental part of how the internet works and is embedded into web browsers. The language has developed more complex functions to support things like real-time communication through technologies like Node.js and has become a framework for front-end development through Angular.js

4.    C# (pronounced C-sharp)

C# (released in 2000) is the latest in a long line of Microsoft developed programming languages. These languages fit into the well-used .NET framework. It is a multi-paradigm programming language encompassing strong typing, imperative, declarative, functional, generic, object-oriented (class-based), and component-oriented programming disciplines.  C# is an evolution of the C and C++ languages that have been in mainstream use for the past 30 years.

5.    C++ (pronounced C-plus-plus)

C++ is a general-purpose programming language. It has imperative, object-oriented and generic programming features, while also providing facilities for low-level memory manipulation.  It was designed with a bias toward system programming and embedded, resource-constrained and large systems, with performance, efficiency and flexibility of use as its design highlights.

C++ is a general purpose object-oriented programming language based on the earlier ‘C’ language. Developed by Bjarne Stroustrup at Bell Labs, C++ was first released in 1983. Stroustrup keeps an extensive list of applications written in C++. The list includes Adobe and Microsoft applications, MongoDB databases, large portions of Mac OS/X and is the best language to learn for performance-critical applications such as “twitch” game development or audio/video processing.

6.    Python

Python is a general purpose programming language that is simple and incredibly readable since closely resembles the English language. This simplicity to read is Python’s main strength and makes it a great language for beginners. Python has quickly become the language of choice for academia, recently bumping Java as the language of choice in introductory programming courses.  Because of Python’s use in the educational realm, there are a lot of libraries created for Python related to mathematics, physics and natural processing. PBS, NASA and Reddit use Python for their websites.

7.     PHP

PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. Originally created by Rasmus Lerdorf in 1994, the PHP reference implementation is now produced by The PHP Group.  PHP originally stood for Personal Home Page, but it now stands for the recursive acronym PHP: Hypertext Preprocessor.  PHP tends to be a popular language since its easy-to use by new programmers, but also offers tons of advanced features for more experienced programmers.

8.    Ruby on Rails

Ruby on Rails, or simply Rails, is a web application framework written in Ruby under the MIT License. Rails is a model–view–controller (MVC) framework, providing default structures for a database, a web service, and web pages. It encourages and facilitates the use of web standards such as JSON or XML for data transfer, and HTML, CSS and JavaScript for display and user interfacing.
Ruby on Rails has many positive qualities including rapid development, you don’t need as much code, and there are a wide variety of 3rd party libraries available. It’s used from companies ranging from small start-ups to large enterprises and everything in-between. Hulu, Twitter, Github and Living Social are using Ruby on Rails for at least one of their web applications.


9.    iOS/Swift

Swift is a general-purpose, multi-paradigm, compiled programming language created for iOS, OS X, watchOS, tvOS, and Linux developed by Apple Inc. Swift is designed to work with Apple's Cocoa and Cocoa Touch frameworks and the large body of extant Objective-C (ObjC) code written for Apple products. Swift is intended to be more resilient to erroneous code ("safer") than Objective-C, and more concise. It is built with the LLVM compiler framework included in Xcode 6 and later and, on platforms other than Linux, uses the Objective-C runtime library, which allows C, Objective-C, C++ and Swift code to run within one program.


Developers will find that many parts of Swift are familiar from their experience of developing in C++ and Objective-C. Companies including American Airlines, LinkedIn, and Duolingo have been quick to adopt Swift, and we’ll see this language on the rise in the coming years.

Tuesday, 9 August 2016

Investment for Video Game Studios (August 2016)



I'm in Edinburgh about to give a presentation on how small independent games studios can get themselves going and how they can generate some investment or grant funding opportunities. I was kindly asked to do this by the peeps at The Big Learning Company and I am happy to be able to do this.

My presentation is quite short due to time constraints so I thought I would supplement the slides with some further comments on here, mainly around the top problems start-up studios face.


#1 Team

As with many non gaming businesses, its very hard to raise money if your a sole founder. The risk of a one man management team is too great for many investors. Its still quite hard with two people. The optimum number is three. Four is too many and has other issues with it. If you're a sole founder don't be surprised if investors suggest you find a couple of other people, its about risk management.

#2 Product

There is a massive difference between a good game and a commercial one. There are hundreds of good games (good art, solid code, nice story) every year that end up with little or no audience. If you're a start-up, start with an audience in mind and build a game towards them. Avoid the build-it-and-they-will-come thing.


#3 Timing

There are investment cycles that need to gel with the games cycles to get a good fit for both the studio and the investor. New hardware releases and launch titles are a good point to aim for, so waterfall backwards to see when investment needs to be completed and make that part of the narrative of your investment.


#4 Expectations

Many game studio founders fail to fully understand the expectations of professional investors until its too late and the relationship has broken down. Investors expect to make a return, and often founders see the road ahead and timelines differently. Don't enter into an investment agreement without fully understanding what the investor wants and needs and when.


#5 Focus on Delivery

Not everything goes to plan, it would be a naive investor that thought that way. Most investors are perfectly OK with problems if the founders are focused on delivery. What they don't want are long-winded elegant solutions built internally that could have been bought for $500.00 and implemented in hours or days. Always focus on getting to market and your investor will always be ready to help financially.

#6 Governance and Guidance

It can sound a bit pretentious when you talk about boards of directors and non-executive directors ("NXD") but its never too early to start getting the best advice you can. The formation of the board is a good indication to potential investors that you're serious about building a sustainable company. NXD's should be used on a rolling basis to help combat specific issues you're facing. Collectively the board and the NXD's give your company strong governance.


#7  Fail Fast

An oldy but a goody. Plans are useless but the planning process is vital. Make sure you have a plan b, c and probably d. When something isn't working move onto the next version of the plan, but do it fast. Learning that pivoting is not a bad thing is vital and every change needs to be rationalised and documented for the investors.


#8   Plan for Success

Many entrepreneurs know exactly what they are going to do if they come up short on sales targets or revenues. They tend to have a regressive set of steps that make less than expected revenues still feasible. They then utterly fail to plan for success, where revenues exceed their expectations. This sounds like an odd problem to have but getting a business to scale correctly and not lose potential revenue and customers is slightly more of an issue than coming up short on sales.


#9 The Growth Staircase & Transition Planning

In the beginning its about games and being a games studio. Ultimately it becomes about transitioning to being a software company that is currently making a game. They're not the same thing. The transition into having a financial director, human resources, bespoke IT department, sales and marketing staff etc. is not straight-forward but is a symptom of success. Once you reach that point the transition needs to be planned and implemented like anything else. Many games studios fail to make this transition and then struggle.


#10   The Exit


Your investor wants to make a return on his investment. A multiple of x10 in an ideal world, x6 would be nice and x4 is probably something like the average. Understand that this conversation is not one you can avoid and at some point the investor will want a sale (typically 4-5 years). If you wanted to run the company forever then you got in the wrong elevator.








Monday, 1 August 2016

7 Measures for Business Cyber Resilience








There are ever increasing threats to business in cyberspace. DDOS, Ransomware and Phishing to name but a few. There are some proactive steps you can take as a business to help mitigate against these threats:

1.    System Hygiene

Everything starts with a proactive and managed approach to keeping computer systems clean and secure. Having software monitoring desktop machines for intrusions, making sure that all routers and firewalls are configured correctly and running the latest operating systems, ensuring that staff do not plug unknown devices into their machines etc.  All of these activities if treated as routine maintenance tasks will stop the basic low level issues from becoming major ones. It’s a small investment in time and money that has a disproportionate effect on keeping your business safe, and like insurance of any type, you’ll be glad you had this approach in the long run.

2.    Planning

Plans are fundamentally useless, as soon as something goes wrong its typical that the incident does not compare with the plan, but, the planning process itself is a vital weapon. If the senior management team understands how to react to a cyber-attack and has a number of documented options available in advance, it can act quickly to stop a problem from escalating. The senior team needs to contemplate all forms of possible attack and create a response for each flavour of incident. Those responses should be made available to the staff and reviewed at regular intervals.  Training key staff members on how to respond to an attack is vital.
3.    Risk Profiling
Not all cyber-attacks are created equal. It’s a positive position to be in if a company can recognise patterns of attack and what may have already happened and what comes next. This allows a far greater capability to create a bespoke defence to different problems and know when to act and where to look. Different company digital assets may require vastly different approaches to keeping them secure, most cyber-attacks will not be beaten by a one-size-fits-all approach. Create different risk profiles for different attacks and have a fit for purpose response.
4.    Metrics
During a cyber-attack its most unlikely that you’re going to have the option to work in high levels of detail. Its more fundamental that you act quickly than act precisely. Focus on being able to be agile with your responses using rough figures and estimates rather than precise numbers. It means that your attacker is forced to do the same making the likelihood that the attack will stop and it avoids your response grinding to a halt because of analysis paralysis. Run simulations, record numbers and create ranges that you can recognise and define what response is appropriate.

 5.    Risk Mitigation

Your company needs to spend time and money to mitigate the risk of a cyber-attack. Some of these seem common sense and yet a lot of companies still fail to ensure these are in place:
Training: Make sure all your staff understand their role in cyber security and actively engage with them in discussions around how the company’s protective stance can be enhanced.
Certification & Compliance: Even if your company is not software or tech focused, make sure that you go through the ISO9001 and ISO27001 certification. Stick to the rules and regularly retest yourself. These standards are there to help you defend your company and its information security.
Policy & Procedure: Write specific processes and policies for the company to use that enable new habits within the staff to form. Bring Your Own Device policies, rules on portable hard drives, policies on accessing external systems and physical security mantras will all help mitigate risks.
6.    Cyber Insurance
In the modern era it would be remiss for companies that hold personal information or sensitive data to not have cyber insurance. These policies cover the loss of data or information from IT systems or networks. The average cost of a cyber-security breach is £600k - £1.15Million so typically carrying £2.5Million of cover seems a minimum policy amount. There is some good guidance on cyber-insurance cover available from the Association of British Insurers here.
7.  Go!

Press the go button and put everything into place. It’s often that plans around cyber-security are left unimplemented because of the “it can’t happen to us” syndrome. If you’ve gone to the extent of the planning, then the implementation should be easy and straight forward. Don’t be the victim of a cyber-attack for the sake taking the last steps of implementing your cyber-security strategy!